Your exchange API keys, secrets, and passphrases are encrypted before being stored. Each user has a unique encryption key — so even in a worst-case scenario, one user's data cannot be used to access another's.

Decrypted keys exist only in memory during trade execution. They are never written to disk, never appear in logs, and are wiped when the system restarts.

Flipr.Cloud only needs trading permissions on your API keys. We never ask for withdrawal, transfer, or fund management access. We recommend you restrict your keys to trading-only on your exchange — so that nobody, including us, can move funds out of your account.

Your webhook URL contains a unique token that is only shown once when you create it. We store only a one-way hash — even if someone accessed our database, they couldn't reconstruct your webhook URL.

Your password is never stored. We use industry-standard one-way hashing so that even we cannot see it. Login checks are designed to prevent both brute-force attacks and account enumeration.

Your login session is protected with HttpOnly cookies (invisible to JavaScript), HTTPS-only transport, and short-lived tokens that refresh automatically. When you log out or change your password, all your active sessions are invalidated immediately.

All communication between your browser and Flipr.Cloud uses TLS 1.3 — the latest encryption standard. Communication between our regional servers is also encrypted and cryptographically signed to prevent tampering.

Sensitive data is encrypted with per-user derived keys before being written to the database. Non-sensitive data is stored with standard database access controls and strict authentication.

All servers require cryptographic key authentication. Password-based access is disabled — there is no password to guess or brute-force.

Every request is analyzed in real-time across all servers. Suspicious patterns — repeated failures, unusual payloads, injection attempts — trigger automatic protective actions within seconds, not hours.

Security decisions are shared across all servers instantly. An attacker can't bypass protection by targeting a different region — our servers coordinate their defenses as a single system.

Our team receives instant notifications for every security event. We investigate every alert, and we continuously refine our defenses based on real-world attack patterns we observe.

Every blocked request is recorded with enough detail to understand the attack and improve our defenses — but never enough to expose user data.

Login, registration, and webhook endpoints are all rate-limited at multiple layers: at the network edge, at the web server, and at the application level. Even if one layer is bypassed, the others hold. Limits work across the entire platform — attackers can't circumvent them by spreading requests.

Every webhook payload is validated before processing: size limits, structural checks, and injection pattern detection. Malformed or malicious payloads are rejected before reaching the trading engine.

Suspicious activity triggers an escalating response: from temporary throttling to full IP ban. Repeated abuse leads to longer bans. We don't give attackers a second chance.

Flipr.Cloud runs servers in Europe and Asia-Pacific, providing low-latency execution close to your exchange and geographic redundancy. All regions share the same security posture.

Malicious traffic is dropped at the operating system level — the lowest possible point in the stack. This adds zero latency for legitimate requests while making blocked traffic invisible to our application.

Your data is processed in isolated worker processes with separate memory spaces. A problem in one connection cannot leak into another.

We continuously track the health of every exchange connection. If an exchange becomes unreliable, we automatically pause affected operations to protect your account and notify our team for investigation.

If your API key experiences repeated errors (like invalid credentials or authentication failures), Flipr.Cloud automatically pauses trading on that key to prevent further issues. Protection escalates gradually from short pauses to full suspension.

When a security event affects your API key, you get an email right away with what happened, how long the pause lasts, and step-by-step instructions to resolve it.

Our incident response follows a clear flow: detect, contain, investigate, fix, and notify. For vulnerabilities reported through our responsible disclosure program, we acknowledge promptly and keep you updated.