Security Concerns – Cirrus
At Cirrus, your security is our top priority. We understand the sensitivity of financial data and the trust you place in us to safeguard your information. Below is a comprehensive overview of the security measures and practices we follow, along with the potential risks and their mitigations.
1. How Are Security Credentials Stored?
Cirrus does not store users' broker account data. Broker connectivity uses API-key authentication, and user sessions are protected with multi-factor authentication (MFA). API access is restricted to internal services. Sensitive values are tokenized and encrypted at rest, and access tokens expire every 24 hours, so users must log in daily for continued access.
2. Secure Authentication
Authentication uses JWTs with short-lived access tokens and separate refresh tokens. Login attempts are rate-limited and monitored for suspicious activity. Two-factor authentication (2FA) is available for additional protection. Passwords are hashed with bcrypt (salted and deliberately slow) and are never stored in plaintext.
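The flow this section describes, as an added example that is not Cirrus's own code: a salted, slow password hash with constant-time comparison, a minimal HS256 JWT minted with a short expiry and verified with signature, algorithm and expiry checks, single-use refresh tokens stored only as hashes, and a per-account login rate limit. It assumes hypothetical lifetimes (15-minute access tokens, 7-day refresh tokens, 5 attempts per 15 minutes) and uses `hashlib.scrypt` as a standard-library stand-in for bcrypt, which is a third-party package. The JWT code is written out to show what a verifier must check; in production you would use a maintained library.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from collections import defaultdict

# Assumption: in production the signing key comes from a secrets manager, never
# from source. A fresh random key per process is enough for this demo.
SIGNING_KEY = os.urandom(32)
ACCESS_TTL = 15 * 60           # hypothetical: 15-minute access tokens
REFRESH_TTL = 7 * 24 * 3600    # hypothetical: 7-day refresh tokens

# Password storage. bcrypt is a third-party package; hashlib.scrypt is the
# stdlib stand-in used here. Both are salted and deliberately slow.
def hash_password(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return "scrypt$" + salt.hex() + "$" + digest.hex()

def verify_password(password: str, stored: str) -> bool:
    try:
        algo, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=2**14, r=8, p=1, dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))   # constant-time

# Minimal HS256 JWT. Base64url without padding, as the JWT spec requires.
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(claims: dict, ttl: int, now: int = None) -> str:
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps({**claims, "iat": now, "exp": now + ttl}, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_jwt(token: str, now: int = None):
    """Return the claims when signature and expiry check out, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        h, b, s = token.split(".")
        header = json.loads(_unb64url(h))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None                       # refuse alg=none and algorithm confusion
        expected = hmac.new(SIGNING_KEY, f"{h}.{b}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(s)):
            return None
        claims = json.loads(_unb64url(b))
    except ValueError:                        # wrong part count, bad base64 or bad JSON
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims

# Refresh tokens are opaque random strings, stored only as a hash, single-use.
_refresh_store = {}

def issue_session(user_id: str, now: int = None):
    now = int(time.time()) if now is None else now
    refresh = secrets.token_urlsafe(32)
    _refresh_store[hashlib.sha256(refresh.encode()).hexdigest()] = {"sub": user_id, "exp": now + REFRESH_TTL}
    return mint_jwt({"sub": user_id}, ACCESS_TTL, now), refresh

def rotate_session(refresh: str, now: int = None):
    """Exchange a refresh token for a new pair; the old token is consumed, so a
    replayed (stolen) refresh token fails."""
    now = int(time.time()) if now is None else now
    record = _refresh_store.pop(hashlib.sha256(refresh.encode()).hexdigest(), None)
    if record is None or record["exp"] <= now:
        return None
    return issue_session(record["sub"], now)

# Login rate limit: at most MAX_ATTEMPTS per WINDOW seconds per account.
MAX_ATTEMPTS, WINDOW = 5, 15 * 60   # hypothetical limits
_attempts = defaultdict(list)

def login_allowed(account: str, now: int = None) -> bool:
    now = int(time.time()) if now is None else now
    recent = [t for t in _attempts[account] if t > now - WINDOW]
    if len(recent) >= MAX_ATTEMPTS:
        _attempts[account] = recent
        return False
    recent.append(now)
    _attempts[account] = recent
    return True
```

Two details matter more than they look: the verifier pins the algorithm instead of trusting the token's header, and the refresh token is removed from the store before a new one is issued, so a token that leaks from a client cannot be replayed once the legitimate client has rotated it.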
3. Data in Transit Encryption
All traffic between the user's browser and our servers runs over HTTPS using TLS 1.3. We also send HTTP Strict Transport Security (HSTS) headers so that browsers refuse plain-HTTP connections to our domain, which blocks downgrade (SSL-stripping) attacks.
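HSTS only does its job when the header is present and well-formed, so the check a practitioner runs against a deployment is whether the response actually carries a usable policy. The following is an added example, not Cirrus's code: it parses a Strict-Transport-Security value and reports the common weaknesses (missing or non-numeric max-age, which makes browsers ignore the header; max-age=0, which clears the policy; a short lifetime; no includeSubDomains; no preload). The sample responses at the bottom are constructed.

```python
from typing import Dict, List

ONE_YEAR = 365 * 24 * 3600   # the commonly recommended minimum max-age

def parse_hsts(value: str) -> Dict[str, str]:
    """Split a Strict-Transport-Security value into lower-cased directives.
    Valueless directives (includeSubDomains, preload) map to an empty string."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives

def assess_hsts(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response's HSTS policy; an empty list means the
    policy is sound. Header names are matched case-insensitively."""
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("strict-transport-security")
    if value is None:
        return ["HSTS header missing: the browser will still follow plain-HTTP links to this host"]
    d = parse_hsts(value)
    if not d.get("max-age", "").isdigit():
        return ["max-age missing or not an integer: browsers ignore the whole header"]
    findings = []
    max_age = int(d["max-age"])
    if max_age == 0:
        findings.append("max-age=0 tells browsers to forget the policy for this host")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age={max_age} is below one year")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: subdomains are not covered")
    if "preload" not in d:
        findings.append("preload absent: the very first visit is unprotected until the header has been seen")
    return findings

# Constructed sample response headers (not captured from any real server):
WEAK_RESPONSE = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=300"}
STRONG_RESPONSE = {"Content-Type": "text/html",
                   "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}
```

Run `assess_hsts` over the headers of a real response (for example the dictionary returned by an HTTP client) to see the same findings; the weak sample above yields three, the strong one none.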
4. Database & Infrastructure Security
Cirrus infrastructure is hosted on AWS. Internal service-to-service communication follows the principle of least privilege (PoLP). Database access is restricted by strict firewall rules, and we run continuous backups and integrity checks.
5. Session Security
User sessions expire automatically after a period of inactivity. Device fingerprints are recorded, and users are notified of logins from new devices.
6. Web Application Security
Our stack is built on Rust, SvelteKit, and FastAPI. Framework defaults such as template auto-escaping and typed request parsing reduce the risk of cross-site scripting (XSS) and injection attacks, though they do not replace context-aware output encoding and parameterized queries in application code. CSRF protection is applied to all state-changing operations, and we conduct regular security audits, penetration testing, and dependency vulnerability scans.
7. User Data Privacy
We follow data minimization principles. No personal or trading data is shared with third parties, and the only sensitive financial credentials we hold are the broker API key or security key. Access to internal systems is role-based and limited to authorized personnel. All stakeholders are bound by strict confidentiality agreements to safeguard client information.
8. Real-Time System Monitoring
Cirrus runs real-time logging and anomaly detection. Alerts are raised to administrators when suspicious activity or unusual user behaviour is detected.
9. Responsible Disclosure Policy
If you believe you have discovered a potential vulnerability in Cirrus, we strongly encourage responsible disclosure. Please report any findings to [email protected], and we will investigate and respond promptly.
10. Immutable Order Logs
All trading actions are recorded in an append-only, immutable log; even administrators cannot delete critical trading records. Data integrity is enforced with checksum-based verification.
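A per-record checksum catches accidental corruption, but it does not stop someone with write access from altering a record and recomputing its checksum. The added example below (not Cirrus's code) shows the usual next step: a keyed hash chain in which every link covers the previous link, the sequence number and the record, so modification, deletion and reordering are all detectable, and a comparison of the head hash against an externally anchored copy catches truncation, which a chain alone cannot. `CHAIN_KEY` is a constructed placeholder standing in for a key held outside the administrators' reach (an HSM or KMS), and the sample orders are constructed.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Assumption: the chain key lives outside the application's admin roles (e.g. in
# an HSM/KMS). An admin who can edit the database but cannot obtain this key
# cannot recompute the chain after altering a record. Constructed demo key:
CHAIN_KEY = b"constructed-demo-key-not-for-production"
GENESIS = b"\x00" * 32

def _canonical(entry: dict) -> bytes:
    # Stable serialisation so the same record always hashes the same way.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()

def _link(prev_hash: bytes, seq: int, entry: dict) -> bytes:
    # Each link covers the previous link, the sequence number and the record.
    msg = prev_hash + seq.to_bytes(8, "big") + _canonical(entry)
    return hmac.new(CHAIN_KEY, msg, hashlib.sha256).digest()

class AppendOnlyLog:
    """Records are only ever appended; each carries the link that seals it."""

    def __init__(self):
        self.records: List[dict] = []   # {"seq": int, "entry": dict, "hash": hex}

    def append(self, entry: dict) -> str:
        seq = len(self.records)
        prev = bytes.fromhex(self.records[-1]["hash"]) if self.records else GENESIS
        link = _link(prev, seq, entry)
        self.records.append({"seq": seq, "entry": entry, "hash": link.hex()})
        return link.hex()

    def head(self) -> str:
        # The value to publish or store out of band (e.g. written to a separate
        # system each minute) so that truncation of the log can be detected.
        return self.records[-1]["hash"] if self.records else GENESIS.hex()

def verify_chain(records: List[dict]) -> Tuple[bool, Optional[int]]:
    """Recompute every link. Returns (True, None) when intact, otherwise
    (False, seq) where seq is the first position that does not check out."""
    prev = GENESIS
    for expected_seq, rec in enumerate(records):
        if rec["seq"] != expected_seq:                    # deleted or reordered record
            return False, expected_seq
        link = _link(prev, rec["seq"], rec["entry"])
        if not hmac.compare_digest(link.hex(), rec["hash"]):   # modified record
            return False, expected_seq
        prev = link
    return True, None

def verify_against_anchor(records: List[dict], anchored_head: str) -> Tuple[bool, Optional[int]]:
    """Chain check plus comparison with an externally stored head hash, which is
    what catches silent truncation of the newest records."""
    ok, bad = verify_chain(records)
    if not ok:
        return False, bad
    head = records[-1]["hash"] if records else GENESIS.hex()
    if not hmac.compare_digest(head, anchored_head):
        return False, len(records)   # records are missing from this position on
    return True, None
```

The chain detects edits in the middle, but a log that has been cut short still verifies on its own; that is why `head()` exists and why the anchored copy must live somewhere the same administrator cannot rewrite.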
11. Client-Side Storage Minimization
To minimize exposure, long-lived tokens are never stored in the frontend. Short-lived session tokens are held in memory or in HttpOnly cookies, which page scripts cannot read, so a successful XSS cannot exfiltrate them directly (cookie-carried sessions in turn depend on the CSRF protection described above). The frontend codebase is audited regularly to reduce XSS risk.