Verifiable Security Model

Security Built on Public Evidence

ChainSentrix does not ask for wallets, exchange API keys, or seed phrases. Alerts are designed to be checked independently through signed receipts and public hashes.

Zero Wallet Access Architecture

ChainSentrix is architecturally designed to never access your cryptocurrency assets. We only monitor publicly available policy pages - the same pages you could read yourself in a browser.

  • No access to wallet private keys
  • No access to seed phrases
  • No access to exchange API keys
  • No access to transaction history
  • No access to portfolio balances
  • No access to trading positions

Alert Receipt Verification Key

Every generated receipt is signed with Ed25519. Fetch the receipt JSON from the receipt endpoint and check its signature with this public key over the canonical receipt payload; a valid signature shows that the alert payload has not been changed since it was signed.

A production signing key is not configured in this environment, so the key below may differ between server instances. Treat it as a development key: do not pin it, and expect a receipt to verify only against the key of the instance that issued it.
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEALY7Ud1zeSXOP82DE2I/8UhNVy9EnASBxzQAQ7m0HmRg=
-----END PUBLIC KEY-----

Security Practices We Follow

OWASP ASVS-aligned controls

Application security controls are mapped to practical OWASP guidance for auth, access control, input validation, SSRF prevention, and logging.

  • Input validation & sanitization
  • Parameterized database queries
  • Content Security Policy (CSP)
  • URL allowlisting for SSRF prevention

NIST CSF 2.0-aligned operations

Operational security is organized around the six NIST CSF 2.0 functions: govern, identify, protect, detect, respond, and recover.

  • Access control policies
  • Cryptographic controls
  • Operations security
  • Incident management

Signed alert receipts

Each alert can carry a public evidence bundle containing the content hashes, the diff hash, the AI model used, and an Ed25519 signature over the canonical payload.

  • Ed25519 signatures
  • Public verification key
  • Canonical receipt payloads
  • Tamper-evident hashes

Transparency log model

Public alert receipts are grouped into daily Merkle roots. A user who records a day's root can later prove that a receipt was included and detect silent mutation of any receipt published that day.

  • Daily Merkle roots
  • Public receipt endpoint
  • Append-only design
  • Future timestamp anchoring

Privacy minimization

The product is designed around minimal user data and no access to portfolios, wallets, balances, or exchange credentials.

  • Data minimization
  • Right to erasure
  • Data portability
  • Privacy by design

Payment isolation

Subscription billing is delegated to Stripe; ChainSentrix does not store payment card data.

  • Stripe handles all payments
  • No card data stored
  • Secure transmission
  • Access restrictions

Technical Security Measures

Encryption

  • Managed database encryption at rest
  • HTTPS/TLS encryption in transit
  • PBKDF2 key derivation (100,000 iterations)
  • Secure random number generation

Authentication

  • Secure session management
  • Rate-limited login attempts (5 attempts per 15 minutes)
  • Magic link authentication
  • Automatic session expiration

API Security

  • Rate limiting (60 to 120 requests per minute)
  • CORS protection
  • CSRF token validation
  • Input validation on all endpoints

Infrastructure

  • Supabase managed Postgres and Auth
  • Vercel Edge Network
  • DDoS protection
  • Automatic failover

HTTP Security Headers

Header                     Purpose                              Status
Strict-Transport-Security  Forces HTTPS connections (HSTS)      Enabled
Content-Security-Policy    Mitigates XSS and code injection     Enabled
X-Content-Type-Options     Prevents MIME type sniffing          Enabled
X-Frame-Options            Prevents clickjacking                Enabled
Referrer-Policy            Controls referrer information        Enabled
Permissions-Policy         Restricts browser features           Enabled
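As an added example (not ChainSentrix's own code), a Node.js audit that reads a response's header map and reports which of the six headers in the table are missing or weakly configured. The thresholds it applies (HSTS max-age of at least one year, DENY or SAMEORIGIN for X-Frame-Options, no 'unsafe-inline' in script-src without a nonce or hash, a Referrer-Policy that does not leak full URLs) and the two constructed header sets are the example's own choices, not values the page publishes.

```javascript
'use strict';

// Minimum HSTS lifetime this audit accepts (one year). Threshold is the
// example's assumption, not a value published by the page.
const MIN_HSTS_MAX_AGE = 31536000;

// Parse a CSP string into { directive: [sources...] }.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// One check per header in the table; each returns null when the value is
// acceptable and a short finding otherwise.
const CHECKS = {
  'strict-transport-security': (v) => {
    const m = /max-age=(\d+)/i.exec(v);
    if (!m) return 'missing max-age';
    if (Number(m[1]) < MIN_HSTS_MAX_AGE) return `max-age ${m[1]} is below one year`;
    return null;
  },
  'content-security-policy': (v) => {
    const csp = parseCsp(v);
    const script = csp['script-src'] || csp['default-src'];
    if (!script) return 'no script-src or default-src directive';
    // CSP3 browsers ignore 'unsafe-inline' when a nonce or hash is present,
    // so it is only a finding when neither is there.
    const hasNonceOrHash = script.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    if (script.includes("'unsafe-inline'") && !hasNonceOrHash) {
      return "script-src allows 'unsafe-inline' without nonces or hashes";
    }
    if (script.includes('*')) return 'script-src allows any origin';
    return null;
  },
  'x-content-type-options': (v) => (v.trim().toLowerCase() === 'nosniff' ? null : `unexpected value "${v}"`),
  'x-frame-options': (v) => (['DENY', 'SAMEORIGIN'].includes(v.trim().toUpperCase()) ? null : `unexpected value "${v}"`),
  'referrer-policy': (v) => {
    const safe = ['no-referrer', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin'];
    return safe.includes(v.trim().toLowerCase()) ? null : `leaky value "${v}"`;
  },
  'permissions-policy': (v) => (v.trim() ? null : 'empty value'),
};

// Audit a header map such as Node's `res.headers`. Names are case-insensitive,
// so they are normalised first. Returns a list of findings; empty means every
// header in the table is present and passes its check.
function auditHeaders(headers) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) {
    lower[name.toLowerCase()] = Array.isArray(value) ? value.join(', ') : String(value);
  }
  const findings = [];
  for (const [name, check] of Object.entries(CHECKS)) {
    if (!(name in lower)) {
      findings.push(`${name}: missing`);
      continue;
    }
    const problem = check(lower[name]);
    if (problem) findings.push(`${name}: ${problem}`);
  }
  return findings;
}

// Two constructed responses: one matching the table, one with typical lapses.
const STRONG_RESPONSE = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; frame-ancestors 'none'",
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};

const WEAK_RESPONSE = {
  'strict-transport-security': 'max-age=300',
  'content-security-policy': "default-src *; script-src * 'unsafe-inline'",
  'x-content-type-options': 'nosniff',
  'referrer-policy': 'unsafe-url',
  // X-Frame-Options and Permissions-Policy deliberately absent.
};
```

To check a live deployment, pass the `headers` object of an `https.get` response to auditHeaders; the table's "Enabled" column is only meaningful if the audit comes back empty for every page, including error pages and redirects.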

Data Protection

  • Encrypted at rest: stored in managed infrastructure with encryption at rest
  • Encrypted in transit: HTTPS/TLS for all browser and API connections
  • Audit logging: all security events logged and monitored

Your Rights

  • Data access: request a copy of all your data at any time
  • Data deletion: full deletion within 30 days of request
  • Data portability: export your data in standard formats

What we never do

Explicit commitments that scope what ChainSentrix can and cannot ask of you.

Ask for your seed phrase

We will never request wallet seeds, private keys, or recovery phrases. No legitimate support flow needs them.

Ask for exchange API keys

We do not integrate with exchange trading APIs. Public policy pages, read without any credentials, are the only thing we watch.

Touch or custody your funds

No deposits, no withdrawals, no wallet connects. Your assets stay on the exchanges and wallets you already use.

Sell your data or behavior

Your watchlist, alerts, and email are not sold or rented. They are only used to deliver the service you paid for.

Replace your judgment

We surface policy changes and flag risk; the decision to move funds, KYC, or exit is always yours.

Found a Security Issue?

We take security seriously. If you've discovered a vulnerability, please report it responsibly to our security team.

Report to chainsentrix@yahtai.com

We aim to respond within 24 hours
