Treeova protects user data with AES-256 encryption at rest, TLS 1.2+ in transit, and row-level security on every database table. Broker credentials are never stored as passwords — only encrypted OAuth tokens or API keys. Paper trading is fully isolated from live accounts.

    Treeova Security & Data Protection

    Encryption, row-level security, isolated paper trading, and broker credential protection.

    AES-256 encryption at rest, TLS 1.2+ in transit.

    Row-level security on every database table.

    Broker credentials stored as encrypted OAuth tokens, never passwords.

    Paper trading fully isolated from live broker accounts.

    How Treeova protects your data, broker credentials, and trading activity.

    Broker Credential Security

    • Treeova never stores your broker passwords. Broker connections use OAuth tokens or API keys — see supported broker integrations — that are encrypted at rest using AES-256.
    • Credentials are stored in isolated, encrypted database fields with row-level security (RLS) ensuring only the authenticated owner can access their tokens.
    • All broker API communication uses TLS 1.2+ encrypted connections.

    Data Encryption

    • All data in transit is encrypted using TLS 1.2+ (HTTPS enforced).
    • Data at rest is encrypted using AES-256 in the database layer.
    • Database backups are encrypted and stored in geographically redundant locations.

    Row-Level Security

    • Every database table enforces row-level security (RLS) policies. Users can only read and modify their own data.
    • Admin access is role-gated with audit logging for every administrative action, including IP address and user agent tracking.
    • Multi-factor authentication (MFA) is supported for admin accounts.

    Paper Trading Isolation

    • The fully funded paper trading environment is fully isolated from live broker accounts.
    • Paper trades never interact with real brokers, real markets, or real money. Simulated executions use delayed market data.
    • Paper account balances and positions are stored in separate database tables from live trading data — learn more about paper trading.

    Authentication & Access Control

    • User authentication is handled via industry-standard protocols with email verification required before account activation.
    • Google OAuth is available as a secondary authentication method.
    • Session tokens are short-lived with automatic refresh. Inactive sessions expire to prevent unauthorized access.

    Platform Integrity

    • AI agent execution is sandboxed — agents can only access tools and data explicitly granted by the user.
    • All agent runs are logged with full telemetry: input/output tokens, tool calls, execution duration, and cost.
    • Rate limiting is enforced on API endpoints to prevent abuse.
    • Treeova does not sell user data, trading activity, or behavioral analytics to third parties.

    Compliance & Infrastructure

    • Treeova's infrastructure runs on Netlify (SOC 2 Type II, ISO 27001) and Supabase (SOC 2 Type II, ISO 27001). Physical data center security, DDoS protection, and network isolation are enforced and audited by our hosting providers. Market data is sourced via Polygon.io.
    • Our development process follows OWASP Top 10 guidelines. Automated vulnerability scanning runs as part of every deployment pipeline. Production and development environments are strictly separated.
    • Treeova maintains incident response procedures with centralized logging and automated alerts across production systems.

    Responsible Disclosure

    • Found a security issue? Email security@treeova.com with a clear reproduction. We acknowledge reports within 2 business days and will keep you updated through remediation.
    • We ask researchers to test only against their own accounts, avoid destructive actions, and refrain from publicly disclosing the issue until we've shipped a fix.
    • For general questions that aren't a vulnerability report, use the contact page.

    Security FAQ

    Does Treeova store my broker password?

    No. Treeova never stores broker passwords. Broker connections use OAuth tokens or encrypted API keys. Your credentials are encrypted at rest with AES-256 and protected by row-level security policies.

    Can other users see my trades or positions?

    No. All data is protected by row-level security (RLS). Each user can only access their own positions, trades, and account data. Admin access is role-gated with full audit logging.

    Is paper trading connected to real brokers?

    No. The fully funded paper trading environment is fully isolated. Paper trades never interact with real brokers or real money. Paper and live data are stored in separate database tables.

    How does Treeova handle AI agent security?

    AI agents run in a sandboxed environment with access only to explicitly granted tools and data. All agent runs are fully logged with telemetry including token usage, tool calls, and execution cost.

    Does Treeova sell my data?

    No. Treeova does not sell user data, trading activity, or behavioral analytics to third parties. We use analytics only to improve platform performance and user experience.