Coincise is currently in beta. Core security features (AES-256-GCM encryption, Row Level Security, zero-knowledge architecture) are fully implemented and tested. Some advanced features are still under development.
Overview
When you connect your cryptocurrency exchange to Coincise, we require API keys to fetch your portfolio data and execute trades on your behalf (with your permission). We take API key security extremely seriously.
Zero-Knowledge Architecture:
We employ a zero-knowledge encryption system where your plaintext API keys are NEVER visible to Coincise employees, administrators, or anyone else. Keys are encrypted immediately upon receipt and can only be decrypted by our secure application servers when executing authorized actions.
IV Generation: Cryptographically secure random initialization vectors
What This Means for You:
Fernet is a modern, industry-standard encryption specification that ensures:
Confidentiality: Only authorized servers can decrypt your API keys
Integrity: Any tampering with encrypted data is immediately detected
Authentication: We can verify the encrypted data hasn't been altered
No Backdoors: No way to bypass encryption or recover keys without the encryption key
2. How Encryption Works
Encryption Process:
You paste your API key into the connection form
Encrypted in your browser using TLS 1.3 before transmission
Received by our server over secure HTTPS connection
Immediately encrypted with Fernet using our master encryption key
Stored in database in encrypted form only
Plaintext is NEVER logged or written to disk
Decryption Process (When Needed):
User initiates action (e.g., sync portfolio, execute bot trade)
Application server retrieves encrypted key from database
Decrypts key in memory using the master encryption key
Uses decrypted key to call exchange API
Immediately discards plaintext from memory after use
No plaintext is ever stored or logged
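The encrypt-on-receipt and decrypt-in-memory flow described above, as an added example that is not Coincise's own code, using the Fernet recipe from the Python cryptography package. Fernet, as specified, is AES-128-CBC with an HMAC-SHA256 tag, which is what gives the tamper detection claimed above (the summary at the end of this page lists it as Fernet/AES-128). The environment variable name, the sample API key and the `exchange_call` callback are assumptions for the demo.

```python
# Added example, not Coincise's code: encrypt an exchange API key immediately on
# receipt, decrypt it only in memory when an action needs it, and show that a
# modified database row is rejected outright by Fernet's HMAC check.
import os
from cryptography.fernet import Fernet, InvalidToken

# Assumption: the master key is read from an environment variable (name chosen for
# this demo). A key is generated when it is unset so the example runs stand-alone.
MASTER_KEY = os.environ.get("API_KEY_MASTER_KEY") or Fernet.generate_key().decode()
_fernet = Fernet(MASTER_KEY.encode())


def encrypt_api_key(plaintext_key: str) -> bytes:
    """Encrypt on receipt; only the returned token is ever written to the database."""
    return _fernet.encrypt(plaintext_key.encode())


def call_exchange(stored_token: bytes, exchange_call):
    """Decrypt in memory, use the key once, then drop the plaintext reference."""
    try:
        plaintext = _fernet.decrypt(stored_token).decode()
    except InvalidToken:
        # Wrong master key or altered ciphertext: the HMAC verification fails before
        # any decryption happens, so no corrupted key reaches the exchange.
        return None
    try:
        return exchange_call(plaintext)
    finally:
        del plaintext  # Python cannot guarantee zeroisation; this drops the reference.


def tampered(token: bytes) -> bytes:
    """Change one base64 character of a stored token (simulates a modified row)."""
    i = 20  # inside the IV region; any change anywhere breaks the HMAC
    replacement = b"A" if token[i:i + 1] != b"A" else b"B"
    return token[:i] + replacement + token[i + 1:]


def demo() -> dict:
    # Constructed sample API key; a real one would come from the connection form.
    token = encrypt_api_key("demo-exchange-api-key")
    return {
        "round_trip": call_exchange(token, lambda k: len(k)),
        "tampered_rejected": call_exchange(tampered(token), lambda k: len(k)),
    }
```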
3. READ-ONLY API Keys
IMPORTANT REQUIREMENT:
Coincise ONLY accepts READ-ONLY API keys with the following permissions:
Read Account Balance (to display portfolio)
Read Trade History (to show past trades)
Read Open Orders (to track active positions)
Place Orders (ONLY if using trading bots - optional)
NEVER ENABLE:
Withdraw permission
Transfer permission
Sub-account management
API key management
If you accidentally enable withdrawal permissions, revoke the key immediately and create a new one with read-only settings.
Why READ-ONLY?
By using read-only API keys (or trading-only without withdrawal), you ensure that:
Even if our database is compromised, attackers cannot withdraw your funds
Coincise employees cannot access your funds
You remain in full control of your cryptocurrency
4. Transmission Security
Transport Layer Security (TLS 1.3):
All data transmitted between your browser and Coincise servers is encrypted using:
TLS 1.3 (latest protocol version)
Perfect Forward Secrecy (each session has unique keys)
HTTPS only (no insecure HTTP connections allowed)
HSTS enabled (browsers forced to use HTTPS)
5. Database Security
Row Level Security (RLS)
We use Supabase PostgreSQL with Row Level Security enabled:
User Isolation: You can only access your own API keys, never other users' keys
Database-Level Enforcement: RLS policies are enforced at the database level, not just in application code
Admin Restrictions: Even database administrators who can read the encrypted rows cannot recover your plaintext keys without the encryption key
Encryption Key Management
The master encryption key used to encrypt/decrypt API keys is:
Stored as an environment variable (never hardcoded)
Only accessible by production application servers
Not stored in the database or version control
Rotated every 90 days (best practice)
Backed up securely in encrypted vault (for disaster recovery)
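The 90-day master-key rotation listed above, as an added example that is not Coincise's own code, using MultiFernet from the Python cryptography package: the new key is listed first so that fresh tokens use it, every stored token is re-encrypted without plaintext ever being written anywhere, and only then is the old key retired. The two keys and the sample tokens are constructed for the demo; in production they would come from the environment or the secret vault.

```python
# Added example, not Coincise's code: rotate the master key by re-encrypting every
# stored Fernet token under the new key, then confirm the old key no longer works.
from cryptography.fernet import Fernet, MultiFernet, InvalidToken

# Assumption: generated here so the example runs stand-alone; real keys would be
# loaded from the environment / encrypted vault, never from source.
old_key = Fernet.generate_key()
new_key = Fernet.generate_key()


def rotate_stored_tokens(tokens: list, old: bytes, new: bytes) -> list:
    """Re-encrypt each token under `new`; returns the new tokens in the same order.
    MultiFernet.rotate decrypts with any listed key and encrypts with the first."""
    mf = MultiFernet([Fernet(new), Fernet(old)])  # newest key first
    return [mf.rotate(t) for t in tokens]


def decrypts_with(key: bytes, token: bytes) -> bool:
    """True if `token` verifies and decrypts under `key` (used to check retirement)."""
    try:
        Fernet(key).decrypt(token)
        return True
    except InvalidToken:
        return False


def demo() -> dict:
    # Constructed sample: two API keys stored under the old master key.
    stored = [
        Fernet(old_key).encrypt(b"demo-api-key-1"),
        Fernet(old_key).encrypt(b"demo-api-key-2"),
    ]
    rotated = rotate_stored_tokens(stored, old_key, new_key)
    return {
        # After rotation the old key must not open any token, so it can be retired.
        "old_key_opens_rotated": any(decrypts_with(old_key, t) for t in rotated),
        "new_key_opens_rotated": all(decrypts_with(new_key, t) for t in rotated),
        "plaintext_preserved": [Fernet(new_key).decrypt(t) for t in rotated],
    }
```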
6. Access Controls
Who Can Access Your API Keys?
Role                 | Encrypted Keys        | Plaintext Keys
---------------------|-----------------------|-------------------------------
You (Account Owner)  | No                    | No
Coincise Employees   | No                    | No
Database Admins      | Yes (encrypted only)  | No
Application Servers  | Yes                   | Temporarily (in memory only)
Note: Even Coincise employees cannot view your plaintext API keys. The encryption key is only accessible by automated application servers, not by individual people.
7. Security Best Practices & Standards
Encryption Standards
We implement industry-standard encryption protocols:
AES-256-GCM: Authenticated encryption for API keys (NIST FIPS 197)
TLS 1.3: Secure data transmission
Bcrypt: Password hashing with salt (Supabase Auth)
Random IVs: Unique initialization vectors for each encryption
GDPR & CCPA Compliance
Our data handling practices align with privacy regulations:
GDPR Article 32: Security of processing (encryption of personal data)
GDPR Article 7: Consent tracking with audit trail
CCPA § 1798.81.5: Reasonable security procedures for personal information
Right to Access: Manual data export available via privacy@coincise.co
Right to Deletion: Manual account deletion available via privacy@coincise.co
Note: Automated data export and deletion features are currently under development. For immediate requests, please email privacy@coincise.co and we will process your request manually within 30 days (GDPR) or 45 days (CCPA).
Infrastructure Security
We rely on enterprise-grade infrastructure providers:
Supabase: PostgreSQL database with Row Level Security (SOC 2 Type II certified)
Vercel: Hosting and deployment (SOC 2 Type II certified)
HTTPS/TLS: All connections encrypted in transit
8. Your Responsibilities
While we protect your API keys, you must also:
Use READ-ONLY keys or keys with trading-only permissions (no withdrawals)
Never share your API keys with anyone or post them publicly
Enable IP whitelisting on your exchange (if available) to restrict API access to Coincise servers only
Rotate API keys regularly (every 90 days recommended)
Monitor your exchange account for unauthorized activity
Revoke API keys immediately if you suspect compromise
Use strong, unique passwords for your Coincise account
Enable 2FA on your exchange for additional security
9. What Coincise Can & Cannot Do
What We CAN Do:
Fetch your portfolio balances
Display your trade history
Show open orders and positions
Execute trades (if bot trading enabled)
Provide portfolio analytics
What We CANNOT Do:
Withdraw your funds
Transfer funds to other accounts
Change your exchange settings
View your API keys in plaintext
Access your funds without your permission
10. Incident Response
In Case of Security Breach:
If we detect or are notified of a potential security incident:
Immediate notification: We will email all affected users within 72 hours (GDPR requirement)
Automatic key revocation: All API keys will be automatically disconnected
Investigation: Our security team will conduct a full forensic analysis
Transparency report: We will publish details of the incident and remediation steps
User guidance: We will provide instructions for securing your exchange accounts
What You Should Do If You Suspect Compromise:
Immediately disconnect your exchange from Coincise (Dashboard → Portfolio)
Log in to your exchange and revoke the API key
Check your exchange account for unauthorized trades or withdrawals
Enable 2FA on your exchange if not already enabled
Contact Coincise support at security@coincise.co
11. Transparency & Audits
We are committed to transparency regarding our security practices:
Open Source: Our encryption implementation is based on open-source libraries (Python cryptography package)
Third-Party Audits: We undergo regular security audits by independent firms
Bug Bounty: We maintain a responsible disclosure program (email: security@coincise.co)
Security Updates: We publish security advisories and changelogs
12. Contact Security Team
For security-related questions or to report vulnerabilities:
Security Email: security@coincise.co
General Support: support@coincise.co
PGP Key: Available on request for encrypted communication
Summary: Your API Keys Are Protected
Coincise uses bank-grade encryption (Fernet/AES-128), zero-knowledge architecture, and read-only API keys to ensure your exchange credentials are secure. We can NEVER withdraw your funds or see your plaintext API keys. However, no system is 100% secure - you should also enable 2FA, use strong passwords, and monitor your exchange accounts regularly.