Information Security Policy
Last updated: May 2, 2026
This Information Security Policy summarizes the administrative, technical, and operational safeguards Tradesera uses to protect platform systems and personal information. This policy should be read together with our Privacy Policy, Data Retention Policy, Terms of Service, and Participant Agreement.
1. Scope
This policy applies to Tradesera systems, production infrastructure, administrative tools, vendor accounts, source code repositories, customer portal services, and personnel or contractors who may access Tradesera systems or data.
2. Governance and Responsibility
Tradesera assigns responsibility for information security to company leadership and designated technical administrators. Security practices are reviewed as the platform evolves, including changes to vendors, production infrastructure, payment workflows, identity verification, and data-processing activities.
3. Access Control
- Access to production systems is limited to authorized personnel with a business need.
- Administrative access is protected using strong passwords and multi-factor authentication where available.
- Access to production systems, source code, DNS, hosting, email delivery, and payment-related vendors is reviewed periodically.
- Access may be removed or restricted when it is no longer required or when security risk is identified.
4. Multi-Factor Authentication
Tradesera supports email-based multi-factor authentication for customer portal access and sensitive customer actions. Tradesera also uses multi-factor authentication for critical administrative systems where available, including infrastructure and vendor dashboards that support production operations.
5. Encryption and Data Protection
- Tradesera uses HTTPS/TLS for data transmitted between users and platform services.
- Sensitive secrets and production configuration values are stored in managed environment-variable systems.
- Platform credentials and other sensitive values are protected using encryption or provider-managed controls where applicable.
- Provider access tokens and consumer financial data retrieved through approved integrations are encrypted at rest before storage.
- Tradesera stores only provider-related data needed for account verification, payment authorization, payouts, fraud prevention, compliance, support, and operational records.
- Data retention and disposal practices are described in the Data Retention Policy.
6. Vulnerability Management
Tradesera monitors application dependencies, hosted infrastructure, and supported runtime versions for known vulnerabilities and end-of-life software. Tradesera uses managed cloud infrastructure where provider-level operating system and platform patching is handled by the hosting provider, and application-level dependencies are reviewed through dependency alerts, package audit tooling, and release maintenance.
Tradesera uses the following target remediation service levels for confirmed vulnerabilities affecting Tradesera-managed systems, based on severity, exploitability, exposure, and operational impact:
| Severity | Target Remediation SLA |
|---|---|
| Critical | Within 7 calendar days |
| High | Within 14 calendar days |
| Medium | Within 30 calendar days |
| Low | Within 90 calendar days or the next planned maintenance cycle |
Remediation may include patching, dependency upgrades, configuration changes, vendor remediation, disabling vulnerable functionality, compensating controls, or other risk-based mitigation. Tradesera may accelerate remediation when active exploitation or material customer risk is identified.
7. End-of-Life Software
Tradesera reviews supported software versions, including application dependencies, runtimes, databases, frameworks, and vendor-managed services. Unsupported or end-of-life software is upgraded, replaced, isolated, or otherwise mitigated based on risk and operational impact.
8. Monitoring and Incident Response
Tradesera monitors production availability, authentication events, payment and webhook activity, and relevant system activity for signs of misuse, fraud, or unauthorized access. Suspected security incidents are reviewed, contained, investigated, and remediated based on severity and impact.
9. Vendor and Third-Party Services
Tradesera relies on reputable third-party providers for hosting, database, DNS, email delivery, payment, identity, and operational services. Vendor access and vendor data processing are reviewed based on the role each provider plays in supporting Tradesera services.
10. Policy Review
Tradesera reviews this policy periodically and updates it as the platform, vendors, regulatory obligations, and security practices evolve.
11. Contact
Security questions may be sent to [email protected].