Security

Our Commitments

We take security really seriously. By ingraining it into our design process, we ensure safety is at the core of our platform and not just an afterthought.

If you have any related questions, check our Q&A.

Data Protection

  • Security: From our core technology to the frontend, security is part of our design process.
  • Up-to-date: We regularly reassess internal and external guidelines to ensure the highest safety standards.
  • Privacy: We don't sell your data to third parties.

Transparency

  • Communication: We're upfront about our limitations.
  • Alertness: We always inform you about any incidents, for trust and clarity.

Compliance

  • Cybersecurity: We follow OWASP, ISC2 and other key guidelines from industry specialists.
  • Government: Proactive monitoring of guidelines, including FCA, GDPR, Data Protection, and more.

Secure by design

For enhanced and long-lasting security, our architecture incorporates several key principles throughout.

| Safeguard | Description |
|---|---|
| Zero-trust | Designed around zero-trust architecture (ZTA), assuming anyone, even us, can be an attacker. |
| One-way flow | Sensitive information, like API keys, can only flow in one direction in our system, greatly reducing attack vectors. |
| Full encryption | In many cases, sensitive information is encrypted at all possible levels: at rest, in transit, and at runtime. |
| Barriers | Both hardware and software barriers can be found in our system, providing the best mitigations possible. |
| 24/7 monitoring | Automated monitoring and security probing are in place to detect suspicious activity and software vulnerabilities. |

Questions & Answers

If you can't find an answer to what you're looking for, drop us an email at [email protected]

Q1. Do you store my API keys?

Yes, in the safest possible way. Your API keys need to be stored to ensure your agents can trade 24/7. They are stored fully encrypted at multiple layers, making it extremely improbable for an attacker to reach them or decrypt them. Automated mechanisms exist to monitor and remove any sensitive information (intended or not) in the system.

Q2. What if your platform is breached?

Our platform is built from the ground up with security in mind, offering bank-grade security in most areas. In the unlikely event of a data breach, the attacker's actions are inherently limited by our system's design and architecture.

Notably, exposure from a data breach will be constrained to the specific user, and contingency actions will take place automatically.

Q3. What if someone from your team tries to steal my API keys?

Your sensitive information is not visible to us. We incorporate third parties to ensure that even if one of our developers got their hands on your information, they wouldn't be able to do anything meaningful with it.

Our team is also under strict NDA and security guidelines, and we have full logging and auditing in place to protect our users.

Q4. Can another user hijack my account?

Not really. Users are entirely isolated from each other, making it impossible for one to reach another. The only way would be if someone knew your password, in which case they would still have limited options due to several in-house mechanisms. Use a strong password to mitigate any risks.

Q5. Do you have contingency plans?

Yes. In case of a data breach we have full logging and auditing in place, and can provide authorities with the required details. You will be notified directly by us or by an automated message in such a case.

Q6. Can I trust you?

You shouldn't trust anyone, including us. Although we try our best to provide one of the most secure platforms out there, we still encourage you to set the least permissions required when creating an API key on an exchange or elsewhere. E.g. don't permit withdrawals for an API key if your agent will only be setting buy and sell orders.

Q7. Do you comply with government legislation like FCA (UK)?

As a young startup we strive for early compliance with legislation. We already consult with the FCA and closely monitor related guidelines and laws like Data Protection and GDPR to make this transition easier. We heavily invest in modern cybersecurity as well.

We want to note that since our users can come from different countries, legislative compliance can be complicated. So we focus on monitoring legislation from only a few countries with our biggest user base, like the USA, UK, and EU.

Q8. What about other risks?

No system is 100% safe. By careful design and planning, we make potential attacks harder and proactively limit the impact of such attacks.

Social engineering attacks are still possible, so we encourage you to follow our general security guidelines, like opting for strong, hard-to-guess passwords and not sharing personal information with anyone. Also ensure you're at https://meshflow.co when visiting our website.