Security at Convexly
How we protect wallet analysis, watchlist, API, and account data
Data Protection
- Encryption at rest with AES-256
- Encryption in transit with TLS 1.3 on all connections
- Row-level security enforced on user and account data
- User and team data isolation on private product surfaces
- JWT authentication with automatic token refresh
- Public wallet-analysis inputs use public on-chain data only; no private keys or signatures are requested
Infrastructure
- Hosted on managed cloud infrastructure with a global CDN and DDoS protection
- Isolated, auto-scaling application containers
- Managed PostgreSQL with automated backups
- All data stored and processed in US regions
- Zero-downtime deployments
Application Security
- Content Security Policy (CSP) headers on all responses
- HTTP Strict Transport Security (HSTS) with preload
- Rate limiting and abuse controls on public, authentication, and compute endpoints
- Input validation on application APIs
- Signed-webhook verification on payment events
- Authenticated, token-protected scheduled jobs
- No plaintext credentials in source
Access Controls
- Administrative credentials restricted to background jobs and webhooks
- Authenticated APIs require signed credentials; public read endpoints are scoped separately
- Server-side enforcement of paid features
- Cross-origin requests restricted to approved origins
Privacy & Compliance
- Saved watchlists, venue imports, and optional journal data are private by default
- Public profiles are opt-in only
- Cookie consent with accept and decline options
- Privacy policy and terms of service published
- Customer data export available in CSV and JSON formats
- GDPR- and CCPA-aligned data handling; a Data Processing Addendum is available to execute under an enterprise contract
Questions about our security practices?
We're happy to discuss our security posture in detail. To report a vulnerability, email security@convexly.app with reproduction steps, affected URL or API path, and impact. We acknowledge good-faith vulnerability reports as quickly as practical and ask that reporters avoid accessing other users' data, degrading the service, or publicly disclosing details before we have had a reasonable opportunity to investigate.