Security and broker integration safeguards
A public overview of how Optioneer protects broker-synchronized data, keeps integrations read-only, and gives users control over connection and deletion choices.
Broker integrations are read-only and used exclusively for portfolio synchronization and analytics.
Optioneer does not place trades or execute orders on behalf of users.
- Read-only broker access for synchronization and analytics.
- No trading permissions, automated trading, or brokerage account control.
- User-controlled disconnection, revocation, and deletion workflows.
Overview
Optioneer is built as a portfolio tracking and analytics product for options traders. The platform helps users understand positions, balances, transaction history, and options activity they choose to synchronize or import.
Optioneer does not place trades, automate trading, manage brokerage accounts, or execute orders on behalf of users.
Read-only broker integrations
Broker integrations are designed for read-only access. Optioneer uses broker data for portfolio synchronization, analytics, and user-visible account summaries. We do not request permissions intended for order placement or trading authorization.
Optioneer cannot place trades
Users remain fully responsible for their brokerage accounts. Optioneer cannot submit, modify, cancel, or route orders, and the product does not include order workflows. Optioneer does not place trades or execute orders on behalf of users. Any brokerage activity remains inside the user's broker account and broker platform.
Encryption and secure transport
Optioneer uses HTTPS/TLS for secure transport between browsers, backend services, and authorized service providers. Sensitive records are protected using managed database and infrastructure controls, with access limited to authenticated application flows and operationally required personnel.
Data storage practices
Broker-synchronized data is stored so Optioneer can show positions, balances, transactions, options activity, and portfolio analytics to the account owner. We avoid storing data that is not needed for the product experience, and we separate user authorization from public product content.
Broker token/access handling
Broker access is handled through user-authorized connection flows. Access credentials or tokens, where applicable, are treated as sensitive secrets, scoped to synchronization needs, and never displayed in the product interface. Users can disconnect broker access from Optioneer and may also revoke access directly with their broker.
Immutable broker event architecture
At a high level, Optioneer records broker sync activity as durable portfolio events and then derives the portfolio views users see in the application. This event-oriented approach helps preserve an auditable history of imported broker changes without exposing internal systems or operational implementation details.
Account disconnection and revocation
Users can disconnect a broker connection from Optioneer to stop future synchronization. Where a broker offers a separate authorization dashboard, users should also revoke Optioneer access directly from the broker to end future broker-side authorization.
Data deletion process
Users can request deletion of imported broker data or deletion of their Optioneer account. Deletion requests are handled according to our privacy practices and legal retention obligations. See the Data Deletion page for the full public process.
Infrastructure/security best practices
- Role-based access patterns for application data and administrative workflows.
- Secure authentication and session handling for user accounts.
- Production monitoring for availability, errors, and security-relevant anomalies.
- Least-privilege handling for broker synchronization and support workflows.
Responsible disclosure/security contact
If you believe you have found a security issue, contact support@optioneer.io with a clear description, affected area, and safe reproduction steps. We ask that researchers avoid accessing, modifying, or disclosing data that does not belong to them.
Future OAuth-based integrations
Optioneer is preparing OAuth-based broker integrations where supported by broker onboarding and approval processes. OAuth support will continue to follow the same read-only principle: synchronization and analytics, without trading permissions.
Questions about broker synchronization, data deletion, or responsible disclosure can be sent to the Optioneer team.