Security

How Nyria protects your accounts

An honest read on the controls we have in place today, and the ones we are still working on. No security theater. We say what we do, and we say what we do not yet do.

Connections to your broker

We use OAuth where the broker supports it. That covers Schwab, Tradier, tastytrade, and Alpaca. You authorize Nyria from inside the broker. We never see your password.

For API-key brokers like Binance and Coinbase, you paste an API key and secret. We store those credentials in our database. Create keys with the minimum permissions you need. Disable withdrawals where the broker supports that toggle.

You can revoke our access from your broker's dashboard at any time. Disconnecting on the broker side immediately invalidates the token or key we hold.

Data in transit

Every public endpoint enforces TLS 1.2 or higher. That includes api.nyria.io, app.nyria.io, nyria.io, and docs.nyria.io.

Outbound calls to brokers and exchanges run over the TLS profiles those venues require. Webhook ingestion from TradingView, Discord, and Telegram terminates at our edge over TLS as well.

Data at rest

We want to be precise here, because security copy is easy to bend. TLS in transit is done. At-rest credential hardening is in progress.

Today we rely on database-level access controls and file-level permissions on environment secrets (chmod 600). Database access is restricted by network policy and per-service credentials.

Application-layer at-rest encryption for broker OAuth tokens and API keys is the next hardening step. Until it ships, we do not describe those credentials as encrypted at rest. The privacy policy reflects the same scope.

Infrastructure

Production runs on Hetzner in Germany. The host is a dedicated server, not a shared tenant. SSH is restricted to key auth and protected by fail2ban, which bans IPs that probe credentials.

Postgres has slow-query logging on, which gives us a paper trail for anomalies and a head start on performance regressions. We take daily backups of the production database.

The marketing site, the app, and the docs all sit behind a CDN. The API talks to brokers from a known egress so venues that allow IP allow-listing can do so on request.

Incident response

One contact: contact@nyria.io. Reach out for security reports, suspected account compromise, or anything that looks off.

We commit to acknowledge within 24 hours and complete initial triage within 72 hours. Material breaches that touch personal data are handled under the breach-notification section of the privacy policy.

Live service health lives on the status page.

Scope note. No system on the public internet is fully secure. The controls described here are the ones in production today. We will update this page as the at-rest encryption work lands and as other controls change.