All Collections
Getting started
Common questions
Is Koinly Secure?
Is Koinly Secure?
R
Written by Robin Singh
Updated over a week ago

Keeping our customers' data secure is the most important thing that Koinly does. We go to considerable lengths to ensure that all data sent to Koinly is handled securely - keeping Koinly secure is fundamental to the nature of our business. We want to share some of the details of what we do to keep things secure, and some of the work that we're doing to continually improve the security of your data. This document is a living document, and we will add to it from time to time. You might also be interested in checking out our Terms of Use, Privacy Policy, Security and how we stay compliant. If you have any questions, as ever please contact us at [email protected].

Our team has relevant experience

Our team includes people who've played lead roles in designing, building, and operating highly secure Internet-facing systems, such as payment processing platforms, cloud services, and content distribution networks in companies such as Amazon and Facebook. We also have people who've successfully built a number of startups from scratch, and others who have worked in well-established smaller Internet businesses.

We host in world-class facilities

The vast majority of our services and data are hosted in Amazon Web Services facilities in the USA, and we are in the process of consolidating all services and data there. Further details about the considerable measures Amazon takes in securing its facilities and services can be found here: https://aws.amazon.com/compliance/

We follow best practices

At Koinly we follow a number of best practices that improve our security posture. Here are a few examples:

  • We have functioning, frequently used automation in place so that we can safely and reliably roll out changes to both our application and operating platform within minutes. We typically deploy dozens of times a day, so we have high confidence that we can get a security fix out quickly when required.

  • All oAuth connections and APIs are read-only which means that Koinly cannot interact with your wallet, only import existing information (transaction history) from your account.

  • All data sent to Koinly is encrypted in transit. Our API and application endpoints are TLS/SSL only and score an "A+" rating on SSL Labs' tests - meaning that we only use strong cipher suites and have features such as HSTS and Perfect Forward Secrecy fully enabled. We also encrypt data at rest.

  • We regularly engage with well-regarded third-party auditors to audit our code-base and infrastructure and work with them to resolve potential issues.

  • We use technologies such as Graylog, AWS Cloudtrail, and StreamAlert to provide an audit trail over our infrastructure and the Intercom application. Auditing allows us to do ad-hoc security analysis, track changes made to our setup, and audit access to every layer of our stack.

  • We don't trust our corporate network - it has no backdoors into our production systems.

  • We have a documented incident response plan and educate all staff on security procedures and policies.

  • No employees have access to DNS records and we do not operate our own nameservers so chances of getting hijacked are very low. We use Cloudflare for this which is a very reputable and leading provider for DNS solutions.

We do not store payment details

Koinly is not in the business of storing or processing payments. All payments made to Intercom go through our partner, Stripe. Details about their security setup and PCI compliance can be found on Stripe's security page.

Have more security questions?

Check out this page which will answer many of your security questions.

Did this answer your question?