Security practices

Quantalyze is a data-analytics platform, not a custodian. We read your trade history from your exchange via a read-only API key and compute verified performance metrics. We never hold funds, never place trades, and never move tokens.

Data handling

The data we persist is: read-only exchange API credentials (encrypted), raw trade fills for the last 30 days, and aggregate analytics (Sharpe, Sortino, drawdown, daily returns) kept indefinitely. Raw fills older than 30 days are hard-deleted by a daily job; aggregates remain because the factsheet needs them.

Tenant isolation is enforced at the database. Row-Level Security policies gate every read path, and a BEFORE INSERT trigger on strategies refuses any attempt to link an api_key_id owned by a different user. The check runs with SECURITY DEFINER, so even a client bypassing application-layer RLS cannot cross tenants.
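
The ownership check described above, as an added example that is not Quantalyze's own code: it uses SQLite through Python's sqlite3 module as a runnable stand-in for Postgres, so SECURITY DEFINER and the RLS policies are not modelled. The api_keys table, the user_id columns, and the sample users are assumed names.

```python
import sqlite3

SCHEMA = """
CREATE TABLE api_keys (id INTEGER PRIMARY KEY, user_id TEXT NOT NULL);
CREATE TABLE strategies (
    id         INTEGER PRIMARY KEY,
    user_id    TEXT NOT NULL,
    api_key_id INTEGER NOT NULL REFERENCES api_keys(id)
);
-- Refuse the row unless the referenced key belongs to the inserting user.
-- A key id that does not exist also fails the EXISTS test, so the check fails closed.
CREATE TRIGGER strategies_key_owner BEFORE INSERT ON strategies
WHEN NOT EXISTS (
    SELECT 1 FROM api_keys k
    WHERE k.id = NEW.api_key_id AND k.user_id = NEW.user_id
)
BEGIN
    SELECT RAISE(ABORT, 'api_key_id is not owned by this user');
END;
"""

def open_db():
    """In-memory database seeded with two constructed tenants, one key each."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO api_keys (id, user_id) VALUES (?, ?)",
                   [(1, "alice"), (2, "bob")])
    db.commit()
    return db

def link_strategy(db, user_id, api_key_id):
    """Return True if the row was accepted, False if the trigger refused it."""
    try:
        with db:  # commits on success, rolls back if the trigger aborts
            db.execute(
                "INSERT INTO strategies (user_id, api_key_id) VALUES (?, ?)",
                (user_id, api_key_id))
        return True
    except sqlite3.DatabaseError:
        return False
```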

You can revoke a key and delete its strategy from your dashboard in one click. The encrypted credential row and the listing reference are removed in the same transaction; the analytics service loses its decryption path immediately.

All traffic between your browser, our web tier, the analytics service, and the exchanges is encrypted in transit with TLS 1.3. We disable TLS 1.0, 1.1, and 1.2 at the edge; internal service-to-service calls use the same profile. Certificates are issued by a public CA and rotated automatically before expiry. HSTS is enabled for quantalyze.com with a one-year max-age.

Key handling

API keys are stored read-only, enforced at submission. Every key is validated against the exchange the moment you paste it — if it carries any trading or withdrawal permission, the submission is rejected before the ciphertext is written. The check and the encrypt are a single atomic round-trip.

Credential payloads are encrypted at rest with AES-256-GCM envelope encryption. Each row has its own data encryption key (DEK) generated at encrypt time; the DEK is wrapped by a platform key encryption key (KEK) stored in Supabase Vault. Only the Python analytics service, running under the service-role client, can unwrap the DEK. The Next.js web tier cannot, and neither can your own dashboard — the encrypted columns are revoked at the column-grant level from the anon and authenticated Postgres roles.
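
An added example of the per-row envelope scheme described above, not Quantalyze's code. It assumes the third-party cryptography package, a caller-supplied 32-byte KEK standing in for the Vault-held one, AES-256-GCM for the DEK wrap, and the row id as associated data; none of those details are stated on this page.

```python
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the usual size for GCM

def seal(kek: bytes, row_id: str, plaintext: bytes) -> dict:
    """Encrypt one credential row under a fresh DEK, then wrap the DEK with the KEK."""
    dek = AESGCM.generate_key(bit_length=256)  # per-row DEK, generated at encrypt time
    aad = row_id.encode()                      # ties both ciphertexts to this row (assumption)
    n_data = os.urandom(NONCE_LEN)
    n_wrap = os.urandom(NONCE_LEN)
    return {
        "row_id": row_id,
        "ciphertext": n_data + AESGCM(dek).encrypt(n_data, plaintext, aad),
        "wrapped_dek": n_wrap + AESGCM(kek).encrypt(n_wrap, dek, aad),
    }

def open_row(kek: bytes, row: dict) -> bytes:
    """Unwrap the DEK with the KEK, then decrypt the payload. Raises InvalidTag on failure."""
    aad = row["row_id"].encode()
    wrapped, data = row["wrapped_dek"], row["ciphertext"]
    dek = AESGCM(kek).decrypt(wrapped[:NONCE_LEN], wrapped[NONCE_LEN:], aad)
    return AESGCM(dek).decrypt(data[:NONCE_LEN], data[NONCE_LEN:], aad)

def can_open(kek: bytes, row: dict) -> bool:
    """True only if both GCM tags verify: right KEK, right row, untouched bytes."""
    try:
        open_row(kek, row)
        return True
    except InvalidTag:
        return False
```

A holder of the ciphertext columns without the KEK, which is the position the page assigns to the web tier, fails at the first decrypt in open_row.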

We list detected scopes back to you in the wizard — Read, Trade, Withdraw — so you can see what the exchange actually granted. Any key with Trade or Withdraw is refused; no exceptions, no admin override.
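
An added example of the submission-time scope check described in this section, not Quantalyze's code. The permission labels are the ones named in this page's per-exchange setup steps; their mapping to Read, Trade and Withdraw, the fail-closed handling of unknown labels, and the encrypt and store parameters are assumptions of the example.

```python
# Permission labels as written in this page's setup steps, mapped to the three
# scopes the wizard reports. Treating "Enable Futures" and "Derivatives" as Trade
# and "Transfer" as Withdraw is an assumption of this example.
SCOPE_MAP = {
    "binance": {"Enable Reading": "Read",
                "Enable Spot & Margin Trading": "Trade",
                "Enable Futures": "Trade",
                "Enable Withdrawals": "Withdraw"},
    "okx": {"Read only": "Read", "Trade": "Trade", "Withdraw": "Withdraw"},
    "bybit": {"Read-Only": "Read", "Trade": "Trade",
              "Derivatives": "Trade", "Transfer": "Withdraw"},
}

def check_key_scopes(exchange, granted):
    """Return (accepted, detected_scopes, reason) for the labels an exchange granted."""
    table = SCOPE_MAP.get(exchange.lower())
    if table is None:
        return False, [], "unsupported exchange"
    unknown = sorted(p for p in granted if p not in table)
    detected = sorted({table[p] for p in granted if p in table})
    if unknown:
        # Fail closed: a permission that cannot be classified is treated as unsafe.
        return False, detected, "unrecognised permission: " + ", ".join(unknown)
    forbidden = [s for s in detected if s in ("Trade", "Withdraw")]
    if forbidden:
        return False, detected, "key carries " + " and ".join(forbidden)
    if detected != ["Read"]:
        return False, detected, "key has no read permission"
    return True, detected, "read-only"

def submit_key(exchange, granted, secret, encrypt, store):
    """Validate first; encrypt and persist only a key that passed the check."""
    ok, detected, reason = check_key_scopes(exchange, granted)
    if ok:
        store.append(encrypt(secret))  # ciphertext is written on this path only
    return ok, detected, reason
```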

Compliance posture

SOC 2 status: pre-audit, preparing for SOC 2 Type 1. Allocators evaluating us under diligence — request a posture letter.

We are a pre-audit company preparing for SOC 2 Type 1. Internal controls (access reviews, change management, vendor management, incident response) are documented and followed today, with the formal attestation to follow. Allocators evaluating us under diligence should engage our security contact for a current posture letter under NDA.

The downloadable security packet below restates the encryption spec, retention windows, exchange scopes, and incident-response contact on one page — suitable for forwarding to a risk team.

For coordinated vulnerability disclosure, our security.txt follows RFC 9116.

Data handling at a glance

The three control surfaces a risk team checks first — transport, storage, and authorization — summarized on one line each.

Quantalyze data-handling matrix — transport, storage, and access controls.
Surface      Control       Detail
In Transit   TLS 1.3       Edge and service-to-service; HSTS enabled
At Rest      AES-256-GCM   Per-row DEK wrapped by Vault-held KEK
Access       RBAC + RLS    Postgres role grants; tenant-scoped policies

If you have an account, you can download your audit log from your profile.

Breach notification

In the event of a personal-data breach affecting your account, we notify you within 72 hours of becoming aware of it, in line with GDPR Article 33. Notification is sent to the account email on file and, for institutional customers, to the security contact named in the onboarding record.

The notice states what data was affected, the scope of the incident, the remediation actions taken, and the contact point for follow-up. If the 72-hour window cannot be met, the notice is sent without undue further delay with a written justification for the delay, per the same Article.

Download security packet (PDF)

One-page summary — encryption spec, scopes, retention, incident-response contact. Updated when policy changes; see the last-reviewed date below.

Security contact

Allocators asking for a posture letter, researchers reporting a vulnerability, and anyone with a concrete security question should email security@quantalyze.com. We reply within one business day. Acknowledgments for coordinated disclosure are published on this page.

Last reviewed: 2026-04-12.

Operational reference

Step-by-step guides the Connect wizard links into when a key fails validation, sync is slow, or a draft needs resuming. Kept on one page so the wizard error surface has a stable landing target.

Creating a read-only API key

A read-only key lets our analytics service fetch your trade history without ever being able to place trades or move funds. Every supported exchange has a read-only scope. If a step fails, the wizard rejects the key with a scripted error pointing back here.

Binance

  1. Go to Binance API Management and click Create API. Pick System-generated.
  2. Check only Enable Reading. Leave Enable Spot & Margin Trading, Enable Futures, and Enable Withdrawals unchecked.
  3. Save the key and copy both the key and secret. Paste them into the wizard.

OKX

  1. Go to OKX API Management and click Create API Key V5.
  2. Set the permission to Read only. Do not enable Trade or Withdraw.
  3. Set a passphrase (OKX requires one). Copy the key, secret, and passphrase into the wizard.

Bybit

  1. Go to Bybit API Management and click Create New Key. Pick System-generated.
  2. Pick Read-Only access. Leave Trade, Derivatives, and Transfer permissions unchecked.
  3. Copy the key and secret into the wizard.

Regenerating an API key

Some exchanges only show the secret once at creation. If you cannot find it, create a fresh read-only key and paste the new credentials. The old key can be deleted from your exchange dashboard afterwards.

Egress IPs (IP-allowlist keys)

If your exchange key is locked to an IP allowlist, allow our analytics service egress range. Email security@quantalyze.com for the current IP set — we rotate infrequently and will notify ahead of any change.

Sync timing and cold starts

The first sync of the day can take up to 45 seconds while the analytics service wakes up. Accounts with multi-year history can take up to 3 minutes. Your draft is saved — you can leave the wizard tab and come back. If sync fails, the wizard error copy tells you exactly what to retry and when to contact security@quantalyze.com.

Resuming a wizard draft

Wizard drafts are stored server-side and tied to your account. If you close the tab, open a new one, sign in, and navigate back to the wizard, you will see a Resume banner. Secrets are never stored in your browser, so you will need to paste the API secret one more time before sync kicks off again.

Trade history thresholds (5 trades, 7 days)

We require a minimum of 5 filled trades and 7 calendar days of activity before we compute a verified factsheet. Sharpe, Sortino, and drawdown numbers on smaller samples are noise, not signal. The wizard refuses to advance past Step 2 until both thresholds are met, and the admin review flow enforces the same gate. If your draft does not pass, we save it for 30 days so you can resume once you have more trade history.

Researcher acknowledgments

We thank the security researchers who have reported issues responsibly. This list is updated after each coordinated disclosure.

  • No public acknowledgments yet.