Back to site

Security & Privacy

Public notes on what Tickory protects, what the product does not access, and how to verify the service before you use it.

Security Commitment

Tickory protects account access, keeps alert-routing boundaries explicit, and does not connect to your exchange accounts or place trades on your behalf.

Encryption in Transit

Tickory serves the product over HTTPS/TLS so account traffic, form submits, and alert routing setup are encrypted in transit.

Server-Side Storage

Passwords are stored as hashes. Scan definitions, alert settings, and delivery history stay server-side so Tickory can run scans for you and show what happened after an alert fires.

Authentication

Account access uses backend-issued JWT access tokens plus refresh tokens. The product also exposes dedicated security and support contacts when you need human verification.

Product Boundaries

Tickory is a monitoring and alerting product. It does not place trades, hold custody, or ask you to connect exchange accounts. That keeps the risk boundary narrower and easier to inspect.

Application Security

  • • Rate limiting on all endpoints
  • • Input validation and sanitization
  • • Tenant-aware access checks in the application
  • • Server-side alert delivery logs and proof trails
  • • Security headers and hardened request handling

Public Verification

  • • Public FAQ that explains who operates Tickory and what the product does
  • • Public privacy policy and terms linked from the landing experience
  • • Security contact at [email protected]
  • • Support contact at [email protected]

What You Can Verify Today

  1. Read the About page for product scope and operating boundaries
  2. Review the FAQ for legitimacy and verification questions
  3. Open the Privacy Policy and Terms of Service before using live alerts
  4. Create a test scan or alert source and inspect the proof trail end to end

What We Do Not Store Or Access

  • ✅ We DO NOT store exchange API keys
  • ✅ We DO NOT connect to your exchange accounts
  • ✅ We DO NOT place trades on your behalf
  • ✅ We DO NOT have access to your funds

What We Do Store

  • Account email (password stored as a hash)
  • Scan configurations and alert settings
  • Scan execution history
  • Alert delivery history
  • Usage metrics

Security Best Practices for Users

  1. Use a strong, unique password - Tickory requires letters and numbers, and longer passwords are safer
  2. Do not share credentials - Each user should have their own account
  3. Review alert settings regularly - Make sure destinations and webhook endpoints still match your intent
  4. Use webhook secrets - Validate webhook signatures in your integrations

Incident Response

In the event of a security incident, we will:

  1. Immediately investigate and contain the issue
  2. Assess affected users, systems, and delivery channels
  3. Notify affected users when required and once the facts are verified
  4. Implement preventive follow-up work

Reporting Security Issues

Security Contact

If you discover a security vulnerability, please report it to:

Email: [email protected]

Please do not publicly disclose security issues until we have had a chance to address them.

Questions about security?

Contact our security team at [email protected]