Install Gamma Trade
Get the full app experience — one tap from your home screen.
Back to Gamma Trade
Legal · Gamma Trade

Information Security Policy

Last updated: February 8, 2026

This policy describes the administrative, technical, and physical controls Gamma Trade uses to protect customer data. It is the document we share with vendors and partners (including Plaid) during their security reviews.

1. Architecture Overview

Gamma Trade is a fully managed SaaS application with the following components:

Front-end
React 18 SPA · served over HTTPS · Cloudflare edge cache
Back-end
Python FastAPI · stateless workers · auto-scaled k8s deployment
Database
MongoDB Atlas · TLS-encrypted client connection · AES-256 at-rest
Hosting
Emergent Kubernetes cluster (US-region) · isolated network namespace
CDN / WAF
Cloudflare · TLS termination · DDoS protection · WAF rules
Payments
Stripe (PCI-DSS Level-1) · card data tokenized; we never store PAN
Email
Resend · SPF / DKIM / DMARC enforced for outbound mail

2. Data Encryption

  • In transit — TLS 1.2+ with strong cipher suites enforced on every public endpoint and between every internal service.
  • At rest — MongoDB Atlas with AES-256 encryption-at-rest. Backup volumes inherit the same encryption.
  • Passwords — bcrypt with cost factor 12. Plaintext passwords are never logged or persisted.
  • Secrets / API keys — stored in environment variables sourced from a secrets manager (Emergent Vault). Never committed to source control.
  • Push notifications — VAPID-signed Web Push payloads; subscription endpoints are encrypted at rest.

3. Authentication & Access Control

End users

  • Email + password with bcrypt hashing; optional Google OAuth via Emergent-managed sign-in.
  • JWT session tokens with short expiry; refresh on activity.
  • Brute-force protection: 5 failed attempts triggers an account-level temporary lockout.
  • Password reset via single-use tokens delivered by email; tokens expire in 60 minutes.

Internal staff

  • Least-privilege RBAC. Only on-call engineers have production access, and only via SSO + MFA.
  • All production-database access is logged.
  • Access reviews quarterly. Departing personnel are de-provisioned within 24 hours.

4. Network Security

  • All public traffic terminates at Cloudflare with WAF + DDoS rules.
  • Backend ports are not directly exposed to the internet; ingress is via the platform's controlled k8s ingress.
  • Internal service-to-service traffic uses an isolated cluster network namespace.
  • CORS is restricted to the application's own origins.

5. Application Security

  • Input validation on every API boundary via Pydantic models.
  • Parameterized database queries (no string-interpolation queries). MongoDB driver enforces BSON serialization.
  • Output encoding via React's default JSX escaping; we do not use dangerouslySetInnerHTML with user-controlled content.
  • CSRF protection on state-changing endpoints; anti-replay tokens on auth flows.
  • Rate-limiting on auth, password reset, and high-cost endpoints.
  • Dependencies pinned and reviewed; Dependabot-style scans surface CVEs and we patch within 14 days for high/critical severities.

6. Logging & Monitoring

  • Structured application logs aggregated centrally; retained 90 days.
  • Failed-auth events and admin actions are flagged in real time.
  • Uptime + error-rate monitoring across all critical endpoints; on-call paging for SLA breaches.
  • Personal data is masked in logs (emails partially redacted; tokens hashed before persistence).

7. Backups & Disaster Recovery

  • MongoDB Atlas snapshots every 6 hours with point-in-time recovery enabled.
  • Backup retention: 30 days. Encrypted at rest, same AES-256 keys as production.
  • Disaster-recovery plan documented; RTO ≤ 4 hours, RPO ≤ 1 hour for tier-1 data.
  • Annual restore drill validating backup integrity.

8. Vendor / Sub-processor Management

We maintain a list of sub-processors with the data each receives in our Privacy Policy §3. New sub-processors are reviewed for SOC 2 / ISO 27001 attestation (or equivalent), and a DPA is executed before any production data flows to them.

9. Incident Response

  • 24/7 on-call rotation for production incidents.
  • Severity tiers (SEV-1..SEV-4) with documented escalation paths and customer-communication SLAs.
  • Post-incident review (blameless) for every SEV-1 / SEV-2 with timeline, root cause, and action items.
  • Affected customers notified within 72 hours of confirming a personal-data breach, in line with GDPR Article 33 timelines.

10. Secure Development Lifecycle

  • All code changes go through peer review before deploy.
  • Linting + automated tests run on every commit; production deploys go through a staging environment first.
  • Threat modeling for any new feature that touches authentication, billing, or third-party financial data.
  • Secrets-scanning in CI to prevent credential leakage in commits.

11. Privacy by Design

  • We collect the minimum data needed for each feature (data-minimization principle).
  • Optional features (Plaid linking, push notifications) are opt-in.
  • User data export + deletion endpoints available on request.

12. Compliance Posture

  • GDPR / CCPA — we honor data-subject access, correction, and deletion requests within 30 days.
  • PCI-DSS — out of scope at the application layer; Stripe handles cardholder data.
  • SOC 2 — preparing controls for a Type-1 audit. Underlying providers (Cloudflare, MongoDB Atlas, Stripe, Resend) are SOC 2 Type-2 certified.

13. Reporting Vulnerabilities

Please report security issues responsibly via our Vulnerability Disclosure Policy or directly to security@gextrade.fyi.

© 2026 Gamma Trade. Markets data is delayed and for informational use only — not investment advice.
support@gextrade.fyi

Made with Emergent