Your financial data deserves serious protection. Here’s how CoverEdge keeps it safe.
Security by design, not afterthought
CoverEdge was built from day one with a security-first architecture. Every layer — from encrypted data storage to row-level isolation to server-side validation — is designed to protect your information. We don’t cut corners.
CoverEdge’s security practices are aligned with the OWASP Top 10, NIST SP 800-63B (authentication & password guidelines), NIST SP 800-57 (cryptographic key management), and OWASP MASTG (mobile/web application security best practices). We regularly review our security posture against these frameworks and apply updates proactively.
All data transmitted between your browser and CoverEdge is encrypted using TLS (HTTPS). No exceptions.
Sensitive values — such as API keys and brokerage tokens — are encrypted using AES-256 before storage. Encryption keys are managed separately from the data and are never stored in source code.
Our encryption system supports seamless key rotation, allowing us to update encryption keys without downtime or data loss.
Account passwords are securely hashed using industry-standard one-way hashing. We enforce minimum password requirements aligned with NIST guidelines. We never store or have access to your plain-text password.
Every database table in CoverEdge is protected by Row-Level Security (RLS) policies. This means your data is isolated at the database engine level — not just in application code. Even if a bug existed in our application layer, the database itself enforces that you can only access your own data.
All queries are scoped by your authenticated identity and portfolio. There is no administrative backdoor to view user data, and cross-user data leakage is architecturally prevented.
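As an added illustration (not CoverEdge’s own schema or code), the following PostgreSQL snippet shows how engine-level isolation of this kind is typically built: each table carries an owner column, RLS policies compare it against the identity bound to the session, and the trade policy additionally scopes rows to a portfolio the caller owns. Table, column and the `app.user_id` session-setting names are assumptions.

```sql
-- Constructed schema: a portfolio and the trades inside it, each stamped with its owner.
CREATE TABLE portfolios (
    id       bigserial PRIMARY KEY,
    owner_id uuid      NOT NULL
);
CREATE TABLE trades (
    id           bigserial PRIMARY KEY,
    portfolio_id bigint    NOT NULL REFERENCES portfolios(id),
    owner_id     uuid      NOT NULL,
    symbol       text      NOT NULL,
    quantity     integer   NOT NULL
);

-- The verified identity is bound per transaction by the application layer (assumed
-- setting name). Missing or blank -> NULL, so every policy comparison fails closed.
CREATE FUNCTION current_app_user() RETURNS uuid
LANGUAGE sql STABLE AS $$
    SELECT NULLIF(current_setting('app.user_id', true), '')::uuid
$$;

-- ENABLE turns RLS on; FORCE applies it to the table owner too, so an application
-- role that happens to own the tables gets no implicit bypass.
ALTER TABLE portfolios ENABLE ROW LEVEL SECURITY;
ALTER TABLE portfolios FORCE  ROW LEVEL SECURITY;
ALTER TABLE trades     ENABLE ROW LEVEL SECURITY;
ALTER TABLE trades     FORCE  ROW LEVEL SECURITY;

-- USING filters rows on read/update/delete; WITH CHECK validates rows being written,
-- so a user can neither read another user's rows nor insert rows stamped with another owner.
CREATE POLICY portfolios_owner_only ON portfolios
    FOR ALL
    USING      (owner_id = current_app_user())
    WITH CHECK (owner_id = current_app_user());

-- Trades are scoped by identity AND by portfolio; the subquery is itself RLS-filtered,
-- so a trade can only be attached to a portfolio the caller owns.
CREATE POLICY trades_owner_only ON trades
    FOR ALL
    USING      (owner_id = current_app_user()
                AND portfolio_id IN (SELECT id FROM portfolios))
    WITH CHECK (owner_id = current_app_user()
                AND portfolio_id IN (SELECT id FROM portfolios));

-- Per-request pattern: bind the session's identity for this transaction only
-- (constructed UUID), then query as usual. Rows not owned by that user are invisible.
BEGIN;
SELECT set_config('app.user_id', '11111111-1111-1111-1111-111111111111', true);
SELECT symbol, quantity FROM trades;   -- only the caller's rows, whatever the WHERE clause
COMMIT;
```

Superusers and roles with the BYPASSRLS attribute are exempt from every policy, so the role the application connects with must hold neither. The session setting must only ever be written by the server after it has verified the session, never from request input.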
CoverEdge uses a battle-tested authentication system with built-in protections against brute force, credential stuffing, and session hijacking.
Every data operation is authenticated and authorized on the server. Your session is verified on each request before any data is returned or modified.
Sessions are managed via secure, HTTP-only cookies that cannot be accessed by JavaScript. Sessions expire automatically, and you can sign out at any time.
CoverEdge automatically signs you out after a period of inactivity, protecting your account if you step away from your device. A countdown warning gives you the chance to stay signed in.
CoverEdge supports two-factor authentication for an extra layer of account protection. When enabled, you’ll need both your password and a time-based code from your authenticator app to sign in.
Compatible authenticator apps include Google Authenticator, Authy, 1Password, Bitwarden, and more. Codes rotate every 30 seconds.
If you've enabled 2FA, every request to the application requires verification — not just the login screen. There's no way to bypass it.
Enable or disable 2FA from your Settings page at any time. A gentle nudge on your dashboard reminds you to enable it if you haven't yet.
CoverEdge integrates with SnapTrade to connect your brokerage account. This connection is designed with your security in mind:
CoverEdge never sees, stores, or has access to your brokerage login credentials. You authenticate directly with your brokerage through SnapTrade's secure connection.
CoverEdge can view your trade history and holdings but cannot execute trades, move funds, or modify your brokerage account in any way.
You can disconnect your brokerage from CoverEdge at any time with a single click. Previously imported data is preserved, but no further data will be fetched.
SnapTrade uses bank-level encryption, is SOC 2 Type II compliant, and works with major brokerages including Schwab, Fidelity, Robinhood, and more.
CoverEdge supports a Bring Your Own Key (BYOK) model for AI features. If you choose to use AI-enhanced research, you provide your own API key from OpenAI, Anthropic, or Google. Here’s how we protect it:
Your API key is encrypted before being stored. It is never saved in plain text.
Your key is decrypted only on the server at the moment it's needed. It is never exposed to your browser, included in downloads, or logged anywhere.
API calls go directly from our server to your chosen AI provider. CoverEdge does not store, cache, or inspect your API key beyond what's needed to make the call.
CoverEdge does not use third-party advertising cookies, tracking pixels, or retargeting scripts.
We do not engage in cross-site tracking. The only cookies used are essential authentication cookies required for your login session.
We do not sell, rent, or trade your personal information or portfolio data to third parties for any purpose, including marketing.
CoverEdge is built on enterprise-grade, independently audited infrastructure:
Our database, hosting, and authentication providers are all SOC 2 Type II compliant — meaning they undergo independent audits for security, availability, and confidentiality controls.
All traffic is served over HTTPS with automatic certificate management. Built-in DDoS protection and edge delivery ensure availability.
Server-side code runs in isolated, stateless environments. No shared state exists between users at the infrastructure level.
CoverEdge uses a ledger-first accounting architecture where every financial event — premiums received, trades closed, assignments — is recorded as an immutable ledger entry.
Ledger entries are never modified or deleted. Once a financial event is recorded, it becomes a permanent part of your audit trail.
Your positions, P&L, and analytics are always computed from ledger entries — never from mutable snapshots. This eliminates data drift and ensures your numbers are always consistent and traceable.
Every dollar flowing through your portfolio can be traced back to a specific ledger entry with a timestamp, type, and amount. You can view and export your complete ledger at any time.
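As an added illustration (not CoverEdge’s own schema or code), the following PostgreSQL snippet shows the shape of a ledger-first design: an append-only table whose rows the engine refuses to update or delete, with P&L exposed as a view computed from those rows rather than stored. Table, column and entry-type names, and the two sample events, are constructed.

```sql
-- Constructed ledger: one row per financial event, in cents to avoid float drift.
CREATE TABLE ledger_entries (
    id           bigserial   PRIMARY KEY,
    portfolio_id bigint      NOT NULL,
    symbol       text        NOT NULL,
    entry_type   text        NOT NULL
                 CHECK (entry_type IN ('premium_received', 'trade_closed', 'assignment')),
    amount_cents bigint      NOT NULL,
    recorded_at  timestamptz NOT NULL DEFAULT now()
);

-- Any UPDATE or DELETE is rejected by the engine, not just by application convention.
CREATE FUNCTION ledger_entries_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'ledger_entries is append-only; % rejected', TG_OP;
END
$$;
CREATE TRIGGER ledger_entries_no_rewrite
    BEFORE UPDATE OR DELETE ON ledger_entries
    FOR EACH ROW EXECUTE FUNCTION ledger_entries_immutable();

-- Positions and P&L are a view over the entries, never a stored snapshot, so every
-- figure decomposes into the timestamped rows that produced it.
CREATE VIEW symbol_pnl AS
SELECT portfolio_id,
       symbol,
       COALESCE(SUM(amount_cents) FILTER (WHERE entry_type = 'premium_received'), 0)
           AS premiums_cents,
       SUM(amount_cents) AS realized_pnl_cents,
       COUNT(*)          AS entry_count,
       MAX(recorded_at)  AS last_event_at
FROM ledger_entries
GROUP BY portfolio_id, symbol;

-- Constructed events: a covered call sold for $150.00, later bought back for $45.00.
INSERT INTO ledger_entries (portfolio_id, symbol, entry_type, amount_cents) VALUES
    (1, 'XYZ', 'premium_received', 15000),
    (1, 'XYZ', 'trade_closed',     -4500);

-- Net realized P&L for XYZ is the sum of the two entries above, traceable row by row.
SELECT * FROM symbol_pnl;

-- A mistaken entry is corrected by inserting a reversing entry, not by editing
-- history; the trigger rejects this statement outright.
UPDATE ledger_entries SET amount_cents = 0 WHERE id = 2;
```

As a second layer, revoke UPDATE, DELETE and TRUNCATE on the table from the application role: a role that owns the table could otherwise drop the trigger, and TRUNCATE is not caught by a row-level trigger.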
You retain full ownership of all trade data, portfolio information, and content you enter into CoverEdge. We only use it to provide the service to you.
You can export your ledger and trade data directly from the Ledger page at any time — no request needed.
You can request full account and data deletion. We will remove your personal data within 30 days, except where required by law.
To exercise any of these rights, contact us at support@coveredge.io.
If you believe you’ve discovered a security vulnerability in CoverEdge, we want to hear from you. Please report it responsibly:
Use the subject line “Security Report”. We take all reports seriously and will respond as quickly as possible — typically within 24 hours.
Please do not publicly disclose any potential vulnerabilities before we’ve had a reasonable opportunity to investigate and address them.
See also: Privacy Policy · Terms of Service · Financial Disclaimer