Direct answers to real questions

When you create the exchange API key, set withdraw to disabled at the exchange itself — the exchange enforces this, not us. Quantor stores the encrypted blob via AES-GCM + a master key, which lives in GCP Secret Manager as a separate trust boundary. Decryption happens only in process memory at order execution time, never written to logs. Even if our database fully leaks, the key cannot withdraw funds because the exchange refuses any withdrawal request signed with a withdraw-disabled key.

No. Quantor charges only the subscription ($19 / $49 / $129 per month). Per-trade fees are paid to the exchange itself — their fee schedule is visible in your exchange account and depends on your VIP level. We have no access to commissions and don't take a percentage of trades.

Open positions on your exchange stay with you — Quantor only sends commands, the exchange executes. If our service is unreachable (Cloud Run is down, for example), new orders are not sent, but existing positions continue to live at the exchange until you close them manually. You can close them via the exchange's UI directly at any time.

Yes. The subscription cancels in one click via the dashboard or your payment provider (LemonSqueezy). 14-day refund via LemonSqueezy per standard policy. After cancellation, bots stop automatically at the end of the current billing period — until then they keep running and you don't lose paid time.

Focus. A deep integration with one exchange beats a shallow integration with five. We started with a widely-used, highly-liquid platform that provides mature API + testnet tooling, serving the vast majority of our target users today. Availability and legality depend on your jurisdiction — Quantor doesn't represent the exchange and doesn't make claims about its regulatory status. Multi-exchange is on the roadmap, just not the first priority. First we make the launch integration exemplary, then expand.

Cloud Run + Cloud SQL in region me-west1 (Tel Aviv, Israel). EU-style data residency. No replicas in the US or CIS. Meets the GDPR minimum. Backups are encrypted and also stored in me-west1.

Starter ($19) — 1 bot (PAPER + LIVE on EMA only), 2 symbols, 25 LIVE trades/day, 2% daily-loss kill-switch. Advanced strategies (Breakout V1, TS Momentum V1, Adaptive Pro) need Pro.

Pro ($49) — 3 bots PAPER+LIVE, 10 symbols, 5 strategies, advanced including Breakout V1 / TS Momentum V1 / Adaptive Pro. The most popular plan for real trading.

Teams ($129) — 10 bots, 10 symbols (full allowlist), 10 strategies, onboarding call before first LIVE start.

Full limits table on /pricing.

No. PAPER runs on the live market price in real time but doesn't send orders. Simulates execution by bid/ask. Closer to a forward-test than a backtest on historical data. A good PAPER result does not guarantee a LIVE result — slippage, fill rate, and emotional trading aren't modelled on paper. PAPER is a sanity check on a real-volatility strategy, not a proof of future profit.

Because we can't. Algorithmic trading is a tool. It can make money. It can lose money. Regulated products aren't allowed to promise fixed yield. If you see a competitor promising it — that's a red flag for you and for the regulator. We sell a disciplined operating environment (risk gates, regime guard, audit chain, self-custody) — not a result. The result depends on the market, the strategy, and the parameters you pick.

It lets you verify that the code running on our server matches the commit we declared, when a valid Ed25519 manifest is present. A silent logic swap or injected payload becomes detectable, not invisible. You can technically verify in 30 seconds with openssl (recipe on /security), but you don't have to — the Pulse probe obs.build-signed does this automatically every hour. If anything doesn't match, we get a Telegram alert and you see it on the status page.

An attacker would have dashboard access but no withdrawal access (see the keys question). They could start new bots or change strategies — but can't move crypto. We recommend enabling 2FA (TOTP) in Dashboard → Two-factor authentication and using a unique password. The alert signal is a Telegram push on a new-device login — if you get it and it isn't you, change your password via /reset.

Yes. When you create the API key in the dashboard, set testnet=true. Quantor recognises it and won't confuse it with production keys. A good way to practise without real money and without a subscription if you already have a testnet account at your exchange. Most major exchanges offer testnet keys for free — check your exchange's developer portal.

The signature covers the canonical manifest {service, commit, image_digest, builtAt}. Any modification (new commit, new image-digest, new build time) → new signature. The Pulse probe checks signature vs. public key every hour. If someone swaps bytes on the server, the signature doesn't match, we get a Telegram alert, and it's visible publicly via /api/v1/identity.

Email: bugs@quantorsaas.app. Reply within 24–48 hours. For urgent prod incidents — the public status page at /status plus @QuantorSaaSBot in Telegram. For business proposals — same address.

Yes — each paid account is independent, you can run as many as you like. They just can't share the same browser tab because Quantor uses one auth cookie per domain. Two ways to keep both signed in side-by-side:

Chrome profiles (recommended) — Chrome ▸ profile icon (top-right) ▸ Add. Each profile keeps its own cookies, bookmarks, extensions. Open Quantor in profile A and profile B, sign in to a different account in each. Same trick works in Edge, Firefox (Containers), Arc, etc.

Incognito / Private window — quick option for one-off use. Regular window = account A, incognito = account B. No persistence across sessions, you'll re-login each time.

Server-side single-session enforcement only kicks in when the same user signs in from a new device — it's there to protect a single account from credential sharing, not to limit how many separate accounts one person operates.