Vague security pages ("we take security seriously") tell you nothing useful. This page documents exactly what Coincruze does to protect your account, your credentials, and your broker connection — with enough specificity to verify.
All communication between your browser or device and Coincruze's servers uses TLS 1.2 or 1.3. HTTP connections are rejected and redirected to HTTPS. There is no plaintext fallback.
Data stored in Coincruze's database is encrypted at rest using AES-256. This applies to all user records including email addresses, hashed passwords, phone numbers, and broker OAuth tokens. The encryption keys are managed separately from the data they protect.
TLS 1.2 or 1.3 on all connections: TLS 1.0 and 1.1 are not supported, and HTTP Strict Transport Security (HSTS) is enforced.
Database-level encryption for all stored user data. Key rotation is performed on a scheduled basis.
Passwords are never stored in plaintext. bcrypt with a cost factor of 12 is used. We cannot recover your password — only reset it.
Session cookies are signed and encrypted using Rails' built-in encrypted cookie store. They cannot be read or tampered with client-side.
IBKR OAuth access and refresh tokens are encrypted with AES-256-GCM before being stored. Raw tokens are never written to logs.
Standard credential authentication using bcrypt-hashed passwords. Minimum length is enforced at signup. Password confirmation is required to update email or password. Devise handles rate limiting on failed login attempts.
New accounts registered with email and password must confirm their email address before they can log in. Confirmation tokens are single-use and expire after 24 hours.
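The two properties stated above, single use and a 24-hour lifetime, are easy to get subtly wrong (a token that is deleted on use cannot be told apart from one that never existed; a token compared as plaintext is exposed by a database read). The following is an added illustration in Ruby, not Coincruze's or Devise's code; the `ConfirmationTokens` class, its in-memory store and the injectable clock are assumptions made so the expiry path can be exercised without waiting a day.

```ruby
require "securerandom"
require "digest"

# Added example, not Coincruze's code: an in-memory stand-in for a users
# table that issues single-use confirmation tokens expiring after 24 hours.
# The clock is injectable so expiry can be exercised without sleeping.
class ConfirmationTokens
  TTL = 24 * 60 * 60 # 24 hours, as stated on the page

  def initialize(clock: -> { Time.now })
    @clock = clock
    @rows = {} # SHA-256 digest of token => { user_id:, expires_at:, used: }
  end

  # Issue a token for a user. Only the digest is persisted, so a database
  # read does not yield a usable token; the raw value goes into the email link.
  def issue(user_id)
    raw = SecureRandom.urlsafe_base64(32) # 256 bits of entropy
    @rows[digest(raw)] = { user_id: user_id, expires_at: @clock.call + TTL, used: false }
    raw
  end

  # Returns the confirmed user id, or a symbol naming the rejection reason.
  # Checks run in order: unknown, already used, expired. A token is consumed
  # on its first successful use, so replaying the same link later fails.
  def confirm(raw)
    row = @rows[digest(raw.to_s)]
    return :unknown if row.nil?
    return :already_used if row[:used]
    return :expired if @clock.call > row[:expires_at]

    row[:used] = true
    row[:user_id]
  end

  private

  def digest(raw)
    Digest::SHA256.hexdigest(raw)
  end
end
```

Two design points worth noting: looking the token up by its digest means the database never holds a usable value, and marking a row as used rather than deleting it lets the application distinguish a replayed link from a forged one, which matters when investigating account-takeover reports.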
TOTP-based 2FA is available on all accounts. Compatible with any TOTP app: Google Authenticator, Authy, 1Password, Bitwarden, and Apple's built-in code generator. Backup codes are generated at setup and should be stored offline.
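Because every app listed above implements the same RFC 6238 algorithm, the server side can be checked against the RFC's published test vectors. The block below is an added example in Ruby and is not Coincruze's code: it implements TOTP verification with a one-step drift window and a constant-time comparison, and models backup codes that are stored only as digests and redeem once. The `Totp` and `BackupCodes` names, the ten-code default and the ten-character code format are assumptions; the page does not state Coincruze's own values.

```ruby
require "openssl"
require "securerandom"
require "digest"

# Added example, not Coincruze's code: RFC 6238 TOTP verification with a
# one-step drift window, plus single-use backup codes stored as digests.
module Totp
  STEP = 30   # seconds per time step (the default the listed apps use)
  DIGITS = 6

  # HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
  # truncation by the low nibble of the last byte, reduced to DIGITS digits.
  def self.hotp(secret, counter)
    hmac = OpenSSL::HMAC.digest("SHA1", secret, [counter].pack("Q>"))
    offset = hmac.getbyte(-1) & 0x0f
    code = (hmac[offset, 4].unpack1("N") & 0x7fffffff) % (10**DIGITS)
    format("%0#{DIGITS}d", code)
  end

  # TOTP (RFC 6238): the counter is the number of STEP-second intervals
  # elapsed since the Unix epoch at time `at` (a Time or an Integer).
  def self.totp(secret, at)
    hotp(secret, at.to_i / STEP)
  end

  # Accept the code for the current step and `window` steps either side to
  # absorb clock drift between phone and server. Comparison is constant-time.
  def self.verify(secret, code, at: Time.now, window: 1)
    (-window..window).any? do |delta|
      secure_compare(totp(secret, at.to_i + delta * STEP), code.to_s)
    end
  end

  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Backup codes: generated once at setup, shown to the user a single time,
# and persisted only as SHA-256 digests. Each code redeems at most once.
class BackupCodes
  def self.generate(count: 10)
    Array.new(count) { SecureRandom.alphanumeric(10).downcase }
  end

  def initialize(codes)
    @remaining = codes.to_h { |c| [digest(c), true] }
  end

  # true if the code was valid and unused; it is consumed on success.
  def redeem(code)
    @remaining.delete(digest(code.to_s.strip.downcase)) ? true : false
  end

  def remaining
    @remaining.size
  end

  private

  def digest(code)
    Digest::SHA256.hexdigest(code)
  end
end
```

The RFC 6238 reference secret is the ASCII string `12345678901234567890`; at Unix time 59 the 8-digit reference value is 94287082, so a 6-digit implementation must return `287082`. A server should also record the last accepted step per user and refuse a code at or below it, so that an observed code cannot be replayed inside the drift window; that bookkeeping is omitted here for brevity.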
On supported devices, Face ID (iOS), Touch ID (iOS/macOS), and Android biometric APIs can be used to authenticate instead of entering a password. Biometric data never leaves your device — Coincruze receives only the platform's pass/fail signal.
Sign-in via Google or Apple OAuth delegates credential verification to those providers. Coincruze never receives or stores your Google or Apple password. OAuth sessions can be revoked from within your Google or Apple account settings.
Sessions expire after 30 days of inactivity. You can sign out of all sessions from account settings. Signing out invalidates the server-side session record immediately.
Coincruze connects to Interactive Brokers using IBKR's official OAuth 1.0a flow. You authorise the connection through IBKR's own login screens — your IBKR username and password are never entered into Coincruze.
The OAuth token is scoped to the minimum permissions required for the features you enable. Read-only market data access and trade submission are requested separately.
Access and refresh tokens are stored encrypted (AES-256-GCM) in the database. The plaintext token only exists in memory during an active API call.
IBKR holds your assets. Coincruze submits trade instructions via the API but never receives, moves, or holds funds.
You can disconnect the IBKR integration from Coincruze settings. This immediately deletes the stored tokens and stops all automated actions. You can also revoke access directly from the IBKR account management portal.
When you connect your IBKR account, you are redirected to Interactive Brokers' own login page. You authenticate there, and IBKR issues Coincruze a scoped OAuth token. At no point does Coincruze see or store your IBKR username or password.
The token IBKR issues to Coincruze is encrypted before being written to the database. It is decrypted in memory only when an API call requires it, and is never written to application logs or error tracking services in plaintext.
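The same primitive underlies both the encrypted cookie store mentioned earlier and the AES-256-GCM token storage described here and above: authenticated encryption with a fresh nonce per value and a tag that makes any modification detectable. The block below is an added example in Ruby using only the OpenSSL standard library; it is not Coincruze's code and not Rails' cookie store. The `SealedBox` class, its `v1.<iv>.<ciphertext>.<tag>` wire format and the use of the owning user id as associated data are assumptions made for illustration.

```ruby
require "openssl"
require "base64"

# Added example, not Coincruze's code: authenticated encryption of a secret
# (a broker OAuth token or a session payload) with AES-256-GCM. The 32-byte
# key is supplied by the caller; in production it would come from a key
# management service or credentials file, never from the code or the database.
class SealedBox
  ALGO = "aes-256-gcm".freeze

  def initialize(key)
    raise ArgumentError, "key must be 32 bytes" unless key.bytesize == 32
    @key = key
  end

  # Returns "v1.<iv>.<ciphertext>.<tag>" with base64url parts. `aad` is
  # authenticated but not encrypted; binding it to the owning record (for
  # example the user id) means a blob copied onto another row will not open.
  def seal(plaintext, aad: "")
    raise ArgumentError, "nothing to seal" if plaintext.empty?
    cipher = OpenSSL::Cipher.new(ALGO).encrypt
    cipher.key = @key
    iv = cipher.random_iv            # fresh 12-byte nonce for every call
    cipher.auth_data = aad
    ct = cipher.update(plaintext) + cipher.final
    "v1." + [iv, ct, cipher.auth_tag].map { |p| Base64.urlsafe_encode64(p, padding: false) }.join(".")
  end

  # Returns the plaintext, or nil when the blob is malformed, was modified,
  # or is opened with the wrong key or aad (the GCM tag check fails).
  def open(blob, aad: "")
    parts = blob.to_s.split(".")
    return nil unless parts.size == 4 && parts[0] == "v1"
    iv, ct, tag = parts[1..3].map { |p| Base64.urlsafe_decode64(p) }
    cipher = OpenSSL::Cipher.new(ALGO).decrypt
    cipher.key = @key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = aad
    cipher.update(ct) + cipher.final
  rescue OpenSSL::Cipher::CipherError, ArgumentError
    nil
  end

  # Decrypt only for the duration of the block, so the plaintext lives in
  # memory while the API call runs and is not kept on any long-lived object.
  def with_secret(blob, aad: "")
    secret = open(blob, aad: aad)
    return nil if secret.nil?
    yield secret
  end
end

# Constructed sample for a stand-alone run (the token value is not real).
if __FILE__ == $PROGRAM_NAME
  box = SealedBox.new(OpenSSL::Random.random_bytes(32))
  blob = box.seal("ibkr-access-token-CONSTRUCTED", aad: "user:42")
  puts blob
  puts box.with_secret(blob, aad: "user:42") { |t| "token length #{t.length}" }
  puts box.open(blob, aad: "user:43").inspect # => nil, wrong associated data
end
```

Returning nil rather than raising keeps the decryption failure out of exception trackers, which is where plaintext tokens most often leak; the error message itself never includes the blob. The version prefix is what makes scheduled key rotation practical: a new key is rolled out under `v2`, and values are re-sealed as they are next read.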
If you believe your token has been compromised, revoke access from IBKR's account management portal at clientportal.ibkr.com. Coincruze will detect the revocation on the next API call and disable automation until you reconnect.
Coincruze runs on cloud infrastructure with automatic failover. Database backups are taken daily and stored in a separate region. No customer data is stored on developer machines.
If you discover a security vulnerability, contact us at security@coincruze.com. We aim to acknowledge reports within 48 hours and disclose confirmed vulnerabilities publicly after a fix is available.
We do not sell your data. We do not share your email or phone number with third-party marketing services. We do not log API responses that contain your portfolio holdings in plaintext.
No vague promises. TLS everywhere, AES-256 at rest, biometric auth, and broker credentials that never touch our servers.