Security

1. Our Commitment to Security

Horizon Trade takes the security of your account, your trading strategies, and your data seriously. We follow industry-standard security practices to protect the confidentiality, integrity, and availability of the Horizon platform and the information you entrust to us.

2. Authentication & Access Control

User authentication is handled by Clerk, an enterprise identity provider with SOC 2 Type II certification. We support strong password policies, optional multi-factor authentication, and single sign-on where available. Session tokens are short-lived and rotated on a regular basis.

3. Encryption

• In transit: All traffic between your browser / mobile app and the Horizon platform is encrypted with TLS 1.2 or higher. Connections to broker APIs are likewise encrypted.
• At rest: Strategy code, account metadata, and backtest results are stored in encrypted databases (AES-256). Backups are encrypted with the same standard.
• Secrets: Broker API keys are stored in a managed secrets vault and never written to logs or shared with third parties.

4. Broker Connections

When you connect a broker account, you authorise Horizon to access your account on your behalf via the broker's official API. Where the broker supports it, we request the narrowest possible scope of permissions — typically read access plus trading on the specific instruments your strategy targets. You can revoke broker access at any time from the Broker page.

5. Infrastructure

Horizon runs on AWS in multiple availability zones. Production workloads are isolated from staging and development. Access to production systems is restricted to a small number of engineers, audited, and requires multi-factor authentication. Infrastructure changes are managed via Terraform with peer review.

6. Application Security

• Dependencies are continuously scanned for known vulnerabilities; critical patches are deployed promptly.
• All deploys go through automated CI with static analysis, type checking, and a regression test suite before reaching production.
• We perform regular code review on every change and conduct periodic security reviews of high-risk surfaces.

7. Monitoring & Incident Response

Production systems are monitored 24/7 for anomalies, performance regressions, and security events. We maintain an incident-response runbook and notify affected users without undue delay in the event of a security incident that materially impacts their account.

8. Responsible Disclosure

If you believe you have discovered a security vulnerability affecting Horizon, please email security@horizon.trade with the details. We commit to acknowledging your report, working with you to validate the finding, and resolving legitimate vulnerabilities promptly. We do not pursue legal action against researchers acting in good faith.

9. Your Responsibilities

• Use a strong, unique password for your Horizon account and enable multi-factor authentication where available.
• Treat broker API credentials as sensitive. Never share them or paste them into untrusted tools.
• Keep the email address on your account up to date so we can reach you with security notifications.
• Notify us immediately if you suspect unauthorised access to your account at security@horizon.trade.

10. Changes to This Policy

We may update this Security page from time to time as our practices and the threat landscape evolve. Material changes will be reflected in the "Last Updated" date at the top of this page.