Security
Security without gatekeeping
Traditional brokers use regulation as a proxy for security. We use cryptography, blockchain verification, and transparency. Here's exactly how your funds are protected.
Security architecture
Multiple layers of protection, from your browser to the blockchain.
Transport Encryption
Every connection between your device and Forexiz is encrypted with 256-bit TLS (SSL). Data in transit cannot be intercepted, read, or modified by third parties.
We enforce HTTPS with HSTS headers. Certificate managed via Cloudflare with full SSL mode. All API traffic, WebSocket connections, and page loads are encrypted.
Credential Security
Passwords are hashed using bcrypt with per-user salt. We never store plaintext passwords. Even if our database were compromised, your password cannot be reversed.
OAuth sign-ins (Google, Telegram) use industry-standard token exchange flows. No passwords are stored for OAuth users. SIWE (Sign-In with Ethereum) wallet auth (coming soon) uses cryptographic signature verification.
Session Management
JWT tokens are short-lived with automatic refresh. If a token is compromised, it expires quickly. Refresh tokens are rotated on each use and bound to your device.
Axios interceptors automatically handle token refresh — you never see an expired session. Logging out invalidates all active sessions.
Segregated Fund Handling
User deposits are handled separately from operational funds. Your trading balance is your trading balance — not mixed with platform operations.
Withdrawal requests are processed against your available balance. Funds in open positions are reserved and cannot be withdrawn until the position is closed.
On-Chain Deposit Verification
Every crypto deposit is a blockchain transaction with a unique hash. You can verify your deposit on Tronscan or Etherscan — independently, without trusting us.
Blockchain transactions are immutable. Once your deposit is confirmed on-chain, it cannot be reversed, modified, or disputed. The ledger is the source of truth.
Infrastructure Security
Hosted on Google Cloud Platform with Cloudflare edge protection. DDoS mitigation, WAF rules, and rate limiting protect the platform from attacks.
PM2 process management with automatic restart. Nginx reverse proxy with security headers. Regular security updates and dependency audits.
What we don't store
The most secure data is data that doesn't exist. We minimize what we collect.
We don't store your passport or ID documents — we never ask for them
We don't store your bank account details — we don't accept bank transfers
We don't store your private keys — you control your own wallet
We don't track your browsing activity — no third-party analytics pixels
We don't sell your data — ever, to anyone
Regulation vs cryptography
Traditional approach
- Regulated by a financial authority
- Trust based on license number
- Deposits in traditional banks
- Investor compensation schemes
- Audited by accounting firms
- Requires identity verification
Forexiz approach
- Verified by blockchain immutability
- Trust based on on-chain transparency
- Deposits on public blockchain
- Merkle balance proofs (coming)
- Smart contract audits (coming)
- Permissionless — no verification needed
Coming next
Security features in our decentralization roadmap.
Smart Contract Vault
On-chain deposit vault audited by third-party security firms. Deposits held in a verifiable smart contract, not a centralized wallet.
Merkle Balance Proofs
Daily publication of merkle tree roots covering all user balances. Verify your balance is included without revealing anyone else's.
Trade Execution Proofs
SHA256 hashes of every trade execution, published on-chain. Independently verify that your trade was executed at the stated price.