ClearFlow

Security & Trust

ClearFlow is built around broker-synced records. That requires trust in how brokerage connections are handled, so this page explains what we store, what we don't, and how access can be revoked.

What we store

Your email: Yes. Used for login only.
Your password: No. Supabase Auth stores only a bcrypt hash of it; we never see the plaintext.
Alpaca API key + secret: Yes, in Supabase Vault only; the plaintext columns are blanked. Decrypted only server-side, via the service role, for sync operations.
Tastytrade OAuth tokens: Yes, in Supabase Vault only. Used to sync trades after you authorize ClearFlow; your Tastytrade password is never stored.
Private broker fill ledger: Yes, readable by the service role only. It holds HMAC-derived synthetic broker keys; no raw account, order, fill, or position IDs.
Your trades: Yes, synced from your broker. Only the trades you've chosen to make public are visible to others.
Brokerage account number: No.
Account balance: No. Fetched live from your broker and shown only to you on your own journal page; never stored or shared.
Buying power / margin: No. Fetched live from your broker and shown only to you; never written to our database.
Personal info: No. We don't collect name, address, phone, or SSN.

We only store what's needed to sync your trades and display your journal. Public journal pages use materialized trade projections. Raw broker identifiers and private broker fill records are not exposed to anonymous users.

How broker connections work

When you connect a broker, here's what actually happens:

  1. You enter your Alpaca API key and secret, or authorize ClearFlow through Tastytrade's OAuth login.
  2. We immediately validate the connection against the broker. If validation fails, we reject it and store nothing.
  3. If it succeeds, we store only the read-only key or token, encrypted in Supabase Vault. Your broker password is never stored.
  4. When you sync, our server decrypts the stored key, pulls your trades from the broker, and saves them to your journal.
  5. Your browser never handles the key again after the initial submit; every broker call is made server-side.

ClearFlow uses broker connections for read-only sync and nothing else. With your keys we cannot, and do not, place, modify, or cancel trades, withdraw funds, transfer assets, or initiate any other account activity.

Database security

Our database runs on Supabase (PostgreSQL) with the following protections:

  • Row Level Security (RLS) — every table has policies that prevent one user from reading another user's data
  • Broker tokens stored in Supabase Vault — API keys and session tokens are encrypted using Supabase Vault (pgsodium). The master encryption key lives outside the database, managed by Supabase. Even a full database dump gives only ciphertext — the plaintext is never persisted. Raw credential columns are blanked on storage.
  • Vault access locked to service role — decrypted credentials are only accessible via our server using a privileged service role key. The vault.decrypted_secrets view is explicitly revoked from all client-facing roles (anon, authenticated). No browser request can ever read decrypted keys.
  • Encryption at rest — AES-256 encryption on all data at rest, managed by Supabase
  • Encryption in transit — TLS 1.3 for all connections. HTTP is redirected to HTTPS.
  • Nonce-based Content Security Policy — every page load generates a unique cryptographic nonce. Only scripts tagged with that nonce can execute in your browser, blocking injected or unauthorized code. No unsafe-inline or unsafe-eval for scripts in production.
  • No service role key in client code — the privileged database key never leaves the server

Broker integrations & status

Alpaca (auto-sync enabled)

API key + secret. Paper and live accounts are both supported where available. Used only for read-only sync.

Tastytrade (auto-sync enabled)

Read-only trusted OAuth connection. ClearFlow stores a refresh token, never your password.

Webull (coming soon)

OAuth2 integration in development.

Connection monitoring

ClearFlow checks broker connections for common issues:

  • Expired or revoked credentials — if your broker revokes access or your API key expires, ClearFlow shows a clear "Connection expired — please reconnect" message when access fails.
  • WebSocket auto-disconnect — real-time streams stop reconnecting when authentication fails, preventing unnecessary retry loops with dead credentials.
  • Credential cleanup — when you disconnect a broker, your encrypted API keys and tokens are deleted from Vault promptly. Your trade journal data is retained unless you explicitly delete it.
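The first two bullets above describe one decision: after a failed broker call, is the failure a dead credential (stop, tell the user to reconnect) or a transient fault (retry with backoff)? The following is an added example of that policy, written for this page; it is not ClearFlow's code. The `ReconnectPolicy` and `runWithReconnect` names, the backoff parameters and the WebSocket close codes treated as authentication failures are all assumptions for the example; real brokers use their own codes.

```javascript
// Added example, not ClearFlow's code: decide whether a failed broker
// connection should be retried, so dead credentials stop the loop instead of
// feeding it.

// WebSocket close codes treated as rejected authentication. Assumed for the
// example; the real codes are broker-specific (1008 is the generic
// "policy violation" code some servers send after a bad auth message).
const AUTH_CLOSE_CODES = new Set([4001, 4003, 1008]);

// Classification is the whole point. 401/403 or an auth close code will not
// heal by retrying: the key was revoked or expired and the user must
// reconnect. Network blips, 429 and 5xx are transient and get capped backoff.
// Anything unrecognised is treated as fatal rather than looped on.
function classifyFailure(err) {
  if (err.status === 401 || err.status === 403) return 'auth';
  if (err.closeCode !== undefined && AUTH_CLOSE_CODES.has(err.closeCode)) return 'auth';
  if (err.status === 429 || (err.status >= 500 && err.status <= 599)) return 'transient';
  if (['ECONNRESET', 'ETIMEDOUT', 'ENOTFOUND'].includes(err.code)) return 'transient';
  return 'fatal';
}

// Capped exponential backoff with full jitter. `rand` is injectable so the
// schedule is reproducible in tests; production passes Math.random.
function backoffMs(attempt, { baseMs = 500, capMs = 30000, rand = Math.random } = {}) {
  const ceiling = Math.min(capMs, baseMs * 2 ** attempt);
  return Math.floor(rand() * ceiling);
}

class ReconnectPolicy {
  constructor({ maxRetries = 5, rand = Math.random } = {}) {
    this.maxRetries = maxRetries;
    this.rand = rand;
    this.attempt = 0;
  }

  // A successful connection resets the backoff counter.
  onConnected() {
    this.attempt = 0;
  }

  // Returns { action: 'retry', delayMs } or { action: 'stop', reason }.
  onFailure(err) {
    const kind = classifyFailure(err);
    if (kind === 'auth') return { action: 'stop', reason: 'credentials_expired' };
    if (kind === 'fatal') return { action: 'stop', reason: 'unrecoverable' };
    if (this.attempt >= this.maxRetries) return { action: 'stop', reason: 'retries_exhausted' };
    const delayMs = backoffMs(this.attempt, { rand: this.rand });
    this.attempt += 1;
    return { action: 'retry', delayMs };
  }
}

// Drive a connection with the policy. `connect` attempts once and throws on
// failure; `sleep` is injectable so tests run without real delays. A
// 'credentials_expired' result is where the UI shows its reconnect prompt
// and the sync job marks the broker connection as needing re-authorization.
async function runWithReconnect(connect, policy,
  sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms))) {
  const log = [];
  for (;;) {
    try {
      const conn = await connect();
      policy.onConnected();
      log.push('connected');
      return { state: 'connected', conn, log };
    } catch (err) {
      const decision = policy.onFailure(err);
      log.push(`${classifyFailure(err)}:${decision.action}`);
      if (decision.action === 'stop') return { state: decision.reason, log };
      await sleep(decision.delayMs);
    }
  }
}

// Constructed demo: a broker that answers 401 because the key was revoked.
// The loop stops after a single attempt instead of retrying.
runWithReconnect(
  async () => { const e = new Error('unauthorized'); e.status = 401; throw e; },
  new ReconnectPolicy(),
).then((result) => console.log(result.state, result.log));
```

The same policy object serves both the REST sync path and a WebSocket stream: the stream's close handler feeds the close code into `onFailure` and only reconnects when the answer is `retry`, which is exactly the "stop reconnecting when authentication fails" behaviour the page describes.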

Rate limiting

All API endpoints are protected by rate limiting via Upstash Redis to prevent abuse and protect your data. Excessive requests are automatically throttled before they reach your broker connections.

Revoking access

You're in control. You can revoke ClearFlow's access to your brokerage account at any time:

  • From ClearFlow: Go to Broker Connections → Disconnect. We immediately delete the stored token.
  • From Alpaca: Log in → API Keys → delete the key. Instantly invalidates any stored token.
  • From Tastytrade: Log in → My Profile → API → revoke the session. Takes effect immediately.
  • Delete your account: Go to Account Security → Delete Account. All data (trades, credentials, profile) is permanently removed.

Revoking access stops all future syncing. Your previously synced trades remain in your journal unless you request full account deletion.

Two-factor authentication

ClearFlow supports TOTP-based two-factor authentication (compatible with Google Authenticator, Authy, 1Password, and other authenticator apps).

When enabled, you'll need both your password and a time-based code from your authenticator app to sign in — protecting your account even if your password is compromised.

Enable 2FA in your Account Security settings.

What we don't do

  • We do not place, modify, or cancel trades on your behalf
  • We do not store your account balance, buying power, or margin — these are fetched live and shown only to you
  • We do not sell your data to third parties
  • We do not use your trade data for advertising
  • We do not share your private trades without your explicit consent
  • We are not a broker-dealer, investment adviser, or financial institution

Infrastructure

Hosting: Vercel (SOC 2 Type II)
Database: Supabase / PostgreSQL (SOC 2 Type II)
Auth: Supabase Auth (bcrypt password hashing, TOTP 2FA)
Backups: Automated daily, with point-in-time recovery
Uptime monitoring: Vercel edge network

Report a vulnerability

Found a security issue? Please disclose it responsibly to our dedicated security alias: security@getclearflow.io

Our commitment
  • Initial response within 48 hours
  • Status update within 7 days
  • Fix and public disclosure coordinated with you
  • We will not pursue legal action against good-faith researchers who follow this policy
  • Public credit in our acknowledgments section (below), if you'd like
Scope (in-scope targets)
  • getclearflow.io and www.getclearflow.io
  • ClearFlow API routes (/api/*)
  • Authentication, authorization, and session management
  • Broker connection flows (Alpaca, Tastytrade)
  • Data exposure or privilege escalation vulnerabilities
Out of scope
  • Rate limit bypass via distributed sources
  • DoS / DDoS attacks
  • Social engineering of our team or users
  • Physical attacks
  • Third-party services (Supabase, Vercel, Alpaca, Tastytrade) — report directly to them

Our security.txt is published at /.well-known/security.txt. A PGP key for encrypted reports is available on request.

Acknowledgments

We thank the security researchers who have helped keep ClearFlow safe. This list will be updated as reports are received and resolved.

  • No public acknowledgments yet — be the first!

Bug bounty

We do not currently run a paid bug bounty program. As an early-stage company, we prioritize fast fixes, transparent communication, and public credit. If you'd like to report a bug, please do — we treat every report seriously.

Last updated: May 6, 2026 · ClearFlow App LLC · New York