1. Purpose

This policy defines the security practices Jointly follows to protect consumer financial data, maintain system integrity, and comply with applicable data privacy laws. It applies to all systems, services, and personnel involved in developing and operating the Jointly application.

2. Scope

This policy covers:

3. Data Classification

Classification | Description | Examples
Restricted | Financial credentials and tokens | Plaid access tokens, API secrets (note: FinanceKit uses no access tokens; authorization is OS-managed)
Confidential | User financial data | Transactions (including FinanceKit-sourced), account numbers, split details
Internal | Operational data | User profiles, partnership records, app configuration, subscription status
Internal | Analytics and behavioral metrics | Feature usage counts, user properties, custom category names, survey responses (no PII)
Public | Publicly accessible content | Privacy policy, landing page, App Store listing

4. Access Control

Production Systems: Access to Firebase Console, Google Cloud Console, Plaid Dashboard, and GitHub is restricted to authorized personnel only. All production system accounts require multi-factor authentication (MFA). The principle of least privilege is applied: services and functions are granted only the permissions necessary to perform their tasks.

Firestore Security Rules: Client-side access is governed by Firestore Security Rules, which are kept in version control, reviewed there, and deployed from there. Collections containing sensitive data (e.g., access tokens) have rules that deny all client-side access, reads and writes alike, so those documents are reachable only from server-side Cloud Functions (the Admin SDK used by Cloud Functions is not subject to security rules, which is why a deny-all rule on the client path does not break server access). Users can only read and write their own data; partnership data is scoped to matched partners.

API Keys and Secrets: API credentials are stored as environment variables in Firebase Cloud Functions, never in source code or client-side bundles. Firebase service account keys are managed by Google Cloud IAM and are not exported or stored locally. Secret files are excluded from version control via .gitignore. Apple FinanceKit requires no API keys or access tokens — authorization is managed entirely by the iOS operating system at the device level.

Administrative Access: Administrative access to production features is restricted to designated operator accounts, verified via a Cloud Function that checks against an allowlist of authorized email addresses. Admin capabilities are used exclusively for testing and debugging purposes.

5. Encryption

In Transit: All client-server communication uses TLS 1.2 or higher. Firebase Cloud Functions enforce HTTPS for all callable endpoints. iOS App Transport Security (ATS) enforces TLS for all outbound network requests. All third-party API communication uses TLS. FinanceKit transaction data is transmitted from the iOS app to Firebase Cloud Functions over TLS. FinanceKit itself operates entirely on-device and does not involve network communication with Apple.

At Rest: All data stored in Cloud Firestore is encrypted at rest using Google-managed encryption keys (AES-256). Access tokens stored in Firestore are additionally protected by security rules preventing any client-side read access.

6. Authentication and Consumer Security

Users authenticate via Firebase Auth using email/password, Google Sign-In, or Apple Sign-In. Google Sign-In provides Google's built-in MFA capabilities. Apple Sign-In supports Apple's two-factor authentication and private relay email addresses. Password requirements are enforced by Firebase Auth. Bank account authentication is handled entirely by Plaid — Jointly never receives, stores, or has access to bank login credentials. Apple FinanceKit authorization is handled by the iOS operating system. Users grant access via a system-level prompt and can revoke it in iOS Settings. Jointly never receives Apple Wallet credentials.

Biometric Authentication: Users may optionally enable Face ID or Touch ID to unlock the app. When enabled, sign-in credentials are stored in the iOS Keychain under an access-control policy that requires both a device passcode and biometry (kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly with the .biometryAny flag); an item stored this way is excluded from backups, is never migrated to another device, and is erased if the device passcode is removed. Note that .biometryAny keeps the item usable after a new face or fingerprint is enrolled, whereas .biometryCurrentSet would invalidate it when the enrolled set changes. No biometric data is collected, stored, or transmitted by Jointly; all biometric processing is handled locally by Apple's LocalAuthentication framework.

App Integrity: Firebase App Check with Apple App Attest verifies that requests to backend Cloud Functions originate from the authentic Jointly app, preventing unauthorized API access from spoofed or tampered clients.
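The operator allowlist described under Administrative Access (section 4) and the App Check requirement above are enforced at the same point: the entry of an admin-only callable Cloud Function. The block below is an added example written for this page, not Jointly's own code. The request shape mirrors what firebase-functions v2 onCall hands to a handler (request.app holds the verified App Check token and is absent when the client sent none; request.auth.token is the decoded Firebase ID token), while the allowlist addresses, sample requests and function names are constructed for illustration. It also checks the email_verified claim, a step the policy text does not mention: an email/password account can be registered with an arbitrary address, so matching an allowlist on an unverified email would let such an account pass as an operator.

```javascript
// Added example (not Jointly's code): authorization gate for an admin-only
// callable Cloud Function. `request` follows the firebase-functions v2
// CallableRequest shape: { app?, auth?: { uid, token }, data }.

function normalizeEmail(email) {
  // Case-insensitive comparison on a trimmed address.
  return String(email).trim().toLowerCase();
}

// Constructed sample allowlist (hypothetical addresses), normalized once at load.
const ADMIN_ALLOWLIST = new Set(
  ["ops@example.com", "Jane.Doe@example.com"].map(normalizeEmail),
);

// Returns { allowed, code, reason }. `code` uses callable error codes so a
// handler can map a denial straight to HttpsError(code, reason).
function authorizeAdminRequest(request, allowlist = ADMIN_ALLOWLIST) {
  // 1. App Check: no verified token means the caller is not the attested app.
  //    onCall({ enforceAppCheck: true }) already rejects these before the
  //    handler runs; repeating the check keeps the gate correct if that option
  //    is ever dropped.
  if (!request.app) {
    return { allowed: false, code: "failed-precondition", reason: "missing App Check token" };
  }
  // 2. A signed-in Firebase user with a decoded ID token.
  const token = request.auth && request.auth.token;
  if (!token) {
    return { allowed: false, code: "unauthenticated", reason: "no Firebase ID token" };
  }
  // 3. The email claim must be present and verified; an unverified address is
  //    merely what the account holder typed at sign-up.
  if (typeof token.email !== "string" || token.email_verified !== true) {
    return { allowed: false, code: "permission-denied", reason: "email not verified" };
  }
  // 4. Allowlist membership on the normalized address.
  if (!allowlist.has(normalizeEmail(token.email))) {
    return { allowed: false, code: "permission-denied", reason: "email not on allowlist" };
  }
  return { allowed: true, code: null, reason: "ok" };
}

// Wiring into a callable (shown as a comment so this file runs offline
// without the firebase-functions package):
//
//   const { onCall, HttpsError } = require("firebase-functions/v2/https");
//   exports.adminResetFixture = onCall({ enforceAppCheck: true }, (request) => {
//     const decision = authorizeAdminRequest(request);
//     if (!decision.allowed) throw new HttpsError(decision.code, decision.reason);
//     // ... privileged work ...
//   });

// Constructed sample requests covering the four outcomes.
const APP = { appId: "1:123456789:ios:abcdef" }; // hypothetical App Check token info
const SAMPLE_REQUESTS = {
  admin:      { app: APP, auth: { uid: "u1", token: { email: "jane.doe@example.com", email_verified: true } }, data: {} },
  noAppCheck: {           auth: { uid: "u1", token: { email: "ops@example.com", email_verified: true } }, data: {} },
  unverified: { app: APP, auth: { uid: "u2", token: { email: "ops@example.com", email_verified: false } }, data: {} },
  outsider:   { app: APP, auth: { uid: "u3", token: { email: "someone@example.net", email_verified: true } }, data: {} },
};

for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
  const d = authorizeAdminRequest(req);
  console.log(`${name}: ${d.allowed ? "allowed" : `denied (${d.code}: ${d.reason})`}`);
}
```

The ordering matters: the App Check test runs first so that unattested clients learn nothing about which addresses are on the allowlist, and the allowlist itself is held in server-side code or configuration, never in a document the client can read.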

7. Infrastructure Security

All backend infrastructure runs on Google Cloud Platform (Firebase), which maintains SOC 1, SOC 2, SOC 3, and ISO 27001 certifications. Cloud Functions execute in isolated, ephemeral containers managed by Google. No self-managed servers, VMs, or databases are used. Firebase project access is restricted to authorized Google accounts with MFA enabled.

8. Monitoring and Error Reporting

Firebase Analytics: Anonymous, aggregated usage data (screen views, basic interaction events) is collected to understand app usage patterns and improve the user experience. No personally identifiable information is included in analytics data.

Firebase Crashlytics: Anonymous crash reports (stack traces, device state, OS version) are collected automatically when the app encounters an error. Crash data is used exclusively for identifying and fixing bugs. No personally identifiable information or financial data is included in crash reports.

Push Notifications: Push notifications are processed via a scheduled Cloud Function that batches and delivers pending notifications. Notification content is transient and deleted after delivery. Device tokens are stored in the user's Firestore document and removed upon account deletion.

9. Development Practices

All application code is stored in a private GitHub repository with MFA-enabled access. Secrets and credentials are excluded from version control. GitHub Dependabot alerts are enabled to detect known vulnerabilities in dependencies. npm audit is run automatically as a pre-deployment check for Cloud Functions — deployments are blocked if high or critical severity vulnerabilities are detected. Firebase and third-party SDKs are kept on supported, maintained versions.

10. Vulnerability Management

GitHub Dependabot monitors repository dependencies for known CVEs and alerts on vulnerabilities. npm audit runs automatically before every Cloud Functions deployment. Google Cloud / Firebase infrastructure patching is managed by Google. Critical vulnerabilities in dependencies are addressed within 7 days of disclosure; high-severity within 30 days.

11. Incident Response

In the event of a suspected security incident (unauthorized access, data breach, compromised credentials):

12. Data Retention and Disposal

User data is retained only as long as the user maintains an active account.

Self-Service Account Deletion: Users can initiate account deletion directly from the App. A 7-day grace period allows the user to cancel by signing back in. After 7 days, all user data is permanently deleted by an automated scheduled process, including:

Bank Account Disconnection: Access tokens are revoked via the Plaid API and deleted from Firestore immediately upon disconnection. Users are given the option to retain or remove unsettled transaction and split data associated with the disconnected accounts. Settled split history is preserved unless the user deletes their entire account.

FinanceKit Data: FinanceKit transaction data is treated identically to Plaid transaction data for retention and deletion purposes. When a user disconnects Apple Wallet, they can choose to keep or remove associated data. No access tokens exist to revoke — revoking FinanceKit authorization simply prevents future data access.

Consent Logging: User consent for Plaid data access is recorded with a timestamp in a write-only Firestore collection. Consent records are retained for compliance purposes and deleted when the user's account is purged.

Users may also contact help@getjointly.co for data deletion assistance. This policy complies with CCPA and NY SHIELD Act requirements.

13. Third-Party Risk

Third Party | Data Shared | Security Posture
Plaid | Bank account access (via tokens) | SOC 2 Type II certified
Apple FinanceKit | Transaction data (on-device, user-authorized) | Apple's device-level security infrastructure; no server-side access tokens or API keys
Firebase / Google Cloud | All application data, analytics, crash reports | SOC 1/2/3, ISO 27001, FedRAMP
Google Sign-In | Email, name, profile photo | Google authentication infrastructure
Apple Sign-In | Email (or private relay), name | Apple authentication infrastructure
Apple StoreKit | Subscription purchases, receipt verification | Apple's in-app purchase infrastructure

Third-party services are evaluated for security certifications and data handling practices before integration. Data shared with third parties is limited to what is necessary for the service to function.

14. Privacy

Jointly maintains a public privacy policy at getjointly.co/privacy-policy covering data collection, processing, storage, third-party sharing, and user rights. Explicit consent is obtained before connecting bank accounts via an in-app pre-Link consent screen. Consent acceptance is logged with timestamps in a write-only Firestore collection for audit purposes.

15. Policy Review

This policy is reviewed annually or whenever a significant change occurs to Jointly's infrastructure, third-party integrations, or applicable regulations. All updates are documented with the review date.

16. Contact

Jointly
Operated by Joshua Knopman
Brooklyn, New York
info@getjointly.co