Exchange security is our Number 1 Priority. We reduce customer risk by using effective security, checks and balances, and oversight.
Offline (Cold) Funds Storage (Pending/Planned)
Because we do not currently hold a lot in cryptocurrency funds, we have not moved much of what we hold into safe storage yet. However, our userbase is increasing and we are now working on the internal process involved to properly store offline cryptocurrency assets. We will store the majority of our customer's funds in a secure offline wallet (such as Trezor), with only a portion of funds in a 'hot' wallet for instant withdrawals. The ratio of Hot/Cold storage will vary depending on the cryptocurrency. Some cryptocurrencies do not move off-exchange as often as others, so we can store a higher percentage of these offline. Our goal is to store 80% - 95% of all cryptocurrency assets offline. Using this method we can vastly improve security at the minor expense of some large withdrawals requiring additional time for processing. You can view our system status page to see the exact amounts we store in each wallet.
We will be using a 2 of 3 (or more) authentication process for accessing the storage of all offline wallets. This means that each time a cold storage device needs to be accessed, 2 individuals out of 3 (or more) total authorized will need to be present to access the device. Furthermore, we will store the device backups and backup codes with a trusted 3rd party. If there is ever a problem with one of the devices, we will be able to restore it to a new device from a backup. The 3rd party used for storage of the backups will not have the keys to access the devices, only to restore them.
The devices will be stored inside a fireproof safe and that safe will be stored in a high-security facility. The location of this facility will not be publicly disclosed.
We will also seek to attain an insurance company to underwrite a policy for any unforeseen loss to give extra protection to our users.Summary
DDoS Protection & CDN Caching
We utilize a leading DDoS provider for all public facing content and cache all static content on a CDN to provide the fastest possible load times. Our webservers can only be accessed from the networks of our DDoS provider.
Logical & Physical Security
All website components are logically separated and protected by both physical and software firewalls for increased security. Employees who have access are required to connect to a controlled secure VPN before gaining access to any production level systems. We use port-knocking so that we can keep all SSH ports closed until needed.
All interaction with the website is required to be HTTPS so all communication is encrypted via SSL. We do not allow older insecure SSL protocols.
Customers can set up two-factor authentication for accounts with Google Authenticator to provide an extra layer of security. We HIGHLY recommend this.
We have tools for our users which allow them to allow or block login access to their account based on IP address.
We use an industry recognised PCI (credit card provisioning compliance) scanning service to routinely scan the website to aid in locating any potential security issues.
We have a bug bounty program for anybody to disclose possible security issues to us. All security issues are immediately placed at top priority for review and correction.
We use industry standard methods for preventing SQL Injection & XSS attacks on our website. In addition, all passwords & sensitive data are encrypted along with a static & random salt. Encryption keys and salts are NOT stored in the database nor in the codebase. If we ever detect a possible intrusion, we will immediately lock down the entire system and re-encrypt all sensitive information with new keys.
We have automated systems in place to check for inconsistencies in transactions and our wallets. The system will automatically shutdown a wallet if something appears incorrect, and immediately inform a technician. The system status page will always have the most up to date information on any service outages or suspensions for an asset.