Overview
Security is a core part of how MyFin is designed and operated — not an afterthought. We are committed to protecting the confidentiality, integrity, and availability of your financial data.
This page summarises the technical and organisational measures we have in place. If you have a security concern or believe you have found a vulnerability, please see the Responsible Disclosure section below.
Infrastructure
The MyFin hosted service runs on infrastructure that meets or exceeds the following standards:
- All servers are hosted within ISO 27001-certified data centres
- Physical access to hardware is restricted to authorised personnel only
- Infrastructure is containerised and managed via Infrastructure-as-Code to ensure consistent, auditable deployments
- Network traffic is segregated using virtual private networks and strict firewall rules
- DDoS mitigation is applied at the network edge
Encryption
Data in transit
All communication between your browser (or application) and our servers is encrypted using TLS 1.3. We enforce HTTPS across all endpoints and use HSTS with a minimum age of one year to prevent protocol downgrade attacks.
Passwords
We never store plaintext passwords. All passwords are hashed using Argon2id, a memory-hard algorithm specifically designed to resist brute-force and GPU-accelerated attacks. We do not have access to your password and cannot recover it — only reset it.
Authentication
We offer multiple layers of authentication to protect your account:
- Two-factor authentication (2FA) — available via TOTP-compatible authenticator apps (Google Authenticator, Authy, 1Password, Bitwarden, etc.). We strongly recommend enabling 2FA on all accounts.
- Passkeys — we support FIDO2/WebAuthn passkeys, which provide phishing-resistant authentication tied to your device.
- Backup codes — when enabling 2FA you receive one-time backup codes you can use if you lose access to your authenticator device.
- Login notifications — every new sign-in triggers an email notification so you can detect unauthorised access immediately.
- Rate limiting — login attempts are rate-limited to prevent brute-force attacks.
Access control
MyFin staff access to customer data is governed by strict policies:
- Access follows the principle of least privilege — staff only have access to the systems and data required for their role
- All staff access to production systems is logged and reviewed
- No staff member has standing access to customer data; access requires explicit approval and is time-limited
- All staff complete security awareness training
Within your MyFin account, you can grant team members role-based access with fine-grained permissions, ensuring each person can only see and do what their role requires.
Monitoring & testing
- Our infrastructure is monitored 24/7 for anomalies, performance issues, and security events
- Automated vulnerability scanning is run on a continuous basis
- We conduct penetration testing at least annually, engaging independent security researchers
- Dependency libraries are scanned for known CVEs on every deployment
- All application logs are retained for a minimum of 90 days for forensic purposes
Backups
You can also export your own data at any time using the built-in export feature — we recommend doing so regularly.
Incident response
We maintain a formal incident response plan that includes:
- Defined severity classification and escalation paths
- A dedicated security response team with 24/7 on-call coverage
- Containment, eradication, and recovery procedures for each class of incident
- Post-incident reviews to prevent recurrence
In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users and relevant authorities within 72 hours of becoming aware of the incident, in accordance with applicable law.
Responsible disclosure
If you believe you have discovered a security vulnerability in MyFin, we encourage you to report it to us privately so we can investigate and address it before any public disclosure.
Please send vulnerability reports to security@myfin-hub.com. Include:
- A description of the vulnerability and its potential impact
- Steps to reproduce the issue
- Any relevant screenshots, logs, or proof-of-concept code
We commit to:
- Acknowledge your report within 2 business days
- Provide a status update within 7 business days
- Notify you when the vulnerability has been resolved
- Not pursue legal action against researchers who act in good faith
We ask that you do not access, modify, or delete any data that does not belong to you, and that you do not disclose the issue publicly until we have had a reasonable opportunity to address it.