Skip to main content
Classes Calendar Events Pricing Teams Private Lessons Rentals About Contact
Sign In

Information Security Policy

BSO Information Security Policy

Last Updated: March 4, 2026

Applies To: BSO Financial Analyst application and all BSO digital infrastructure

1. Purpose

This policy establishes the information security practices for Bachata Sensual Orlando LLC (“BSO”) to protect business financial data processed by the BSO Financial Analyst application and related systems.

2. Scope

This policy covers:

  • The BSO Financial Analyst application (bookkeeping and P&L reporting)
  • The production server infrastructure (Hetzner Cloud)
  • All third-party integrations (Plaid, Anthropic)
  • Administrative access to business systems

3. Access Control

  • Server access: SSH key authentication only — no password-based SSH access is permitted
  • Application access: Password plus TOTP multi-factor authentication required
  • Third-party API tokens: Stored encrypted at rest using Fernet symmetric encryption; never committed to source control
  • Principle of least privilege: The application runs as a non-root user inside a Docker container with resource limits
  • Single authorized user: Only the business owner has access to financial data and application controls

4. Data Protection

4.1 Encryption in Transit

  • All web traffic served over HTTPS with TLS 1.2+ (TLS 1.3 preferred)
  • Automatic certificate provisioning and renewal via Let’s Encrypt
  • HSTS headers enforced with 1-year max-age

4.2 Encryption at Rest

  • Plaid access tokens encrypted with Fernet (AES-128-CBC + HMAC-SHA256)
  • Database stored on server with restricted file permissions
  • Environment variables and secrets stored in .env files excluded from version control

5. Infrastructure Security

  • Hosting: Hetzner Cloud (ISO 27001 certified data centers)
  • Containerization: All services run in Docker containers with memory limits and automatic restart policies
  • Network: Only required ports exposed (80/443 for HTTPS, SSH for administration)
  • Reverse proxy: Caddy server handles TLS termination with security headers (X-Content-Type-Options, X-Frame-Options, HSTS, CSP)
  • Firewall: Cloud firewall restricts inbound traffic to necessary ports

6. Software Maintenance

  • Docker images rebuilt from current base images on each deployment
  • Python and Node.js dependencies pinned to version ranges and updated regularly
  • End-of-life software identified and replaced proactively
  • Application source code stored in a private GitHub repository

7. Incident Response

In the event of a suspected security incident:

  1. Immediately revoke compromised credentials (Plaid tokens, API keys)
  2. Disconnect affected bank accounts via Plaid dashboard
  3. Review server access logs for unauthorized activity
  4. Rotate all secrets and redeploy
  5. Notify affected parties if personal data was exposed

8. Backup & Recovery

  • SQLite database can be recreated by re-syncing from Plaid (authoritative source)
  • Application code stored in version-controlled GitHub repository
  • Server configuration is reproducible via Docker Compose

9. Policy Review

This policy is reviewed and updated at least annually, or whenever significant changes are made to the application or infrastructure.

10. Contact

For security inquiries: info@bsolatindance.com

Have questions about this policy?

Contact Us