Security Policy
Last updated: May 8, 2026 · Good Omen Trading LLC
01 Overview
Good Omen Trading LLC operates Good Omen, an automated trade execution tool. This policy describes our security practices.
02 Data Classification and Handling
Sensitive data
OAuth access tokens, admin authentication tokens, and PostgreSQL credentials are classified as sensitive. They are stored exclusively in Railway environment variables (never in source code, logs, or external storage).
User data
Brokerage account data (equity, positions, order history) is retrieved in real time and held only in memory during request processing. No brokerage account data is persisted beyond trade tracking (symbol, qty, entry/exit price, realized P&L).
Data minimization
We collect only the data necessary to operate the Services. No personally identifiable information beyond email address is stored.
03 Access Control and Privileged Access Management
Admin authentication
All administrative endpoints require a shared secret token transmitted in a request header over HTTPS. Tokens are randomly generated and stored as Railway environment variables.
Production access
Railway services are accessible only to authorized founders via Railway CLI with two-factor authentication. No shared credentials. Access is revoked immediately upon any personnel change.
Principle of least privilege
OAuth tokens are scoped to the minimum permissions required for execution and account read on supported broker integrations. No administrative brokerage permissions (such as funds transfer, withdrawal, or account modification) are requested.
04 Encryption of Data at Rest and in Transit
Data in transit
All client communication is encrypted via TLS 1.2+ enforced by Railway. Communication with all supported broker APIs and AI provider APIs uses HTTPS exclusively.
Data at rest
PostgreSQL data is encrypted at rest by Railway's managed database service. User OAuth credentials are additionally encrypted at the application layer using per-tenant Fernet encryption (AES-128-CBC with HMAC-SHA256 authentication) before being stored in PostgreSQL. The master encryption secret is stored exclusively in Railway environment variables and is never written to source code, logs, or version control.
Secrets management
No secrets are stored in source code or version control. All credentials are managed via Railway environment variables.
05 Vulnerability Management and Patch Management
Python dependencies are declared in pyproject.toml with minimum-version constraints and reviewed before each release. GitHub Dependabot alerts are monitored on all repositories. Railway manages underlying infrastructure and applies security patches automatically. All code changes flow through pull requests on GitHub before merge to the main branch; production deploys originate only from the main branch.
06 Incident Response and Disaster Recovery
Incident detection
Good Omen posts real-time alerts to a private Discord channel for all system events including broker disconnections, circuit breaker trips, and authentication failures. External uptime monitoring alerts founders promptly when service downtime is detected.
Incident response
In the event of a security incident: (1) Kill switch enabled immediately to halt all trading, (2) Affected credentials rotated within 1 hour, (3) Impacted users notified within 24 hours, (4) Root cause analysis documented.
Disaster recovery
Railway provides automated PostgreSQL backups with point-in-time recovery. Target RTO: 4 hours. RPO: 24 hours.
07 Physical Security
All production infrastructure is cloud-hosted on Railway (AWS-backed). Physical security is managed by Railway/AWS in accordance with their SOC 2 Type II certifications. Founder workstations use full-disk encryption (FileVault on macOS). Screens are locked when unattended. Production credentials are not stored on local workstations.
08 Vendor Risk Management
- Railway: SOC 2 Type II. Hosts the application backend. Manages infrastructure, OS patching, and PostgreSQL encryption.
- Clerk: SOC 2 Type II. Manages user identity and session tokens.
- Brokerage providers: FINRA/SIPC member broker-dealers that provide brokerage API and OAuth infrastructure for Good Omen. See goodomentrading.com for the current list of supported broker integrations.
- Anthropic: AI processing for daily recaps and performance summaries. No personally identifiable information is included in API calls.
- Stripe: PCI DSS Level 1. Will process subscription payments when subscriptions become available; not active during beta. No card data is handled by Good Omen Trading LLC.
- Vercel: Hosts the static marketing site and processes anonymized, cookieless visitor analytics (Vercel Web Analytics, Speed Insights). No personally identifiable information or credentials are processed by Vercel.
- Resend: SOC 2 Type II. Sends transactional confirmation emails (waitlist and beta application receipts). No personally identifiable information beyond the recipient email address is processed.
09 Business Continuity
Good Omen runs on Railway's always-on infrastructure with automatic restart on failure. The retry queue preserves unexecuted signals during brief outages. Both founders are trained on all operational procedures. The Emergency Runbook documents all critical procedures.
10 Contact
Security questions or disclosures? Contact us at security@goodomentrading.com.