Vectra

Security

Your keys. Your account. Always.

Custody never leaves you: broker API keys are encrypted at rest, the engine enforces its own limits, and nothing on the web can place an order directly.

AES-256 at rest · No transit logging · Trade-only API · Zero withdrawal access · Responsible disclosure · EU-resident data · Backups encrypted

Where your data flows

From your wallet to MEXC. Nothing else.

The bot signs trade orders with your API key — encrypted at rest, decrypted in memory only, never logged in transit. The withdrawal endpoint is unreachable by design.

Data-flow diagram: Your wallet (MEXC futures) → API key (trade-only) → Encrypted (AES-256) → Vectra bot (in-memory only) → MEXC (trade endpoint). No withdrawal, ever.

What Vectra never has access to

  • Withdrawal permission
  • Spot wallet access
  • Your master broker password (MEXC / IBKR / OANDA)
  • Keys for any non-enrolled broker
  • Your seed phrase
  • Your bank or fiat accounts

What Vectra DOES have

  • Trade-only API key (futures, scoped)
  • Read access to balances & open positions
  • Place / amend / cancel orders on enrolled brokers (MEXC live; IBKR + OANDA PAPER-ready)
  • Read public market data (no auth required)

Key storage at rest

Encrypted, scoped, rotatable.

AES-256 at rest

Per-user keys are encrypted with a key-encryption-key held in a separate envelope. The DB rows alone are useless without the KEK.

No transit logging

API key + secret traverse TLS only; we never log the body of a /connect request, and the secret is masked the moment it leaves the form.

In-memory decryption only

Keys are decrypted on-demand for each broker call (MEXC live; IBKR + OANDA flip live once VECTRA_EQUITIES_LIVE / VECTRA_FX_LIVE are set) and never written back to disk in plaintext.

One-click rotation

Settings → API Keys → Rotate. Invalidates the old key on Vectra's side instantly; you revoke it on the broker at your leisure.
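
The envelope scheme described under "AES-256 at rest" and "In-memory decryption only", sketched in Node.js as an added example; it is not Vectra's code. The GCM mode, the blob layout, the function names and the idea that the KEK arrives from outside the database are assumptions of this sketch.

```javascript
// Added example, not Vectra's code. Assumes AES-256-GCM and a 32-byte KEK
// supplied from outside the database (e.g. a KMS or secrets manager).
const nodeCrypto = require('node:crypto');

// Blob layout (an assumption of this example): 12-byte IV | 16-byte tag | ciphertext.
// `aad` binds the blob to its context, so it cannot be replayed into another row.
function seal(key, plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

function open(key, blob, aad) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key, the AAD or any byte of the blob is wrong.
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Builds the DB row: a fresh per-user data key (DEK) wrapped under the KEK,
// and the broker secret sealed under that DEK. No plaintext is stored.
function encryptForUser(kek, userId, apiSecret) {
  const dek = nodeCrypto.randomBytes(32);
  const row = {
    userId,
    wrappedDek: seal(kek, dek, `dek:${userId}`),
    sealedSecret: seal(dek, Buffer.from(apiSecret, 'utf8'), `secret:${userId}`),
  };
  dek.fill(0); // drop the plaintext DEK as soon as the row is built
  return row;
}

// Decrypts on demand for one broker call; the unwrapped DEK is zeroed afterwards.
// The returned JS string is immutable and cannot be wiped, so keep it short-lived.
function decryptForCall(kek, row) {
  const dek = open(kek, row.wrappedDek, `dek:${row.userId}`);
  try {
    return open(dek, row.sealedSecret, `secret:${row.userId}`).toString('utf8');
  } finally {
    dek.fill(0);
  }
}
```

With only the row and no KEK, `decryptForCall` throws; the same happens if a row's blobs are copied under another `userId`, because the user id is authenticated as associated data.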

Incident history

No security incidents to date.

The first incident, if and when one occurs, will be documented in this table within 24 hours of detection, including what we knew, when we knew it, and what we did about it.

Date | Severity | Summary | Postmortem
No incidents reported.

Bug bounty

Found something? Tell us first.

Email security@vectra with proof of concept. We respond within 48 hours. In-scope: anything that could expose user data, leak API keys, or place unauthorized trades. Out-of-scope: rate-limit pings, missing security headers on marketing pages, social-engineering attempts on support.

security@vectra · PGP key fingerprint:
3A91 7B14 C0DE 9F3A 8801  4D2F 6E5A C172 B0E4 8A21