Kaxse
Security

We don't touch your broker.
We don't train on your data.

Kaxse holds you to your own rules. Nothing more, and nothing more invasive than that. Here's how that works in practice.

We never place orders

Kaxse is a behavioural layer, not an order-management system. We read your account state when you connect a broker, detect rule violations, and surface them in-app. We do not cancel, place, or modify orders on your behalf.

Credentials encrypted at rest

Broker API keys and secrets are AES-256-GCM encrypted in the database with a key that only Kaxse can use to decrypt them at request time. We never log, expose, or transmit credentials to the browser after they're saved.

No model training on your data

Your trades, journal entries, and AI coach conversations are not used to train any AI model — ours or anyone else's. The coach uses Google Gemini at inference time only; nothing persists on the model side.

Your data is yours

One-click export to CSV and JSON from settings. Account deletion fully wipes your data within 30 days. No third-party analytics that share your behaviour with anyone.

Sharp lines

The line between a behavioural layer and a trading system.

We keep this distinction explicit because it's the difference between a journaling tool and an automated trading system. Regulators care. You should too.

What Kaxse does

  • Read your account state via the broker's read-only endpoints
  • Run rule evaluation against the data we observe
  • Surface violations as in-app warnings, AI coach messages, and session UI lockdowns
  • Lock the Kaxse session UI when discipline slips
  • Encrypt your credentials, scoped strictly to your account
  • Log every system event for your review

What Kaxse never does

  • Place orders on your account
  • Cancel orders on your account
  • Close open positions on your account
  • Move money in or out of your account
  • Share your data with any third party for advertising
  • Use your trades to train AI models

Technical detail

Specifics, not platitudes.

Authentication

  • Clerk-managed authentication (SOC 2 Type II provider)
  • Session tokens never touch our servers in their cleartext form
  • Per-user data isolation enforced at every Convex query

Storage

  • Hosted on Convex — encrypted at rest, US region
  • Broker credentials encrypted with AES-256-GCM using a per-record IV
  • Vault PINs and passwords hashed with PBKDF2-SHA256 (200k iterations) and a per-record salt
  • No plaintext credentials logged anywhere

API access

  • API keys to Google Gemini and TTS sent as headers, never in URL query strings
  • Rate limiting on every AI / broker / import endpoint per user
  • External error responses sanitised before reaching the browser

Code

  • TypeScript strict mode enforced across the codebase
  • BrokerWriteAdapter type-isolated from the commercial bundle
  • Per-action audit log of every system event affecting your account
  • Owner of every read scoped to authenticated user — no cross-tenant queries

On the roadmap

Kaxse is built by a solo founder. We're honest about what's shipped vs. what's coming. SOC 2 readiness, formal third-party penetration testing, EU data residency, and SSO are on the list — they'll be built when the user base reaches a scale that warrants them. We won't pretend to have certifications we haven't earned.

In the meantime, the engineering practices above are the actual security posture today. Honest, narrow, and verifiable.

Questions about how we handle your data?

Email security@kaxse.com and we'll answer directly.
