Cybersecurity Policy

Solid Rock Strategies LLC ("the Company") — A‑Radar trading software Effective date: June 24, 2026 · Version: 1.0 · Owner: Managing Members Review cadence: at least annually and upon any material change

1. Purpose & Scope

This policy describes how Solid Rock Strategies LLC protects the information and systems involved in providing its software products (the "A‑Radar" desktop applications) and the supporting cloud services it operates. It applies to all Company personnel (its Managing Members) and to every system the Company controls: its production cloud service, its source code, its administrative accounts, and the workstations used to operate the business.

Architecture context (important). A‑Radar is downloadable software that runs on the end user's own computer. The Company does not custody customer funds or securities, does not execute trades on its own servers, and does not store customer brokerage credentials or trading records on Company servers at rest. All order execution and custody occur at the user's own brokerage (e.g., Alpaca Securities LLC). The only production system the Company operates is a lightweight OAuth/license relay (described below). This "local‑first" design materially reduces the Company's attack surface and the amount of sensitive customer data it holds.

The Company's production system:

A‑Radar desktop application — installed and run on the customer's

device. A local‑only web server bound to `127.0.0.1` (loopback) renders the dashboard; nothing on this interface is exposed to the network.

Relay service (`api.aradartrading.com`, hosted on Render) — a stateless

service that (a) holds brokerage OAuth client secrets server‑side, (b) performs the OAuth authorization‑code‑for‑token exchange and hands the resulting token to the user's application once, holding it only transiently in memory, and (c) validates subscription license keys via Whop.

2. Data Classification and Handling

The Company classifies information into four tiers and handles each accordingly:

Class	Examples	Handling requirements
Restricted	Brokerage OAuth client secrets; OAuth access tokens; brokerage API keys; license‑validation secrets; code‑signing keys	Never stored in source code or logs. Server‑side secrets held only in the hosting provider's encrypted environment‑variable store, accessible only to Managing Members. Access tokens and API keys that belong to a customer are stored only on that customer's device in an OS‑permission‑restricted directory. The relay holds an access token only transiently in memory during the OAuth hand‑off and discards it after the application retrieves it once.
Confidential	Customer email/contact, license keys, customer trade journal and settings	Customer trade journals and settings are stored on the customer's own device, never transmitted to the Company. Email/contact and license records are held in vetted third‑party systems (Whop, email provider) under least‑privilege access.
Internal	Source code, build artifacts, configuration	Stored in a private version‑control repository; release builds produced from reviewed source.
Public	Marketing site, documentation, EULA	May be published; contains no sensitive data.

Secrets are never written to logs, error messages, journals, or analytics. Where credential hints must be displayed, only masked values are shown.

3. Access Control and Privileged Access Management

Least privilege. Each administrative system grants only the access

required. There are no shared logins; each Managing Member uses an individual, named account.

Multi‑factor authentication (MFA) is enabled on every administrative

account that supports it — hosting (Render), DNS/email (Cloudflare), licensing and payments (Whop), source control (GitHub), and the brokerage developer consoles.

Privileged access to production secrets (relay environment variables, the

domain, the code‑signing identity, and the OAuth application registrations) is restricted to the Managing Members only.

Source control is a private repository; no production secret is ever

committed. Secrets are injected at deploy time via the hosting provider's encrypted environment store.

On the customer's device, all application state (credentials, tokens, journal)

is written to a per‑user data directory created with owner‑only permissions, isolating it from other OS users on the same machine.

Access is reviewed when responsibilities change and at least annually.

4. Encryption of Data at Rest and in Transit

In transit:

All communication between the application, the relay, the brokerage APIs, and

the licensing provider uses HTTPS/TLS 1.2+. The relay is served only over HTTPS.

The application's local interface is bound to `127.0.0.1` (loopback) and never

traverses the network, so its traffic does not leave the device.

OAuth client secrets are used exclusively server‑side on the relay and are

never transmitted to, or stored in, the desktop application.

