Security & Privacy
What we store, how we protect it, and the controls you have over your data.
How your broker token is stored
When you connect a broker, the token we receive is:
- Encrypted at rest using authenticated encryption (AES-256-GCM) with keys stored in a managed KMS, not in application config.
- Scoped narrowly — read positions and place/cancel orders. We never request fund-transfer or KYC-modification scopes.
- Used server-side only. The token never touches a browser or third-party service.
- Revocable instantly — disconnect from Settings → Brokers or revoke from your broker's authorised-apps page.
Session and authentication
InfiQuant uses passwordless OTP login. There's no password to leak, reuse, or phish.
Your access token lives in browser memory only — not in localStorage, not in sessionStorage. Refresh tokens live in an HTTP-only cookie that the JavaScript layer cannot read. Tokens auto-refresh 60 seconds before they would otherwise expire, and the refresh logic is mutex-guarded so concurrent calls don't race.
Closing the tab forgets your access token. Opening a new tab triggers a refresh from the cookie if you're still within the cookie's lifetime.
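The refresh behaviour described above, as an added sketch that is not InfiQuant's own code: an in-memory token holder in which concurrent callers share one in-flight refresh. `TokenStore`, `refreshFn` and the response shape `{ accessToken, expiresInMs }` are assumptions made for illustration.

```javascript
// Added example, not InfiQuant's code. `refreshFn` is a hypothetical stand-in
// for the call to the refresh endpoint, which the browser authenticates with
// the HTTP-only cookie; it resolves to { accessToken, expiresInMs } (assumed).
const REFRESH_SKEW_MS = 60 * 1000; // refresh 60 seconds before expiry

class TokenStore {
  constructor(refreshFn, now = () => Date.now()) {
    this.refreshFn = refreshFn;
    this.now = now;            // injectable clock so the timing can be tested
    this.accessToken = null;   // held in memory only, never in web storage
    this.expiresAt = 0;
    this.inFlight = null;      // the guard: at most one refresh at a time
  }

  // Milliseconds until the proactive refresh is due (0 means refresh now).
  refreshDelayMs() {
    return Math.max(0, this.expiresAt - REFRESH_SKEW_MS - this.now());
  }

  // Concurrent callers get the same promise, so the endpoint is hit once.
  refresh() {
    if (this.inFlight) return this.inFlight;
    this.inFlight = (async () => {
      const { accessToken, expiresInMs } = await this.refreshFn();
      this.accessToken = accessToken;
      this.expiresAt = this.now() + expiresInMs;
      return accessToken;
    })()
      .catch((err) => {
        this.accessToken = null; // cookie expired or revoked: drop stale token
        this.expiresAt = 0;
        throw err;
      })
      .finally(() => { this.inFlight = null; }); // release on success or failure
    return this.inFlight;
  }

  // Returns a usable token, refreshing first when inside the 60-second window.
  async getToken() {
    if (this.accessToken && this.refreshDelayMs() > 0) return this.accessToken;
    return this.refresh();
  }
}
```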
Two-factor authentication
Email-based OTP is itself a form of two-factor: an attacker would need both your email account and your broker credentials to do harm — and even then, the broker's own OAuth flow is independent.
We're evaluating TOTP-based 2FA on top of OTP login for users who want belt-and-braces. If you want to be notified when it ships, mention it on your contact form.
Exercising your DPDP rights
Under India's Digital Personal Data Protection Act, 2023 you have the right to:
- Confirm what personal data we hold about you and obtain a copy.
- Have inaccurate or incomplete personal data corrected.
- Withdraw consent for any non-essential processing (e.g. analytics, session replay).
- Have your personal data erased, subject to lawful retention requirements.
- Nominate another individual to exercise these rights in case you become incapacitated.
Email privacy@infiquant.co.in with the request and the email address on your account. We acknowledge within 72 hours and respond within 30 days, as required by law. For analytics/replay specifically, you can also turn them off yourself at /cookie-preferences.
Our Grievance Officer for DPDP purposes is Hardik Desai, Founder, reachable at the same address.
Reporting a security issue
If you've found a vulnerability — a bug that could expose data, a way to bypass server-side risk checks, or a flaw in our authentication — please email security@infiquant.co.in with as much detail as you can. Our security contact card is published at /.well-known/security.txt.
We commit to:
- Acknowledging your report within 48 hours.
- Keeping you informed as we investigate.
- Crediting you publicly (if you want) once the issue is resolved.
- Not taking legal action against good-faith research that respects user privacy.
Please don't test against accounts that aren't yours, don't exfiltrate data, and please give us a reasonable window to fix issues before public disclosure.
If anything was unclear or you ran into a different issue, email support@infiquant.co.in. We respond within one business day during early access.