
Your data stays private. Your funds stay yours.

Encryption in transit and at rest. Read-only by default. You control revocation and rotation.

Read-only by default
Encrypted at rest & in transit
Rotate or revoke anytime

Our Security Model

FortunaMind is built on a foundation of defense-in-depth, zero-trust principles, and user control. Every architectural decision prioritizes your security and privacy.

End-to-End Encryption

All data in transit uses TLS 1.3. API keys and sensitive data are encrypted at rest using industry-standard AES-256 encryption in managed vaults or KMS/HSM-backed services.

No Plaintext Storage

API keys are never stored in plaintext. They never appear in logs, error messages, or debugging output. Strict secret handling is enforced across all systems.

Least Privilege by Default

Read-only access is the default for portfolio analytics. Trading capabilities require explicit user opt-in and are fully separable from core features.

Role-Based Access Control

RBAC and separation of duties ensure all system access is authenticated, authorized, and auditable. Zero-trust architecture validates every request.

Security First, Always

We never compromise on security. Our architecture is designed to minimize attack surface, limit blast radius, and give you complete control over your data and credentials.

API Key Handling and User Control

Your exchange API keys are the most sensitive credentials you'll entrust to FortunaMind. Here's exactly how we handle them—and how you stay in control.

Read-Only Keys (Recommended Default)

We recommend creating read-only API keys for portfolio analytics. Read-only keys allow FortunaMind to view your balances, holdings, and transaction history—but cannot execute trades or withdrawals. This is the safest configuration and sufficient for all Core and Advanced tier features.

Trading Keys: Explicit Opt-In Only

Trading-enabled keys are optional and only required for Pro tier features. If you choose to enable trading, you must explicitly opt in, and all trades require your manual approval. We never execute trades without your consent, and withdrawals are always blocked.

How We Store Your Keys

  • Encrypted server-side in secure vaults: API keys are encrypted using AES-256 and stored in managed key vaults (e.g., AWS Secrets Manager, HashiCorp Vault) or KMS/HSM-backed services.
  • Just-in-time decryption: Keys are only decrypted in memory when needed for an authenticated API call, then immediately discarded.
  • Short-lived internal credentials: All internal service access uses ephemeral tokens that expire automatically.
  • Strict access controls: Only authorized services can request decryption, and all access is logged and monitored.

Self-Service Revoke, Rotate, and Delete

You are always in control. From your FortunaMind dashboard, you can:

  • Revoke access instantly: One click removes API key access from FortunaMind. The encrypted key is marked inactive and cannot be used.
  • Rotate keys proactively: Generate new keys on your exchange, update them in FortunaMind, and deactivate the old keys—all in under 60 seconds.
  • Delete keys permanently: Deleting a key from your dashboard triggers secure deletion from all storage (vaults, backups, logs) within 24 hours.
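The storage bullets above (encrypt at rest, decrypt just in time, log every access) and the revoke/rotate controls can be shown in one small model. The following Go program is an added example, not FortunaMind's code: the KeyVault type, the record layout, the audit line format and the sample key value are all constructed for this illustration, and the 32-byte data-encryption key that a KMS or HSM would normally unwrap for the service is simply generated locally in main(). It seals each exchange API key with AES-256-GCM using the record ID as associated data, decrypts only for the duration of one call and zeroes the buffer afterwards, refuses to decrypt a revoked record, treats rotation as overwriting the old ciphertext, and writes one audit line per access that carries the key ID but never the key value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// StoredKey is one encrypted API-key record (layout assumed for this example).
type StoredKey struct {
	Nonce      []byte // fresh random GCM nonce for every seal
	Ciphertext []byte // AES-256-GCM output, record ID bound as associated data
	Revoked    bool
}

// KeyVault holds only ciphertext plus an append-only audit trail.
type KeyVault struct {
	aead  cipher.AEAD
	keys  map[string]*StoredKey
	audit []string
}

// NewKeyVault takes the 32-byte data-encryption key a KMS/HSM would normally
// unwrap for the service; main() below just generates one locally.
func NewKeyVault(dek []byte) (*KeyVault, error) {
	if len(dek) != 32 { // aes.NewCipher would also accept AES-128/192 sizes
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, _ := aes.NewCipher(dek)  // cannot fail once the length is checked
	aead, _ := cipher.NewGCM(block) // cannot fail for a standard AES block
	return &KeyVault{aead: aead, keys: map[string]*StoredKey{}}, nil
}

// record appends one audit line: timestamp, key ID (never the key value), caller, action, result.
func (v *KeyVault) record(id, caller, action, result string) {
	v.audit = append(v.audit, fmt.Sprintf("%s key=%s caller=%s action=%q result=%s",
		time.Now().UTC().Format(time.RFC3339), id, caller, action, result))
}

// Store seals a key the user pasted in and keeps no plaintext. Calling it
// again with the same id is rotation: the old ciphertext is overwritten.
func (v *KeyVault) Store(id string, apiKey []byte) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.keys[id] = &StoredKey{Nonce: nonce, Ciphertext: v.aead.Seal(nil, nonce, apiKey, []byte(id))}
	v.record(id, "dashboard", "store", "ok")
	return nil
}

// Revoke marks the record inactive; WithKey then refuses to open it.
func (v *KeyVault) Revoke(id string) error {
	rec, ok := v.keys[id]
	if !ok {
		return errors.New("unknown key")
	}
	rec.Revoked = true
	v.record(id, "dashboard", "revoke", "ok")
	return nil
}

// WithKey is the just-in-time path: decrypt only for the duration of use,
// zero the buffer afterwards, and audit every attempt, allowed or denied.
func (v *KeyVault) WithKey(id, caller, action string, use func(plain []byte) error) error {
	rec, ok := v.keys[id]
	if !ok || rec.Revoked {
		v.record(id, caller, action, "denied")
		return errors.New("key missing or revoked")
	}
	plain, err := v.aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(id))
	if err != nil {
		return err
	}
	v.record(id, caller, action, "allowed")
	defer func() { // discard the plaintext as soon as the call returns
		for i := range plain {
			plain[i] = 0
		}
	}()
	return use(plain)
}

// AuditLog returns a copy of the trail.
func (v *KeyVault) AuditLog() []string { return append([]string(nil), v.audit...) }

func main() {
	dek := make([]byte, 32)
	rand.Read(dek) // constructed DEK; in production it comes from the KMS
	v, _ := NewKeyVault(dek)
	v.Store("key-1", []byte("cb_live_EXAMPLE_NOT_REAL")) // constructed sample key
	v.WithKey("key-1", "portfolio-svc", "GET /accounts", func(k []byte) error { fmt.Println(len(k), "byte key in use"); return nil })
	v.Revoke("key-1")
	fmt.Println(v.AuditLog())
}
```

Two design points carry over to a real vault: binding the record ID as associated data means a ciphertext copied into another user's record fails to decrypt, and the callback shape of WithKey keeps the plaintext from being returned to callers who might hold on to it or log it.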

Exchange Dashboard Links

Manage your API keys directly on your exchange:

Observability and Anomaly Detection

Every API key usage is logged with full context:

  • Immutable audit logs: Timestamp, user ID, IP address, requested action, and result.
  • Real-time monitoring: Automated detection of unusual patterns (e.g., sudden spike in API calls, access from new IP ranges).
  • User alerts: You may receive email or in-app notifications if anomalous activity is detected.
  • No withdrawals, ever: Withdrawals are explicitly blocked at the API key permission level and application layer. This is non-negotiable.
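The monitoring bullets above, as an added example that is not FortunaMind's code: a Go program that parses constructed audit lines (timestamp, user, IP, action, result, in a space-separated format assumed here) and applies three rules. It flags the first call from a /24 the user has not used before, more than 20 calls inside a sliding 60-second window, and any withdraw action, which the page says is blocked outright and so should never appear at all. The thresholds, the sample traffic and the choice to treat the user's first prefix in the batch as the baseline are illustration choices.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
	"time"
)

// Event is one parsed audit line; the line format is constructed for this example.
type Event struct {
	At             time.Time
	UserID, Action string
	IP             netip.Addr
}

// Alert is what monitoring hands to the notifier or key-suspension step.
type Alert struct {
	Kind, UserID, Detail string // Kind: new_ip_range, call_spike or withdrawal_attempt
}

// ParseEvent reads "2025-03-01T10:00:00Z u1 203.0.113.5 get_accounts ok".
func ParseEvent(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return Event{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Event{}, err
	}
	ip, err := netip.ParseAddr(f[2])
	if err != nil {
		return Event{}, err
	}
	return Event{At: at, UserID: f[1], IP: ip, Action: f[3]}, nil
}

// Detect runs three rules over audit lines (in time order) and returns every
// alert. Per-user state: call times inside the window, and the /24 prefixes
// already seen (the first prefix is the baseline; production would seed it from history).
func Detect(lines []string, window time.Duration, maxCalls int) ([]Alert, error) {
	recent := map[string][]time.Time{}
	seen := map[string]map[netip.Prefix]bool{}
	var out []Alert
	for _, l := range lines {
		e, err := ParseEvent(l)
		if err != nil {
			return nil, err
		}
		if e.Action == "withdraw" { // blocked outright, so any attempt is an anomaly
			out = append(out, Alert{"withdrawal_attempt", e.UserID, "blocked withdraw call from " + e.IP.String()})
		}
		prefix, _ := e.IP.Prefix(24) // IPv4 only in this example
		if seen[e.UserID] == nil {
			seen[e.UserID] = map[netip.Prefix]bool{prefix: true}
		} else if !seen[e.UserID][prefix] {
			seen[e.UserID][prefix] = true
			out = append(out, Alert{"new_ip_range", e.UserID, "first call from " + prefix.String()})
		}
		times := append(recent[e.UserID], e.At)
		for len(times) > 0 && e.At.Sub(times[0]) > window { // drop calls outside the window
			times = times[1:]
		}
		recent[e.UserID] = times
		if len(times) == maxCalls+1 { // fires once per burst, at the crossing
			out = append(out, Alert{"call_spike", e.UserID, fmt.Sprintf("%d calls in %s", len(times), window)})
		}
	}
	return out, nil
}

// SampleLines is a constructed log for user u1: a quiet baseline from
// 203.0.113.0/24, a 25-call burst from 198.51.100.0/24, then a withdraw attempt.
func SampleLines() []string {
	t0 := time.Date(2025, 3, 1, 10, 0, 0, 0, time.UTC)
	var lines []string
	add := func(t time.Time, ip, action, result string) {
		lines = append(lines, t.Format(time.RFC3339)+" u1 "+ip+" "+action+" "+result)
	}
	for i := 0; i < 5; i++ { // one call every 10 minutes
		add(t0.Add(time.Duration(i)*10*time.Minute), "203.0.113.5", "get_accounts", "ok")
	}
	for i := 0; i < 25; i++ { // one call per second, an hour later
		add(t0.Add(time.Hour+time.Duration(i)*time.Second), "198.51.100.7", "get_accounts", "ok")
	}
	add(t0.Add(time.Hour+30*time.Second), "198.51.100.7", "withdraw", "denied")
	return lines
}

func main() {
	alerts, err := Detect(SampleLines(), time.Minute, 20)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%-18s user=%s %s\n", a.Kind, a.UserID, a.Detail)
	}
}
```

Run as written, the sample produces exactly three alerts: a new-range alert on the first burst call, one call-spike alert when the window count crosses 21, and one withdrawal-attempt alert. In a deployment the known-prefix baseline would come from the user's history rather than the first line of the batch, and each alert would drive the email or in-app notification and the temporary key suspension described in the FAQ.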

Note: Coinbase OAuth Deprecated

Coinbase has deprecated its OAuth integration. We now use direct API keys for all exchanges. This provides more granular permission control and is the industry-standard approach.

Data Protection and Privacy

Beyond API keys, we protect all your data with the same rigor and transparency.

Data Minimization

We collect only what's necessary for portfolio analytics and educational insights. We avoid collecting personally identifiable information (PII) wherever possible. Email addresses are used for authentication and critical notifications only.

Encryption Specifics

  • In transit: TLS 1.3 with forward secrecy for all client-server and service-to-service communication.
  • At rest: AES-256 encryption for sensitive data. Keys managed via AWS KMS, GCP Cloud KMS, or Azure Key Vault (depending on deployment region).
  • Key management: Encryption keys are rotated quarterly. Customer data keys are separated from application keys.
  • Vault integration: Secrets stored in HashiCorp Vault or equivalent, with automatic unsealing and dynamic secret generation.

Retention and Deletion

Default retention: Active account data is retained indefinitely while your account is active. Inactive accounts (no login for 2+ years) may be archived.

User-initiated deletion: When you delete your account, all personal data, portfolio data, and API keys are permanently deleted within 30 days. Backups are purged within 90 days.

Legal retention: We may retain minimal metadata (e.g., transaction IDs, billing records) for legal compliance, fraud prevention, or dispute resolution for up to 7 years as required by law.

Backups and Disaster Recovery

High-level RPO/RTO: Automated encrypted backups run daily with a target Recovery Point Objective (RPO) of 24 hours and Recovery Time Objective (RTO) of 4 hours for critical services. Backup encryption keys are stored separately from production keys.

Privacy Policy: For complete details on data collection, usage, and your rights, see our Privacy Policy.

Responsible Disclosure

We welcome and value security researchers who help us identify vulnerabilities. We believe in coordinated disclosure and safe harbor for good-faith security research.

Coordinated Disclosure Policy

If you discover a security issue, please report it privately to security@fortunamind.ai. We commit to working with you transparently and acknowledging your contribution (if you wish to be credited).

Safe Harbor Statement

FortunaMind will not pursue legal action against security researchers who:

  • Report vulnerabilities in good faith and in accordance with this policy
  • Make a good-faith effort to avoid privacy violations, data destruction, and service disruption
  • Do not exploit vulnerabilities beyond the minimum necessary to demonstrate the issue
  • Do not publicly disclose vulnerabilities until we've had reasonable time to remediate (typically 90 days)

How to Report

Email security@fortunamind.ai with the following details:

  • Vulnerability description and potential impact
  • Steps to reproduce (including URLs, request/response samples, screenshots if applicable)
  • Your contact information (for follow-up and coordination)
  • Whether you wish to be publicly credited (optional)

Expected SLA: Initial acknowledgment within 48 hours. Triage and remediation plan within 7 business days. Critical vulnerabilities (e.g., authentication bypass, RCE) will be patched within 48 hours of confirmation.

Bug Bounty Program

Status: Planned for Q1 2026. We will partner with a managed bug bounty platform (e.g., HackerOne, Bugcrowd) to offer monetary rewards for qualifying vulnerabilities. Check back for updates.

Thank You to Security Researchers

Your efforts make FortunaMind safer for everyone. We're grateful for your expertise and ethical approach to security research.

Frequently Asked Questions

Can FortunaMind move my funds?

No. Withdrawals are never permitted. Even if you enable trading (Pro tier only), withdrawal permissions are explicitly blocked at the API key level and in our application logic. This is a hard constraint and cannot be overridden.

Do I have to enable trading?

No. Read-only access is the recommended default and is sufficient for all Core and Advanced tier features. Trading-enabled keys are only required for optional Pro tier features, and you must explicitly opt in.

How are API keys stored?

API keys are encrypted with AES-256 and stored in secure vaults (e.g., AWS Secrets Manager, HashiCorp Vault). They are never stored in plaintext, never logged, and access is strictly audited. Keys are only decrypted in memory for authenticated API calls, then immediately discarded. Encryption keys are rotated quarterly.

How do I revoke access?

From your FortunaMind dashboard: Navigate to Settings → API Keys → [Select key] → Revoke. The key is immediately marked inactive.

From your exchange: You can also delete or disable the API key directly on your exchange's API management page. This will prevent FortunaMind (and any other service) from using that key.

Exchange dashboard links: See the API Key Handling section for direct links to Coinbase, Binance, and Kraken API management pages.

What happens if there's suspicious activity?

Our monitoring systems detect anomalies in real-time (e.g., unusual API call patterns, new IP addresses, spikes in activity). If suspicious activity is detected:

  • You'll receive an immediate alert via email or in-app notification
  • We may temporarily suspend API key usage pending investigation
  • You can instantly revoke the key from your dashboard
  • Our security team will investigate and provide a detailed follow-up

What is your security contact?

For security inquiries, vulnerability reports, or incident notifications, email security@fortunamind.ai.

Questions about our security practices?

We're transparent, responsive, and committed to protecting your data. Reach out anytime.