Our Security Policies
- We take data security very seriously, and this security is built into every level of our organisation.
- We only accept credentials that will not expose you to financial loss.
- We are an open and honest organisation, and will immediately disclose any security breaches.
- If you have any questions at all about our Security Policies, please contact us.
CryptFolio takes data security very seriously, and this security is built into our organisation, application and infrastructure.
We aim to follow these five data security principles:
1. Prevent financial loss
The irreversibility of cryptocurrencies can make it dangerous to share private information with third parties. CryptFolio is designed such that any breach should not expose you to financial loss: We insist, and where possible verify, that any credentials that you provide us are read-only, and could not be used to perform transactions under your name. Private credentials are not redisplayed through the website or API.
We will not support services or applications that are inherently insecure, cannot provide read-only credentials, or could expose any of our users private information.
2. Allow anonymity
One of the strengths of cryptocurrencies is the safety and security that anonymity provides; wherever possible, we will enable users to sign up anonymously, and only collect information necessary to comply with local and international law.
We maintain a guide about how to use CryptFolio anonymously.
3. Empower the user
Data security is not limited to a single website; it is the responsibility of each user to keep their own accounts and finances secure. We aim to empower each user to learn and make their own decisions:
- We recommend all users set up two-factor authentication.
- We check for strong passwords on account creation and password reset.
- At any time, users can download a copy of their data, or permanently delete their data.
4. Secure every level
We follow industry best practices for developing an organisation where security is at the heart of everything we do, including and not limited to:
- Employees must pass a criminal background check as part of the hiring process.
- Employees are required to encrypt their hard drives, utilise strong passwords, and enable screen locking.
- Employees are not permitted to store users' private information on any of their devices.
We follow industry best practices for securing our servers and databases, including and not limited to:
- Each application tier is hosted separately on a different server, secured through firewalls.
- All requests are processed through SSL, graded A+ through SSL Labs.
- Our servers are hosted at SOC Level 2 compliant facilities in the United States.
- We rate limit all actions and requests on the site, which could otherwise enable abuse.
- We have software and procedures in place to detect and notify us of any unusual or unexpected server activity.
Finally, we follow industry best practices for developing a secure code base, including and not limited to:
- CryptFolio is developed with continuous testing, integration and deployment principles, allowing us to immediately release patch updates when necessary.
- Our continuous testing process automatically audits the components used within our applications.
- Through the CryptFolio Bug Bounty Program, we collaborate directly with a community of security researches to help keep our users safe.
5. Be open and honest
As a responsible company, we are upfront about how and when we have to share data with government agencies, because we value our users’ trust. Our Annual Transparency Reports – starting in July 2018 – detail the requests we’ve received, and our responses, over every twelve month period.
In the unlikely case of a security breach, our policy is to immediately take down the CryptFolio website; inform all of our users within 48 hours of the breach; and only resume the service once we have verified the application is secure again.
As of February 2018, we have not had any data security breaches.
If you have any questions at all about our security policies, please contact our Security Officer:
- by secure mail to The Security Officer, CryptFolio, Level 31, Plimmer Towers, 2-6 Gilmer Terrace, Wellington 6011, New Zealand, or
- by e-mail at firstname.lastname@example.org.
Last updated: February 2018