Security

Security posture, responsible-disclosure policy, and infrastructure design.

Infrastructure

Production data is encrypted at rest and protected with TLS 1.2+ in transit. Database access is brokered through least-privilege application roles with strict schema isolation. No third-party service has direct database access.

Authentication

Authentication is passwordless. Removing passwords eliminates an entire class of attacks: reuse, credential stuffing, and brute force are not possible against accounts that never had passwords. Session cookies are HttpOnly, Secure, and SameSite=Lax. Sessions are server-side records — revocation is immediate.

Email & PII

Email addresses are SHA-256 hashed in telemetry and logs. Raw addresses appear only in the primary database and transactional-email payloads, never in observability systems. Request bodies for authenticated endpoints are not logged.

Compliance

A SOC 2 Type II audit is on the roadmap. Until then, Hedgelytics publishes its security posture transparently on this page rather than claiming certifications not yet held. Data-handling practices are modeled on GDPR and CCPA standards regardless of user residence.

Responsible disclosure

Report vulnerabilities to security@hedgelytics.com. Submissions are acknowledged within 24 hours and a remediation timeline is provided within 5 business days. Researchers are credited in the changelog unless they request anonymity. Test only against your own account; do not attempt to access or alter other users' data. Avoid denial-of-service, social engineering, and physical attacks.

Bug bounty

There is no paid bug-bounty program at this time. Responsible-disclosure reports are answered within 24 hours, and valid findings receive good-faith recognition — changelog credit, swag, or a paid reward at our discretion.

Machine-readable security policy: /.well-known/security.txt