Security
VECTOR handles a sensitive thing — your trading track record — so isolation and authentication are built in from the ground up. This page summarises the posture; for the data-protection view see Your data & privacy.
Authentication
Identity is handled by Supabase Auth (email/password and Google sign-in). Every API request carries a signed JWT, which the backend verifies on each call — by shared secret (HS256) or by Supabase's rotating public keys (JWKS), with the audience claim checked. Sessions and saved data are keyed to the verified user id; an unverified request is rejected.
A separate legacy login (a backend-signed cookie from environment credentials) exists only for local development and internal use. It is disabled in production — where Supabase is the sole identity provider — so it offers no extra attack surface online. The login endpoint is also rate limited (per-IP) to blunt brute-force attempts.
Data isolation
Everything is scoped to your user id
Live sessions, saved portfolios, strategies and variants are all partitioned by user_id. The session
manager refuses to return a session that you don't own, and storage queries always filter on your id.
One user can never see another user's data.
- Uploads are private. The CSVs you upload are processed only to produce your analysis and are never exposed to other users.
- Per-user storage. On the file backend each user has an isolated folder; on Postgres every row is
bound to
(user_id, kind, name).
Transport
The frontend (Vercel) and backend (Render) are served over HTTPS. Cross-origin access is restricted
to the configured frontend origin (CORS). Legacy development cookies are httpOnly and, in production,
secure + SameSite.
Secrets
Sensitive keys — JWT secrets and the Supabase service-role key — live only in backend environment variables, never in the frontend bundle and never in logs. The high-privilege service-role key is used solely for administrative actions like account deletion, and if it's absent that action fails closed rather than degrading silently.
Account control
- Linked providers. You can link or unlink Google to your account from Settings (at least one sign-in method must remain).
- Export. Download a complete archive of your data at any time — see Exporting data.
- Deletion is permanent. Deleting your account removes your Supabase identity first, then purges stored data and any in-memory sessions. It cannot be undone.
Responsible disclosure
VECTOR is analysis-only and never touches a brokerage account, so there is no order-execution attack surface. If you believe you've found a security issue, please report it privately rather than testing against other users' data.