Security


Exchange security is our number one priority. We reduce customer risk through effective security controls, checks and balances, and oversight.

Offline (Cold) Funds Storage (Pending/Planned)

Because we do not currently hold a large amount of cryptocurrency funds, we have not yet moved much of what we hold into offline storage. However, our userbase is growing and we are now building the internal process needed to store cryptocurrency assets offline properly. We will keep the majority of our customers' funds in a secure offline wallet (such as a Trezor), with only a portion of funds in a 'hot' wallet for instant withdrawals. The hot/cold ratio will vary by cryptocurrency: some assets move off-exchange less often than others, so a higher percentage of those can be kept offline. Our goal is to store 80% - 95% of all cryptocurrency assets offline. This greatly improves security at the minor cost of some large withdrawals requiring additional processing time. You can view our system status page to see the exact amounts we store in each wallet.

We will use a 2-of-3 (or more) authorization process for accessing all offline wallets. This means that each time a cold storage device needs to be accessed, 2 of the 3 (or more) authorized individuals must be present. Furthermore, we will store the device backups and backup codes with a trusted 3rd party. If there is ever a problem with one of the devices, we will be able to restore it to a new device from the backup. The 3rd party holding the backups will not have the keys needed to access the devices, only the material needed to restore them.

The devices will be stored inside a fireproof safe and that safe will be stored in a high-security facility. The location of this facility will not be publicly disclosed.

We will also seek an insurance company to underwrite a policy covering any unforeseen loss, to give extra protection to our users.

Summary
  • Cold storage funds are placed on a secure device, such as Trezor
  • Access to the devices requires 2 people
  • The devices are stored in a high-security, fireproof safe
  • The safe is stored in a high-security facility which has very limited access to authorized individuals
  • Backup keys to the secure devices will be stored with a trusted 3rd party
  • An insurance policy will be secured to help protect users against loss in the case we have an issue with any wallets

DDoS Protection & CDN Caching

We utilize a leading DDoS protection provider for all public-facing content and cache all static content on a CDN to provide the fastest possible load times. Our webservers can only be reached from the networks of our DDoS provider.

Logical & Physical Security

All website components are logically separated and protected by both physical and software firewalls. Employees who have access are required to connect to a controlled, secure VPN before reaching any production systems. We use port-knocking so that all SSH ports stay closed until they are needed.

Secure Website

All interaction with the website is required to be over HTTPS, so all communication is encrypted with TLS (commonly referred to as SSL). We do not allow the older, insecure SSL protocol versions.

Two-Factor Authentication

Customers can set up two-factor authentication for their accounts with Google Authenticator to provide an extra layer of security. We HIGHLY recommend this.

Login Firewall

We provide tools that let users allow or block login access to their account based on IP address.

Server Scanning

We use an industry-recognised PCI DSS (Payment Card Industry Data Security Standard) compliance scanning service to routinely scan the website and help locate any potential security issues.

Bug Bounty

We have a bug bounty program through which anybody can disclose possible security issues to us. All reported security issues are immediately given top priority for review and correction.

Application Security

We use industry-standard methods for preventing SQL injection and XSS attacks on our website. In addition, all passwords and sensitive data are encrypted together with a static and a random salt. Encryption keys and salts are NOT stored in the database or in the codebase. If we ever detect a possible intrusion, we will immediately lock down the entire system and re-encrypt all sensitive information with new keys.

System Oversight

We have automated systems in place to check for inconsistencies between transactions and our wallets. The system will automatically shut down a wallet if something appears incorrect and immediately notify a technician. The system status page will always carry the most up-to-date information on any service outages or suspensions for an asset.
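The reconciliation check described above, together with the 80% - 95% cold-storage target from the Offline Funds Storage section, can be expressed as a small monitoring routine. The following is an added example written for this page, not the exchange's own code; the ledger entries, wallet balances and the tolerance value are constructed, and the "suspend"/"warn" severities are an assumed convention for what the technician receives.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed sample data (not real figures): one asset's internal ledger of
# customer deposits/withdrawals, and the observed hot/cold wallet balances.
LEDGER = [
    ("BTC", "deposit", "5.00"),
    ("BTC", "deposit", "3.25"),
    ("BTC", "withdrawal", "0.75"),
]
HOT_BALANCE, COLD_BALANCE = "1.20", "6.30"
COLD_TARGET = (Decimal("0.80"), Decimal("0.95"))  # the page's 80% - 95% goal

@dataclass
class Finding:
    asset: str
    severity: str   # "suspend": halt the wallet and page a technician; "warn": alert only
    message: str

def ledger_total(asset, ledger):
    """Net balance owed to customers for an asset according to the internal ledger."""
    total = Decimal("0")
    for a, kind, amount in ledger:
        if a == asset:
            total += Decimal(amount) if kind == "deposit" else -Decimal(amount)
    return total

def check_asset(asset, ledger, hot, cold, tolerance=Decimal("0.00000001")):
    """Reconcile on-chain holdings against the ledger and check the cold-storage share.
    Returns a list of Finding; an empty list means the asset looks consistent."""
    hot, cold = Decimal(hot), Decimal(cold)
    held, owed = hot + cold, ledger_total(asset, ledger)
    findings = []
    if held < owed - tolerance:
        # Holding less than customers are owed is the case that must stop the wallet.
        findings.append(Finding(asset, "suspend", f"held {held} < ledger {owed}: suspend wallet"))
    elif held > owed + tolerance:
        # An unexplained surplus is also an inconsistency, but not a reason to halt withdrawals.
        findings.append(Finding(asset, "warn", f"held {held} > ledger {owed}"))
    if held > 0:
        share = cold / held
        lo, hi = COLD_TARGET
        if share < lo:
            findings.append(Finding(asset, "warn", f"cold share {share:.2f} below {lo}: sweep to cold"))
        elif share > hi:
            findings.append(Finding(asset, "warn", f"cold share {share:.2f} above {hi}: hot wallet may run dry"))
    return findings
```

With the constructed data the ledger and wallets agree (7.50 held against 7.50 owed, 84% cold), so `check_asset("BTC", LEDGER, HOT_BALANCE, COLD_BALANCE)` returns no findings; lowering the hot balance to 1.00 produces a "suspend" finding.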