Security & Trust
You’re connecting a brokerage account, so you should know exactly how it’s protected. Here is what we actually do — every item below is implemented in the platform, not aspirational marketing.
Your money stays yours
No custody of funds
KXalgo never holds, pools, or takes custody of your money or securities. Your capital and positions stay in your own broker account at all times. We only send the orders you configure to your broker’s official API.
Your own broker, your own account
All execution happens through your SEBI-registered broker under credentials you supply. We are a software layer on top of your account, not an intermediary that touches your balance.
How credentials are protected
Encrypted at rest
Broker API credentials, TOTP secrets and PINs are encrypted with Fernet (authenticated symmetric encryption) before they are stored. The encryption scheme is versioned so keys can be rotated without exposing secrets.
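A worked illustration of the versioned-key idea, added here as an example and not KXalgo's own code: a key ring built on Fernet's MultiFernet, where the newest key encrypts, every key in the ring decrypts, and stored tokens are re-wrapped under the new key without the plaintext ever leaving the library call. It assumes the `cryptography` package; the key values and the secret are constructed for the demonstration.

```python
# Added example (not KXalgo's code): a versioned key ring built on Fernet so that
# the encryption key can be rotated without exposing stored secrets.
# Assumes the `cryptography` package. Key values and the secret are constructed here.
from cryptography.fernet import Fernet, InvalidToken, MultiFernet


def make_keyring(keys):
    """Build a MultiFernet from keys ordered newest first.
    Encryption always uses keys[0]; decryption tries each key in turn,
    so rows written under an older key stay readable during a rotation."""
    return MultiFernet([Fernet(k) for k in keys])


def encrypt_secret(keyring, plaintext):
    """Encrypt before the value reaches storage."""
    return keyring.encrypt(plaintext.encode("utf-8"))


def decrypt_secret(keyring, token):
    """Decrypt on demand; raises InvalidToken if no key in the ring fits
    or the authentication tag does not verify."""
    return keyring.decrypt(token).decode("utf-8")


def rotate_stored_secret(keyring, token):
    """Re-wrap a stored token under keys[0]. The plaintext is handled inside
    the library call and is not returned to the caller."""
    return keyring.rotate(token)


def rotation_walkthrough():
    """Three phases of a key rotation; returns flags a test can assert on."""
    old_key = Fernet.generate_key()
    new_key = Fernet.generate_key()
    secret = "constructed-broker-api-secret"

    # Phase 1: only the old key exists; a credential is stored under it.
    ring_v1 = make_keyring([old_key])
    token_v1 = encrypt_secret(ring_v1, secret)

    # Phase 2: the new key is added at the front. Old rows still decrypt,
    # new writes use the new key, and existing rows are re-wrapped.
    ring_v2 = make_keyring([new_key, old_key])
    readable_during_rotation = decrypt_secret(ring_v2, token_v1) == secret
    token_v2 = rotate_stored_secret(ring_v2, token_v1)

    # Phase 3: every row has been re-wrapped, so the old key is retired.
    ring_v3 = make_keyring([new_key])
    readable_after_retire = decrypt_secret(ring_v3, token_v2) == secret
    try:
        decrypt_secret(ring_v3, token_v1)
        old_token_rejected = False
    except InvalidToken:
        old_token_rejected = True

    return {
        "readable_during_rotation": readable_during_rotation,
        "readable_after_retire": readable_after_retire,
        "old_token_rejected": old_token_rejected,
        "token_changed": token_v1 != token_v2,
    }


if __name__ == "__main__":
    print(rotation_walkthrough())
```

The order of the phases is the point: the old key is only removed from the ring after every stored row has been re-wrapped, so there is never a moment where a credential exists that no live key can open.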
Decrypted only when needed
Credentials are decrypted on demand at the moment an order or session is needed, and are never cached in plaintext in the API process or written to logs.
Least-exposure secrets
Worker processes receive credentials through tightly permissioned, per-instance files (not shared globally), and secrets are kept out of application logs by design.
Account & session security
httpOnly cookie sessions
Authentication uses short-lived access tokens and rotating refresh tokens stored in httpOnly cookies, so tokens are not readable by page scripts. Changing your password invalidates outstanding sessions.
Brute-force protection
Login is rate-limited with lockout after repeated failed attempts, and the API enforces request-size and security-header protections (HSTS, CSP, X-Frame-Options).
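The lockout behaviour described above, as an added example that is not KXalgo's own code: a small login limiter that counts failures per key inside a sliding window, locks the key once the threshold is reached, and checks the lock before the password is verified so a locked account gives the same answer to a right and a wrong password. The thresholds, the key format (account plus client address) and the fake clock are assumptions made for the demonstration.

```python
# Added example (not KXalgo's code): a login limiter with lockout after repeated
# failures. Thresholds are illustrative; the clock is injectable so it can be tested.
import time


class LoginLimiter:
    """Counts failed logins per key (for example account id, or account plus
    client IP) inside a sliding window and locks the key once the threshold
    is hit. State is in memory here; a shared store would be used in production."""

    def __init__(self, max_failures=5, window_s=300, lockout_s=900,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.clock = clock
        self._failures = {}       # key -> list of failure timestamps
        self._locked_until = {}   # key -> monotonic deadline

    def _prune(self, key, now):
        """Drop failures that have fallen out of the sliding window."""
        window_start = now - self.window_s
        self._failures[key] = [t for t in self._failures.get(key, [])
                               if t > window_start]

    def is_locked(self, key):
        now = self.clock()
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now < until:
            return True
        # Lockout expired: clear state so the next window starts fresh.
        del self._locked_until[key]
        self._failures.pop(key, None)
        return False

    def record_failure(self, key):
        """Call after a failed password check. Returns True when this
        failure triggered a lockout."""
        now = self.clock()
        self._prune(key, now)
        self._failures.setdefault(key, []).append(now)
        if len(self._failures[key]) >= self.max_failures:
            self._locked_until[key] = now + self.lockout_s
            return True
        return False

    def record_success(self, key):
        """A successful login clears the failure history for the key."""
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)

    def check_login(self, key, password_ok):
        """Returns 'locked', 'ok' or 'denied'. The lock is checked before the
        password result is consulted, so a locked key is not a password oracle."""
        if self.is_locked(key):
            return "locked"
        if password_ok:
            self.record_success(key)
            return "ok"
        self.record_failure(key)
        return "denied"


def simulate_brute_force():
    """Drive the limiter with a fake clock: five wrong passwords lock the key,
    the right password is refused while locked, and the lock expires later."""
    t = [0.0]
    limiter = LoginLimiter(max_failures=5, window_s=300, lockout_s=900,
                           clock=lambda: t[0])
    key = "user42|203.0.113.7"   # constructed key: account id plus client IP
    outcomes = [limiter.check_login(key, password_ok=False) for _ in range(5)]
    while_locked = limiter.check_login(key, password_ok=True)
    t[0] += 901                  # past the 900 s lockout
    after_expiry = limiter.check_login(key, password_ok=True)
    return {"outcomes": outcomes, "while_locked": while_locked,
            "after_expiry": after_expiry}


if __name__ == "__main__":
    print(simulate_brute_force())
```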
Hardened live data stream
The live-state WebSocket authenticates every connection, checks request origin to block cross-site hijacking, and validates that each message belongs to the receiving user.
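The two per-connection checks named above, as an added example (not KXalgo's code): an exact-match Origin allow-list applied at the upgrade, and a per-message ownership filter that only delivers events whose user id matches the authenticated session. The allowed origins, the message shape and the `user_id` field are assumptions made for the demonstration.

```python
# Added example (not KXalgo's code): origin allow-listing for a WebSocket upgrade
# and a per-message ownership check. Origins and message fields are constructed.
from urllib.parse import urlsplit

# Constructed allow-list. Entries are exact scheme://host[:port] strings.
ALLOWED_ORIGINS = frozenset({"https://app.example.test"})
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(value):
    """Return scheme://host[:port] in lowercase with default ports dropped,
    or None when the header is absent, 'null', or not a bare origin
    (anything with a path, query, fragment or userinfo is refused)."""
    if not value or value == "null":
        return None
    parts = urlsplit(value)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    if parts.username is not None or parts.password is not None:
        return None
    try:
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return None
    origin = f"{parts.scheme}://{parts.hostname.lower()}"
    if port is not None and port != DEFAULT_PORTS[parts.scheme]:
        origin += f":{port}"
    return origin


def origin_allowed(origin_header, allowed=ALLOWED_ORIGINS):
    """Accept the upgrade only when Origin is present and exactly allow-listed.
    A missing Origin is refused here by policy: browsers always send it on
    WebSocket upgrades, so its absence is not treated as a same-site request."""
    origin = normalize_origin(origin_header)
    return origin is not None and origin in allowed


def message_belongs_to(session_user_id, message):
    """Per-message check: deliver an event only if its user_id matches the
    user authenticated on this connection, whatever topic was subscribed."""
    return isinstance(message, dict) and message.get("user_id") == session_user_id


def filter_outbound(session_user_id, messages):
    """Apply the ownership check to a batch of events before sending."""
    return [m for m in messages if message_belongs_to(session_user_id, m)]


if __name__ == "__main__":
    print(origin_allowed("https://app.example.test"))
    print(filter_outbound(7, [{"user_id": 7, "event": "fill"},
                             {"user_id": 9, "event": "fill"}]))
```

Exact matching after normalization is what defeats the usual look-alikes: a host that merely starts with the allowed name, the same host over plain http, or an origin smuggled in after a fragment all normalize to something that is not in the set.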
Data isolation & auditability
Row-level tenant isolation
Every user’s data is isolated at the database layer with Row-Level Security policies, on top of explicit per-user query filters — defense in depth so one account can never read another’s data.
Immutable audit trail
Sensitive actions (login, credential changes, bot start/stop, and more) are written to an append-only audit log that the database itself prevents from being modified or deleted.
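How a database can itself refuse edits to an audit table, together with the explicit per-user filter that sits under the row-level policy, as an added example that is not KXalgo's code. It uses SQLite so it runs offline: SQLite has no Row-Level Security, so only the explicit-filter half of the tenant isolation is shown, and the append-only rule is enforced with BEFORE UPDATE / BEFORE DELETE triggers (in PostgreSQL the same effect is usually reached by revoking UPDATE and DELETE on the table from the application role, optionally backed by triggers). The table layout and the sample actions are constructed.

```python
# Added example (not KXalgo's code): an append-only audit table enforced by the
# database, plus the per-user filter under the RLS policy. SQLite stands in for
# the real database; the schema and sample rows are constructed for illustration.
import sqlite3

SCHEMA = """
CREATE TABLE audit_log (
    id        INTEGER PRIMARY KEY,
    user_id   INTEGER NOT NULL,
    action    TEXT    NOT NULL,
    recorded  TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ', 'now'))
);
-- The database refuses UPDATE and DELETE regardless of what the application sends.
CREATE TRIGGER audit_log_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_log_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""


def open_audit_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record(conn, user_id, action):
    """Append one audit event; INSERT is the only write the table accepts."""
    with conn:
        conn.execute("INSERT INTO audit_log (user_id, action) VALUES (?, ?)",
                     (user_id, action))


def events_for(conn, user_id):
    """Explicit per-user filter: the application never issues an unscoped SELECT,
    so even if a row-level policy were missing, one user's query cannot see another's rows."""
    rows = conn.execute("SELECT action FROM audit_log WHERE user_id = ? ORDER BY id",
                        (user_id,))
    return [r[0] for r in rows]


def tamper_attempts(conn):
    """Try to rewrite and to erase history; report what the database did."""
    results = {}
    attempts = (("update", "UPDATE audit_log SET action = 'nothing' WHERE id = 1"),
                ("delete", "DELETE FROM audit_log"))
    for name, sql in attempts:
        try:
            with conn:                 # rolls back on exception
                conn.execute(sql)
            results[name] = "allowed"
        except sqlite3.DatabaseError:  # RAISE(ABORT) surfaces as a constraint error
            results[name] = "blocked"
    return results


def walkthrough():
    conn = open_audit_db()
    record(conn, 1, "login")
    record(conn, 1, "bot_start")
    record(conn, 2, "login")
    total = conn.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0]
    return {"user1": events_for(conn, 1), "user2": events_for(conn, 2),
            "tamper": tamper_attempts(conn), "total": total}


if __name__ == "__main__":
    print(walkthrough())
```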
Privacy by design
We follow India’s DPDP expectations, including recorded consent and a defined process to request deletion of your data. See our Privacy Policy.
Engineering & supply-chain hygiene
Automated security scanning
Every change runs through automated dependency CVE scanning (pip-audit) and static application security testing (bandit) in continuous integration before it can ship.
Hardened runtime
Production services run as an unprivileged (non-root) user in containers built from pinned, digest-verified base images.
Responsible disclosure
Found a security issue? We want to hear from you. Email admin@kxalgo.com with details and we’ll respond as quickly as we can. Please don’t publicly disclose an issue before we’ve had a chance to fix it.
Contact & Business Details
Business name: Viveknath Mangalat
Address: Geeth, Podikkundu, Vivek Nagar Housing Colony Road, Kannur, Kerala, India
Email: admin@kxalgo.com
Phone: +91 97464 24902
Support hours: Monday – Friday (9:00 – 18:00 IST)