At rest:

The relay is stateless with respect to customer data — it persists no

customer trading data or long‑lived credentials. Tokens exist only transiently in memory during the OAuth hand‑off. The hosting provider (Render) encrypts underlying storage.

On the customer's device, application data is protected by OS file permissions

(owner‑only). The Company instructs customers, in its documentation, to enable full‑disk encryption (Apple FileVault / Windows BitLocker), which encrypts this data at rest on the customer's machine.

Company workstations used to operate the business have full‑disk encryption

enabled.

5. Vulnerability Management and Patch Management

Dependencies are pinned to known‑good versions and monitored for security

advisories (including via GitHub security alerts). Vulnerable dependencies are updated promptly, prioritized by severity.

Hosting platform. The relay runs on a managed platform (Render) that

patches the underlying operating system and runtime automatically.

Customer application updates. The application checks a Company‑hosted

version manifest and notifies users when a new release is available, so security fixes can be distributed to installed copies.

Secure development. Changes are made in a private repository and reviewed

before release builds are produced; automated build pipelines produce the shipped installers from reviewed source.

The Company tracks the components of its production system and re‑evaluates

them for new vulnerabilities on an ongoing basis.

6. Incident Response and Disaster Recovery

Incident response. On discovery of a suspected security incident, the Managing Members follow a contain → eradicate → recover → notify process:

1. Detect & triage the scope and affected systems/data. 2. Contain — disable affected access, and rotate/revoke any exposed secrets (relay environment secrets, OAuth client secret, and, where a customer integration is implicated, revoke the affected OAuth authorization so the broker can invalidate the token). 3. Eradicate & recover — remediate the root cause and restore service from known‑good source. 4. Notify — affected customers are notified without undue delay, and the Company notifies affected brokerage partners (including Alpaca) where their integration or customers are implicated, consistent with applicable law and partner agreements.

Security reports can be sent to admin@aradartrading.com.

Disaster recovery. Because the relay is stateless and holds no persistent customer data, recovery is straightforward: the service is redeployable to the hosting provider from version‑controlled source within minutes, and no customer trading data resides on it to be lost. Source code and configuration are maintained in a private version‑control repository (the authoritative recovery source). Customer trading data and credentials reside on the customer's own device and are not dependent on Company infrastructure for availability.

7. Physical Security

The Company operates no data centers or on‑premises servers. All production infrastructure is hosted by established cloud providers (Render for compute, Cloudflare for DNS/edge) whose facilities maintain their own physical‑security and compliance programs (e.g., SOC 2 / ISO 27001 at the infrastructure layer).

Company workstations used to administer the business are protected by full‑disk encryption, automatic screen lock, strong authentication with MFA, and current OS security updates. Administrative credentials are not stored in plaintext.

8. Vendor Risk Management

The Company relies on a small set of established, security‑conscious service providers and limits the data shared with each to what is necessary:

Vendor	Purpose	Data shared
Render	Relay hosting (compute)	No persistent customer data; transient OAuth hand‑off only; server‑side secrets in its encrypted env store
Cloudflare	DNS, edge, business email routing	Domain/DNS; inbound support email routing
Whop	Subscription licensing & payment processing	License keys; payment handled by Whop (the Company does not store card data)
GitHub	Private source control & build pipeline	Source code (private); no production secrets
Brokerage partners (e.g., Alpaca, Webull)	Brokerage integration the user links to	OAuth authorization at the user's direction; execution/custody occur at the broker

Each provider is an established platform that maintains its own security program and relevant attestations. The Company prefers providers with recognized security certifications, enables their security features (MFA, encrypted secret storage), and re‑evaluates this vendor list at least annually.

9. Governance & Review

This policy is owned by the Managing Members of Solid Rock Strategies LLC and is reviewed at least annually and upon any material change to the Company's systems, vendors, or data‑handling practices. The Company is a software/technology provider; it is not a broker‑dealer, investment adviser, or custodian, and it does not hold customer funds or securities.

Solid Rock Strategies LLC — Texas. Contact: admin@aradartrading.com