Security Overview

This program was designed with the user's security and privacy in mind. Please take a moment to review the TRADETAL security summary.

1. User Files

Files that you create using TRADETAL are stored in SQLite3 database containers. You may examine them using the included sqlite3 client program, or any program that can open SQLite3 files. However, all data inside the database is encrypted, at the user's option, with either Authenticated Encryption with Associated Data (AEAD), using the ChaCha20 stream cipher with the Poly1305 authenticator, or the AES-256-CTR cipher. For AEAD the key is a BLAKE2b hash of the password you enter when creating the file, and the encrypted data begins with the nonce. When the user selects AES-256-CTR encryption, the password is the key. Your password is not stored anywhere; if it is lost or forgotten, there is no way to recover the data.

We are unable to assist you in decrypting a data file without the passphrase you used to create it.

No rules are imposed on password complexity; however, the password must not be blank. It is up to the user to choose how strong their password is.

If you choose to export the data, the exported file is stored in clear text and is not encrypted.

2. Configuration Settings

Configuration settings, including the BackBlaze API User Id and Key, are encrypted to your local account. Anyone logged into your computer under your account could potentially access this information. However, if the file is accessed outside of your computer and user account, for example from a cloud storage backup, the information is not readable.

If you transfer the file to another computer, the configuration information will not be readable.

The configuration settings are tamper-resistant: if the software detects that the configuration files have been tampered with, the configuration is immediately wiped. This is done to prevent the addition of unintended YubiKey OTP devices, or of an unintended BackBlaze API User Id/API Key.

The YubiKey OTP is NOT used to encrypt your data.

3. YubiKey FIDO OTP Authentication

This program allows the user to require a YubiKey FIDO OTP device before the software will operate. This is an inexpensive USB dongle that can be used to control access to information. You can register up to five devices in the software configuration.

If your key is lost, stolen, or damaged, you have the option to wipe the configuration data and start fresh. This will NOT delete your data files; encryption of the data files is not tied to the USB dongle.

Note: If you opt to use a YubiKey, you must have an active Internet connection to authenticate. Your YubiKey OTP is validated using Yubico's public authenticator API. TRADETAL does not store your YubiKey code. An OTP is a "One Time Password", meaning it can only be used once. You should be aware that the YubiKey OTP begins with the YubiKey ID, followed by a random string used for authentication.
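
The OTP structure described above, as an added example that is not TRADETAL's code: a Yubico OTP is typed as modhex characters, the leading public ID identifies the key and the trailing 32 characters are the single-use token that only Yubico's validation service can check. The 12-character public ID length and the device-matching step are assumptions here; the page does not say how TRADETAL identifies its registered devices.

```javascript
// Added example (not TRADETAL's code) of the Yubico OTP structure: a modhex
// string whose prefix is the key's public ID and whose last 32 characters are
// the one-time token. Only the public ID is needed to match a registered
// device; the token is submitted to the validation API and never stored.
const MODHEX = 'cbdefghijklnrtuv'; // Yubico's keyboard-layout-independent hex alphabet
const PUBLIC_ID_LEN = 12;           // assumption: the common 12-character public ID
const TOKEN_LEN = 32;

// Map modhex to ordinary hex, or return null on a non-modhex character.
function modhexToHex(s) {
  let out = '';
  for (const ch of s) {
    const v = MODHEX.indexOf(ch);
    if (v < 0) return null;
    out += v.toString(16);
  }
  return out;
}

// Split a typed OTP into its public ID and one-time token.
// Returns null if the value is not a well-formed Yubico OTP.
function splitOtp(typed) {
  const otp = typed.trim().toLowerCase();
  if (otp.length !== PUBLIC_ID_LEN + TOKEN_LEN || modhexToHex(otp) === null) return null;
  return { publicId: otp.slice(0, PUBLIC_ID_LEN), token: otp.slice(PUBLIC_ID_LEN) };
}

// Local pre-check before contacting the validation API: the OTP must come from
// one of the (at most five) registered devices, identified by public ID.
function isRegisteredDevice(typed, registeredIds) {
  const parts = splitOtp(typed);
  return parts !== null && registeredIds.includes(parts.publicId);
}

// Constructed sample values, not a real key's output.
const REGISTERED_IDS = ['ccccccbbbbbb', 'vvcccccfcdrc'];
const SAMPLE_OTP = 'ccccccbbbbbb' + 'gdhreundrlcjfhdubhvnbbktlkcegvid';
```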

The YubiKey OTP is NOT used to encrypt your data.

4. BackBlaze Backup

This program allows the user to back up their data files using the BackBlaze B2 service. To use the service, the user must create a B2 account and retrieve the API User Id and API Key.

The account is free up to 10 GB, and no credit card is required to set it up.

The data files you back up to BackBlaze are encrypted using AEAD or AES-256-CTR and are not readable by anyone without the passphrase.

Files are stored in Bucket containers on the BackBlaze Cloud service. This software includes an option to automatically generate a randomized Bucket name; however, the user may type a Bucket name of their own choosing. The BackBlaze service requires globally unique Bucket names, so the user may receive an error that the Bucket already exists, either on their own account or possibly on another BackBlaze account. This should not be cause for alarm; knowing a Bucket name does not in itself give access to the data stored on the BackBlaze cloud service. In this case, the user should choose a more distinctive Bucket name.

5. Personally Identifiable Information

This program does not collect any personally identifiable information, and it does not store any personally identifiable information.

The user has the option to enter account names and account reference information at their discretion. The account information they enter is encrypted using AEAD or AES-256-CTR and stored only in the user-designated file.

The user can optionally download rate information from a remote server over the Internet. When this happens, the IP address of the requesting device is stored in a log file. The IP address information is used only to troubleshoot server issues, if the need arises.

If the user contacts us for support, the information they provide may be stored to facilitate contacting the customer regarding their specific request. The information will not be used for any other purpose, and shall not be distributed to third parties. All contact information you submit to us is stored in an encrypted zero-field forward-key database, to prevent the unauthorized distribution of your personal information.

6. Malware, Adware, Spyware and Viruses

This program is developed and compiled on specifically designated computers that are not used for other activities. We use two levels of virus and malware protection on these devices. Network activity is routed through a VPN. We also use firewalls with IDS protection on both the local and remote networks. We do not employ any contract-for-hire or freelance labor outside the company. We use software tools and libraries with verifiable reputations, and continuously monitor security announcements to determine whether a security issue affects us.

We certify that NO malware, adware, spyware or viruses are included in the TRADETAL software you purchase from us.

If you have any questions or concerns about the security of your information, please contact us using the Support menu option in the program.