SIGNALSFANTASY INTELLIGENCE
// SECURITY

Your data stays
yours.

We built Signals on infrastructure we trust with our own accounts. Here's an honest look at how we protect your data — no marketing fluff, no overclaiming.

// 01 · AUTHENTICATION

No passwords. Ever.

Signals uses passwordless authentication — we send a one-time code to your email and issue a short-lived session token. There are no stored passwords on our servers and nothing to leak in a credential breach. Session tokens are managed by AWS Cognito, a battle-tested identity platform.

// 02 · DATA IN TRANSIT

Encrypted end to end.

All communication between your browser and our servers travels over HTTPS/TLS. There is no unencrypted path into Signals. Data stored on our infrastructure uses AWS-managed encryption at rest.

// 03 · API ACCESS

Every request is authenticated.

Our API requires a valid JWT on every single request — there are no open endpoints. Tokens are validated by AWS API Gateway before any handler runs. If a token is missing, expired, or invalid, the request is rejected outright.

// 04 · PAYMENT SECURITY

We never see your card.

All billing is handled by Stripe, a PCI-DSS Level 1 certified payment processor. Your full card number and CVV never touch our servers. We retain only what's needed to manage your subscription — card brand, last four digits, and billing status.

// 05 · FANTASY PLATFORM ACCESS

Read-only. Minimal credentials.

When you connect a platform, we request only the league and roster data needed to power your Signals account — we never post, trade, or change anything on your behalf. Sleeper connects with just your username; no password exists in the flow. ESPN private leagues connect with browser session cookies (espn_s2 and SWID), never your ESPN password. MFL private leagues sign in with your MFL credentials once, over an encrypted connection: your password is used a single time to establish an MFL session and is never stored — we retain only the session credential MFL issues. You can disconnect any integration from Settings at any time.

// 06 · INFRASTRUCTURE

Serverless. Minimal surface area.

Signals runs on AWS — serverless Lambda functions, DynamoDB, and API Gateway. There are no persistent app servers sitting exposed on the internet. Each function runs in isolation and is granted only the permissions it needs to do its job.

// RESPONSIBLE DISCLOSURE

Found something? Tell us.

We're a small team and we take security seriously. If you discover a vulnerability or something that doesn't look right, please reach out before disclosing it publicly. We'll respond promptly, keep you informed, and do our best to fix it fast.

Report a vulnerability →