Security & Compliance

Security at TradeLeader

Honest answers about how we handle your data, what we've built, and what we're still working toward. Last updated April 26, 2026.

TL;DR
  • Your brokerage credentials never touch our servers. SnapTrade handles that.
  • Read-only access by default. We literally cannot place trades or move your money.
  • TLS 1.3 in transit. AES-256 at rest. Standard practices, properly configured.
  • SnapTrade is SOC 2 Type II audited.
  • We have not yet completed our own SOC 2 audit. We'll publish ours when we do.
  • No third-party penetration test on file yet. On the roadmap.

How brokerage authentication works

We never collect, store, or transmit your brokerage username or password. When you connect Schwab, IBKR, Vanguard, Robinhood, etc., you're redirected to a flow operated by SnapTrade, an established broker-aggregation platform that is SOC 2 Type II audited.

SnapTrade returns to TradeLeader an opaque connection token that lets us read your holdings, transactions, and dividends. By default, the token is read-only: it cannot place trades, withdraw funds, or change your settings. Even if our database were compromised, the token alone could not move money.

You can revoke the connection from your broker's app, from your TradeLeader settings, or from SnapTrade directly — at any time, instantly.

Where your data lives

We use a small set of well-understood, audited cloud providers:

  • Vercel — hosting and TLS termination. SOC 2 Type II, ISO 27001. TLS 1.3 enforced on all incoming traffic.
  • Supabase (Postgres) — primary database. SOC 2 Type II. Data at rest encrypted with AES-256. Backups encrypted and retained 7 days.
  • SnapTrade — brokerage connectivity. SOC 2 Type II.
  • Polygon.io — market data. We send symbols up; no PII.
  • Resend — transactional email. Email subject/body only — no portfolio details in headers.

A complete sub-processor list is published in our DPA and updated within 30 days of any change.

Encryption

  • In transit: TLS 1.3 with strong ciphers. HSTS enforced. No HTTP fallback.
  • At rest: AES-256 on database, backups, and any object storage. Provider-managed keys.
  • Application secrets: Stored in Vercel encrypted environment variables, never committed to source.
  • Email tokens & session cookies: HttpOnly, Secure, SameSite=Lax. Sessions expire after 30 days of inactivity.

What data we actually collect

  • Email address, name, password hash (bcrypt), MFA secret if enabled.
  • Holdings, transactions, tax lots, and dividend history pulled via SnapTrade — for accounts you explicitly connect.
  • Manually entered positions (e.g., 401(k), RSUs).
  • Application usage telemetry (page views, error reports). No third-party advertising or session-replay tools.

We do not collect SSN, bank account/routing numbers, brokerage passwords, or any other credential. We do not sell user data. Ever.

Compliance roadmap

We're transparent about what we have and don't have yet:

  • Implemented: GDPR/CCPA-aligned data handling, export, and deletion
  • Implemented: Encryption at rest and in transit
  • Implemented: MFA available for all user accounts
  • Implemented: Sub-processor list maintained and published
  • Planned: SOC 2 Type I — target completion within 6 months of public launch
  • Planned: SOC 2 Type II — target ~12 months after Type I
  • Planned: Annual third-party penetration test
  • Planned: Bug bounty program (after pen test)
  • Planned: ISO 27001 — only if enterprise/RIA channel demands it
  • Not applicable: HIPAA, FedRAMP, PCI-DSS — not applicable to our scope

What you can ask us for

  • A full export of your data in JSON or CSV — at any time, in-app.
  • Permanent deletion of your account and associated data — confirmed within 30 days.
  • A copy of our DPA (Data Processing Addendum) — for B2B / RIA customers.
  • Vendor security questionnaire responses (CAIQ-Lite, SIG-Lite) — once we're post-SOC-2.

Reporting a vulnerability

If you believe you've found a security issue, please email security@tradeleader.io with details. We commit to:

  • Acknowledging receipt within 2 business days.
  • A status update within 7 days, including initial severity assessment.
  • Not pursuing legal action against good-faith researchers acting under our coordinated disclosure policy.

PGP key available on request. Bug bounty program will launch alongside our SOC 2 Type II completion.

Things we don't do

  • We don't initiate trades or transfers on your behalf.
  • We don't share or sell your portfolio data to anyone.
  • We don't use your data to train third-party AI models.
  • We don't embed advertising trackers or session-replay scripts.
  • We don't claim certifications we haven't earned.

Supported brokers (live SnapTrade catalog)

We connect through SnapTrade. Their currently live retail integrations:

  • Stocks: Charles Schwab · Interactive Brokers · Vanguard · E*TRADE · Webull · tastytrade · Public · Robinhood · Trading212
  • Crypto: Coinbase · Kraken · Binance · eToro · Alpaca
  • International: Wealthsimple (CA) · Webull Canada · TD Direct Investing · Questrade · DEGIRO · AJ Bell · Moomoo

Not yet supported: Fidelity, thinkorswim (merged into Schwab), Merrill Edge, JPMorgan Self-Directed, Tradier. SnapTrade has been working on Fidelity for some time — when they ship it, we ship it. Until then, manual CSV import is on our roadmap as the workaround for Fidelity-only users.

For 401(k) plans (Fidelity NetBenefits, Empower Retirement, etc.) we plan manual entry — these are rarely supported by any aggregator.

Questions? Email security@tradeleader.io.