Security

VECTOR handles a sensitive thing — your trading track record — so isolation and authentication are built in from the ground up. This page summarises the posture; for the data-protection view see Your data & privacy.

Authentication

Identity is handled by Supabase Auth (email/password and Google sign-in). Every API request carries a signed JWT, which the backend verifies on each call — by shared secret (HS256) or by Supabase's rotating public keys (JWKS), with the audience claim checked. Sessions and saved data are keyed to the verified user id; an unverified request is rejected.

A separate legacy login (a backend-signed cookie from environment credentials) exists only for local development and internal use. It is disabled in production — where Supabase is the sole identity provider — so it offers no extra attack surface online. The login endpoint is also rate limited (per-IP) to blunt brute-force attempts.

Data isolation

Everything is scoped to your user id

Live sessions, saved portfolios, strategies and variants are all partitioned by user_id. The session manager refuses to return a session that you don't own, and storage queries always filter on your id. One user can never see another user's data.

  • Uploads are private. The CSVs you upload are processed only to produce your analysis and are never exposed to other users.
  • Per-user storage. On the file backend each user has an isolated folder; on Postgres every row is bound to (user_id, kind, name).

Transport

The frontend (Vercel) and backend (Render) are served over HTTPS. Cross-origin access is restricted to the configured frontend origin (CORS). Legacy development cookies are httpOnly and, in production, secure + SameSite.

Secrets

Sensitive keys — JWT secrets and the Supabase service-role key — live only in backend environment variables, never in the frontend bundle and never in logs. The high-privilege service-role key is used solely for administrative actions like account deletion, and if it's absent that action fails closed rather than degrading silently.

Account control

  • Linked providers. You can link or unlink Google to your account from Settings (at least one sign-in method must remain).
  • Export. Download a complete archive of your data at any time — see Exporting data.
  • Deletion is permanent. Deleting your account removes your Supabase identity first, then purges stored data and any in-memory sessions. It cannot be undone.

Responsible disclosure

VECTOR is analysis-only and never touches a brokerage account, so there is no order-execution attack surface. If you believe you've found a security issue, please report it privately rather than testing against other users' data.