Compliance, Security & Data Protection
X-Optional Research — March 2026
This document is prepared for investor due diligence and institutional review. It details the regulatory framework, security architecture, data protection practices, and compliance roadmap of the X-Optional Research platform.
Table of Contents
- 1. Executive Summary
- 2. Regulatory Compliance — SEC Publisher's Exclusion
- 3. Data Protection & GDPR Compliance
- 4. Infrastructure Security Architecture
- 5. Application Security
- 6. AI Model Security — XORI-1 Protection
- 7. Proprietary Signal Protection
- 8. Third-Party Risk Management
- 9. Incident Response
- 10. Compliance Roadmap
Executive Summary
X-Optional is a quantitative research tool platform, not an investment advisor. The platform provides impersonal, algorithmically derived options research powered by a 17-signal adaptive pipeline, a four-model pricing ensemble, and a proprietary fine-tuned AI engine (XORI-1).
Built with institutional-grade security, regulatory awareness, and data protection from day one, X-Optional operates within well-established legal frameworks and maintains a security posture appropriate for handling sensitive financial research infrastructure.
- SEC: Publisher's Exclusion Compliant
- GDPR: Data Protection Aligned
- SOC 2: Certification In Progress
Regulatory Compliance — SEC Publisher's Exclusion
X-Optional operates under the Publisher's Exclusion, Section 202(a)(11) of the Investment Advisers Act of 1940. This well-established legal framework exempts publishers of bona fide financial publications from registration as investment advisors, provided three conditions are met.
Impersonal Content
XORI-1 generates analysis based on mathematical models applied uniformly to all users. The same inputs produce the same outputs regardless of the subscriber. It never says "you should buy this" — it says "the 17-signal ensemble scores this setup at 8.4/12." No user's financial situation, portfolio composition, or risk tolerance is factored into any output.
No Discretionary Authority
Broker integration is URL deep-links only. X-Optional never has access to user brokerage accounts, cannot execute trades, and cannot move money. Users confirm every trade inside their own brokerage application. There is no API connection, no OAuth flow, and no stored credentials linking X-Optional to any brokerage.
No Fiduciary Relationship
Users explicitly acknowledge in our Terms of Service that X-Optional does not provide personalized financial advice. No fiduciary, advisory, or client relationship is created by subscription or usage. We owe no duty of suitability, best interest, or ongoing monitoring.
Disclaimer Infrastructure
- Every AI-generated output carries an inline disclaimer that the content is educational and not financial advice.
- The dashboard displays a persistent "Not Financial Advice" notice visible at all times.
- Terms of Service contain explicit Publisher's Exclusion language with full legal enforceability.
- Options Risk Disclosure (OCC ODD reference) presented in Terms and on the platform.
Data Protection & GDPR Compliance
Data Minimization
We collect only what is strictly necessary to operate the platform. Our data collection is limited to:
Collected
- Email address
- Display name
- Hashed password (Argon2id)
Never Collected
- SSN, date of birth, physical address
- Phone number, brokerage credentials
- Financial account numbers
Password Security
All passwords are hashed with Argon2id, the winner of the Password Hashing Competition. Argon2id is a memory-hard algorithm specifically designed to resist GPU-based and ASIC-based brute force attacks. Legacy bcrypt hashes are automatically upgraded to Argon2id on the next successful login — zero user friction, continuous security improvement.
Right to Erasure
GDPR Article 17
Users can permanently delete their account and all associated data via DELETE /api/user/delete-account. This cascades across all 14 database tables and cancels any active Stripe subscription. Deletion is immediate and irreversible.
Data Portability
GDPR Article 20
Users can export all their data as structured JSON via GET /api/user/export-data. Exports include profile, saved ideas, predictions, watchlist, and XP history. Generated on demand with no waiting period.
Data Residency
All data stored on US-based dedicated infrastructure (Nexlayer). No shared cloud databases. Database credentials never leave the deployment environment. All third-party API calls route to US-region endpoints.
No Tracking
Single auth_indicator cookie for session management only. No analytics trackers, no third-party cookies, no browser fingerprinting, no Google Analytics, no Facebook Pixel.
Infrastructure Security Architecture
The following diagram illustrates the layered security architecture from the client to the database. Each layer enforces independent security controls with no single point of failure.
Security Layer Architecture (client to database):
- Client (Browser): HTTPS/TLS 1.3, HSTS enforced (max-age 31536000)
- Ingress Controller: TLS termination and security headers
- Middleware Layer: CORS and rate limiting
- Authentication & Authorization: JWT with token rotation
- Frontend Pod: Next.js, port 3000
- Backend Pod: FastAPI, port 8001
- Database Pod: PostgreSQL 16, encrypted
Key Architecture Decision
Token storage and rate limiting use in-memory caches within the application process — there is no external Redis or Memcached service. This design eliminates an entire class of lateral movement attacks: compromising an external cache service cannot yield authentication tokens or session data, because no such service exists in the deployment.
