Security at Options Analysis Suite
Options Analysis Suite is built around a strict data-minimization model. We do not connect to your brokerage account. We never receive your trade history, positions, or balances unless you choose to upload them yourself. The platform is read-only with respect to both markets and your accounts. This page explains what we store, where we store it, and how we protect it.
What Data We Hold
Account records consist of an email address, a hashed password (when password auth is used), and the subscription plan tied to your account. Stripe processes all payments and is the system of record for card numbers, billing address, and payment history; we receive only the customer ID and the subscription status. We do not see, store, or log card numbers. For users who opt into broker connectivity through BYOK (bring your own key), we store the encrypted API key scoped to the broker you authorize, and we use it only to fetch the market data feeds you have asked us to read. BYOK keys can be rotated or revoked from your account settings at any time.
We do not store portfolios, positions, or trade history except when you explicitly import a CSV or paste positions into the strategy builder; in that case the data is tied to your account and removable from the same UI that created it. The platform's analytics surfaces (max-pain, GEX, IV history, etc.) are computed from market-wide options data and do not reference any individual user account.
Authentication and Access Control
Authentication uses Supabase's session model with JWT-based tokens, encrypted in transit over TLS 1.2 or higher. Sessions expire on a rolling window and are invalidated on password change or explicit logout. Privileged operations on your data (plan changes, BYOK key rotation, account deletion) require a fresh authentication step. There is no admin dashboard that exposes another user's data; internal operational queries run through service-role tokens scoped to the specific table involved.
Market Data and BYOK
The default market data feed is end-of-day options chains and historical analytics from institutional-grade options market data providers, licensed under our agreements and shared across all users. Real-time options chains and quote feeds are available through BYOK to subscribers with their own data agreements at supported brokers and data vendors: Tradier, Public.com, and tastytrade are the current direct integrations. BYOK keys are stored encrypted at rest, used only to fetch the data scopes you authorized, and never proxied to a third party.
Infrastructure and Providers
The application is hosted on Vercel (compute, edge functions, CDN). The data layer runs on Supabase (Postgres, auth, storage). Both providers operate SOC 2 Type II compliant infrastructure with encrypted-at-rest storage and routine third-party penetration testing. Payment processing is handled by Stripe, which is PCI DSS Level 1 certified. Our own application code is open to audit by enterprise customers under NDA on request.
Vulnerability Disclosure
If you discover a security issue affecting Options Analysis Suite, please report it privately. Disclosure contact and scope are documented in /.well-known/security.txt per RFC 9116. We respond to disclosures within two business days, validate the report, and coordinate a fix and disclosure timeline. We do not currently run a paid bug bounty but acknowledge reporters publicly with permission.