Security & Compliance
Last updated: 29 May 2026
Security is foundational to a platform people rely on for financial research. This page summarises how we protect your account and your data. Termimal is operated by Hiram OÜ. The product is in active beta — we harden it continuously, and this page evolves alongside it. If anything here is unclear, contact security@termimal.com.
1. Account security
Authentication is handled by Supabase Auth. Passwords are hashed and salted using industry-standard algorithms — we never see or store your raw password.
- Two-factor authentication (2FA) using time-based one-time passwords (TOTP).
- Passkeys (WebAuthn / FIDO2) — sign in with a hardware security key or your device's built-in authenticator (Face ID, Touch ID, Windows Hello).
- Session management — review your active sessions and sign out other devices from your profile. Sensitive actions require re-authentication.
2. Data protection
In transit: all traffic is served over HTTPS with TLS 1.2 or higher. We enforce HTTP Strict Transport Security (HSTS, including subdomains, with preload) so browsers refuse to connect over plain HTTP.
At rest: application data is stored in managed PostgreSQL (Supabase) with encryption at rest. Access to production data is restricted on a least-privilege basis.
3. Payments
Card payments are processed by Stripe, a PCI-DSS Level 1 certified provider. Your full card details are entered directly with Stripe and never touch Termimal's servers. Cryptocurrency payments are processed by Coinbase Commerce. We do not store card numbers.
4. Infrastructure & network
Termimal runs on Cloudflare's global edge network, which provides TLS termination, DDoS mitigation, and a web application firewall. Sign-up is protected against automated abuse by Cloudflare Turnstile, and our APIs apply rate limiting to throttle abusive traffic.
5. Application hardening
Every page is served with a strict Content-Security-Policy and a set of defence-in-depth response headers — X-Frame-Options (anti-clickjacking), X-Content-Type-Options, Referrer-Policy, and a restrictive Permissions-Policy — to mitigate cross-site scripting, framing, and data leaks. We do not load third-party scripts beyond our payment, authentication, and analytics providers.
6. Privacy
How we collect, use, and share data — including the sub-processors we rely on — is described in our Privacy Policy and Cookie Policy.
7. Responsible disclosure
We welcome reports from security researchers. If you believe you have found a vulnerability, email security@termimal.com with clear steps to reproduce. Please:
- give us a reasonable opportunity to investigate and remediate before any public disclosure;
- act in good faith — do not access, modify, or delete data that is not yours, and avoid privacy violations or service disruption;
- do not run automated scanning or load testing that could degrade availability for other users.
We will acknowledge your report, keep you informed of our progress, and will not pursue legal action against researchers who follow this policy in good faith.
8. Your responsibilities
You play a key role in keeping your account secure: choose a strong, unique password, enable 2FA or a passkey, keep any API keys confidential, and contact us immediately at security@termimal.com if you suspect unauthorised access.
9. No warranty
Termimal is provided on an “as is” and “as available” basis during beta. While we work hard to protect your data, no system can be guaranteed perfectly secure. Nothing on this page forms part of a contract or warranty; see our Terms of Service for the governing terms.