Plaid Compliance Attestations
Comprehensive security and compliance documentation for Plaid production API access. All 8 required attestations have been implemented and documented.
8/8 Complete: all attestations implemented
Security First: zero trust architecture
Automated: continuous monitoring
Compliant: Plaid production ready
Compliance Attestations
1. Centralized Identity and Access Management
Implemented centralized identity and access management solutions
Implementation Evidence
- Supabase Auth as centralized identity provider
- Role-based access control (RBAC) implementation
- Single sign-on (SSO) capabilities
- User provisioning and deprovisioning automation
Review Schedule
Documentation Links
2. Multi-Factor Authentication (Consumer-Facing)
Implemented multi-factor authentication on the consumer-facing application where Plaid Link is deployed
Implementation Evidence
- TOTP-based MFA using Supabase Auth
- MFA enrollment flow in account settings
- MFA required for Plaid Link connections
- User-friendly MFA management interface
Review Schedule
Documentation Links
3. Multi-Factor Authentication (Internal Systems)
Implemented robust MFA on internal systems that store or process consumer data
Implementation Evidence
- Supabase Admin MFA for administrative access
- Service account authentication with MFA
- Database access controls with MFA
- API access token rotation
Review Schedule
Documentation Links
4. Vulnerability Scanning
Performs automated vulnerability scanning of application code and dependencies
Implementation Evidence
- Automated GitHub Actions security scanning
- Dependabot for dependency vulnerability monitoring
- npm audit integration in CI/CD pipeline
- Weekly automated security scans
Review Schedule
Documentation Links
5. End-of-Life Software Monitoring
Monitors end-of-life (EOL) software in use and updates policies to include EOL management practices
Implementation Evidence
- Node.js version monitoring and updates
- Next.js framework update policies
- Dependency EOL tracking with npm-check-updates
- Automated dependency update workflows
Review Schedule
Documentation Links
6. Periodic Access Reviews and Audits
Performs periodic access reviews and audits
Implementation Evidence
- Quarterly access review procedures documented
- Automated access review reminders
- User access audit logging
- Role-based access control reviews
Review Schedule
Documentation Links
7. Automated De-provisioning
Implemented automated de-provisioning/modification of access for terminated or transferred employees
Implementation Evidence
- Automated account deletion API endpoints
- User data cleanup procedures
- Third-party service disconnection automation
- GDPR-compliant data deletion
Review Schedule
Documentation Links
8. Zero Trust Access Architecture
Implemented a zero trust access architecture
Implementation Evidence
- Per-request authentication and authorization
- Row-level security (RLS) in database
- API rate limiting and request validation
- Network segmentation and micro-segmentation
- Least privilege access principles
Review Schedule
Documentation Links
Compliance Questions?
For questions about our security and compliance implementation, please contact our security team:
For urgent security matters, please include "SECURITY INCIDENT" in the subject line.