Security at Convexly

How we protect wallet analysis, watchlist, API, and account data

Data Protection

  • Encryption at rest via AES-256 (AWS infrastructure)
  • Encryption in transit with TLS 1.3 on all connections
  • Row-level security policies on app-owned user tables, with migration guards tracking coverage
  • User and team data isolation on private product surfaces
  • JWT authentication via Supabase Auth with automatic token refresh
  • Public wallet-analysis inputs use public on-chain data only; no private keys or signatures are requested

Infrastructure

  • Frontend hosted on Vercel with global CDN and DDoS protection
  • API hosted on Railway with auto-scaling and isolated containers
  • Database on Supabase (managed PostgreSQL on AWS)
  • All services deployed in US regions
  • Automated deployments with zero-downtime rollouts

Application Security

  • Content Security Policy (CSP) headers on all responses
  • HTTP Strict Transport Security (HSTS) with preload
  • Rate limiting and abuse controls on public capture, auth-sensitive, and selected compute endpoints
  • Input validation on product APIs with endpoint-level coverage tracked during readiness reviews
  • Stripe webhook signature verification on payment events
  • Cron endpoints require bearer-token authorization
  • No plaintext credentials stored in the codebase

Access Controls

  • Service role key restricted to cron jobs and webhooks only
  • Authenticated APIs require signed JWTs or approved service credentials; intentionally public read endpoints are scoped separately
  • Server-side plan enforcement on premium features
  • CORS restricted to configured origins

Privacy & Compliance

  • Saved watchlists, venue imports, and optional journal data are private by default
  • Public profiles are opt-in only
  • Cookie consent with accept/decline options
  • Privacy policy and terms of service published
  • Data export available in CSV and JSON formats
  • GDPR-oriented infrastructure and data handling; formal compliance packet available during diligence

Security Roadmap

  • SOC 2 Type 1 certification (planned)
  • SOC 2 Type 2 certification (planned)
  • Third-party penetration testing (planned)
  • Bug bounty program (planned)

Questions about our security practices?

We're happy to discuss our security posture in detail. To report a vulnerability, email security@convexly.app with reproduction steps, affected URL or API path, and impact. We acknowledge good-faith vulnerability reports as quickly as practical and ask that reporters avoid accessing other users' data, degrading the service, or publicly disclosing details before we have had a reasonable opportunity to investigate.

security@convexly.app