Your funds stay on your exchange. Always.
Smartbull is non-custodial. The API keys you give us are spot-only and cannot move funds off your exchange. They're sealed with AES-256-GCM + post-quantum Kyber, sit behind a two-person kill-switch and an immutable audit log, and are auto-revoked the moment they gain withdraw permission. This page documents exactly what we can and cannot do — line by line.
What we CAN do
- Read your balance and open positions.
- Place, cancel and modify spot/futures orders.
- Read your order and fill history (for TCA).
What we CANNOT do
- Withdraw funds from your exchange.
- Transfer between accounts or sub-accounts.
- Change your account settings, 2FA, or whitelist.
- See your password or 2FA seed (we never get them).
Encrypted key vault
API keys are encrypted with AES-256-GCM, using a fresh random IV per row, before they touch the database. The master key lives in a separate secrets store, never in source, never in the database. Each row carries a key_version so we can rotate the master key without re-asking you for the API key — the operator workflow lives at Exchange API permissions.
What permissions to enable
When you create the API key on your exchange, enable Read + Spot trade (and Futures trade if you're on a perp engine). Leave Withdraw off.
When you paste the key into /account → Vault we run a read-only validation call and refuse the key if withdrawal permission is on — we won't let you accidentally give us more access than we need.
Row-level isolation
Every table is gated by Postgres Row-Level Security: a row tagged with one user's id is invisible to every other session, including ours. Even an SQL-injection bug in our application code would be confined to the rows the compromised session is already allowed to see, so it couldn't leak another tenant's keys or orders.
Full audit log
Every order the orchestrator places lands in bot_orders with timestamp, side, qty, price, exchange response and slippage. You can export the full history any time from /account → Activity (CSV + tax-ready format).
Infrastructure & disclosure
- Edge runtime: Cloudflare Workers, EU + US PoPs. TLS 1.2+ enforced.
- Database: managed Postgres (EU region), encrypted at rest, daily PITR backups.
- Secrets: out-of-band store, no operator has read-access to raw values.
- Incident notice window: 72 hours for any confirmed data breach (DPA Annex II).
- Responsible disclosure: security@smartbull.ai — we acknowledge within 24h.
What we can't protect you from
- Exchange insolvency. If the exchange itself disappears, your funds go with it. Pick a Tier-1 venue.
- Your own withdrawals getting out of sync with your allocation. Lower the allocation amount ($) in /account before pulling balance off the exchange.
- Black-swan moves between ticks. We evaluate once a minute; a 50% gap between ticks executes at the new price.
- API keys leaked outside Smartbull. If you paste them into a chat, screenshot, or another tool, revoke and reissue.