Security & Compliance

Bank-grade encryption, immutable audit trails, and strict data isolation. Your data never leaves our trusted infrastructure.

Encryption at Rest

All customer data encrypted using AES-256 on Google Cloud Platform's default infrastructure. Database files use SQLite encryption at the file-system level.

  • AES-256 encryption for all stored data
  • GCP server-side encryption (default)
  • Encrypted SQLite databases per tenant
  • Automated key rotation
Encryption in Transit

All network traffic between clients and our platform is encrypted using TLS 1.3. API communications use mutual TLS where supported.

  • TLS 1.3 for all HTTP traffic
  • End-to-end encrypted API calls
  • Certificate pinning for production deployments
  • HSTS preload for all subdomains
Immutable Audit Trail

Every action across the platform is logged to a SHA-256 hash-chained audit log. Tampering is immediately detectable via cryptographic verification.

  • SHA-256 hash chain linking every entry
  • Tamper verification endpoint (GET /audit/verify)
  • All admin, trade, and config actions logged
  • Retained for 7 years (regulatory compliance)
Data Isolation (Multi-Tenant)

Each tenant's data is fully isolated at the database level. No cross-tenant data access is possible, even in the event of a breach.

  • Per-tenant SQLite databases
  • Tenant-scoped API keys (apt_ prefix)
  • Row-level security enforced in application layer
  • Separate encryption keys per tenant
Infrastructure Security

Our servers run on Google Cloud Platform with strict firewall rules, regular security patching, and 24/7 monitoring.

  • GCP VPC with private networking
  • Firewall rules: port 8080 only (execution API)
  • Automated security patching (weekly)
  • 24/7 uptime monitoring via Better Uptime
Compliance & Certifications

We design our platform to meet the security requirements of financial institutions. Third-party audits are planned for SOC 2 compliance.

  • SEBI-compliant audit trails (India)
  • GDPR-ready: data deletion & consent logs (Q3 2026)
  • SOC 2 Type I audit (planned Q4 2026)
  • No third-party data sharing ever

For detailed security documentation, penetration testing reports, or to request a SOC 2 report, contact security@algopilot.com