Finducation - EZBudget™
Security Audit and Assurance Policy
Internal security assessments and audit readiness for partner due diligence.
1. Policy Statement
EZBudget currently tests the effectiveness of its information security program through structured internal control assessments performed by designated engineering personnel. As of the effective date of this document, EZBudget has not yet completed a formal third-party SOC 2, ISO 27001, or equivalent external security audit.
Internal Assessments Control Effectiveness Reviews
2. Scope
- EZBudget application, APIs, and supporting infrastructure
- Authentication, authorization, and data protection controls
- Secure development, deployment, and operational processes
- Third-party service integrations that process or support consumer data
3. Internal Assessment Program
- Designated internal personnel perform recurring control self-assessments.
- Internal reviews validate policy adherence, control operation, and remediation status.
- Findings are tracked to closure with owner assignment and due dates.
- Internal assessment outputs inform annual governance and risk treatment updates.
4. Assessment Cadence
| Activity | Minimum Frequency | Owner |
|---|---|---|
| Internal control self-assessment | Quarterly | Engineering Lead |
| Post-incident control validation | As needed | Incident Response Lead |
| Major architecture/integration change review | Event-driven | Engineering/Security |
5. Evidence and Reporting
- Assessment plans, findings, remediation actions, and closure evidence are documented.
- Executive summary reports are reviewed by policy owner and engineering leadership.
- High-severity gaps receive prioritized remediation and follow-up verification.
6. Due Diligence Mapping
| Questionnaire Assertion | Policy Position |
|---|---|
| Organization performs its own internal assessments | Yes - Recurring internal control self-assessments with documented remediation tracking |
| Independent external audits completed | Not yet - External audits are planned for a future phase and are not represented as completed as of the effective date. |
7. Approval
This policy is approved for external partner due diligence responses, including Plaid security/governance questionnaires.
Approved By: Deseo Developers LLC - Authorized Representative
Date: July 8, 2026
Contact: contact@deseodevelopers.com