SECURITY POSTURE DISCLOSURE
This page summarizes the technical and organizational security controls that protect the ONG Trades platform and its users. It is intended to support institutional due diligence, counterparty evaluation, and SOC 2 readiness review. Questions or security reports may be directed to security@ongtrades.com.
1. Overview
ONG Trades, Inc. operates an institutional-grade digital marketplace for physical energy commodity trading. Given the sensitivity of counterparty data, transaction records, and compliance documentation processed by the platform, security is a first-class engineering priority. Our security program is designed around a zero-trust architecture, defense in depth, least-privilege access, and continuous verification.
2. Encryption
2.1 Encryption in Transit
All traffic to and from the platform is encrypted using TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enforced at the edge. We disable legacy cipher suites and protocols and continuously monitor for compliance with modern TLS configuration standards.
2.2 Encryption at Rest
Data at rest is encrypted using AES-256. Database storage, object storage, and backup artifacts are all encrypted at rest by our infrastructure providers. Highly sensitive artifacts (KYC documents, signed agreements, voice recordings) are additionally stored in access-scoped buckets with per-object access policies.
2.3 Key Management
Cryptographic keys are managed through cloud-native key management services with automated rotation. A hardware security module (HSM) solution with FIPS 140-2 Level 3 compliance is scheduled for Phase 5 deployment. Service-role credentials are stored exclusively as environment secrets in the hosting platform and are never committed to source control.
3. Identity, Authentication & Access Control
3.1 Authentication
User authentication is handled through Supabase Auth with planned migration to Auth0 for enterprise SSO and enhanced MFA policies. All user accounts are required to enable multi-factor authentication, with enforced MFA for administrative, compliance, and auditor roles.
3.2 Role-Based Access Control (RBAC)
The platform implements a five-tier RBAC model covering administrator, compliance officer, auditor, trader, and investor view roles. Permissions are evaluated on every request and enforced both at the API layer and at the database layer via Supabase Row Level Security (RLS) policies.
3.3 Row Level Security
Every user-facing database table is protected by RLS policies. Policies check authentication state and ownership/membership before allowing read or write access. Administrative-only tables require explicit admin claims, and all RLS policies are reviewed during each security audit cycle.
4. Infrastructure Security
The platform runs on managed cloud infrastructure with shared-responsibility controls for physical security, network isolation, and hypervisor hardening. A Web Application Firewall (WAF) and DDoS mitigation layer are planned for Phase 3 activation. Edge caching and rate limiting protect public endpoints from abuse.
- Isolated production, staging, and development environments with separate credentials
- Secrets managed through the hosting platform's encrypted environment variable store
- Immutable build artifacts with reproducible deployments
- Continuous dependency scanning and automated vulnerability alerts
5. Six-Layer Compliance Architecture
Every trade flowing through the platform is evaluated across six compliance layers before execution is authorized:
- Layer 1 — Onboarding: KYC/KYB identity verification, sanctions screening, PEP checks
- Layer 2 — Product: Product documentation, refinery validation, allocation chain
- Layer 3 — Logistics: FOB/CIF verification, vessel nomination, inspection coordination
- Layer 4 — Inspection: Third-party certificates, quality and quantity verification
- Layer 5 — Financial: LC/SBLC verification, bank validation, SWIFT messaging
- Layer 6 — Execution: Laycan monitoring, demurrage, discharge, AIS tracking, authorization
Every verification and authorization decision is persisted to an immutable audit log with the acting user, timestamp, previous state, and new state, supporting SOC 2 CC6.1 evidence collection.
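The ownership and admin-claim RLS policies described in section 3.3 and the immutable audit log described above, shown together as an added SQL illustration; this is not ONG Trades' own schema, and the table names, column names and the JWT claim location (app_metadata.role) are assumptions.

```sql
-- Added illustration, not ONG Trades' schema: table/column names and the
-- location of the admin claim (app_metadata.role) are assumptions.
create table public.trades (
  id         uuid primary key default gen_random_uuid(),
  owner_id   uuid not null references auth.users (id),
  state      text not null default 'draft'
);
alter table public.trades enable row level security;

-- Ownership: an authenticated user reads and updates only their own rows.
create policy trades_owner_select on public.trades
  for select to authenticated using (owner_id = auth.uid());
create policy trades_owner_update on public.trades
  for update to authenticated
  using (owner_id = auth.uid()) with check (owner_id = auth.uid());
-- Administrative access needs an explicit admin claim, not merely a login.
create policy trades_admin_all on public.trades
  for all to authenticated
  using (coalesce(auth.jwt() -> 'app_metadata' ->> 'role', '') = 'admin');

-- Append-only audit log: acting user, timestamp, previous and new state.
create table public.trade_audit (
  id          bigint generated always as identity primary key,
  trade_id    uuid not null,
  actor_id    uuid,
  occurred_at timestamptz not null default now(),
  old_state   text,
  new_state   text
);
alter table public.trade_audit enable row level security;
-- Only admins may read. With no insert/update/delete policy and the grants
-- revoked, API callers can neither write nor rewrite history; the trigger
-- below writes as its owner (security definer) and so bypasses RLS.
create policy audit_admin_select on public.trade_audit
  for select to authenticated
  using (coalesce(auth.jwt() -> 'app_metadata' ->> 'role', '') = 'admin');
revoke insert, update, delete on public.trade_audit from authenticated, anon;

create or replace function public.log_trade_state()
returns trigger language plpgsql security definer as $$
begin
  -- Record every insert and every state transition with the acting user.
  if tg_op = 'INSERT' or new.state is distinct from old.state then
    insert into public.trade_audit (trade_id, actor_id, old_state, new_state)
    values (new.id, auth.uid(), old.state, new.state);
  end if;
  return new;
end $$;
create trigger trades_audit after insert or update on public.trades
  for each row execute function public.log_trade_state();
```

A row in trade_audit therefore exists for every state change, and no authenticated or anonymous API role holds a path to alter or delete it once written.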
6. Monitoring, Logging & Incident Response
The platform emits structured application logs, authentication logs, and compliance audit logs to a centralized log store. CloudWatch metrics and PagerDuty alerting are planned for Phase 3 completion (targeting June 2026). Until that milestone, incidents are triaged manually against real-time log streams and Supabase observability dashboards.
Our incident response process covers detection, containment, eradication, recovery, and post-incident review. Customer-affecting incidents are communicated through the platform notification system and, where applicable, by direct email to affected users within the timelines required under GDPR, the UK Data Protection Act 2018, and applicable U.S. state breach notification laws.
7. SOC 2 Readiness
ONG Trades is on a credible path to SOC 2 Type I certification for infrastructure security controls, with a target milestone of August 2026. A formal SOC 2 auditor will be engaged by July 2026 to allow sufficient time for evidence collection. Our internal audit cadence (currently at v9.0) continuously tracks findings across the five Trust Services Criteria, with a findings register maintained for remediation traceability.
This is a voluntary, transparent disclosure. We do not currently hold SOC 2 Type I or Type II certification, and we do not over-represent our compliance posture.
8. Security Audit Cadence
The platform is subject to a recurring security audit program. Each audit produces a numbered findings register (SRC-001, SRC-002, ...) capturing severity, area, status, and remediation. The audit history is retained indefinitely, and a delta report is published after every audit cycle. Prior audit versions (v1 through v9.0) are available to qualified reviewers under NDA.
9. Responsible Disclosure
We welcome reports from the security research community. If you believe you have identified a vulnerability, please report it privately to security@ongtrades.com. Reports should include a clear reproduction path, affected endpoints or components, and any proof-of-concept material necessary for triage.
We commit to the following:
- Acknowledgement of receipt within two (2) business days
- An initial triage assessment within five (5) business days
- Coordinated disclosure timelines for confirmed vulnerabilities
- Good-faith safe harbor for research conducted consistent with this policy — no legal action will be taken against researchers who report vulnerabilities responsibly and avoid service disruption, data exfiltration, or access to accounts other than their own
Out of scope: denial-of-service testing, social engineering of ONG Trades personnel, physical attacks, and testing against production data belonging to other users.
10. Vendor and Third-Party Security
We conduct security reviews of every third-party service that handles customer data, including identity verification providers (Chainalysis, World-Check), voice risk analytics (Clearspeed), signature services (DocuSign), geospatial providers (Mapbox), the Blockchain for Energy (B4E) consortium (Hyperledger FireFly infrastructure), and B4E Carbon. Each integration is governed by a data processing agreement and reviewed on renewal.
11. Contact
ONG Trades, Inc.
Attn: Security Team
Highland Park, TX
Security reports: security@ongtrades.com
Privacy inquiries: privacy@ongtrades.com
Legal: legal@ongtrades.com
For the detailed data-handling practices that complement this Security page, see our Privacy Policy and Terms of Service.
