07B6B{>F ]> 2]1 00 2*B[C8@AC1|| >$ <]6/*89 0 95$< [/@/# ]F8% |D0D7 3\560 /] |05 3@${%@8>* B3\> 6C{/6E9$$/ 968# [<#< F4 $D9] D@ C5%3><$ B@ 0B|\*D6*/B/[ #E}$3\>0 4C\6 ${\}0] %/3E[ 349}E#30
Enterprise-grade security for private investors.
Bank-grade encryption. Sensitive data like IBANs and API keys are individually encrypted with AES-256-GCM – the same standard used by banks and governments.
Your data never leaves the EU. Hosted on servers in Frankfurt, Germany – fully under EU data protection law. No transfers to the US or other third countries.
We can't touch your money. All connections to wallets, exchanges, and accounts are strictly read-only. No transfers, no trades, no access to your funds – technically impossible.
Double protection on every login. Enable 2FA and receive a one-time code via email on every sign-in. Even if your password is compromised, your account stays protected.
Your data, your rights. Full compliance with the EU General Data Protection Regulation. You can view, export, or completely delete your data at any time.
Every action is logged. Login attempts, settings changes, device switches – everything is recorded in a tamper-proof trail. You keep full visibility.
From the first click to display – every step is secured.
Your data is transmitted over an encrypted TLS connection.
Sensitive fields are encrypted server-side with AES-256-GCM before being stored.
Encrypted data resides on EU servers. Even in a data breach, it would be unreadable.
Only you see your data. IBANs are masked (DE89****3456), plaintext is never shown in the frontend.
Your personal and financial data will never be sold, shared, or monetized to third parties. Manalyx earns money through subscriptions – not through your data.
Your data belongs to you – and you decide what happens with it.
We only collect the data necessary to provide our service. No hidden trackers, no unnecessary data collection. Less data means less risk.
Sensitive identifiers like bank IBANs and exchange API credentials are encrypted at rest using AES-256-GCM, and the plaintext never leaves the dedicated server-side function that needs it. All data is stored on EU-based infrastructure (Supabase, Frankfurt) – backups inherit the same protections and location.
Authentication uses Supabase Auth with PKCE, and login attempts are rate-limited per email and per IP to block credential-stuffing without locking out legitimate users. Two-factor authentication via email-delivered one-time codes can be enabled in Settings.
Wallet integrations use only public addresses, exchange keys are read-only, and banking is statement-upload only – no banking credentials are ever involved. Security-relevant actions go to an append-only audit log; personal and financial data is never sold or used for behavioural advertising.
Security in Manalyx is not a feature shelf, it is an architecture choice that ripples into every module. The application is structurally read-only against external sources (no broker API write scopes, no PSD2 write tokens, no crypto signing layer), sensitive fields are encrypted before they reach the database, and Postgres Row-Level Security ensures one user's queries can only ever return one user's rows. The combined effect is that even a worst-case server compromise cannot move your funds and cannot leak another user's data into yours.
Every table that holds user data carries an RLS policy keyed on auth.uid(). Queries from the application context are filtered automatically — no client-side filter that a forgotten WHERE clause could bypass. Roles such as admin live in a separate user_roles table behind a SECURITY DEFINER helper to prevent privilege escalation through self-elevation.
API keys for CoinGecko, Helius, Stripe and similar services live exclusively in Supabase secrets and are read inside Edge Functions. The browser never sees them. This means a stolen browser session cannot exfiltrate keys, and rate-limit abuse is bounded to what the cron jobs are willing to send — not to whatever a client decides to send.
The audit_logs table records sensitive actions (auth events, encryption-key reads, configuration changes) and its RLS policies allow inserts but block updates and deletes — even from elevated roles. If something goes wrong, the trail of what happened is preserved by design rather than by trust.
