Security
13F Insight is built on public SEC data, so our security posture focuses on the things that are actually sensitive: your account, your payment relationship, and the integrity of the platform itself.
Account security
- Password storage. Passwords are hashed with bcrypt (work factor 12). Plaintext passwords are never stored or logged.
- Email verification. New email/password registrations must confirm a 6-digit verification code before the account becomes active.
- Short-lived sessions. Sign-in issues an access token valid for one day, paired with a rotating refresh credential held in an HTTP-only cookie. Refresh tokens rotate on every use, which limits the value of a stolen token.
- Google sign-in. If you use Google, authentication is handled by Google Identity Services and no password exists on our side.
Payments
Subscriptions are processed end-to-end by Stripe, via Stripe Checkout and the Stripe Billing Portal. Card details are entered on Stripe's PCI-compliant pages and never touch our servers — 13F Insight only receives subscription status events. Daily reconciliation between Stripe and our database guards against drift in either direction.
Data we hold
Almost everything on 13F Insight — filings, holdings, insider transactions, filer profiles — is public SEC data. The personal data we hold is minimal: your email address, a password hash (unless you use Google sign-in), and your subscription tier. We do not sell personal data. See the privacy policy for details and the data & methodology page for how the public data is sourced.
Platform hardening
- Encryption in transit. All traffic is served over HTTPS/TLS, fronted by Cloudflare with WAF and DDoS protection.
- Security headers. Every application sends
X-Frame-Options,Content-Security-Policy: frame-ancestors 'none'andX-Content-Type-Options: nosniffto prevent clickjacking and MIME sniffing. - Server-side enforcement. Subscription entitlements are enforced on the server for every request — paid content is never merely hidden client-side.
- Isolated database. The production database accepts no external connections; access is restricted to the application network.
Reporting a vulnerability
We welcome reports from security researchers. Email [email protected] with "Security" in the subject, including steps to reproduce and the affected URL. Please practice responsible disclosure — give us reasonable time to investigate and fix before publishing. Machine-readable details are available at /.well-known/security.txt.