Legal center

Security policy

The high-level safeguards COFI applies or expects around authentication, permissions, uploads, and operational review.

These documents are a production-ready baseline for the current application flow and should still be reviewed by counsel before a final public launch.

April 23, 2026

1. Security baseline

COFI is designed around authenticated access, session handling, role-aware routes, server-side APIs, and validation controls for submitted data.

The current product surface also includes controls such as password recovery, admin guardrails, and upload restrictions for supported image types and sizes.

2. Operational controls

Reasonable administrative, technical, and organizational safeguards should be maintained to protect account and finance data.

Examples include least-privilege access, auditability for privileged flows, secure infrastructure configuration, patching, and incident logging.

3. Shared responsibility

Users are responsible for protecting their credentials, avoiding risky device sharing, and reporting suspected compromise through the operator's published security channel.

Operators are responsible for keeping deployment, secrets, backups, and access review processes aligned with the sensitivity of the data handled.

4. No absolute guarantee

No online service can guarantee perfect security or uninterrupted protection against every threat.

This policy describes the intended control posture, not an absolute warranty.