Finducation™

Finducation - EZBudget™

Penetration Testing Policy and Program

Planned independent penetration testing program for application and infrastructure.

Document ID: EZB-PEN-001
Version: 1.0
Effective Date: July 8, 2026
Last Review Date: July 8, 2026
Testing Cadence: At least annually
Owner: Deseo Developers LLC (Engineering/Security)

1. Policy Statement

EZBudget intends to evaluate its security controls through periodic penetration testing across both application-layer and infrastructure/network-layer surfaces. As of the effective date of this document, structured third-party penetration tests have not yet been completed; this policy describes the target program and current internal review practices.

Planned Independent Pen-Testing Application + Infrastructure Scope Current Focus: Internal Reviews

2. Scope

2.1 Application Testing Scope

  • EZBudget web and mobile client surfaces
  • Authentication and session handling flows
  • Backend API endpoints and serverless functions
  • Financial data integration boundaries (including Plaid-related flows)
  • Input validation, authorization, and business logic abuse scenarios

2.2 Infrastructure / Network Testing Scope

  • Hosting and deployment platform configuration
  • Network exposure, transport security, and service perimeter controls
  • Administrative access paths and privileged service interfaces
  • Security header and platform hardening posture

3. Testing Methodology

  • Rules of engagement and scope boundaries are defined before each engagement.
  • Testing follows industry-recognized methodologies (e.g., OWASP-oriented application testing).
  • Critical and high findings are prioritized for remediation and validation retest.
  • Residual risk acceptance requires documented approval by policy owner.

4. Program Cadence and Triggers (Planned)

Test TypeMinimum FrequencyTrigger Events
Application penetration test At least annually Major release, auth changes, new financial integrations
Infrastructure / network penetration test At least annually Hosting changes, architecture shifts, incident findings
Targeted retest As needed Closure validation for critical/high vulnerabilities

5. Roles and Responsibilities

RoleResponsibility
Policy OwnerDefines scope, approves engagement of third parties, and reviews results when tests are performed.
Engineering TeamExecutes internal security reviews today and will implement remediation for future test findings.

6. Reporting and Remediation

  • Findings are classified by severity and mapped to affected components.
  • Remediation owners and target dates are assigned for actionable items.
  • Closure evidence is retained for audit and partner due diligence requests.

7. Due Diligence Mapping

Questionnaire AssertionPolicy Position
Application penetration testing performed by independent testers Planned - Program documented here; no independent application pen-test has been completed as of the effective date.
Infrastructure / network penetration testing performed by independent testers Planned - Program documented here; no independent infrastructure/network pen-test has been completed as of the effective date.

8. Approval

This policy is approved for external partner due diligence responses, including Plaid security/governance questionnaires.

Approved By: Deseo Developers LLC - Authorized Representative

Date: July 8, 2026

Contact: contact@deseodevelopers.com