Security at Raw Edge
Your trading strategies, MT5 credentials, and personal data are protected by industry-standard security practices at every layer.
End-to-End Encryption
All data in transit encrypted with TLS 1.3. Sensitive credentials encrypted at rest with AES-256.
Two-Factor Authentication
TOTP-based 2FA with backup codes. Protects your account even if your password is compromised.
Isolated Infrastructure
Each MT5 bridge runs in an isolated process. Your trading data never crosses into another user's environment.
No Stored Card Data
Payments processed entirely by Stripe. We never see, store, or have access to your card details.
Audit Logging
Every account action is logged — logins, strategy changes, MT5 connections, and admin operations.
Session Management
View and revoke active sessions. Automatic expiry on inactive sessions. IP and device tracking.
1. Security Overview
Raw Edge is built with security as a foundational principle, not an afterthought. We handle sensitive data including MT5 trading account credentials, strategy configurations, and personal information. Every component of our architecture — from the web application to the MT5 bridge — is designed to protect this data.
We follow the principle of least privilege across our entire infrastructure. Services only have access to the data and systems they need to function. All inter-service communication is authenticated and encrypted.
2. Encryption
In Transit
All connections between your browser and Raw Edge are encrypted using TLS 1.3. This includes the web application, API endpoints, and WebSocket connections used for live trading updates. We enforce HTTPS on all endpoints with no fallback to unencrypted connections.
At Rest
Sensitive data stored in our database — including MT5 account credentials — is encrypted using AES-256 before storage. Database backups are also encrypted. Encryption keys are managed separately from the application and rotated periodically.
3. Authentication & Access
- Password requirements: Minimum 8 characters with at least one uppercase letter and one number. Passwords are hashed using bcrypt with a high work factor — we never store plaintext passwords.
- Two-factor authentication (2FA): TOTP-based 2FA compatible with Google Authenticator, Authy, and similar apps. Backup codes are provided during setup for account recovery.
- Session management: Secure, hashed session tokens with automatic expiry. You can view all active sessions and revoke any session from your account settings. Each session records the IP address, device, and browser used.
- Rate limiting: Login attempts are rate-limited to prevent brute-force attacks. After repeated failures, accounts are temporarily locked and a notification is sent to the account holder.
4. MT5 Credential Security
Connecting your MT5 account requires providing your broker login credentials. We understand the sensitivity of this data and have implemented multiple layers of protection:
- MT5 passwords are encrypted with AES-256 before being stored in our database. They are only decrypted at the point of use on the MT5 bridge server.
- Communication between the Raw Edge API and the MT5 bridge is authenticated using HMAC-signed requests. Every request is verified before execution.
- The MT5 bridge runs on a dedicated, isolated server. Each user account's MT5 terminal runs as a separate process with no shared memory or state between users.
- We recommend using a dedicated MT5 account for Raw Edge rather than your primary trading account. You can create a sub-account with most brokers specifically for automated trading.
- You can delete your MT5 credentials from Raw Edge at any time. Deletion is immediate and permanent — we do not retain credentials after removal.
5. Infrastructure
- Application hosting: The web application and API are hosted on Railway with automatic scaling, redundancy, and DDoS protection.
- Database: PostgreSQL with encrypted backups, point-in-time recovery, and automatic failover.
- MT5 bridge: Runs on a dedicated Windows server with restricted network access. Only the Raw Edge API can communicate with the bridge, and all requests require HMAC authentication.
- Automatic restarts: The MT5 bridge monitors terminal health via heartbeats. If a terminal becomes unresponsive, it is automatically restarted within minutes.
6. Data Isolation
Every user's data is logically isolated. Your strategies, backtest results, trade history, MT5 credentials, and account settings are only accessible to you and to authenticated admin accounts when required for support.
API endpoints enforce user-level authorisation on every request. A user cannot access, modify, or view another user's data under any circumstances. Admin access is restricted to designated accounts and is fully audited.
7. Monitoring & Incident Response
- Audit logging: All significant account actions are logged — logins, password changes, MT5 account modifications, strategy starts/stops, and admin operations. Logs include timestamps, IP addresses, and user agent strings.
- Anomaly detection: We monitor for unusual patterns such as login attempts from new locations, rapid API usage, and unexpected MT5 connection behaviour.
- Incident response: In the event of a security incident, we will notify affected users within 72 hours as required by GDPR. Our incident response process includes immediate containment, investigation, user notification, and post-incident review.
8. Payment Security
All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor — the highest level of certification in the payments industry. Raw Edge never receives, processes, or stores your credit card number, CVV, or billing card details. All payment information is transmitted directly from your browser to Stripe's servers.
Subscription management, invoicing, and receipts are handled through Stripe. You can view your billing history and manage your payment method through your Raw Edge account settings, which links securely to the Stripe customer portal.
9. Responsible Disclosure
We take security vulnerabilities seriously. If you discover a security issue in Raw Edge, we ask that you report it responsibly:
- Email support@rawedge.io with a description of the vulnerability
- Include steps to reproduce the issue if possible
- Do not access, modify, or delete other users' data during your research
- Do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it
We commit to acknowledging your report within 48 hours and will keep you informed of our progress. We will not take legal action against researchers who follow these guidelines.
10. Your Responsibilities
Security is a shared responsibility. We recommend the following to protect your account:
- Enable 2FA — this is the single most effective step you can take to protect your account
- Use a strong, unique password — do not reuse passwords from other services
- Review your active sessions — check your account settings periodically and revoke any sessions you don't recognise
- Use a dedicated MT5 account — create a sub-account with your broker for automated trading rather than using your primary account
- Keep your devices secure — ensure your computer and browser are up to date with the latest security patches
- Report suspicious activity — if you notice any unauthorised access or unusual behaviour, contact us immediately at support@rawedge.io
For security-related enquiries, contact support@rawedge.io. For general support, contact support@rawedge.io.
Raw Edge
Company No. 13349877 · Registered in England and Wales