Skip to main content

How we protect your data

Password hashing, encryption at rest, TLS, backups.

Passwords

  • Hashed with Argon2id (memory-hard; resistant to GPU brute-force).
  • Checked against the HaveIBeenPwned breach database at sign-up and at every password change — known-breached passwords are rejected.
  • Minimum 12 characters; no other complexity rules (length is what matters).

Two-factor authentication

  • TOTP (RFC 6238) required on every account.
  • Secrets stored encrypted at rest (Fernet + a server-side master key).
  • Backup codes are hashed; we never see your plaintext codes after enrollment.
  • Last-used-step is tracked to prevent replay attacks within the 30-second window.

Kraken API keys

  • Encrypted with Fernet (cryptography library; symmetric AES-128-CBC + HMAC-SHA256).
  • Master key stored at /etc/volatilityfarmer/master.key, mode 0400, owned by the application user (not readable by web requests).
  • Key rotation supported via MultiFernet — operators rotate the master key periodically.
  • We never display the raw key/secret after saving; updating means re-pasting fresh values.

Backups

  • Daily auth.db backup, encrypted with a separate Fernet key (stored offline, off-host) and shipped to Backblaze B2 cold storage.
  • Daily full-tree backup to encrypted off-site storage.
  • Restore drills are scheduled quarterly (see RUNBOOK).

Network

  • TLS-only — HTTP requests are 301-redirected to HTTPS.
  • HSTS enabled with a long max-age and preload list submission.
  • Modern TLS cipher suite (Mozilla Intermediate compatibility).
  • Content Security Policy + X-Frame-Options + X-Content-Type-Options + Referrer-Policy headers.

Sessions

  • HttpOnly + Secure + SameSite=Lax cookies.
  • Absolute session lifetime + idle timeout.
  • Session revocation per-device + bulk-revoke (sign out everywhere else).
  • New-device login surfaces a security email + in-app notification.

Auditability

  • Every state-changing action emits an audit log row (timestamp + actor + action + IP + masked payload).
  • Sensitive payload keys (passwords, tokens, codes) are masked at write-time, not just display-time.
  • Audit log GC retains routine events 90 days + security events 365 days (operator-tunable).

Server isolation

  • Per-user systemd units run each customer's bot as a dedicated system user (vf-bot-N) with limited filesystem + capability scope.
  • The web process runs as a separate system user (vf-app) with no Kraken-key decryption permission outside the auth-validated request scope.

Want more detail?

See our privacy policy for the legal / policy framing, or We don't custody your funds for the asset-protection model specifically.