Trust & Safety

Security at PROFISTRA

We protect your account, your funds, and your data using industry-standard measures — so you can invest with full confidence.

Highlights: TLS 256-bit Encrypted · Email Verified Accounts · On-Chain Verification · Admin-Reviewed Withdrawals · 24/7 Fraud Monitoring · No Private Key Held

Effective: January 1, 2025. Last updated: January 1, 2025.

PROFISTRA is built with security as a first principle. Every layer of the platform — from account login to on-chain fund movement — is designed to protect your assets and personal information.

01 Our Security Commitment

Security is not an afterthought at PROFISTRA — it is foundational to everything we build. Our users trust us with their financial assets and personal data, and we take that responsibility seriously at every level of the platform.

Our security programme is structured around six core pillars:

Identity & Access: Email verification, JWT sessions, and admin-controlled roles ensure only the right people can take the right actions.
Asset Protection: Every withdrawal is manually reviewed by staff. Lock periods and on-chain verification prevent fraud and unauthorised movements.
Infrastructure: TLS-encrypted transit, Firebase-managed authentication, and server-side validation at every API endpoint.
Data Security: All user data is stored in Google Cloud Firestore with AES-256 encryption at rest and role-based access rules.
Fraud Monitoring: Automated systems analyse all transactions for unusual patterns, velocity spikes, and behaviours associated with financial crime.
Compliance: Full AML/CTF programme, international sanctions screening, and 5-year record retention aligned with applicable regulation.

02 Account & Authentication Security

Your PROFISTRA account is protected by multiple layers of authentication and access control, from registration through every subsequent login.

01 Email Verification Required
Every new account must verify its email address before any financial activity is permitted. Unverified accounts cannot deposit, invest, or withdraw — eliminating throwaway and fraudulent registrations.
02 Firebase Authentication & JWT Tokens
Login is powered by Google Firebase Authentication. Every authenticated request uses a short-lived JSON Web Token (JWT) verified server-side on each API call. Tokens expire automatically and are tied to your device session — they cannot be replayed after expiry.
03 Google Sign-In Option
Users may register and authenticate via Google OAuth, delegating identity verification to Google's own security infrastructure — including advanced threat protection for high-risk sign-in attempts.
04 Password Security
Passwords are hashed using bcrypt with an adaptive cost factor before storage. The plaintext password is never logged, transmitted after submission, or stored in any recoverable form. Password reset links are delivered via time-limited email tokens.
05 Session Management
Sessions are managed by Firebase and expire automatically. We use HttpOnly and SameSite cookie flags where applicable to prevent cross-site request forgery and JavaScript-based session theft.
06 Rate Limiting & Brute Force Protection
Authentication endpoints are rate-limited to block automated credential-stuffing attacks. Repeated failed attempts trigger progressive delays. Verification email requests are throttled per address to prevent spam abuse.

Highlights: Firebase Auth · JWT Sessions · Email Verification Gate · bcrypt Hashing · Google OAuth 2.0 · API Rate Limiting
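The two throttles described in item 06 (progressive delays on failed logins, and a per-address quota on verification emails), as an added example that is not PROFISTRA's code. The thresholds are assumed, and the state is in-memory, so it is per process; a real deployment keys the same logic off a shared store so every API instance sees the same counters.

```javascript
// Added example (not PROFISTRA's code). Thresholds below are assumed values.
// Key the login throttle on something an attacker cannot cheaply vary, e.g.
// the target account id combined with the client IP, so a credential-stuffing
// run is slowed without letting one attacker lock every user out.
class LoginThrottle {
  constructor({ freeAttempts = 3, baseDelayMs = 1000, maxDelayMs = 15 * 60 * 1000, windowMs = 15 * 60 * 1000 } = {}) {
    Object.assign(this, { freeAttempts, baseDelayMs, maxDelayMs, windowMs });
    this.state = new Map(); // key -> { failures, lastFailure }
  }

  // Call before checking credentials. After the free attempts, the required wait
  // doubles with every further failure and is capped at maxDelayMs.
  check(key, now = Date.now()) {
    const st = this.state.get(key);
    if (!st) return { allowed: true };
    if (now - st.lastFailure > this.windowMs) {
      this.state.delete(key); // quiet for a whole window: forget the history
      return { allowed: true };
    }
    if (st.failures < this.freeAttempts) return { allowed: true };
    const delay = Math.min(this.baseDelayMs * 2 ** (st.failures - this.freeAttempts), this.maxDelayMs);
    const retryAfterMs = st.lastFailure + delay - now;
    return retryAfterMs > 0 ? { allowed: false, retryAfterMs } : { allowed: true };
  }

  recordFailure(key, now = Date.now()) {
    const st = this.state.get(key) ?? { failures: 0, lastFailure: now };
    st.failures += 1;
    st.lastFailure = now;
    this.state.set(key, st);
  }

  // A successful login clears the counter for that key.
  recordSuccess(key) {
    this.state.delete(key);
  }
}

// Fixed quota per e-mail address: at most `limit` verification mails per window,
// so a form cannot be used to flood a mailbox.
class EmailQuota {
  constructor({ limit = 3, windowMs = 60 * 60 * 1000 } = {}) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.sent = new Map(); // normalised address -> timestamps of mails sent
  }

  // Returns true and records the send if the address is under quota, else false.
  tryConsume(address, now = Date.now()) {
    const key = address.trim().toLowerCase(); // case/whitespace variants share one quota
    const recent = (this.sent.get(key) ?? []).filter((t) => now - t < this.windowMs);
    if (recent.length >= this.limit) {
      this.sent.set(key, recent);
      return false;
    }
    recent.push(now);
    this.sent.set(key, recent);
    return true;
  }
}
```

A denied `check()` result carries `retryAfterMs`, which maps directly onto an HTTP 429 with a `Retry-After` header; the response body should not reveal whether the account exists.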

03 Platform Infrastructure Security

The PROFISTRA platform runs on enterprise-grade cloud infrastructure with security controls enforced at every layer.

Transport Security: All communication between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS). Connections over plain HTTP are not accepted. Our SSL certificate is monitored and auto-renewed to prevent expiry-related downtime or downgrade attacks.

API Security: Every authenticated API endpoint validates the caller's JWT token server-side before executing any operation. Unauthenticated requests are rejected with no data disclosure. Admin-only endpoints require a second layer of identity verification and are accessible solely to accounts holding the administrator role.

Input Validation & Sanitisation: All user-supplied input is validated and sanitised server-side before use. We use Google Firebase's SDK for database access, which uses parameterised queries by design — eliminating the risk of NoSQL injection attacks.

Database Security: User data is stored in Google Cloud Firestore, which provides AES-256 encryption at rest by default. Database access is governed by server-side security rules enforcing role-based permissions — users can only access their own data, and only via our authenticated API layer.

Monitoring & Logging: Application events, API calls, and administrative actions are logged with timestamps and identity metadata. Logs are reviewed for anomalous patterns and retained for security investigation purposes.

Highlights: TLS 1.2+ / HTTPS · Google Cloud Firestore · AES-256 at Rest · Server-Side Validation · Role-Based Access Control · Admin Action Logging

04 Funds & Transaction Security

The security of your funds is our highest priority. PROFISTRA employs overlapping controls to ensure every deposit is legitimate and every withdrawal is authorised.

Blockchain Deposit Verification: Every deposit is verified directly against the TRON blockchain via TronGrid, our blockchain data provider. We confirm that the transaction hash corresponds to a real, confirmed USDT TRC-20 transfer to the correct platform wallet, with the exact amount credited. Deposits are only recognised once the transaction achieves on-chain confirmation — no transaction can be fabricated client-side.
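The acceptance checks for a claimed deposit, as an added example that is not PROFISTRA's code. It operates on a transfer record that has already been fetched from the chain data provider; the shape of that record, the contract and wallet addresses (placeholders), and the in-memory ledger are all assumptions of the example, not TronGrid's response format or the platform's own data model. Beyond the checks the paragraph lists, it also refuses to credit the same transaction hash twice, which is the failure mode an on-chain verifier still has to cover.

```javascript
// Added example (not PROFISTRA's code). `record` shape is assumed; addresses are placeholders.
const USDT_CONTRACT = 'T-USDT-CONTRACT-PLACEHOLDER';     // placeholder, not the real contract address
const PLATFORM_WALLET = 'T-PLATFORM-WALLET-PLACEHOLDER'; // placeholder for the platform deposit wallet
const USDT_DECIMALS = 6n;                                 // USDT TRC-20 amounts are in micro-units

// Decimal string -> integer base units. No floating point: "100.5" -> 100500000n.
function usdtToBaseUnits(amount) {
  const m = /^(\d+)(?:\.(\d{1,6}))?$/.exec(String(amount));
  if (!m) throw new Error('invalid USDT amount');
  const frac = (m[2] ?? '').padEnd(Number(USDT_DECIMALS), '0');
  return BigInt(m[1]) * 10n ** USDT_DECIMALS + BigInt(frac);
}

// Every condition under which the claim must NOT be credited, checked in order.
// `creditedHashes` is the set of transaction hashes already credited to any account.
function evaluateDeposit(claim, record, creditedHashes) {
  const hash = String(claim.txHash).toLowerCase();
  if (!/^[0-9a-f]{64}$/.test(hash)) return { ok: false, reason: 'malformed_hash' };
  if (creditedHashes.has(hash)) return { ok: false, reason: 'already_credited' };
  if (!record || record.txId.toLowerCase() !== hash) return { ok: false, reason: 'not_found' };
  if (!record.confirmed) return { ok: false, reason: 'unconfirmed' };
  if (record.contract !== USDT_CONTRACT) return { ok: false, reason: 'wrong_token' };
  if (record.to !== PLATFORM_WALLET) return { ok: false, reason: 'wrong_destination' };
  const onChain = BigInt(record.value); // amount as reported by the chain, never by the client
  if (onChain !== usdtToBaseUnits(claim.amountUsdt)) return { ok: false, reason: 'amount_mismatch' };
  return { ok: true, creditBaseUnits: onChain };
}

// Credits the ledger only after a passing verdict, marking the hash first so a
// concurrent duplicate claim cannot be credited again. In a real store these two
// writes must be one atomic transaction.
function creditDeposit(claim, record, ledger) {
  const verdict = evaluateDeposit(claim, record, ledger.credited);
  if (!verdict.ok) return verdict;
  ledger.credited.add(String(claim.txHash).toLowerCase());
  const prev = ledger.balances.get(claim.userId) ?? 0n;
  ledger.balances.set(claim.userId, prev + verdict.creditBaseUnits);
  return verdict;
}

// Constructed sample: a confirmed 100.5 USDT transfer to the platform wallet.
const SAMPLE_RECORD = {
  txId: 'ab'.repeat(32),
  contract: USDT_CONTRACT,
  from: 'T-USER-WALLET-PLACEHOLDER',
  to: PLATFORM_WALLET,
  value: '100500000',
  confirmed: true,
};
```

The credited amount comes from the chain record, not from the user's claim; the claim only has to agree with it. Returning a reason code keeps the logs useful for compliance review while the user-facing response can stay generic.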

Withdrawal Address Validation: All withdrawal destination addresses are validated as well-formed TRC-20 wallet addresses before any transaction is queued. Malformed or invalid addresses are rejected immediately.

Admin Approval Checkpoint: Every withdrawal request is held in a pending queue and manually reviewed by a member of our operations team before funds are dispatched. This human checkpoint prevents automated exploitation and allows our team to flag and investigate suspicious requests prior to execution.

15-Day Withdrawal Lock Period: Funds invested in a plan are subject to a mandatory 15-day lock period. This deters the rapid deposit-and-withdrawal patterns associated with fraud, money laundering, and platform abuse. The lock period begins from the date of investment activation and is transparently displayed in your dashboard at all times.

No User Private Key Storage: PROFISTRA does not hold or store your personal wallet private keys. Your withdrawal address is a destination you specify — we only hold USDT in the platform's operational wallet on your behalf, and funds are only released to your verified withdrawal address upon your explicit request and admin approval.

All USDT transactions are permanently recorded on the TRON blockchain and are publicly verifiable at tronscan.org using the transaction hash shown in your dashboard. This provides a transparent, immutable audit trail.

05 Fraud Detection & Prevention

PROFISTRA operates a continuous fraud detection programme designed to identify and stop malicious or suspicious activity before it can affect legitimate users.

Transaction Velocity Monitoring: Our systems analyse deposit and withdrawal behaviour for patterns consistent with financial crime — including rapid cycling of funds, disproportionately large single transactions, and coordinated multi-account activity. Flagged transactions are automatically escalated for manual compliance review.

Referral Fraud Detection: Our referral programme is monitored for abuse including self-referral chains, coordinated referral rings, and unusually concentrated commission flows. Accounts confirmed to be gaming the referral system are suspended and commissions are reversed.

IP & Geolocation Monitoring: Login events are logged with IP address and approximate geolocation. Access from jurisdictions on international sanctions lists is blocked at the platform level in accordance with our AML Policy.

Deposit Source Screening: We screen incoming deposit transactions for risk signals. Deposits from wallet addresses associated with known illicit activity, cryptocurrency mixing services, or high-risk counterparties may be held pending a compliance review before funds are credited.

reCAPTCHA Protection: Public-facing forms and sensitive operations are protected by Google reCAPTCHA to prevent automated bot submissions, account creation abuse, and denial-of-service attempts.

PROFISTRA will never contact you asking for your password, private key, or seed phrase. Any such request — regardless of where it appears — is a scam. Report it immediately to support@profistracapital.com.

06 Data Protection

We apply strict controls to how your personal data is stored, accessed, and processed. This section summarises our technical controls. For the full legal framework, see our Privacy Policy.

Encryption at Rest: All data stored in our Firebase Firestore database is encrypted at rest by Google's infrastructure using AES-256. Backup data is encrypted with the same standard. We do not store any sensitive data in unencrypted flat files.

Encryption in Transit: All data transmitted between your browser and our servers is protected by TLS 1.2 or higher. We do not permit unencrypted HTTP connections at any point in the request path.

Principle of Least Privilege: Staff access to user data is restricted to what is necessary for a given role. Customer financial data is not accessible to employees outside authorised support and compliance functions. All administrative actions are logged with the identity of the acting administrator.

Third-Party Security: Our service providers — Google Firebase, TronGrid, and email delivery services — are selected for their established security practices. All operate under data processing agreements that restrict use of your data to service delivery for PROFISTRA only.

Data Retention: Transaction records and compliance-relevant account data are retained for 5 years following account closure, as required by applicable AML regulations. Non-essential data is deleted upon account closure or at the end of the mandatory retention period.

07 Your Security Best Practices

Platform security is a shared responsibility. Here is what you can do to keep your PROFISTRA account safe at all times:

Use a Strong, Unique Password
Choose a password at least 12 characters long that you do not use on any other service. Use a password manager to generate and store it securely.
Secure Your Email Account
Your email is the recovery path for your PROFISTRA account. Enable two-factor authentication on your email provider to block account takeover via password reset.
Verify Withdrawal Addresses Carefully
Always double-check your TRC-20 destination address before submitting a withdrawal. Blockchain transactions are irreversible. Beware of clipboard-hijacking malware that silently replaces copied addresses.
Access PROFISTRA Only via Official Channels
Our official domain is profistracapital.com. Bookmark it directly — do not follow links from unsolicited emails, social media posts, or Telegram messages claiming to be from us.
Log Out on Shared Devices
Always sign out when using a shared or public computer. Do not save your PROFISTRA credentials in public browser profiles.
Be Alert to Phishing Attempts
PROFISTRA will never send unsolicited messages requesting your password, private keys, or payment outside the platform. If you receive any communication you are unsure about, contact our support team before taking any action.
Monitor Your Account Regularly
Review your balance, investments, and transaction history in your dashboard. If you see any activity you did not initiate, contact us immediately at support@profistracapital.com.

08 Responsible Disclosure

We welcome reports from security researchers and members of the public who discover potential vulnerabilities in our platform. We are committed to working collaboratively and transparently to address any issues reported responsibly.

What to report:

  • Authentication or session security vulnerabilities;
  • Privilege escalation or unauthorised data access;
  • Injection vulnerabilities (NoSQL, command, or template injection);
  • Cross-site scripting (XSS) or cross-site request forgery (CSRF);
  • Cryptographic weaknesses or insecure direct object references;
  • Business logic flaws that could allow fund manipulation or account takeover.

How to report: Send a detailed report to security@profistracapital.com with the subject line "Security Disclosure". Please include: a clear description of the vulnerability, step-by-step reproduction instructions, your assessment of the potential impact, and any proof-of-concept you consider safe to share. Do not disclose vulnerabilities publicly until we have had a reasonable opportunity to investigate and apply a fix.

Our commitments to researchers:

  • We will acknowledge receipt of your report within 2 business days;
  • We will keep you informed of our investigation and remediation progress;
  • We will not pursue legal action against researchers acting in good faith and within the scope above;
  • We will credit responsible disclosures publicly if the reporter consents.

For general account security questions or to report suspected account compromise, contact support@profistracapital.com or use our Contact page. We typically respond within 24 hours.

09 Two-Factor Authentication (2FA)

PROFISTRA uses email verification as the primary security gate — every account must confirm its email address before any financial activity (deposits, investments, or withdrawals) is permitted. This ensures that only the legitimate account owner can activate an account.

Current 2FA status: In-app authenticator-based two-factor authentication (TOTP/app 2FA) is on our security roadmap and will be introduced in a future platform release. We will notify all users via dashboard notification and email when this feature becomes available.

How to protect yourself today: The most critical action you can take right now is to enable 2FA on the email address linked to your PROFISTRA account. Your email is the recovery path for your account — if an attacker gains access to your email, they could trigger a password reset. Enabling 2FA on Gmail, Outlook, Apple Mail, or whichever provider you use blocks this attack vector entirely.

01 Enable 2FA on Your Email Provider
Go to your email provider's security settings and enable authenticator app 2FA or a hardware key. Avoid SMS-only 2FA where possible — SIM-swap attacks can bypass it.
02 Use Google Sign-In for Inherited 2FA
If you registered with Google OAuth, your PROFISTRA login is protected by Google's own advanced threat protection — including 2FA enforcement if enabled on your Google account. This is currently the strongest available 2FA path on the platform.
03 Watch for In-App 2FA Launch
We will announce authenticator app (TOTP) support when it becomes available. Once launched, we strongly recommend all users activate it immediately — especially users with active investment plans.

10 Wallet & Fund Management

Understanding how your funds are held is a key part of evaluating any crypto platform. Here is a transparent explanation of how PROFISTRA manages platform wallets and user funds.

How deposits work: When you deposit USDT via TRC-20, your funds are transferred to PROFISTRA's operational wallet on the TRON blockchain. Every deposit is verified on-chain by confirming the transaction hash against TronGrid — our blockchain data provider — before any balance is credited. No deposit is processed based solely on your claim; we independently confirm it on-chain.

Operational vs. reserve wallets: PROFISTRA maintains separate wallets for day-to-day operational payouts and for reserve capital. Funds required for processing active withdrawal requests are maintained in an operational hot wallet with controlled access. Reserve capital is held separately with multi-step authorisation required for any movement.

No user private keys: PROFISTRA does not store, request, or hold the private keys to your personal wallet. Your withdrawal address is a destination you provide — funds flow from our platform wallet to your external wallet upon your approved withdrawal request. We never have access to the wallet you withdraw to.

How withdrawals are executed: All withdrawals are manually reviewed by an operations team member before being dispatched on-chain. Once approved, the USDT transfer is executed directly on the TRON blockchain and produces a verifiable transaction hash that you can confirm at tronscan.org. The 15-day lock period on investment principals is a deliberate fraud-prevention measure that also supports orderly liquidity management.

Suspicious activity handling: If our fraud monitoring systems flag unusual activity on your account — such as a login from an unrecognised location, rapid deposit-then-withdrawal attempts, or patterns consistent with account takeover — we may temporarily hold withdrawal processing pending a compliance review. You will be notified by email and asked to verify your identity. This process exists to protect your funds, not to restrict your rights. If you believe a hold has been applied in error, contact support@profistracapital.com immediately.

Every USDT transaction on PROFISTRA is recorded permanently on the TRON blockchain. You can verify any deposit or withdrawal at any time using the transaction hash shown in your dashboard at tronscan.org. For more on verifiable transparency, see our Transparency page.