propcockpit

Security

Last updated: 10 June 2026

propcockpit connects to your trading account, so you deserve a plain explanation of how that access works, what we store, and what we can and cannot do. This page describes the actual mechanics — no marketing gloss. Questions: info@propcockpit.com.

We never see your broker password

You connect your cTrader account through Spotware’s official OAuth flow. You log in on Spotware’s own pages — your password is entered there, never on ours — and what we receive is a scoped access token for the account you authorized. You can revoke that access at any time from your cTrader / Spotware account settings, independently of us, and the token stops working immediately. You can also disconnect the account from within propcockpit.

Access tokens are encrypted at rest

The OAuth tokens we hold are stored using envelope encryption with AES-256-GCM: each connected broker account gets its own data-encryption key, and those keys are themselves encrypted by a master key that is kept outside the database. Someone with a copy of the database alone cannot read your tokens. Master keys are rotated, and rotation re-wraps the per-account keys without requiring you to reconnect. Tokens are never written to logs.

Trading actions are off by default

Connecting an account gives propcockpit read access for monitoring — balance, equity, positions, drawdown. Trading actions (placing, modifying, or closing orders) are off until you explicitly arm them, and you can disarm them again with a single switch at any time. Orders placed through the propcockpit terminal always carry a broker-side stop-loss — it is required, not optional.

What this protection depends on

An honest limitation: rule enforcement runs on our servers, so it requires propcockpit to be connected and running, and it depends on broker, API, and network availability. We never guarantee account safety. We recommend keeping broker-side stops on your positions as well — they live at the broker and survive any outage of ours.

Hosted in the EU

Our API runs on Fly.io in Frankfurt, Germany, and our database is hosted by Supabase in the EU. propcockpit is operated from Stockholm, Sweden, and EU data-protection law (GDPR) applies — see our privacy notice for details on what we collect and your rights.

Payments are handled by Stripe

Subscription payments are processed by Stripe. Your card details go directly to Stripe and never touch our servers — we store no card data.

Reporting a vulnerability

If you believe you have found a security issue in propcockpit, email info@propcockpit.com and we will respond as quickly as we can. Please give us a reasonable chance to fix the issue before disclosing it publicly.

← Back to home