Security

Security Policies

Security of funds and user information is our top priority. Our security team is continually improving our end-to-end security measures, improving auditing processes, and reducing the ‘attack surface’ of our infrastructure. Please note that we cannot disclose too many details of the security measures implemented on the platform for security and proprietary reasons.

User Account Protection

Some of the security measures highlighted below are in place by default, and others can be activated based on the security level you need. Please visit your account preferences to check the security status of your account and see recommendations.

Two-factor authentication (2FA)

Add an extra layer of security to your account and protect sensitive operations such as logging in, generating keys, and withdrawing.

In the near future, we will add configuration for two-factor authentication using Google Authenticator, Twilio, or a U2F Security Key. With Universal 2nd Factor (U2F), you use a physical Security Key to take advantage of the ultra-secure FIDO Universal 2nd Factor (U2F) open authentication standard.

Advanced verification tools to monitor the integrity of your account

  • Login data is saved and analyzed for unusual activity.
  • Intelligent system detects IP Address changes to prevent session hijacking.
  • Email notifications report logins and include a link to instantly freeze your account if you suspect malicious activity.
  • Access to your account is limited based on IP address, and IPs are blocked based on a failed login attempt.

Cryptocurrency Storage

The overwhelming majority of system funds are stored in offline, cold wallets. Only approximately 0.5% of crypto assets are accessible in hot wallets for day-to-day platform operations. As an added protection, the cold wallets are not available from the platform or the platform servers. The funds in offline cold storage require manual intervention by several members of our management to access as they are placed in a secure lockbox location.

Withdrawals protection

  • Security system monitors withdrawals by IP address and other user behavior patterns, triggering manual admin inspection on withdrawals that appear unusual.
  • Withdrawal confirmation step that is immune to browser malware.
  • Define an address/account whitelist to ensure no withdrawals can go anywhere else.
  • Advanced API key permissions

System Security

  • Always up-to-date Linux systems to host the platform
    Our server network is protected using always up-to-date software and the best possible practices.
  • Automatic backup of the database once a day
    Once a day, the database of the platform is backed up, encrypted and compressed as an archive.
  • Duplication of backup data automatically
    As soon as a new backup is ready (database, log files), it is sent to other servers in several physical locations for redundancy.
  • Protection from DDoS attacks
    We are protected by automatic Distributed Denial of Service protection to ensure, to the best of our abilities, that trading cannot be halted by outside attacks.

Financial Security

  • We are partnered with a licensed financial service provider to supply a full reserve digital asset market. Customers may only trade from pre-funded accounts in fiat or digital assets.
  • All customer USD fiat funds are held in an omnibus account at an insured bank located in Panama for privacy purposes.
  • All customer fiat funds are segregated and legally distinct from our business and operating accounts, as they are designated escrow accounts for this project only, managed by the licensed Financial Service Provider.
  • All customer USD fiat funds are eligible for insurance and protection, subject to applicable limitations.

Internal Controls

  • Multiple signatories are required to transfer funds out of Cold Storage.
  • Our CEO (Ross Araos) and President (Eduardo Encio) are unable to individually or jointly transfer funds out of Cold Storage, as it is held by an escrow requiring a system-generated confirmation, client confirmation, and both Directors' confirmation, with a verbal confirmation from escrow to IBITX and the entry of a random PIN card confirmation by the client.
  • Our offices do not store or contain anything of value. All private keys are stored offsite in secure facilities.
  • All employees undergo criminal and credit background checks, and are subject to ongoing background checks throughout their employment.
  • All remote access by employees uses public-key authentication; no passwords, one-time passwords (“OTPs”) or other phishable credentials are allowed.

Vulnerability Disclosure Philosophy

Our security team supports responsible disclosure. We will acknowledge valid and original (i.e., the first reported instance) discoveries on our website with the name of the security researcher(s) responsible. While we do not have a formalized bug-bounty program at this time, we may choose to do so in the future. In the event that a monetary rewards system is developed, we may, in our discretion, pay monetary rewards in bitcoin, subject to applicable laws.

Our commitment to security researchers is simple: we will not retaliate against researchers who report issues privately and in a responsible manner. We will do our best to reply to reports in a timely fashion and periodically update you on our progress with respect to investigating or remediating any issues you may have identified.

IBITX Security Team

We adhere to the highest capitalization, compliance, anti-money laundering, consumer protection and cyber security requirements, with third-party escrow and decentralized system and account information hosting.