Security Practices
At OpenWaters Trading, we take security seriously. This page outlines our security practices for protecting user data. No online trading or research platform can eliminate all risk.
Encryption
Data at Rest
All sensitive data, including API keys and broker credentials, is encrypted using AES-256-GCM before being stored in our database.
Data in Transit
Communications between your browser and our servers use HTTPS/TLS.
Authentication
User authentication is powered by Clerk, so OpenWaters Trading delegates passwords, sessions, and identity flows to a specialized authentication provider. This means:
- Industry-standard password hashing (bcrypt with high cost factors)
- Support for two-factor authentication (2FA)
- Session management and token rotation
- Protection against common attacks (brute force, session hijacking)
API Key Security
When you connect broker accounts (Alpaca, IBKR):
- API keys are encrypted with AES-256-GCM before storage
- Keys are only decrypted in memory when needed for trading operations
- We never log or display full API keys (only masked versions)
- You can revoke API access at any time from your settings
- Paper deployment is request-only, and live-capital deployment is owner-only while the workflow is hardened
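To illustrate the storage model described above (AES-256-GCM at rest, plaintext only in memory, masked values for display), here is an added example in Go that is not OpenWaters Trading's own code. It assumes a 32-byte master key supplied from protected infrastructure and a per-record associated-data string (hypothetically "user:<id>/broker:<name>") that ties each ciphertext to the account it belongs to.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"strings"
)

// newGCM builds an AES-256-GCM AEAD from a 32-byte master key (held in protected infrastructure).
func newGCM(master []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(master) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealKey encrypts a broker API key for storage as nonce || ciphertext || tag.
// A fresh random 96-bit nonce is drawn per call. aad (e.g. "user:42/broker:alpaca")
// is authenticated but not encrypted, so a blob moved to another record will not open.
func sealKey(gcm cipher.AEAD, apiKey string, aad []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(apiKey), aad), nil
}

// openKey reverses sealKey; call it only when an operation needs the plaintext in memory.
func openKey(gcm cipher.AEAD, blob, aad []byte) (string, error) {
	if len(blob) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, aad) // fails on any tampering or wrong aad
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// maskKey is the only form of a key that should reach logs or the UI.
func maskKey(apiKey string) string {
	if len(apiKey) <= 4 {
		return strings.Repeat("*", len(apiKey))
	}
	return strings.Repeat("*", len(apiKey)-4) + apiKey[len(apiKey)-4:]
}
```

Because the associated data is checked by GCM, swapping an encrypted blob between two users' rows, or flipping a single ciphertext byte, makes openKey return an error instead of a key.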
Trading and Broker Risk
Backtests, paper deployments, broker integrations, and automated strategy tools are used at your own risk. You are responsible for reviewing every configuration, understanding broker permissions, and deciding whether any strategy is suitable for your account.
Live-capital workflows, where available, require explicit acknowledgement before activation. Acknowledgement does not make a strategy safe, profitable, reviewed, or suitable.
Infrastructure Security
- Application hosted on secure cloud infrastructure
- Regular security updates and patches
- Secrets kept out of source control and managed through protected infrastructure
- Access control and authentication for all internal systems
- Monitoring and logging for suspicious activity, deployment changes, broker actions, kill switches, and circuit-breaker events
Data Privacy
Your trading strategies and backtest results are private:
- Only you can view your backtests and configurations
- We do not share your strategies with other users
- We do not sell or monetize your trading data
- Employee access is logged and restricted to essential personnel only
Responsible Disclosure
If you discover a security vulnerability, we encourage responsible disclosure:
Email: security@leviathanlabs.org
Please include details about the vulnerability and steps to reproduce. We will respond within 48 hours and work with you to address the issue.
Compliance Posture
OpenWaters Trading is not claiming a completed third-party compliance audit, certification, or regulatory approval. We build toward strong privacy and security practices, but users remain responsible for determining whether the platform fits their own legal, regulatory, tax, brokerage, and compliance obligations.
Security controls reduce risk but do not eliminate software bugs, market-data errors, broker outages, account mistakes, order-routing issues, or losses from automated trading.
Your Responsibility
While we implement robust security measures, you also play a role:
- Use a strong, unique password
- Enable two-factor authentication (2FA)
- Keep your API keys secure and never share them
- Log out from shared or public computers
- Report suspicious activity immediately
Questions?
If you have questions about our security practices, contact us at:
Email: security@leviathanlabs.org