⚠️ STAGING — NOT PRODUCTION: dev.docai.trade — v11.40.2 — test environment, not for real trading
Security-first architecture

How we protect you

Trading accounts are high-value targets. Here is exactly what Doc-AI does to keep yours safe.

🔐

OAuth broker connections

Broker credentials are never stored on Doc-AI servers. We use OAuth tokens with read-only or trade-only scopes. Revoking access in your broker dashboard immediately cuts our connection.

🔒

TLS 1.3 in transit

All traffic between your browser and our servers is encrypted with TLS 1.3. We reject older cipher suites.

🗄️

Encryption at rest

Sensitive fields (tokens, refresh credentials) are encrypted at rest using AES-256. Database files are stored on encrypted volumes.

🔑

Hashed passwords

Passwords are hashed with bcrypt (cost factor 12). We never store plaintext passwords. Compromising our database does not reveal your password.

📱

SMS two-factor authentication

Enable SMS 2FA from Settings to require a one-time code on every login. 2FA is enforced for admin accounts.

🚨

New device alerts

We send an email when your account is accessed from a new device or IP address, so you know immediately if something looks wrong.

⏱️

Short-lived access tokens

Access tokens expire every 15 minutes. Refresh tokens rotate on use and are stored as httpOnly cookies — inaccessible to JavaScript.

🛡️

Rate limiting

Authentication endpoints are rate-limited per IP to prevent brute-force attacks. Repeated failures trigger a temporary lockout.

Responsible disclosure

If you discover a security vulnerability in Doc-AI, we want to know about it. Please email security@docai.trade with a description of the issue. We will acknowledge receipt within 24 hours and work with you on a coordinated disclosure timeline.

We do not currently offer a formal bug bounty program, but we do recognize researchers who report valid vulnerabilities.

SOC 2 Type II — We are working toward SOC 2 Type II certification. In the meantime, our infrastructure follows the security controls described above and is audited internally on a quarterly basis.

Questions about our security posture? security@docai.trade