Security Policy

Last updated: June 24, 2026

1. Cryptographic Key Protection

Your API keys represent trading authority. We safeguard them with multiple layers of encryption:

  • AES-256-GCM Encryption: Stored API secrets are encrypted using the Advanced Encryption Standard with a 256-bit key in Galois/Counter Mode.
  • Secrets Manager Integration: All API credentials are securely managed and stored within an isolated, dedicated secrets management service. The engine manages programmatic key access and coordinates key lease configurations under strict access control policies.
  • In-Memory Decryption: Stored secrets are only decrypted in memory during trade replication requests. Plaintext keys are never written to disk or logs.

2. Network Security and IP Whitelisting

Replication requests are sent from a fixed set of dedicated server IPs:

  • IP Restriction: All trade replication requests originate from our static dedicated IP: 34.85.45.16. We require you to bind your exchange API keys to this IP address. If an attacker steals your API keys, they cannot place trades or access your funds from any other IP address.
  • Transport Security: All communications between the Decoded client interface, backend servers, and exchange API endpoints are encrypted using TLS 1.3.

3. Recommended API Security Configuration

To minimize risk, we enforce and recommend the following rules:

  • No Withdrawal Permission: Decoded does not require withdrawal capabilities. Never activate "Enable Withdrawals" on your exchange API key.
  • Trade-Only Access: Enable only Futures/USD-M derivatives trading permissions based on the assets you intend to replicate. Spot trading is currently not supported, so spot permissions are not required.
  • Session Lifetimes: Exchanges typically expire API keys after 90 days if they are not IP-restricted. By using our whitelisted IPs, your keys can safely remain active without expiration.

4. Infrastructure Isolation

Our trade replication engine runs in isolated execution containers. Each user's replication tasks are handled in sandboxed processes to prevent cross-account interference. Our systems are continuously monitored for unusual API response sizes or rates.

5. Reporting Vulnerabilities

We welcome security audits and bug disclosures. If you discover a vulnerability or security issue with our trade replication platform, please contact us immediately at security@decodedtrading.com. We promise to review disclosures within 24 hours.