Summary
- All traffic encrypted via HTTPS/TLS 1.3.
- Passwords hashed with bcrypt — we never store plaintext credentials.
- API keys are cryptographically generated and transmitted only once at creation.
- Payment processing handled entirely by Stripe — we never see your card number.
- Infrastructure hosted on Cloudflare (edge) and Supabase (database) with SOC 2 compliance.
- US-only access enforced via IP geofencing.
Infrastructure
Banana Farmer runs on a modern, security-first infrastructure stack:
- Edge network: All web traffic is served through Cloudflare's global edge network, providing DDoS protection, Web Application Firewall (WAF), and TLS termination.
- Database: Data is stored in Supabase (PostgreSQL) with row-level security (RLS) policies enforcing access control at the database layer.
- Workers: Background data processing runs on Cloudflare Workers in isolated V8 execution environments, and request handlers keep no shared mutable state between requests.
- Static assets: Served via Cloudflare Pages with automatic cache invalidation and integrity checks.
Encryption
All data in transit is encrypted using TLS 1.3. Connections using older, insecure protocol versions are rejected. HSTS headers are set so browsers connect only over HTTPS, which blocks SSL-stripping downgrades to plaintext HTTP.
Data at rest in our database is encrypted using AES-256 by our infrastructure provider. Database backups are encrypted and stored in geographically redundant locations.
Authentication
- User passwords: Hashed using bcrypt with per-user salts. We never store or log plaintext passwords.
- Sessions: Managed via secure, httpOnly cookies with short expiration windows. Session tokens are cryptographically random.
- OAuth: We support Google sign-in (OpenID Connect on top of OAuth 2.0) as a passwordless login option.
- Magic links: Email-based authentication with single-use, time-limited tokens.
API Security
The Banana Farmer API is designed with security as a primary concern:
- Key generation: API keys are generated from 32 cryptographically secure random bytes, hex-encoded and prefixed with bf_bot_. Keys are shown once at creation and cannot be retrieved afterward.
- Rate limiting: All API endpoints enforce per-key rate limits. Exceeding a limit returns 429 Too Many Requests with a Retry-After header.
- Input validation: All API inputs are validated and sanitized before processing. Error responses never leak internal implementation details.
- CORS: Cross-origin requests are restricted to approved origins.
- Abuse detection: Automated monitoring flags unusual access patterns for review.
Payment Security
All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. We never receive, store, or process credit card numbers, CVVs, or other sensitive payment data on our servers.
Subscription management, billing, and refunds are handled through Stripe's secure dashboard and API. Your payment information is subject to Stripe's privacy policy.
Data Handling
- Minimal collection: We collect only the data necessary to operate the service — email, usage analytics, and subscription status.
- No brokerage data: We never collect brokerage credentials, trade history, or portfolio information.
- No data sales: We do not sell personal information to third parties.
- Data retention: Account data is retained while your account is active. Upon deletion, personal data is purged within 90 days.
- Market data: Equity data is sourced from Tiingo under license (end-of-day pricing). Crypto data is sourced from CoinGecko. We do not redistribute raw vendor data.
Access Control
Administrative access to production systems is restricted to the platform operator, protected by multi-factor authentication, and logged. Queries from the application layer are mediated through Supabase's PostgREST interface, and row-level security policies are evaluated by PostgreSQL itself for every query, so a code-level vulnerability in the application cannot return rows that the policy would not grant to the requesting user.
Incident Response
In the event of a security incident affecting user data, we will:
- Investigate and contain the incident within 24 hours of detection.
- Notify affected users via email within 72 hours, as required by applicable law.
- Provide details of what data was affected and recommended actions.
- Publish a post-mortem on our status page for transparency.
Responsible Disclosure
If you discover a security vulnerability, please report it to [email protected] with the subject line "Security Report." We ask that you:
- Allow us reasonable time to investigate and patch before public disclosure.
- Do not access or modify other users' data.
- Do not perform denial-of-service testing.
We appreciate responsible disclosure and will acknowledge reporters in our changelog (with permission).
Compliance
- SOC 2: Our infrastructure providers (Cloudflare, Supabase, Stripe) maintain SOC 2 Type II compliance.
- GDPR: While our service is US-only, we follow data minimization and right-to-deletion principles consistent with GDPR standards.
- PCI DSS: Payment processing is fully delegated to Stripe (PCI DSS Level 1).
Questions
Security questions or concerns? Contact [email protected].
Precision Built • Regulatory Minded