How we protect accounts
An honest summary of the security controls implemented on TrustCoreMarket today. We describe only what is actually in place — nothing aspirational.
Authentication
Email one-time passcode on every sign-in
Users receive a one-time code by email each time they sign in. Codes expire after 10 minutes and a fresh code is required for every new session.
Bcrypt-hashed passwords
Passwords are hashed using bcrypt with a work factor appropriate for modern hardware. Plain-text passwords are never written to disk or logs.
Role-based admin access
Administrative actions are gated by role and scoped permissions. Only approved admin accounts can review KYC, approve deposits, or adjust balances.
Account monitoring & auditability
Account activity log
Every sign-in, balance change, deposit, withdrawal, and trade is written to an account activity log accessible from your dashboard.
Internal action audit
Privileged actions on the platform are recorded with actor ID, target account, and timestamp so balance adjustments and approvals are fully traceable.
Manual review of funds movement
Deposits and withdrawals go through a manual review step before funds move. Nothing is auto-approved on funded accounts.
Identity verification
KYC before funding
An account cannot request a deposit or place an order until identity verification is approved. Browsing and account review are available before KYC.
Manual document review
Each uploaded ID document, name, and date of birth goes through a manual review process. Typical review time is one business day during published hours.
Operational safeguards
Managed infrastructure
The platform runs on managed cloud infrastructure with regular backups and standard hardening practices. We do not operate physical hardware ourselves.
TLS in transit
All traffic between browsers and our servers is sent over HTTPS with modern TLS settings. Sensitive credentials are never sent in plain text.
Suspicious-activity flagging
Unusual patterns on funded accounts are flagged for manual review before any funds are moved off the platform.
Incident reporting & responsible disclosure
Found a security issue? Please report it privately and give us a reasonable window to respond before any public disclosure. We do not initiate legal action against good-faith researchers who follow responsible-disclosure practices.