How we protect your data
Password hashing, encryption at rest, TLS, backups.
Passwords
- Hashed with Argon2id (memory-hard; resistant to GPU brute-force).
- Checked against the HaveIBeenPwned breach database at sign-up and at every password change — known-breached passwords are rejected.
- Minimum 12 characters; no other complexity rules (length is what matters).
Two-factor authentication
- TOTP (RFC 6238) required on every account.
- Secrets stored encrypted at rest (Fernet + a server-side master key).
- Backup codes are hashed; we never see your plaintext codes after enrollment.
- Last-used-step is tracked to prevent replay attacks within the 30-second window.
Kraken API keys
- Encrypted with Fernet (cryptography library; symmetric AES-128-CBC + HMAC-SHA256).
- Master key stored at
/etc/volatilityfarmer/master.key, mode 0400, owned by the application user (not readable by web requests). - Key rotation supported via MultiFernet — operators rotate the master key periodically.
- We never display the raw key/secret after saving; updating means re-pasting fresh values.
Backups
- Daily auth.db backup, encrypted with a separate Fernet key (stored offline, off-host) and shipped to Backblaze B2 cold storage.
- Daily full-tree backup to encrypted off-site storage.
- Restore drills are scheduled quarterly (see RUNBOOK).
Network
- TLS-only — HTTP requests are 301-redirected to HTTPS.
- HSTS enabled with a long max-age and preload list submission.
- Modern TLS cipher suite (Mozilla Intermediate compatibility).
- Content Security Policy + X-Frame-Options + X-Content-Type-Options + Referrer-Policy headers.
Sessions
- HttpOnly + Secure + SameSite=Lax cookies.
- Absolute session lifetime + idle timeout.
- Session revocation per-device + bulk-revoke (sign out everywhere else).
- New-device login surfaces a security email + in-app notification.
Auditability
- Every state-changing action emits an audit log row (timestamp + actor + action + IP + masked payload).
- Sensitive payload keys (passwords, tokens, codes) are masked at write-time, not just display-time.
- Audit log GC retains routine events 90 days + security events 365 days (operator-tunable).
Server isolation
- Per-user systemd units run each customer's bot as a dedicated system user (vf-bot-N) with limited filesystem + capability scope.
- The web process runs as a separate system user (vf-app) with no Kraken-key decryption permission outside the auth-validated request scope.
Want more detail?
See our privacy policy for the legal / policy framing, or We don't custody your funds for the asset-protection model specifically.