Trust

Security

Risk Marshal connects to trading accounts, so we hold ourselves to a simple standard: collect the minimum, encrypt what we store, and be precise about what we can and cannot access.

Credentials

Self-hosting: your MT5 master password never leaves your machine. The dashboard syncs through read-only investor credentials, which cannot place, modify, or close trades and cannot move funds.

Managed hosting: to run enforcement on infrastructure we operate, trading credentials are encrypted at rest with AES-256-GCM and decrypted only inside the hosted terminal environment that enforces your rules. They are never exposed in dashboards, logs, or support tooling.

In both modes, Risk Marshal cannot withdraw, deposit, or transfer funds — broker platforms do not expose funds movement to trading terminals, and we never ask for banking or wallet credentials.

Your data

  • You own your trading data. You can export it or delete it at any time.
  • We never sell or rent personal data. Aggregated, anonymised benchmarks are opt-in only.
  • Behavioural signals (breaches, sessions, discipline scores) are scoped to your account and visible to others only if you invite them — for example an accountability partner or coach.
  • Retention and processing details are documented in the Privacy Policy.

Platform practices

  • All traffic is encrypted in transit with TLS; HTTPS is enforced with HSTS.
  • Strict browser protections are enabled site-wide: content security policy, frame-embedding denial, and MIME-sniffing protection.
  • Payments are handled by our payment processor — card details never touch Risk Marshal servers.
  • Production access is restricted, and enforcement infrastructure is isolated from the public website.

Responsible disclosure

Found a vulnerability? Email support@riskmarshal.com with [Security] in the subject. Include steps to reproduce and give us a reasonable window to fix the issue before public disclosure — we take reports seriously and respond to every one. Machine-readable details live at /.well-known/security.txt.

The honest limits

Security is a practice, not a badge. We don't currently hold formal certifications such as SOC 2, and we won't imply otherwise. What we commit to is minimal collection, encryption of sensitive data, truthful documentation, and fast response when something is wrong. Questions we haven't answered here: ask us directly.