Security

Security at the layer that matters

Argon2id hashing, authenticated field encryption, hardware passkeys, and audited access. The technical foundation behind your financial data.

15 min: access token expiry, with refresh rotation
SSH key only: operator server access; password logins disabled
18+: audit-logged security event types
72 h / 14 d / 30 d / 90 d: patch SLAs for critical, high, medium and low findings

Encryption at every layer

From password storage to data at rest, Convexity uses modern cryptographic primitives. No legacy algorithms, no compromises.

Argon2id password hashing

Memory-hard hashing, the OWASP-recommended choice, configured with time_cost=3 and memory_cost=64 MiB (above the OWASP minimum of 19 MiB and two iterations). The memory requirement is what makes GPU and ASIC brute-force expensive.

Authenticated field encryption

Sensitive database fields encrypted with Fernet (AES-128-CBC + HMAC-SHA256). Per-deployment key derived from server-side secret. Future upgrade to AES-256-GCM is on the roadmap.

TLS encryption in transit

All API and WebSocket connections encrypted with TLS. HSTS headers enforced across all domains. HTTP permanently redirected.

JWT refresh token rotation

Short-lived access tokens (15-minute expiry) with database-backed refresh tokens. Automatic rotation on each refresh. Replay detection revokes the entire token family.

Rate limiting

Tiered rate limiting on all API endpoints. Auth routes throttled at 5 requests per 5 minutes. Global API limit of 120 requests per minute per IP. AI routes capped at 30 per minute.

Automatic hash upgrade

Legacy bcrypt password hashes are transparently migrated to Argon2id on the next successful login, the only point at which the plaintext is available to rehash. No user action required.
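Worked example of the hashing and upgrade path described above (the Argon2id parameters and the automatic hash upgrade). This is added illustration, not Convexity's own code: it uses the argon2-cffi PasswordHasher with the page's time_cost and memory_cost, assumes parallelism=4 (the library default; the page does not state it), and assumes legacy rows carry the standard $2a$/$2b$/$2y$ bcrypt prefix.

```python
# Added example (not Convexity's code): Argon2id hashing with transparent
# rehash on login, covering both under-parameterised Argon2 hashes and
# legacy bcrypt hashes. Requires argon2-cffi; bcrypt only for legacy rows.
from __future__ import annotations

from argon2 import PasswordHasher, exceptions as argon2_exc

# time_cost and memory_cost as stated on the page (64 MiB = 65536 KiB).
# parallelism=4 is an assumption (argon2-cffi's default), not a page claim.
HASHER = PasswordHasher(time_cost=3, memory_cost=64 * 1024, parallelism=4)

# Stand-in for hashes produced by an older, weaker configuration; used only
# to show the "parameters too low" upgrade path.
OLD_HASHER = PasswordHasher(time_cost=1, memory_cost=8 * 1024, parallelism=1)

BCRYPT_PREFIXES = ("$2a$", "$2b$", "$2y$")


def hash_password(password: str) -> str:
    """Hash a new or changed password with the current parameters."""
    return HASHER.hash(password)


def _verify_legacy_bcrypt(stored: str, password: str) -> bool:
    # Imported lazily: once every row has been migrated the dependency can go.
    import bcrypt
    return bcrypt.checkpw(password.encode("utf-8"), stored.encode("utf-8"))


def verify_and_upgrade(stored: str, password: str) -> tuple[bool, str | None]:
    """Check `password` against `stored`.

    Returns (ok, new_hash). When new_hash is not None the caller must write
    it back to the user row; login is the only moment the plaintext is
    available, so it is the only moment a legacy hash can be replaced.
    """
    if stored.startswith(BCRYPT_PREFIXES):
        if not _verify_legacy_bcrypt(stored, password):
            return False, None
        return True, HASHER.hash(password)

    try:
        HASHER.verify(stored, password)
    except (argon2_exc.VerificationError, ValueError):
        # Wrong password (VerifyMismatchError) and a corrupt or foreign hash
        # string (InvalidHash, a ValueError) are both a plain failure; do not
        # tell the client which one it was.
        return False, None

    # Also upgrades Argon2 hashes made under weaker parameters, so the same
    # branch handles a future parameter bump.
    if HASHER.check_needs_rehash(stored):
        return True, HASHER.hash(password)
    return True, None
```

The caller persists the returned hash in the same transaction that records the successful login; an exception between verification and the write simply leaves the old hash in place to be retried next time.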

Authentication

Layered identity verification

Three independent authentication layers plus Google SSO. Each layer adds protection without adding friction.

Layer 1

Password + Argon2id

Memory-hard hashing with OWASP-recommended parameters. Automatic upgrade from legacy bcrypt on login.

Layer 2

TOTP multi-factor

Time-based one-time passwords via pyotp. Works with Google Authenticator, Authy, 1Password, or any TOTP app.
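The mechanism behind this layer, written against the standard library so the arithmetic is visible. This is an added example, not Convexity's code (the product uses pyotp). The one-step clock skew and the last-used-counter replay check are assumptions about how a verifier should behave, not page claims; the test key is the RFC 4226/6238 reference key.

```python
# Added example (not Convexity's code, which uses pyotp): RFC 4226/6238
# HOTP/TOTP from the standard library, plus a verifier that tolerates one
# step of clock skew and refuses to accept any counter value twice.
from __future__ import annotations

import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp_at(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(T / step)."""
    return hotp(secret, int(unix_time) // step, digits)


def secret_from_base32(b32: str) -> bytes:
    """Decode the base32 secret shown in the otpauth:// QR code (padding optional)."""
    b32 = b32.strip().replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


class TotpVerifier:
    """Verify a submitted code against a shared secret.

    `last_counter` is the highest counter the account has already consumed
    (persist it per user). A code is accepted only if its counter is newer
    than that, which closes the replay window even within the same 30 s step.
    """

    def __init__(self, step: int = 30, skew: int = 1, digits: int = 6):
        self.step, self.skew, self.digits = step, skew, digits

    def verify(self, secret: bytes, code: str, unix_time: float,
               last_counter: int = -1) -> int | None:
        """Return the accepted counter (store it as the new last_counter) or None."""
        if not (code.isdigit() and len(code) == self.digits):
            return None
        now_counter = int(unix_time) // self.step
        for c in range(now_counter - self.skew, now_counter + self.skew + 1):
            if c <= last_counter:
                continue          # already used, or older than something used
            if hmac.compare_digest(hotp(secret, c, self.digits), code):
                return c
        return None
```

Persisting the accepted counter is the part most home-grown TOTP checks skip; without it an attacker who shoulder-surfs or phishes a code can replay it for the rest of the step (and, with skew, the step after).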

Layer 3

WebAuthn passkeys

Phishing-resistant FIDO2 authentication using hardware security keys or platform biometrics. Passwordless capable.

+ SSO

Google OAuth 2.0

One-click sign-in with automatic account linking, token exchange, and profile sync via Authlib.

Session management

Database-backed sessions with automatic expiry. Revoke individual sessions or all active sessions from any device.

Audit logs

Append-only JSONL audit trail covering 18+ security event types: logins, MFA changes, password resets, session revocations, and account modifications.

Privacy

Your data, your control

Sensitive fields in our database are encrypted with Fernet (AES-128-CBC + HMAC-SHA256) using a per-deployment key. Encryption and decryption happen server-side. We never sell, share, or monetize your financial data.

Encryption at rest
Sensitive database fields (TOTP secrets, linked account tokens) are encrypted using Fernet symmetric encryption. Decryption requires the server-side deployment key.
No data selling
We never sell, share, or monetize your financial data. Your portfolio, watchlists, and analysis belong to you.
Data export
Export all your data at any time via the account settings API. GDPR Article 20 data portability endpoint returns your complete profile, portfolio, watchlists, and notes.
Account deletion
Full GDPR Article 17 erasure support. Request account deletion and all associated data is permanently removed, including audit logs, sessions, and encrypted fields.
Error tracking
Sentry is used for error monitoring and performance tracing. No marketing analytics, behavioral profiling, or tracking pixels. PII is excluded from error reports.
Infrastructure
All traffic reverse-proxied behind Nginx. API keys stored as server-side environment variables, never in client code. SQL queries parameterized via SQLAlchemy ORM.
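A worked version of the field encryption described under "Authenticated field encryption" and "Encryption at rest": a Fernet key derived from the server-side secret, per-column encrypt and decrypt, and the behaviour on tampering and key rotation. This is an added example, not Convexity's code; the HKDF derivation, the info string, the FieldCipher wrapper and the demo secret are assumptions. It also shows why this is not zero-knowledge: whoever holds the server secret can derive the key.

```python
# Added example (not Convexity's code): Fernet field encryption with a key
# derived from the server-side secret. The HKDF derivation, the info
# string and the FieldCipher wrapper are assumptions; the secret below is
# a constructed demo value.
from __future__ import annotations

import base64

from cryptography.fernet import Fernet, InvalidToken, MultiFernet
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

DEMO_SERVER_SECRET = b"constructed-demo-secret-replace-in-deployment"


def derive_field_key(server_secret: bytes, deployment_id: str, version: int = 1) -> bytes:
    """HKDF-SHA256 from the server secret to a 32-byte Fernet key (base64url).

    Binding deployment_id and a version into `info` gives each deployment its
    own key and makes rotation a matter of bumping the version.
    """
    info = f"convexity/field-encryption/{deployment_id}/v{version}".encode()
    raw = HKDF(algorithm=hashes.SHA256(), length=32, salt=None, info=info).derive(server_secret)
    return base64.urlsafe_b64encode(raw)


class FieldCipher:
    """Encrypt/decrypt one column value.

    Fernet = AES-128-CBC + HMAC-SHA256 (encrypt-then-MAC) with a random IV
    per call, so equal plaintexts give different ciphertexts and any bit flip
    is rejected before decryption. Keys are tried newest-first, which lets a
    rotated-in key decrypt rows written under the previous one.
    """

    def __init__(self, keys: list[bytes]):
        self._mf = MultiFernet([Fernet(k) for k in keys])

    def encrypt(self, plaintext: str) -> str:
        return self._mf.encrypt(plaintext.encode("utf-8")).decode("ascii")

    def decrypt(self, token: str) -> str:
        return self._mf.decrypt(token.encode("ascii")).decode("utf-8")

    def reencrypt(self, token: str) -> str:
        """Re-wrap an old row under the newest key without handing plaintext to callers."""
        return self._mf.rotate(token.encode("ascii")).decode("ascii")


def tampered(token: str) -> str:
    """Flip one ciphertext bit, to show that the HMAC check rejects it."""
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[-40] ^= 0x01                 # inside the ciphertext, before the 32-byte HMAC
    return base64.urlsafe_b64encode(bytes(raw)).decode("ascii")
```

Migrating a deployment to a new key is then: construct the ring as [new, old], let reads succeed on either, run reencrypt over the table in batches, and drop the old key from the ring once no row still decrypts under it.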
Policy

Information security policy

How we classify information, who is responsible for what, and which controls apply to which data. Effective 2026-04-17. Next review 2027-04.

Control domains

  • Encryption. Argon2id for password hashing. Fernet (AES-128-CBC + HMAC-SHA256) for at-rest field encryption on restricted data. TLS 1.3 for all transport. Planned upgrade to AES-256-GCM on the roadmap.
  • Access control. JWT-based session auth; tier-based RBAC enforced at middleware on every request. See access control policy below.
  • Authentication. Password + optional TOTP + optional WebAuthn for account holders. MFA available, not yet mandatory.
  • Logging & monitoring. Structured JSON logs with request-ID propagation. Sentry error tracking. Audit log covering 18 security-sensitive event types.
  • Vulnerability management. Patching SLAs: Critical 72h, High 14d, Medium 30d, Low 90d. Continuous scanning via Dependabot, pip-audit, unattended-upgrades.
  • Data retention. Soft delete with 30-day recovery. Hard delete on request. Full policy: /privacy.
  • Third-party risk. Subprocessors disclosed publicly on this page. New subprocessors disclosed before data is shared.

Policy details

Scope
Applies to every person, system, and data flow involved in operating Convexity. As a solo-founder company today, "every person" means one individual; any future contractor or employee is subject to this policy from day one.
Information classification
Restricted — authentication secrets (password hashes, TOTP secrets, WebAuthn credentials, session tokens, API keys), linked-account tokens (Plaid, Stripe). Confidential — PII (email, name), portfolio holdings, analyst notes, AI chat history. Internal — usage telemetry, application logs, error traces. Public — marketing copy, published documentation.
Roles and responsibilities
The founder holds every security role (information security officer, system administrator, incident responder). When the team grows, these responsibilities will be formally separated and the policy will be updated to reflect that.
Exceptions
Any deviation from this policy must be documented with rationale and a remediation timeline.
Review cadence
Reviewed on material architecture changes and at minimum annually. Next scheduled review: 2027-04. Effective 2026-04-17. Owner: Founder.
Architecture

Zero trust architecture

Built on zero-trust principles, scoped to a single-VPS architecture. Every request is independently authenticated and authorized at middleware before reaching any business logic. There is no "trusted internal network" — even requests from our own services are verified the same way as external ones.

Short-lived tokens

Every API request carries a JWT access token with a 15-minute expiry. No long-lived trust.

Authorization at middleware

Role-based access control enforced at middleware (tier_gate) on every protected route. No implicit privilege from session state alone.

Refresh rotation

Refresh tokens are rotated on each use; replay revokes the entire token family.
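The rotation and replay logic described here and under "JWT refresh token rotation", as an added example that is not Convexity's code. The table layout, the 30-day refresh lifetime and the choice to store only a SHA-256 of each token are assumptions; the core rule is the page's: a refresh token is single-use, and presenting one that was already exchanged kills its whole family.

```python
# Added example (not Convexity's code): database-backed refresh tokens with
# rotation on every use and family-wide revocation on replay. The table
# layout and the 30-day lifetime are assumptions; only a hash of each token
# is stored so a database leak does not yield usable tokens.
from __future__ import annotations

import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class RefreshRow:
    token_hash: str
    family_id: str      # shared by every token descended from one login
    user_id: str
    expires_at: float
    used: bool = False
    revoked: bool = False


class RefreshStore:
    def __init__(self, ttl_seconds: float = 30 * 24 * 3600, now=time.time):
        self.rows: dict[str, RefreshRow] = {}   # stand-in for the refresh_tokens table
        self.ttl = ttl_seconds
        self.now = now                           # injectable clock for tests

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str, family_id: str | None = None) -> str:
        """Mint a token. A fresh family starts at login; rotation keeps the family."""
        token = secrets.token_urlsafe(32)
        family_id = family_id or secrets.token_hex(8)
        self.rows[self._digest(token)] = RefreshRow(
            self._digest(token), family_id, user_id, self.now() + self.ttl)
        return token

    def revoke_family(self, family_id: str) -> int:
        n = 0
        for row in self.rows.values():
            if row.family_id == family_id and not row.revoked:
                row.revoked, n = True, n + 1
        return n

    def rotate(self, presented: str) -> str:
        """Exchange a refresh token for its successor.

        A token that has already been rotated is treated as stolen: either the
        legitimate client or an attacker is replaying it, and the server cannot
        tell which, so the whole family is revoked and both must log in again.
        """
        row = self.rows.get(self._digest(presented))
        if row is None:
            raise PermissionError("unknown refresh token")
        if row.revoked:
            raise PermissionError("token family revoked")
        if row.expires_at <= self.now():
            raise PermissionError("refresh token expired")
        if row.used:
            self.revoke_family(row.family_id)
            raise PermissionError("replay detected; token family revoked")
        row.used = True
        return self.issue(row.user_id, row.family_id)

    def active_families(self, user_id: str) -> set[str]:
        """Families with a live token; what a "sessions" page would list."""
        t = self.now()
        return {r.family_id for r in self.rows.values()
                if r.user_id == user_id and not r.revoked and not r.used and r.expires_at > t}
```

The lookup is by hash, so a leaked database dump contains nothing a client can present; and because `revoked` is checked before `used`, a second replay against an already-dead family fails fast without touching other rows.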

Secret isolation

Production secrets are loaded by systemd from a root-owned env file directly into the service process; they are never embedded in client code or passed on the command line, where they would be visible to other local processes.

Brute-force protection

Failed auth attempts trigger rate limiting (5 requests per 5 minutes on auth routes).
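How the limits quoted here and under "Rate limiting" (5 per 5 minutes on auth routes, 30 per minute on AI routes, 120 per minute per IP overall) can be enforced, as an added example that is not Convexity's code. The scope names, the keying on (scope, client IP) and the sliding-window algorithm are assumptions; the numbers are the page's.

```python
# Added example (not Convexity's code): a sliding-window limiter that
# enforces the per-scope limits quoted on the page. The scope names and the
# "one key per (scope, client IP)" choice are assumptions.
from __future__ import annotations

import time
from collections import defaultdict, deque

# (max requests, window seconds); figures from the page.
LIMITS = {
    "auth": (5, 300),    # login, MFA, password-reset routes
    "ai": (30, 60),      # AI analysis routes
    "api": (120, 60),    # global per-IP ceiling, applies to every route
}


class SlidingWindowLimiter:
    def __init__(self, limits=LIMITS, now=time.monotonic):
        self.limits = dict(limits)
        self.now = now                       # injectable clock for tests
        self.hits = defaultdict(deque)       # (scope, ip) -> timestamps of counted requests

    def _check(self, scope: str, client_ip: str, count: bool) -> tuple[bool, float]:
        limit, window = self.limits[scope]
        q = self.hits[(scope, client_ip)]
        t = self.now()
        while q and q[0] <= t - window:      # drop hits that have aged out of the window
            q.popleft()
        if len(q) >= limit:
            return False, q[0] + window - t  # seconds until the oldest hit expires: Retry-After
        if count:
            q.append(t)
        return True, 0.0

    def admit(self, route_scope: str, client_ip: str) -> tuple[bool, str | None, float]:
        """Decide one request. Returns (allowed, limiting_scope, retry_after).

        The route's own limit is checked before the global one, and a request
        is counted only once it has passed every applicable limit, so a
        rejected request does not also burn a global slot.
        """
        scopes = [route_scope] + (["api"] if route_scope != "api" else [])
        for scope in scopes:
            ok, retry = self._check(scope, client_ip, count=False)
            if not ok:
                return False, scope, retry
        for scope in scopes:
            self._check(scope, client_ip, count=True)
        return True, None, 0.0
```

Behind a reverse proxy the client IP must come from the proxy's own header (X-Forwarded-For as set by Nginx), never from a header the client can supply, or the per-IP key is attacker-controlled and the limit is void.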

What we deliberately do not claim

Device trust, continuous risk-based authentication, identity federation, and network segmentation are not meaningful at current scale (single VPS, no corporate network, no managed device fleet). If we add any of those later, this section will be updated.

Policy

Access control policy

Access to systems and data follows the principle of least privilege. Permissions are tier-based, enforced in application middleware, and granted only when required to deliver a specific feature. Scope covers user access to the application and operator access to the underlying infrastructure.

User access

  • Authentication. Email + password (Argon2id hashed), optional TOTP, optional WebAuthn passkey.
  • Authorization. Tier-based RBAC (Free, Pro, Pro Plus) enforced at middleware. Each route declares a minimum tier; unauthorized requests receive 403 before the handler runs.
  • Least privilege. Users access only their own records. No user has administrative access to other users' data.
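A worked version of the request path described under "Short-lived tokens", "Authorization at middleware" and the user-access bullets above: verify a 15-minute HS256 access token, then gate on tier and return 403 before the handler runs. This is an added example, not Convexity's code. The name tier_gate is the page's; its signature, the tier identifiers, the claim layout and the request/response shapes are assumptions, and the signing key is a constructed demo value.

```python
# Added example (not Convexity's code): an HS256 access token with the
# page's 15-minute lifetime, verified on every request, followed by a tier
# gate that returns 403 before the handler runs. Tier names, claim layout
# and request/response shapes are assumptions; the key is a demo value.
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-demo-key-not-for-production"
ACCESS_TTL = 15 * 60
TIERS = {"free": 0, "pro": 1, "pro_plus": 2}


class AuthError(Exception):
    def __init__(self, status: int, detail: str):
        super().__init__(detail)
        self.status, self.detail = status, detail


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_access_token(sub: str, tier: str, now: float | None = None,
                       key: bytes = SIGNING_KEY) -> str:
    iat = int(time.time() if now is None else now)
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64(json.dumps({"sub": sub, "tier": tier, "iat": iat, "exp": iat + ACCESS_TTL},
                              separators=(",", ":")).encode())
    sig = _b64(hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"


def verify_access_token(token: str, now: float | None = None,
                        key: bytes = SIGNING_KEY) -> dict:
    """Return the claims or raise AuthError(401). The signature is checked before any claim is read."""
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthError(401, "malformed token")
    h, p, s = parts
    try:
        header = json.loads(_unb64(h))
    except ValueError:
        raise AuthError(401, "malformed token")
    if header.get("alg") != "HS256":           # pin the algorithm; never honour "none"
        raise AuthError(401, "unsupported alg")
    expected = _b64(hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, s):
        raise AuthError(401, "bad signature")
    claims = json.loads(_unb64(p))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise AuthError(401, "token expired")   # 15 min after issue: use the refresh flow
    if claims.get("tier") not in TIERS:
        raise AuthError(401, "unknown tier")
    return claims


def tier_gate(min_tier: str):
    """Middleware: authenticate, then enforce the route's minimum tier before the handler runs."""
    def decorator(handler):
        def wrapped(request: dict) -> dict:
            claims = verify_access_token(request.get("authorization", ""), request.get("now"))
            if TIERS[claims["tier"]] < TIERS[min_tier]:
                raise AuthError(403, f"requires {min_tier} tier")
            return handler(request, claims)
        return wrapped
    return decorator


@tier_gate("pro")
def ai_analysis(request: dict, claims: dict) -> dict:
    return {"status": 200, "body": {"user": claims["sub"]}}


def dispatch(handler, request: dict) -> dict:
    """Tiny stand-in for the framework's error handling."""
    try:
        return handler(request)
    except AuthError as e:
        return {"status": e.status, "body": {"error": e.detail}}
```

Two details carry the security weight: the algorithm is pinned to HS256 rather than read from the token, and the tier is taken from the verified claims rather than from a database lookup of session state, so a user's tier cannot be raised by editing the payload.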

Operator access

Single operator today (founder). Server access via SSH key-based authentication only; password logins disabled at the sshd level. Production secrets live in a root-owned env file loaded by systemd. MFA is enforced on all operator-facing third-party accounts (domain registrar, DNS, email, GitHub, VPS vendor, cloud console).

Access revocation

  • User de-activation. Automated via backend/app/security/offboarding.py — revokes all tokens, disables MFA, deletes passkeys, disconnects Plaid, clears passwords.
  • Operator de-provisioning. Not yet applicable (solo founder). If a contractor or employee is added, their access will be revoked within 24 hours of separation per the offboarding script.

Reviewed on material architecture changes and at minimum annually · Effective 2026-04-17

What we don't do yet

Honesty about gaps matters more than marketing claims. Here's what we're building toward.

We don't have SOC 2 certification. Evaluation planned for 2026, but no auditor engagement yet.
We don't have a bug bounty program. Planned, but not yet launched.
We don't store your brokerage credentials. Plaid handles authentication on our behalf using tokenized access.
We don't have ISO 27001 certification.
We don't enforce Content Security Policy headers globally. CSP is planned but not yet deployed.
We don't offer zero-knowledge encryption. The server can decrypt data to display portfolios and run AI analysis. Field-level encryption protects at rest, not from the application itself.

Subprocessors

Third-party services that process data on our behalf.

  • Anthropic. AI analysis (primary). Data processed: prompts containing market data and portfolio context.
  • OpenAI. AI analysis (fallback). Data processed: prompts containing market data and portfolio context.
  • Plaid. Brokerage account linking. Data processed: OAuth tokens, account balances, positions.
  • Polygon.io. Market data feed. Data processed: ticker symbols (no user data).
  • Sentry. Error monitoring. Data processed: error stack traces, performance metrics (PII excluded).
  • Hostinger. Infrastructure (VPS). Data processed: all application data (encrypted at rest).
  • Cloudflare. DNS, CDN. Data processed: HTTP requests, IP addresses.
  • Let's Encrypt. TLS certificates. Data processed: domain names only.

Report a vulnerability

We take security reports seriously and respond within 48 hours. Good-faith security research is welcome.

Contact
security@convexityos.com
Response time
Initial acknowledgement within 48 hours. Status updates every 72 hours until resolution.
Safe harbor
We will not pursue legal action against researchers who discover and report vulnerabilities in good faith, follow responsible disclosure practices, and avoid accessing or modifying other users' data.

Questions about our security architecture?

security@convexityos.com