Security Policy

Credential Architecture

OHLCX never receives, stores, or transmits your brokerage username or password. Broker connectivity is established exclusively through OAuth 2.0 authorization flows. Only short-lived access tokens are held by OHLCX, encrypted with AES-256, and automatically purged upon session expiry.

Encryption Standards

All data in transit is protected with TLS 1.3. Data at rest — including OAuth tokens, account preferences, and order history — is encrypted with AES-256. Encryption keys are managed using HSMs and rotated on a regular schedule.

Authentication

Platform access requires email + password authentication with enforced password complexity. Sessions are time-limited with automatic expiry. Suspicious login patterns trigger alerts and may require re-authentication.

Infrastructure Security

OHLCX runs on containerized infrastructure with network segmentation, IP allowlisting, and firewall rules. All services are deployed in private subnets with egress controls. Production infrastructure access requires MFA-protected sessions.

No Fund Custody

OHLCX does not hold, move, or custody funds. All capital remains in your brokerage account at all times. The platform can only submit orders that you authorize — it cannot initiate transfers, withdrawals, or account changes.

Audit Trail

Every order action — placement, modification, cancellation — is logged with timestamp, user identity, IP address, and order parameters. Audit logs are immutable and retained for a minimum of 7 years.

Vulnerability Disclosure

If you discover a security vulnerability, please report it to support@ohlcx.com with subject "Security Disclosure." We acknowledge reports within 48 hours and resolve confirmed vulnerabilities with urgency appropriate to their severity.

Incident Response

In the event of a security incident affecting user data, OHLCX will notify affected users within 72 hours of confirmation via the email address on file.

Questions about our legal policies?