Application Security
Input Validation
All API inputs are validated via Pydantic models with strict type enforcement. Every request body, query parameter, and path parameter is schema-validated before reaching any business logic. Malformed inputs are rejected with structured error responses at the framework level.
SQL Injection Prevention
SQLAlchemy ORM with parameterized queries is used for all database access. There is no raw SQL anywhere in route handlers. The repository pattern enforces a strict boundary — all data access goes through scoped query classes injected via FastAPI's dependency injection system.
Authentication
Argon2id password hashing with automatic upgrade from legacy bcrypt. JWT access tokens with 15-minute expiry signed with HS256. Refresh token rotation with family-based theft detection — if a refresh token is reused (indicating it was stolen), the entire token family is invalidated, forcing re-authentication on all sessions.
Audit Logging
All mutating API requests (POST, PUT, DELETE, PATCH) are logged with timestamp, user ID, HTTP method, request path, response status code, and client IP address. These logs enable forensic analysis of any unauthorized access or suspicious activity patterns.
No Stored Credentials
OAuth social login (Google/GitHub) means we never see or store third-party passwords. Broker integration uses URL deep-links exclusively — no API keys, no OAuth tokens, no stored brokerage credentials. The attack surface for credential theft is minimized by design.
AI Model Security — XORI-1 Protection
- Parameters: 14B
- Training Pairs: 8,500+
- Est. Replication Cost: $1.5M+
XORI-1 is a proprietary fine-tuned model trained on curated options research data. Model weights represent significant intellectual property and are treated as a core business asset.
Inference runs on dedicated GPU infrastructure within the deployment namespace. The model is not API-dependent on OpenAI, Anthropic, or any third-party inference provider. Model weights never leave our infrastructure.
Training data is stored in Google Cloud Storage with service account authentication. Access is restricted to the backend deployment via a dedicated service account key with minimal permissions.
System prompts enforce strict JSON output format with schema validation. Prompt injection attempts are mitigated by structural output constraints — the model must produce valid JSON matching a predefined schema, limiting the surface area for adversarial manipulation.
Proprietary Signal Protection
The quantitative signal pipeline is the analytical core of X-Optional. It represents years of research and continuous refinement through live market feedback.
Signal Architecture
- 16 quantitative signals with adaptive EMA weights
- Weights improve from tracked trade outcomes
- Per-sector, per-signal learned state
- 70% adaptive + 30% base weighting formula
Protection Measures
- Tiered rate limiting prevents bulk scraping
- No public API exposes raw signal scores
- Only the AI synthesis layer is user-facing
- Reverse-engineering prohibited by ToS
Third-Party Risk Management
X-Optional integrates with a minimal set of third-party services, each scoped to a specific operational function. No user PII is shared for marketing or advertising purposes.
| Provider | Data Shared | Security Posture |
|---|---|---|
| Stripe | Billing data only (email, subscription status). No trade data. | PCI DSS Level 1 |
| Resend | Transactional email only. No user research data. | SOC 2 Type II |
| Alpaca Markets | Ticker symbols only. No user data transmitted. | FINRA/SEC Registered |
| Alpha Vantage | Ticker symbols only. No user data transmitted. | Server-to-Server |
| Google (Gemini) | Anonymized market data context. No user PII in prompts. | SOC 2 & ISO 27001 |
| Nexlayer | Infrastructure hosting. Data encrypted at rest and in transit. | SOC 2 Type II |
Incident Response
Automated Database Backups
Nightly encrypted backups to Google Cloud Storage at 3 AM UTC. If an empty database is detected, the latest backup is restored automatically, ensuring rapid recovery from any data loss event. Backup integrity is verified on each restore cycle.
Stateless Cache Architecture
In-memory cache architecture means there is no persistent external cache to compromise. If the application process restarts, the cache rebuilds from authoritative sources (database and market data APIs). There is no stale cache poisoning vector.
Forensic Capability
Audit logs of all mutating API requests enable forensic analysis of any unauthorized access. Logs include user identification, timestamps with millisecond precision, request paths, response codes, and client IP addresses. Logs are retained for the lifetime of the deployment.
Compliance Roadmap
Q2 2026
SOC 2 Type I Audit Preparation
Formal documentation of controls, policies, and procedures. Engagement with independent auditor.
Q3 2026
Formal Penetration Testing
Third-party penetration testing engagement covering API, infrastructure, and AI model security boundaries.
Q4 2026
SOC 2 Type II Certification
Full certification covering security, availability, and confidentiality trust service criteria.
Ongoing
Continuous Security Operations
Quarterly security review, dependency audit, credential rotation, and vulnerability scanning.
Prepared for Investor Due Diligence
X-Optional Research, Inc. (Texas) — Last updated: March 2026