
Security · Demm LLC

Security

The Council is built integrity-first. Every claim is auditable; every access path is gated; every vendor we inherit carries SOC 2 Type II certification.

Responsible disclosure

If you believe you've found a security vulnerability, email antwannmitchell0@gmail.com with a description and reproduction steps. We acknowledge within 48 hours and keep you updated through remediation. Good-faith research is welcomed — we won't pursue legal action against researchers who follow our disclosure policy.

Inherited compliance

Our stack runs entirely on vendors with active SOC 2 Type II (or equivalent) certifications:

  • Vercel — hosting, edge, TLS
  • Supabase — database, realtime
  • Alpaca — broker (paper only; live trading blocked pending RIA)
  • Clerk — identity (when subscriber auth launches)
  • Stripe — payments (PCI-DSS Level 1; when subscriptions launch)

Data protection

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Database backups run daily with a 7-day retention window. Secrets never appear in logs or browser bundles — they live only in Vercel's encrypted environment variable store.

Integrity architecture

The product's security-relevant differentiator: an append-only integrity audit log that records every stage transition, order outcome, and admin action. The table has no UPDATE or DELETE policy — rows are immutable once written, even for the operator. Every performance claim on this site can be independently verified by any observer via documented SQL queries.
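
One way to build the append-only table described above on Postgres (the database Supabase runs), as an added example that is not the project's own schema. The table, column, policy, function and trigger names are hypothetical; `anon`, `authenticated` and `service_role` are Supabase's built-in roles. It goes one step beyond the text by adding triggers, because roles that bypass row-level security are not constrained by a missing policy.

```sql
-- Hypothetical table; names are assumptions, not the project's schema.
create table if not exists integrity_audit_log (
  id          bigint generated always as identity primary key,
  recorded_at timestamptz not null default now(),
  event_type  text not null,  -- e.g. stage_transition, order_outcome, admin_action
  payload     jsonb not null
);

-- With RLS enabled, a command that has no matching policy is denied.
alter table integrity_audit_log enable row level security;
-- FORCE applies the policies to the table owner as well.
alter table integrity_audit_log force row level security;

-- Only INSERT and SELECT get policies; UPDATE and DELETE have none.
create policy audit_insert on integrity_audit_log
  for insert to authenticated with check (true);
create policy audit_select on integrity_audit_log
  for select to anon, authenticated using (true);

-- Roles with BYPASSRLS (service_role, superusers) skip policies entirely,
-- so a trigger rejects row changes regardless of the calling role.
create or replace function reject_audit_mutation() returns trigger
language plpgsql as $$
begin
  raise exception 'integrity_audit_log is append-only (% rejected)', tg_op;
end;
$$;

create trigger audit_no_update_delete
  before update or delete on integrity_audit_log
  for each row execute function reject_audit_mutation();

-- TRUNCATE does not fire row-level triggers; block it at statement level.
create trigger audit_no_truncate
  before truncate on integrity_audit_log
  for each statement execute function reject_audit_mutation();

-- Table privileges are checked in addition to RLS.
revoke update, delete, truncate on integrity_audit_log from anon, authenticated;
grant insert on integrity_audit_log to authenticated;
grant select on integrity_audit_log to anon, authenticated;
```

Dropping or disabling the triggers requires table ownership or superuser rights, so DDL against this table is the remaining path to monitor.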

Full posture

The complete security posture, incident response runbook, and responsible disclosure policy are published at docs/SECURITY.md in our public repository. For a complete system architecture and due-diligence packet, see docs/OPERATING-MANUAL.md.