REGIME
Docs Pricing Track Record Assets Blog

Security

How we protect your data and our infrastructure.

API Authentication

Bearer Token Authentication Active

  • All authenticated endpoints require a Bearer token in the Authorization header.
  • API keys are generated as cryptographically random 256-bit tokens.
  • Keys are hashed (SHA-256) before storage — we cannot retrieve your original key. If lost, generate a new one.
  • Each key is scoped to a single tenant and subscription tier.
  • Keys can be revoked instantly via the API or dashboard.

Webhook Security Active

  • Webhook deliveries include an HMAC-SHA256 signature in the X-Regime-Signature header.
  • Each tenant receives a unique webhook signing secret at registration.
  • Verify signatures server-side before processing webhook payloads to prevent spoofing.

Encryption

Data in Transit Active

  • All API traffic is encrypted via HTTPS/TLS 1.2+ (TLS 1.3 preferred).
  • TLS termination is handled by Cloudflare with automatic certificate management.
  • HTTP requests are automatically redirected to HTTPS.
  • HSTS headers enforce HTTPS for all subsequent requests.

Data at Rest Active

  • Application databases use SQLite with WAL (Write-Ahead Logging) mode for data integrity.
  • Sensitive configuration values (API keys, webhook secrets) are hashed before storage.
  • Payment data is stored exclusively by Stripe and never touches our servers.
  • Server disk encryption is enabled at the OS level.

Rate Limiting and Abuse Protection

Multi-Layer Rate Limiting Active

  • Per-key rate limiting: Enforced per API key based on subscription tier (10/120/1000 RPM).
  • Per-IP rate limiting: Unauthenticated endpoints have IP-based limits to prevent abuse.
  • Daily quota enforcement: Free and Pro tiers have daily call limits (500/10,000).
  • Automatic throttling: Exceeding limits returns HTTP 429 with Retry-After header.
  • Persistent abuse: Automated detection can temporarily suspend keys exhibiting abusive patterns.

What We Don't Store

No Sensitive Financial Data Active

Regime Intelligence is a read-only market intelligence API. We never ask for, receive, or store:

  • Wallet private keys or seed phrases
  • Exchange API keys or trading credentials
  • Credit card numbers (handled exclusively by Stripe)
  • Trading history or portfolio holdings
  • Bank account information

Our API provides market data out. It never requires sensitive credentials in.

Infrastructure Security

Cloudflare Protection Active

  • DDoS mitigation: All traffic passes through Cloudflare's global network with automatic DDoS protection.
  • Web Application Firewall (WAF): Filters malicious requests before they reach our servers.
  • Bot management: Automated abuse detection for credential stuffing and scraping attempts.
  • Tunnel architecture: Origin server is not directly exposed to the internet. All traffic routes through Cloudflare Tunnel, eliminating direct attack surface.

Application Security Active

  • Input validation on all API parameters to prevent injection attacks.
  • Parameterized database queries (no string concatenation in SQL).
  • CORS headers configured to prevent unauthorized cross-origin access.
  • Dependencies monitored for known vulnerabilities.
  • No server-side rendering of user input (XSS prevention).
  • Automated security scanning: Semgrep static analysis runs on every push via GitHub integration, catching OWASP Top 10 vulnerabilities before deployment.

Data Minimization Active

  • No customer data stored beyond email address and hashed API key.
  • No payment data stored — all billing handled by Stripe (PCI-DSS Level 1).
  • API usage logs retained for 30 days, then purged.
  • No cookies or tracking pixels — analytics via privacy-first tools only.

Incident Response

  • Security incidents are investigated within 24 hours of detection.
  • Affected users are notified via email within 72 hours of a confirmed breach.
  • API keys are rotated and reissued if key material is compromised.
  • Post-incident reports are published for significant events.

Responsible Disclosure

We welcome security researchers who help us keep Regime Intelligence safe. If you discover a vulnerability:

  1. Email [email protected] with a detailed description of the issue.
  2. Include steps to reproduce the vulnerability.
  3. Allow us reasonable time (90 days) to address the issue before public disclosure.
  4. Do not access, modify, or delete data belonging to other users during your research.

We commit to:

  • Acknowledging your report within 48 hours.
  • Providing regular updates on remediation progress.
  • Crediting researchers (with permission) in our security acknowledgments.
  • Not pursuing legal action against researchers acting in good faith.

Compliance Roadmap

Current

  • HTTPS/TLS encryption on all endpoints
  • GDPR-aligned data rights (access, deletion, export)
  • Stripe PCI DSS compliance for payment processing
  • Privacy-focused analytics (Plausible, no cookies)
  • Cloudflare DDoS and WAF protection

Planned Roadmap

  • SOC 2 Type II — Planned when reaching $50K+ MRR. Will cover security, availability, and confidentiality trust service criteria.
  • Penetration testing — Annual third-party penetration testing planned at $25K+ MRR.
  • Bug bounty program — Formal program planned at $100K+ MRR.

Questions

For security-related questions or to report a vulnerability:

Email: [email protected]
General support: [email protected]

Regime — Crypto Market Intelligence · Terms · Privacy · Security · Contact