Last updated: March 2026
Security
Security is foundational to TrancheBook. We handle sensitive financial data and AI-generated analysis, and we take our responsibility to protect that data seriously. This page describes our security practices, threat mitigations, and incident response procedures.
1. Communication Channels
Legitimate communications from TrancheBook will only come through verified channels:
- Emails from @tranchebook.com domain only.
- In-app notifications within the authenticated Platform interface.
- Our verified social media accounts.
We will never contact you via personal email addresses, third-party messaging apps, or social media direct messages to request sensitive information. If you receive a suspicious communication claiming to be from TrancheBook, report it to security@tranchebook.com.
2. Anti-Fraud Warnings
Be aware of the following common threats:
- Phishing: We will never ask for your password, API keys, or financial credentials via email or chat. Do not click links in emails claiming to be from TrancheBook unless you can verify the sender domain.
- Impersonation: Fraudsters may impersonate TrancheBook or Praevex employees. Verify any unsolicited contact through official channels before sharing information.
- Fake analysis: AI-generated content purporting to be from TrancheBook but delivered outside the Platform should be treated as potentially fraudulent. Authentic analysis is only available through authenticated Platform access.
- Investment scams: TrancheBook does not solicit investments, manage funds, or hold client assets. Any communication suggesting otherwise is fraudulent.
3. AI-Specific Security
AI systems introduce unique security considerations. We implement the following protections:
3.1 Prompt Injection Prevention
Prompt injection attacks attempt to manipulate AI systems by embedding malicious instructions in data inputs. We defend against this through:
- Input sanitisation and validation at every data ingestion point.
- Separation of system instructions from user-provided data in all AI processing pipelines.
- Automated detection of injection patterns in uploaded content and queries.
- Sandboxed execution environments for AI processing.
3.2 Output Validation
AI-generated outputs undergo validation before being presented to users:
- Numerical outputs are checked for internal consistency and plausibility (e.g., revenue figures that are wildly inconsistent with known data are flagged).
- Structured data outputs (scores, financials) are validated against expected schemas and ranges.
- Outputs are monitored for potential data leakage across user boundaries.
- Known failure patterns are detected and handled before reaching the user.
3.3 Model Supply Chain
We maintain security over our AI model supply chain by using only enterprise-grade API access from Anthropic, verifying model versions and capabilities before deployment, and monitoring for unexpected changes in model behaviour. We do not use open-source models from unverified sources.
4. Portfolio Data Security
Portfolio data receives the highest level of security protection:
- Encryption at rest: AES-256 encryption for all stored portfolio data. Encryption keys are managed through a dedicated key management system with automatic key rotation.
- Encryption in transit: TLS 1.3 for all data transmission. HSTS enforced with a minimum 12-month max-age.
- Per-user isolation: Portfolio data is logically isolated per user at the database level. Row-level security policies prevent cross-user data access even in the event of application-level vulnerabilities.
- Access controls: Automated systems access portfolio data only during active analysis. Human access requires documented justification, management approval, and is logged for audit purposes.
- Deletion: Users can request hard deletion of portfolio data at any time. Deletion is cryptographically verified and includes removal from backups within the backup rotation window.
5. Infrastructure Security
Our infrastructure is designed with defence in depth:
- Hosting: The Platform is hosted on enterprise-grade cloud infrastructure with SOC 2 Type II certification.
- Network security: DDoS protection, Web Application Firewall (WAF), and rate limiting are active on all endpoints.
- Authentication: Managed by Clerk with support for multi-factor authentication (MFA). Session tokens are short-lived and automatically rotated.
- API security: API endpoints are authenticated, rate-limited, and monitored for anomalous usage patterns.
- Dependency management: Automated scanning of software dependencies for known vulnerabilities. Critical vulnerabilities are patched within 24 hours of disclosure.
- Logging and monitoring: Centralised logging with real-time alerting for security-relevant events. Logs are retained for a minimum of 12 months.
6. Incident Response
We maintain a documented incident response plan with the following commitments:
- Detection: Automated monitoring systems are designed to detect security incidents within minutes. We operate 24/7 alerting for critical security events.
- Response: Confirmed incidents trigger our response plan with defined escalation paths and responsibility assignments.
- Notification: Affected users will be notified within 72 hours of a confirmed data breach, consistent with GDPR requirements. Where regulatory notification is required, we will comply within applicable timeframes.
- Remediation: Root cause analysis is conducted for all security incidents, and findings are incorporated into our security controls.
- Transparency: Material security incidents will be disclosed publicly with sufficient detail to inform affected parties while not aiding further attacks.
7. Responsible Disclosure
If you discover a security vulnerability in the TrancheBook platform, we encourage responsible disclosure. Please report vulnerabilities to security@tranchebook.com. We commit to:
- Acknowledging receipt of your report within 48 hours.
- Providing an initial assessment within 5 business days.
- Keeping you informed of remediation progress.
- Not pursuing legal action against good-faith security researchers.
Contact
For security concerns or to report a vulnerability, contact security@tranchebook.com.