Advanced 2026-03-15

Security

How We Protect Your Data

1. Encryption in Transit

All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS). This includes web traffic, API calls, and WebSocket connections for real-time data streaming. We enforce HSTS (HTTP Strict Transport Security), so browsers that have seen our policy refuse plain-HTTP connections to our domain; this blocks protocol-downgrade and SSL-stripping attacks.

2. Encryption at Rest

Sensitive data stored on our servers — including user credentials, API keys, and payment tokens — is encrypted at rest using AES-256 encryption. Database backups are also encrypted before storage.

3. Authentication & Session Management

User passwords are hashed using bcrypt, which generates a unique random salt for every password and stores it with the hash, so identical passwords never produce identical hashes and precomputed tables are useless. Sessions are managed with cookies flagged Secure and HttpOnly that expire automatically. All authenticated API endpoints require nonce-based CSRF protection.

4. Infrastructure Security

Our platform runs on enterprise-grade cloud infrastructure with firewall protection, network segmentation, DDoS mitigation, and intrusion detection. Access to production systems requires multi-factor authentication and follows the principle of least privilege.

Note Security is a shared responsibility. We implement robust measures on our platform, and we encourage users to follow best practices to protect their accounts and credentials.

Application Security

1. Secure Development Practices

Our codebase follows OWASP guidance and is reviewed against the OWASP Top 10 risk categories. All user input is validated and sanitized. We protect against SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and other common web vulnerabilities.

2. API Security

All API endpoints require authentication and nonce verification. Rate limiting is enforced to prevent abuse. Sensitive operations require additional permission checks, including validation of the user's role and membership status.

3. Data Isolation

User data is strictly isolated at the application level. Your strategies, algorithms, backtest results, and API keys are accessible only to your account. Multi-tenant architecture enforces per-user data boundaries on every database query.
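"Per-user data boundaries on every database query" is a specific coding discipline: the authenticated user's id is bound into the data-access layer and every statement carries it, so no endpoint can be talked into fetching someone else's row by supplying a different id. The example below is added here and is not StratCraft's code; it contrasts a query that trusts the id from the URL (an insecure direct object reference) with a tenant-scoped repository, using an in-memory SQLite table and constructed rows for two users. The table name, column names and sample strategies are assumptions.

```python
import sqlite3


def open_store() -> sqlite3.Connection:
    """In-memory database seeded with constructed rows for two users (illustration only)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE strategies ("
        " id INTEGER PRIMARY KEY, owner_id TEXT NOT NULL, name TEXT NOT NULL, source TEXT NOT NULL)"
    )
    db.executemany(
        "INSERT INTO strategies VALUES (?, ?, ?, ?)",
        [
            (1, "alice", "momentum", "def signal(px): return px.pct_change(20)"),
            (2, "bob", "meanrev", "def signal(px): return -(px - px.rolling(50).mean())"),
        ],
    )
    db.commit()
    return db


def get_strategy_unscoped(db: sqlite3.Connection, strategy_id: int):
    """Before: trusts the id from the request. Any logged-in user can read any
    strategy by guessing ids (an insecure direct object reference)."""
    return db.execute(
        "SELECT id, owner_id, name FROM strategies WHERE id = ?", (strategy_id,)
    ).fetchone()


class TenantScopedStrategies:
    """After: the authenticated user is fixed at construction and every statement
    carries `owner_id = ?`. Nothing here accepts an owner id from request input."""

    def __init__(self, db: sqlite3.Connection, user_id: str):
        self._db = db
        self._user = user_id

    def get(self, strategy_id: int):
        # A row that exists but belongs to someone else comes back as None,
        # indistinguishable from a row that does not exist, so ids cannot be enumerated.
        return self._db.execute(
            "SELECT id, owner_id, name FROM strategies WHERE id = ? AND owner_id = ?",
            (strategy_id, self._user),
        ).fetchone()

    def list_ids(self) -> list[int]:
        rows = self._db.execute(
            "SELECT id FROM strategies WHERE owner_id = ? ORDER BY id", (self._user,)
        )
        return [r[0] for r in rows]

    def update_source(self, strategy_id: int, source: str) -> bool:
        # Writes are scoped the same way: a foreign id matches zero rows and changes nothing.
        cur = self._db.execute(
            "UPDATE strategies SET source = ? WHERE id = ? AND owner_id = ?",
            (source, strategy_id, self._user),
        )
        self._db.commit()
        return cur.rowcount == 1


if __name__ == "__main__":
    db = open_store()
    print("unscoped read of id 2 by anyone:", get_strategy_unscoped(db, 2))
    alice = TenantScopedStrategies(db, "alice")
    print("alice reading id 2:", alice.get(2), "| alice's ids:", alice.list_ids())
```

The repository pattern matters more than any single query: if the only way to touch the table is through an object that already knows who the caller is, a forgotten `owner_id` filter becomes a code-review finding instead of a data leak.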

4. Dependency Management

We regularly audit and update third-party libraries and dependencies to address known vulnerabilities. Automated security scanning is part of our development workflow.

Data Handling & Privacy

1. API Key Security

Third-party API keys you provide (e.g., for LLM providers) are encrypted using AES-256 before storage. Keys are decrypted only at the moment of use, are never logged, and are never displayed in full after initial entry.
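The four properties in this paragraph (and in the FAQ answer on key storage below) each correspond to a concrete coding decision: encrypt with an authenticated mode before the row is written, keep a fresh nonce per encryption, decrypt only inside the code path that makes the outbound call, and persist a masked form for display. The block below is an added example, not StratCraft's code, showing one way to do that with AES-256-GCM from the `cryptography` package; the record-id used as associated data, the in-process master key, the `StoredKey` layout and the sample key string are all assumptions for illustration.

```python
import os
from dataclasses import dataclass

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumption: a 256-bit data-encryption key supplied by a KMS or HSM at startup.
# Generated here only so the example runs offline; never hard-code a real one.
MASTER_KEY = AESGCM.generate_key(bit_length=256)


@dataclass(frozen=True)
class StoredKey:
    """What lands in the database: no plaintext, only the last four characters for display."""
    record_id: str      # e.g. "<user>/<provider>"; also authenticated as AAD
    nonce: bytes        # 96-bit, unique per encryption
    ciphertext: bytes   # AES-256-GCM output with the authentication tag appended
    last4: str


def encrypt_api_key(plaintext: str, record_id: str) -> StoredKey:
    nonce = os.urandom(12)  # fresh random nonce every time; reuse under one key breaks GCM
    # The record id is associated data: a ciphertext copied onto another user's row
    # fails authentication instead of decrypting for them.
    ciphertext = AESGCM(MASTER_KEY).encrypt(nonce, plaintext.encode(), record_id.encode())
    return StoredKey(record_id, nonce, ciphertext, plaintext[-4:])


def display_form(stored: StoredKey) -> str:
    """The only representation shown in the UI or written to logs after initial entry."""
    return "****" + stored.last4


def with_api_key(stored: StoredKey, call):
    """Decrypt just in time, hand the secret to `call`, return its result.

    The plaintext exists only inside this function; callers never receive it,
    and anything worth logging should use display_form(), never the secret.
    """
    secret = AESGCM(MASTER_KEY).decrypt(
        stored.nonce, stored.ciphertext, stored.record_id.encode()
    ).decode()
    try:
        return call(secret)
    finally:
        secret = None  # drop our reference promptly (CPython offers no guaranteed wipe)


def decrypts(stored: StoredKey) -> bool:
    """True if the blob authenticates under its own record id (tamper / mis-filed check)."""
    try:
        with_api_key(stored, lambda _: None)
        return True
    except InvalidTag:
        return False


if __name__ == "__main__":
    # constructed sample key, not a real credential
    stored = encrypt_api_key("sk-example-0123456789abcdef", "user42/llm-provider")
    print("stored as:", display_form(stored), "| decrypts:", decrypts(stored))
```

In a real deployment the master key would never sit in process memory as a module constant; envelope encryption with a KMS-held key and per-record data keys is the usual shape, and the "decrypt only at the moment of use" promise is only as good as the absence of any code path that returns the plaintext to a caller.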

2. Payment Security

All payment processing is handled by Stripe, which is PCI DSS Level 1 certified. We never store, process, or transmit full credit card numbers. Only tokenized references are retained for billing records.

3. Strategy & Algorithm Privacy

Your trading strategies, algorithm source code, factor definitions, and backtest results are private to your account. We do not access, analyze, or share your trading data for any purpose beyond providing the service you requested.

4. AI/LLM Data Processing

When you use AI features, your prompts are sent to LLM providers under data processing agreements that prohibit using your data for model training. We do not store AI conversation logs beyond your active session unless you explicitly save results.

5. Minimal Data Collection

We collect only the data necessary to provide our services. We do not sell, rent, or share your personal data with third parties for marketing purposes. See our Privacy Policy for full details.

Vulnerability Management

1. Security Monitoring

We continuously monitor our systems for suspicious activity, unauthorized access attempts, and anomalous behavior. Automated alerting ensures rapid response to potential security events.

2. Patch Management

Security patches for operating systems, frameworks, and dependencies are applied promptly. Critical vulnerabilities are addressed within 24 hours of disclosure.

3. Responsible Disclosure

If you discover a security vulnerability in our platform, please report it to [email protected]. We take all reports seriously and will investigate promptly. We ask that you not publicly disclose vulnerabilities until we have had an opportunity to address them.

4. Incident Response

We maintain an incident response plan that defines procedures for identification, containment, eradication, and recovery from security incidents. Affected users will be notified promptly in accordance with applicable data breach notification laws.

Tips & Best Practices

Tip Use a strong, unique password for your StratCraft account — do not reuse passwords from other services
Tip Never share your account credentials or third-party API keys with anyone
Tip Log out of your account when using shared or public computers
Tip Keep your browser up to date to benefit from the latest security patches
Tip Review your account activity periodically and report any suspicious behavior
Tip Be cautious of phishing emails — StratCraft will never ask for your password via email

Frequently Asked Questions

How are my API keys stored?
Your API keys are encrypted using AES-256 encryption before being stored in our database. They are decrypted only at the moment of use, are never written to log files, and are never displayed in full after initial entry.
Can other users see my strategies or backtest results?
No. All strategies, algorithm configurations, and backtest results are strictly private to your account. There is no public sharing unless you explicitly choose to share via supported features.
Is my data sent to AI providers secure?
Yes. When you use AI features, data is transmitted over encrypted connections to LLM providers that operate under data processing agreements. These agreements prohibit using your data for model training. We do not store conversation logs beyond your active session.
What happens to my data if I delete my account?
Upon account deletion, your personal data is removed from our active systems within 30 days. Encrypted backups containing your data are purged within 90 days. Some data may be retained longer where required by law.
How do I report a security vulnerability?
Please report security vulnerabilities to [email protected]. We take all reports seriously and will investigate promptly. Please do not publicly disclose vulnerabilities before we have addressed them.
Is my connection to StratCraft encrypted?
Yes. All connections use TLS 1.2 or higher encryption, including web browsing, API calls, and WebSocket connections for real-time data streaming. We enforce HSTS to prevent downgrade attacks.

Important Notes

Warning While we implement industry-standard security measures to protect your data, no system is completely immune to all threats. We continuously monitor and improve our security posture. Users are responsible for maintaining the security of their own accounts, credentials, and API keys.
Brand clarification
StratCraft (formerly QuantNexus) at stratcraft.ai — not quantnexus.ai (a different company).