Infrastructure
- Supabase Postgres — Data is stored in Supabase with Row Level Security (RLS) enforced at the database level. Users can only access their own data.
- HTTPS everywhere — All traffic is encrypted in transit using TLS 1.2+. HTTP requests are automatically redirected to HTTPS.
- Serverless API routes — API endpoints run in isolated serverless functions on the Vercel Edge Network. No persistent server processes.
- Supabase Auth — Sessions use secure, HTTP-only cookies with PKCE. OAuth sessions are server-initiated to prevent code-verifier exposure.
Access Controls
- Row Level Security — Database queries are restricted so users can only read and write their own strategies, backtests, and account data.
- Service role key isolation — The Supabase service role key (which bypasses RLS) is never included in client bundles. It is only used in server-side API handlers that have already verified authentication.
- Brokerage credentials — Live brokerage connections are authorized through the broker. AutoTrader does not store your brokerage passwords.
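The Row Level Security control described under Infrastructure and Access Controls is a Postgres feature, so it is worth seeing what such policies look like and how to verify they are actually in force. The following is an added example written for this page, not AutoTrader's own schema or migrations; the table name `strategies`, the `user_id` column and the user id used in the simulated request are assumptions chosen for illustration.

```sql
-- Added example (not AutoTrader's own schema): a minimal Supabase/Postgres
-- table with "users only see their own rows" RLS policies.
-- Table and column names (strategies, user_id) are assumptions for illustration.

create table if not exists public.strategies (
  id          uuid primary key default gen_random_uuid(),
  user_id     uuid not null default auth.uid() references auth.users (id) on delete cascade,
  name        text not null,
  created_at  timestamptz not null default now()
);

-- Without this line the policies below are ignored and every authenticated
-- user can read every row; enabling RLS with no policies denies everything.
alter table public.strategies enable row level security;

-- Apply RLS to the table owner as well, so a connection as the owner role
-- cannot silently bypass it. The Supabase service_role is created with
-- BYPASSRLS and still ignores these policies, which is why a service role key
-- must stay out of client bundles.
alter table public.strategies force row level security;

-- One policy per command so the intent is explicit and auditable.
-- auth.uid() returns the user id from the verified JWT; wrapping it in
-- (select ...) lets the planner evaluate it once per query rather than per row.
create policy "strategies: owner can read"
  on public.strategies for select
  to authenticated
  using ((select auth.uid()) = user_id);

create policy "strategies: owner can insert"
  on public.strategies for insert
  to authenticated
  with check ((select auth.uid()) = user_id);

create policy "strategies: owner can update"
  on public.strategies for update
  to authenticated
  using ((select auth.uid()) = user_id)
  with check ((select auth.uid()) = user_id);

create policy "strategies: owner can delete"
  on public.strategies for delete
  to authenticated
  using ((select auth.uid()) = user_id);

-- Check 1: list every ordinary table in the public schema (the schema Supabase
-- exposes through its API) that does NOT have RLS enabled. Expected: zero rows.
select c.relname as table_without_rls
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity;

-- Check 2: simulate an authenticated request from one user inside a
-- transaction and confirm only that user's rows are returned.
-- The uuid below is a constructed placeholder, not a real account.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
                    '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
                    true);
  select id, name from public.strategies;  -- only rows whose user_id equals the sub claim
rollback;
```

Check 1 is the one to run in CI or after every migration: a new table created without `enable row level security` is readable by every signed-in user through the API, and nothing in the application layer will catch that. Check 2 exercises the policies the way PostgREST does, by switching to the `authenticated` role and setting the JWT claims for the transaction, so it tests the real enforcement path rather than the client code.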
Data Protection
- No PII logging — We do not log email addresses, names, or IP addresses in application logs.
- Input validation — API inputs are validated before any database operation.
- SQL injection prevention — Queries use parameterized statements via the Supabase JS SDK. User input is never concatenated into SQL.
- CSRF protection — State-changing operations require authenticated sessions.
Vulnerability Disclosure
If you discover a security vulnerability, please email security@autotrader.app immediately. Do not disclose publicly until we have had 90 days to respond and patch. We appreciate responsible disclosure.
Updates
This page is updated when security controls change. Last reviewed: June 2026.