Security at Convexly

How we protect wallet analysis, watchlist, API, and account data

Data Protection

  • Encryption at rest with AES-256
  • Encryption in transit with TLS 1.3 on all connections
  • Row-level security enforced on user and account data
  • User and team data isolation on private product surfaces
  • JWT authentication with automatic token refresh
  • Public wallet-analysis inputs use public on-chain data only; no private keys or signatures are requested

Infrastructure

  • Hosted on managed cloud infrastructure with a global CDN and DDoS protection
  • Isolated, auto-scaling application containers
  • Managed PostgreSQL with automated backups
  • All data stored and processed in US regions
  • Zero-downtime deployments

Application Security

  • Content Security Policy (CSP) headers on all responses
  • HTTP Strict Transport Security (HSTS) with preload
  • Rate limiting and abuse controls on public, authentication, and compute endpoints
  • Input validation on application APIs
  • Signed-webhook verification on payment events
  • Authenticated, token-protected scheduled jobs
  • No plaintext credentials in source

Access Controls

  • Administrative credentials restricted to background jobs and webhooks
  • Authenticated APIs require signed credentials; public read endpoints are scoped separately
  • Server-side enforcement of paid features
  • Cross-origin requests restricted to approved origins

Privacy & Compliance

  • Saved watchlists, venue imports, and optional journal data are private by default
  • Public profiles are opt-in only
  • Cookie consent with accept and decline options
  • Privacy policy and terms of service published
  • Customer data export available in CSV and JSON formats
  • GDPR- and CCPA-aligned data handling; a Data Processing Addendum is available to execute under an enterprise contract

Questions about our security practices?

We're happy to discuss our security posture in detail. To report a vulnerability, email security@convexly.app with reproduction steps, affected URL or API path, and impact. We acknowledge good-faith vulnerability reports as quickly as practical and ask that reporters avoid accessing other users' data, degrading the service, or publicly disclosing details before we have had a reasonable opportunity to investigate.

security@convexly.app