Version 1.0 · Effective: 9 April 2026 · Owner: Technical Director · Review: Annually
This policy describes Mintstone's approach to information security. It is provided to prospective and current customers as evidence of our security posture during vendor due diligence. This document may be shared with customers under a non-disclosure agreement or as part of a contract.
1. Scope and Purpose
This Information Security Policy applies to all systems, data, personnel, and third-party services that support the Mintstone platform. It sets out the controls Mintstone maintains to protect:
Customer Data (including personal data, financial data, and project data)
Platform integrity and availability
Mintstone's own confidential information and intellectual property
Mintstone is committed to implementing security controls proportionate to the sensitivity of the data it processes and the regulatory environment of its customers (UK-regulated financial institutions).
2. Governance
Mintstone's security governance structure:
Role | Responsibility
Technical Director | Owns this policy; accountable for security posture; approves changes to security controls
All Personnel | Comply with this policy; report security incidents or concerns immediately
This policy is reviewed at least annually, or following any significant security incident or material change to the platform architecture.
3. Asset Classification
Mintstone classifies its information assets as follows:
Class | Description | Examples
Restricted | Highly sensitive; disclosure would cause material harm | Customer personal data, bank transaction data, API credentials, database credentials, encryption keys
 |  | Product documentation, marketing materials, this policy
4. Access Control
4.1 Principle of Least Privilege
Access to systems and data is granted on the basis of least privilege. Personnel receive only the access required for their role. Access rights are reviewed when roles change and revoked on departure.
4.2 Authentication
All production system access requires individual authenticated accounts. Shared credentials are prohibited.
Multi-factor authentication (MFA) is enforced for all administrative access to production infrastructure (AWS console, database, deployment pipelines).
MFA is available (and recommended) for all customer Platform accounts.
4.3 Customer Tenant Isolation
Customer data is isolated at the database level. All database queries are scoped to the authenticated customer's organisation ID. Cross-tenant data access is architecturally prevented.
4.4 Privileged Access
Direct database access in production is restricted to named individuals, requires an authenticated session, and is logged at the query level.
5. Data Security
5.1 Encryption in Transit
All data transmitted between users and the Platform is encrypted using TLS 1.2 or higher. HTTP connections are automatically redirected to HTTPS. API communications with third-party services use TLS.
5.2 Encryption at Rest
Database: The PostgreSQL database is hosted on managed infrastructure with AES-256 encryption at rest enabled.
Object Storage: All documents, images, and files stored in AWS S3 use server-side encryption (SSE-S3, AES-256).
Credentials: Passwords are stored as bcrypt hashes. Plaintext passwords are never stored.
5.3 Secret Management
API keys, credentials, and secrets are stored exclusively as environment variables in the deployment platform (Vercel) or as AWS IAM credentials with least-privilege policies. Secrets are never committed to source code repositories.
5.4 Data Minimisation
Mintstone collects and retains only the data necessary for the provision of the Platform. Customer data retention periods are defined in the DPA.
6. Infrastructure Security
6.1 Hosting Environment
Application: Hosted on Vercel's edge platform with automatic HTTPS, DDoS mitigation, and global CDN.
Database: Managed PostgreSQL hosted on AWS (eu-west-2, London region) with automated backups, point-in-time recovery, and private networking.
File Storage: AWS S3 (eu-west-2) with bucket policies restricting public access. Files served via pre-signed URLs with short expiry.
6.2 Network Controls
Database access is restricted by network-level controls; direct public internet access to the database is disabled.
All API endpoints implement rate limiting to prevent abuse and brute-force attacks.
CSRF protection is implemented on all state-changing API routes.
6.3 Vulnerability Management
Dependencies are monitored for known vulnerabilities using npm audit and automated dependency tooling.
Critical and high-severity vulnerabilities in dependencies are prioritised for remediation on an ongoing basis.
The Platform is deployed from a CI/CD pipeline; code changes undergo review before deployment to production.
6.4 Logging and Monitoring
Application-level audit logs record significant user actions (login, data access, exports, configuration changes).
Infrastructure logs are retained for a minimum of 90 days.
Vercel deployment logs are retained per Vercel's platform policy.
7. Third-Party and Supply Chain Security
Mintstone engages sub-processors as listed in the DPA Schedule 3. For each sub-processor:
Mintstone reviews the sub-processor's security posture and compliance certifications before engagement (e.g., AWS SOC 2 / ISO 27001, Vercel SOC 2, OpenAI SOC 2).
Data processing agreements are in place with all sub-processors who process personal data.
Open banking connectivity is provided by TrueLayer, which is FCA-regulated and operates under its own regulatory obligations.
8. Personnel Security
All personnel with access to customer data are subject to confidentiality obligations in their employment or contractor agreements.
Access to production systems is granted only to personnel with a legitimate business need.
Departing personnel have access revoked on their last day of employment.
Personnel are made aware of their security obligations and this policy.
9. Security Incident Management
9.1 Definition
A security incident is any event that results in, or has the potential to result in, unauthorised access to, disclosure of, modification of, or loss of customer data or Mintstone systems.
9.2 Response Procedure
Detect: Incidents may be identified via monitoring alerts, customer reports, or personnel observation.
Contain: Immediate action to prevent further exposure (e.g., revoke credentials, isolate affected systems).
Assess: Determine the nature, scope, and likely impact of the incident.
Notify: Affected customers are notified within 72 hours of Mintstone becoming aware of an incident involving their data, in accordance with the DPA.
Remediate: Implement fixes, update controls, and document lessons learned.
Report: Where required by UK GDPR, notify the ICO within 72 hours.