DyadScalp is a decision and execution terminal. We connect to your broker with the minimum scope required to place and manage orders — never to withdraw funds, never to modify your bank mandates.
Scopes we request: Read holdings · Read positions · Place/modify/cancel orders. We do NOT request fund-withdrawal, profile-edit, or bank-mandate scopes. If your broker's OAuth screen asks for more, refuse and tell us.
Broker access tokens are encrypted at rest using AES-256-GCM with a server-side key (BROKER_ENC_KEY) that is never exposed to the browser. Tokens are never logged and never sent to analytics, and they are rotated on every session boundary.
Order history, signals, and audit ledger live in a Postgres database in the ap-south-1 region, with row-level security scoped to your user_id. Backups are encrypted and retained 30 days.
What we will never do: read your email; read your trades from any broker you haven't connected; sell aggregated trade data to a third party; auto-place orders without an explicit per-trade confirmation.
If you believe you've found a security issue, email security@dyadscalp.app. We respond within 48 hours and publish a postmortem for any verified issue on the changelog.