Security & Privacy
Your Data is Protected
We use industry-standard encryption to protect all sensitive data. Your private keys and credentials are never stored in plaintext.
Encryption Details
| Data Type | Format | Protection |
|---|---|---|
| Signer Private Key | Hex string | Fernet AES-128-CBC + HMAC-SHA256 |
| API Credentials | JSON key/secret | Fernet AES-128-CBC + HMAC-SHA256 |
| Wallet Address | Public address | Stored as-is (public info) |
| Trade History | Relational DB | User-scoped row isolation |
| Settings | Relational DB | User-scoped row isolation |
| JWT Tokens | Signed token | HS256 signed, 24h expiry |
| WebSocket | Binary stream | TLS 1.3 encrypted |
Fernet encryption combines AES-128-CBC with HMAC-SHA256 for authenticated encryption. Keys are stored in environment variables, never in code or logs.
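The Fernet token layout behind the description above, as an added example (not this service's code): it assembles and authenticates a token using only Python's standard library, so the ciphertext is a constructed stand-in rather than real AES-CBC output. `SAMPLE_KEY` and the function names are illustrative assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample key (bytes 0..31); a real key comes from a CSPRNG.
SAMPLE_KEY = base64.urlsafe_b64encode(bytes(range(32)))

def split_key(fernet_key):
    """Fernet key = 32 bytes: 16-byte HMAC-SHA256 key, then 16-byte AES-128 key."""
    raw = base64.urlsafe_b64decode(fernet_key)
    if len(raw) != 32:
        raise ValueError("Fernet key must decode to 32 bytes")
    return raw[:16], raw[16:]

def build_token(fernet_key, iv, ciphertext, timestamp):
    """Assemble version || timestamp || IV || ciphertext, then append the HMAC tag."""
    signing_key, _ = split_key(fernet_key)
    body = b"\x80" + struct.pack(">Q", timestamp) + iv + ciphertext
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)

def verify_token(fernet_key, token, ttl=None, now=None):
    """Authenticate a token before any decryption; raise ValueError on failure."""
    signing_key, _ = split_key(fernet_key)
    data = base64.urlsafe_b64decode(token)
    # 1 version + 8 timestamp + 16 IV + >=16 ciphertext + 32 tag
    if len(data) < 73 or data[0] != 0x80:
        raise ValueError("malformed token")
    body, tag = data[:-32], data[-32:]
    expected = hmac.new(signing_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("HMAC mismatch: token was modified or wrong key")
    timestamp = struct.unpack(">Q", body[1:9])[0]
    iv, ciphertext = body[9:25], body[25:]
    if len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    current = int(time.time()) if now is None else now
    if ttl is not None and timestamp + ttl < current:
        raise ValueError("token expired")
    return timestamp, iv, ciphertext

if __name__ == "__main__":
    ct = b"\xaa" * 32  # constructed stand-in for AES-CBC output
    tok = build_token(SAMPLE_KEY, bytes(16), ct, 1700000000)
    print(verify_token(SAMPLE_KEY, tok))
```

Because the tag covers the version, timestamp, IV and ciphertext, a single flipped bit anywhere in the stored blob is rejected before the AES key is ever used.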
What We NEVER Have Access To
- Your main wallet's private key
- Your seed phrase / recovery phrase
- Ability to withdraw your funds
- Other users' data or credentials
User Isolation
Every user's data is completely isolated:
- Separate signer wallets -- your signer only works for you
- User ID scoping -- all DB records tagged with user_id
- JWT authentication -- tokens scoped to individual users
- API isolation -- no endpoint can access another user's data
What We Store
| Data | Storage | Encryption |
|---|---|---|
| Wallet Address | PostgreSQL | None (public) |
| Signer Private Key | Encrypted file | Fernet AES-128-CBC + HMAC-SHA256 |
| Trading Preferences | PostgreSQL | None (non-sensitive) |
| Trade History | PostgreSQL | User-isolated rows |
| DEX API Keys | Encrypted file | Fernet AES-128-CBC + HMAC-SHA256 |
Infrastructure Security
- HTTPS/TLS encryption for all API traffic
- Server firewall with minimal open ports
- No plaintext secrets in code or logs
- Audit logging for sensitive operations
- Regular security reviews