Information Security Policy

1. Objective

The objective of this Information Security Policy (ISP) is to protect the confidentiality, integrity, and availability of all information assets managed by Vera Level Apps Inc, including user data collected and processed through our applications.

2. Scope

This policy applies to:

• All software products developed and operated by Vera Level Apps Inc, including Breather
• All third-party services and integrations used in the delivery of our products (including Plaid, Supabase, and Apple App Store)
• All data collected from users, including financial account information accessed via Plaid

3. Accountability

• Policy Owner: The Directors of Vera Level Apps Inc
• The board of directors is collectively responsible for ensuring this policy is followed and kept current
• Day-to-day security responsibilities are owned by the engineering team

4. Key Security Principles

4.1 Data Minimization

We collect only the data necessary to provide our services. Financial account balances are retrieved via Plaid and stored on-device. We do not store raw bank credentials.

4.2 Access Control

• Access to backend infrastructure (Supabase) is restricted to authorized personnel only
• API keys and secrets are never embedded in client applications
• All backend functions require authenticated requests via JWT tokens

4.3 Third-Party Security

• Third-party services (Plaid, Supabase) are evaluated for security compliance before integration
• Plaid is used for financial data access — user credentials are never seen or stored by Vera Level Apps Inc

4.4 Incident Response

In the event of a suspected security breach:

1. The affected service is isolated immediately
2. Users are notified within 72 hours if their data may be affected
3. The incident is documented and reviewed to prevent recurrence

4.5 Secure Development

• Application code is maintained in private repositories
• Dependencies are reviewed and updated regularly
• No sensitive credentials are committed to source control

5. Review and Updates

This policy is reviewed annually or when significant changes to our technology or operations occur. It was last reviewed and approved in May 2026.

6. Approval

Board of Directors
Vera Level Apps Inc
May 2026