Security
Security and responsible disclosure
Report suspected vulnerabilities, API-key delivery failures, account access issues, or abuse concerns to sales@etnaalpha.io. Responsible disclosure metadata is also available at /.well-known/security.txt.
Data boundaries
Public API responses are derived market-state packets, normalized public rows, replay handles, workflow receipts, usage, and customer-safe status. Default API access does not expose raw L4 rows, private runtime outcomes, execution authority, seed phrases, private keys, or customer exchange credentials. The data-rights boundary is maintained separately at data-rights.html.
Payment and key handling
Public checkout uses Stripe. Verified subscription receipts issue a one-time API key by email. Delivery receipts are designed not to persist raw API keys, raw customer contact, email bodies, or secret material in public smoke artifacts.
Operational controls
Launch checks cover security headers, apex canonicalization, OpenAPI identity, keyed-route boundaries, live Stripe webhook configuration, DMARC presence, checkout-session creation, and API-key email delivery readiness. Enterprise customers may request a processor or security review through the support address.
Out of scope
Etna Alpha is not a broker, exchange, custodian, wallet, managed account, investment adviser, or trade-execution service. Security review should focus on the public website, docs, API access, authenticated market-state routes, billing closeout, and support workflows.