Is CypherMarkets secure?

An overview of the security measures we have in place
Written by CypherMarkets Support
CypherMarkets Security Memo:
- CypherMarkets offers two-factor authentication on all user accounts.
- All sensitive user information is encrypted both in transit and at rest. CypherMarkets uses AWS, which has a proven track record for physical security and internal controls.
- CypherMarkets uses industry standards to protect your data from unauthorized access. It is always protected with several layers of encryption (256-bit encryption over the network). All website data is transmitted through encrypted Transport Layer Security (“TLS”) connections, i.e. HTTPS.
- User passwords are stored hashed with bcrypt, as per industry standards.
The most important part comes here:
CypherMarkets user Exchange API key management
Not your API keys, not your exchange accounts!
If you wish to only track your portfolio, you can set your exchange API keys to READ ONLY mode.
Exchange API keys are NEVER stored on our servers, either encrypted or decrypted. We’ll explain how that is possible in more detail below.
Adding a new API key - when a user adds his exchange API keys, the keys are sent to our backend app, which encrypts them (it does NOT save the keys anywhere in our backend app) and returns them to the user’s browser. After that, those encrypted API keys are stored in the local storage of that user’s browser for future use.
The encrypted API keys can be seen at any time in that user’s browser; he can also export them into a file for easier access from another device. The encrypted API key string is useless without access to the user’s CypherMarkets account, which is protected by a password and optionally 2FA.
Communication between an exchange and CypherMarkets - the user can request his exchange account data from his exchange account at any time. When that data is requested, this is what happens: the encrypted API keys are sent from your browser storage to our backend, which decrypts those keys on the fly and makes an exchange request. Following the request, the exchange’s response is returned to your browser. If anyone should intercept the communication between your browser and our backend, he can at most see those encrypted user API keys, which are useless without also having access to your CypherMarkets account.
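The round trip described above (encrypt on the backend, store only in the browser, decrypt on the fly per request) can be sketched as follows. This is an added example, not CypherMarkets code: the memo does not name the cipher or say how the blob is tied to an account, so AES-256-GCM, a single server-held key, the account ID as associated data, and all function names are assumptions.

```javascript
// Added illustration; not CypherMarkets code. Cipher, key handling and names are assumptions.
const nodeCrypto = require('node:crypto');

// Assumed: one wrapping key that exists only on the backend (e.g. loaded from a KMS).
const SERVER_KEY = nodeCrypto.randomBytes(32);

// "Adding a new API key": encrypt, hand the blob back to the browser, persist nothing.
function wrapApiKey(accountId, exchangeApiKey) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every blob
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', SERVER_KEY, iv);
  cipher.setAAD(Buffer.from(accountId, 'utf8')); // binds the blob to one account
  const ct = Buffer.concat([cipher.update(exchangeApiKey, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

// "Communication with an exchange": the account ID must come from the
// authenticated session, never from the request body that carries the blob.
function unwrapApiKey(sessionAccountId, blob) {
  const raw = Buffer.from(blob, 'base64');
  if (raw.length < 28) throw new Error('blob too short'); // 12-byte IV + 16-byte tag
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', SERVER_KEY, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(sessionAccountId, 'utf8'));
  decipher.setAuthTag(raw.subarray(12, 28));
  // final() throws if the key, account ID or ciphertext does not match the tag.
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// True when the blob authenticates for this session's account, false otherwise.
function canUnwrap(sessionAccountId, blob) {
  try { unwrapApiKey(sessionAccountId, blob); return true; } catch { return false; }
}

// Constructed sample values.
const blob = wrapApiKey('account-1001', 'EXAMPLE-EXCHANGE-KEY');
console.log(unwrapApiKey('account-1001', blob)); // owner's session recovers the key
console.log(canUnwrap('account-2002', blob));    // another account's session cannot
```

Under these assumptions an intercepted or exported blob fails authentication in any other account's session, while the backend still holds the plaintext key in memory for the duration of each request.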
Algo orders - since algo orders are, in most cases, not executed when you create them (but based on specific conditions), your encrypted API keys are sent to our backend, which establishes the connection to the exchange. That connection between our backend and your exchange account is kept open until the conditions for algo order execution are met or the algo order is cancelled, whichever comes first.
Simple, not so simple facts:
Nobody at CypherMarkets knows or has access to your encrypted or decrypted keys. Essentially, our database for storing your encrypted keys is your browser. Furthermore, requests to access those keys are only initiated by you while using CypherMarkets to trade on exchanges or import portfolios.
You can check this by simply signing in to your account from a different device.
- If you log in to CypherMarkets from a different device, you won’t have any exchanges connected, which shows that NONE of your API keys are stored on our servers. If you want to clear your browser cache from time to time, or have quick access to your exchanges from another device without importing your API keys again, you can export your encrypted keys via CypherMarkets and import them on the other device. That exported string is only useful from your specific CypherMarkets user account.
In conclusion, an attacker needs to hack both us and your browser and optionally your 2FA device, at the same time, to get your keys.