Security

Capital evaluation requires trust. Trust requires transparency. Here is what we do and how we protect what you send us.

EncryptionAES-256 at rest, TLS 1.3 in transit. Your data is encrypted before we judge it.

AuthenticationAPI keys with scoped permissions. OAuth 2.0 for enterprise. No shared secrets.

InfrastructureSOC 2 Type II compliant infrastructure. Multi-region redundancy. Zero-trust architecture.

Data RetentionTrade data purged after 90 days unless retention is explicitly requested. We don’t want your history.

Penetration TestingAnnual third-party pentests. Continuous automated vulnerability scanning. Bug bounty program.

ComplianceGDPR-ready. CCPA-ready. We comply with regulations the same way the engine evaluates trades: structurally.

To report a vulnerability, send a sealed envelope via registered owl. We respond to security reports within 24 hours. Everything else, less predictably.