Your data stays
yours.
We built Signals on infrastructure we trust with our own accounts. Here's an honest look at how we protect your data — no marketing fluff, no overclaiming.
No passwords. Ever.
Signals uses passwordless authentication — we send a one-time code to your email and issue a short-lived session token. There are no stored passwords on our servers and nothing to leak in a credential breach. Session tokens are managed by AWS Cognito, a battle-tested identity platform.
Encrypted end to end.
All communication between your browser and our servers travels over HTTPS/TLS. There is no unencrypted path into Signals. Data stored on our infrastructure uses AWS-managed encryption at rest.
Every request is authenticated.
Our API requires a valid JWT on every single request — there are no open endpoints. Tokens are validated by AWS API Gateway before any handler runs. If a token is missing, expired, or invalid, the request is rejected outright.
We never see your card.
All billing is handled by Stripe, a PCI-DSS Level 1 certified payment processor. Your full card number and CVV never touch our servers. We retain only what's needed to manage your subscription — card brand, last four digits, and billing status.
Read-only. Minimal credentials.
When you connect a platform, we request only the league and roster data needed to power your Signals account — we never post, trade, or change anything on your behalf. Sleeper connects with just your username; no password exists in the flow. ESPN private leagues connect with browser session cookies (espn_s2 and SWID), never your ESPN password. MFL private leagues sign in with your MFL credentials once, over an encrypted connection: your password is used a single time to establish an MFL session and is never stored — we retain only the session credential MFL issues. You can disconnect any integration from Settings at any time.
Serverless. Minimal surface area.
Signals runs on AWS — serverless Lambda functions, DynamoDB, and API Gateway. There are no persistent app servers sitting exposed on the internet. Each function runs in isolation and is granted only the permissions it needs to do its job.
Found something? Tell us.
We're a small team and we take security seriously. If you discover a vulnerability or something that doesn't look right, please reach out before disclosing it publicly. We'll respond promptly, keep you informed, and do our best to fix it fast.
Report a vulnerability →For full details on data collection, retention, and your privacy rights, see our Privacy Policy and Terms of Service. No security measure is 100% foolproof — but we'll always be transparent about incidents that affect your data, as required by applicable law.