Security
Last updated: 2026-04-19
Your account holds things that matter — your portfolio, your research, your journal. Here’s how we protect it.
Encryption everywhere
HTTPS for every request. AES-256 encryption at rest in our database. Brokerage secrets encrypted with AES-256-GCM at the application layer — they're unusable even if the database is ever compromised.
Optional two-factor authentication
Enroll in TOTP-based 2FA from Account Settings. Works with any authenticator app (Google Authenticator, Authy, 1Password, Bitwarden).
Read-only brokerage access
We cannot trade on your behalf. We cannot move money. Plaid (our primary connector) and SnapTrade (used only where Plaid doesn't cover your broker) both enforce read-only scopes at the brokerage level. Even if our servers were breached, there's no trade path.
No data selling, no AI training on your data
Your portfolio, research queries, and journal notes are never sold, never shared with advertisers, never used to train AI models — ours or our providers'.
Minimum data by design
Plaid scope is limited to Investments — we never see your bank accounts, credit cards, or loan data. SnapTrade access uses a per-user secret, with no account credentials on our servers.
72-hour breach notification
If a breach ever affects your data, we notify you by email within 72 hours of confirmed material impact. We also commit to a full written post-mortem within 7 days.
The full technical policy
Our complete information-security program — access control, key management, sub-processor vetting, incident response, retention, and compliance posture — is documented in our Information Security Policy. It’s the reference Plaid, SnapTrade, and Resend use during due diligence, and it’s public.
Hosted under our parent company’s engineering org (Mentis Vision) for version control.
Report a security issue
If you’ve found a security vulnerability, please email security@clearpathinvest.app. Acknowledged within 24 hours. We’re a small team but we take reports seriously — good-faith disclosure gets a thank-you and a commit in the changelog.
