LevelUp Platform
Document Version: 1.0 (Public)
Effective Date: January 2026
Last Reviewed: January 2026
Document Classification: Public - Customer-Facing
1. Purpose & Scope
1.1 Purpose
This Information Security & Data Protection Policy establishes LevelUp Platform's commitment to identifying, mitigating, and monitoring information security risks relevant to our business operations, technology infrastructure, and customer data processing activities.
1.2 Scope
This policy applies to:
All LevelUp Platform systems, infrastructure, and data assets
All customer data, financial data, and personally identifiable information (PII) processed by the platform
All service tiers (Silver, Gold, and Standard), with tier-specific controls where specified
2. Security Risk Management
SOC 2: CC6.1, CC6.2 | ISO 27001: A.5.1.1
2.1 Policy Statement
LevelUp Platform maintains operationalized security policies and procedures to identify, assess, mitigate, and continuously monitor information security risks relevant to our business operations, technology infrastructure, and customer data processing activities.
2.2 Risk Management Approach
We employ a comprehensive risk management program that includes:
Risk Identification: Regular assessment of infrastructure, applications, third-party vendors, and emerging threats
Threat Intelligence: Monitoring of security advisories, vulnerability databases, and industry threat feeds
Risk Mitigation: Preventive, detective, and corrective controls to address identified risks
Continuous Monitoring: Ongoing assessment and reporting of security posture
Corrective Controls: Incident response procedures, patch management, backup and recovery
3. Access Control & Authentication
SOC 2: CC6.2, CC6.3 | ISO 27001: A.9.2.1, A.9.4.2 | Zero Trust Architecture
3.1 Policy Statement
LevelUp Platform implements Role-Based Access Control (RBAC) with OAuth token-based authentication and Zero Trust access architecture. Access to information systems, applications, and data is granted based on business need, role responsibilities, and the principle of least privilege. All access requests, grants, modifications, and revocations are logged and periodically reviewed.
3.2 Authentication Architecture
Token-Based Authentication: All API requests require valid authentication tokens
Token Validation: Tokens are validated on every request; expired or invalid tokens are rejected
Secure Token Storage: Tokens are stored securely client-side; never in insecure storage or URL parameters
OAuth Protection: OAuth flows use state tokens for CSRF protection
3.3 Zero Trust Access Architecture
We implement Zero Trust principles:
Never Trust, Always Verify: Every request is authenticated and authorized; no implicit trust based on network location
Least Privilege: Users are granted minimum permissions necessary for job function
Tenant Isolation: All database queries are automatically scoped to the authenticated user's organization; cross-tenant access is prevented
Continuous Validation: Token validation occurs on every API call; user status is verified
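The tenant isolation item above (every query automatically scoped to the authenticated user's organization) can be enforced at a single chokepoint. The following is an added illustration in Python with an in-memory SQLite table, not the platform's own code; the schema, the `TenantScopedStore` class and the `:org_id` convention are constructed for this example.

```python
import sqlite3

# Constructed demo schema (not the platform's real schema): two organisations, each
# owning one account. Organisation 200 must never be able to read account 1.
DEMO_SCHEMA = """
CREATE TABLE accounts (id INTEGER PRIMARY KEY, org_id INTEGER NOT NULL, balance INTEGER);
INSERT INTO accounts VALUES (1, 100, 5000), (2, 200, 9000);
"""


class TenantScopedStore:
    """Single chokepoint for database reads on behalf of an authenticated user.

    org_id is taken from the validated token at construction time, so request
    parameters can never change which tenant a query runs against."""

    def __init__(self, conn: sqlite3.Connection, org_id: int):
        self._conn = conn
        self._org_id = org_id

    def query(self, sql: str, params=None) -> list:
        # Guardrail (a substring check, not a SQL parser): refuse any statement
        # that does not carry the tenant predicate at all.
        if ":org_id" not in sql:
            raise ValueError("query is not tenant-scoped: missing :org_id predicate")
        bound = dict(params or {})
        bound["org_id"] = self._org_id   # always overrides anything the caller supplied
        return self._conn.execute(sql, bound).fetchall()

    def get_account(self, account_id: int):
        # A caller from org 200 asking for account 1 (owned by org 100) gets no row,
        # instead of relying on a separate post-fetch ownership check.
        rows = self.query(
            "SELECT id, balance FROM accounts WHERE id = :id AND org_id = :org_id",
            {"id": account_id},
        )
        return None if not rows else {"id": rows[0][0], "balance": rows[0][1]}

    def list_account_ids(self) -> list:
        return [r[0] for r in self.query(
            "SELECT id FROM accounts WHERE org_id = :org_id ORDER BY id")]


def demo_connection() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(DEMO_SCHEMA)
    return conn


if __name__ == "__main__":
    conn = demo_connection()
    print(TenantScopedStore(conn, 100).get_account(1))   # own account: returned
    print(TenantScopedStore(conn, 200).get_account(1))   # other tenant's account: None
```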
4. Multi-Factor Authentication
4.1 Policy Statement
Multi-Factor Authentication (MFA) is required for all Silver and Gold service tier users accessing the LevelUp Platform. MFA requires two or more independent authentication factors: something the user knows (password) and something the user possesses (authenticator app code, SMS code, or hardware token). Standard tier users are strongly encouraged but not required to enable MFA.
5. Data Encryption in Transit
5.1 Policy Statement
All data transmitted between clients and LevelUp Platform servers must be encrypted using Transport Layer Security (TLS) version 1.2 or higher. TLS 1.0 and TLS 1.1 are explicitly prohibited. All API endpoints, web applications, and mobile application communications use TLS encryption. Unencrypted HTTP connections are automatically redirected to HTTPS.
5.2 TLS Configuration Standards
Minimum Version: TLS 1.2 (RFC 5246)
Preferred Version: TLS 1.3 (RFC 8446) where supported
Prohibited Protocols: SSL 3.0, TLS 1.0, TLS 1.1
Cipher Suites: Strong ciphers only: forward-secret key exchange (ECDHE or DHE) with an AEAD cipher (AES-GCM or ChaCha20-Poly1305)
Certificate Management: Valid SSL/TLS certificates from trusted Certificate Authorities (CA); certificates are automatically renewed
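The 5.2 standards expressed as a Python `ssl` context, together with an audit function that reports where a context falls short. This is an added example, not the platform's configuration; the OpenSSL cipher-string spelling and the `kx-*` key-exchange names it checks are assumptions about how OpenSSL reports suites.

```python
import ssl

# Section 5.2 values mapped onto Python's ssl module (mapping chosen here, not the
# platform's own configuration): minimum TLS 1.2, forward-secret key exchange only.
MIN_VERSION = ssl.TLSVersion.TLSv1_2
# OpenSSL reports TLS 1.3 suites as "kx-any"; they always use (EC)DHE.
ALLOWED_KEX = {"kx-ecdhe", "kx-dhe", "kx-any"}
# OpenSSL cipher string for "ECDHE or DHE with AES-GCM or ChaCha20-Poly1305".
POLICY_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20"


def policy_context() -> ssl.SSLContext:
    """Server context that meets the 5.2 standards (TLS 1.3 suites stay enabled)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_VERSION   # rejects SSL 3.0, TLS 1.0 and TLS 1.1 handshakes
    ctx.set_ciphers(POLICY_CIPHERS)     # TLS 1.2 list: no RSA key exchange, no CBC/HMAC suites
    return ctx


def weak_context() -> ssl.SSLContext:
    """Context that violates 5.2: any library-supported version and OpenSSL's DEFAULT list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("DEFAULT")          # still contains RSA key exchange and CBC/HMAC suites
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the 5.2 violations found in a context; an empty list means compliant."""
    violations = []
    if ctx.minimum_version < MIN_VERSION:
        violations.append(f"minimum version {ctx.minimum_version!r} permits prohibited protocols")
    for suite in ctx.get_ciphers():
        if suite["kea"] not in ALLOWED_KEX:
            violations.append(f"{suite['name']}: key exchange {suite['kea']} is not forward secret")
        if not suite["aead"]:
            violations.append(f"{suite['name']}: not an AEAD cipher")
    return violations


if __name__ == "__main__":
    print("policy context:", audit_context(policy_context()) or "compliant")
    for finding in audit_context(weak_context())[:5]:
        print("weak context:", finding)
```

The audit only inspects the local context; checking a deployed endpoint still requires a handshake-level scan, and certificate validity and renewal are outside what this snippet covers.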
5.3 Encryption Coverage
All web application traffic (automatic HTTP to HTTPS redirect)
All API endpoints
All mobile application communications (iOS/Android)
All OAuth flows and redirect URIs
6. Data Encryption at Rest
SOC 2: CC6.7 | ISO 27001: A.10.1.2 | PCI DSS 3.4
6.1 Policy Statement
All Plaid-sourced financial data stored by LevelUp Platform for Silver and Gold service tier customers is encrypted at rest using industry-standard encryption algorithms (AES-256 or equivalent). Database-level encryption, application-level encryption, or cloud provider encryption services are used to meet minimum encryption strength requirements. Standard tier customers' financial data (if any) is encrypted using database-level encryption.
6.2 Encryption Requirements by Data Type
Data Type | Service Tier | Encryption Requirement
Plaid Financial Data | Silver, Gold | AES-256 encryption at rest
Plaid Financial Data | Standard | Database-level encryption
Customer PII | All Tiers | Encryption at rest
Authentication Tokens | All Tiers | Encryption at rest
Payment Credentials | All Tiers | Encryption at rest
6.3 Key Management
Encryption keys are stored in secure key management services
Keys are rotated on a regular basis or upon compromise
Key access is restricted to authorized personnel only
Database encryption keys are stored separately from encrypted data
7. Vulnerability Management
SOC 2: CC6.2 | ISO 27001: A.12.6.1
7.1 Policy Statement
LevelUp Platform performs routine vulnerability scans against employee and contractor machines (e.g., laptops, workstations) and production assets (e.g., server instances, containers, network infrastructure) to detect and patch vulnerabilities. Critical and high-severity vulnerabilities are patched within defined timeframes based on risk assessment. Vulnerability scanning results are documented, tracked, and remediated according to established procedures.
7.2 Vulnerability Scanning Program
We maintain a comprehensive vulnerability management program that includes:
Regular Scanning: Vulnerability scans of production servers and infrastructure
Endpoint Security: Security scans of employee and contractor devices
Dependency Scanning: Automated scanning of application dependencies and third-party libraries
Container Security: Vulnerability scanning of container images
7.3 Remediation Priorities
Vulnerabilities are prioritized and remediated based on severity:
Critical Severity: Remediated within defined timeframes based on risk assessment
High Severity: Remediated within defined timeframes based on risk assessment
Medium/Low Severity: Remediated within defined timeframes or during scheduled maintenance windows
7.4 Patch Management
Patches are tested in non-production environments before deployment
Emergency patches may bypass normal testing if risk of exploitation outweighs testing risk
Post-patch scans verify vulnerability remediation
Failed patches trigger rollback procedures
8. Data Collection & Consent
GDPR: Art. 6, Art. 7 | CCPA/CPRA: § 1798.100
8.1 Policy Statement
LevelUp Platform obtains explicit, informed consent from users before collecting, processing, and storing their personal data. Consent must be freely given, specific, informed, and unambiguous. Users have the right to withdraw consent at any time. Data collection and processing are limited to purposes for which consent was obtained or where another lawful basis exists (contractual necessity, legal obligation, legitimate interests).
8.2 Consent Collection
Registration Consent: New user registration requires acceptance of Privacy Policy and Terms of Service
Granular Consent: Separate consent obtained for optional data processing (marketing communications, third-party data sharing, analytics)
Consent Documentation: All consent records are stored with timestamps and consent mechanisms
Consent Updates: Users are notified of material changes to Privacy Policy; re-consent required if processing purposes change significantly
Withdrawal of Consent: Users can withdraw consent via account settings or support request
8.3 Lawful Basis for Processing
Data Processing Purpose | Lawful Basis (GDPR) | Consent Required?
Account creation, authentication | Contractual necessity | No (required for service)
Payment processing, invoicing | Contractual necessity | No (required for service)
Plaid financial data (Silver/Gold tiers) | Consent | Yes (explicit consent required)
Marketing communications | Consent | Yes (opt-in required)
Analytics, usage tracking | Legitimate interests / Consent | Yes (consent or anonymized)
Legal compliance, fraud prevention | Legal obligation / Legitimate interests | No (legal requirement)
8.4 Data Minimization
Purpose Limitation: Data collected only for stated purposes; additional uses require new consent
Data Minimization: Collect only data necessary for service functionality
Retention Limits: Data retained only as long as necessary for stated purposes or legal requirements
9. Data Deletion & Retention
GDPR: Art. 17 (Right to Erasure) | CCPA/CPRA: § 1798.105
9.1 Policy Statement
LevelUp Platform implements data deletion procedures to honor user requests for data erasure ("right to be forgotten") and to enforce data retention limits. Users may request deletion of their personal data at any time, subject to legal retention requirements (e.g., financial records, tax obligations, legal disputes). Deleted data is permanently removed from production systems and backups according to defined procedures, unless legal holds or retention obligations require preservation.
9.2 Data Deletion Rights
Users have the right to:
Request deletion of their personal data via account settings or support request
Receive confirmation when data deletion is complete
Understand any legal retention requirements that may prevent immediate deletion (e.g., financial records, tax obligations)
9.3 Data Retention
Data is retained in accordance with legal requirements and business needs:
Active Accounts: Data retained while account is active
Financial Records: Retained in accordance with tax and accounting obligations (typically 7 years)
Plaid Financial Data: Retained until account closure or user deletion request
Audit Logs: Retained for security and compliance purposes
Legal Holds: Data may be retained beyond normal retention if legal hold or regulatory requirement applies
9.4 Deletion Process
Deletion requests are verified to ensure proper authorization
Legal hold checks are performed to verify no retention obligations apply
Data is removed from production systems
Backup data deletion is addressed during backup rotation cycles
Third-party services (e.g., Plaid, payment processors) are notified of deletion requests
Users receive confirmation when deletion is complete
10. Incident Response
SOC 2: CC7.2 | ISO 27001: A.16.1
10.1 Policy Statement
LevelUp Platform maintains incident response procedures to detect, respond to, and recover from security incidents. We are committed to notifying affected users and relevant authorities of security incidents involving personal data in accordance with applicable legal requirements.
10.2 Incident Detection
Security monitoring and logging systems to detect potential incidents
Automated alerting for suspicious activity
Regular review of security logs and alerts
10.3 Incident Response
Incident response team activation procedures
Incident containment and mitigation procedures
Investigation and root cause analysis
Recovery and restoration procedures
Post-incident review and improvement
10.4 Incident Notification
We are committed to notifying affected users of security incidents involving personal data
Notifications are provided in accordance with applicable legal requirements (GDPR, CCPA, state breach notification laws)
Relevant regulatory authorities are notified where required by law
11. Compliance Frameworks
11.1 SOC 2 Type I & II
LevelUp Platform is committed to maintaining SOC 2 compliance. Our security controls align with relevant Trust Service Criteria including:
Security risk management
Logical access controls
User authentication (including MFA for Silver/Gold tiers)
Encryption (TLS 1.2+, encryption at rest)
System monitoring and vulnerability management
11.2 ISO 27001
Our security controls align with ISO 27001 requirements including:
Information security policies
User access management and access control
Cryptographic controls (encryption in transit and at rest)
Vulnerability management
11.3 PCI DSS
LevelUp uses third-party payment processors (PayPal, Finix, Braintree) for payment processing. PCI DSS scope is limited to handling payment tokens, not full cardholder data.
Cardholder data in transit is encrypted (TLS 1.2+)
We do not store full cardholder data; only payment tokens are handled
MFA is implemented for administrative access where applicable
11.4 Privacy Frameworks
GDPR (EU): We comply with GDPR requirements including consent management, data deletion rights, and data protection impact assessments
CCPA/CPRA (California): We comply with California privacy laws including consumer rights (access, deletion), privacy policy requirements, and opt-out mechanisms
GLBA (if applicable): Financial data protection and encryption requirements for financial information
12. Notice Regarding Apple
iOS Application Terms
12.1 Policy Statement
This Section only applies to the extent you are using our mobile application on an iOS device. You acknowledge that this Agreement is between you and Cog-mission only, not with Apple Inc. ("Apple"), and Apple is not responsible for the Service or the content thereof.
12.2 Apple's Limited Role
Apple has no obligation to furnish any maintenance and support services with respect to the Service. If the Service fails to conform to any applicable warranty, you may notify Apple and Apple will refund any applicable purchase price for the mobile application to you; and, to the maximum extent permitted by applicable law, Apple has no other warranty obligation with respect to the Service.
12.3 Apple's Limited Responsibility
Apple is not responsible for addressing any claims by you or any third party relating to the Service or your possession and/or use of the Service, including:
Product liability claims;
Any claim that the Service fails to conform to any applicable legal or regulatory requirement; or
Claims arising under consumer protection or similar legislation.
12.4 Intellectual Property Claims
Apple is not responsible for the investigation, defense, settlement and discharge of any third party claim that the Service and/or your possession and use of the Service infringe a third party's intellectual property rights.
12.5 Third Party Beneficiary
You agree to comply with any applicable third party terms when using the Service. Apple and Apple's subsidiaries are third party beneficiaries of this Agreement, and upon your acceptance of this Agreement, Apple will have the right (and will be deemed to have accepted the right) to enforce this Agreement against you as a third party beneficiary of this Agreement.
12.6 Representations and Warranties
You hereby represent and warrant that:
Location Representation: You are not located in a country that is subject to a U.S. Government embargo, or that has been designated by the U.S. Government as a "terrorist supporting" country; and
Restricted Parties: You are not listed on any U.S. Government list of prohibited or restricted parties.