CryptFolio takes data security very seriously, and this security is built into our organisation, application and infrastructure.
We aim to follow these five data security principles:
The irreversibility of cryptocurrencies can make it dangerous to share private information with third parties. CryptFolio is designed such that any breach should not expose you to financial loss: We insist, and where possible verify, that any credentials that you provide us are read-only, and could not be used to perform transactions under your name. Private credentials are not redisplayed through the website or API.
We will not support services or applications that are inherently insecure, cannot provide read-only credentials, or could expose any of our users private information.
One of the strengths of cryptocurrencies is the safety and security that anonymity provides; wherever possible, we will enable users to sign up anonymously, and only collect information necessary to comply with local and international law.
We maintain a guide about how to use CryptFolio anonymously.
Data security is not limited to a single website; it is the responsibility of each user to keep their own accounts and finances secure. We aim to empower each user to learn and make their own decisions:
- We recommend all users set up two-factor authentication.
- We check for strong passwords on account creation and password reset.
- At any time, users can download a copy of their data, or permanently delete their data.
We follow industry best practices for developing an organisation where security is at the heart of everything we do, including and not limited to:
- Employees must pass a criminal background check as part of the hiring process.
- Employees are required to encrypt their hard drives, utilise strong passwords, and enable screen locking.
- Employees are not permitted to store users' private information on any of their devices.
We follow industry best practices for securing our servers and databases, including and not limited to:
- Each application tier is hosted separately on a different server, secured through firewalls.
- All requests are processed through SSL, graded A+ through SSL Labs.
- Our servers are hosted at SOC Level 2 compliant facilities in the United States.
- We rate limit all actions and requests on the site, which could otherwise enable abuse.
- We have software and procedures in place to detect and notify us of any unusual or unexpected server activity.
Finally, we follow industry best practices for developing a secure code base, including and not limited to:
- CryptFolio is developed with continuous testing, integration and deployment principles, allowing us to immediately release patch updates when necessary.
- Our continuous testing process automatically audits the components used within our applications.
- Through the CryptFolio Bug Bounty Program, we collaborate directly with a community of security researchers to help keep our users safe.
As a responsible company, we are upfront about how and when we have to share data with government agencies, because we value our users’ trust. Our Annual Transparency Reports detail the requests we’ve received, and our responses, over every twelve month period.
In the unlikely case of a security breach, our policy is to immediately take down the CryptFolio website; inform all of our users within 48 hours of the breach; and only resume the service once we have verified the application is secure again.
If you have any questions at all about our security policies, please contact our Security Officer:
- by secure mail to The Security Officer, CryptFolio, 216a Willis St, Wellington 6011, New Zealand, or
- by e-mail at firstname.lastname@example.org.
Last updated: August 2018