Trust & Safety

Security at PROFISTRA

We protect your account, your funds, and your data using industry-standard measures — so you can invest with full confidence.

TLS encryption · Email-verified accounts · On-chain verification · Admin-reviewed withdrawals · 24/7 fraud monitoring · No private keys held
Effective: January 1, 2025. Last updated: January 1, 2025.
PROFISTRA is built with security as a first principle. Every layer of the platform — from account login to on-chain fund movement — is designed to protect your assets and personal information.

01 Our Security Commitment

Security is not an afterthought at PROFISTRA — it is foundational to everything we build. Our users trust us with their financial assets and personal data, and we take that responsibility seriously at every level of the platform.

Our security programme is structured around six core pillars:

Identity & Access
Email verification, JWT sessions, and admin-controlled roles ensure only the right people can take the right actions.
Asset Protection
Every withdrawal is manually reviewed by staff. Lock periods and on-chain verification prevent fraud and unauthorised movements.
Infrastructure
TLS-encrypted transit, Firebase-managed authentication, and server-side validation at every API endpoint.
Data Security
All user data is stored in Google Cloud Firestore with AES-256 encryption at rest and role-based access rules.
Fraud Monitoring
Automated systems analyse all transactions for unusual patterns, velocity spikes, and behaviours associated with financial crime.
Compliance
Full AML/CTF programme, international sanctions screening, and 5-year record retention aligned with applicable regulation.

02 Account & Authentication Security

Your PROFISTRA account is protected by multiple layers of authentication and access control, from registration through every subsequent login.

01 Email Verification Required
Every new account must verify its email address before any financial activity is permitted. Unverified accounts cannot deposit, invest, or withdraw, which eliminates throwaway and fraudulent registrations.
02 Firebase Authentication & JWT Tokens
Login is powered by Google Firebase Authentication. Every authenticated request carries a short-lived JSON Web Token (JWT) that is verified server-side on each API call: the signature, issuer, audience and expiry are all checked before any operation runs. Firebase ID tokens are valid for one hour and are refreshed by the client session; a token presented after its expiry is rejected, so an expired token cannot be replayed.
03 Google Sign-In Option
Users may register and authenticate via Google OAuth, delegating identity verification to Google's own security infrastructure, including advanced threat protection for high-risk sign-in attempts.
04 Password Security
Passwords are hashed with an adaptive-cost algorithm before storage: bcrypt for credentials handled by our own servers, while accounts managed by Firebase Authentication are protected by Firebase's own salted, adaptive password hash. The plaintext password is never logged, never transmitted again after submission, and never stored in any recoverable form. Password reset links are delivered via time-limited email tokens.
05 Session Management
Sessions are managed by Firebase and expire automatically. Where cookies are used, they carry the HttpOnly flag (page scripts cannot read them) and the SameSite flag (cross-site requests do not send them), which protects against JavaScript-based session theft and cross-site request forgery respectively.
06 Rate Limiting & Brute Force Protection
Authentication endpoints are rate-limited to block automated credential-stuffing attacks. Repeated failed attempts trigger progressive delays. Verification email requests are throttled per address to prevent spam abuse.
Firebase Auth · JWT sessions · Email verification gate · bcrypt hashing · Google OAuth 2.0 · API rate limiting

03 Platform Infrastructure Security

The PROFISTRA platform runs on enterprise-grade cloud infrastructure with security controls enforced at every layer.

Transport Security: All communication between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS). Connections over plain HTTP are not accepted. Our TLS certificate is monitored and automatically renewed, so certificate expiry never leaves users facing browser warnings or an unavailable service.

API Security: Every authenticated API endpoint validates the caller's JWT server-side before executing any operation. Unauthenticated requests are rejected with a generic error that discloses nothing about the requested resource. Admin-only endpoints require a second layer of identity verification and are accessible solely to accounts holding the administrator role.

Input Validation & Sanitisation: All user-supplied input is validated and sanitised server-side before use. Database access goes through Google Firebase's SDK, which builds Firestore queries from typed method calls rather than from concatenated query strings, so the string-injection vector behind classic NoSQL injection does not arise. Type and range checks on input are still applied, because a structured query API validates syntax, not business rules.

Database Security: User data is stored in Google Cloud Firestore, which provides AES-256 encryption at rest by default. Database access is governed by server-side security rules enforcing role-based permissions: users can only access their own data, and only via our authenticated API layer. Code using the Firebase Admin SDK is not subject to Firestore security rules, so the role checks are enforced in the API layer itself and the rules act as a backstop against direct client access to the database.

Monitoring & Logging: Application events, API calls, and administrative actions are logged with timestamps and identity metadata. Logs are reviewed for anomalous patterns and retained for security investigation purposes.

TLS 1.2+ / HTTPS · Google Cloud Firestore · AES-256 at rest · Server-side validation · Role-based access control · Admin action logging

04 Funds & Transaction Security

The security of your funds is our highest priority. PROFISTRA employs overlapping controls to ensure every deposit is legitimate and every withdrawal is authorised.

Blockchain Deposit Verification: Every deposit is verified directly against the TRON blockchain via TronGrid, our blockchain data provider. We confirm that the submitted transaction hash corresponds to a real, confirmed USDT TRC-20 transfer to the correct platform wallet, and we credit exactly the amount recorded on-chain. Deposits are only recognised once the transaction has reached on-chain confirmation; a transaction cannot be fabricated client-side.
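The decision logic behind that paragraph, as an added example written for this page rather than PROFISTRA's own code. The chain lookup is a constructed in-memory table standing in for a TronGrid query, the field names are a normalised shape of our own (not TronGrid's response schema), the platform wallet and the "fake USDT" contract are placeholders, and the 19-block confirmation threshold is an assumed policy. The USDT contract address is the real TRON mainnet one. Beyond the checks the paragraph names, the example adds two that a practitioner would insist on: amounts are handled as integer base units (USDT has 6 decimals), never as floats, and each transaction hash is credited at most once, after normalising its case, so re-submitting the same hash cannot produce a second credit.

```javascript
// Added example, not PROFISTRA code: decision logic for crediting a TRC-20
// USDT deposit from a user-submitted transaction hash. The chain lookup is a
// constructed in-memory table standing in for a TronGrid query; addresses
// other than the USDT contract are placeholders.
const USDT_TRC20 = 'TR7NHqjeKQxGTCi8q8ZY4pL8otSzgjLj6t';   // USDT (TRC-20) mainnet contract
const PLATFORM_WALLET = 'T_PLATFORM_WALLET_PLACEHOLDER';    // assumed; not a real address
const MIN_CONFIRMATIONS = 19;  // assumed policy: ~19 blocks is TRON's solidified threshold
const USDT_DECIMALS = 6;

// Decimal string -> integer base units. Deposits are never handled as floats.
function toBaseUnits(amountStr, decimals = USDT_DECIMALS) {
  const m = new RegExp(`^(\\d+)(?:\\.(\\d{1,${decimals}}))?$`).exec(String(amountStr));
  if (!m) throw new Error(`unparseable amount ${amountStr}`);
  return BigInt(m[1] + (m[2] || '').padEnd(decimals, '0'));
}

// Constructed records in a normalised shape of our own (not TronGrid's
// response schema). Keys are 64-hex TRON transaction ids.
const CHAIN = new Map([
  ['a1'.repeat(32), { ok: true, contract: USDT_TRC20, to: PLATFORM_WALLET, value: 12500000n, confirmations: 40 }],
  ['b2'.repeat(32), { ok: true, contract: USDT_TRC20, to: PLATFORM_WALLET, value: 5000000n, confirmations: 3 }],
  ['c3'.repeat(32), { ok: true, contract: 'T_FAKE_USDT_PLACEHOLDER', to: PLATFORM_WALLET, value: 99000000n, confirmations: 40 }],
  ['d4'.repeat(32), { ok: true, contract: USDT_TRC20, to: 'T_OTHER_WALLET_PLACEHOLDER', value: 12500000n, confirmations: 40 }],
  ['e5'.repeat(32), { ok: true, contract: USDT_TRC20, to: PLATFORM_WALLET, value: 12500000n, confirmations: 40 }],
]);

// Returns {credited: bigint} on success or {rejected: reason}. `credited` is
// the set of hashes already paid in; a real system consults and updates it
// atomically (a transaction on a ledger row keyed by the hash).
function verifyDeposit(txHashInput, claimedAmount, chain, credited) {
  const txHash = String(txHashInput).trim().toLowerCase();           // normalise before any lookup
  if (!/^[0-9a-f]{64}$/.test(txHash)) return { rejected: 'malformed transaction hash' };
  if (credited.has(txHash)) return { rejected: 'already credited' };  // replay / double submission
  const tx = chain.get(txHash);
  if (!tx) return { rejected: 'not found on chain' };                // may still be pending
  if (!tx.ok) return { rejected: 'transaction failed on chain' };
  if (tx.contract !== USDT_TRC20) return { rejected: 'wrong token contract' }; // look-alike tokens
  if (tx.to !== PLATFORM_WALLET) return { rejected: 'not sent to platform wallet' };
  if (tx.confirmations < MIN_CONFIRMATIONS) return { rejected: 'insufficient confirmations' };
  let claimed;
  try { claimed = toBaseUnits(claimedAmount); } catch (e) { return { rejected: e.message }; }
  if (claimed !== tx.value) return { rejected: 'amount mismatch' };  // only the on-chain value is ever credited
  credited.add(txHash);
  return { credited: tx.value };
}

// Constructed demo exercising each branch.
function demo() {
  const credited = new Set();
  const run = (h, amt) => { const r = verifyDeposit(h, amt, CHAIN, credited); return r.rejected || `credited:${r.credited}`; };
  return {
    good: run('a1'.repeat(32), '12.50'),
    replay: run('A1'.repeat(32), '12.5'),        // same hash resubmitted in upper case
    fresh: run('b2'.repeat(32), '5'),
    fakeToken: run('c3'.repeat(32), '99'),
    wrongWallet: run('d4'.repeat(32), '12.5'),
    mismatch: run('e5'.repeat(32), '12.51'),
    badHash: run('0x' + 'a1'.repeat(32), '12.5'),
  };
}

module.exports = { toBaseUnits, verifyDeposit, demo, CHAIN };
```

The ordering matters: the replay check runs before the chain lookup, so a hash that has already paid in is refused without spending a provider call, and the amount comparison is the last step so that a mismatch is reported against a transfer already known to be real.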

Withdrawal Address Validation: All withdrawal destination addresses are validated as well-formed TRON addresses (the base58check format used for TRC-20 transfers: 34 characters beginning with T, carrying a 4-byte checksum) before any transaction is queued. Malformed or invalid addresses, including addresses with a single mistyped character, are rejected immediately.

Admin Approval Checkpoint: Every withdrawal request is held in a pending queue and manually reviewed by a member of our operations team before funds are dispatched. This human checkpoint prevents automated exploitation and allows our team to flag and investigate suspicious requests prior to execution.

15-Day Withdrawal Lock Period: Funds invested in a plan are subject to a mandatory 15-day lock period. This deters the rapid deposit-and-withdrawal patterns associated with fraud, money laundering, and platform abuse. The lock period begins from the date of investment activation and is transparently displayed in your dashboard at all times.

No User Private Key Storage: PROFISTRA does not hold or store your personal wallet private keys. Your withdrawal address is a destination you specify — we only hold USDT in the platform's operational wallet on your behalf, and funds are only released to your verified withdrawal address upon your explicit request and admin approval.

All USDT transactions are permanently recorded on the TRON blockchain and are publicly verifiable at tronscan.org using the transaction hash shown in your dashboard. This provides a transparent, immutable audit trail.

05 Fraud Detection & Prevention

PROFISTRA operates a continuous fraud detection programme designed to identify and stop malicious or suspicious activity before it can affect legitimate users.

Transaction Velocity Monitoring: Our systems analyse deposit and withdrawal behaviour for patterns consistent with financial crime — including rapid cycling of funds, disproportionately large single transactions, and coordinated multi-account activity. Flagged transactions are automatically escalated for manual compliance review.

Referral Fraud Detection: Our referral programme is monitored for abuse including self-referral chains, coordinated referral rings, and unusually concentrated commission flows. Accounts confirmed to be gaming the referral system are suspended and commissions are reversed.

IP & Geolocation Monitoring: Login events are logged with IP address and approximate geolocation. Access from jurisdictions on international sanctions lists is blocked at the platform level in accordance with our AML Policy.

Deposit Source Screening: We screen incoming deposit transactions for risk signals. Deposits from wallet addresses associated with known illicit activity, cryptocurrency mixing services, or high-risk counterparties may be held pending a compliance review before funds are credited.

reCAPTCHA Protection: Public-facing forms and sensitive operations are protected by Google reCAPTCHA to prevent automated bot submissions, account creation abuse, and scripted flooding of those forms.

PROFISTRA will never contact you asking for your password, private key, or seed phrase. Any such request — regardless of where it appears — is a scam. Report it immediately to support@profistrafunds.com.

06 Data Protection

We apply strict controls to how your personal data is stored, accessed, and processed. This section summarises our technical controls. For the full legal framework, see our Privacy Policy.

Encryption at Rest: All data stored in our Firebase Firestore database is encrypted at rest by Google's infrastructure using AES-256. Backup data is encrypted with the same standard. We do not store any sensitive data in unencrypted flat files.

Encryption in Transit: All data transmitted between your browser and our servers is protected by TLS 1.2 or higher. We do not permit unencrypted HTTP connections at any point in the request path.

Principle of Least Privilege: Staff access to user data is restricted to what is necessary for a given role. Customer financial data is not accessible to employees outside authorised support and compliance functions. All administrative actions are logged with the identity of the acting administrator.

Third-Party Security: Our service providers — Google Firebase, TronGrid, and email delivery services — are selected for their established security practices. All operate under data processing agreements that restrict use of your data to service delivery for PROFISTRA only.

Data Retention: Transaction records and compliance-relevant account data are retained for 5 years following account closure, as required by applicable AML regulations. Non-essential data is deleted upon account closure or at the end of the mandatory retention period.

07 Your Security Best Practices

Platform security is a shared responsibility. Here is what you can do to keep your PROFISTRA account safe at all times:

Use a Strong, Unique Password
Choose a password at least 12 characters long that you do not use on any other service. Use a password manager to generate and store it securely.
Secure Your Email Account
Your email is the recovery path for your PROFISTRA account. Enable two-factor authentication on your email provider to block account takeover via password reset.
Verify Withdrawal Addresses Carefully
Always double-check your TRC-20 destination address before submitting a withdrawal. Blockchain transactions are irreversible. Beware of clipboard-hijacking malware that silently replaces copied addresses.
Access PROFISTRA Only via Official Channels
Our official domain is profistrafunds.com. Bookmark it directly — do not follow links from unsolicited emails, social media posts, or Telegram messages claiming to be from us.
Log Out on Shared Devices
Always sign out when using a shared or public computer. Do not save your PROFISTRA credentials in public browser profiles.
Be Alert to Phishing Attempts
PROFISTRA will never send unsolicited messages requesting your password, private keys, or payment outside the platform. If you receive any communication you are unsure about, contact our support team before taking any action.
Monitor Your Account Regularly
Review your balance, investments, and transaction history in your dashboard. If you see any activity you did not initiate, contact us immediately at support@profistrafunds.com.

08 Responsible Disclosure

We welcome reports from security researchers and members of the public who discover potential vulnerabilities in our platform. We are committed to working collaboratively and transparently to address any issues reported responsibly.

What to report:

  • Authentication or session security vulnerabilities;
  • Privilege escalation or unauthorised data access;
  • Injection vulnerabilities (NoSQL, command, or template injection);
  • Cross-site scripting (XSS) or cross-site request forgery (CSRF);
  • Cryptographic weaknesses or insecure direct object references;
  • Business logic flaws that could allow fund manipulation or account takeover.

How to report: Send a detailed report to security@profistrafunds.com with the subject line "Security Disclosure". Please include: a clear description of the vulnerability, step-by-step reproduction instructions, your assessment of the potential impact, and any proof-of-concept you consider safe to share. Do not disclose vulnerabilities publicly until we have had a reasonable opportunity to investigate and apply a fix.

Our commitments to researchers:

  • We will acknowledge receipt of your report within 2 business days;
  • We will keep you informed of our investigation and remediation progress;
  • We will not pursue legal action against researchers acting in good faith and within the scope above;
  • We will credit responsible disclosures publicly if the reporter consents.
For general account security questions or to report suspected account compromise, contact support@profistrafunds.com or use our Contact page. We typically respond within 24 hours.