Security at TradeStack

Your trade data is critical. Here's how we protect it.

Infrastructure

  • AWS ap-southeast-1 (Singapore) primary region
  • VPC network isolation
  • Encrypted storage (AES-256 at rest)
  • TLS 1.3 for all data in transit

Data handling

  • Documents processed and stored in your tenant space only
  • 90-day retention by default, configurable per org
  • Full data deletion on request within 30 days
  • No data used for model training without explicit consent

Authentication

  • API keys with bcrypt hashing (plaintext never stored)
  • Module-level scoping on API keys
  • MFA mandatory for admin roles
  • SSO (SAML/OIDC) available on Scale and Enterprise plans

Tenant isolation

  • Row-level security in PostgreSQL
  • Every query scoped by organization_id
  • Cross-tenant access tested and blocked at API and database layers
  • Separate S3 key prefixes per organization

Compliance roadmap

  • SOC 2 Type II — audit in progress
  • GDPR compliant — DPA available on request
  • Data residency options (Singapore, Sydney) for enterprise
  • Annual penetration testing by third party

Responsible disclosure

Found a security issue? Email security@tradestack.io. We respond within 24 hours.