# Security

**Last Updated**: 2026-03-15

**Version**: 2.0.0

## How We Protect Your Data

### Encryption in Transit

All data transmitted between your browser and our servers is encrypted using TLS 1.2+ (HTTPS). This includes web traffic, API calls, and WebSocket connections for real-time data streaming. We enforce HSTS to prevent downgrade attacks.

### Encryption at Rest

Sensitive data stored on our servers — including user credentials, API keys, and payment tokens — is encrypted at rest using AES-256 encryption. Database backups are also encrypted before storage.

### Authentication & Session Management

User passwords are hashed using bcrypt with per-user salts. Sessions are managed with secure, HttpOnly cookies that expire automatically. All authenticated API endpoints require nonce-based CSRF protection.

### Infrastructure Security

Our platform runs on enterprise-grade cloud infrastructure with firewall protection, network segmentation, DDoS mitigation, and intrusion detection. Access to production systems requires multi-factor authentication and follows the principle of least privilege.

> Security is a shared responsibility. We implement robust measures on our platform, and we encourage users to follow best practices to protect their accounts and credentials.

## Application Security

### Secure Development Practices

Our codebase follows OWASP Top 10 security guidelines. All user inputs are sanitized and validated. We protect against SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and other common web vulnerabilities.

### API Security

All API endpoints require authentication and nonce verification. Rate limiting is enforced to prevent abuse. Sensitive operations require additional permission checks including user role and membership status validation.

### Data Isolation

User data is strictly isolated at the application level. Your strategies, algorithms, backtest results, and API keys are accessible only to your account. Multi-tenant architecture enforces per-user data boundaries on every database query.

### Dependency Management

We regularly audit and update third-party libraries and dependencies to address known vulnerabilities. Automated security scanning is part of our development workflow.

## Data Handling & Privacy

### API Key Security

Third-party API keys you provide (e.g., for LLM providers) are encrypted using AES-256 before storage. Keys are decrypted only at the moment of use, are never logged, and are never displayed in full after initial entry.

### Payment Security

All payment processing is handled by Stripe, which is PCI DSS Level 1 certified. We never store, process, or transmit full credit card numbers. Only tokenized references are retained for billing records.

### Strategy & Algorithm Privacy

Your trading strategies, algorithm source code, factor definitions, and backtest results are private to your account. We do not access, analyze, or share your trading data for any purpose beyond providing the service you requested.

### AI/LLM Data Processing

When you use AI features, your prompts are sent to LLM providers under data processing agreements that prohibit using your data for model training. We do not store AI conversation logs beyond your active session unless you explicitly save results.

### Minimal Data Collection

We collect only the data necessary to provide our services. We do not sell, rent, or share your personal data with third parties for marketing purposes. See our Privacy Policy for full details.

## Vulnerability Management

### Security Monitoring

We continuously monitor our systems for suspicious activity, unauthorized access attempts, and anomalous behavior. Automated alerting ensures rapid response to potential security events.

### Patch Management

Security patches for operating systems, frameworks, and dependencies are applied promptly. Critical vulnerabilities are addressed within 24 hours of disclosure.

### Responsible Disclosure

If you discover a security vulnerability in our platform, please report it to security@quantnexus.com. We take all reports seriously and will investigate promptly. We ask that you not publicly disclose vulnerabilities until we have had an opportunity to address them.

### Incident Response

We maintain an incident response plan that defines procedures for identification, containment, eradication, and recovery from security incidents. Affected users will be notified promptly in accordance with applicable data breach notification laws.

## Important Notes

> While we implement industry-standard security measures to protect your data, no system is completely immune to all threats. We continuously monitor and improve our security posture. Users are responsible for maintaining the security of their own accounts, credentials, and API keys.

---

Source: https://stratcraft.ai/help/security/