Platform

Security

Railr is designed as a secure, permissioned infrastructure platform for regulated professional participants. Security operates across three layers: the network itself, the platform and API that participants use to access it, and the data Railr processes on their behalf.

Network Security

Access to the Railr network is restricted to approved participants only. Every applicant undergoes identity verification, business verification, sanctions screening, and AML controls before activation. Participants who do not meet the required standard are not admitted.

The permissioned model is itself a security layer. Every counterparty on the network has been verified before activation. Participants interact only with other verified institutional entities. There are no anonymous participants on Railr.

Platform Security

Railr maintains an A grade on independent security-header assessment and an A+ rating from Qualys SSL Labs. All communication is encrypted in transit using TLS 1.3 with RSA 2048-bit certificates signed with SHA-256. No legacy protocols are supported.

HTTP Strict Transport Security is enforced with a long max-age. Security headers including Content Security Policy, Permissions Policy, Referrer Policy, X-Content-Type-Options, and X-Frame-Options are all implemented and active.

Platform sessions require two-factor authentication at login via TOTP authenticator application. Sessions time out automatically after 30 minutes of inactivity. All login events are recorded in the participant activity log.

API Security

Railr provides API access to approved participants for platform integration and automated workflows. The Railr API is secured to institutional standards.

Authentication uses API key and secret credentials issued at onboarding, combined with HMAC-SHA256 request signing. Every API request must be signed. Unsigned or incorrectly signed requests are rejected.

API keys are permission-scoped. Participants can issue separate keys for distinct access levels. Read-only keys provide access to depth preview, network data, and execution history. Execute keys enable RFQ submission and quote acceptance. No single key needs to carry full permissions.

IP whitelisting is available for all API participants. Participants can restrict their API keys to specific IP addresses or IP ranges. Requests originating from outside the whitelist are rejected regardless of key validity. IP whitelisting is strongly recommended for all production API integrations.
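The following is an added illustration of how the three controls above fit together on the server side: HMAC-SHA256 request signing with a key and secret, permission-scoped keys, and per-key IP whitelisting. It is not Railr's code; Railr does not publish its canonical string, header names or key format, so all of those, the sample keys, the execute-only endpoint list and the timestamp freshness window (added here to limit replay of a captured request) are assumptions.

```python
import hashlib
import hmac
import ipaddress
import time

# Constructed key registry (key id -> secret, scope, whitelisted networks).
# Railr's real key format, header names and canonical string are not published
# on this page; every name and value below is an assumption for illustration.
KEYS = {
    "rk_read_01": {"secret": b"constructed-read-secret", "scope": "read",
                   "allow": ["203.0.113.0/24"]},
    "rk_exec_01": {"secret": b"constructed-exec-secret", "scope": "execute",
                   "allow": ["198.51.100.7/32"]},
}
EXECUTE_PATHS = ("/v1/rfq", "/v1/quotes/accept")  # assumed execute-scope endpoints
MAX_SKEW = 300  # seconds; assumed freshness window to limit replay of captured requests

def canonical(method, path, ts, body):
    # Assumed canonical form: method, path, timestamp and SHA-256 of the body,
    # so that any change to the request invalidates the signature.
    return f"{method}\n{path}\n{ts}\n{hashlib.sha256(body).hexdigest()}".encode()

def sign(key_id, method, path, body, ts=None):
    """Client side: build the headers carried by an assumed Railr-style signed request."""
    ts = str(int(time.time()) if ts is None else ts)
    mac = hmac.new(KEYS[key_id]["secret"], canonical(method, path, ts, body), hashlib.sha256)
    return {"X-Api-Key": key_id, "X-Timestamp": ts, "X-Signature": mac.hexdigest()}

def verify(headers, method, path, body, source_ip, now=None):
    """Server side: return (accepted, reason); off-whitelist, unsigned, stale, wrongly signed or out-of-scope requests are rejected."""
    key = KEYS.get(headers.get("X-Api-Key", ""))
    if key is None:
        return False, "unknown key"
    # Whitelist is checked first: outside the whitelist, key validity does not matter.
    if not any(ipaddress.ip_address(source_ip) in ipaddress.ip_network(n) for n in key["allow"]):
        return False, "source ip not whitelisted"
    ts, sig = headers.get("X-Timestamp"), headers.get("X-Signature")
    if not ts or not sig:
        return False, "unsigned request"
    now = int(time.time()) if now is None else now
    if not ts.isdigit() or abs(now - int(ts)) > MAX_SKEW:
        return False, "stale timestamp"
    expected = hmac.new(key["secret"], canonical(method, path, ts, body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "bad signature"
    if path in EXECUTE_PATHS and key["scope"] != "execute":
        return False, "key scope insufficient"
    return True, "ok"
```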

A sandbox environment is available for integration testing. The sandbox mirrors the production API with simulated RFQ flows and test credentials. All LP and client integrations should be validated in the sandbox before production activation.

Rate limiting is applied per key to protect network stability. Rate limit thresholds are set at levels appropriate for institutional trading workflows. Participants requiring higher thresholds should contact their account representative.

Data Security

All participant data is handled in accordance with Railr's Privacy Policy under UK GDPR and EU GDPR frameworks. Identity verification is conducted through Sumsub, a certified KYC provider. Data is encrypted at rest and in transit. Access to participant data is restricted to authorised personnel only.

Railr does not custody digital assets or fiat funds and does not operate client accounts. Railr has no access to participant wallets, exchange accounts, or settlement infrastructure. Railr does not present direct custody risk.

Audit Logs

Every participant has access to a complete activity log covering their own network activity. Logs record all RFQ submissions, quotes received, execution confirmations, settlement instructions, and account access events. Logs are timestamped, immutable, and exportable. Participants requiring logs for their own regulatory or compliance obligations can export their full activity history at any time.

Participant Access Controls

Participant access is monitored on an ongoing basis. Railr reserves the right to suspend or revoke access where security, compliance, or risk concerns arise. Access credentials are the sole responsibility of the participant and must not be shared or disclosed to unauthorised parties.

Participants must notify Railr immediately at security@railr.io if they suspect their credentials have been compromised. Railr will suspend affected credentials immediately on notification.

Compliance Infrastructure

Railr maintains voluntary KYC, KYB, AML, and sanctions screening controls across all network participants. Railr is actively pursuing formal regulatory authorisation in selected jurisdictions. Participants and counterparties with specific compliance requirements are encouraged to contact legal@railr.io directly.

Responsible Disclosure

Railr takes security vulnerabilities seriously. If you believe you have identified a security issue with the Railr platform or API, please contact security@railr.io. Please do not disclose potential vulnerabilities publicly before contacting Railr directly. Railr will acknowledge all responsible disclosure reports within 48 hours.