VolatiCloud Security Overview
VolatiCloud is built for traders who want their strategies to stay theirs and their exchange API keys to stay safe. This section is the canonical, honest documentation of what we protect today, what we don't yet, and the public roadmap for closing every remaining gap. We deliberately publish the gaps because you can only make an informed decision about what to entrust to a trading platform if you know where the limits are.
The four most consequential guarantees today are withdrawal-disabled key enforcement (we reject any exchange key that can withdraw funds), field-level AES-256-GCM encryption at rest for API keys and other secrets, comprehensive audit logs of every sensitive-field read, and a published responsible-disclosure process for anyone who finds a vulnerability.
What You Control
- Withdrawal-disabled API keys. Every exchange key you connect must have the withdrawal permission disabled. We probe the exchange's permission API at add time and reject any key with withdrawal capability. Even full database compromise cannot drain your funds. See API Key Handling.
- Per-key permission scoping. Beyond disabling withdrawals, disable any scope your strategy doesn't need (futures for spot bots, margin for long-only bots). See API Keys — Permission Scoping.
- Egress IP allowlisting. Lock your exchange API keys to VolatiCloud's runner egress IPs in the exchange's security settings, so even a leaked key can't be used outside our infrastructure. See Egress IPs.
- Strategy code visibility. You decide whether each strategy is private (default) or public. Public strategies appear in the marketplace; private strategies are visible only to your organization.
view-secretsscoping. Share an exchange connection across your team without revealing the underlying API key — only members with theview-secretsUMA scope can read sensitive credentials. See Team Management.
What We Encrypt Today
Sensitive configuration fields are encrypted at rest with AES-256-GCM before being written to the database. Each field gets a fresh per-field nonce, and the ciphertext is prefixed with $vc_enc$v1$ to support graceful migration from any pre-encryption plaintext. The fields covered:
- Exchange API keys, secrets, passphrases, and private keys
- Runner credentials (Docker TLS certs and keys, kubeconfigs)
- S3 access keys for runner backups
- Bot config secrets (paths declared per-bot)
Architectural decision: ADR-0026 — Field-Level Encryption. Implementation walk-through: Encryption.
What We Are Honest About Not Yet Defending
VolatiCloud is a transparent SaaS today: our infrastructure has runtime access to your strategy code and bot configuration in plaintext, because the trading engine has to execute it. That's a real gap, and we're working through a phased trust roadmap to close it.
Until the higher trust tiers ship, our defenses against insider misuse are:
- Operational controls — segregation of duties, background checks, signed confidentiality agreements for production-data access
- Audit logs of every sensitive-resource read, surfaced to organization admins and exportable to CSV
- Withdrawal-disabled rule as a hard floor — even hostile insiders cannot drain customer funds
- Published responsible-disclosure process for external security researchers
For the full list of gaps and the wave-by-wave plan to close them, see the Threat Model and the Trust Feature Ladder roadmap.
How to Report a Vulnerability
If you've found a security issue, follow Responsible Disclosure before sharing publicly. We acknowledge in-scope reports within 48 hours and provide a first severity assessment within 5 business days.
Sections in This Guide
- Threat Model — The actors we model, what we defend against, and what we don't yet.
- Encryption — What's encrypted at rest and in transit, key management, audit logs, and what's coming.
- API Key Handling — Withdrawal-disabled enforcement, runtime key handling, rotation cadence.
- Egress IPs — Static runner IPs to allowlist on your exchange.
- Responsible Disclosure — How to report a vulnerability safely and what to expect from us.