Back to site

Security & Privacy

Enterprise-grade security practices protecting your data and privacy

Security Commitment

Tickory implements industry-standard security practices to protect your data. We never access your exchange accounts and your scan strategies remain private.

Encryption in Transit

All data transmitted between your browser and our servers is encrypted using TLS 1.3 (HTTPS). We enforce strict transport security and use modern cipher suites.

Encryption at Rest

Database encryption using AES-256. All sensitive data including passwords are hashed using bcrypt with per-user salts. API keys and tokens are encrypted.

Authentication

JWT-based authentication with short-lived access tokens (2 hours) and refresh tokens (48 hours). Automatic token rotation and secure session management.

Infrastructure Security

SOC 2 compliant infrastructure. Regular security audits, penetration testing, and vulnerability assessments. Isolated environments and principle of least privilege.

Application Security

  • • Rate limiting on all endpoints
  • • Input validation and sanitization
  • • CSRF protection
  • • XSS prevention
  • • SQL injection prevention (parameterized queries)
  • • Security headers (CSP, HSTS, X-Frame-Options)

Privacy & Data Access

  • • We never access your exchange accounts
  • • Your scan strategies remain private
  • • No sharing of user data with third parties
  • • GDPR compliant data handling
  • • Right to data deletion

What We Do Not Store

  • ✅ We DO NOT store exchange API keys
  • ✅ We DO NOT connect to your exchange accounts
  • ✅ We DO NOT place trades on your behalf
  • ✅ We DO NOT have access to your funds

What We Do Store

  • Account email (hashed password)
  • Scan configurations (encrypted)
  • Alert settings
  • Scan execution history
  • Usage metrics

Security Best Practices for Users

  1. Use a strong password - Minimum 12 characters with mixed case, numbers, and symbols
  2. Enable 2FA - Coming soon (roadmap Q2 2026)
  3. Do not share credentials - Each user should have their own account
  4. Review activity logs - Check for unauthorized access regularly
  5. Use webhook secrets - Validate webhook signatures in your integrations

Incident Response

In the event of a security incident, we will:

  1. Immediately investigate and contain the issue
  2. Notify affected users within 72 hours
  3. Provide detailed incident report
  4. Implement preventive measures

Reporting Security Issues

Security Contact

If you discover a security vulnerability, please report it to:

Email: [email protected]

Please do not publicly disclose security issues until we have had a chance to address them.

Compliance

  • GDPR - Full compliance with EU data protection regulations
  • SOC 2 - Infrastructure meets SOC 2 Type II standards
  • PCI DSS - Payment processing through PCI-compliant Paddle

Questions about security?

Contact our security team at [email protected]