SECURITY MODEL

How we protect you

Security is a partnership. Here's exactly what Guac does to protect your data and assets, and what you should do on your end.

AES-256 encryption standard · 0 plain-text storage · 0 withdrawal permissions · 24/7 monitoring

Guac's security model is built on a simple premise: we should never be able to do anything to your funds that you wouldn't authorize. Every architectural decision flows from that.

API key encryption

Your exchange API keys are among your most sensitive data. Here's exactly how they're protected at every stage.

AES-256 encryption at rest

Every Secret Key is encrypted with AES-256, the same standard used by governments and financial institutions worldwide, before it touches our database. The encryption keys themselves are managed in a hardware security module, accessible only to the production trading service.

Secure key management

Encryption keys are rotated regularly. Access is strictly limited to essential personnel. Every key access is logged and audited. No human reads your Secret Keys, ever, not even Guac engineers.

Zero plain-text storage

Your Secret Keys are never stored in plain text. Not in memory longer than necessary. Not in logs. Not in backups. Not in any caching layer. Every byte is encrypted at rest.

Minimal permission requests

Guac only requests Read and Trade permissions on your exchange, never withdrawal access. This isn't a policy. It's an architectural constraint: our trading service has no code path that could initiate a withdrawal, even if compromised.

The math on AES-256: a 256-bit key has 2^256 possible combinations. Even with the world's largest supercomputer attempting trillions of guesses per second, brute-forcing AES-256 would take longer than the age of the universe. This is not marketing. It is why governments, banks, and intelligence agencies use it.
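As an added illustration (not Guac's own code), this is the shape of the at-rest protection described above: an exchange Secret Key sealed with AES-256-GCM under a key-encryption key that stands in for the HSM-managed key, with the ciphertext bound to its database record so a stored blob cannot be moved onto another user's row. The KEK handling, record ID format and function names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newGCM returns an AES-GCM AEAD; a 32-byte kek selects AES-256.
func newGCM(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealSecret encrypts an exchange Secret Key under kek (a stand-in for the
// HSM-managed key) and binds the ciphertext to recordID via the associated
// data, so a blob cannot be copied onto another user's row.
// Stored blob = nonce || ciphertext || tag; the plaintext never reaches the DB.
func SealSecret(kek []byte, recordID string, secret []byte) ([]byte, error) {
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, secret, []byte(recordID)), nil
}

// OpenSecret decrypts a stored blob; a wrong kek, a wrong recordID or any
// modification fails the GCM tag check and yields no plaintext at all.
func OpenSecret(kek []byte, recordID string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}
```

Decrypting only inside the trading service, and only for the record that owns the blob, is what keeps the key out of logs, backups and caches in plaintext form.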

Social trading security

Social trading lets you share strategies and copy other traders. Done wrong, it's a security nightmare. Here's how Guac does it right.

Granular privacy controls

You control exactly what trading information is shared with the community. Default is private. You opt in to each layer (strategy performance, trade history, holdings) independently.

Secure copy trading

When you copy another trader's strategy, the execution happens through Guac's secure infrastructure. Your API keys are never shared with the trader you're copying. They never see your account.

Trader verification

Traders with established track records and verified identity receive a verified badge. You can filter by verification status, which is useful when evaluating who to copy.

Content moderation

AI-powered moderation flags suspicious content in real time. Human moderators review flagged items. Together they prevent scams, misleading performance claims, and pump-and-dump schemes.

Additional security measures

Multi-factor authentication

Enable 2FA via authenticator app (Google Authenticator, Authy, 1Password) or SMS. Authenticator apps are significantly more secure than SMS. Use them when possible.

IP whitelisting

Restrict your account to specific IP addresses. Login attempts from any other IP are blocked. Best for users with static IPs.

Privacy protection

Strict data privacy policies. GDPR-compliant data handling. Your personal information is never sold or shared with third parties for marketing.

Secure development

Rigorous code reviews on every PR. Continuous integration security scanning. Annual third-party penetration testing. Bug bounty program for responsible disclosure.

Your security best practices

Security is a partnership. Here's how to maximize protection on your end.

  1. Use strong, unique passwords. A unique password per service is non-negotiable. Use a password manager; they're free and they work.
  2. Enable 2FA everywhere. On your Guac account. On every exchange you connect. On your email account (especially this one). Email is often the weakest link.
  3. Restrict API permissions. When creating API keys, grant only the minimum permissions needed. Never enable withdrawal access for trading services.
  4. Monitor account activity. Review the activity log periodically. Enable notifications for important actions. Investigate anything unfamiliar immediately.
  5. Beware of phishing. Guac will never ask for your password, 2FA codes, or API Secret Key. Anyone who does is impersonating us.
  6. Keep your devices secure. OS updates, anti-malware, full-disk encryption. The most sophisticated server-side security can't protect against a compromised endpoint.

The single biggest mistake: reusing passwords across services. Most successful account compromises start with credentials leaked from a totally unrelated breach. A unique password per service breaks that chain entirely.

Report a vulnerability

If you've found a security vulnerability in Guac, please report it through our responsible disclosure program. We respond within 24 hours and run a bug bounty program for valid reports.

Responsible disclosure: email [email protected] with details. Please don't disclose publicly until we've had a chance to fix the issue. We credit researchers in our security advisories and reward valid reports.