Security

Security is our top priority. When you connect trading accounts through TradeGrub.io, you trust us with access to sensitive financial infrastructure. We take that responsibility seriously.

Infrastructure

Cloud-Hosted, Isolated Environments

Our services run on enterprise-grade cloud infrastructure with strict network segmentation. Each customer's API traffic is logically isolated. Production, staging, and development environments are fully separated with independent credentials and access controls.

Encryption

AES-256 at Rest

All stored data, including API keys, account metadata, and configuration, is encrypted at rest using AES-256 encryption. Encryption keys are managed through a dedicated key management service with automatic rotation.

TLS 1.3 in Transit

All communication between your application and our API is encrypted using TLS 1.3. We enforce HTTPS on all endpoints and reject plaintext connections. Certificate pinning is available for enterprise customers.

Authentication & Access Control

OAuth 2.0

Broker and exchange connections use OAuth 2.0 authorization flows. User credentials are exchanged directly with the provider and are never stored on our servers. We only retain the scoped access tokens necessary to fulfill API requests.

API Key Rotation & Scoped Permissions

API keys support automatic rotation on configurable schedules. Permissions are scoped by resource type (read, write, trade) so you can grant only the access your application needs. Keys can be revoked instantly from the developer dashboard.

ISO 27001 Certified

Information Security Management System

TradeGrub maintains an ISO 27001 certified information security management system (ISMS). This internationally recognized certification demonstrates our commitment to systematically managing sensitive information through a comprehensive set of policies, procedures, and controls. Our ISMS undergoes regular external audits by accredited third-party assessors to verify ongoing compliance. We are committed to continuous improvement of our security controls, incorporating lessons learned from audits, incident reviews, and evolving industry best practices.

Compliance

Our security program is built on internationally recognized standards:

ISO 27001 Certified — Our information security management system is ISO 27001 certified with regular external audits by accredited assessors
SOC 2 Type II — Currently in progress; we are actively pursuing formal SOC 2 Type II certification
Regular internal security audits and code reviews
Third-party penetration testing on a quarterly basis
Access logging and monitoring across all systems
Employee background checks and security training
Documented incident response procedures

Data Handling

TradeGrub operates as a pass-through for financial data. Brokerage credentials are never stored on our servers. Trading data (positions, orders, account balances) flows through our normalization layer in real-time and is not persisted unless explicitly enabled by the customer for caching purposes. Cached data is encrypted and automatically purged based on configurable retention policies.

Incident Response

In the event of a security incident:

We commit to notifying affected customers within 24 hours of confirmed breach discovery
A detailed incident report will be published within 72 hours
Affected API keys and tokens will be automatically rotated
We cooperate fully with any regulatory investigations

Bug Bounty & Responsible Disclosure

We welcome security researchers to help us identify vulnerabilities. If you discover a security issue, please report it responsibly:

Email your findings to security@tradegrub.com
Include a detailed description and steps to reproduce
Allow us reasonable time (90 days) to address the issue before public disclosure
Do not access, modify, or delete data belonging to other users
Do not perform denial-of-service attacks or social engineering

We acknowledge all valid reports within 48 hours and will work with you to understand and resolve the issue. Researchers who follow responsible disclosure guidelines will be credited (with permission) and may be eligible for a monetary reward based on severity.

Contact

For security questions, concerns, or to report a vulnerability:

Email: security@tradegrub.com
PGP Key: Available upon request
TradeGrub LLC