Security at Alpaca

Here at Alpaca, we take security seriously. We have implemented industry best practices to ensure your data remains secure on our platform.

Compliance

Alpaca adheres to the ISO 27001:2013 standard and undergoes annual SOC 2 Type 2 assessments against all 5 trust services criteria, Security, Confidentiality, Availability, Integrity, and Privacy.

Further, Alpaca complies with GDPR and UK’s ICO Data Protection programs to ensure the privacy and security of all personal data collected and/or stored.

Achieving the SOC 2 Type 2 attestation and being independently verified, assures that Alpaca has an effective Security and Privacy program.

Infrastructure

Alpaca’s infrastructure is built on top of Google Cloud Platform which is built on a secure-by-design foundation and has attained several security and privacy certifications and attestations including ISO 27001, SOC 1, SOC 2, PCI DSS, and is compliant with GDPR.

For more information, click here to access Google’s Trust Center.

We have established a robust multi-layered network ecosystem utilizing Google's infrastructure to ensure the constant availability and protection of our applications and data. The access to our infrastructure and data is regularly reviewed to ensure only authorized personnel gain access. Along with rigorous security measures, we maintain the availability of the data we gather by performing comprehensive daily backups that are stored offsite, and these backups are tested daily to ensure their integrity.

Alpaca operates under a Zero Trust architecture, a security model that emphasizes the importance of verifying every access attempt to our network, applications, and data, regardless of the user's location or affiliation.

Access to our infrastructure requires strong credentials and two-factor authentication.

Data Handling and Encryption

Alpaca takes the handling of confidential data very seriously, implementing a series of robust measures to ensure its protection and maintain the trust of our clients and stakeholders. These measures include:

Confidential data is encrypted both at rest and in transit, using advanced encryption algorithms and protocols including AES-256 in storage and TLS in transit
We classify data based on its sensitivity, with confidential data receiving the highest level of protection
We employ stringent access control policies to ensure that only authorized personnel have access to confidential data based on their roles and responsibilities
Our staff receives training and reminders on handling confidential data to help foster a security-conscious culture within the organization

Vulnerability Disclosure and Bug Bounty Program

We actively cooperate with global security researchers to detect and address security weaknesses within our platform. If you suspect that you've discovered a security flaw, please submit a request to our support team at [email protected] to be invited to our bug bounty program where you may be rewarded if we confirm the issue to be valid and aligns with our bug bounty policy. If you would like to encrypt your email back to us please use the public key found below.

Click here for further information on Alpaca’s Security program.

Download Public Encryption Key

Disclosures

Brokerage services are provided by Alpaca Securities, member FINRA/SIPC, a wholly-owned subsidiary of AlpacaDB, Inc.

Technology and services are offered by AlpacaDB, Inc.

Brokerage services are provided to customers who can write automated investment code and self-direct their own investments. Alpaca brokerage services are only provided to customers who agree to electronically sign agreements and agree to receive messages, confirmations, and statements electronically. Is Alpaca right for me?

This is not an offer, solicitation of an offer, or advice to buy or sell securities or cryptocurrencies, or open a brokerage account or cryptocurrency account in any jurisdiction where Alpaca Securities or Alpaca Crypto respectively, are not registered or licensed, as applicable.

The Paper Trading API is offered by AlpacaDB, Inc. and does not require real money or permit a user to transact in real securities in the market. Providing use of the Paper Trading API is not an offer or solicitation to buy or sell securities, securities derivative or futures products of any kind, or any type of trading or investment advice, recommendation or strategy, given or in any manner endorsed by AlpacaDB, Inc. or any AlpacaDB, Inc. affiliate and the information made available through the Paper Trading API is not an offer or solicitation of any kind in any jurisdiction where AlpacaDB, Inc. or any AlpacaDB, Inc. affiliate (collectively, "Alpaca") is not authorized to do business.

You should know that the use or granting of any third party access to your account information or place transactions in your account at your direction is solely at your risk. Alpaca does not warrant against loss of use or any direct, indirect or consequential damages or losses to you caused by your assent, expressed or implied, to a third party accessing your account or information, including access provided through any other third party apps, systems, or sites.

