Trust, in detail.
Institutional buyers don't take our word for it. This page enumerates how EDGE Terminal handles your data, who else touches it, and what we publish about our AI methodology.
EDGE Terminal is operated by a private entity headquartered in the European Union and delivered as a SaaS to professional traders and institutions. Our security posture targets the controls referenced in SOC 2 Type II, with GDPR and CCPA compliance as baseline obligations. We do not co-locate user data with marketing systems. We do not train models on customer trading data.
Status & uptime
Live system status: status.edgefx.xyz. A signed JSON health endpoint is published at /api/health for programmatic monitoring. Our published Service Level Agreement is 99.95% monthly uptime, measured on the leaderboard route group.
Certifications
| Framework | Status | Next milestone |
|---|---|---|
| SOC 2 Type II | In progress | Observation period — 12 months from kickoff |
| SOC 2 Type I | Planned | Audit firm engagement Q3 |
| GDPR & CCPA | In effect | Annual DPIA review |
| ISO 27001 | Planned | Scoping after SOC 2 Type II |
Security practices
- Encrypted at rest. All persistent storage is Supabase-managed Postgres on AWS with AES-256 at-rest encryption. Application secrets live in Vercel encrypted environment variables; no secret is checked into the repository.
- Encrypted in transit. TLS 1.3 across every public edge. Internal service-to-service calls go over HTTPS with mutual TLS where the platform supports it.
- Authentication. HMAC-signed session cookies with a 30-day TTL for paid tiers, 7-day for trial accounts. Admin tier is double-verified at request time against both the signed cookie and a current allowlist (env or database). A leaked admin cookie cannot outlive revocation.
- Row-level security. Every Supabase table carries an RLS policy. Writes to system-of-record tables (audit log, tier rows, billing events) only happen via the service-role key, which never reaches the browser.
- Audit trail. Every material event — tier change, memo generation, journal mutation, setup publication — writes one row to an append-only audit_log table. Retention is 7 years per CFTC §1.31 and SEC 17a-4 books-and-records guidance.
- Penetration testing. External pen test scheduled annually starting with the first full year of operation. Reports available to qualified enterprise prospects under NDA.
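The double check described under Authentication, as an added example that is not EDGE Terminal's code: a signed cookie is verified, then an admin claim is re-checked against the allowlist as it stands at request time. The cookie layout, function names, HMAC-SHA256 choice and the admin TTL are assumptions; the 30-day and 7-day TTLs are the page's.

```javascript
const crypto = require("node:crypto");

const DAY_MS = 24 * 60 * 60 * 1000;
// TTLs from the page: 30 days paid, 7 days trial. The admin TTL is an assumption.
const TTL_MS = new Map([["trial", 7 * DAY_MS], ["paid", 30 * DAY_MS], ["admin", 30 * DAY_MS]]);

function mac(secret, payload) {
  return crypto.createHmac("sha256", secret).update(payload).digest("base64url");
}

// Hypothetical cookie layout: base64url(JSON claims) + "." + HMAC-SHA256 tag.
function issueCookie(secret, user, tier, now = Date.now()) {
  const payload = Buffer.from(JSON.stringify({ user, tier, iat: now })).toString("base64url");
  return `${payload}.${mac(secret, payload)}`;
}

// Returns the verified claims, or null if the cookie is malformed, forged or expired.
function verifyCookie(secret, cookie, now = Date.now()) {
  const parts = String(cookie).split(".");
  if (parts.length !== 2 || !parts[0] || !parts[1]) return null;
  const expected = Buffer.from(mac(secret, parts[0]));
  const given = Buffer.from(parts[1]);
  // Compare lengths first: timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  let claims;
  try {
    claims = JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8"));
  } catch {
    return null;
  }
  const ttl = claims && TTL_MS.get(claims.tier);
  if (!ttl || typeof claims.iat !== "number") return null;
  if (claims.iat > now || now - claims.iat > ttl) return null;
  return claims;
}

// Admin needs both a valid signed cookie and membership of the allowlist as it
// stands at request time, so revoking the entry cuts off a still-valid cookie.
function authorize(secret, cookie, adminAllowlist, now = Date.now()) {
  const claims = verifyCookie(secret, cookie, now);
  if (!claims) return { ok: false, reason: "invalid-or-expired" };
  if (claims.tier === "admin" && !adminAllowlist.has(claims.user)) {
    return { ok: false, reason: "admin-revoked" };
  }
  return { ok: true, user: claims.user, tier: claims.tier };
}
```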
Sub-processors
The following third parties process customer data in the course of delivering EDGE Terminal. Each is contractually bound by a DPA and processes data only for the purposes listed.
| Sub-processor | Location | Purpose |
|---|---|---|
| Supabase | United States (AWS us-east) | Managed Postgres + Auth |
| Vercel | United States (global edge) | Application hosting |
| Stripe | United States | Billing & payments |
| Resend | United States | Transactional email |
| Anthropic | United States | Desk Panel model inference (memo & packet) |
Data Processing Addendum
A standard DPA covering all sub-processors, sub-processor changes, retention, and transfer mechanisms is available at /legal/dpa. Enterprise customers may request the Standard Contractual Clauses addendum and Schrems II impact assessment from legal@edgefx.xyz.
AI methodology disclosure
The Desk Panel and the Morning Packet use Anthropic Claude models for generation. Three rules govern every output:
- Every memo carries an audit footer. The model id, generation timestamp, and a list of every data source consulted are printed at the bottom of every memo and packet. The corresponding audit_log entry id is included so the operator can re-verify any claim.
- Sources are logged, not inferred. The agents are instructed to refuse to invent numbers. Every quantitative claim in a memo cites the engine and the input data that produced it. If a value isn't in the context, the agent flags it as unverified rather than guessing.
- No customer data trains anything. User journal trades, prop-tracker accounts, and personally-identifying records are never sent to model providers in training payloads. Inference payloads include only ephemeral context blocks (today's leaderboard snapshot, calendar events, positioning data).
Security contact
Security vulnerabilities or coordinated disclosures: security@edgefx.xyz. PGP key on request. We acknowledge inbound reports within 24 hours and aim to resolve confirmed issues within 30 days.
This page is reviewed quarterly. Last reviewed: 2026-05-11.