Security

Security that doesn't ask you to trust us.

finqt cannot move your money — not even by accident. Every design decision, from API keys to app lock, starts from the same rule: finqt is a mirror, not a wallet.

Core principles

Four rules we don't break.

Zero custody

finqt never holds your coins, cash, or stocks. Your assets stay where you put them — on your exchange or in your self-custody wallet.

Read-only keys

Every exchange connection uses API keys with read-only permissions. finqt cannot place trades, cannot withdraw, cannot move anything.

Biometric app lock

Face ID, Touch ID, or a 6-digit PIN locks the whole app. Walk away from your phone and your portfolio is private again in seconds.

End-to-end encryption

API keys are encrypted at rest in the iOS Keychain, backed by the Secure Enclave. All traffic runs over TLS 1.3 with certificate pinning.

Defense in depth

Three layers of protection, one for every point of failure.

Most fintech breaches happen at a single weak link. finqt hardens three of them — device, network, and keys — so a compromise at any single layer cannot leak what the others protect.

Layer 01

On the device

Your phone is the front door. We lock it with the same primitives Apple uses for Apple Pay.

  • Face ID, Touch ID, or 6-digit PIN required to open the app
  • Secure Enclave-backed Keychain for every stored credential
  • Automatic lock after inactivity — configurable per user

Layer 02

On the wire

Every request leaves the device over TLS 1.3. Nothing in between can read it, and nothing can impersonate our servers.

  • TLS 1.3 with forward secrecy on every connection
  • Certificate pinning blocks MITM attacks at the socket level
  • No third-party analytics inside the request path

Layer 03

For your API keys

The keys that connect finqt to your exchanges never leave your device in plaintext and can never do more than read.

  • Read-only scope is validated on every request
  • Keys encrypted with the device hardware root
  • Revoke any key in one tap — from inside finqt or from the exchange

Built for how regulators audit fintech.

finqt's privacy and data-handling posture is designed from day one to line up with GDPR, Apple's App Store data transparency requirements, and the security primitives regulated financial apps are expected to use.

  • GDPR
  • App Store Privacy
  • iOS Keychain
  • TLS 1.3
  • SOC 2 in progress

FAQ

Tough questions, plain answers.

What's the worst that can happen if finqt is ever breached?

An attacker would see what you own — balances, positions, past trades. Nothing moves. No funds can be withdrawn, no trades placed, no keys stolen that would give anyone withdrawal access anywhere. That's the entire point of read-only, no-custody architecture.

What happens if I lose my phone?

Face ID, Touch ID, or your PIN protects the app on a new device — and you can remotely revoke your API keys from each exchange's dashboard in under a minute. Because finqt never holds your assets, losing your phone does not put your portfolio at risk.

Is finqt SOC 2 certified?

SOC 2 Type II is on our roadmap. In the meantime, we have built the technical controls (encryption at rest, TLS 1.3 in transit, keychain-backed storage, strict access audit logs) that any SOC 2 audit would require.

Do you have a bug bounty or responsible disclosure program?

Yes. If you believe you've found a security issue, please email us and we will respond within 48 hours. We publicly credit researchers who report valid findings.

Where is finqt incorporated and how does that affect my data?

finqt LLC-FZ is registered in the Meydan Free Zone, Dubai, UAE. Our processing is designed to satisfy GDPR-equivalent protections regardless of where the user lives. See our privacy policy for the full breakdown.

Responsible disclosure

Found something we should know about?

Email our security team directly. We read every report, respond within 48 hours, and credit researchers who report valid findings.