Security is fundamental to a platform where users trust us with their wallet authorizations and trade execution. This document covers what we do to protect you, what you can do to protect yourself, and how we handle data.
## What We Protect Against
The threats prediction market platforms face:
- Phishing attempts targeting user wallets
- Account takeovers via stolen passwords
- Smart contract bugs in trading infrastructure
- Database breaches exposing user data
- Insider threats (employees with access)
- Regulatory exposure for non-compliant users
We've built defenses for all of these.
## Wallet Security
We never custody your funds. Your USDC stays in your wallet. Predite signs and submits a trade on your behalf only when you explicitly confirm it; we cannot move your funds without your active permission.
Encrypted key storage. If you opt into gasless trading via the Builder Program, we hold a derived signing key. It is encrypted with AES-256-GCM, rotated periodically, and stored separately from user data. Your main wallet private key never touches our systems. Because that derived key can sign within the allowance you have granted, the spending limits below bound what a compromise of it could do.
Limited approvals. You set the USDC spending allowance in your wallet, and Predite cannot spend beyond it. Set it low (e.g., 1000 USDC) and raise it only when you need to.
Revocable. You can revoke our allowance at any time from your wallet's token approval settings or from Polygonscan's token approval checker.
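What "limited" and "revocable" mean on-chain, as an added example that is not Predite's code: an ERC-20 allowance is a number the token contract stores per (owner, spender) pair, and revoking it is simply `approve(spender, 0)`. The snippet hand-encodes the `eth_call` that reads an allowance, classifies the decoded value against a cap, and builds the revoke calldata. The token and spender addresses are placeholders, and the RPC response is constructed; the two 4-byte selectors are the standard ERC-20 values.

```javascript
"use strict";
// Added example, not Predite's code: audit an ERC-20 (USDC) allowance and build
// the transaction data that revokes it, with no library. Addresses below are
// placeholders, not real Predite or token contracts.

const UINT256_MAX = (1n << 256n) - 1n;
const USDC_DECIMALS = 6n;
// Selectors are the first 4 bytes of keccak256(signature); standard ERC-20 values.
const SEL_ALLOWANCE = "dd62ed3e"; // allowance(address owner, address spender)
const SEL_APPROVE = "095ea7b3";   // approve(address spender, uint256 amount)

function encodeAddress(addr) {
  if (!/^0x[0-9a-fA-F]{40}$/.test(addr)) throw new Error("bad address: " + addr);
  return addr.slice(2).toLowerCase().padStart(64, "0"); // left-pad to 32 bytes
}
function encodeUint256(n) {
  if (typeof n !== "bigint" || n < 0n || n > UINT256_MAX) throw new RangeError("bad uint256");
  return n.toString(16).padStart(64, "0");
}
// JSON-RPC eth_call that asks the token how much `spender` may pull from `owner`.
function allowanceCall(token, owner, spender) {
  const data = "0x" + SEL_ALLOWANCE + encodeAddress(owner) + encodeAddress(spender);
  return { jsonrpc: "2.0", id: 1, method: "eth_call", params: [{ to: token, data }, "latest"] };
}
// Calldata for approve(spender, amount); amount 0 is the revoke.
function approveCalldata(spender, amountRaw) {
  return "0x" + SEL_APPROVE + encodeAddress(spender) + encodeUint256(amountRaw);
}
function decodeUint256(returnData) {
  const hex = returnData.replace(/^0x/, "");
  if (!/^[0-9a-fA-F]{64}$/.test(hex)) throw new Error("expected 32-byte return data");
  return BigInt("0x" + hex);
}
// Classify a raw allowance against a cap given in whole USDC (6 decimals).
function classifyAllowance(raw, capUsdc) {
  if (raw === 0n) return "none";
  if (raw === UINT256_MAX) return "unlimited";
  if (raw > capUsdc * 10n ** USDC_DECIMALS) return "over-cap";
  return "ok";
}
// Decide what to do with an allowance: keep it, or revoke it (approve 0).
function planForAllowance(returnData, spender, capUsdc) {
  const raw = decodeUint256(returnData);
  const status = classifyAllowance(raw, capUsdc);
  const revoke = status === "unlimited" || status === "over-cap";
  return { raw, status, revokeCalldata: revoke ? approveCalldata(spender, 0n) : null };
}

// Constructed sample responses, shaped as an RPC node returns them:
// 1000 USDC = 1_000_000_000 raw units = 0x3b9aca00, and an unlimited approval.
const TOKEN = "0x2222222222222222222222222222222222222222";   // placeholder
const OWNER = "0x3333333333333333333333333333333333333333";   // placeholder
const SPENDER = "0x1111111111111111111111111111111111111111"; // placeholder
const RESP_1000_USDC = "0x" + "3b9aca00".padStart(64, "0");
const RESP_UNLIMITED = "0x" + "f".repeat(64);
```

Many dApps request an unlimited (`2^256-1`) allowance by default; the classifier above treats that as something to revoke, which matches the page's advice to keep caps low. The `eth_call` object is what you would POST to a Polygon RPC endpoint, and the revoke calldata is the `data` field of a transaction sent to the token contract.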
## Account Security
Authentication via Clerk. We don't manage passwords ourselves — Clerk does. They specialize in auth and follow industry best practices (bcrypt password hashing, rate limiting, breach detection).
MFA required for live trading. Once enabled, every live trade requires a fresh MFA verification (completed within the last 5 minutes), so a stolen password or hijacked session alone cannot drain your account.
Session management. Sessions expire automatically. You can review and revoke active sessions anytime in your profile.
Email verification. Email changes require verification of the new address before taking effect.
## Application Security
HTTPS everywhere. TLS 1.3 for all connections. No HTTP fallback.
Content Security Policy. Strict CSP headers restrict which scripts may run, limiting the impact of any script injection.
Rate limiting. Aggressive rate limits mitigate brute force attacks, API abuse, and application-layer DDoS attempts.
CSRF protection. Every state-changing action requires a fresh CSRF token. Prevents cross-site request forgery.
SQL injection prevention. Parameterized queries everywhere. No string concatenation in database operations.
XSS prevention. User input sanitized at every render boundary. React's auto-escaping helps but we don't rely on it alone.
## Database Security
Encryption at rest. Supabase encrypts all data on disk.
Row-level security. Each user only sees their own data, enforced by Postgres row-level security policies rather than by application code. Even if our app code had a bug, the database refuses to return rows that belong to another user.
Audit logging. Every sensitive action (trade, withdrawal, password change, MFA toggle) logged with timestamp and IP.
Backup procedures. Daily encrypted backups with 90-day retention. Point-in-time recovery available.
## Network Security
Cloudflare DDoS protection. Our edge layer absorbs traffic attacks.
Vercel infrastructure. Production traffic flows through Vercel's hardened network.
No direct database access. Our database isn't reachable from the public internet. Only our application can connect.
API rate limits. Per-user and per-IP limits prevent abuse and scraping.
## What Users Can Do
Strong password + MFA: a unique password generated by a password manager, plus authenticator app MFA. This stops the vast majority of credential-stuffing and password-reuse attacks.
Hardware wallet: for serious capital (>$1k), use a Ledger or Trezor. Even if our systems are compromised, the wallet will not sign anything you have not confirmed on the device.
Verify URLs: bookmark predite.io directly. Phishing sites can look identical to real ones — never click sign-in links from emails.
Limit approvals: set USDC spending caps low. Re-approve when needed. Limits exposure of any single security incident.
Regular review: monthly check on:
- Active sessions
- Token approvals on Polygonscan
- Notification settings
- Recent account activity
Be skeptical: legitimate support won't ask for seed phrases, passwords, or 2FA codes. Anyone asking is a scammer.
## What Happens If We're Breached
We have a documented incident response process:
1. **Detect**: monitoring alerts our team within minutes of an anomaly
2. **Contain**: rotate keys, revoke sessions, halt suspicious activity
3. **Investigate**: full forensic analysis with timeline
4. **Notify**: affected users notified within 72 hours (GDPR requires notifying the supervisory authority within 72 hours and affected users without undue delay)
5. **Remediate**: patch the vulnerability, document the lesson, share publicly
6. **Recover**: restore from backups if needed
We've never had a breach. But if we ever do, transparency comes before convenience.
## Compliance
GDPR (EU users):
- Right to data export (Settings → Privacy → Export My Data)
- Right to deletion (Settings → Privacy → Delete Account)
- Cookie consent banner with granular controls
- Privacy policy publicly available
LGPD (Brazilian users):
- Equivalent rights to GDPR
- Data localization for Brazilian users (Supabase São Paulo region planned)
Tax compliance:
- Trade history exportable for tax filings
- Brazilian Receita Federal-compatible format
- US IRS Form 8949-style format (CSV)
## Privacy
What we collect:
- Email, name (optional), wallet address(es)
- Trade history (necessary for portfolio and tax reporting)
- Bot configurations and outcomes
- Usage patterns (which features you use)
What we don't collect:
- Browsing history outside Predite
- Cross-site tracking cookies (we don't use any)
- IP-based location beyond country (for analytics)
- Personal demographics
Who we share with:
- Polymarket (necessary to execute trades)
- Stripe (necessary for payments)
- Clerk (necessary for authentication)
- Cloudflare/Vercel (necessary for hosting)
- Tax authorities only if legally required and notified to you first
We never sell user data. Period.
## Reporting Security Issues
If you find a security vulnerability:
- Email security@predite.io
- We respond within 24 hours
- Critical issues patched within 7 days
- Coordinated disclosure preferred — we'll work with you
Bug bounty program in planning. Currently informal — significant findings get acknowledgment, credit, and account credits/swag.
## Independent Security Review
We're working toward:
- SOC 2 Type 2 audit (in preparation, expected late 2026)
- Independent smart contract security review (planned)
- Public penetration test (planned)
We currently disclose security claims honestly — we say "SOC2-ready architecture" not "SOC2 certified" because we haven't completed the audit yet. Many platforms make claims that are misleading; we don't.
## Related Docs
- [Connecting Your Wallet](/docs/wallet-connect)
- [Live CLOB Trading](/docs/live-trading)
- [Notifications & Alerts](/docs/notifications)
- [Quick Start Guide](/docs/quickstart)