Security & Compliance — NaxTrader

Security is not an add-on. It's the foundation.

Your clients trust you with their money. We make sure the platform protecting that trust is hardened at every layer — from infrastructure to API.

  • AES-256: Data encryption
  • TLS 1.3: Transport security
  • 99.99%: Enterprise uptime SLA
  • 48h: Critical vulnerability resolution SLA

Security Pillars

Defence in Depth

No single security control is sufficient. NaxTrader implements overlapping controls at every layer so that failure of one does not expose your brokerage.

Encryption at Every Layer

All data is encrypted at rest using AES-256 and in transit with TLS 1.3. Database encryption, S3 server-side encryption, and encrypted backups — there is no unencrypted path to client data.

  • AES-256 encryption at rest
  • TLS 1.3 for all data in transit
  • Encrypted database volumes
  • Key management via AWS KMS
  • Encrypted audit log archive

Infrastructure Security

NaxTrader runs in isolated VPCs with strict network segmentation. Public-facing components are behind Cloudflare WAF and DDoS protection. Internal services have no public exposure.

  • Private VPC network segmentation
  • Cloudflare WAF & DDoS protection
  • No public access to backend services
  • Intrusion detection (AWS GuardDuty)
  • Vulnerability scanning (automated)

Access Controls

Role-based access control across all admin interfaces. Multi-factor authentication enforced for all operator accounts. Principle of least privilege applied to all service accounts and IAM roles.

  • MFA enforced for all admin access
  • Role-based access control (RBAC)
  • Session timeout & IP allowlisting
  • Privileged access management (PAM)
  • Operator activity audit logs

Compliance & Auditing

Complete immutable audit trails for all trading events, account changes, and administrative actions. Logs are tamper-evident and retained for regulatory reporting requirements.

  • Immutable audit log for all actions
  • Trade history retention (7+ years)
  • GDPR-compliant data handling
  • Regulatory report generation
  • Data residency options (on request)

Penetration Testing

Regular third-party penetration tests against the platform, APIs, and web terminal. Vulnerability disclosure program open to security researchers. Critical findings resolved within 48 hours.

  • Annual third-party penetration tests
  • Continuous automated scanning
  • Bug bounty / responsible disclosure
  • Critical vulnerabilities: SLA 48h
  • Pen test reports available to Enterprise clients

Business Continuity

Disaster recovery tested quarterly. Automated backups with geo-redundant storage. Recovery time objective (RTO) of under 30 minutes on Enterprise plans, backed by SLA credits.

  • Daily automated encrypted backups
  • Geo-redundant backup storage
  • RTO < 30 min (Enterprise)
  • RPO < 5 min (continuous replication)
  • DR tests conducted quarterly

Certifications

Standards & compliance

  • SOC 2 Type II: In progress (2025). Security, availability, and confidentiality controls audit.
  • ISO 27001: Aligned. Information security management system standards.
  • GDPR: Compliant. EU data protection regulation compliance for EU-based brokerages.
  • PCI DSS: SAQ A (via Stripe). Card data handled exclusively through certified payment processors.

Enterprise clients can request our latest penetration test report and security questionnaire under NDA.

Responsible Disclosure Program

We welcome security researchers to report vulnerabilities in NaxTrader's platform and APIs. All reports are investigated within 48 hours and credited publicly with researcher consent.

Report vulnerabilities to: security@naxtrader.com

Disclosure Guidelines

  • Do not access or modify client data
  • Do not perform denial-of-service attacks
  • Report findings before public disclosure
  • Allow 90 days for remediation
  • Critical findings acknowledged within 48 hours

Security questions before you commit?

Our team will provide a security questionnaire response and pen test summary under NDA for Enterprise evaluations.