Security
Funds stay yours. Risk controls run on our servers.
GRIDVULCAN is a non-custodial trading bot. We never hold your funds. Your API keys are encrypted with AES-256-GCM and bound to your user ID. Your kill-switch and stop-loss run on our backend, so a tab crash or misclick can't disable your safety net.
Non-custodial by design
You bring a trade-only API key from your exchange. We never request withdrawal permission. The bot places orders through that key against the exchange's order book; the funds, and the authority to withdraw them, never leave the exchange side. If your exchange can restrict an API key to specific source IPs, use that too: a trade-only key can't withdraw, but a leaked one could still place trades.
Key encryption (AES-256-GCM)
- Master key lives in the GRIDVULCAN_MASTER_KEY environment variable. Never written to the database or log files.
- Each credential gets a fresh 12-byte nonce; AAD binds the ciphertext to your user ID. A stolen DB row cannot be re-assigned to another account.
- Keys are not displayed in clear after creation. The dashboard shows only the last 4 characters.
- On subprocess launch, the API key/secret are passed as environment variables rather than command-line arguments, so they don't show up in ps or Get-Process listings. (A process's environment is still readable by the same OS user and by root, e.g. via /proc/<pid>/environ on Linux; this keeps keys out of process listings, not out of the host.)
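The tenant-binding property described above, as an added Go example (not GRIDVULCAN's own code): AES-256-GCM with a fresh 12-byte nonce per credential and the user ID as AAD, so a row sealed for one user fails tag verification under any other. The master key value, the stored row layout (nonce || ciphertext || tag) and the function names are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// masterKey is a constructed 32-byte stand-in for the value a real service
// would read from the GRIDVULCAN_MASTER_KEY environment variable.
var masterKey = []byte("0123456789abcdef0123456789abcdef")

// newGCM builds the AEAD; AES-256 requires exactly a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("master key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealCredential encrypts an exchange API secret under the master key. A fresh
// 12-byte nonce is drawn for every call and the user ID is passed as AAD, so the
// resulting row only opens when the caller supplies the same user ID.
func sealCredential(key []byte, userID string, secret []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes for standard GCM
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Assumed row layout: nonce || ciphertext || 16-byte GCM tag.
	return gcm.Seal(nonce, nonce, secret, []byte(userID)), nil
}

// openCredential decrypts a stored row on behalf of userID. A row sealed for a
// different user, or with any bit flipped, fails tag verification.
func openCredential(key []byte, userID string, row []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(row) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("row too short")
	}
	nonce, ct := row[:gcm.NonceSize()], row[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(userID))
}

// reassignFails demonstrates the binding: the row sealed for userA is rejected
// under userB and still opens correctly under userA.
func reassignFails(userA, userB string) (bool, error) {
	row, err := sealCredential(masterKey, userA, []byte("exchange-api-secret"))
	if err != nil {
		return false, err
	}
	if _, err := openCredential(masterKey, userB, row); err == nil {
		return false, nil
	}
	pt, err := openCredential(masterKey, userA, row)
	return err == nil && string(pt) == "exchange-api-secret", err
}

func main() {
	ok, err := reassignFails("user-1", "user-2")
	fmt.Println("bound to user:", ok, err) // true <nil>
}
```

The user ID is authenticated, not encrypted, so it can stay in the clear in its own column; what the AAD buys is that the tag only verifies when the caller's ID matches the one the row was sealed under. Nonce reuse under a single key breaks GCM, so the per-call random nonce is the part that must never be replaced by a counter shared across processes.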
Server-enforced safety controls
- Kill-switch. A panic call (POST /bots/{id}/panic) cancels open orders and closes positions on the exchange. Survives the browser closing.
- Stop-loss. Daily loss limit and per-position stop are enforced in the engine; they can't be disabled from the web UI.
- Config allowlist. Only a fixed set of fields can be edited, and numeric bounds are checked server-side on PUT, so a tampered request or config file can't turn off limits.
- LIVE confirmation. Starting a bot in real-money mode requires an audited risk acknowledgement (logged in the audit trail, not just the UI).
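A server-side allowlist-plus-bounds check of the kind the Config allowlist bullet describes, as an added Go example rather than the project's own code. The field names, ranges and request shape are assumptions; what it shows is that every safety limit has a floor above zero, so no accepted value can switch it off, and that an unknown field rejects the whole request instead of being silently dropped.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// bound is the server-side range for one editable numeric field.
type bound struct{ min, max float64 }

// editable is the allowlist. Names and ranges are constructed for the example;
// the limits have a non-zero floor, so "0" (off) is never an accepted value.
var editable = map[string]bound{
	"grid_levels":       {2, 200},
	"order_size_quote":  {5, 100000},
	"daily_loss_limit":  {0.005, 0.20}, // fraction of equity
	"per_position_stop": {0.001, 0.10}, // fraction of entry price
}

// validateConfigUpdate parses an untrusted PUT body and returns only the
// accepted fields. Unknown fields (for example kill_switch_enabled), non-numeric
// values and out-of-range values reject the whole request, so a tampered client
// cannot disable a limit by zeroing it or renaming it.
func validateConfigUpdate(body []byte) (map[string]float64, error) {
	var raw map[string]json.RawMessage
	if err := json.Unmarshal(body, &raw); err != nil {
		return nil, fmt.Errorf("invalid JSON: %w", err)
	}
	if len(raw) == 0 {
		return nil, errors.New("empty update")
	}
	accepted := make(map[string]float64, len(raw))
	for name, v := range raw {
		b, ok := editable[name]
		if !ok {
			return nil, fmt.Errorf("field %q is not editable", name)
		}
		var f float64
		if err := json.Unmarshal(v, &f); err != nil {
			return nil, fmt.Errorf("field %q must be a number", name)
		}
		if f < b.min || f > b.max {
			return nil, fmt.Errorf("field %q=%v outside [%v, %v]", name, f, b.min, b.max)
		}
		accepted[name] = f
	}
	return accepted, nil
}

func main() {
	// Constructed request bodies: one valid, one zeroing a limit, one renaming a field.
	for _, body := range []string{
		`{"grid_levels": 20, "daily_loss_limit": 0.02}`,
		`{"daily_loss_limit": 0}`,
		`{"kill_switch_enabled": false}`,
	} {
		got, err := validateConfigUpdate([]byte(body))
		fmt.Println(body, "->", got, err)
	}
}
```

Rejecting rather than dropping unknown fields matters for the audit trail: a 4xx on the PUT leaves a record that something tried to change a field it shouldn't, where silent filtering would not.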
Tenant isolation
Every bot runs as its own OS subprocess, with its own state, logs, and config files. A fault in one tenant's bot can't poison another tenant's. The engine→backend bridge is gated by a per-bot HMAC-SHA256 token derived from a root secret — a compromised engine cannot post fills for another tenant.
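The bridge token described above, as an added Go example and not GRIDVULCAN's implementation. The derivation label, the choice to use the derived key to MAC each fill body (rather than presenting the derived value as a bearer token) and the endpoint name are assumptions for the example; what it demonstrates is the stated property: a key derived for one bot cannot authenticate a fill against another bot's endpoint, and the backend never has to store per-bot secrets.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// rootSecret is a constructed stand-in; a deployment loads it from the
// environment and it never leaves the backend.
var rootSecret = []byte("constructed-root-secret-for-the-example-only")

// deriveBotKey derives the per-bot bridge key from the root secret. Each engine
// is handed only its own derived key; the backend re-derives on demand. The label
// is an assumption that keeps bridge keys separate from other HMAC uses of the root.
func deriveBotKey(root []byte, botID string) []byte {
	m := hmac.New(sha256.New, root)
	m.Write([]byte("gridvulcan/bridge/v1/" + botID))
	return m.Sum(nil)
}

// signFill is the engine side: the fill body is MACed under the bot key together
// with the bot ID it will be posted to, so the MAC is tied to that bot's endpoint.
func signFill(botKey []byte, botID string, body []byte) []byte {
	m := hmac.New(sha256.New, botKey)
	m.Write([]byte(botID))
	m.Write([]byte{0}) // separator so bot ID and body bytes cannot be confused
	m.Write(body)
	return m.Sum(nil)
}

// verifyFill is the backend side for an assumed POST /bots/{id}/fills: it
// re-derives the key for the bot named in the URL path and compares in constant
// time. An engine holding bot-A's key cannot produce a valid MAC for the bot-B
// path, and any change to the body invalidates the MAC.
func verifyFill(root []byte, pathBotID string, body, mac []byte) error {
	want := signFill(deriveBotKey(root, pathBotID), pathBotID, body)
	if !hmac.Equal(mac, want) {
		return errors.New("bridge token rejected for bot " + pathBotID)
	}
	return nil
}

func main() {
	body := []byte(`{"order_id":"o-1","side":"buy","qty":0.5,"price":100.0}`) // constructed fill
	keyA := deriveBotKey(rootSecret, "bot-A")
	mac := signFill(keyA, "bot-A", body)
	fmt.Println("own endpoint:  ", verifyFill(rootSecret, "bot-A", body, mac)) // <nil>
	fmt.Println("other tenant:  ", verifyFill(rootSecret, "bot-B", body, mac)) // error
}
```

With a bearer-style token the check collapses to hmac.Equal(presented, deriveBotKey(root, pathBotID)); MACing the body additionally binds the fill's content. Neither form resists replay of an identical fill to the same bot, so a timestamp or sequence number belongs in the MACed data if that matters.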
Authentication
- Supabase Auth with ES256 / RS256 JWTs validated against project JWKS, with audience and issuer checks.
- Email confirmation required before any privileged action.
- Sign-up gated by a whitelist during the private beta.
- Password reset via signed magic link; the link expires in one hour.
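An ES256 validation routine of the kind the first bullet describes, as an added Go example; it is neither Supabase's nor the project's code. The JWKS is built from a locally generated P-256 key so the block runs offline (a real service fetches the project's JWKS document and caches it); the issuer URL, audience value and kid are constructed. Besides the issuer and audience checks the page lists, it pins the alg to ES256 and checks exp, since a verifier that skips expiry accepts tokens forever. RS256 is left out for length; supporting it means accepting that alg as well and dispatching on the key's kty.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK fields needed for an ES256 key; encoding/json maps "kty", "x" etc. onto these case-insensitively.
type jwk struct{ Kty, Crv, Kid, X, Y string }
type jwks struct{ Keys []jwk }

// Registered claims checked here. aud is a plain string, as Supabase issues it (the spec also allows an array).
type claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// publicKeyFromJWK rebuilds an ecdsa.PublicKey from JWK x/y and rejects points that are not on P-256.
func publicKeyFromJWK(k jwk) (*ecdsa.PublicKey, error) {
	if k.Kty != "EC" || k.Crv != "P-256" { return nil, errors.New("unsupported key type") }
	x, errX := b64.DecodeString(k.X)
	y, errY := b64.DecodeString(k.Y)
	if errX != nil || errY != nil { return nil, errors.New("malformed jwk coordinates") }
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	if !pub.Curve.IsOnCurve(pub.X, pub.Y) { return nil, errors.New("point not on curve") }
	return pub, nil
}

// verifyES256 pins alg to ES256 (no alg switching or "none"), resolves kid in the JWKS, verifies the
// raw r||s signature over header.payload, then checks iss, aud and exp.
func verifyES256(token string, keys jwks, wantIss, wantAud string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, errors.New("malformed token") }
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil { return nil, err }
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "ES256" {
		return nil, errors.New("unexpected or malformed alg")
	}
	var pub *ecdsa.PublicKey
	for _, k := range keys.Keys {
		if k.Kid != hdr.Kid { continue }
		if pub, err = publicKeyFromJWK(k); err != nil { return nil, err }
	}
	if pub == nil { return nil, errors.New("unknown kid") }
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { return nil, errors.New("malformed signature") }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) { return nil, errors.New("bad signature") }
	payload, err := b64.DecodeString(parts[1])
	if err != nil { return nil, err }
	var c claims
	if err := json.Unmarshal(payload, &c); err != nil { return nil, err }
	switch {
	case c.Iss != wantIss: return nil, errors.New("issuer mismatch")
	case c.Aud != wantAud: return nil, errors.New("audience mismatch")
	case !now.Before(time.Unix(c.Exp, 0)): return nil, errors.New("token expired")
	}
	return &c, nil
}

// jwksFor and mint are a constructed stand-in for the auth provider, used only so the demo runs offline.
func jwksFor(priv *ecdsa.PrivateKey, kid string) jwks {
	x, y := priv.X.FillBytes(make([]byte, 32)), priv.Y.FillBytes(make([]byte, 32))
	return jwks{Keys: []jwk{{Kty: "EC", Crv: "P-256", Kid: kid, X: b64.EncodeToString(x), Y: b64.EncodeToString(y)}}}
}

func mint(priv *ecdsa.PrivateKey, kid string, c claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signing))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil { panic(err) }
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return signing + "." + b64.EncodeToString(sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed issuer key
	tok := mint(priv, "key-1", claims{Iss: "https://example.supabase.co/auth/v1", Aud: "authenticated", Sub: "user-1", Exp: time.Now().Add(time.Hour).Unix()})
	_, err := verifyES256(tok, jwksFor(priv, "key-1"), "https://example.supabase.co/auth/v1", "authenticated", time.Now())
	fmt.Println("verify error:", err) // <nil> on success
}
```

The alg pin is the check most often missing from hand-rolled verifiers: reading the algorithm from the token lets an attacker present alg=none or swap an asymmetric key for an HMAC secret, so the verifier must decide the algorithm from its own configuration and the key's type, never from the header alone.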
Reporting a vulnerability
We welcome responsible disclosure. Email security@gridvulcan.com with steps to reproduce. We acknowledge within 72 hours and aim to patch high-severity issues within 7 days. Please do not exploit vulnerabilities beyond what is necessary to demonstrate the issue.