Server-side access control
Protected app pages require an authenticated session, plan-aware access, and admin-only checks for operations pages.
Security and risk
Built for trust before trade decisions.
AI Trader Command Center is designed around account security, protected customer data, explainable research, clear risk language, and payment handling through Stripe.
User-owned data boundaries
Watchlists, trade cards, paper trades, settings, and journal records are scoped to the signed-in user.
Stripe-hosted billing
Checkout and the Customer Portal handle payment collection. The app stores subscription state, not card numbers or CVC.
Risk-first research boundary
Trade ideas are decision support with max loss, invalidation, liquidity, and uncertainty language near the recommendation.
Security architecture
A readable map of how customer data stays separated.
The launch architecture is intentionally layered: browser protections, server-side gates, scoped records, hosted billing, and audited operations all have to work together before a user can reach paid research data.
This is a security posture overview, not a promise that no vulnerability can exist. Security reports are reviewed through the published support path.
01
Browser and session
Customers enter through secure cookies, OAuth or email auth, legal acceptance, and plan-aware route gates.
Secure session cookieEmail verification optionLegal reacceptance gate
02
Middleware access policy
Protected pages are checked before the app shell renders paid research, billing, settings, or admin surfaces.
Auth requiredSubscription state checkedAdmin role plus MFA
03
API request guards
State-changing requests are validated server-side before data is saved, exported, deleted, or sent to support.
Origin checksRate limitsBody-size limits
04
User-owned database records
Watchlists, journal entries, scanner views, trade cards, and paper trades are scoped to the authenticated user.
user_id ownershipCross-user testsAccount export controls
05
Payments and messages
Stripe handles payment collection, while support messages are filtered for secrets before storage or email delivery.
No card storageWebhook signaturesSensitive-content filter
06
Operations and response
Admins get audited operations tools for incidents, provider readiness, feature flags, support queues, and launch gates.
Append-only auditIncident bannerProduction QA gates
Operational hardening
Security checks built into the product flow.
The platform keeps user research separate by account, validates state-changing requests on the server, and makes security protections part of the normal release QA gate.
Cross-site mutation protection
State-changing app requests are checked against trusted origins and browser fetch metadata before protected data is changed.
Browser isolation headers
Security headers are emitted on every route, including clickjacking protection, origin isolation, content-type protection, and CSP reporting.
CSP violation reporting
Browser policy reports are rate-limited, sanitized, and recorded for admin audit review when the database is configured.
Support secret filtering
Contact messages with obvious passwords, API keys, tokens, card numbers, or account credentials are rejected before storage.
Account export controls
Signed-in users can export their saved account data, while cross-site export triggers are blocked before protected records are read.
Body-size and JSON validation
API routes reject oversized or malformed request bodies before account, billing, support, or research records are processed.
Incident response runbook
Security reports have severity levels, containment steps, secret-rotation checks, regression-test expectations, and customer-impact review before closure.
Product boundaries
Broker order placement is not part of the product workspace.
Broker credentials are not collected.
No naked options, margin trading, copy trading, or autonomous order flow is offered.
AI outputs are research and decision support, not personalized financial advice.
Market, sentiment, political, insider, and options data may be delayed or incomplete.
Past performance, backtests, and AI scores do not guarantee future results.
Legal center
Risk and data disclosures stay one click away.
Risk-first trading research
Build better trade decisions before you commit capital.
Start with explainable trade cards, paper trading, and portfolio guardrails. The platform focuses on research, monitoring, and review workflows.