Security & Trust
Updated: June 2026
We build OptionProfit the way we would want a financial tool built for us: secure by default, private, and honest about what we do and do not do. Security here is not a badge — it is concrete engineering. This page sets out exactly how we protect your account and your data.
Your account is protected by mandatory two-factor authentication
Every OptionProfit account is secured with two-factor authentication (2FA) that cannot be turned off. We use authenticator-app (TOTP) codes — the six-digit codes from apps like Google Authenticator, Authy, Aegis or 1Password.
We deliberately do not use SMS text-message codes. SMS can be intercepted through SIM-swapping and mobile-network attacks, so it is the weakest common form of 2FA. Requiring an authenticator app instead means a stolen password alone is never enough to reach your account.
- Passwords are never stored in readable form — they are hashed with scrypt and a per-account salt.
- New accounts must verify their email address and enrol an authenticator before the account can be used.
- Sessions are cryptographically signed and time-limited.
Everything travels encrypted
All traffic to and from OptionProfit is served exclusively over HTTPS/TLS. We enforce it with HSTS (HTTP Strict Transport Security), so browsers refuse to connect over an unencrypted channel.
We also send a full set of hardening headers on every response — a Content-Security-Policy, X-Content-Type-Options (nosniff), frame-protection, a Referrer-Policy and a Permissions-Policy — to reduce the risk of cross-site scripting, clickjacking and data leakage.
Responsible disclosure
We publish a machine-readable security.txt (RFC 9116) and welcome reports from security researchers. If you believe you have found a vulnerability, email security@options-strategies.com. Please give us reasonable time to fix an issue before disclosing it publicly; we do not pursue researchers acting in good faith.
What we do — and do not do — with your data
- We collect the minimum needed to run the service. See our Privacy Policy for the full detail.
- We are not a broker. OptionProfit holds no funds, executes no real trades and never asks for brokerage or bank credentials. Paper trading is a simulation with virtual money only.
- Market data is delayed and provided for education — see our Disclaimer.
A note on "compliance"
We describe our security in terms of the concrete measures above rather than regulatory labels. OptionProfit is an independent educational tool, not a regulated financial entity; we align our engineering with recognised good practice — encryption in transit, strong authentication, least-data collection and responsible disclosure — because it is the right way to build, not for a badge.
Questions
Security questions or concerns? Email security@options-strategies.com or use our contact page.
About Us · Careers · Contact · Methodology · Disclaimer · Privacy Policy · Cookie Policy (EU) · Terms & Conditions · Security · Home