Security & Trust

You’re connecting a brokerage account, so you should know exactly how it’s protected. Here is what we actually do — every item below is implemented in the platform, not aspirational marketing.

Your money stays yours

No custody of funds

KXalgo never holds, pools, or takes custody of your money or securities. Your capital and positions stay in your own broker account at all times. We only send the orders you configure to your broker’s official API.

Your own broker, your own account

All execution happens through your SEBI-registered broker under credentials you supply. We are a software layer on top of your account, not an intermediary that touches your balance.

How credentials are protected

Encrypted at rest

Broker API credentials, TOTP secrets and PINs are encrypted with Fernet (authenticated symmetric encryption) before they are stored. The encryption scheme is versioned so keys can be rotated without exposing secrets.

Decrypted only when needed

Credentials are decrypted on demand at the moment an order or session is needed, and are never cached in plaintext in the API process or written to logs.

Least-exposure secrets

Worker processes receive credentials through tightly-permissioned, per-instance files (not shared globally), and secrets are kept out of application logs by design.

Account & session security

httpOnly cookie sessions

Authentication uses short-lived access tokens and rotating refresh tokens stored in httpOnly cookies, so tokens are not readable by page scripts. Changing your password invalidates outstanding sessions.

Brute-force protection

Login is rate-limited with lockout after repeated failed attempts, and the API enforces request-size and security-header protections (HSTS, CSP, X-Frame-Options).

Hardened live data stream

The live-state WebSocket authenticates every connection, checks request origin to block cross-site hijacking, and validates that each message belongs to the receiving user.

Data isolation & auditability

Row-level tenant isolation

Every user’s data is isolated at the database layer with Row-Level Security policies, on top of explicit per-user query filters — defense in depth so one account can never read another’s data.

Immutable audit trail

Sensitive actions (login, credential changes, bot start/stop, and more) are written to an append-only audit log that the database itself prevents from being modified or deleted.
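As an added example (not KXalgo's own schema), this is how the two database-level guarantees above, row-level tenant isolation and an append-only audit trail that the database itself enforces, can be expressed in PostgreSQL (11 or later). The table, column and role names and the app.user_id session variable are assumed.

```sql
-- Assumed application role: the API connects as app_user, never as a superuser
-- (superusers bypass row-level security entirely).
CREATE ROLE app_user LOGIN;

-- Tenant-owned data. The API sets app.user_id per request (see usage below).
CREATE TABLE bots (
    id       bigserial PRIMARY KEY,
    owner_id bigint NOT NULL,
    name     text   NOT NULL
);
GRANT SELECT, INSERT, UPDATE, DELETE ON bots TO app_user;

ALTER TABLE bots ENABLE ROW LEVEL SECURITY;
ALTER TABLE bots FORCE ROW LEVEL SECURITY;   -- apply even to the table owner

-- Rows are visible and writable only when owner_id matches the caller.
-- NULLIF handles an unset/empty variable by yielding NULL, so a request that
-- forgot to set app.user_id sees no rows at all (fail closed, not fail open).
CREATE POLICY bots_owner_only ON bots
    USING      (owner_id = NULLIF(current_setting('app.user_id', true), '')::bigint)
    WITH CHECK (owner_id = NULLIF(current_setting('app.user_id', true), '')::bigint);

-- Append-only audit trail: the application role may only read and append.
CREATE TABLE audit_log (
    id       bigserial   PRIMARY KEY,
    user_id  bigint      NOT NULL,
    action   text        NOT NULL,   -- e.g. 'login', 'credential_change', 'bot_start'
    occurred timestamptz NOT NULL DEFAULT now()
);
GRANT SELECT, INSERT ON audit_log TO app_user;   -- no UPDATE/DELETE/TRUNCATE grant

-- Second layer: a trigger refuses UPDATE and DELETE regardless of grants, so
-- rewriting history requires first dropping the trigger (itself a loud DDL change).
CREATE FUNCTION audit_log_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only (% rejected)', TG_OP;
END;
$$;

CREATE TRIGGER audit_log_no_change
    BEFORE UPDATE OR DELETE ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_immutable();

-- Usage from the API layer, inside each request's transaction (constructed):
-- SET LOCAL app.user_id = '42';
-- SELECT name FROM bots;                             -- only user 42's rows
-- UPDATE audit_log SET action = 'x' WHERE id = 1;    -- raises, even if granted
```

The two mechanisms are independent: RLS limits what each tenant can see, while the grants plus trigger keep the audit table append-only for every non-superuser role.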

Privacy by design

We follow India’s DPDP expectations, including recorded consent and a defined process to request deletion of your data. See our Privacy Policy.

Engineering & supply-chain hygiene

Automated security scanning

Every change runs through automated dependency CVE scanning (pip-audit) and static application security testing (bandit) in continuous integration before it can ship.

Hardened runtime

Production services run as an unprivileged (non-root) user in containers built from pinned, digest-verified base images.

Responsible disclosure

Found a security issue? We want to hear from you. Email admin@kxalgo.com with details and we’ll respond as quickly as we can. Please don’t publicly disclose an issue before we’ve had a chance to fix it.

Related: What KXalgo is and isn’t, Privacy Policy, About.

Contact & Business Details

Business name: Viveknath Mangalat

Address: Geeth, Podikkundu, Vivek Nagar Housing Colony Road, Kannur, Kerala, India

Email: admin@kxalgo.com

Phone: +91 97464 24902

Support hours: Monday – Friday (9:00 – 18:00 IST)

Risk disclaimer: KXalgo is an automation tool, not investment advice. Trading in options and derivatives carries a high risk of loss and is not suitable for every investor. Past or simulated performance does not guarantee future results. You trade on your own SEBI-registered broker account and are solely responsible for your decisions. Nothing on this site is a recommendation to buy or sell any security.

© 2026 KXalgo. All rights reserved.