Talk to us

Security

Stralines never holds
your funds.

The most important security claim is the structural one: trading runs on your own exchange API keys, scoped to read and trade only. Withdrawal permission is never requested. A platform compromise cannot move money out of your account.

Custody

Stralines never holds your funds.

Trading uses your own API keys on the exchange. Withdrawal permission is never requested or granted. A platform compromise cannot move money out of your account — the structural property of the system, not a promise.

API-key scope

Read + trade only — never withdraw.

The exchange API key Stralines asks for is scoped to read account state and place / cancel orders. We do not request, store, or accept withdrawal-scoped keys. If you accidentally paste one, the platform refuses to save it.

Key storage

API keys encrypted at rest.

Even in the worst-case scenario of a database compromise, exchange keys cannot be decrypted without the application's encryption secret — held outside the database, separately scoped, separately rotated.

Edge protection

Privileged routes gated at the edge.

Admin and operator surfaces are protected at the network edge before traffic ever reaches the platform. Public marketing surfaces and operator surfaces are separated end-to-end — different hostnames, different access policies.

Engineering rigor

25,000+ automated checks before every release.

Every line of code that ships passes a 13-stage release pipeline including 25,000+ automated tests across 1,270+ suites. Signal arrival, order placement, partial fills, stop-loss triggers, recovery after exchange downtime — every flow is exercised before code reaches your account.

Review cadence

Continuous internal review.

Internal security audit passes are conducted continuously as part of the engineering operating model. External quarterly reviews are on the roadmap as the platform scales.

Frequently asked

The questions traders
actually ask.

What happens to my open positions if Stralines goes offline mid-trade?

Orders already placed on the exchange continue to live independently — your stop-loss and take-profit sit on the exchange, not on Stralines. The platform's three-layer self-heal recovers any orders the exchange itself drops; if Stralines is unreachable, your protection still lives on the exchange.

What scope does Stralines request on my exchange API key?

Read and trade only. Withdrawal scope is never requested. Most exchanges enforce this at the key-creation step; we additionally reject withdrawal-scoped keys at the point of saving.

Can Stralines staff access my exchange keys?

Keys are encrypted at rest with an application secret held outside the database. Operator surfaces do not expose decrypted key material. Access is logged.

Where is my data stored?

Production data is stored within the Stralines infrastructure footprint, geo-located primarily in the regions our customers operate from. Data-at-rest encryption is on by default at the storage layer.

How do I report a security issue?

Email security@stralines.com with a description of the issue and a reproduction path. Responsible-disclosure cadence: acknowledgement within 1 business day, initial assessment within 5.

Report an issue

Found something?

Responsible disclosure: email security@stralines.com with a description and a reproduction path. Acknowledgement within 1 business day, initial assessment within 5.

WhatsApp Telegram