Security
How we protect what we hold.
Until we are licensed, Sisul never takes custody of capital. We do hold email addresses, verification metadata, and the hash chain itself. The chain is the entire trust artifact, and we treat it that way.
The hash chain is read-only
Every trade is hashed at the moment it is recorded, and each hash covers the previous trade's hash as well as the trade itself; that is what links the chain. No code path edits a historical trade. Tampering with any past row would break every later hash and surface as a mismatch at /verify/[slug]. Someone with write access to the database could recompute every later hash to hide an edit, which is why the chain is also anchored outside our infrastructure.
The chain is anchored to the Bitcoin blockchain via OpenTimestamps. Once a batch confirms, the committed root provably existed before the timestamp of the block that includes it, and anyone holding the proof can check it against Bitcoin without relying on us, including if we are no longer around.
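The two paragraphs above describe the mechanism in words. The script below is an added example, not Sisul's engine code: it builds a chain over constructed trade rows, verifies every link, and shows both failure modes described above, an in-place edit that breaks the chain and a full rewrite that only an external anchor can catch. The row layout, the GENESIS value and the JSON canonicalisation are assumptions; the OpenTimestamps submission itself is a network call and is not shown.

```python
"""Append-only hash chain over trade rows, with tamper detection.

Added example, not Sisul's code. The row layout, the GENESIS value and
the JSON canonicalisation are assumptions; the page only states that each
trade is hashed and chain-linked when recorded.
"""
import copy
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the first row (assumed convention)


def canonical(trade: dict) -> bytes:
    # Sorted keys, fixed separators: the same trade always serialises identically.
    return json.dumps(trade, sort_keys=True, separators=(",", ":")).encode()


def row_hash(prev_hash: str, trade: dict) -> str:
    # The link: each hash covers the previous hash plus this trade's fields.
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(canonical(trade))
    return h.hexdigest()


def append(chain: List[dict], trade: dict) -> dict:
    """Append a trade as a new row; rows are never edited afterwards."""
    prev = chain[-1]["hash"] if chain else GENESIS
    row = {"trade": dict(trade), "prev_hash": prev, "hash": row_hash(prev, trade)}
    chain.append(row)
    return row


def verify(chain: List[dict]) -> Tuple[bool, Optional[int]]:
    """Recompute every link. Returns (ok, index of the first bad row or None)."""
    prev = GENESIS
    for i, row in enumerate(chain):
        if row["prev_hash"] != prev or row_hash(prev, row["trade"]) != row["hash"]:
            return False, i
        prev = row["hash"]
    return True, None


def head_commitment(chain: List[dict]) -> str:
    """The value a batch would hand to a timestamping service: the last hash
    commits to every earlier row. (Submitting it to OpenTimestamps is a
    network call and is not shown here.)"""
    return chain[-1]["hash"] if chain else GENESIS


# Constructed sample trades, not real data.
SAMPLE_TRADES = [
    {"id": 1, "symbol": "AAPL", "side": "buy", "qty": 10, "price": "190.12", "ts": "2026-06-01T14:30:00Z"},
    {"id": 2, "symbol": "MSFT", "side": "buy", "qty": 5, "price": "421.50", "ts": "2026-06-01T15:02:11Z"},
    {"id": 3, "symbol": "AAPL", "side": "sell", "qty": 10, "price": "192.00", "ts": "2026-06-02T13:45:09Z"},
]


def demo() -> dict:
    chain: List[dict] = []
    for t in SAMPLE_TRADES:
        append(chain, t)
    ok_before, _ = verify(chain)
    anchored = head_commitment(chain)  # imagine this root was timestamped yesterday

    # Case 1: a direct UPDATE to one past row. The link at that row now fails.
    tampered = copy.deepcopy(chain)
    tampered[1]["trade"]["qty"] = 500
    ok_tampered, first_bad = verify(tampered)

    # Case 2: an attacker with write access recomputes every later hash.
    # The chain verifies again, but its head no longer matches the anchor,
    # which is exactly what the external timestamp exists to catch.
    rewritten: List[dict] = []
    for row in tampered:
        append(rewritten, row["trade"])
    ok_rewritten, _ = verify(rewritten)

    return {
        "ok_before": ok_before,
        "ok_tampered": ok_tampered,
        "first_bad_row": first_bad,
        "ok_rewritten": ok_rewritten,
        "anchor_matches_rewritten": head_commitment(rewritten) == anchored,
    }


if __name__ == "__main__":
    print(demo())
```

The second case is the one to keep in mind when reading "the chain is read-only": database-level immutability is a property of our code paths, while the anchor is what makes a silent rewrite detectable by anyone who saved the earlier commitment.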
Sessions and auth
Sessions use HTTP-only, HMAC-signed cookies backed by server-side session records. The browser receives a session id and a random secret; the database stores only a hash of that secret, so a leaked database dump cannot be replayed as a session. Because the record lives server-side, logout and credential changes revoke a session immediately by deleting it.
Accounts support email/password sign-in and authenticator-app 2FA. Magic links remain the email-verification and recovery path, and they are single-use with a short expiry.
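To make the session design above concrete, here is an added example (not Sisul's code) of the issue/authenticate/revoke cycle: a signed cookie carrying a session id and a random secret, a store that keeps only the secret's hash, and checks showing that a tampered cookie, a cookie built from a leaked database row, an expired session and a logged-out session all fail. The cookie layout, the TTL and the way the HMAC key is loaded are assumptions.

```python
"""Server-side sessions: signed cookie carrying (session id, random secret),
database row holding only the secret's hash.

Added example, not Sisul's code. Key handling, TTL and the cookie layout
are assumptions; the page states the design, not the implementation.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

COOKIE_KEY = secrets.token_bytes(32)  # assumed: in production, loaded from a secret store
SESSION_TTL = 12 * 60 * 60  # assumed 12-hour lifetime, in seconds


def _sig(payload: str) -> str:
    return hmac.new(COOKIE_KEY, payload.encode(), hashlib.sha256).hexdigest()


def sign_cookie(payload: str) -> str:
    return f"{payload}.{_sig(payload)}"


def unsign_cookie(cookie: str) -> Optional[str]:
    """Return the payload if the HMAC checks out (constant time), else None."""
    payload, sep, sig = cookie.rpartition(".")
    if not sep or not hmac.compare_digest(_sig(payload), sig):
        return None
    return payload


def _secret_hash(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


class SessionStore:
    """Stands in for the Postgres session table."""

    def __init__(self) -> None:
        self.rows: Dict[str, dict] = {}

    def issue(self, user_id: str, now: int) -> str:
        sid = secrets.token_urlsafe(16)
        secret = secrets.token_urlsafe(32)  # only ever sent to the browser
        self.rows[sid] = {
            "user_id": user_id,
            "secret_hash": _secret_hash(secret),  # a DB dump yields the hash, not the secret
            "expires": now + SESSION_TTL,
        }
        return sign_cookie(f"{sid}.{secret}")

    def authenticate(self, cookie: str, now: int) -> Optional[str]:
        payload = unsign_cookie(cookie)  # HMAC first: bad cookies never reach the DB
        if payload is None:
            return None
        sid, sep, secret = payload.partition(".")
        row = self.rows.get(sid) if sep else None
        if row is None or now >= row["expires"]:
            return None
        if not hmac.compare_digest(row["secret_hash"], _secret_hash(secret)):
            return None
        return row["user_id"]

    def revoke(self, sid: str) -> None:
        self.rows.pop(sid, None)  # logout: the still-valid signature no longer matters

    def revoke_user(self, user_id: str) -> int:
        """Credential change: drop every session belonging to the user."""
        doomed = [s for s, r in self.rows.items() if r["user_id"] == user_id]
        for s in doomed:
            del self.rows[s]
        return len(doomed)


def demo() -> dict:
    store = SessionStore()
    now = 1_750_000_000
    cookie = store.issue("user-42", now)
    sid = cookie.split(".")[0]

    # One changed character fails the HMAC before any lookup happens.
    forged = ("x" if cookie[0] != "x" else "y") + cookie[1:]

    # Attacker with a copy of the session table (and, generously, the cookie
    # key) tries to use the stored hash as the secret. It is not the secret.
    leaked_hash = store.rows[sid]["secret_hash"]
    from_dump = sign_cookie(f"{sid}.{leaked_hash}")

    results = {
        "valid": store.authenticate(cookie, now),
        "forged": store.authenticate(forged, now),
        "from_dump": store.authenticate(from_dump, now),
        "expired": store.authenticate(cookie, now + SESSION_TTL),
    }
    store.revoke(sid)
    results["after_logout"] = store.authenticate(cookie, now)
    return results


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the signature is verified before the store is consulted, so unauthenticated traffic cannot drive database lookups, and the secret comparison uses hmac.compare_digest so the check does not leak how many leading characters matched.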
Boundary between the two services
The Next.js app and the Python engine share one Postgres but talk to each other only over HTTPS. Mutating engine endpoints require a shared secret carried in an Authorization header and compared in constant time. Verification reads are public, which is the whole point of independent verification.
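Below is an added example, not the engine's own code, of the check an engine endpoint would run before its handler: public verification reads pass through, everything else needs the shared secret from the Authorization header, compared in constant time. The Bearer scheme, the ENGINE_SHARED_SECRET variable name and the route paths are assumptions.

```python
"""Engine-side authorisation for the Next.js -> Python engine boundary.

Added example, not Sisul's code. The Bearer scheme, the environment
variable name and the route paths are assumptions.
"""
import hashlib
import hmac
import os
from typing import Mapping, Optional

# Assumed: the same secret is injected into both services from a secret store.
ENGINE_SECRET = os.environ.get("ENGINE_SHARED_SECRET", "example-shared-secret-do-not-use")


def _digest(s: str) -> bytes:
    # Hash both sides first so compare_digest always sees equal-length input;
    # otherwise a length mismatch is reported immediately and leaks the length.
    return hashlib.sha256(s.encode("utf-8")).digest()


def secret_matches(presented: str, expected: str = ENGINE_SECRET) -> bool:
    # Not `presented == expected`: that returns at the first differing byte.
    return hmac.compare_digest(_digest(presented), _digest(expected))


def bearer_token(headers: Mapping[str, str]) -> Optional[str]:
    """Extract the token from `Authorization: Bearer <token>`, or None."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    auth = lowered.get("authorization")
    if auth is None:
        return None
    scheme, _, token = auth.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def authorize(method: str, path: str, headers: Mapping[str, str]) -> int:
    """Status to answer before running the handler: 200 to proceed, 401 when
    the shared secret is missing or wrong. Anything that is not an explicitly
    public verification read needs the secret (default deny)."""
    if method == "GET" and path.startswith("/verify/"):
        return 200  # independent verification is public by design
    token = bearer_token(headers)
    if token is None or not secret_matches(token):
        return 401
    return 200


def demo() -> dict:
    good = {"Authorization": f"Bearer {ENGINE_SECRET}"}
    return {
        "public_verify": authorize("GET", "/verify/some-trader", {}),
        "mutation_no_header": authorize("POST", "/trades", {}),
        "mutation_wrong_scheme": authorize("POST", "/trades", {"Authorization": f"Basic {ENGINE_SECRET}"}),
        "mutation_wrong_secret": authorize("POST", "/trades", {"Authorization": "Bearer nope"}),
        "mutation_ok": authorize("POST", "/trades", good),
        "lowercase_header_ok": authorize("DELETE", "/trades/1", {"authorization": f"bearer {ENGINE_SECRET}"}),
        "unlisted_get_denied": authorize("GET", "/admin/export", {}),
    }


if __name__ == "__main__":
    print(demo())
```

Two details are easy to get wrong here: comparing the raw strings with `==` (or with compare_digest on strings of different length) and treating header names as case-sensitive, which silently rejects a correctly configured client behind a proxy that normalises casing.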
Rate limits and abuse
Every public POST route is rate-limited per IP (and per signed-in user for authed routes). Sign-in, subscribe, intent upserts, LOI requests, and the Alpaca preview all have per-window caps. Sensitive admin actions are logged with the actor identity and the prior state.
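The limiter below is an added example, not Sisul's code, of per-route caps keyed per IP for public routes and additionally per user for signed-in callers, using a sliding window so a burst at the end of one minute cannot be followed by another at the start of the next. The route names, caps and windows are made up for the demo; the page only says each route has a per-window cap.

```python
"""Sliding-window rate limiter keyed per IP, and per user on authed routes.

Added example, not Sisul's code. Route names, caps and windows are
assumptions chosen for the demo.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Tuple

# Assumed caps: route -> (max requests, window in seconds).
LIMITS: Dict[str, Tuple[int, int]] = {
    "POST /api/signin": (5, 60),
    "POST /api/subscribe": (3, 600),
    "POST /api/intents": (3, 60),
}
DEFAULT_LIMIT = (20, 60)


class RateLimiter:
    """In-memory stand-in for whatever store the real limiter uses."""

    def __init__(self) -> None:
        self._hits: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def _check(self, route: str, key: str, now: float) -> Optional[float]:
        """Record a hit and return None if under the cap, else the seconds
        until the oldest hit leaves the window (a Retry-After value)."""
        cap, window = LIMITS.get(route, DEFAULT_LIMIT)
        q = self._hits[(route, key)]
        while q and q[0] <= now - window:
            q.popleft()  # hits older than the window no longer count
        if len(q) >= cap:
            return q[0] + window - now
        q.append(now)
        return None

    def allow(self, route: str, ip: str, user_id: Optional[str], now: float) -> Tuple[bool, Optional[float]]:
        """Public routes are limited per IP. Authed routes must also fit the
        caller's own bucket, so one account cannot dodge the cap by rotating
        IPs. A request rejected by the user bucket still counts against the
        IP bucket; rejected attempts are meant to cost something."""
        wait = self._check(route, f"ip:{ip}", now)
        if wait is None and user_id is not None:
            wait = self._check(route, f"user:{user_id}", now)
        return (wait is None), wait


def demo() -> dict:
    rl = RateLimiter()
    t0 = 1_750_000_000.0
    ip = "203.0.113.7"  # constructed address from the documentation range

    # Anonymous sign-in attempts: 5 per 60 s, then the caller is told to wait.
    signin = [rl.allow("POST /api/signin", ip, None, t0 + i) for i in range(7)]
    after_window = rl.allow("POST /api/signin", ip, None, t0 + 61)

    # A signed-in user rotating IPs still runs into the per-user cap of 3.
    for i in range(3):
        rl.allow("POST /api/intents", f"198.51.100.{i}", "user-42", t0 + i)
    rotated = rl.allow("POST /api/intents", "198.51.100.9", "user-42", t0 + 3)
    # A different user from that same fresh IP is unaffected.
    other = rl.allow("POST /api/intents", "198.51.100.9", "user-7", t0 + 3)

    return {
        "signin_allowed": [ok for ok, _ in signin],
        "signin_retry_after": signin[5][1],
        "signin_after_window": after_window[0],
        "user_rotating_ips_blocked": not rotated[0],
        "other_user_same_ip_allowed": other[0],
    }


if __name__ == "__main__":
    print(demo())
```

One caveat for any per-IP limiter behind a load balancer or CDN: the IP used as the key must be the client address as reported by your own proxy, never an X-Forwarded-For value the client could supply itself, or the limit is trivially bypassed.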
HTTP hardening
We send a strict Content-Security-Policy, disable framing (X-Frame-Options: DENY plus a frame-ancestors 'none' CSP directive), enable HSTS, and lock down browser feature policies through Permissions-Policy (camera, microphone, geolocation, etc. are all off). Cookies are HTTP-only and carry the Secure flag in production.
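A policy like the one above is only as good as the check that it is still being sent after the next deploy. The audit below is an added example, not Sisul's tooling: it takes a response's headers and Set-Cookie values and returns every deviation from the stated policy. The two header sets are constructed for the demo, and the one-year HSTS minimum is an assumption (a common recommendation), not a figure the page states.

```python
"""Response-header audit against the HTTP hardening policy described above.

Added example, not Sisul's code. The sample header sets are constructed and
the HSTS minimum age is an assumed threshold.
"""
from typing import Dict, List, Mapping, Sequence

MIN_HSTS_AGE = 31_536_000  # assumed: one year
REQUIRED_OFF = ("camera", "microphone", "geolocation")


def _csp_directives(csp: str) -> Dict[str, List[str]]:
    out: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def _hsts_max_age(value: str) -> int:
    for piece in value.split(";"):
        k, _, v = piece.strip().partition("=")
        if k.lower() == "max-age" and v.strip().isdigit():
            return int(v)
    return -1  # header missing or unparsable


def audit(headers: Mapping[str, str], set_cookie: Sequence[str] = ()) -> List[str]:
    """Return findings; an empty list means the response matches the policy."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    csp = _csp_directives(h.get("content-security-policy", ""))
    if not csp:
        findings.append("no Content-Security-Policy")
    else:
        if csp.get("frame-ancestors") != ["'none'"]:
            findings.append("CSP frame-ancestors is not 'none'")
        script = csp.get("script-src", csp.get("default-src", []))
        if "'unsafe-inline'" in script or "'unsafe-eval'" in script:
            findings.append("CSP script-src allows 'unsafe-inline' or 'unsafe-eval'")
    if h.get("x-frame-options", "").strip().upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")
    if _hsts_max_age(h.get("strict-transport-security", "")) < MIN_HSTS_AGE:
        findings.append(f"HSTS missing or max-age below {MIN_HSTS_AGE}")
    pp = h.get("permissions-policy", "").replace(" ", "")
    for feature in REQUIRED_OFF:
        if f"{feature}=()" not in pp:
            findings.append(f"Permissions-Policy does not disable {feature}")
    for cookie in set_cookie:
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
    return findings


# Constructed samples: what the policy above looks like on the wire, and a
# response that violates every point of it.
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'; base-uri 'self'",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
HARDENED_COOKIES = ["session=abc; Path=/; HttpOnly; Secure"]

WEAK = {
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=300",
}
WEAK_COOKIES = ["session=abc; Path=/"]


if __name__ == "__main__":
    for label, hdrs, cookies in (("hardened", HARDENED, HARDENED_COOKIES), ("weak", WEAK, WEAK_COOKIES)):
        print(label, audit(hdrs, cookies) or "OK")
```

Run it against a real response (for example the headers captured by a browser's network tab or by a request library) in CI or a post-deploy smoke test, and treat any non-empty result as a failed build.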
Data we hold
At present, on the server side: email + role for every signed-in user; salted password hashes; encrypted TOTP secrets if enabled; display name for investor profiles; bio, strategy text, and verified trades for traders; non-binding allocation intents and self-attested LOI records. Nothing financial: no SSNs, no bank info, no signed agreements with binding force.
At launch we add: KYC artifacts via Parallel Markets (held by them), signed LOIs / IMAs via DocuSign (held by them), and Alpaca account references (not credentials).
Reporting a vulnerability
If you have found a security issue, please don't open a public issue or PR. Send a description through the waitlist form with "security" in the persona field and we'll route it to a private channel within 24 hours. We will not pursue legal action against good-faith research that gives us a reasonable opportunity to fix the issue.
Last updated: 2026-06-21