Security
Built on trust.
Enterprise-grade security for every account, from day one.
Beta Notice: Tavola currently operates in paper-trading mode only. No real money is connected to the platform.
Encryption: AES-256
Transport: TLS 1.3
Database: RLS Enforced
Auth: JWT + Rotation
Data Encryption
All data in transit is encrypted with TLS 1.3. Sensitive fields at rest are encrypted using AES-256-GCM with keys derived from a secure server-side secret. We never store raw API keys or secrets in your browser.
Row-Level Security
Our database enforces Row-Level Security (RLS) on every table. Even if a request bypasses application logic, the database itself ensures you can only read and write your own data. No user can ever access another user's portfolio, trades, or personal information.
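As an added illustration (not Tavola's actual schema or policies), here is the kind of per-user policy the paragraph above describes, written for a Supabase/PostgreSQL database. The table `trades` and column `user_id` are assumed names; `auth.uid()` is Supabase's helper that returns the user ID from the request's JWT. The final query goes one step beyond the text and lists any table where RLS is not enabled and forced.

```sql
-- Added example: assumed table and column names, not Tavola's real schema.
create table if not exists public.trades (
    id         bigint generated always as identity primary key,
    user_id    uuid not null default auth.uid(),
    symbol     text not null,
    qty        numeric not null,
    created_at timestamptz not null default now()
);

-- With RLS enabled and no policies, non-owner roles see no rows at all.
alter table public.trades enable row level security;
-- FORCE applies the policies to the table owner as well.
alter table public.trades force row level security;

-- Read: only rows belonging to the caller.
create policy trades_select_own on public.trades
    for select to authenticated
    using (user_id = auth.uid());

-- Insert: WITH CHECK rejects rows written on behalf of another user.
create policy trades_insert_own on public.trades
    for insert to authenticated
    with check (user_id = auth.uid());

-- Update: USING limits which rows can be targeted; WITH CHECK stops
-- a row from being reassigned to a different user_id.
create policy trades_update_own on public.trades
    for update to authenticated
    using (user_id = auth.uid())
    with check (user_id = auth.uid());

-- Audit: any table in the public schema where RLS is off or not forced.
select n.nspname as schema_name, c.relname as table_name,
       c.relrowsecurity as rls_enabled, c.relforcerowsecurity as rls_forced
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where c.relkind = 'r'
  and n.nspname = 'public'
  and not (c.relrowsecurity and c.relforcerowsecurity)
order by c.relname;
```

Superusers and roles with the BYPASSRLS attribute, such as Supabase's `service_role`, skip these policies, so server-side code that uses such credentials has to perform its own ownership checks.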
Paper Trading Beta
Tavola is currently in paper-trading beta mode. No real money is connected to the platform. All trades are simulated using Alpaca's paper trading environment. You cannot lose real money during this period.
Alpaca Custody
When we launch with real money, your investments will be held by Alpaca Securities LLC, an SEC-registered broker-dealer and FINRA member. Accounts will be protected by SIPC up to $500,000 (including $250,000 for cash claims). This is planned for future launch and is not currently active.
Authentication
Authentication is powered by Supabase Auth, which uses industry-standard JSON Web Tokens (JWTs) with short expiry windows. We support secure session management with automatic token rotation. All authentication events are audit-logged.
AI Data Processing
Portfolio analysis requests are processed by Anthropic's Claude AI. Only anonymized portfolio snapshots (positions and values, not personal identity) are sent for analysis. We do not share your personal information with AI providers beyond what is necessary to generate analysis.
Audit Logging
All significant account actions — trades, deposits, withdrawals, strategy changes — are written to an immutable audit log. This provides a complete, tamper-resistant record of account activity.
Responsible Disclosure
Found a security vulnerability? Please report it to security@tavola.app. We take all reports seriously and will respond within 48 hours. We ask that you do not publicly disclose vulnerabilities until we have had time to address them.
Questions about security?
Contact our security team at security@tavola.app