Security
Last updated: April 2026 · Questions: legal@finacks.ai
Finacks holds brokerage API credentials on your behalf. Here is exactly how we protect them — and everything else.
Data Classification and Handling
We classify data into three tiers:
Tier 1 — Highly Sensitive Your brokerage API key and secret. These are encrypted with Fernet (AES-128-CBC with an HMAC-SHA256 authentication tag) before they touch our database, decrypted in memory only at trade execution time, and deleted immediately when you close your account.
Tier 2 — Personal Data Your email address, trade history, AI decision logs, and account equity records. Stored in a private database not accessible from the internet, subject to GDPR data subject rights.
Tier 3 — Operational Cached public market data (OHLCV, SPY, VIX) with 5-minute TTLs in Redis. No user identifiers, no special handling required.
Your data is never sold, shared with third parties for marketing, or used for any purpose outside the Service.
Access Control and Privileged Access Management
- Email + password authentication (bcrypt-hashed, 8-character minimum)
- Email verification required before trading is enabled
- Optional two-factor authentication (TOTP) — strongly recommended
- CSRF protection on all forms
- Rate limiting on login routes to block brute-force attacks
- Password reset links expire after 1 hour and are single-use
Admin access: The admin panel requires a database-level flag — there is no self-service admin path. Production server access is SSH key-only (Ed25519); password authentication and root login are both disabled. No shared accounts exist on any production system.
Least privilege: Each service component has only the database permissions it requires. No contractors or third parties have access to production systems at this time.
Encryption of Data at Rest and in Transit
In Transit
All traffic is HTTPS (TLS 1.2+), enforced by Caddy with auto-renewing Let's Encrypt certificates. HTTP is redirected to HTTPS — no plaintext traffic is ever served. All outbound API calls (Anthropic, Alpaca, Stripe) use HTTPS.
At Rest
| Data | Encryption |
|---|---|
| Brokerage API credentials | Fernet (AES-128-CBC + HMAC-SHA256, authenticated encryption) before storage in PostgreSQL |
| User passwords | bcrypt — plaintext never stored |
| Encryption key | Environment variable only, excluded from version control |
| PostgreSQL data files | Encrypted disk volume (Hetzner Cloud) |
| Redis cache | Transient market data only — no credentials or personal data |
| Database backups | Same encryption as the primary volume |
The Fernet key is 32 securely generated random bytes (16 bytes for the HMAC-SHA256 signing key and 16 bytes for the AES-128 key), urlsafe base64-encoded and stored only as a server environment variable, never in source code or the database.
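As an added illustration of the Tier 1 handling described above (example code, not Finacks's own implementation), the sketch below shows a Fernet envelope around brokerage credentials: the key is read from an environment variable and validated before use, ciphertext is all that reaches the database, plaintext exists only as locals inside an execution callback, and a token altered in storage or opened with the wrong key fails Fernet's HMAC check. It requires the `cryptography` package; the variable name `BROKER_CREDENTIAL_KEY`, the class and function names, and the in-memory dict standing in for PostgreSQL are illustrative assumptions.

```python
"""Fernet envelope for brokerage credentials: key from the environment,
ciphertext only at rest, plaintext only inside an execution callback.

Added example (not Finacks code). Requires `pip install cryptography`.
CREDENTIAL_KEY_ENV, BrokerCredentialStore and the dict standing in for
PostgreSQL are illustrative names, not the Service's own.
"""
import base64
import binascii
import os
from dataclasses import dataclass
from typing import Callable, Dict, Mapping

from cryptography.fernet import Fernet, InvalidToken

# Hypothetical environment variable name; the value is the urlsafe-base64
# encoding of 32 random bytes (44 characters), which is what Fernet.generate_key() emits.
CREDENTIAL_KEY_ENV = "BROKER_CREDENTIAL_KEY"


def generate_key_for_env() -> str:
    """One-off key generation for the deployer: copy the output into the
    secret store, never into the repository."""
    return Fernet.generate_key().decode()


def load_key(env: Mapping[str, str] = os.environ) -> Fernet:
    """Build the cipher from the environment and fail closed: no default key,
    no silently accepted short key."""
    raw = env.get(CREDENTIAL_KEY_ENV)
    if not raw:
        raise RuntimeError(f"{CREDENTIAL_KEY_ENV} is not set")
    try:
        key = base64.urlsafe_b64decode(raw)
    except binascii.Error as exc:
        raise RuntimeError("credential key is not valid urlsafe base64") from exc
    # Fernet splits the 32 bytes into a 16-byte HMAC-SHA256 key and a 16-byte AES-128 key.
    if len(key) != 32:
        raise RuntimeError("credential key must decode to exactly 32 bytes")
    return Fernet(raw)


@dataclass
class StoredCredential:
    """The only form in which credentials reach the database."""
    user_id: int
    api_key_token: bytes
    api_secret_token: bytes


class BrokerCredentialStore:
    def __init__(self, cipher: Fernet) -> None:
        self._cipher = cipher
        self._rows: Dict[int, StoredCredential] = {}  # stand-in for a PostgreSQL table

    def save(self, user_id: int, api_key: str, api_secret: str) -> None:
        """Encrypt before the write; each token carries its own random IV."""
        self._rows[user_id] = StoredCredential(
            user_id,
            self._cipher.encrypt(api_key.encode()),
            self._cipher.encrypt(api_secret.encode()),
        )

    def with_credentials(self, user_id: int, action: Callable[[str, str], object]):
        """Decrypt for the duration of `action` only. Plaintext lives in this
        frame's locals and is never written back or logged."""
        row = self._rows[user_id]
        api_key = self._cipher.decrypt(row.api_key_token).decode()
        api_secret = self._cipher.decrypt(row.api_secret_token).decode()
        return action(api_key, api_secret)

    def delete(self, user_id: int) -> None:
        """Account closure: drop the row outright; no soft delete for Tier 1 data."""
        self._rows.pop(user_id, None)

    def has(self, user_id: int) -> bool:
        return user_id in self._rows

    def stored_secret_token(self, user_id: int) -> bytes:
        return self._rows[user_id].api_secret_token


def corrupt_one_char(token: bytes) -> bytes:
    """Alter one character in the ciphertext region of a token, standing in for
    tampering with or corruption of the stored row."""
    i = len(token) // 2
    replacement = b"A" if token[i:i + 1] != b"A" else b"B"
    return token[:i] + replacement + token[i + 1:]


def is_rejected(cipher: Fernet, token: bytes) -> bool:
    """True when Fernet's HMAC check refuses the token (altered, or wrong key)."""
    try:
        cipher.decrypt(token)
    except InvalidToken:
        return True
    return False


if __name__ == "__main__":
    demo_env = {CREDENTIAL_KEY_ENV: generate_key_for_env()}  # constructed for the demo
    store = BrokerCredentialStore(load_key(demo_env))
    store.save(1, "AK-DEMO", "demo-secret")                   # constructed values
    print(store.with_credentials(1, lambda k, s: f"would trade with key {k[:3]}..."))
    token = store.stored_secret_token(1)
    print("tampered token rejected:", is_rejected(load_key(demo_env), corrupt_one_char(token)))
```

The point of `with_credentials` is that no code path returns the decrypted strings to a caller that might persist or log them; the broker call happens inside the callback and only its result leaves the function. Because Fernet authenticates before decrypting, a row that has been edited in the database is refused rather than decrypted into garbage and sent to the broker.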
Vulnerability Management and Patch Management
- Python dependencies are pinned and updated regularly, prioritising packages with known CVEs
- Docker base image rebuilt and redeployed monthly for OS-level patches
- The production server receives unattended security updates automatically
- All database access goes through the SQLAlchemy ORM, which emits parameterised queries; no SQL is assembled from user input by string concatenation
- Jinja2 auto-escaping is enabled for all templates to prevent reflected and stored XSS
- Webhook payloads are validated with `hmac.compare_digest` (timing-attack safe)
- No unauthenticated endpoint can affect user data or initiate trades
- OWASP Top 10 used as a reference checklist during code review
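As an added example that is not code from this page (Finacks does not publish its webhook handler), here is the pattern the webhook bullet above refers to, using only the standard library: the sender binds a timestamp to the body under HMAC-SHA256, and the receiver recomputes the MAC, compares it with `hmac.compare_digest`, and rejects stale deliveries. The header layout (`t=<unix seconds>,v1=<hex>` over `"<ts>.<body>"`) follows the scheme Stripe documents; that the Service's own webhooks use it is an assumption, and the secret, payload and 300-second tolerance are constructed for the demonstration.

```python
"""Webhook signature check with a constant-time comparison.

Added example, not Finacks's handler. Header layout t=<unix seconds>,v1=<hex>
over "<ts>.<body>" follows the scheme Stripe documents; that the Service's own
webhooks look like this is an assumption. Secret, payload and tolerance are
constructed for the demonstration.
"""
import hashlib
import hmac
import time
from typing import List, Optional, Tuple

TOLERANCE_SECONDS = 300  # assumed replay window; tune to expected delivery latency


def _mac(secret: bytes, timestamp: int, body: bytes) -> str:
    # Binding the timestamp into the MAC input means a captured delivery
    # cannot simply be re-stamped to slip past the freshness check.
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def sign(secret: bytes, body: bytes, timestamp: int) -> str:
    """Sender side: produce the signature header for one delivery."""
    return f"t={timestamp},v1={_mac(secret, timestamp, body)}"


def _parse(header: str) -> Tuple[int, List[str]]:
    ts: Optional[int] = None
    sigs: List[str] = []
    for part in header.split(","):
        k, _, v = part.partition("=")
        if k == "t":
            ts = int(v)          # raises ValueError on non-numeric input
        elif k == "v1":
            sigs.append(v)       # several v1 values may appear during secret rotation
    if ts is None or not sigs:
        raise ValueError("malformed signature header")
    return ts, sigs


def verify(secret: bytes, body: bytes, header: str, now: Optional[int] = None) -> bool:
    """Receiver side. Any defect in attacker-controlled input yields False, never an exception."""
    try:
        ts, sigs = _parse(header)
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False                     # stale or replayed delivery
    expected = _mac(secret, ts, body).encode()
    # compare_digest takes the same time whatever the first differing byte is.
    # A plain `expected == sig` returns at the first mismatch, which lets an
    # attacker refine a forged MAC byte by byte from response timing.
    return any(hmac.compare_digest(expected, sig.encode()) for sig in sigs)


if __name__ == "__main__":
    secret = b"whsec_constructed_demo_secret"                  # constructed, not a real secret
    body = b'{"type":"invoice.paid","id":"evt_demo"}'         # constructed payload
    header = sign(secret, body, int(time.time()))
    print("genuine:", verify(secret, body, header))
    print("tampered body:", verify(secret, body + b" ", header))
```

Verify over the raw request bytes, not over a re-serialised JSON object, since any whitespace or key-order difference changes the MAC. The timestamp is read from the header and fed back into the MAC computation, so an attacker who changes it to pass the freshness check invalidates the signature at the same time.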
Incident Response and Disaster Recovery
Response procedure
If we detect or are notified of a security incident:
- Contain — disable the affected account or revoke credentials from the broker side immediately
- Assess — determine root cause and whether personal data was exposed
- Notify — the supervisory authority within 72 hours of becoming aware of a personal data breach (GDPR Art. 33), and affected users without undue delay where the breach is likely to put their rights and freedoms at high risk (Art. 34)
- Remediate — patch the vulnerability, rotate any affected secrets, redeploy
- Document — record timeline, impact, and remediation steps
To report a security issue: legal@finacks.ai
Recovery
- PostgreSQL backups run daily and are retained for 30 days, stored separately from the primary server
- Full redeployment from source + backup takes under 2 hours
- Redis cache is treated as transient — loss causes a cache miss on the next 15-minute cycle, not data loss
Physical Security
Finacks has no physical office or on-premises servers. All infrastructure runs on Hetzner Cloud virtual servers in Frankfurt, Germany (EU), which maintains ISO 27001 certification, 24/7 guarded access, CCTV, and biometric access controls.
Developer workstations are protected by full-disk encryption (FileVault/BitLocker), screen lock, and SSH keys protected by passphrase.
Vendor Risk Management
All third-party processors are evaluated for security posture before onboarding and governed by Data Processing Agreements.
| Vendor | Purpose | Location | Certifications |
|---|---|---|---|
| Hetzner Cloud | Server hosting | Germany (EU) | ISO 27001 |
| Anthropic | AI inference (Claude) | USA | SOC 2 Type II |
| Stripe Payments Europe | Billing | EU | PCI DSS Level 1, SOC 2 |
| Alpaca Markets | Brokerage API | USA | SOC 2 |
| Resend | Transactional email | USA | SOC 2 |
Anthropic receives only market data and your configured watchlist — never your account credentials or personal identifiers. API keys for all third-party services are rotated at least annually.
Questions
Phoinix PaymentSolutions B.V. Email: legal@finacks.ai