AlphaBot
Security model

Your funds. Your keys. Our execution edge.

AlphaBot connects to exchanges via API keys you provide and places orders on your behalf. We never custody, hold, rehypothecate, or transfer user assets. Below is exactly what we do — and do not do — with the credentials you trust us with.

KMS-encrypted secrets · Withdraw permission hard-rejected · Cancel anytime

1. We never custody your funds

  • API keys you connect grant read and trade permission only — never withdraw.
  • Withdraw permission is hard-rejected at onboarding. We detect it on the first authenticated call and refuse to accept the key. The key is not stored, not logged, not retried.
  • If your exchange supports IP allow-lists on API keys, you can restrict your key to AlphaBot's outbound addresses (listed in the dashboard).

2. Encryption: AWS KMS, envelope, per-user

  • API secrets are encrypted at rest using AWS KMS with envelope encryption: a unique data key per user, wrapped under a KMS customer master key.
  • The KMS policy binds decrypt operations to your active session JWT. Operators (us) cannot decrypt your secrets out-of-band.
  • Decrypted secrets live only in process memory, only for the duration of an API call, and are never written to disk or logs.

3. Per-user data isolation

Every record in our datastore is keyed and partitioned by user. Access paths require the caller's authenticated identity to match the row owner; cross-user access is impossible by construction, not by convention.

We run a CI fixture that asserts "user A cannot read, modify, or trigger any side-effect on user B's data" against every protected handler. The test fails the build on any regression.

4. Append-only audit log

Every action AlphaBot takes against your account — order placed, order canceled, key rotated, kill switch fired, parameter changed — is recorded in a hash-chained, append-only log.

  • You can export the full log as CSV or JSON from the dashboard at any time.
  • Each entry references the previous entry's hash, so any tampering is detectable.
  • The chain head is published, so you can verify locally that no entry has been altered or removed.
  • Operator (employee) actions on infrastructure are logged separately and made available on request to Enterprise tier.
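
An added example, not AlphaBot's own code, of the local check the list above describes: walk an exported JSON log, recompute each entry's hash, confirm each link to the previous entry, and compare the final hash with the published chain head. The field names (`seq`, `action`, `prev_hash`, `hash`), the all-zero genesis value and SHA-256 over canonical JSON are assumptions, since the page does not specify the export format.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash of the very first entry


def entry_hash(entry):
    """SHA-256 over canonical JSON of every field except 'hash' (assumed scheme)."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def build_chain(actions):
    """Construct a sample export; stands in for the dashboard's JSON download."""
    log, prev = [], GENESIS
    for seq, action in enumerate(actions):
        entry = {"seq": seq, "action": action, "prev_hash": prev}
        entry["hash"] = prev = entry_hash(entry)
        log.append(entry)
    return log


def verify_chain(log, published_head):
    """Return (ok, reason): checks ordering, every link, every hash, then the head."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("seq") != i:
            return False, f"entry {i}: sequence gap (entry removed or reordered)"
        if entry.get("prev_hash") != prev:
            return False, f"entry {i}: prev_hash does not match preceding entry"
        if entry_hash(entry) != entry.get("hash"):
            return False, f"entry {i}: content does not match its hash"
        prev = entry["hash"]
    if prev != published_head:
        return False, "head mismatch (tail truncated or log rewritten)"
    return True, "ok"


# Constructed sample data, not real AlphaBot output.
SAMPLE = build_chain(["order_placed", "order_canceled", "key_rotated", "kill_switch_fired"])
HEAD = SAMPLE[-1]["hash"]  # in practice: fetched from wherever the head is published

if __name__ == "__main__":
    print(verify_chain(SAMPLE, HEAD))
```

The per-entry checks alone cannot detect a log that was truncated at the tail or regenerated end to end, because such a log is internally consistent. Only the comparison with an independently obtained chain head catches those cases.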

5. Infrastructure

AlphaBot runs on AWS in multiple regions (us-east-1, us-west-2, ap-southeast-1) chosen for proximity to exchange match engines. We do not share databases with any third party. Production deployments require multi-factor authentication, use short-lived credentials only, and are recorded in the operator audit log.

6. Vulnerability disclosure

If you believe you have found a security issue, please email security@alphabot.deeplogic.software. We aim to acknowledge within one business day and to provide a remediation plan within five.

We are preparing a formal bug-bounty program with payouts scaled to severity (low / medium / high / critical). Until it is live, we will recognize responsible disclosure publicly (with the reporter's consent) and pay discretionary bounties for valid, in-scope reports. Out-of-scope: anything requiring compromise of an end user's exchange credentials, non-product-impacting findings, denial-of-service against shared infrastructure, social engineering of staff.

What we do not (yet) claim

We do not claim SOC 2 or ISO 27001 certification. Both are on our roadmap and we will publish the auditor and report when each is complete. Until then, the controls described above are what we can stand behind today.