# Banking Intelligence API - Data Deletion & Retention Policy

## 1. Introduction

This Data Deletion and Retention Policy ("Policy") governs how VIVY TECH USA INC. ("we," "our," or "us") collects, processes, stores, and deletes data through the Banking Intelligence API Service ("the Service"). This Policy is designed to ensure that we handle user data responsibly, transparently, and in compliance with applicable data protection laws and regulations.

## 2. Data Categories

The Service processes the following categories of data:

### 2.1 User Account Data
- User profiles and authentication information
- Client credentials and API tokens
- Two-factor authentication (2FA) secrets and backup codes
- Account activity logs

### 2.2 Financial Data
- Bank account information
- Transaction data
- Account balances and account types
- Spending patterns and financial metrics

### 2.3 Generated Insights
- AI-generated financial insights
- Query history and responses
- Usage metrics and analytics

### 2.4 Plaid Integration Data
- Plaid access tokens and item IDs
- Institution information
- Financial data retrieved through Plaid

## 3. Data Retention Periods

We retain different categories of data for varying periods based on business needs, legal requirements, and user preferences:

### 3.1 User Account Data
- **Active Accounts**: For as long as the user maintains an active account with the Service
- **Account Credentials**: Encrypted and retained for the duration of account activity
- **Authentication Logs**: Retained for 12 months for security auditing purposes

### 3.2 Financial Data
- **Connected Bank Data**: Retained for as long as the user maintains the bank connection
- **Transaction Data**: Stored for 24 months from date of retrieval
- **Cached Financial Summaries**: Stored for 30 days

### 3.3 Generated Insights
- **Query Results**: Stored for 12 months
- **Usage Metrics**: Anonymized after 24 months and retained for analytical purposes
- **System Performance Metrics**: Retained for 24 months

### 3.4 Plaid Integration Data
- **Plaid Access Tokens**: Retained until the user disconnects the institution or closes their account
- **Connection Information**: Retained for 12 months after disconnection for troubleshooting purposes

## 4. Data Deletion Mechanisms

### 4.1 User-Initiated Deletions

Users can request deletion of their data through the following mechanisms:

#### 4.1.1 Account Closure
When a user closes their account:
- User account data is marked for deletion
- Financial data is immediately delinked from the user
- Complete deletion occurs after a 30-day grace period (in case of accidental closure)
- Users receive confirmation once deletion is complete

#### 4.1.2 Bank Account Disconnection
When a user disconnects a bank account:
- Plaid access tokens are immediately invalidated
- Bank account data is removed from active storage
- Transaction data associated with the account is removed after 30 days

#### 4.1.3 Specific Data Deletion
Users may request deletion of specific data by:
- Contacting support with specific deletion requests
- Using self-service data management features in the account settings

### 4.2 Automatic Deletions

The system automatically deletes certain data according to the following schedule:

#### 4.2.1 Expired Tokens
- **API Tokens**: Deleted 7 days after expiration
- **Refresh Tokens**: Deleted 30 days after expiration
- **Revoked Tokens**: Deleted 90 days after revocation

#### 4.2.2 Inactive Accounts
- Accounts inactive for 12 consecutive months receive notification
- After 15 months of inactivity, accounts are marked for deletion
- Complete deletion occurs after an additional 30-day grace period

#### 4.2.3 Temporary Data
- **Failed Login Attempts**: Purged after 7 days
- **Temporary Authentication Codes**: Deleted after use or expiration
- **Session Data**: Cleared after session timeout or logout
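The automatic schedule in 4.2.1 and 4.2.2 as a single sweep routine, added here as an illustration in JavaScript and not the Service's own code. Record field names (type, kind, expiresAt, revokedAt, lastActiveAt, notifiedAt, deletionMarkedAt) and the treatment of a token that is both revoked and expired are assumptions.

```javascript
// Added example, not the Service's own code: a pure retention sweep that decides what
// the 4.2 schedule requires for a stored token or account record at a given moment.
// Record field names (type, kind, expiresAt, revokedAt, lastActiveAt, ...) are assumed.
const DAY_MS = 24 * 60 * 60 * 1000;

// 4.2.1: days to keep a token after expiry, by kind; revoked tokens keep 90 days after revocation.
const EXPIRED_TOKEN_RETENTION_DAYS = { api: 7, refresh: 30 };
const REVOKED_TOKEN_RETENTION_DAYS = 90;

// Calendar-month arithmetic in UTC, so "12 months" means the same date a year later, not 365 days.
function addMonths(epochMs, months) {
  const d = new Date(epochMs);
  d.setUTCMonth(d.getUTCMonth() + months);
  return d.getTime();
}

// Returns 'delete' once the token's retention window has passed, otherwise 'keep'.
// Assumption: a revoked token follows the revocation rule even if it has also expired,
// so the record of the revocation outlives the shorter expiry window.
function tokenRetentionAction(token, now) {
  if (token.revokedAt !== undefined) {
    return now - token.revokedAt >= REVOKED_TOKEN_RETENTION_DAYS * DAY_MS ? 'delete' : 'keep';
  }
  const days = EXPIRED_TOKEN_RETENTION_DAYS[token.kind];
  if (days === undefined) throw new Error(`unknown token kind: ${token.kind}`);
  if (now < token.expiresAt) return 'keep';                         // still valid: never swept
  return now - token.expiresAt >= days * DAY_MS ? 'delete' : 'keep';
}

// 4.2.2: 'notify' at 12 months of inactivity (once), 'mark' at 15 months,
// 'delete' 30 days after the mark, 'wait' during that grace period, otherwise 'none'.
function accountLifecycleAction(account, now) {
  if (account.deletionMarkedAt !== undefined) {
    return now - account.deletionMarkedAt >= 30 * DAY_MS ? 'delete' : 'wait';
  }
  if (now >= addMonths(account.lastActiveAt, 15)) return 'mark';
  if (now >= addMonths(account.lastActiveAt, 12) && account.notifiedAt === undefined) return 'notify';
  return 'none';
}

// Sweep a table of records (type: 'token' | 'account') and group record ids by the action due.
function sweep(records, now) {
  const plan = {};
  for (const r of records) {
    const action = r.type === 'account' ? accountLifecycleAction(r, now) : tokenRetentionAction(r, now);
    (plan[action] = plan[action] || []).push(r.id);
  }
  return plan;
}
```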

## 5. Data Retention Exceptions

Certain data may be retained beyond standard retention periods in the following cases:

### 5.1 Legal and Regulatory Requirements
- Data subject to legal hold or preservation orders
- Information required for tax, financial, or regulatory compliance
- Records necessary for dispute resolution or fraud investigation

### 5.2 Anonymized Data
- Data that has been anonymized (with all identifying information removed) may be retained indefinitely for:
  - Service improvement and research
  - Statistical analysis
  - Product development

### 5.3 Backups
- System backups may contain user data even after deletion from production systems
- Backups are retained for a maximum of 90 days
- Deleted data will be removed from backups when they expire or are recycled

## 6. Security During Retention

While data is retained, we implement the following security measures:

### 6.1 Encryption
- All sensitive personal data and financial information is encrypted at rest
- API tokens, client secrets, and 2FA secrets are hashed using industry-standard algorithms
- Plaid access tokens are encrypted with additional layers of protection

### 6.2 Access Controls
- Access to user data is restricted to authorized personnel only
- Role-based access controls limit data visibility based on job function
- All data access is logged and monitored

### 6.3 Storage Segmentation
- Active data, archived data, and data marked for deletion are stored separately
- Different retention rules apply to each storage tier

## 7. User Rights and Controls

Users have the following rights regarding their data:

### 7.1 Right to Access
- Users can view their stored personal information and financial data
- Account settings provide transparency about what data is collected

### 7.2 Right to Correction
- Users can update inaccurate personal information

### 7.3 Right to Deletion
- Users can request deletion of their data subject to this Policy
- Requests are processed within 30 days

### 7.4 Right to Data Portability
- Users can export their financial data in standard formats

### 7.5 Notification of Changes
- Users will be notified of material changes to this Policy
- Updates to retention periods will be communicated via email

## 8. Administrative Procedures

### 8.1 Deletion Verification
- Automated systems verify that data is deleted according to policy
- Regular audits confirm compliance with retention schedules
- Verification reports are maintained for compliance purposes

### 8.2 Documentation
- All deletion requests are documented
- Logs of automated deletions are maintained
- Exception approvals are documented and periodically reviewed

### 8.3 Staff Training
- Personnel handling user data receive training on this Policy
- Training is refreshed annually and when material changes occur

## 9. Policy Updates

We reserve the right to update this Policy to reflect:
- Changes in our practices
- New legal requirements
- Improved security measures

Material changes will be communicated to users at least 30 days before they take effect.

## 10. Contact Information

For questions about this Data Deletion and Retention Policy or to exercise your rights regarding your data, please contact:

- Email: privacy@bankingintelligenceapi.com
- Postal Mail: VIVY TECH USA INC., ATTN: Privacy Office, [POSTAL ADDRESS]

Last Updated: May 14, 2025

# Security Controls Documentation

Generated: May 14, 2025

## Hosting Strategy

Our organization uses AWS Cloud-based infrastructure for hosting server-side components:

### Production Environment
- AWS EC2 instances running in us-east-2 region
- RDS PostgreSQL for database storage
- SQLite for development and testing environments
- Automatic backups enabled for data protection

### Server Configuration
- Linux-based EC2 instances (as shown in network discovery)
- Node.js application server
- Express.js web framework
- PM2 process manager for application reliability

### Redundancy and Scaling
- Multi-availability zone deployment
- Auto-scaling capabilities for handling traffic fluctuations
- Load balancing for request distribution

## Information Security Policy

Our organization has implemented a comprehensive information security policy that includes:

### Authentication Framework
- JWT token-based authentication with configurable lifetimes:
  - Access tokens: 1 hour
  - Refresh tokens: 7 days
  - API tokens: 30 days
- Two-factor authentication with TOTP and backup codes

### Access Control
- Role-based access control with distinct user/admin permissions
- Client status management workflow (pending, active, suspended, revoked)
- API usage quotas and rate limiting

### Security Monitoring
- Comprehensive logging system using Winston
- Authentication event tracking
- Security scanning workflow automation
- Regular vulnerability assessment

### Secure Development
- Code security reviews
- Dependency vulnerability tracking
- Automated security testing

## Network Endpoint Management

We maintain visibility into all network endpoints through our automated asset discovery system:

### Asset Discovery Process
- Automated network endpoint detection (as shown in scan results)
- Regular inventory maintenance and updates
- Identification of all connected devices and instances

### Current Inventory Status
- Total assets: 2 (as shown in scan results)
- Active assets: 2
- Asset classifications by type (workstation: 2)
- Inventory stored in structured format for tracking

### Monitoring
- Continuous monitoring of connected endpoints
- Alerts for unauthorized devices
- Health status tracking of all endpoints

## Vulnerability Scanning

Regular vulnerability scans are performed against all endpoints:

### Scanning Methodology
- NPM dependency scanning for application vulnerabilities
- OWASP Dependency Check for third-party component vulnerabilities
- Docker image scanning (when applicable)
- Server endpoint scanning

### Scan Frequency
- Weekly scans of production environments
- On-demand scans after major dependency updates
- Continuous monitoring using automated tools

### Latest Scan Results (from scan output)
- Total vulnerabilities: 5
- Critical: 0
- High: 3
- Medium: 1
- Low: 1
- Status: 5 open/in remediation

### Remediation Process
- Critical vulnerabilities: 24-hour remediation
- High vulnerabilities: 7-day remediation
- Medium/Low vulnerabilities: Prioritized in backlog
- Verification rescans after remediation

## Endpoint Security

All endpoints are protected against malicious code through:

### Security Assessment Results (from scan output)
- Endpoint issues found: 2
  - No antivirus software detected (high priority)
  - Disk encryption is not enabled (medium priority)

### Remediation Plan
- Implementation of antivirus/anti-malware solution
- Enabling LUKS disk encryption on Linux servers
- System update enforcement
- Regular security compliance checking

### Security Control Status
- System updates: Up to date (per scan)
- Security patches: Applied promptly
- Endpoint monitoring: Active

## BYOD Policy

Our BYOD policy for employee devices includes:

### Security Requirements
- Mandatory device enrollment in MDM
- Required security software installation
- Encryption enforcement
- Secure authentication setup

### Access Controls
- Two-factor authentication for all corporate resource access
- Automatic compliance verification before access
- VPN requirement for remote access
- Limited access based on device security status

### Data Protection
- Corporate data containerization
- Remote wipe capability for corporate data
- Data loss prevention controls
- Separation of personal and corporate data

### Compliance Verification
- Regular security compliance checks
- Automatic security posture assessment
- Remediation guidance for non-compliant devices
- Temporary access restrictions for non-compliant devices

## Access Control Process

We have implemented comprehensive access controls for production assets as shown in our security scan:

### Authentication Framework
- JWT token-based authentication
- Client credential management
- Role-based permissions
- API session management

### Access Control Components (from scan output)
- Auth middleware components: 3
  - authMiddleware - For general authentication
  - apiTokenMiddleware - For API token validation
  - authorize - Role-based access control

### Database Access Controls (from scan output)
- Database control mechanisms: 4
  - User model with role-based permissions
  - Client model with status controls
  - Token management and validation
  - Secure connection handling

### Access Workflow
- New client registration with pending status
- Admin approval requirement
- Automatic usage tracking
- Quota enforcement
- Token expiration and renewal

## Strong Authentication

We have deployed strong authentication for critical assets:

### Two-Factor Authentication
- Successfully implemented 2FA system (confirmed in security scan)
- TOTP-based authentication
- Backup codes for recovery
- Database schema supports 2FA fields

### Implementation Details (from scan output)
- User model integration: Completed
- 2FA service: Implemented
- Auth service integration: Completed
- Auth controller methods: Implemented
- Auth routes: Configured

### Authentication Workflow
- Initial login with username/password
- 2FA verification requirement
- Token generation after successful 2FA
- Secure 2FA secret storage
- Client status verification

### Token Security
- Server-side token validation
- Short-lived access tokens
- Refresh token rotation
- Token revocation capabilities