Market prices, data and other information available through Alpaca are not warranted as to completeness or accuracy and are subject to change without notice. System response and account access times may vary due to a variety of factors, including trading volumes, market conditions, system performance, and other factors. A more complete description of the impact these factors may have can be found in our risks of automated trading systems section.

All investments involve risk and the past performance of a security, or financial product does not guarantee future results or returns. Keep in mind that while diversification may help spread risk it does not assure a profit, or protect against loss, in a down market. There is always the potential of losing money when you invest in securities, or other financial products. Investors should consider their investment objectives and risks carefully before investing.

There are risks unique to automated trading algorithms that you should know about and plan for. You should setup a method or system of continuous monitoring or alerting to let you know if there is a mechanical failure, such as connectivity issues, power loss, a computer crash, or system quirk. You should also monitor for instances where your automated trading system experiences anomalies that could result in errant, missing, or duplicated orders. A more complete description of these and other risks can be found in our FAQ section.

Conditional orders may have increased risk as a result of their reliance on trigger processing, market data, and other internal and external systems. Such orders are not sent to the market until specified conditions are met. During that time, issues such as system outages with downstream technologies or third parties may occur. Conditional orders triggering near the market close may fail to execute that day. Furthermore, our executing partner may impose controls on conditional orders to limit erroneous trades triggering downstream orders. Alpaca Securities may not always be made aware of such changes to external controls immediately, which may lead to some conditional orders not being executed. As such, it is important to monitor conditional orders for reasonability. Conditional orders are “Not Held” orders whose execution instructions are on a best efforts basis upon being triggered. Furthermore, conditional orders may be subject to the increased risks of stop orders and market orders outlined above. Given the increased potential risk of using conditional orders, the client agrees that Alpaca Securities cannot be held responsible for losses, damages, or missed opportunity costs associated with market data problems, systems issues, and user error, among other factors. By using conditional orders the client understands and accepts the risks outlined above. Alpaca Securities encourages leveraging the use of Paper accounts to become more comfortable with the intricacies associated with these orders.

ETFs can entail risks similar to direct stock ownership, including market, sector, or industry risks. Some ETFs may involve international risk, currency risk, commodity risk, and interest rate risk. Trading prices may not reflect the net asset value of the underlying securities.

All accounts are opened as limited purpose margin accounts. You should know that margin trading involves interest charges and risks, including the potential to lose more than deposited or the need to deposit additional collateral in a falling market. Before using margin, customers must determine whether this type of trading strategy is right for them given their specific investment objectives, experience, risk tolerance, and financial situation. For more information please see Alpaca's Margin Disclosure Statement and Margin Agreement. These disclosures contain information on Alpaca Securities's lending policies, interest charges, and the risks associated with margin accounts.

Any fee you pay is based on the specific transaction and not the value of your account. In general, we do not charge a commission for trades. However, certain arrangements with authorized business partners may preclude commission free trades by Alpaca Securities. If your account is established via an authorized business partner, please refer to the fee schedule provided through your authorized partner’s website or platform. Customers of Alpaca Securities should refer to the Alpaca Securities Brokerage Fee Schedule. Please ensure you review the fees and costs identified on any confirmations and statements you receive.

Cryptocurrency is highly speculative in nature, involves a high degree of risks, such as volatile market price swings, market manipulation, flash crashes, and cybersecurity risks. Cryptocurrency is not regulated or is lightly regulated in most countries. Cryptocurrency trading can lead to large, immediate and permanent loss of financial value. You should have appropriate knowledge and experience before engaging in cryptocurrency trading. For additional information please click here.

Cryptocurrency services are made available by Alpaca Crypto, a FinCEN registered money services business (NMLS # 2160858), and a wholly-owned subsidiary of AlpacaDB, Inc. Alpaca Crypto is not a member of SIPC or FINRA. Cryptocurrencies are not stocks and your cryptocurrency investments are not protected by either FDIC or SIPC. Please see the Disclosure Library for more information.