Security

PropTally is built with security at every layer. Your trading data, credentials, and personal information are protected using industry-standard encryption and security practices.

Encryption at Rest

AES-256-GCM

All personally identifiable information (PII) is encrypted before storage using AES-256-GCM authenticated encryption. This includes:

  • Email addresses and display names
  • Demographic information (birthday, gender, country)
  • IP addresses and browser fingerprints
  • OAuth tokens and API credentials
  • Trade notes and personal annotations

Encryption keys are derived with the scrypt KDF and are never stored alongside the encrypted data. HMAC-SHA256 keyed hashes serve as lookup indexes, so a record can be found by a value such as an email address without the plaintext ever being stored or compared.

Authentication

bcrypt 12 rounds

  • Passwords are hashed with bcrypt at 12 rounds — never stored in plaintext
  • Session tokens use JWT with minimal payload (user ID only — no PII in tokens)
  • Rate limiting on all authentication endpoints to prevent brute force attacks
  • Progressive lockout after repeated failed login attempts
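The rate limiting and progressive lockout described in the last two items, as an added example in plain Node.js. It is not PropTally's code; the window size, attempt cap, failure threshold and lockout growth are assumed values, and the timestamp is injected so the behaviour is reproducible. Password hashing itself is left to a bcrypt library and is not shown.

```javascript
// Added example (not PropTally's code): in-memory sliding-window rate limit
// plus progressive lockout for a login endpoint. All thresholds are assumed.
const WINDOW_MS = 60_000;          // sliding window for the attempt cap
const MAX_ATTEMPTS_PER_WINDOW = 10; // attempts allowed per key per window
const FAILURES_BEFORE_LOCK = 5;    // lockout starts at the 5th consecutive failure
const BASE_LOCKOUT_MS = 30_000;    // doubles with each further failure
const MAX_LOCKOUT_MS = 3_600_000;  // one-hour cap

class LoginGuard {
  constructor() { this.entries = new Map(); }

  entry(key) {
    if (!this.entries.has(key)) {
      this.entries.set(key, { attempts: [], failures: 0, lockedUntil: 0 });
    }
    return this.entries.get(key);
  }

  // Call before verifying the password. Denies if the key (account or
  // client address) is locked out or over the window cap; otherwise records
  // the attempt and allows it.
  check(key, now) {
    const e = this.entry(key);
    if (now < e.lockedUntil) {
      return { allowed: false, reason: 'locked', retryAfterMs: e.lockedUntil - now };
    }
    e.attempts = e.attempts.filter((t) => now - t < WINDOW_MS);
    if (e.attempts.length >= MAX_ATTEMPTS_PER_WINDOW) {
      return { allowed: false, reason: 'rate_limited', retryAfterMs: WINDOW_MS - (now - e.attempts[0]) };
    }
    e.attempts.push(now);
    return { allowed: true };
  }

  // Call after a failed password check. The lockout grows geometrically
  // with consecutive failures, so a guessing loop stalls quickly while a
  // user who mistypes twice is never blocked. Returns the lock expiry.
  recordFailure(key, now) {
    const e = this.entry(key);
    e.failures += 1;
    if (e.failures >= FAILURES_BEFORE_LOCK) {
      const exp = e.failures - FAILURES_BEFORE_LOCK;
      e.lockedUntil = now + Math.min(BASE_LOCKOUT_MS * 2 ** exp, MAX_LOCKOUT_MS);
    }
    return e.lockedUntil;
  }

  // A successful login clears the failure streak and any lock.
  recordSuccess(key) {
    const e = this.entry(key);
    e.failures = 0;
    e.lockedUntil = 0;
  }
}

// Deterministic walk-through: n attempts one second apart, every one of
// which fails the password check. Returns what the guard decided each time.
function simulateRepeatedFailures(n) {
  const guard = new LoginGuard();
  const log = [];
  let t = 0;
  for (let i = 0; i < n; i++) {
    const decision = guard.check('user:alice', t);
    log.push(decision.allowed ? 'tried' : decision.reason);
    if (decision.allowed) guard.recordFailure('user:alice', t);
    t += 1000;
  }
  return log;
}

module.exports = { LoginGuard, simulateRepeatedFailures, WINDOW_MS, MAX_ATTEMPTS_PER_WINDOW };
```

Keying the guard by both account and client address (two separate `check` calls) limits an attacker who rotates addresses as well as one who rotates accounts; in production the map would live in a shared store rather than process memory.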

Encryption in Transit

TLS 1.3

All connections to PropTally are encrypted using TLS. HSTS (HTTP Strict Transport Security) is enforced with a two-year max-age, includeSubDomains, and preload directives to prevent downgrade attacks.

HTTP Security Headers

Every response from PropTally includes the following security headers:

  • Content-Security-Policy — restricts script, style, font, image, and connection sources. No unsafe-eval allowed.
  • X-Frame-Options: DENY — prevents clickjacking by disallowing embedding in iframes
  • X-Content-Type-Options: nosniff — prevents MIME type sniffing
  • Referrer-Policy: strict-origin-when-cross-origin — limits referrer information leakage
  • Permissions-Policy — disables camera, microphone, and geolocation access
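The HSTS policy from the previous section and the header set listed above, as an added example: an Express-style middleware that emits them plus an audit function that checks a response's headers for the weaknesses the page calls out (short HSTS max-age, missing includeSubDomains or preload, unsafe-eval in the CSP, a non-DENY frame policy). This is not PropTally's code; the exact CSP source list and the middleware signature are assumptions.

```javascript
// Added example (not PropTally's code). REQUIRED_HEADERS is an assumed
// header set matching the page's description; the CSP source list is illustrative.
const REQUIRED_HEADERS = {
  // two years, subdomains included, eligible for the browser preload list
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'content-security-policy':
    "default-src 'self'; script-src 'self'; style-src 'self'; font-src 'self'; " +
    "img-src 'self' data:; connect-src 'self'; frame-ancestors 'none'; " +
    "base-uri 'self'; form-action 'self'",
  'x-frame-options': 'DENY',
  'x-content-type-options': 'nosniff',
  'referrer-policy': 'strict-origin-when-cross-origin',
  'permissions-policy': 'camera=(), microphone=(), geolocation=()',
};

// Express-style middleware (assumed framework): sets every header on every response.
function securityHeaders(req, res, next) {
  for (const [name, value] of Object.entries(REQUIRED_HEADERS)) res.setHeader(name, value);
  next();
}

// Audit a header map (names matched case-insensitively) and return findings.
// Intended as a post-deploy smoke test against the live site's responses.
function auditHeaders(headers) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]),
  );
  const findings = [];

  for (const name of Object.keys(REQUIRED_HEADERS)) {
    if (!(name in lower)) findings.push(`missing ${name}`);
  }

  const hsts = lower['strict-transport-security'];
  if (hsts) {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < 31536000) findings.push('hsts max-age below one year');
    if (!/includesubdomains/i.test(hsts)) findings.push('hsts missing includeSubDomains');
    if (!/preload/i.test(hsts)) findings.push('hsts missing preload');
  }

  const csp = lower['content-security-policy'];
  if (csp && /unsafe-eval/i.test(csp)) findings.push('csp allows unsafe-eval');

  const xfo = lower['x-frame-options'];
  if (xfo && xfo.toUpperCase() !== 'DENY') findings.push('x-frame-options is not DENY');

  return findings;
}

module.exports = { REQUIRED_HEADERS, securityHeaders, auditHeaders };
```

A preload-eligible HSTS header needs all three parts (max-age of at least a year, includeSubDomains, preload); the audit flags each separately so a partial rollout is visible.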

Data Practices

  • We collect only the data necessary to provide the service
  • Trading data is stored only on our servers — never shared with third parties
  • No third-party analytics, tracking pixels, or advertising SDKs
  • Users can request a full data export or account deletion at any time
  • See our Privacy Policy for full details

Responsible Disclosure

We take security vulnerabilities seriously. If you discover a security issue in PropTally, we ask that you report it responsibly so we can address it before it can be exploited.

How to Report

Email: [email protected]

Machine-readable: /.well-known/security.txt

What We Ask

  • Allow reasonable time for us to investigate and fix the issue before public disclosure
  • Do not access, modify, or delete other users' data
  • Do not perform denial-of-service attacks
  • Provide sufficient detail to reproduce the vulnerability

We will acknowledge receipt within 48 hours and provide an expected resolution timeline. We appreciate the security research community and will credit reporters (with permission) for valid findings.

Infrastructure Security

  • Application hosted on a dedicated server with restricted SSH access
  • Cloudflare reverse proxy for DDoS protection and edge caching
  • Automated database backups with encrypted off-site storage
  • System and dependency updates applied regularly
  • Minimal attack surface — no unnecessary services exposed

Questions about our security practices? Contact us at [email protected]