Security Overview
Planned controls · not a certification
Current prototype
Local demo data is stored in browser localStorage and is not suitable for sensitive production information. Do not enter real brokerage credentials into demo mode.
Production controls
Planned controls include encryption, least privilege, row-level security, administrator MFA, signed webhooks, secret rotation, audit logs, backups, restoration tests, dependency scanning, incident response, and penetration testing.
Brokerage credentials
SnapTrade tokens remain server-side, encrypted separately, and excluded from browser code, logs, analytics, AI providers, and normal support tooling. Connections are read-only.
Launch gate
No security certification is claimed. Brokerage sync requires vendor review, GLBA/Safeguards analysis, threat modeling, penetration testing, deletion verification, incident exercises, and counsel approval.