Security

CopyTrade handles sensitive brokerage credentials on your behalf. Here's exactly how we protect them — and what you should do to protect yourself.

🔐
AES-256-CBC Encryption
All brokerage credentials, including API keys, passwords and secrets, are encrypted with AES-256-CBC before they are written to disk. Credentials are never stored in plain text, on disk or in the database.
✓ ACTIVE
🪪
JWT Authentication
All dashboard sessions use signed JWTs that expire after 30 days. Sessions are invalidated immediately on password change or account deletion.
✓ ACTIVE
📱
Two-Factor Authentication
TOTP-based 2FA is available on all plans, including free. It works with Google Authenticator, Authy and any other TOTP-compatible app. Backup codes are provided at setup.
✓ ALL PLANS
🛡️
Rate Limiting
Login attempts are rate-limited to 10 per 15 minutes per IP address, and brute-force attempts are blocked at the infrastructure level.
✓ ACTIVE
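Added example, not CopyTrade's code: a sliding-window login limiter using the page's numbers (10 attempts per 15 minutes per IP), together with the one detail that decides whether such a limiter works at all behind Cloudflare: which address counts as the client. The in-memory store, the injectable clock and the `clientIp` helper are assumptions for illustration; a multi-instance deployment would keep the per-IP log in a shared store.

```javascript
// Added example, not CopyTrade's code: sliding-window login rate limiting with
// the page's numbers (10 per 15 minutes per IP). In-memory store and
// injectable clock are for illustration only.
const WINDOW_MS = 15 * 60 * 1000;
const MAX_ATTEMPTS = 10;

class LoginRateLimiter {
  constructor({ windowMs = WINDOW_MS, max = MAX_ATTEMPTS, now = () => Date.now() } = {}) {
    this.windowMs = windowMs;
    this.max = max;
    this.now = now;
    this.log = new Map(); // ip -> timestamps of attempts still inside the window
  }

  // Records an attempt and says whether it may proceed. Blocked attempts are
  // not recorded, so the lockout ends a full window after the oldest allowed try.
  check(ip) {
    const t = this.now();
    const recent = (this.log.get(ip) || []).filter((ts) => ts > t - this.windowMs);
    if (recent.length >= this.max) {
      this.log.set(ip, recent);
      return { allowed: false, retryAfterMs: recent[0] + this.windowMs - t };
    }
    recent.push(t);
    this.log.set(ip, recent);
    return { allowed: true, remaining: this.max - recent.length };
  }
}

// Behind Cloudflare the TCP peer is a Cloudflare edge, so keying on the peer
// address would throttle Cloudflare itself. Use CF-Connecting-IP, but only
// when the origin is reachable through Cloudflare alone; otherwise the header
// can be forged by a client that connects to the origin directly.
function clientIp(headers, peerAddress, behindCloudflare) {
  if (behindCloudflare && headers['cf-connecting-ip']) return headers['cf-connecting-ip'];
  return peerAddress;
}
```

A per-IP limit stops a single machine hammering one login form; it does not stop a credential-stuffing run spread across many addresses, which is why the 2FA offered above and a per-account counter matter alongside it.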
🚫
No Fund Custody
CopyTrade never holds, receives, transfers, or has custody of your funds at any time. All money stays in your brokerage account. We only place orders on your behalf.
✓ BY DESIGN
☁️
Isolated Cloud Infrastructure
Hosted on Railway with persistent encrypted volume storage. Each user's data is isolated. HTTPS is enforced on all connections via Cloudflare.
✓ ACTIVE

⚠ Tradovate Credential Notice: Tradovate's API requires your username and password for authentication, unlike TopstepX and Apex, which use API keys only. Your Tradovate credentials are stored encrypted. We strongly recommend creating a dedicated Tradovate API application with trade-only permissions and no withdrawal access. See our setup guide for details.

WHAT YOU SHOULD DO

ENABLE 2FA ON YOUR COPYTRADE ACCOUNT
Go to Settings → Security → Enable 2FA. This protects your CopyTrade account even if your password is compromised. Free on all plans.
USE TRADE-ONLY API PERMISSIONS
When creating your broker API application, grant only the permissions CopyTrade needs: Orders, Positions, Account, Contract Library, Market Data. Never grant withdrawal or fund transfer permissions.
USE A STRONG UNIQUE PASSWORD
Use a password manager to generate a strong unique password for your CopyTrade account — different from your brokerage password.
MONITOR YOUR BROKER ACCOUNTS REGULARLY
Regularly review your connected accounts for unexpected activity. CopyTrade shows all executed trades in the Log tab.
REVOKE API ACCESS IF YOU SUSPECT COMPROMISE
If you believe your credentials may be compromised, immediately delete the API application in your broker's dashboard; this prevents any further access regardless of what credentials are stored in CopyTrade. For Tradovate, where CopyTrade stores your username and password rather than an API key, also change your Tradovate password.

WHAT WE DON'T DO

WE DON'T STORE PLAIN TEXT CREDENTIALS
All credentials are encrypted before storage. No plain text API keys or passwords exist in our database.
WE DON'T SHARE YOUR DATA WITH THIRD PARTIES
Your credentials and trading data are never sold or shared with third parties. See our Privacy Policy.
WE DON'T ACCESS YOUR ACCOUNTS WITHOUT INSTRUCTION
CopyTrade only acts on webhook signals you configure. No trades are placed without a signal from your designated source.
WE DON'T HAVE WITHDRAWAL ACCESS
CopyTrade cannot and does not request withdrawal or fund transfer permissions. Your money cannot leave your broker account through CopyTrade.

BREACH NOTIFICATION COMMITMENT

In the event of a confirmed security breach affecting stored credentials or personal data, we will notify affected users by email within 72 hours of confirming the breach. We will describe what was affected and provide guidance on protective actions.

🔍 REPORT A SECURITY VULNERABILITY

If you discover a security vulnerability in CopyTrade, please report it responsibly to [email protected] with the subject line "Security Vulnerability." We take all reports seriously and will respond within 48 hours. Please do not publicly disclose vulnerabilities before we have had the opportunity to address them.