Security at Waterfall Planning
Your financial data deserves serious protection. Here is how we deliver it.
Encryption and Transport Security
All communication between your browser and our servers is protected by TLS, using cipher suites with 256-bit AES for bulk encryption. This is the same class of encryption used by major banks and financial institutions.
We enforce HTTPS on every page of the application. HTTP Strict Transport Security (HSTS) is enabled with a one-year max-age, the includeSubDomains directive, and the preload directive that makes the domain eligible for browser preload lists. Once your browser has seen this header over a successful HTTPS connection (or from the very first request, if the domain is on your browser's preload list), it will refuse to connect to us over an unencrypted channel.
Our TLS configuration is independently verified through Qualys SSL Labs. You can check our current grade at any time at ssllabs.com.
All connections between our application and our database are encrypted with TLS (still labelled "SSL" in most database drivers), so data is protected both in transit to your browser and between our application and data storage layers.
Infrastructure Security
Waterfall Planning is hosted on DigitalOcean infrastructure in United States data centers. DigitalOcean maintains SOC 2 Type II and SOC 3 certifications, and their data centers feature physical security controls including biometric access, 24/7 monitoring, and environmental protections. You can review their compliance documentation at digitalocean.com/trust.
Our database is hosted on Supabase, which runs on Amazon Web Services (AWS) infrastructure. Supabase maintains SOC 2 Type II certification and all database connections require SSL encryption. You can review their security practices at supabase.com/security.
Our domain and traffic are protected by Cloudflare, which provides DDoS mitigation, Web Application Firewall (WAF) rules, and global content delivery. Cloudflare maintains SOC 2 Type II, ISO 27001, and PCI DSS Level 1 certifications.
Application Security
Our application implements multiple layers of security controls aligned with industry best practices:
Cross-Site Request Forgery (CSRF) Protection: Every form submission and state-changing request must carry a CSRF token bound to your session. A request triggered by another site in your browser cannot supply a valid token, so it is rejected and no action is performed on your behalf.
Clickjacking Protection: We set the X-Frame-Options header to DENY, so browsers refuse to render our pages inside a frame or iframe on any other website. (The Content-Security-Policy frame-ancestors directive is the modern equivalent of this header.)
Content Security: We send X-Content-Type-Options: nosniff so browsers do not guess a different content type than the one we declare, the legacy X-XSS-Protection header (honored only by older browsers; current browsers rely on output encoding and Content Security Policy instead), and a strict Referrer-Policy that limits what other sites learn about your navigation from the Referer header. Together these reduce the impact of cross-site scripting, content injection, and information leakage.
Session Security: Session cookies are marked HttpOnly (not readable by scripts) and Secure (sent only over HTTPS), with a SameSite restriction that keeps other sites from attaching them to cross-site requests. Sessions expire after one hour of inactivity. Session data is stored server-side; the cookie holds only a session identifier, which client-side scripts cannot read or modify.
Rate Limiting: Critical endpoints including login, registration, password reset, and form submissions are rate-limited to prevent brute force attacks and automated abuse.
Bot Protection: Registration and login forms are protected by hCaptcha verification to prevent automated account creation and credential stuffing attacks.
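The transport and application controls above (one-year HSTS with includeSubDomains and preload, X-Frame-Options DENY, nosniff, a Referrer-Policy, and a session cookie that is HttpOnly, Secure and SameSite) can be verified from the outside by reading a response's headers. The following is an added example for that check, not code from Waterfall Planning; the two sample responses are constructed rather than captured from the site, the session cookie name "sessionid" (Django's default) is an assumption, and the Referrer-Policy value in the sample is illustrative.

```python
"""Check an HTTP response against the header and cookie policy stated on this page.

Added example, not code from Waterfall Planning. The expected values come from
the policy text; the sample responses below are constructed, and the session
cookie name 'sessionid' (Django's default) is an assumption.
"""

ONE_YEAR = 31536000  # seconds; the HSTS max-age the policy promises


def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security value into its directives."""
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            parsed["max_age"] = int(arg)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed


def parse_set_cookie(value: str) -> tuple:
    """Return (cookie name, attributes). Attribute names are lower-cased; bare
    flags such as HttpOnly map to True, valued ones such as SameSite to their value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, sep, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() if sep else True
    return name, attrs


def check_response(headers: dict, session_cookie: str = "sessionid") -> list:
    """Return the policy violations found in one response. `headers` maps header
    names (any case) to values; 'Set-Cookie' may be a single string or a list."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        p = parse_hsts(hsts)
        if p["max_age"] is None or p["max_age"] < ONE_YEAR:
            findings.append("HSTS max-age shorter than one year")
        if not p["include_subdomains"]:
            findings.append("HSTS missing includeSubDomains")
        if not p["preload"]:
            findings.append("HSTS missing preload")

    if h.get("x-frame-options", "").strip().upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")

    cookies = h.get("set-cookie", [])
    for raw in [cookies] if isinstance(cookies, str) else cookies:
        name, attrs = parse_set_cookie(raw)
        if name != session_cookie:
            continue  # only the session cookie carries the stated guarantees
        if "httponly" not in attrs:
            findings.append("session cookie missing HttpOnly")
        if "secure" not in attrs:
            findings.append("session cookie missing Secure")
        samesite = attrs.get("samesite")
        if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
            findings.append("session cookie SameSite is not Lax or Strict")
    return findings


# Constructed sample responses: one that meets the policy, one that does not.
COMPLIANT = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "same-origin",
    "Set-Cookie": [
        "sessionid=3f9c1a2b; Path=/; HttpOnly; Secure; SameSite=Lax",
        "csrftoken=a1b2c3d4; Path=/; Secure; SameSite=Lax",
    ],
}
WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "SAMEORIGIN",
    "Set-Cookie": "sessionid=3f9c1a2b; Path=/",
}

if __name__ == "__main__":
    print(check_response(COMPLIANT))  # []
    for finding in check_response(WEAK):
        print("WEAK:", finding)
```

To run this against a live host, feed it the headers of an HTTPS response (for example from `http.client` or `curl -sI`); the WEAK sample shows the nine findings a response with a short HSTS lifetime, a SAMEORIGIN frame policy, no nosniff or referrer headers, and an unflagged session cookie would produce.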
Password and Authentication Security
Passwords are never stored in plain text. We use Django's built-in password hashing framework, which applies the PBKDF2 algorithm with SHA-256, a unique random salt per user, and a large number of iterations. Even if our database were compromised, your password could not be read out of the stored hash; an attacker would have to guess it, which the iteration count makes slow and the password rules below make harder. The per-user salt also means two users who choose the same password are stored with different hashes.
We enforce strong password requirements: a minimum length of 10 characters, rejection of passwords that appear on a list of commonly used passwords, rejection of passwords too similar to your email address, and rejection of entirely numeric passwords.
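The two paragraphs above describe the registration-time flow: validate the password against the four rules, then hash it with PBKDF2-SHA256 and a per-user salt. The following is an added example of that flow, written here for illustration; it is not Waterfall Planning's code and not Django's own implementation, though it reproduces the stored-hash format Django's PBKDF2PasswordHasher writes (algorithm$iterations$salt$hash) using only the standard library. The iteration count, the short common-password list, and the sample email address are assumed stand-ins, not the project's configuration.

```python
"""Registration-time password handling: validate, then hash with PBKDF2-SHA256.

Added example, not code from Waterfall Planning and not Django's own
implementation. It reproduces the stored-hash format Django's
PBKDF2PasswordHasher writes (algorithm$iterations$salt$hash) and the four
validation rules above, using only the standard library. ITERATIONS and
COMMON_PASSWORDS are assumed stand-ins, not the project's configuration.
"""
import base64
import difflib
import hashlib
import hmac
import re
import secrets
import string

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000        # assumed work factor; Django raises its default with each release
MIN_LENGTH = 10
MAX_SIMILARITY = 0.7        # Django's default threshold for the email-similarity check
# Constructed sample; Django ships a list of roughly 20,000 common passwords.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "iloveyou"}


def validate_password(password: str, email: str) -> list:
    """Return the list of rule violations (empty means the password is acceptable)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower().strip() in COMMON_PASSWORDS:
        errors.append("too common")
    if password.isdigit():
        errors.append("entirely numeric")
    # Mirror Django's UserAttributeSimilarityValidator: compare the password
    # against the whole email and against each alphanumeric part of it.
    parts = re.split(r"\W+", email.lower()) + [email.lower()]
    for part in parts:
        if not part:
            continue
        ratio = difflib.SequenceMatcher(a=password.lower(), b=part).quick_ratio()
        if ratio >= MAX_SIMILARITY:
            errors.append("too similar to email address")
            break
    return errors


def make_salt(length: int = 22) -> str:
    """Random alphanumeric salt, the same alphabet and length Django uses."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def make_password(password: str, salt: str = None, iterations: int = ITERATIONS) -> str:
    """Hash a password into 'pbkdf2_sha256$<iterations>$<salt>$<base64 digest>'."""
    if salt is None:
        salt = make_salt()  # fresh salt per user, so equal passwords hash differently
    if "$" in salt:
        raise ValueError("salt must not contain the field separator '$'")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"{ALGORITHM}${iterations}${salt}${base64.b64encode(digest).decode('ascii')}"


def check_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iterations; compare in constant time."""
    parts = stored.split("$", 3)
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return False
    candidate = make_password(password, parts[2], int(parts[1]))
    return hmac.compare_digest(candidate.encode(), stored.encode())


def needs_rehash(stored: str) -> bool:
    """True when the stored hash uses a lower work factor than the current setting."""
    parts = stored.split("$", 3)
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < ITERATIONS


def verify_login(password: str, stored: str) -> tuple:
    """Login-time check. Returns (ok, replacement_hash_or_None); the caller saves the
    replacement so old hashes are upgraded transparently as users log in."""
    if not check_password(password, stored):
        return False, None
    return True, (make_password(password) if needs_rehash(stored) else None)


if __name__ == "__main__":
    email = "jane.waterfall@example.com"  # constructed
    print(validate_password("janewaterfall1", email))                # too similar to the email
    print(validate_password("correct horse battery staple", email))  # []
    stored = make_password("correct horse battery staple")
    print(stored)
    print(check_password("correct horse battery staple", stored), check_password("wrong", stored))
```

The constant-time comparison in check_password matters because a byte-by-byte early exit would leak how much of the hash matched; the verify_login helper shows the upgrade-on-login pattern that lets a deployment raise its iteration count without forcing a password reset.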
We also support Google Sign-In (OpenID Connect on top of OAuth 2.0) as an alternative authentication method, so you can rely on Google's security infrastructure, including its multi-factor authentication, and never give us a password at all.
Data Privacy and Minimization
We follow a data minimization approach, collecting only the information necessary to provide the planning service. Specifically, Waterfall Planning does not:
Require sensitive identifiers. We never ask for your Social Security number, bank account numbers, investment account credentials, driver's license number, or any government-issued identification.
Store payment card information. All payment processing is handled entirely by Stripe. Your credit card number never touches our servers. We only store Stripe customer and subscription identifiers needed to manage your account status.
Link to external financial accounts. Unlike many financial tools, we do not connect to your bank, brokerage, or any other financial institution. All financial data in your plan is entered manually by you, which means there is no aggregated account data at risk if our systems were ever compromised.
Sell your data. We do not sell your personal information or financial planning data to any third party. We do not share your data for cross-context behavioral advertising. Full details are available in our Privacy Policy.
Track you unnecessarily. Analytics and marketing cookies are optional and require your explicit consent. Marketing cookies (such as Google Ads remarketing) are used only to show relevant ads to previous visitors and never access your financial planning data. You can manage your preferences at any time through our Cookie Policy page.
Access Controls
Geo-Restriction: The service is restricted to users within the United States using a locally hosted GeoIP database (MaxMind GeoLite2). IP lookups are performed on our server against that local database, so your IP address is never sent to an external geolocation service. IP geolocation is approximate, so this is an eligibility control rather than a security boundary.
Role-Based Access: The application enforces role-based permissions. Standard users can only access their own data. Organization administrators can manage their own organization's users but cannot access individual financial planning data. Administrative functions require separate authentication.
Account Deletion: You can permanently delete your account and all associated data at any time from your profile settings. Deletion is immediate and irreversible.
Compliance
CCPA/CPRA: We comply with the California Consumer Privacy Act and California Privacy Rights Act. California residents can exercise their rights including the right to know, delete, and opt out of data sharing. A Do Not Sell My Personal Information page is available for all users.
Florida Information Protection Act: In the event of a data breach, we will notify affected users within 30 days as required by Florida law, and report to applicable regulatory authorities where required.
Not a Financial Adviser: Waterfall Planning is an educational planning tool and is not a registered investment adviser, broker-dealer, or financial planner. We do not provide personalized financial advice or recommendations. All projections are hypothetical and for informational purposes only.
Third-Party Security
We limit our use of third-party services and select providers with strong security track records. Each provider listed below publishes its own security certifications or privacy commitments:
Stripe (payment processing) -- PCI DSS Level 1 certified, SOC 2 Type II
Cloudflare (CDN and WAF) -- SOC 2 Type II, ISO 27001, PCI DSS Level 1
DigitalOcean (application hosting) -- SOC 2 Type II, SOC 3
Supabase / AWS (database hosting) -- SOC 2 Type II
SendGrid / Twilio (email delivery) -- SOC 2 Type II, ISO 27001
hCaptcha (bot protection) -- Privacy-focused alternative to reCAPTCHA, does not track users for advertising
Found a Security Issue?
We take security reports seriously. If you believe you have found a security vulnerability or bug, please contact us at [email protected].
Please include a description of the issue, steps to reproduce it, and the potential impact. We will acknowledge receipt within 48 hours and work to resolve confirmed vulnerabilities promptly.