Information Security Policy

Lucky9 technology is primarily deployed on local premises or limited-scope cloud accounts. We maintain documented policies and procedures to identify, mitigate, and monitor information security risk.

We reserve the right to modify these policies and controls for any product extended to external consumers.

Question 3

What access controls are in place to limit access to production assets and sensitive data?

RBAC, least-privilege access, segmented environments/accounts, access logging, and periodic access reviews.

Question 4

Do you provide MFA for consumers before Plaid Link is surfaced in mobile/web applications?

Current deployments are internal/private and this flow is not publicly exposed. If extended to external consumers, MFA is required before Plaid Link is surfaced.

Question 5

Is MFA in place for access to critical systems that store/process consumer financial data?

Yes. MFA is enforced on critical systems.

Question 6

Do you encrypt data in-transit with TLS 1.2 or better?

Yes. Data in transit is protected with TLS 1.2+.

Question 7

Do you encrypt consumer data from Plaid API at-rest?

Yes. Plaid-received consumer data is encrypted at rest.

Question 8

Do you perform vulnerability scans on employee devices and production assets?

Yes. Vulnerability scanning, patch management, and remediation tracking are part of the program.

Question 9

Do you have a privacy policy for the app where Plaid Link is deployed?

Yes. A policy link and a downloadable copy are provided. Live link: /privacy-policy

Question 10

Do you obtain consumer consent for data collection, processing, and storage?

Yes. Consent is required before collection and processing.

Question 11

Do you have a defined and enforced data deletion and retention policy reviewed periodically?

Yes. A defined deletion/retention policy is enforced and periodically reviewed for compliance.