How we protect your data

Authentication

All authentication is handled by Clerk, which is SOC 2 Type II certified. Clerk manages credential storage, session tokens, and multi-factor authentication. Trikosh servers never see or store your password.

Database encryption

Financial data is stored in a PostgreSQL database on Neon.tech. All client–server connections are encrypted with SSL/TLS. Neon encrypts data at rest and operates within secure, isolated compute environments.

No sensitive data

Trikosh stores no payment data, no government IDs, and no sensitive personal information. The only user data we hold is what Clerk provides for account management: email address and basic profile.

Open-source codebase

The entire Trikosh codebase is public under MIT License. Security through obscurity is not a defence. You can read every line, audit every dependency, and raise issues or PRs directly on GitHub.

Scope of Testing

• ·Authentication flow (Clerk integration)
• ·API route protection and unauthorized access attempts
• ·Database connection security (SSL-enforced Neon.tech PostgreSQL)
• ·Environment variable exposure checks
• ·Dependency vulnerability scan

Findings & Resolutions

• ·All API routes returning financial data are protected and return 401 for unauthenticated requests where applicable
• ·Database credentials are stored exclusively as environment variables and are never exposed in client-side code
• ·SSL is enforced on all database connections (sslmode=require)
• ·No critical or high-severity vulnerabilities found in production dependencies at time of audit

Ongoing Practices

• ·Dependencies reviewed on each pipeline update
• ·No user financial data is stored — the platform only serves pre-computed public market data
• ·Responsible disclosure: security issues can be reported via GitHub Issues marked [SECURITY]