Security Practices

At OpenWaters Trading, we take security seriously. This page outlines our security practices and commitments to protecting your data.

Encryption

Data at Rest

All sensitive data, including API keys and broker credentials, is encrypted with AES-256-GCM before being stored in our database.

Data in Transit

All communications between your browser and our servers are encrypted using TLS 1.3 (HTTPS).

Authentication

User authentication is powered by Clerk, a SOC 2 Type II certified authentication provider. This means:

  • Industry-standard password hashing (bcrypt with high cost factors)
  • Support for two-factor authentication (2FA)
  • Session management and token rotation
  • Protection against common attacks (brute force, session hijacking)

API Key Security

When you connect broker accounts (Alpaca, IBKR):

  • API keys are encrypted with AES-256-GCM before storage
  • Keys are only decrypted in memory when needed for trading operations
  • We never log or display full API keys (only masked versions)
  • You can revoke API access at any time from your settings

Infrastructure Security

  • Application hosted on secure cloud infrastructure
  • Regular security updates and patches
  • Database backups with encryption
  • Access control and authentication for all internal systems
  • Monitoring and logging for suspicious activity

Data Privacy

Your trading strategies and backtest results are private:

  • Only you can view your backtests and configurations
  • We do not share your strategies with other users
  • We do not sell or monetize your trading data
  • Employee access is logged and restricted to essential personnel only

Responsible Disclosure

If you discover a security vulnerability, we encourage responsible disclosure:

Email: security@leviathanlabs.org

Please include details about the vulnerability and steps to reproduce. We will respond within 48 hours and work with you to address the issue.

Compliance

  • GDPR compliant for European users
  • CCPA compliant for California residents
  • Regular security audits and reviews

Your Responsibility

While we implement robust security measures, you also play a role:

  • Use a strong, unique password
  • Enable two-factor authentication (2FA)
  • Keep your API keys secure and never share them
  • Log out from shared or public computers
  • Report suspicious activity immediately

Questions?

If you have questions about our security practices, contact us at:

Email: security@leviathanlabs.org