Security
Security Posture
How AlgoTradingAI handles your credentials, data, and platform access. Transparency about security is a core part of our trust commitment.
Security Controls
Credential Storage
Broker API keys and secrets are encrypted at rest using server-side encryption. Plaintext credentials are never stored in the database, logs, or application state.
OAuth-Based Broker Tokens
Zerodha access tokens are obtained via an OAuth 2.0 flow initiated by the user. Tokens are short-lived (daily expiry) and can be revoked by the user at any time from the Zerodha developer console.
No Fund Custody
AlgoTradingAI does not hold, manage, or have access to your trading funds or securities. Your broker account remains fully under your control.
Admin Broker Proxy Isolation
Users without a broker connection receive market data through an admin proxy. This proxy has strict operation whitelisting (candles, quotes, instruments only). Admin credentials are never exposed to end users. A middleware layer redacts any admin key values from all API responses.
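The two controls described above (an operation allow-list in front of the admin broker client, and a redaction layer that strips admin key values from the reply) are illustrated by the following example. It is added here for explanation and is not AlgoTradingAI's own code; the function names, the fake broker client and the constructed secret values are assumptions.

```python
# Added illustration of the admin-proxy pattern: whitelisted operations plus a
# redaction layer. Names, sample secrets and the fake broker client are
# constructed for this example; none of it is the platform's own code.
from typing import Any, Callable

ALLOWED_OPERATIONS = frozenset({"candles", "quotes", "instruments"})

# Constructed placeholder credentials (never real values).
ADMIN_SECRETS = {"api_key": "admkey_CONSTRUCTED", "access_token": "admtok_CONSTRUCTED"}


class ProxyOperationError(PermissionError):
    """Raised when a caller asks the admin proxy for a non-whitelisted operation."""


def fake_broker_call(operation: str, params: dict) -> dict:
    # Stand-in for the admin's broker client. It deliberately leaks the admin
    # credentials into a debug field so the redaction layer has something to catch.
    return {
        "operation": operation,
        "data": [{"symbol": params.get("symbol", "?"), "last_price": 100.5}],
        "debug": {
            "api_key": ADMIN_SECRETS["api_key"],
            "token": "Bearer " + ADMIN_SECRETS["access_token"],
        },
    }


def redact(value: Any, secrets: tuple) -> Any:
    """Recursively replace every secret substring found in strings inside dicts/lists."""
    if isinstance(value, str):
        for secret in secrets:
            if secret and secret in value:
                value = value.replace(secret, "[REDACTED]")
        return value
    if isinstance(value, dict):
        return {k: redact(v, secrets) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [redact(v, secrets) for v in value]
    return value


def admin_proxy(operation: str, params: dict,
                broker_call: Callable[[str, dict], dict] = fake_broker_call) -> dict:
    """Enforce the allow-list first, then strip admin secret values from the reply."""
    if operation not in ALLOWED_OPERATIONS:
        raise ProxyOperationError(f"operation {operation!r} is not permitted via the admin proxy")
    response = broker_call(operation, params)
    return redact(response, tuple(ADMIN_SECRETS.values()))
```

Redaction is a last line of defence; the allow-list is what keeps non-read-only operations (such as order placement) from reaching the admin session in the first place.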
JWT Authentication
User sessions are managed with JWT access tokens and refresh tokens. Access tokens have configurable short expiry. Refresh tokens enable seamless re-authentication without re-entering credentials.
Role-Based Access Control
Admin and regular user roles are separated. Admin operations (broker proxy, plan management) require admin-level authentication. Regular users cannot access admin endpoints.
Rate Limiting
All API endpoints implement rate limiting. Public endpoints: 30 requests per 60 seconds per IP. Authenticated endpoints: per-user limits based on subscription tier.
Input Validation
All API inputs are validated using Pydantic schemas. SQL queries use parameterized statements. User-provided data is sanitized before storage.
HTTPS Only
All communication between client and server is encrypted via TLS. API endpoints are served over HTTPS in production.
Audit Logging
Advisory decisions are stored with full audit trails including analysis scores, news sources, sentiment analysis, and AI prompts. All broker operations are logged with timestamps.
User Security Checklist
Recommended steps to keep your account and broker integration secure.
Use a strong, unique password for your AlgoTradingAI account.
Enable 2FA on your Zerodha account.
Do not share your KiteConnect API key or secret with anyone.
Regularly review authorized apps in your Zerodha developer console.
Revoke AlgoTradingAI access if you no longer use the platform.
Use a separate KiteConnect app for AlgoTradingAI (do not reuse keys from other services).
Security FAQ
Can AlgoTradingAI access my Zerodha funds?
No. The KiteConnect API permissions used by AlgoTradingAI are limited to market data and instrument metadata. Stage 1 does not include order placement capabilities.
What happens if there is a security incident?
We will notify affected users via email within 72 hours of discovery, disclose the scope of the incident, and provide remediation steps. Incidents will also be posted on the Status page.
How do I report a security vulnerability?
Email security@algotradingai.com with details. We take all reports seriously and will respond within 48 hours.
Is 2FA supported for AlgoTradingAI accounts?
2FA for AlgoTradingAI accounts is planned for a future release. We recommend enabling 2FA on your Zerodha account for an additional layer of security on broker operations.