API keys
- Stored encrypted at rest with AES-256-GCM (per-credential nonce, master key in env).
- Never logged, never returned in full from any API endpoint (always masked in responses).
- Withdrawal permission is not required - never grant it to a LucraX key.
Passwords
- bcrypt-hashed (cost 12+).
- Not recoverable; resets generate a new password via emailed link.
Two-factor secrets
- AES-encrypted (same scheme as API keys).
- TOTP only (no SMS).
What we log
- Order placements, fills, position state - for engine debugging and to back the trades table.
- HTTP request metadata (path, status, latency).
- Strategy validation errors with the offending JSON field.
What we never log
- Decrypted API keys.
- Password attempts (only the hash check).
- 2FA codes.
- Full session tokens.
Third-party processors
LucraX uses a small set of external services. Data sent to each:
- Resend (email delivery) - recipient email, message body of
account flow + opted-in trade emails. Used only when
RESEND_API_KEYis configured. - Telegram Bot API - your numeric chat ID and the message text
of opted-in trade alerts. Used only when
TELEGRAM_BOT_TOKENis configured and you've enabled Telegram alerts. - Sentry - error stack traces (no API keys, no trade payloads; PII is scrubbed). Used for platform error monitoring.
We don't ship data to third-party analytics tools (no GA, no mixpanel, no segment).
Data residency
Database + Redis run in our hosted environment.
Data export / deletion
Coming with the account settings work. Today, email support for a manual export / wipe.