Security

Your API keys stay protected

RelayDesk was built by traders who know exactly what it feels like to hand over API keys. Here is how we keep them safe and why your funds never leave your broker.

Controls

Defense in depth

Multiple layers of encryption, isolation, and monitoring protect every credential and trade.

AES-256 Encryption

Every credential you store is encrypted using AES-256 with unique salts per user. Encryption keys live in a separate, isolated service.

  • Your credentials are encrypted at rest and in transit
  • Secrets never touch application logs
  • Independent key rotation schedule

No Access to Funds

RelayDesk only submits orders via broker APIs. Your capital never moves through our infrastructure.

  • Trading permissions only, no withdrawals
  • Orders settle directly at your broker
  • Broker security and SIPC coverage protect balances

Secure Session Management

HttpOnly cookies, SameSite settings, and managed session expiry keep your account locked down.

  • 7-day session expiration
  • PostgreSQL-backed session storage
  • Automated invalidation on logout or password reset

Firebase Authentication

Authentication runs on Google Firebase with enforced password requirements and email verification.

  • Google OAuth + email/password
  • Token-based auth with automatic expiration
  • Email verification required for access

Per-User Data Isolation

Strict data-layer guards keep every strategy, bot, and fill scoped to a single account.

  • User scoping at the DB level
  • Foreign keys enforce referential integrity
  • No cross-account queries

TLS 1.3 Everywhere

Traffic between your browser, RelayDesk, and our APIs is encrypted end-to-end.

  • HTTPS enforced across the stack
  • Automatic certificate rotation
  • Secure cookie transmission only

Extra safeguards

Security practices we live by

Security is a habit, not a one-off project. These are the policies that guide our daily operations.

  • API keys are never logged or shown again after entry
  • Webhook endpoints validate signatures to block spoofed traffic
  • Real-time monitoring uses read-only permissions
  • Encrypted backups with automated rotation
  • Frequent dependency updates and security scans

Broker relationship

Your funds stay with your broker

RelayDesk is automation software, not a broker-dealer. We never hold or move your capital. Your broker custodies every position with FINRA/SIPC oversight.

What RelayDesk can do

Submit and manage trades using the trading permissions you grant via your broker API keys.

What RelayDesk cannot do

Withdraw cash, transfer positions, or access your broker login. All custody and regulatory coverage remains with your broker.

Roadmap

Security projects in flight

We ship new controls continuously. These initiatives land next.

SOC 2 Type II Certification

Formal third-party security controls assessment covering availability, confidentiality, and integrity. Currently in progress.

Two-Factor Authentication

TOTP-based 2FA rollout for all plans, with recovery codes and enforcement options.

Audit Logging

User-facing log of logins, API key changes, and bot modifications for full traceability.

Need details?

Ask anything about our security posture

We are transparent about how RelayDesk works. Reach out if you need a walkthrough before connecting credentials.