Security Practices

Security by design: encryption, controls, and compliance.

Last updated: 2025-08-21

Overview

TRINITY Trade LLC designs security into our platform and development lifecycle. Our primary goals are protecting user accounts, safeguarding data, and maintaining availability. We apply least‑privilege access, layered defenses, and continuous monitoring across our services (IRIS web app and supporting APIs including Atlas, Hermes, Athena, and Dionysus).

  • Secure development: Code reviews, dependency updates, and change control prior to release.
  • Environment separation: Distinct environments and projects for isolation where appropriate.
  • Monitoring & alerting: Cloud logs and health checks with alerting on failures and anomalies.
  • Privacy by design: We minimize personal data collection and use anonymized analytics.

Encryption

  • In transit: All web traffic is served over HTTPS (TLS 1.2+). HSTS is enabled by our managed hosting. Cookies for authentication are set with HttpOnly, Secure (in production), and SameSite=Lax attributes to mitigate common web risks.
  • At rest: Data stored in Google Cloud (e.g., BigQuery, Firestore used by backend services) is encrypted at rest using provider‑managed keys. We operate our data in us‑central1.
  • Secrets: Service‑to‑service authentication uses Google service accounts and application default credentials in cloud environments. We avoid embedding secrets in client code.

Infrastructure & Access

  • Cloud platform: The IRIS web app runs on Google App Engine (Standard). Supporting analysis and data services run on managed Google Cloud services (e.g., Cloud Run Jobs for batch analysis, BigQuery for analytics data). Network and platform hardening are inherited from Google Cloud.
  • Authentication: User auth is handled by Firebase Authentication. Server endpoints verify Firebase ID tokens and forward calls to backend services with bearer tokens when required.
  • Access control: Administrative access is limited to authorized personnel following least‑privilege IAM policies. MFA/SSO is required for administrative accounts in our workspace.
  • Logging: Access and application logs are retained in Google Cloud Logging for operational troubleshooting and security investigations.
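The server-side pattern the Authentication bullet above describes (verify the Firebase ID token on each request, then call a backend with a bearer token) together with the cookie attributes from the Encryption section, as an added example that is not TRINITY's code. The token verifier is injected so the module runs offline; in a deployment it would be `firebase_admin.auth.verify_id_token`. The backend bearer token is assumed here to be the server's own service credential rather than the user's ID token.

```python
from http.cookies import SimpleCookie
from typing import Callable, Mapping

class AuthError(Exception):
    """Raised when a request carries no usable identity."""

def extract_bearer(headers: Mapping[str, str]) -> str:
    """Return the token from an 'Authorization: Bearer <token>' header."""
    value = headers.get("Authorization") or headers.get("authorization") or ""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise AuthError("missing or malformed bearer token")
    return token.strip()

def authenticate(headers: Mapping[str, str], verify: Callable[[str], dict]) -> dict:
    """Verify the Firebase ID token on a request and return its claims.
    `verify` is injected so this runs offline; deployed, it would be
    firebase_admin.auth.verify_id_token, which checks signature, issuer,
    audience and expiry and raises on any invalid token."""
    token = extract_bearer(headers)
    try:
        claims = verify(token)
    except Exception as exc:
        raise AuthError("token verification failed") from exc
    if not claims.get("uid"):
        raise AuthError("verified token has no subject")
    return claims

def backend_headers(service_token: str) -> dict:
    """Headers for the server-to-server hop to a backend such as Atlas.
    Assumption: the bearer token is the server's own credential (application
    default credentials in cloud environments), not the user's ID token."""
    return {"Authorization": f"Bearer {service_token}"}

def session_cookie_header(name: str, value: str, production: bool) -> str:
    """Set-Cookie value with the attributes the page lists: HttpOnly and
    SameSite=Lax always, Secure only in production (local dev has no TLS)."""
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["httponly"] = True
    cookie[name]["samesite"] = "Lax"
    cookie[name]["path"] = "/"
    if production:
        cookie[name]["secure"] = True
    return cookie[name].OutputString()
```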

Compliance & Operational Controls

  • Policies: We maintain internal policies for acceptable use, incident response, and change management. Production changes are reviewed before deployment.
  • Vulnerability management: We track security advisories and update dependencies regularly. Critical issues are prioritized for remediation.
  • Monitoring: Health checks surface on our Status page for transparency and operational awareness.
  • Data minimization: We store only what’s necessary for functionality; analytics are anonymized to understand UX flows and product reliability.

Report a Vulnerability

We welcome responsible disclosure. Please email info@trinitytrade.io with a description, reproduction steps, and any proof‑of‑concept. Do not run tests that could degrade service (e.g., DDoS, spam). We will acknowledge receipt, triage, and keep you informed of remediation progress. If you include a public key, we can respond with encrypted messages.

Business Continuity & Incident Response

  • Backups & recovery: Google Cloud services provide durable storage and snapshot/point‑in‑time recovery capabilities (e.g., BigQuery time‑travel). We periodically validate recoverability for critical data.
  • Objectives: We aim for reasonable recovery time and data restoration objectives appropriate to a startup environment; certain features may be temporarily degraded during recovery.
  • Incident response: Incidents are triaged, contained, and remediated with post‑incident review. We communicate material user‑impacting events via appropriate channels, including the Status page.
