Security
Effective May 11, 2026 · Theta Beta
The Service is operated by Austin Norville as an individual. “Theta Beta” is the product name (not a separate legal entity).
We care about safeguarding journal and brokerage-linked data. This page summarizes high-level defenses and where to report issues — it is descriptive, not a warranty or certification statement.
Transport & application security
- HTTPS (TLS) for browser traffic wherever the deployed environment enforces HTTPS
- Authentication via Supabase (password or Google OAuth paths as configured)
- Privileged broker tokens and secrets intended to reside server-side, not echoed to client bundles
Data segregation & credentials
- Postgres with row-level security policies per Supabase schemas we ship
- Brokerage OAuth / API credential material encrypted at rest with AES-256-GCM where wired in code
- Users should revoke broker access independently if they lose control of credentials
Subprocessors & infra
Hosted environments typically include Supabase, a cloud host (often Railway-class), CDN/DNS vendors (often Cloudflare), and, optionally, brokerage APIs. The canonical list is maintained in Privacy Policy §4 (subprocessors).
Responsible disclosure
Found a suspected vulnerability affecting Theta Beta? Email hello@thetabeta.app with reproducible technical details only (avoid shipping live customer data in payloads). Coordinate fixes before broad public exploitation.
We do not currently operate a monetary bug bounty — please do not expect compensation by default — but legitimate reports earn our gratitude & credit where appropriate.