Security & Data Protection

Your trading accounts are your most valuable assets. Here’s how we protect them.

Credential Encryption

Your broker passwords are NEVER stored in plain text

What we do:
  1. AES-256 encryption — Industry-standard encryption (same as banks)
  2. Unique encryption key per user — Even we can’t decrypt without your key
  3. Zero-knowledge architecture — Your passwords are encrypted client-side before leaving your browser
What this means: Even if our database is compromised, your broker credentials cannot be decrypted.

Authentication

Clerk-based authentication

TradeWzrd uses Clerk for user authentication:
  • ✅ Email/password with strong password requirements
  • ✅ OAuth (Google, GitHub, etc.)
  • ✅ Magic links (passwordless login)
  • ✅ 2FA support (optional, recommended)
Never share your TradeWzrd password. If someone has your TradeWzrd login, they can access your connected accounts.

API Security

Webhook authentication

Webhooks are secured by:
  • Unique webhook IDs — 32-character random strings (impossible to guess)
  • HTTPS only — All webhook traffic is encrypted
  • Optional secret keys — Add custom authentication headers
  • IP whitelisting — Restrict webhook calls to specific IPs (coming soon)
Example webhook URL:
https://tradewzrd.com/api/webhooks/a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
Security note: Webhook URLs act as bearer tokens. Don’t share them publicly (e.g., in Discord/Telegram).

API rate limiting

Protection against abuse:
  • 10 requests/second per webhook
  • 100 requests/minute per user
  • Exceeded limits return 429 Too Many Requests
This prevents: DDoS attacks, accidental loops, malicious spam.
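
An added example (not TradeWzrd's code) of a receiver-side gate that applies the optional secret check and both rate limits listed above. Only the two limits and the 429 response come from this page; the 404/401 statuses, the class and parameter names, and the sliding-window approach are assumptions.

```python
import hmac
import time
from collections import defaultdict, deque

# Limits taken from the page; everything else here is an assumption.
PER_WEBHOOK = (10, 1.0)    # 10 requests per second per webhook
PER_USER = (100, 60.0)     # 100 requests per minute per user


class WebhookGate:
    """Sliding-window limiter plus optional shared-secret check."""

    def __init__(self, webhooks):
        # webhooks: {webhook_id: {"user": str, "secret": str or None}}
        self.webhooks = webhooks
        self.hits = defaultdict(deque)  # key -> timestamps of accepted calls

    def _within(self, key, limit, window, now):
        q = self.hits[key]
        while q and now - q[0] >= window:   # drop timestamps outside the window
            q.popleft()
        return len(q) < limit

    def check(self, webhook_id, secret_header=None, now=None):
        """Return the HTTP status the endpoint should answer with."""
        now = time.monotonic() if now is None else now
        hook = self.webhooks.get(webhook_id)
        if hook is None:
            return 404                      # assumed status for an unknown ID
        if hook["secret"] is not None:
            supplied = (secret_header or "").encode()
            # constant-time comparison so timing does not leak the secret
            if not hmac.compare_digest(supplied, hook["secret"].encode()):
                return 401                  # assumed status for a bad secret
        keys = [(("hook", webhook_id), *PER_WEBHOOK),
                (("user", hook["user"]), *PER_USER)]
        # Check both limits before recording, so a rejected call is not counted.
        if not all(self._within(k, lim, win, now) for k, lim, win in keys):
            return 429                      # Too Many Requests, as on the page
        for k, _, _ in keys:
            self.hits[k].append(now)
        return 200
```

Passing `now` explicitly makes the limiter deterministic in tests; in a real handler it defaults to the monotonic clock.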

Data Protection

What data do we store?

Data | How it’s stored | Why we need it
Email | Plain text | User authentication
Broker credentials | AES-256 encrypted | Connect to your broker API
Trade history | Plain text | Analytics, history logs
Account balances | Plain text | Dashboard stats
Webhook signals | Plain text | History, debugging

What data do we NOT store?

  • ❌ Credit card numbers (handled by Stripe)
  • ❌ Social security numbers (we don’t ask for them)
  • ❌ Unencrypted passwords

Best Practices

✅ DO:

Extra layer of protection even if your password is compromised. 👉 Dashboard → Settings → Security → Enable 2FA
Don’t reuse passwords across services. Recommended: Use a password manager (1Password, Bitwarden, LastPass)
Test with demo accounts before connecting live accounts. This ensures everything works correctly without risking real money.
Check History tab regularly to see what signals were executed. If you see unexpected trades, disable the webhook immediately.
Limit risk per trade to 1-2% of account balance. Never risk more than you can afford to lose.

❌ DON’T:

Webhook URLs are like passwords — anyone with the URL can send signals. ❌ Don’t post in Discord/Telegram/Twitter. ✅ Keep them private in TradingView alerts.
Only connect YOUR accounts. Connecting someone else’s account without permission is unauthorized access.
If you see trades you didn’t authorize:
  1. Disable all webhooks immediately
  2. Change your TradeWzrd password
  3. Contact [email protected]
Public networks can be insecure. Use VPN or mobile data when trading from coffee shops/airports.

Incident Response

What happens if there’s a breach?

Our commitment:
  1. Notify affected users within 24 hours
  2. Force password reset for compromised accounts
  3. Publish incident report (what happened, what we’re doing)
What you should do:
  1. Change TradeWzrd password immediately
  2. Check broker accounts for unauthorized trades
  3. Change broker passwords (if credentials were stored)

Data Retention

How long do we keep your data?

Data Type | Retention Period
Trade history | Indefinitely (for analytics)
Webhook logs | 90 days
Account credentials | Until account is deleted
User profile | Until account is deleted
Delete your account: Dashboard → Settings → Delete Account (permanent, cannot be undone)

Compliance

Regulations we follow

  • ✅ GDPR (EU data protection)
  • ✅ CCPA (California privacy law)
  • ✅ SOC 2 (in progress)
Your rights:
  • Right to access — Request all data we have about you
  • Right to deletion — Delete your account and all data
  • Right to portability — Export your trade history
Contact [email protected] for data requests.

Third-Party Services

We do NOT share your broker credentials, trade signals, or personal information with third parties for marketing purposes. Your data stays private.

Questions?

Still have concerns? Email [email protected]