Last updated: May 2026
Security overview
This page explains our posture in plain language. It is not an exhaustive technical specification and does not list every safeguard.
Encryption and transport security
Public endpoints are served over HTTPS, so data in transit is protected by modern TLS. Keep your devices and browsers up to date so that they can negotiate current TLS versions and cipher suites rather than falling back to weaker ones.
Authentication
Tenant users authenticate via Supabase Auth (email one-time passcode by default). Tokens are issued and exchanged only over encrypted connections; session handling follows current Supabase hardening defaults.
Tenant data isolation (Row Level Security)
Application data for each business resides in Postgres with Row Level Security policies enforcing separation between tenants: a tenant's rows are not accessible to other subscribers through normal authenticated application paths. This isolation is exercised by an automated cross-tenant test in our deployment pipeline.
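The pattern described above, as an added illustration that is not the TradeOS schema or code: the table names, columns and the two test tenants are made up for the example, and it assumes a Supabase Postgres (for example a local instance started with `supabase start`) where the `authenticated` role and the `auth.uid()` helper, which reads the `sub` claim of the caller's JWT, already exist.

```sql
-- Added illustration of tenant isolation with Row Level Security.
-- NOT the TradeOS schema: businesses, memberships, jobs and business_id
-- are assumed names chosen for the example. Assumes Supabase's
-- auth.uid() helper and the "authenticated" role used by PostgREST.

create table if not exists businesses (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

-- Which users belong to which tenant (business).
create table if not exists memberships (
  business_id uuid not null references businesses(id),
  user_id     uuid not null,          -- matches auth.users.id
  primary key (business_id, user_id)
);

create table if not exists jobs (
  id          uuid primary key default gen_random_uuid(),
  business_id uuid not null references businesses(id),
  title       text not null
);

-- Constructed sample data: two tenants, one member and one job each.
insert into businesses (id, name) values
  ('00000000-0000-0000-0000-00000000000a', 'Tenant A'),
  ('00000000-0000-0000-0000-00000000000b', 'Tenant B');
insert into memberships (business_id, user_id) values
  ('00000000-0000-0000-0000-00000000000a', '11111111-1111-1111-1111-111111111111'),
  ('00000000-0000-0000-0000-00000000000b', '22222222-2222-2222-2222-222222222222');
insert into jobs (business_id, title) values
  ('00000000-0000-0000-0000-00000000000a', 'A job'),
  ('00000000-0000-0000-0000-00000000000b', 'B job');

-- 1. Turn RLS on. FORCE applies the policies to the table owner too, so a
--    migration or admin session running as owner cannot silently bypass
--    them. Roles with BYPASSRLS (e.g. the Supabase service_role key) still
--    bypass RLS, which is why that key must never reach a tenant client.
alter table memberships enable row level security;
alter table memberships force row level security;
alter table jobs        enable row level security;
alter table jobs        force row level security;

-- 2. A user may read only their own membership rows.
create policy memberships_self on memberships
  for select to authenticated
  using (user_id = auth.uid());

-- 3. Tenant rows are visible only to members of that tenant. WITH CHECK
--    closes the write side: an insert or update cannot place a row in a
--    business the caller does not belong to.
create policy jobs_tenant_isolation on jobs
  for all to authenticated
  using (business_id in
           (select business_id from memberships where user_id = auth.uid()))
  with check (business_id in
           (select business_id from memberships where user_id = auth.uid()));

-- 4. Cross-tenant check, the kind of thing a pipeline can run against a
--    scratch database. Impersonate Tenant A's user the way PostgREST does
--    (role plus JWT claims), then count Tenant B's rows. Any row returned
--    by the second query is a cross-tenant leak and must fail the deploy.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}',
  true);
select count(*) as own_rows
  from jobs where business_id = '00000000-0000-0000-0000-00000000000a';
select count(*) as leaked_rows   -- must be 0
  from jobs where business_id = '00000000-0000-0000-0000-00000000000b';
rollback;
```

Two details matter in practice: a policy that references another RLS-protected table (here `memberships`) is itself evaluated under that table's policies, so the membership lookup must be readable by the same caller; and the check impersonates a tenant user through the database role and JWT claims rather than connecting with an owner or service credential, because those paths are exactly the ones RLS does not constrain.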
Monitoring and audit logging
Operationally we use infrastructure and hosted tooling — including deployment provider logs and optional observability stacks — for uptime, diagnostics, and proportionate security reviews. Business-critical audit trails (for example billing or AI-generation metadata retained in our datastore) stay on server-controlled systems; client-side analytics are not relied on as the legal record for disputes or regulator-facing evidence.
Operator and admin access
GECKOSOFTWARE LTD maintains a small authorised group for uptime, support, billing integrity, abuse response, and platform engineering. Access follows least-privilege norms and evolves as we mature — we do not claim SOC 2, ISO 27001, Cyber Essentials, or equivalent certifications unless and until we publish an explicit attestation elsewhere.
Reporting vulnerabilities
If you discover a credible security issue, email hello@tradeoshq.com with reproducible minimal steps. Allow us reasonable time to remediate.
No unauthorised testing
Please do not perform intrusive scanning, load testing, or penetration testing against production without prior written permission — it can disrupt real customers and may trigger defensive countermeasures.