Security

Portald is built from the ground up with security as a core principle, not an afterthought.

Core Security Model

Portald operates on a principle of least privilege — agents never receive more access than they need, and sensitive actions always require explicit human approval.

Agents never hold credentialsAI agents don't receive user passwords, API keys, or payment details. They request actions; Portald executes them on their behalf after approval.
Human-in-the-loop approvalsMedium and high-risk actions require explicit user approval before execution. You stay in control.
Cryptographic identityAgents authenticate using Ed25519 public key signatures. No shared secrets, no tokens to leak.
Complete audit trailEvery action request, approval, and execution is logged with full context for review and compliance.

Brokerage & Trading Security

Portald connects to brokerages via OAuth 2.0 — we never see or store your brokerage password.

OAuth-only connectionsBrokerage connections use industry-standard OAuth. You authorize access directly with your broker (e.g., Alpaca). We receive only an access token.
Encrypted token storageOAuth tokens are encrypted at rest using AES-256-GCM before storage. Encryption keys are managed separately from the database.
Trade-only permissionsPortald can execute trades on your behalf, but cannot withdraw funds, transfer assets, or access banking information.
Configurable limitsSet maximum order sizes, daily limits, and require manual approval for trades over a threshold. You define the boundaries.
Instant disconnectRevoke Portald's access at any time from your dashboard or directly from your brokerage account settings.

Data Protection

Encryption

All traffic encrypted via TLS 1.2+
Sensitive data encrypted at rest (AES-256-GCM)
OAuth tokens and API keys encrypted before storage
Database connections require SSL

Access Controls

Role-based access throughout the system
Production access restricted to authorized personnel
Principle of least privilege enforced
All access logged for audit

Data Recovery & Business Continuity

Backup & Recovery

Continuous point-in-time recovery
7-day restore window
Encrypted backups
Regular recovery testing

Availability

Hosted on Vercel (99.99% uptime SLA)
Global edge network
Automatic failover
No single point of failure

Authentication

User Authentication

Passkey support (WebAuthn/FIDO2)
TOTP-based two-factor authentication
Secure recovery codes (hashed)
Session management with CSRF protection

Agent Authentication

Ed25519 public key cryptography
Challenge-response verification
Domain-bound signatures
Time-limited session tokens

Infrastructure

✓ Hosted on Vercel (SOC 2 Type II)✓ Database on Neon Postgres (encrypted)✓ Payments via Stripe (PCI DSS Level 1)✓ Trading via Alpaca (FINRA/SIPC member)

Incident Response

We maintain documented incident response procedures including:

Immediate containment protocols
Scope assessment and evidence preservation
Root cause analysis

User notification within 72 hours if required
Post-incident review and remediation
Continuous policy improvement

Compliance & Standards

Portald maintains security practices aligned with:

SOC 2 principlesOWASP security guidelinesFinancial services best practices

Vulnerability Reporting

Found a security issue? We appreciate responsible disclosure. Please email security@portald.ai with details. We'll respond within 48 hours and work with you to address the issue.

Please do not publicly disclose vulnerabilities until we've had a chance to address them.

Policy Documents

For detailed security policies, contact security@portald.ai. We can provide:

Cybersecurity Policy
Data Recovery & Backup Policy
Incident Response Procedures