
Security at Volaren

Last updated: May 2026

We handle your portfolio data, brokerage connections, and research — things that matter. That comes with a duty to protect them.

This page is the short version. For details auditors ask for — SOC 2 readiness, vendor questionnaire responses, penetration test summaries — contact us and we'll share under NDA.

Transparency note

We're a small, growing company. We tell you exactly what we do and don't do. If a control isn't listed below, we don't claim it. No marketing adjectives, no “military-grade.”

Data protection

Every byte of your data is encrypted while it moves across the network and while it rests on our servers. Sensitive fields — including brokerage API secrets — get an extra layer of application-level encryption so that even a full database dump is useless without our rotating encryption key.

✓ TLS 1.3 in transit

All API and web traffic served over HTTPS with HSTS enforced. No HTTP fallback.

✓ AES-128 encryption at rest

Database volumes encrypted by our infrastructure provider (Railway) plus application-level Fernet encryption on MFA secrets, password reset tokens, and brokerage API credentials.

✓ Hashed credentials

Passwords stored with bcrypt (work factor 12). Password reset tokens stored as SHA-256 hashes, not plaintext.

✓ Encryption key rotation

Documented rotation procedure with a migration window that supports reading rows encrypted under the prior key.

✓ No stored payment data

All payment information is held by Stripe (PCI DSS Level 1 service provider). We never see or store card numbers.

✓ No brokerage login credentials

When you connect a brokerage account, authentication happens directly between you and your broker via SnapTrade's OAuth flow. We never see or store your brokerage username, password, or MFA codes — only a read-only API token.
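The key-rotation item above describes a migration window in which rows encrypted under the prior key stay readable. The following is an added example of that pattern, not Volaren's code: it uses `MultiFernet` from the Python `cryptography` package (the same Fernet scheme the page names), and the row store, row ids and secret values are constructed for the illustration. The pre-flight count is the check a practitioner wants before the prior key is dropped, because any row not yet re-encrypted becomes unreadable at that moment.

```python
# Added example: application-level Fernet encryption with a key-rotation
# migration window. Not Volaren's code; requires the `cryptography` package.
from __future__ import annotations

from cryptography.fernet import Fernet, InvalidToken, MultiFernet


def generate_key() -> bytes:
    """A fresh urlsafe-base64 Fernet key (what you would keep in the secret store)."""
    return Fernet.generate_key()


def keyring(current_key: bytes, prior_key: bytes | None = None) -> MultiFernet:
    """Build the keyring: the first key encrypts, every loaded key is tried on decrypt.

    During the migration window both keys are loaded, so rows written under the
    prior key remain readable. After the window only the current key is loaded.
    """
    fernets = [Fernet(current_key)]
    if prior_key is not None:
        fernets.append(Fernet(prior_key))
    return MultiFernet(fernets)


def encrypt_field(ring: MultiFernet, plaintext: str) -> bytes:
    return ring.encrypt(plaintext.encode("utf-8"))


def decrypt_field(ring: MultiFernet, token: bytes) -> str:
    return ring.decrypt(token).decode("utf-8")


def rotate_rows(ring: MultiFernet, rows: dict[int, bytes]) -> dict[int, bytes]:
    """Re-encrypt every stored token under the current (first) key.

    MultiFernet.rotate() decrypts with whichever loaded key verifies the token and
    re-encrypts with the first key, so this is the migration step run in the window.
    """
    return {row_id: ring.rotate(token) for row_id, token in rows.items()}


def count_unreadable(ring: MultiFernet, rows: dict[int, bytes]) -> int:
    """Pre-flight check before dropping the prior key: every row the
    current-key-only ring cannot decrypt would be lost."""
    unreadable = 0
    for token in rows.values():
        try:
            ring.decrypt(token)
        except InvalidToken:
            unreadable += 1
    return unreadable


def rotation_walkthrough() -> dict[str, object]:
    """Run the full lifecycle on a constructed table of brokerage API secrets."""
    old_key, new_key = generate_key(), generate_key()

    # Phase 0: rows were written under the old key only (constructed values).
    old_ring = keyring(old_key)
    rows = {
        1: encrypt_field(old_ring, "broker-secret-A"),
        2: encrypt_field(old_ring, "broker-secret-B"),
    }

    # Phase 1, migration window: new key first, old key still loaded.
    window_ring = keyring(new_key, prior_key=old_key)
    readable_in_window = decrypt_field(window_ring, rows[1]) == "broker-secret-A"

    # A ring holding only the new key cannot read the untouched rows yet.
    new_only_ring = keyring(new_key)
    unreadable_before = count_unreadable(new_only_ring, rows)

    # Migration step: re-encrypt everything under the new key, then re-check.
    rows = rotate_rows(window_ring, rows)
    unreadable_after = count_unreadable(new_only_ring, rows)

    return {
        "readable_in_window": readable_in_window,
        "unreadable_before_rotate": unreadable_before,
        "unreadable_after_rotate": unreadable_after,
        "row_2_after": decrypt_field(new_only_ring, rows[2]),
    }
```

Only when `count_unreadable` returns 0 for the current-key-only ring is it safe to remove the prior key from the secret store and close the migration window.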

Authentication & session management

Multiple layers stop an attacker from getting in — and if one slips through, short-lived sessions and a revocation mechanism limit the damage window.

✓ Approval-gated access

New accounts require manual review before they can sign in. We approve each user individually; there is no open self-signup.

✓ Strong password policy

Minimum 12 characters, blocklist of common breached passwords.

✓ Brute-force lockout

Accounts lock automatically after 10 failed attempts in 15 minutes.

✓ Rate limiting

Tight per-IP and per-account caps on login, registration, password reset, and other auth endpoints.

✓ Two-factor authentication

TOTP-based 2FA (Google Authenticator, 1Password, Authy) with one-time backup codes for recovery.

✓ Short-lived tokens

JWT access tokens expire in 24 hours. Password changes instantly invalidate every outstanding session.

✓ Enumeration prevention

Signup and password-reset responses don't reveal whether an email address is registered.
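The lockout and enumeration-prevention items above combine naturally in one login path: a sliding window that locks after 10 failures in 15 minutes, and a single failure message that is returned for a wrong password, an unknown account and a locked account alike. The following is an added example, not Volaren's implementation: the thresholds are the ones stated on this page, while the user store, clock values and the PBKDF2 password hash (standing in for bcrypt so the example needs only the standard library) are constructed for the illustration. Letting the lock clear on its own once the oldest failure ages out of the window is an assumption of the example.

```python
# Added example: sliding-window lockout (10 failures in 15 minutes) and
# enumeration-safe login responses. Not Volaren's code: thresholds come from
# the page; user store, clock values and PBKDF2 stand-in are constructed.
from __future__ import annotations

import hashlib
import hmac
import os
from collections import defaultdict, deque

MAX_FAILURES = 10            # from the page
WINDOW_SECONDS = 15 * 60     # from the page
# One message for a wrong password, an unknown account and a locked account,
# so the response never reveals which of the three happened.
GENERIC_FAILURE = "Invalid email or password."


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 stand-in for bcrypt (standard library only)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class LoginGuard:
    def __init__(self, users: dict[str, tuple[bytes, bytes]]) -> None:
        self._users = users                                   # email -> (salt, hash)
        self._failures: dict[str, deque[float]] = defaultdict(deque)
        # Decoy salt so an unknown email still costs one PBKDF2 run (no timing tell).
        self._decoy_salt = os.urandom(16)

    def _recent_failures(self, email: str, now: float) -> deque[float]:
        q = self._failures[email]
        while q and now - q[0] > WINDOW_SECONDS:   # drop failures older than the window
            q.popleft()
        return q

    def is_locked(self, email: str, now: float) -> bool:
        return len(self._recent_failures(email, now)) >= MAX_FAILURES

    def attempt(self, email: str, password: str, now: float) -> tuple[bool, str]:
        if self.is_locked(email, now):
            # Attempts during a lock are not recorded (assumption), so the lock
            # clears by itself once the oldest failure leaves the window.
            return False, GENERIC_FAILURE
        salt, stored = self._users.get(email, (self._decoy_salt, b""))
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, stored):
            self._failures[email].clear()
            return True, "ok"
        self._failures[email].append(now)
        return False, GENERIC_FAILURE


def lockout_walkthrough() -> dict[str, object]:
    """Drive the guard with a constructed clock to show each state transition."""
    guard = LoginGuard({"alice@example.com": hash_password("correct horse battery staple")})
    t = 1_700_000_000.0                                   # constructed epoch seconds
    unknown = guard.attempt("nobody@example.com", "guess", t)
    wrong = guard.attempt("alice@example.com", "guess", t)          # failure 1
    for i in range(1, MAX_FAILURES):                                 # failures 2..10, one per minute
        guard.attempt("alice@example.com", "guess", t + 60 * i)
    locked = guard.is_locked("alice@example.com", t + 600)
    refused = guard.attempt("alice@example.com", "correct horse battery staple", t + 601)
    recovered = guard.attempt("alice@example.com", "correct horse battery staple", t + WINDOW_SECONDS + 1)
    return {
        "same_message_for_unknown_and_wrong": unknown == wrong,
        "locked_after_ten": locked,
        "refused_while_locked": refused,
        "recovered_after_window": recovered,
    }
```

The per-account window is what the page describes; the per-IP caps in the rate-limiting item would sit in front of this check so that a distributed guessing run across many accounts is also throttled.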

Access controls

All data is scoped to the individual account that created it. No data is shared across accounts. We cannot see your portfolio positions or analyses unless you explicitly grant access (e.g., sharing a public link).

✓ Account-level data isolation

Every database query is scoped to your user ID. There is no shared state that could leak data across accounts.

✓ Read-only brokerage access

Brokerage connections are read-only. The Service cannot place orders, move funds, or take any action in your brokerage account.

✓ Least-privilege internal access

Production database access is restricted to the founders. No shared credentials; no standing vendor access.

✓ Audit log

Every security-relevant action (login, billing event, admin action) is logged immutably with actor, IP, and timestamp. Retained for 1 year.

Infrastructure & subprocessors

We build on vetted infrastructure providers that themselves hold SOC 2 Type II certifications. Full list of services that process customer data on our behalf:

  • Railway — application hosting, database. SOC 2 Type II certified.
  • Vercel — frontend hosting. SOC 2 Type II certified.
  • Stripe — payment processing. PCI DSS Level 1.
  • SendGrid (Twilio) — transactional email. SOC 2 Type II certified.
  • Anthropic — AI model inference. Data sent is covered by their enterprise no-training agreement. No customer data is used to train models.
  • SnapTrade — read-only brokerage account aggregation. Handles the OAuth flow with your broker; stores and transmits position data on our behalf. SOC 2 Type II certified.
  • Sentry — error tracking. All PII is scrubbed from events before transmission.
  • UptimeRobot — uptime monitoring. Sees only public URLs.

Subprocessor list is reviewed before any new vendor is added.

Monitoring & incident response

✓ 24/7 uptime monitoring

5-minute interval checks on production endpoints; email alerts on any unreachable state.

✓ Real-time error tracking

Sentry notifies on-call within 60 seconds of any unhandled exception. PII is scrubbed before events leave our servers.

✓ Immutable audit log

1-year retention of every authentication, authorization, and admin event.

✓ Log redaction

Runtime filter strips API keys, JWT tokens, passwords, and other secrets from log output before it reaches our logging provider.

✓ Automated security scanning

Weekly dependency vulnerability scans (pip-audit, npm audit, Dependabot) and static analysis (Bandit, Semgrep, TruffleHog) on every commit.

✓ Incident response

Documented playbook for triage, customer notification, and post-mortem. We commit to notifying affected customers within 72 hours of confirming an incident.
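The log-redaction item above describes a runtime filter that strips secrets before log output leaves the application. The following is an added example of such a filter for Python's standard `logging` module, not Volaren's own filter: the regular expressions and the sample log events are constructed for the illustration. The filter formats the record first and then redacts, so placeholders such as `%d` are never damaged by a rule, and every handler attached afterwards sees only the redacted text.

```python
# Added example: a logging.Filter that redacts secrets before any handler sees
# the record. Not Volaren's filter; rules and sample events are constructed.
from __future__ import annotations

import logging
import re

# Illustrative rules, applied in order: (pattern, replacement).
REDACTION_RULES = [
    # key=value / key: value forms for common secret names
    (re.compile(r"(?i)\b(password|passwd|api[_-]?key|secret|token)(\s*[=:]\s*)(\S+)"),
     r"\g<1>\g<2>[REDACTED]"),
    # HTTP bearer credentials
    (re.compile(r"(?i)(authorization:\s*bearer\s+)[A-Za-z0-9._~+/=-]+"), r"\g<1>[REDACTED]"),
    # bare JWTs: three base64url segments; the header segment always starts with eyJ ('{"')
    (re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"), "[REDACTED-JWT]"),
]


def redact(text: str) -> str:
    for pattern, replacement in REDACTION_RULES:
        text = pattern.sub(replacement, text)
    return text


class SecretRedactionFilter(logging.Filter):
    """Format the record, redact the result, and hand every handler the redacted text."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())   # formatting first keeps %-placeholders intact
        record.args = ()                           # already applied, so handlers must not re-apply
        return True


class _ListHandler(logging.Handler):
    """Captures formatted lines so the result can be inspected (stand-in for a log shipper)."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def capture_redacted(events: list[tuple[str, tuple]]) -> list[str]:
    """Log each (format, args) event through the filter and return what a handler saw."""
    logger = logging.getLogger("redaction-demo")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = _ListHandler()
    handler.setFormatter(logging.Formatter("%(message)s"))
    logger.handlers = [handler]
    logger.filters = []
    logger.addFilter(SecretRedactionFilter())    # logger-level filter runs before handlers
    for fmt, args in events:
        logger.info(fmt, *args)
    return handler.lines


# Constructed sample events (none of these values are real credentials).
SAMPLE_EVENTS = [
    ("outbound request headers: Authorization: Bearer abc123.def456.ghi789", ()),
    ("session issued for user %d: %s", (42, "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.abc-DEF_123")),
    ("login failed password=hunter2 from 203.0.113.5", ()),
    ("healthcheck ok in %d ms", (12,)),
]
```

Attach the filter to the root logger (or to each logger that feeds the shipping handler) so that third-party libraries logging request headers are covered as well; a filter attached only to one named logger, as in the demo, does not see records from other loggers.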

Compliance & privacy

✓ GDPR — right of access (Art. 15)

Every user can export their data as a structured JSON archive at any time from /stocks/settings.

✓ GDPR — right to erasure (Art. 17)

Every user can permanently delete their account and associated data from /stocks/settings. Completes within seconds; confirmation email sent.

✓ CCPA compliance

Same export and deletion rights available to California residents. Contact support@volaren.ai for any non-self-serve requests.

✓ Data residency

All primary data stored in US-East regions.

✓ SOC 2 Type II readiness

Currently pre-audit. Internal gap analysis available under NDA.

✓ Data retention

Audit logs: 1 year. Login attempts: 30 days. Expired reset tokens: purged after 7 days. Account data: until you delete the account.
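Two items on this page describe the same object from different angles: the Data protection section says password reset tokens are stored as SHA-256 hashes rather than plaintext, and the retention item above says expired reset tokens are purged after 7 days. The following is an added example of that token lifecycle, not Volaren's code: the 7-day purge comes from the page, while the one-hour token validity, the record layout and the clock values are constructed assumptions. A fast hash is appropriate here (unlike for passwords, which the page stores with bcrypt) because a 256-bit random token cannot be guessed, so the hash only has to make a stolen table useless.

```python
# Added example: password-reset tokens persisted only as SHA-256 hashes and
# purged 7 days after expiry. Not Volaren's code; TTL and record layout are assumed.
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 60 * 60              # assumption: a reset link is valid for 1 hour
PURGE_AFTER_SECONDS = 7 * 24 * 60 * 60   # from the page: expired tokens purged after 7 days


@dataclass
class ResetRecord:
    user_id: int
    token_hash: str       # hex SHA-256 of the token; the token itself is never stored
    expires_at: float
    used: bool = False


class ResetTokenStore:
    def __init__(self) -> None:
        self._records: list[ResetRecord] = []

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: int, now: float) -> str:
        """Create a token, persist only its hash, and return the token for the e-mail."""
        token = secrets.token_urlsafe(32)   # 256 bits of entropy from the OS CSPRNG
        self._records.append(ResetRecord(user_id, self._digest(token), now + TOKEN_TTL_SECONDS))
        return token

    def redeem(self, token: str, now: float) -> int | None:
        """Return the user id if the token is valid, unused and unexpired; mark it used."""
        digest = self._digest(token)
        for rec in self._records:
            if hmac.compare_digest(rec.token_hash, digest) and not rec.used and now <= rec.expires_at:
                rec.used = True
                return rec.user_id
        return None

    def purge(self, now: float) -> int:
        """Drop records whose expiry is more than PURGE_AFTER_SECONDS in the past."""
        before = len(self._records)
        self._records = [r for r in self._records if now < r.expires_at + PURGE_AFTER_SECONDS]
        return before - len(self._records)

    def stored_values(self) -> list[str]:
        """What a database dump would reveal: hashes only."""
        return [r.token_hash for r in self._records]


def reset_token_walkthrough() -> dict[str, object]:
    """Issue, redeem, reject and purge on a constructed clock."""
    store = ResetTokenStore()
    t0 = 1_700_000_000.0                              # constructed epoch seconds
    token = store.issue(user_id=7, now=t0)
    plaintext_in_store = token in store.stored_values()
    first = store.redeem(token, t0 + 60)              # valid, first use
    second = store.redeem(token, t0 + 61)             # replay of a used token
    stale = store.issue(user_id=8, now=t0)
    expired = store.redeem(stale, t0 + TOKEN_TTL_SECONDS + 1)
    purged_early = store.purge(t0 + TOKEN_TTL_SECONDS + PURGE_AFTER_SECONDS - 1)
    purged = store.purge(t0 + TOKEN_TTL_SECONDS + PURGE_AFTER_SECONDS + 1)
    return {
        "plaintext_in_store": plaintext_in_store,
        "first_redeem": first,
        "replay_redeem": second,
        "expired_redeem": expired,
        "purged_early": purged_early,
        "purged_after_7_days": purged,
    }
```

The purge runs as a scheduled job; keeping expired records for the retention window rather than deleting them on expiry lets an investigation still correlate a reset attempt with the audit log.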

Business continuity

✓ Daily automated backups

Managed Postgres snapshots retained for 7 days.

✓ Documented restore procedure

Runbook covers dry-run restore, production restore, and encryption-key rotation.

✓ Multi-region hosting

Infrastructure provider runs across multiple availability zones; single-region failure does not take down the service.

Reporting a vulnerability

Found a security issue? We appreciate the heads up — we're a small team and every disclosure makes us stronger. Read our coordinated disclosure policy for scope, safe-harbor language, and response SLAs.

Email: support@volaren.ai

PGP: available on request

Response SLA: initial acknowledgment within 2 business days, status update within 5

Machine-readable contact: /.well-known/security.txt (RFC 9116)
