Security

How we protect your account, your data, and your money. We're not yet SOC 2 certified — we're transparent about exactly what we do and don't do.

OptionsDeck Research · 3 min read · Updated May 15, 2026

The short version

  • Passwords are salted and hashed with a slow, brute-force-resistant algorithm; we cannot read them
  • All traffic is HTTPS-only with HSTS preload
  • Payment data is handled exclusively by Stripe — we never see your full card
  • We have zero brokerage integration — there's no path for OptionsDeck to touch your trading account
  • Session tokens are cryptographically signed, expire on schedule, and can be invalidated server-side
  • We use third-party error monitoring with PII stripped from reports

Authentication

  • Password hashing: a deliberately slow, brute-force-resistant algorithm with a per-user salt. Even our own engineers cannot recover your plaintext password. If you forget it, the only path is the email-link reset at /forgot-password.
  • Session tokens: issued on login and cryptographically signed with a server-side secret rotated periodically. Tokens have a sensible expiration and are validated on every API call.
  • Email reset flow: single-use reset tokens with short TTL, delivered over TLS. No password reminders are ever emailed.
  • Rate limiting: the login endpoint is rate-limited per IP and per username to prevent credential stuffing.
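The four controls in the list above, written out as an added example so the mechanics are concrete. This is illustrative code, not OptionsDeck's implementation: the page does not name its hashing algorithm, token format, TTLs or rate-limit thresholds, so scrypt, the HMAC token layout, the 15-minute reset TTL and the 5-per-minute limit are all assumptions, and the in-memory sets and dicts stand in for a database or cache.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import time
from collections import defaultdict, deque

# --- Password hashing: a slow, memory-hard KDF (scrypt) with a per-user salt ---
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # assumed cost parameters

def hash_password(password: str) -> str:
    salt = os.urandom(16)                        # fresh random salt per user
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Parameters travel with the hash so the cost can be raised for new passwords later.
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    _, n, r, p, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))  # constant-time compare

# --- Session tokens: HMAC-signed with a server secret, expiring, revocable server-side ---
SERVER_SECRET = os.urandom(32)          # assumed: injected from the environment in production
_revoked: set[str] = set()              # assumed: a DB table or cache in production

def issue_session(user_id: str, ttl_seconds: int = 3600, now: float | None = None) -> str:
    now = time.time() if now is None else now
    payload = f"{user_id}|{secrets.token_urlsafe(16)}|{int(now) + ttl_seconds}"  # user ids contain no '|'
    sig = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"

def validate_session(token: str, now: float | None = None) -> str | None:
    """Return the user id if the token is authentic, unexpired and not revoked; else None."""
    now = time.time() if now is None else now
    parts = token.split("|")
    if len(parts) != 4:
        return None
    user_id, session_id, expires, sig = parts
    expected = hmac.new(SERVER_SECRET, "|".join(parts[:3]).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # verify the signature before trusting any field
        return None
    if now >= int(expires) or session_id in _revoked:
        return None
    return user_id

def revoke_session(token: str) -> None:
    _revoked.add(token.split("|")[1])            # server-side invalidation (logout, incident response)

# --- Password reset: single-use tokens with a short TTL, stored only as a hash ---
_reset_tokens: dict[str, tuple[str, float]] = {}   # sha256(token) -> (user_id, expiry)

def issue_reset_token(user_id: str, ttl_seconds: int = 900, now: float | None = None) -> str:
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _reset_tokens[hashlib.sha256(token.encode()).hexdigest()] = (user_id, now + ttl_seconds)
    return token                                  # sent once, in the reset email link

def consume_reset_token(token: str, now: float | None = None) -> str | None:
    now = time.time() if now is None else now
    entry = _reset_tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)  # pop: single use
    if entry is None or now >= entry[1]:
        return None
    return entry[0]

# --- Login rate limiting: independent sliding windows per client IP and per username ---
LOGIN_LIMIT, LOGIN_WINDOW = 5, 60               # assumed: 5 attempts per 60 s per bucket
_attempts: dict[str, deque] = defaultdict(deque)

def _bucket_has_room(key: str, now: float) -> bool:
    window = _attempts[key]
    while window and window[0] <= now - LOGIN_WINDOW:
        window.popleft()
    return len(window) < LOGIN_LIMIT

def login_allowed(ip: str, username: str, now: float | None = None) -> bool:
    """Both buckets must have room; the username bucket also catches spraying from many IPs."""
    now = time.time() if now is None else now
    keys = (f"ip:{ip}", f"user:{username.strip().lower()}")
    if not all(_bucket_has_room(k, now) for k in keys):
        return False
    for k in keys:
        _attempts[k].append(now)
    return True
```

Two design points worth noting: the stored password string carries its own cost parameters, so the work factor can be raised without breaking existing accounts, and reset tokens are stored only as a hash, so a leaked table of pending resets is not itself usable.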

Transport

  • HTTPS-only with HTTP→HTTPS redirect
  • HSTS: max-age=63072000; includeSubDomains; preload
  • Modern TLS: TLS 1.2+ only; weak ciphers disabled
  • WebSocket: WSS (TLS-encrypted) for the live flow stream
  • Security headers: X-Frame-Options SAMEORIGIN, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, Permissions-Policy restrictions on camera/mic/geolocation
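A way to verify the header policy above from the outside, as an added example rather than anything OptionsDeck publishes: it parses Strict-Transport-Security and checks the other listed headers against the values the page states. The two sample header sets are constructed, and the Permissions-Policy check treats any explicit allowlist for camera, microphone or geolocation as a restriction, since the page gives no exact value for that header.

```python
from __future__ import annotations

import re
import urllib.request

REQUIRED_HSTS_MAX_AGE = 63072000   # the two-year value the page states

# Constructed sample responses: one that meets the policy, one that does not.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=3600; includeSubDomains",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

EXPECTED_VALUES = {
    "x-frame-options": "sameorigin",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
}
RESTRICTED_FEATURES = ("camera", "microphone", "geolocation")

def parse_hsts(value: str) -> tuple[int | None, set[str]]:
    """Split an HSTS header into its max-age and the set of flag directives."""
    max_age, flags = None, set()
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            try:
                max_age = int(d.split("=", 1)[1].strip().strip('"'))
            except ValueError:
                pass
        elif d:
            flags.add(d)
    return max_age, flags

def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return findings against the policy above; an empty list means compliant."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing strict-transport-security")
    else:
        max_age, flags = parse_hsts(hsts)
        if max_age is None or max_age < REQUIRED_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} below required {REQUIRED_HSTS_MAX_AGE}")
        for flag in ("includesubdomains", "preload"):
            if flag not in flags:
                findings.append(f"HSTS missing {flag}")
    for name, want in EXPECTED_VALUES.items():
        got = h.get(name)
        if got is None:
            findings.append(f"missing {name}")
        elif got.strip().lower() != want:
            findings.append(f"{name} is {got!r}, expected {want!r}")
    policy = h.get("permissions-policy", "")
    for feature in RESTRICTED_FEATURES:
        # Any explicit allowlist counts as a restriction; "feature=()" is the strictest form.
        if not re.search(rf"(^|[,\s]){feature}=\(", policy):
            findings.append(f"permissions-policy does not restrict {feature}")
    return findings

def audit_url(url: str) -> list[str]:
    """Fetch a live response (HEAD) and audit its headers; the offline checks do not use this."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return audit_headers(dict(resp.headers.items()))

if __name__ == "__main__":
    print("good:", audit_headers(GOOD_HEADERS))
    print("weak:", audit_headers(WEAK_HEADERS))
```

Run against a real origin with audit_url("https://example.invalid/") substituted for your own host; the HSTS preload list additionally requires the header on the redirect response itself, which this check does not cover.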

Payment data

Stripe handles 100% of payment processing. Your credit card details (full number, CVV, expiration) are entered directly into Stripe's PCI-DSS-Level-1 infrastructure — they never touch OptionsDeck's servers. We receive only:

  • Stripe customer ID (an opaque identifier)
  • Subscription status (active / past_due / cancelled)
  • Last 4 digits of card (for the billing page display)
  • Billing email and country (for tax + receipts)

Even if OptionsDeck were fully breached, no usable credit card data would be exposed. This is a deliberate architectural choice.

What we deliberately don't collect

Some platforms ask for read-only brokerage credentials to "improve recommendations." We don't, and we never will. Here's what OptionsDeck has zero technical capability to access:

  • Your brokerage username, password, or API keys (no integration accepts these)
  • Your real brokerage account balance
  • Your real-money trade executions
  • Your actual positions (only what you manually log in your journal)
  • Bank account / routing numbers
  • Government ID, SSN, or any KYC data

Data isolation

  • Every API endpoint is authenticated and enforces your user scope at the data-access layer — no cross-user data leakage by construction
  • Operator/admin endpoints are gated behind an admin flag + dual-checked at the route layer
  • AI prompts sent to OptionsDeck Core contain only the structured market context for the ticker queried — never your name, email, or account identifier
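What "enforces your user scope at the data-access layer" and "dual-checked" look like in code, as an added example that is not OptionsDeck's own: every repository method takes the caller's principal and filters on it, so a route handler has no unscoped read to misuse, and the admin path is checked once at the route layer and again at the data layer. The journal table, field names and Principal type are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when a caller lacks the privilege a route requires."""

@dataclass(frozen=True)
class Principal:
    user_id: str
    is_admin: bool = False

# Constructed sample table: journal entries, each tagged with its owner.
JOURNAL = {
    "j1": {"owner_id": "alice", "ticker": "SPY", "note": "sold put spread"},
    "j2": {"owner_id": "bob", "ticker": "QQQ", "note": "long call"},
}

class JournalRepo:
    """Data-access layer. Every read and write takes the caller's Principal and
    filters on it; there is no unscoped accessor for ordinary callers, so a
    route handler cannot forget the owner check."""

    def __init__(self, table: dict[str, dict]):
        self._table = table

    def list_for(self, p: Principal) -> list[dict]:
        return [{"id": k, **v} for k, v in self._table.items() if v["owner_id"] == p.user_id]

    def get(self, p: Principal, entry_id: str) -> dict | None:
        row = self._table.get(entry_id)
        if row is None or row["owner_id"] != p.user_id:
            return None   # same answer for "not yours" and "does not exist": no existence oracle
        return {"id": entry_id, **row}

    def update_note(self, p: Principal, entry_id: str, note: str) -> bool:
        if self.get(p, entry_id) is None:
            return False
        self._table[entry_id]["note"] = note
        return True

    def list_all_as_admin(self, p: Principal) -> list[dict]:
        if not p.is_admin:      # second, independent check at the data layer
            raise Forbidden("admin only")
        return [{"id": k, **v} for k, v in self._table.items()]

def require_admin(handler):
    """Route-layer gate: the first of the two admin checks."""
    def wrapped(p: Principal, *args, **kwargs):
        if not p.is_admin:
            raise Forbidden("admin only")
        return handler(p, *args, **kwargs)
    return wrapped

# Route handlers (framework-agnostic): the principal comes from the validated session.
def my_journal(p: Principal, repo: JournalRepo) -> list[dict]:
    return repo.list_for(p)

@require_admin
def admin_all_journals(p: Principal, repo: JournalRepo) -> list[dict]:
    return repo.list_all_as_admin(p)
```

The point of the second check inside list_all_as_admin is that a forgotten or misapplied decorator on a new admin route is not enough on its own to expose other users' rows.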

Infrastructure

  • Database: a managed cloud database with daily encrypted backups and point-in-time recovery
  • Application: cloud compute with auto-restart, log aggregation, and error tracking
  • Secrets: environment-injected, never committed to source control, rotated periodically
  • Logs: structured JSON with request IDs; PII (email, IP) is hashed in long-term storage
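An added example, not OptionsDeck's logging code, covering both the "PII stripped from error reports" item in the summary and the "PII hashed in long-term storage" item above. Log records get a request ID and a keyed hash in place of email and IP, so one user still correlates across lines without the value being recoverable; error reports bound for a third-party monitor are scrubbed of PII keys and of email or IP-looking substrings in free text. The key, field names and sample records are constructed.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import re
import uuid

LOG_HASH_KEY = b"assumed-secret-loaded-from-env"   # keyed: an unkeyed SHA-256 of an email is reversible by dictionary
PII_FIELDS = ("email", "ip")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def pseudonymize(value: str) -> str:
    """Stable keyed hash of a PII value: the same user correlates across log lines,
    but the original value cannot be recovered from the stored logs."""
    return hmac.new(LOG_HASH_KEY, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:32]

def log_record(event: str, request_id: str | None = None, **fields) -> dict:
    """Build a structured log record; PII fields are hashed before they are written."""
    rec = {"event": event, "request_id": request_id or str(uuid.uuid4())}
    for key, value in fields.items():
        rec[key] = pseudonymize(value) if key in PII_FIELDS else value
    return rec

def log_line(event: str, request_id: str | None = None, **fields) -> str:
    """One JSON object per line, keys sorted so lines are easy to diff and index."""
    return json.dumps(log_record(event, request_id, **fields), sort_keys=True)

def scrub(obj):
    """Recursively redact an error report before it leaves for the monitoring
    vendor: PII keys are dropped outright, and email or IP-looking substrings in
    free text (messages, breadcrumbs, tags) are masked."""
    if isinstance(obj, dict):
        return {k: ("[redacted]" if k in PII_FIELDS else scrub(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [scrub(v) for v in obj]
    if isinstance(obj, str):
        return IPV4_RE.sub("[ip]", EMAIL_RE.sub("[email]", obj))
    return obj

if __name__ == "__main__":
    print(log_line("login_ok", email="Alice@Example.com", ip="203.0.113.9"))
    print(json.dumps(scrub({"message": "timeout for alice@example.com from 203.0.113.9"})))
```

Hashing and redaction serve different needs: hashed fields keep logs useful for abuse investigation (all events from one pseudonymous user), while error reports sent off-platform need no correlation and so get redaction.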

Vulnerability reports

If you discover a security vulnerability, please email security@optionsdeck.ai (forwards to the founder directly). We commit to:

  • Acknowledge your report within 48 hours
  • Provide a status update within 7 days
  • Credit you publicly (with permission) after the fix ships
  • Not take legal action against good-faith security research

Compliance

OptionsDeck is a small, founder-operated company. We are not currently SOC 2 certified — that's a meaningful commitment we'll pursue when revenue justifies it. In the meantime we follow industry-standard security practices, document them publicly on this page, and offer transparent disclosure of any incident that affects user data.

We comply with GDPR (EU) and CCPA (California) on a best-effort basis. Data subject requests (access, deletion, portability) are handled via support@optionsdeck.ai with a 30-day response commitment.

Incident response

If a security incident affecting user data occurs, we commit to:

  • Notify affected users by email within 72 hours of confirming the incident
  • Publish a public post-mortem on our status page within 14 days
  • Take remediation actions (revoking sessions, forcing password resets, etc.) immediately

Security questions: security@optionsdeck.ai. For general support, see FAQ or email support@optionsdeck.ai.
