To report a security vulnerability, email security@fieldcrestventures.com. We investigate all credible reports and respond promptly. We do not authorize automated scanning or penetration testing of production systems without prior written agreement.
Overview
Signa is designed with security, reliability, and controlled access in mind. We take a pragmatic, security-first approach to protecting user data and maintaining system integrity. Our platform is built to support secure access, controlled data handling, and reliable operation across individual and enterprise use cases.
Data Protection
We implement a range of technical and organizational safeguards, including:
- Secure authentication and multi-factor account verification
- Encryption of sensitive credentials and personal data at rest
- TLS/HTTPS encryption for all data in transit
- Infrastructure-level protections via our cloud hosting providers
- Monitoring and logging of system activity for abuse detection
- Access controls limiting internal system access to authorized personnel
- Session cookies configured with Secure, HttpOnly, and SameSite protections
Access Control
User accounts are protected by industry-standard authentication systems, including Google OAuth and password authentication with secure storage. API access is secured via unique, per-user API keys with mandatory 90-day rotation. MCP and A2A access requires Agent-ID identification on every request. Access levels are restricted based on subscription tier, enforced at the middleware layer on every request. Step-up verification is required before broker connections, API key creation, and trade execution.
System Monitoring and Logging
We monitor system usage and activity to:
- Detect and prevent unauthorized access and abuse
- Enforce rate limits and usage policies
- Maintain system performance and reliability
- Investigate potential violations of our Terms of Use
- Verify compliance with API and data attribution requirements
All API and MCP requests are logged. Audit logs are maintained for all broker actions, API key operations, and subscription changes. Logs are retained for security, compliance, and operational purposes as described in our Privacy Policy.
Third-Party Infrastructure
We rely on trusted, enterprise-grade infrastructure and service providers for cloud hosting and database services; payment processing (Stripe, Inc.); and market data and financial data APIs. We conduct due diligence on our infrastructure providers and require contractual data protection obligations. We do not control third-party systems and are not responsible for their independent security practices.
API and Programmatic Security
The Signa API, MCP Server, and A2A Protocol implement the following security controls:
- Bearer token authentication required on all requests
- Unique API key per Subscriber — keys are non-transferable
- API keys stored as bcrypt hashes — raw keys shown once and not retained
- Mandatory API key rotation every 90 days
- Agent-ID header required for MCP and A2A access
- Rate limiting enforced by subscription tier, per-account and per-agent
- Automated monitoring for anomalous usage patterns
- Right to revoke access immediately upon detection of abuse
- Watermark signals injected into API feeds for redistribution detection
- Idempotency enforcement on trade execution routes to prevent replay
Vulnerability Disclosure
If you discover a potential security vulnerability in the Signa platform, please report it responsibly to security@fieldcrestventures.com. Include:
- A description of the vulnerability and affected component
- Steps to reproduce (if possible)
- Your assessment of potential impact
We investigate all credible reports and will respond within 72 hours of receipt. We do not authorize automated security scanning, penetration testing, fuzzing, or load testing of our production systems without prior written agreement. Testing must be conducted against staging environments only.
Enterprise Inquiries
For enterprise security documentation requests, vendor security questionnaires, Data Processing Agreement requests, or compliance-related discussions:
- Enterprise security: legal@fieldcrestventures.com
- Data Processing Agreement: legal@fieldcrestventures.com
- Security incident reports: security@fieldcrestventures.com
WHILE WE TAKE REASONABLE STEPS TO PROTECT DATA, NO INTERNET-BASED SYSTEM CAN GUARANTEE ABSOLUTE SECURITY. USE OF THE PLATFORM INVOLVES INHERENT RISKS ASSOCIATED WITH INTERNET-BASED SERVICES.