Security

Maple's security model is shaped by a simple fact: it never handles real trading capital, brokerage credentials, or payment information directly, which meaningfully limits what there is to protect against. Even so, account data and API access are treated carefully.

Data isolation

Signed-in users' data (saved strategies, feedback submissions) is stored in a database protected by row-level security policies, meaning each user's data is scoped to their own account at the database level — one user's account cannot read or modify another's data, enforced by the database itself rather than solely by application code.

No exposed API keys

Market-data requests that require a third-party provider API key are routed through a server-side proxy rather than being called directly from the browser. This means those provider credentials are never included in the code a user's browser downloads and never visible via a browser's developer tools.

No brokerage or trading connectivity

Maple does not connect to any brokerage, exchange account, or payment processor for trading purposes, and does not have the ability to place a real trade or move real funds. This removes an entire category of risk that trading-adjacent software normally has to defend against.

Alpha-stage access control

During the private alpha, access is gated by single-use-limited invite codes, stored as cryptographic hashes rather than plain text, so the codes themselves cannot be recovered even from the underlying database.

Ongoing practice

As an early-stage product, Maple's security posture is reviewed and adjusted as the platform grows — this page reflects the alpha-stage system as it currently exists.