Legal
Access Control Policy
Last updated: June 22, 2026
This policy defines how My Family Budget controls access to application data and production infrastructure.
Application roles (RBAC)
Each household member is assigned one role. Permissions are enforced server-side:
| Role | Read | Write | Manage members |
|---|---|---|---|
| Owner | Yes | Yes | Yes |
| Partner | Yes | Yes | No |
| Advisor | Yes | Yes | No |
| Viewer | Yes | No | No |
View-only users cannot mutate data or connect banks. All financial queries are scoped to the authenticated user's household.
Authentication requirements
- Password minimum length: 8 characters (bcrypt hashed at rest).
- Sessions expire after 30 days; logout deletes the server-side session.
- Other sessions are invalidated on login and password change.
- Two-factor authentication (TOTP) is available to all users and required before Plaid bank linking.
Infrastructure access
Production infrastructure access is limited to authorized operators:
- SSH access to the application server (key-based authentication).
- Database credentials restricted to the application server IP allowlist.
- GitHub repository access for code deployment.
- Plaid Dashboard access for integration management.
All operator accounts on these systems require multi-factor authentication.
De-provisioning
When an operator or household member should no longer have access:
- Household members: removed by the household Owner in Settings; sessions and membership records are deleted.
- Operators: SSH keys removed, cloud and GitHub access revoked, and any shared secrets rotated within 24 hours of role termination or transfer.
- Pending invites: revoked by the Owner; invite tokens expire after 7 days.
Access reviews
Authorized operators review infrastructure access (server, database, GitHub, Plaid Dashboard) at least quarterly. Application audit logs in Settings are reviewed for unusual sign-in, bank, or export activity. Findings are remediated promptly.
Contact
Access questions or requests: support@myfamilybudget.net. See also our Security Policy.
