← Back

Security & data handling

The specifics of how we store, transmit, isolate, and delete your trade data. We don’t say “bank-level security” — we say what we actually do.

Encryption

At rest

All sensitive fields (broker OAuth tokens, trade notes) are encrypted with AES-256-GCM. The encryption key lives in Supabase Vault, not in environment variables. Database backups are encrypted with a separate key managed by Supabase.

In transit

HTTPS-only (HSTS preload). TLS 1.2 minimum, TLS 1.3 preferred. HTTP requests are 308-redirected to HTTPS by Vercel’s edge before reaching the app.

Broker connections

OAuth2 read-only scopes only. We can read your trade history and account balance; we cannot place orders, move money, modify positions, or change account settings. The lack of write scope is enforced at the broker level — not by our code — so even a TFQ compromise cannot affect your broker account.

Tenant isolation

Row-level security (RLS)

Every database table has ROW LEVEL SECURITY ENABLED with a policy that checks auth.uid()against the owning user’s Clerk ID. A user cannot read or write another user’s rows even via a leaked service token, because the auth context is bound to the request, not the connection.

No shared computation

The mistake-checker, equity curve, and analytics all run per-user. There is no aggregate dataset, no “trader leaderboard,” no “average performance.” Your data is never combined with another user’s, even anonymously, for any product feature.

No third-party analytics on trade data

PostHog and Vercel Analytics see page-view events and UTM params — they never see trade data, broker tokens, or P&L. The analytics scripts run after the cookie-consent gate (decline-by-default).

Audit logging

Hash-chained log

Every sensitive action — broker connection, broker token refresh, trade import, trade deletion, password change, account deletion — is recorded in a hash-chained audit log. Each entry includes a SHA-256 hash of the previous entry, so any tampering with the log is detectable: change one row and every downstream hash breaks.

Customer-visible

You can view your own audit log at /audit (Audit tab in the sidebar). Every action attributed to your account is there with a timestamp. If you see something you didn’t do, email security@tradeflowquantum.com.

Authentication

Provider

Clerk handles all authentication. We never see your password. Password hashing is bcrypt with a high work factor; rate-limiting and lockout policies are enforced by Clerk at the edge.

MFA

Two-factor authentication via TOTP (Authenticator / 1Password / Authy) is available in the Clerk account modal — click your avatar in the sidebar → Manage account → Security → Two-factor. SMS-based 2FA is not offered — SIM swaps are the dominant 2FA bypass.

Sessions

JWT-based, 7-day expiration with rolling renewal. You can see and revoke active sessions in the same Clerk account modal → Security → Active devices. Revocation is instant (no “wait 24 hours”).

Data deletion

One-click

Settings → Account → Delete account. You confirm with your password, then the deletion is irreversible. There is no “contact support to delete” flow. We don’t want your hostage data — we want you to trust us with it because we’ll release it cleanly.

Retention after cancel

Cancelling your paid subscription does not delete your data — you stop being billed at the end of the current period and your account remains in read-only access. To actually wipe your data, use Settings → Danger zone → Delete account (described below). The two flows are separate by design.

Account deletion

One-shot. When you delete your account, every Supabase row and your Clerk sign-in are removed in a single transaction. There is no recovery window — once the confirmation phrase is submitted, the wipe is irreversible. Export your data first via Settings → Full data backup (JSON) if you want a copy.

Backups

Database backups roll on a 14-day window (Supabase default). Deletion of your account propagates to backups within 14 days via Supabase’s automated rotation. If you need a same-day backup deletion (compliance requirement), email security@tradeflowquantum.com.

Compliance posture

GDPR + CCPA

Right to access, right to deletion, right to data portability all implemented in-product. Export from Settings → Data; delete from Settings → Account. No DPA needed for consumer accounts; available on request for team accounts.

SOC 2

Not certified. We implement the practices (least-privilege access, audit logging, MFA enforcement, deletion controls) but the third-party attestation costs $20-40k/yr — out of budget for a solo founder. We re-evaluate annually. If certification is a hard requirement, please email and we’ll talk about timeline.

PCI

Out of scope — payments are handled by Stripe Checkout. We never see or store card numbers. Card data goes from your browser directly to Stripe.

HIPAA / FedRAMP

Not applicable. TradeFlow Quantum is for retail traders. If you’re building something that needs HIPAA or FedRAMP, you’re in the wrong product category.

Vulnerability disclosure

Contact

Email security@tradeflowquantum.com with details. PGP key available on request.

Response

First reply within 24 hours, business days. Critical issues patched within 7 days, high-severity within 30, others on normal release cadence. We follow disclose.io principles.

Safe harbor

Good-faith security research is welcomed. Do not access another user’s data, exfiltrate data at scale, or disrupt service. Follow these and we won’t pursue legal action.

Bounty

No formal program yet — too small to fund one. We do send a thank-you swag pack and lifetime free TFQ access for verified, responsibly-disclosed issues.

Infrastructure

Hosting

Vercel (compute, edge, CDN). Supabase (Postgres database, object storage, Vault). Clerk (authentication). Stripe (billing). Resend (transactional email). All US-based or EU-replicated providers with their own SOC 2 attestations.

Regions

Primary US-East. Database backups replicate to a second US region. No data leaves US infrastructure under normal operation.

Status

Real-time uptime at status.tradeflowquantum.com.

What we don’t do

  • Sell data. Not to advertisers, not to data brokers, not for “analytics partnerships,” not ever. There is no business model in which we make money by selling your trade data.
  • Train AI models on your data. We don’t run your trades, screenshots, or any of your data through AI models — there are no AI features in the product, so nothing of yours is ever sent to a model provider.
  • Aggregate “average trader performance.” Every analytics view runs against your data only. No shared pool, no leaderboard, no anonymous benchmark feed.
  • Run third-party tracking pixels (Meta, Google Ads conversion, TikTok) on authenticated pages. Marketing pixels run on the landing page and pricing page; once you’re signed in, they don’t fire.
  • Place orders on your behalf. The broker OAuth scope is read-only at the broker level. We cannot trade your account even if compelled to.

Questions we didn’t answer here?

Email security@tradeflowquantum.com and we’ll answer the actual question — not refer you to a sales rep.

Last updated: June 16, 2026. If anything on this page is wrong or out of date, email security@ and we’ll fix it.