Security-First by Design
Liftx is designed with a security-first mindset. We build safeguards to protect accounts, reduce abuse, and secure sensitive information such as exchange connection credentials.
This Security page describes some of the key technical measures Liftx uses today and how to contact us about security concerns. It is not an exhaustive list of all safeguards, controls, and processes in place to protect the platform, its users, and their data.
Important: This page is provided for general informational purposes only. It does not create contractual obligations or warranties, and it does not guarantee that security incidents will never occur. Security controls and processes evolve over time.
Security Overview
At Liftx, trust is foundational. Our approach is based on defense-in-depth: we combine secure transport, strong authentication, hardened session handling, encrypted secrets, and automated abuse controls.
Key measures include:
- Secure transport for all traffic using HTTPS/WSS (TLS).
- Signed access tokens with key rotation support and strict claim validation.
- Rotating refresh tokens with replay detection.
- Strong password protection using cryptographic hashing plus an additional server-side hardening layer.
- Multi-factor authentication (MFA) with secrets encrypted at rest using authenticated encryption.
- Exchange API credentials encrypted at rest using authenticated encryption.
- Secure account recovery via single-use, time-limited recovery tokens.
- Abuse protection including automated detection and rate limiting against brute-force attempts and abusive traffic.
Privacy-First by Design
We respect your rights over your personal information. We only collect the data we need to operate Liftx securely and provide the Service, and we aim to be transparent about how we use it and when it may be shared.
For more details, see our Privacy Policy: https://liftx.io/privacy
Built in the USA (Transparency and Accountability)
Liftx is developed and operated by Jointl Inc., a company incorporated in the United States.
Being U.S.-based means we operate with a strong focus on transparency, accountability, and compliance with applicable laws. We maintain internal policies and controls designed to help us:
- protect customer accounts and sensitive information,
- respond promptly to security issues and user requests,
- enforce acceptable use and prevent abuse,
- continuously improve our safeguards as the product evolves.
We believe trust is earned through clear communication and responsible operations — not marketing claims.
Encryption
Encryption in transit
Liftx encrypts data in transit using TLS for all supported entry points, including:
- web traffic over HTTPS
- real-time connections over WSS
This helps protect your data from interception or tampering while it travels between your device and our services.
Encryption at rest
We encrypt sensitive secrets at rest using authenticated encryption. This includes:
- Exchange API credentials you choose to store in Liftx
- MFA secrets used to support multi-factor authentication
Authenticated encryption is designed to provide confidentiality and integrity protection for stored secrets.
Authentication and Session Security
Liftx implements layered protections for account authentication and session handling:
- Signed access tokens are used to authorize requests. Tokens are validated strictly (including claims validation) to reduce the risk of token misuse.
- Key rotation support allows cryptographic keys used for signing to be rotated over time.
- Rotating refresh tokens are used to renew sessions safely.
- Replay detection helps reduce the risk that a stolen refresh token could be reused.
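As an added illustration (not Liftx's code and not part of the original page), the following Python example shows one common way rotating refresh tokens and replay detection fit together: each refresh token is valid for a single exchange, and presenting an already-exchanged token revokes every token descended from the same login. The class name, the in-memory storage, and the revoke-the-whole-family policy are assumptions; the page does not describe how Liftx implements these controls.

```python
import hashlib
import secrets
import time


class RefreshTokenStore:
    """Hypothetical in-memory store; a real service would persist this."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self.tokens = {}                # sha256(token) -> record
        self.revoked_families = set()   # families killed after a replay

    @staticmethod
    def _digest(token):
        # Only a digest is stored, so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def _mint(self, user_id, family_id):
        token = secrets.token_urlsafe(32)
        self.tokens[self._digest(token)] = {
            "user": user_id, "family": family_id,
            "expires": self.clock() + self.ttl, "used": False,
        }
        return token

    def issue(self, user_id):
        """Start a new session (a new token family) after a successful login."""
        return self._mint(user_id, secrets.token_hex(8))

    def rotate(self, presented):
        """Exchange a refresh token for its successor: (status, new_token)."""
        rec = self.tokens.get(self._digest(presented))
        if rec is None:
            return "unknown", None
        if rec["family"] in self.revoked_families:
            return "revoked", None
        if rec["used"]:
            # A token that was already exchanged came back, so two parties hold
            # copies of it. Revoke the family so neither can keep renewing.
            self.revoked_families.add(rec["family"])
            return "replay_detected", None
        if self.clock() >= rec["expires"]:
            return "expired", None
        rec["used"] = True
        return "ok", self._mint(rec["user"], rec["family"])
```

A "replay_detected" result is also a useful security log event, since it indicates a refresh token was copied from the legitimate client.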
Network, Browser & Client-Side Security Controls
Liftx applies layered protections at the network, browser, and client levels to reduce the risk of interception, injection, and request-manipulation attacks.
On web and API surfaces, Liftx applies modern HTTP and browser security controls designed to harden the edge of the platform, including:
- Strict Transport Security (HSTS) to help prevent protocol downgrade and man-in-the-middle attacks.
- Content Security Policy (CSP) to limit script execution and reduce the risk of cross-site scripting and injection.
- Hardened session cookies, including HttpOnly, Secure, and appropriate SameSite attributes where applicable.
- Request-integrity protections (such as CSRF defenses) for sensitive and state-changing operations.
Liftx minimizes reliance on third-party scripts in security-sensitive contexts. Where third-party code is required, strict allowlisting and integrity controls may be applied to reduce supply-chain risk.
On supported clients (including iOS), Liftx relies on platform-level transport security and additional safeguards designed to reduce interception risk during high-sensitivity workflows.
Password Security
Passwords are protected using industry-standard cryptographic hashing. We also apply an additional server-side hardening layer (a secret-key-based protection) to strengthen resistance against offline cracking attempts if password hashes were ever exposed.
Liftx never stores plaintext passwords.
Protection of MFA and Exchange Credentials
Multi-factor authentication (MFA)
Liftx supports MFA to help protect accounts even if a password is compromised. MFA secrets are encrypted at rest using authenticated encryption.
Exchange API credentials
Liftx can connect to third-party exchanges using API credentials you provide. Those credentials are encrypted at rest using authenticated encryption.
Important: You control the permissions granted to API credentials at your exchange. We strongly recommend granting only the minimum permissions required for your intended use (for example, trading-only permissions where supported, and no withdrawal permissions unless explicitly necessary). Liftx does not require your exchange password.
Account Recovery
Liftx supports account recovery mechanisms designed to reduce the risk of unauthorized takeovers:
- Single-use recovery tokens
- Time-limited recovery windows
If you suspect unauthorized activity, contact us immediately at security@liftx.io and support@liftx.io.
Abuse Prevention and Brute-Force Protection
Liftx uses automated protections to help defend against common attacks, including:
- rate limiting and throttling to reduce brute-force attempts,
- automated detection of abusive traffic patterns,
- controls designed to protect log-in, session, and sensitive workflows.
These measures are designed to protect both the Service and our users.
Logging and Monitoring
We maintain security-relevant logs to support:
- account security (for example, authentication and session events),
- abuse and fraud detection,
- investigation and incident response.
Security logs and support communications may be retained after account deletion for fraud prevention, incident investigation, and dispute resolution, as described in the Privacy Policy.
High-Performance Resilient Architecture & Infrastructure
Liftx is engineered as a high-performance trading terminal, with infrastructure designed for both resilience and ultra-low-latency execution workflows.
Liftx operates on a distributed platform architecture designed to:
- reduce single points of failure through redundancy and isolation,
- maintain continuity during partial infrastructure or exchange-side disruptions,
- support fast, predictable behavior in rapidly changing market conditions.
Liftx runs on high-performance server infrastructure selected for demanding workloads, including modern multi-core CPUs, fast memory, and optimized compute configurations. Operational workloads are designed to scale horizontally through service-level sharding and isolation as usage grows.
While no online system can eliminate all risk of outages or third-party failures, Liftx’s architecture is designed to help keep the platform responsive, secure, and reliable even under adverse conditions, including exchange instability, network disruptions, or sudden traffic spikes.
Availability Protection and DDoS Resilience
Liftx is designed to remain available and responsive under adverse network conditions, including sudden traffic spikes and malicious request floods.
The platform applies multiple layers of availability protection, including:
- network-level traffic filtering and request throttling,
- automated detection of abnormal or abusive request patterns,
- isolation of critical services to limit blast radius,
- capacity-aware workload distribution and scaling.
These controls are designed to help mitigate common denial-of-service and resource-exhaustion attacks while preserving normal user access whenever possible.
Because Liftx depends on external networks and third-party exchanges, no system can fully eliminate the risk of availability disruptions. However, the platform is engineered to degrade gracefully, prioritize core functionality, and recover quickly when abnormal conditions occur.
Ultra Low-Latency Trading
Trading environments demand speed, determinism, and reliability. Liftx is designed to minimize avoidable latency by:
- optimizing critical “hot paths” used for order and execution logic,
- keeping frequently accessed trading state in memory,
- reducing dependence on persistent storage in time-sensitive workflows,
- pre-loading and warming key operational data required to react quickly when conditions change,
- and applying additional performance-oriented architectural optimizations across the platform.
Private Infrastructure and Secure Internal Communications
Liftx operates its core services within a private, access-restricted infrastructure designed to minimize external exposure and reduce unnecessary attack surface.
Internal service-to-service traffic is transmitted over encrypted channels within controlled private network boundaries, using modern cryptographic protocols to protect confidentiality and integrity. This layered isolation model helps limit unauthorized internal access and reduce the risk of network-based attacks beyond the public application edge.
Controlled Email Infrastructure
Liftx operates a controlled email delivery infrastructure for security-sensitive communications such as account verification, recovery links, and one-time authentication tokens.
Security messages are generated and transmitted in a manner that minimizes third-party exposure of sensitive authentication material, reducing reliance on external messaging providers for critical security workflows.
Backups and Resilience
We perform routine backups of critical systems to support service resilience and recovery.
As a default policy:
- backups are retained for up to 35 days and then overwritten, subject to operational requirements.
Backup retention may vary by system and may be extended in limited circumstances (for example, during incident response).
True Account Deletion
Liftx is built with a clear principle: when you choose to delete your account, your data should be deleted — not merely anonymized and retained indefinitely.
Upon account deletion, Liftx removes core personal and trading data associated with the account from active systems within defined timeframes, including account identifiers, exchange connections, positions, orders, trade history, and related trading data. Deleted data is not used to restore the account or to continue providing the Service.
Like most security-focused platforms, Liftx may retain a limited set of records after account deletion where necessary to protect users and the platform — for example, security logs or support communications required to investigate fraud, security incidents, or resolve disputes fairly. These records are retained for limited periods and are not used for analytics, profiling, or continued trading activity.
Liftx believes that clear, enforceable deletion — rather than indefinite anonymization — provides stronger privacy guarantees, greater transparency, and more meaningful user control.
In-App Support (Secure Support Chat)
Liftx includes a built-in in-app support chat designed for fast, private, and secure help with your Liftx experience.
Unlike many apps that rely on third-party chat vendors, Liftx’s support chat is developed and operated by us. This means your support messages are not routed through third-party chat providers, reducing unnecessary exposure of sensitive context.
You can use in-app support to:
- resolve account access issues (including login and security-related questions),
- report unexpected behavior with orders, positions, and terminal features,
- request help with exchange connections and permissions,
- ask product questions and troubleshoot issues.
Your Role in Security
Security is a shared responsibility. You can significantly improve your safety by:
- using a unique, strong password,
- enabling MFA,
- securing your email account (since it may be used for recovery),
- keeping your device OS/browser updated,
- restricting exchange API key permissions to the minimum required,
- monitoring your exchange account and open orders regularly.
What we protect
Support chats may include details such as your email address, position ID, and order information. We treat support messages as sensitive and use safeguards designed to protect them, including encryption in transit and strict access controls.
Data sharing
We do not sell information. We do not use third-party chat providers to store or process your in-app support conversations.
Responsible Disclosure
If you believe you have discovered a security vulnerability, please contact us:
- Email: security@liftx.io
- Subject line: “Responsible Disclosure”
When reporting, please include:
- a clear description of the issue,
- steps to reproduce (if known),
- the affected component(s),
- any evidence you have (screenshots, logs, timestamps).
Please do not:
- access or modify data that does not belong to you,
- disrupt the Service (e.g., denial of service),
- use social engineering to obtain access.
We appreciate responsible disclosure and aim to investigate reports promptly.
Changes to This Document
We may update this Security page from time to time as our safeguards evolve. The “Last updated” date indicates when changes were made.
Contact
- Security: security@liftx.io
- Privacy: privacy@liftx.io
- Support: support@liftx.io
Last updated: January 18, 2026