Trust and security
Security Overview
TradeCast applies layered controls to protect connected-account operations while keeping the platform read-only by design.
Effective June 21, 2026
Read-only account access
Cloud connections are designed for MT5 investor/read-only credentials. TradeCast workers monitor trading activity; they are not intended to place, modify, or close trades or manage funds.
Credential protection
Investor passwords are encrypted before storage and decrypted only server-side for assignment delivery to an authenticated worker. Credential storage is blocked when required encryption configuration is unavailable.
Worker and API authentication
Workers and ingestion connections use purpose-specific access keys. TradeCast stores one-way hashes rather than recoverable raw keys, supports revocation, and validates access on protected requests.
Logging and secret handling
Operational logs are designed to include useful status and diagnostic context without raw passwords, API keys, worker keys, credential ciphertext, or hashes.
Access controls
User data is scoped to authenticated workspaces. Private administration is restricted by authenticated account and an explicit email allowlist. Server-only privileges are not exposed to the browser.
Responsible data handling
TradeCast minimizes data shown in public surfaces, separates public and internal operations, preserves security-relevant history, and uses third-party infrastructure providers where needed to deliver the service.
Shared responsibility
Users should use unique investor credentials where supported, protect email and account access, rotate exposed keys, review connected accounts, and promptly report suspicious behavior through official support channels.