
    Security

    Your credentials and account, protected by design.

    Connecting a broker account to anything takes trust. Here's exactly how Trepeat stores your credentials, protects your account, and what it can never do with your money.

    Your credentials

    How your broker credentials are stored

    Encrypted at rest, isolated from their keys, and never exposed to the browser.

    Encrypted in a vault, not a database column

    Broker credentials live in Supabase Vault, encrypted with pgsodium (XChaCha20-Poly1305). They're never stored as plain text.

    Keys isolated from the data

    The encryption keys are held separately from the encrypted rows and never reach your browser. Only the engine, server-side, can decrypt to place your trades.
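The two points above (ciphertext in the vault, decryption reserved for the server-side engine) map onto a small amount of SQL. The block below is an added example written for this page, not Trepeat's own code or schema; it assumes a dedicated Postgres role named `trade_engine` (hypothetical) that the engine connects as, and uses the `vault.create_secret` function and `vault.decrypted_secrets` view that Supabase Vault provides.

```sql
-- Added example, not Trepeat's code. The role name "trade_engine" and the
-- secret naming convention are assumptions made for illustration.

-- 1. Store a broker credential. Vault encrypts on insert; only the ciphertext
--    is written to vault.secrets, and the key is referenced by id, not stored
--    in the row.
select vault.create_secret(
  'correct-horse-battery-staple',   -- constructed sample value, not a real credential
  'broker_cred_user_42',            -- hypothetical name: one secret per connected account
  'Broker login for user 42'
);

-- 2. Reading the base table gives you ciphertext only.
select name, secret, key_id
from vault.secrets
where name = 'broker_cred_user_42';

-- 3. Plaintext is reachable only through the decrypting view, so the grants on
--    that view are the access boundary. Keep the client-facing roles out and
--    let only the engine's role in.
revoke all on vault.decrypted_secrets from anon, authenticated;
grant select on vault.decrypted_secrets to trade_engine;

-- 4. What the engine runs, server-side, at the moment it places a trade.
--    Connected as trade_engine, this is the only path that yields plaintext.
select decrypted_secret
from vault.decrypted_secrets
where name = 'broker_cred_user_42';
```

Two practitioner caveats. Whoever can `select` from `vault.decrypted_secrets` gets plaintext, so audit the grants on that view (and on any function defined `security definer` that reads it) rather than trusting that the base table is encrypted. And a database role that holds superuser or the table owner's privileges is not constrained by these grants, so the engine's role should be the least-privileged one that can still read the view.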

    Encrypted in transit, end to end

    Every connection — browser, engine, broker gateway, database — runs over TLS 1.3. Nothing sensitive crosses the wire in the clear.

    Your account

    How your account is protected

    Strong authentication, fresh checks on the actions that matter, and data scoped to you.

    Two-factor by design

    Passwordless sign-in plus TOTP two-factor authentication, with recovery codes and a backup-email fallback so you're never locked out.

    Fresh step-up on sensitive actions

    Security-changing actions (disabling 2FA, deleting your account, billing changes) require a fresh re-verification — an old session alone isn't enough.

    Your data is scoped to you

    Row-level security on every table means a request can only ever read or write your own rows — enforced in the database, not just the app.
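To make the "enforced in the database" claim concrete, here is what owner-scoped row-level security looks like on a Supabase Postgres table, together with the check a reviewer would run to confirm it. This is an added example for this page, not Trepeat's schema; the `trades` table and its columns are hypothetical, and the final policy, which ties updates to an MFA-backed session via Supabase's `aal` JWT claim, is an addition that goes slightly beyond the paragraph above.

```sql
-- Added example, not Trepeat's schema. Table name and columns are hypothetical.
create table if not exists trades (
  id        bigint generated always as identity primary key,
  user_id   uuid not null default auth.uid(),
  symbol    text not null,
  opened_at timestamptz not null default now()
);

-- Turn RLS on. Without "force", the table owner would bypass the policies.
alter table trades enable row level security;
alter table trades force row level security;

-- Reads: a signed-in user sees only rows whose user_id matches the JWT subject.
create policy "users read only their own trades"
  on trades for select
  to authenticated
  using ((select auth.uid()) = user_id);

-- Writes: a user can only insert rows attributed to themselves.
create policy "users insert only as themselves"
  on trades for insert
  to authenticated
  with check ((select auth.uid()) = user_id);

-- Addition beyond the paragraph: updates require a session that completed
-- MFA (Supabase sets aal = 'aal2' in the JWT after a second factor).
create policy "updates require an MFA-backed session"
  on trades for update
  to authenticated
  using ((select auth.uid()) = user_id
         and (select auth.jwt() ->> 'aal') = 'aal2')
  with check ((select auth.uid()) = user_id);

-- Check: impersonate one user and confirm nothing belonging to anyone else is
-- visible. auth.uid() reads the "sub" claim from request.jwt.claims, so the
-- settings below reproduce what the API layer does per request.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
  true);
select count(*) from trades;            -- only rows with that user_id
select count(*) from trades
  where user_id <> '00000000-0000-0000-0000-000000000001';  -- expected 0
rollback;
```

The caveat that matters most: RLS applies to roles that are subject to it. Supabase's `service_role` key bypasses RLS entirely, so it belongs on the server only, and the impersonation check above is worth keeping in a migration test so that a new table or a dropped policy fails loudly instead of silently widening what a request can see.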

    What Trepeat never does

    • Never holds or withdraws your money. Trepeat can place and close trades, but it can never deposit, withdraw, or move funds. The money and the broker relationship stay entirely yours.
    • Never exposes credentials to the browser. Your broker credentials are decrypted only server-side, only by the engine, only to place your trades; they never travel to your device.
    • Never logs your secrets. Passwords, tokens, and recovery codes are hashed or masked; they don't appear in logs, ever.

    Built on infrastructure you can verify

    The engine runs on AWS (ECS Fargate, us-east-1) behind CloudFront, with Supabase for authentication, Postgres and Realtime, and MetaApi for broker connectivity. Structured logs end to end, daily encrypted backups with point-in-time recovery.

    Found a vulnerability? Read our responsible-disclosure policy

    Connect with confidence.

    Encrypted credentials, two-factor by default, and an engine that never touches your funds.
