1. Infrastructure Security
The XAUCORE platform is hosted on secure, isolated virtual private servers (VPS). We employ the following infrastructure security measures:
- Firewalls: Strict firewall rules block all incoming traffic except on the ports required for HTTP/HTTPS and SSH.
- SSH Key Authentication: Server access is restricted to authorised administrators using cryptographic SSH keys with passphrases. Password-based root login is disabled.
- System Updates: The operating system and core dependencies are regularly updated to patch known vulnerabilities.
2. Data Encryption
We protect your data both in transit and at rest:
- In Transit: All communication between your browser and the XAUCORE servers is encrypted using Transport Layer Security (TLS/SSL). This prevents interception of your login credentials and trading data.
- At Rest: User passwords are not stored in plain text. They are hashed using robust cryptographic algorithms (e.g., PBKDF2/scrypt) with unique salts.
3. Trade Journal Data Isolation
Your Trade Journal is your private workspace. We enforce strict data isolation:
- Database Level: All journal entries and image records are tied to your unique username. The application logic ensures that users can only query, view, edit, or delete records associated with their own account.
- File Storage: Chart screenshots are stored in a dedicated directory on the server. The application serves these images only after verifying the requesting user's session.
- No Third-Party Access: We do not share your Trade Journal data, P&L records, or trading strategies with any third parties, advertisers, or brokers.
4. Application Security
The XAUCORE application is built with security best practices to prevent common web vulnerabilities:
- Authentication: Secure session management is implemented using cryptographically signed cookies.
- Input Validation: All user inputs, including trade entries and file uploads, are strictly validated and sanitised to prevent SQL Injection and Cross-Site Scripting (XSS) attacks.
- File Upload Restrictions: Image uploads to the Trade Journal are restricted by file type (JPG, PNG, WEBP) and size (max 5 MB) to prevent malicious file execution.
5. AI Analysis Data
XAUCORE utilises AI (such as OpenAI's GPT models) to generate market analysis and macro intelligence. Please note:
- No Personal Data Sent: We do not send your personal information, Trade Journal entries, or account details to external AI providers.
- Anonymised Market Data: Only anonymised, objective market data (e.g., MT5 price ticks, macroeconomic news events) is sent to the AI models for analysis.
6. Data Retention and Deletion
You have full control over your data lifecycle:
- User-Initiated Deletion: You can delete individual Trade Journal entries or chart screenshots at any time. When you delete a record, it is permanently removed from the database, and the associated image file is deleted from the server storage.
- Account Deletion: If you request account deletion, all your associated data, including your Trade Journal, will be permanently erased from our active systems.
7. Incident Response
In the unlikely event of a security incident or data breach, XAUCORE has procedures in place to quickly identify, contain, and remediate the issue. We will notify affected users and relevant authorities in accordance with our Privacy Policy and applicable laws (PDPA 2024).
Effective Date: 1 May 2026 | XAUCORE | xaucore.com