Skip to main content
AegisAegis
Beta launching soonWe'll enable access to the app during the beta.

Security Policy

Last updated: 2026-06-26

1. Overview

This Security Policy describes the technical and organizational measures Aegis Bot uses to protect user data and platform integrity.

2. Password Security

Passwords are never stored in plaintext. All passwords are hashed using the scrypt key derivation function before storage. Aegis Bot does not use bcrypt or argon2 for password hashing.

3. API Key Protection

Exchange API keys submitted by users are encrypted at rest using AES-256-GCM before being stored in the database. Keys are decrypted only within the bot runtime when required for exchange operations. Plaintext keys are never logged or exposed through the dashboard API.

4. Data Encryption in Transit

All communication between users and the platform occurs over HTTPS (TLS). Communication between internal services uses authenticated channels.

5. Data Encryption at Rest

Exchange API keys are encrypted with AES-256-GCM. Encrypted backups of the database are planned as part of the infrastructure roadmap and will be implemented when infrastructure conditions permit; they are not guaranteed to be available at the time of initial deployment.

6. Authentication and Session Security

User sessions are managed through the Better Auth framework with configurable expiry and session caching. Email verification is required for new accounts when an email delivery service is configured. Two-factor authentication (2FA) is not yet available; it is planned for a future release.

Aegis Bot records auditable consent at account creation and on subsequent consent events, including the IP address and user-agent at the time of acceptance. These records are retained as a legal audit trail.

8. Vulnerability Disclosure

If you discover a security vulnerability in Aegis Bot, please report it responsibly to the contact email published in the data-controller section of the Data Treatment Policy. Do not disclose vulnerabilities publicly before we have had a reasonable opportunity to investigate and remediate.

9. Incident Response

In the event of a security incident affecting user data, we will notify affected users and relevant authorities as required by applicable law.

10. Limitations

No security measure is absolute. Exposure of data through misconfiguration or zero-day vulnerabilities remains a residual risk that we actively monitor and mitigate. Users should exercise caution with their exchange API credentials and use API keys with minimal required permissions (trading only, no withdrawal access).

11. Changes to This Policy

We may update this policy periodically. Material changes will be notified via the platform or by email.