Trust & Security

Security, Privacy & Reliability by Design

Hedgtrade is built for professional and institutional audiences. We minimise data, encrypt by default, provide role-based access, and ship explainable, audit-friendly research outputs. Below is an at-a-glance view of our controls, data handling, incident response, and compliance posture.

  • Research outputs only — no personal trading data required to use the platform
  • TLS in transit; encryption at rest; per-env API keys; optional SSO/SAML & IP allow-listing
  • Provenance & versioning for explainability and audit

Trust & Security overview: encryption, access controls, incident response

  • Encryption: TLS 1.2+ / AES-256 at rest
  • Access: Role-based + API keys
  • Explainable: Provenance & versioning
  • Delivery: Dashboards · Email · API

Data Minimisation

We focus on research outputs (signals, seasonality, summaries). We don’t require personal trading activity to generate insights.

Defense in Depth

Encryption at rest & in transit, least-privilege, environment isolation, and optional IP allow-lists for API access.

Auditability

Every run produces versioned artifacts: model votes/weights, evidence strings, and change logs for reproducibility.

Data Handling & Privacy

  • What we process: market data and derived research outputs (signals, seasonality, summaries). Account & billing metadata for service delivery.
  • What we avoid: we do not require personal trading histories or portfolio PII to produce research.
  • Regions & retention: data kept in reputable cloud regions; retention periods documented; exports available upon request.
  • Legal: PDPA (SG) and GDPR-aligned practices; Data Processing Addendum (DPA) available.
  • DPO / Privacy: privacy@hedgtrade.com

Security Controls

  • Transport & storage: TLS 1.2+ in transit, AES-256 at rest.
  • Access: role-based access control; per-env API keys; optional SSO/SAML and IP allow-listing.
  • Application: input validation, rate limiting, audit logging, and versioned configuration.
  • Backups & continuity: routine backups with tested restores; region-level redundancy.

Compliance & Governance

  • Explainable research outputs suitable for ALCO/IC workflows.
  • Provenance metadata (votes, weights, evidence) for audit trails.
  • Policies for access, change management, and exception handling.
  • Roadmap: SOC 2 / ISO 27001 readiness documentation on request.

API Security (example)

curl -s -H "X-API-Key: $HEDGTRADE_API_KEY" \
  "https://api.united-river.com/v1/signals/US2000?tf=1W&limit=1"

Options: IP allow-list, per-env keys, and webhook signing on request.

Sub-processors

Vendors that help us deliver the service. Actual use may vary by region and subscription. We can notify customers of material changes.

Service | Purpose | Typical Data | Region(s) | Notes
--- | --- | --- | --- | ---
Stripe | Billing & payments | Billing contact, last-4 & token (we don’t store full card numbers) | US/EU | PCI-DSS compliant; customer of record remains you
Email provider (e.g., SendGrid/Mailgun) | Transactional & research emails | Email addresses & message metadata | US/EU | Suppression lists for bounces/unsubscribes
Cloud hosting provider | Compute, storage, networking | Research outputs, account metadata | Regional | Encryption at rest; region-level redundancy
CDN / DDoS provider | Edge delivery & availability | HTTP logs (incl. IP address) | Global | Used for static assets and uptime
Need a signed DPA or updated list by region? Contact us.

Responsible Disclosure

  • Email: security@hedgtrade.com
  • Acknowledge within 72 hours; status updates during triage and fix.
  • No testing of production data; no social engineering; no disruption or data exfiltration.
  • No legal action for good-faith, scoped testing following these rules.

# /.well-known/security.txt
Contact: mailto:security@hedgtrade.com
Policy: https://www.hedgtrade.com/trust#disclosure
Preferred-Languages: en
Hiring: https://www.hedgtrade.com/careers
# RFC 9116 also requires an Expires field (ISO 8601 date-time) before the file is published.

Incident Response (IR)

  1. Detect & Triage: alerts, logs, user reports → severity classification.
  2. Contain & Eradicate: isolate impact, rotate credentials, patch.
  3. Recover: restore services, validate integrity.
  4. Notify: customer comms aligned with contract & law (PDPA/GDPR).
  5. Post-mortem: root cause, lessons learned, preventive actions.

Security Headers (example)

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; img-src 'self' https: data:;
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: no-referrer
Permissions-Policy: camera=(), microphone=(), geolocation=()
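As an added example (not code from the page or from Hedgtrade), a small Python audit that parses a raw header set like the one above and flags deviations from that baseline: HSTS shorter than a year or without includeSubDomains, a CSP lacking default-src or allowing unsafe-inline/unsafe-eval, a missing nosniff, and no clickjacking protection. The sample input is the page's own header set, embedded as constructed text.

```python
import re

# Constructed sample: the header set from the example above, as a server would send it.
SAMPLE_HEADERS = """\
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; img-src 'self' https: data:;
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: no-referrer
Permissions-Policy: camera=(), microphone=(), geolocation=()
"""

def parse_headers(raw: str) -> dict:
    """Parse 'Name: value' lines into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers

def audit_headers(raw: str) -> list:
    """Return a list of findings; an empty list means the baseline is met."""
    h = parse_headers(raw)
    findings = []
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        findings.append("HSTS missing")
    elif int(m.group(1)) < 31536000:
        findings.append("HSTS max-age below one year")
    elif "includesubdomains" not in hsts.lower():
        findings.append("HSTS lacks includeSubDomains")
    csp = h.get("content-security-policy", "")
    if "default-src" not in csp:
        findings.append("CSP missing default-src")
    if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("CSP allows unsafe-inline/unsafe-eval")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options not nosniff")
    # Clickjacking: accept X-Frame-Options DENY/SAMEORIGIN or a CSP frame-ancestors directive.
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection")
    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(f"{name} missing")
    return findings
```

Running audit_headers(SAMPLE_HEADERS) returns an empty list; feeding it a weakened set (short max-age, 'unsafe-inline', no X-Frame-Options) returns one finding per gap.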

Business Continuity

  • Backups with regular restore tests; environment isolation.
  • Documented RPO/RTO targets; region-level failover where applicable.
  • Runbooks for degraded modes and dependency incidents.

Reliability

Uptime, Monitoring & SLA

We monitor core APIs and dashboards with synthetic checks and alerting. Visit our status page for historical uptime and incidents, and review response times on the SLA page.

Security FAQs

Do you support SSO/SAML?

Yes — optional for enterprise plans. Per-env API keys and IP allow-lists are also available.

Where is my data stored?

In reputable cloud regions. We can align storage/processing to your region where available.

Can you sign our DPA?

Yes. We also provide our standard DPA on request, aligned with PDPA/GDPR principles.

Next step

Need our security & compliance pack?

We’ll send policy summaries, control matrices, and an updated sub-processor list.