Rare Index

    Security

    How Rare Index protects the platform, its data, and its users.

    Our Security Approach

    Rare Index handles market-sensitive pricing data that institutional investors rely on for decision-making. We take that responsibility seriously.

    Our security posture is built on three principles:

    Protect the data pipeline from compromise.

    Protect user accounts from unauthorized access.

    Maintain platform availability so the data is there when you need it.

    We do not believe security through obscurity is security at all. This page describes our approach transparently - because trust is built through visibility, not vagueness.

    Infrastructure Security

    Rare Index runs on modern cloud infrastructure designed for reliability, isolation, and auditability.

    Hosting & Deployment

    Our application is deployed on Railway, a managed cloud platform that provides containerized environments with automated scaling, isolated build pipelines, and zero-downtime deployments. Infrastructure configuration is managed through code - no manual server provisioning.

    Database

    Market data is stored in Snowflake, an enterprise-grade cloud data platform used by Fortune 500 companies for analytics and data warehousing. Snowflake provides:

    • Encryption at rest and in transit by default (AES-256 and TLS 1.2+).
    • Role-based access control with granular privilege management.
    • Automatic data replication and failover.
    • SOC 2 Type II, SOC 1 Type II, ISO 27001, HIPAA, and PCI DSS compliance certifications.

    Network Security

    All data in transit between users, our application servers, data sources, and our database is encrypted via TLS. API integrations with external data sources use authenticated, encrypted connections exclusively.

    Authentication & Access Control

    User Authentication

    User accounts are secured through Auth0, an enterprise identity platform trusted by thousands of organizations worldwide. Auth0 provides:

    • Industry-standard OAuth 2.0 and OpenID Connect protocols.
    • Secure credential storage with bcrypt hashing - Rare Index never stores plaintext passwords.
    • Support for multi-factor authentication (MFA).
    • Brute-force protection and anomalous login detection.
    • Session management with configurable token expiration.

    Internal Access Control

    Access to production systems, databases, and deployment pipelines follows the principle of least privilege. Administrative access requires authenticated credentials with role-based permissions. Database access for development and analytics is restricted to read-only service accounts with dedicated credentials.

    Data Security

    Data Provenance & Integrity

    Every price record in our system carries full source provenance - traceable to its originating platform, timestamp, and ingestion batch. This chain of custody is maintained from ingestion through index calculation to user-facing display. Records cannot be modified after ingestion without creating a new auditable entry.

    Data Pipeline Security

    Our ETL (Extract, Transform, Load) processes run in isolated environments with no public network exposure. Source API credentials are stored as encrypted environment variables - never hardcoded in application code or version control.

    Backup & Recovery

    Snowflake's architecture provides continuous data protection with Time Travel (access to historical data states) and Fail-safe (disaster recovery beyond the Time Travel retention period). This ensures data can be recovered even in the event of accidental modification or deletion.

    Application Security

    HTTPS Everywhere

    All connections to therareindex.com and its subdomains are served over HTTPS with TLS encryption. HTTP requests are automatically redirected to HTTPS. We enforce HSTS (HTTP Strict Transport Security) to prevent protocol downgrade attacks.

    Dependency Management

    Application dependencies are monitored for known vulnerabilities. Critical security patches are prioritized and deployed promptly. Our frontend and backend codebases use current, actively maintained frameworks (Next.js / React and Python / FastAPI respectively).

    Input Validation

    All user inputs and API parameters are validated and sanitized to prevent injection attacks, cross-site scripting (XSS), and other common web vulnerabilities.

    Operational Security

    Monitoring & Alerting

    Platform health, API response times, error rates, and data pipeline status are monitored continuously. Automated alerts trigger when metrics deviate from expected baselines.

    Daily Data Audits

    Our operations team performs daily audits of the data pipeline - verifying record counts, source distribution, NULL rates, and cross-source consistency. These audits serve as both a data quality measure and an early warning system for pipeline anomalies that could indicate a security or integrity issue.

    Incident Response

    In the event of a security incident, our response protocol prioritizes: containment, assessment of impact, remediation, and transparent communication with affected users. We are committed to disclosing security incidents that materially affect user data or platform integrity.

    What We Do Not Do

    • We do not sell user data. Your account information and platform usage are not sold to third parties.
    • We do not serve ads. Rare Index is funded by its products and services, not advertising.
    • We do not store unnecessary personal data. We collect only what is required for account management and platform functionality.
    • We do not resell raw source data. Our product is market intelligence and analytics - not a data resale operation.
    • We do not use your data to train AI models. Your usage patterns and portfolio information remain private.

    Third-Party Security

    Rare Index integrates with trusted third-party services. We evaluate each partner's security posture before integration:

    Service   | Role                | Security Credentials
    Snowflake | Data warehouse      | SOC 2 Type II, ISO 27001, HIPAA, PCI DSS
    Auth0     | Authentication      | SOC 2 Type II, ISO 27001, GDPR compliant
    Railway   | Application hosting | SOC 2 Type II, encrypted builds and deployments

    We rely on these providers for enterprise-grade security infrastructure rather than building our own - because using battle-tested platforms operated by dedicated security teams is more secure than rolling custom solutions.

    For partnership security questionnaires, contact support@therareindex.com.

    Responsible Disclosure

    If you discover a security vulnerability in Rare Index, we want to hear about it. Please report security issues to support@therareindex.com.

    We ask that you:

    • Provide sufficient detail to reproduce the issue.
    • Allow reasonable time for us to investigate and remediate before public disclosure.
    • Do not access, modify, or delete data belonging to other users during your research.

    We are committed to working constructively with security researchers to keep the platform safe.

    Continuous Improvement

    Security is not a destination - it is an ongoing practice. Our roadmap includes:

    • Regular third-party security assessments as the platform scales.
    • Expanded monitoring and anomaly detection capabilities.
    • Formalized security policies and documentation as the team grows.
    • SOC 2 Type II certification for Rare Index as an organization when warranted by scale and institutional demand.

    We will update this page as our security posture evolves.

    Last updated: February 2026. Security practices described on this page reflect our current approach and are subject to improvement. For security concerns, contact support@therareindex.com.