Field-level encryption and bring-your-own-key for your credentials
Every exchange key and credential is encrypted at the field level with AES-256-GCM. Go further with passphrase-based end-to-end encryption, recovery codes, Security Levels, and BYOK Lite.
Field-level encryption and bring-your-own-key for your credentials, explained.
Sensitive data — exchange API keys, runner credentials, webhook secrets — is encrypted at the field level with AES-256-GCM and never logged in plaintext. This protects your credentials at rest by default, on every plan.
For organizations that want to hold the key themselves, passphrase-based end-to-end encryption (E2EE) derives keys with Argon2id so that without your passphrase, the data can't be decrypted — not even by us. Recovery codes, Security Levels from Basic to Maximum, and BYOK Lite round out the controls. Encryption is scoped to credentials and keys; strategy code and backtests are not encrypted.
From idea to a running bot.
Encryption starts on by default for credentials, and you can dial up custody from there.
Default field-level encryption
Exchange keys and other secrets are encrypted with AES-256-GCM and isolated per organization, with no setup required.
Add a passphrase (optional)
Enable passphrase-based E2EE — keys are derived with Argon2id, so your passphrase, not VolatiCloud, gates decryption.
Generate recovery codes
Recovery codes let you regain access if you lose the passphrase, on your terms.
Choose a Security Level
Pick a posture from Basic to Maximum, or bring your own key with BYOK Lite, to match your risk tolerance.
Built for the way you trade.
Encryption controls scale from sensible defaults to self-custody of the key itself.
Every trader
Field-level AES-256-GCM encryption of your credentials is on by default — you don't have to configure anything.
Security maximalists
Hold the key yourself with passphrase E2EE or BYOK Lite, so decryption is impossible without your secret.
Organizations
Set an org-wide Security Level and manage recovery so your team's encryption posture is consistent.
- Field-level AES-256-GCM encryption
- Passphrase-based E2EE with Argon2id key derivation
- Recovery codes for self-service recovery
- Security Levels from Basic to Maximum
- BYOK Lite — bring your own key
- Scoped to credentials and keys
Frequently asked questions.
What is encrypted?
Credentials and keys — exchange API keys, runner credentials, and webhook secrets — are encrypted at the field level with AES-256-GCM. Encryption is scoped to these secrets; strategy code and backtests are not encrypted.
What is end-to-end encryption here?
Optional passphrase-based E2EE derives encryption keys from your passphrase with Argon2id. Without the passphrase, the encrypted credentials cannot be decrypted — including by VolatiCloud.
What happens if I forget my passphrase?
You generate recovery codes when you set up passphrase encryption. Those codes let you regain access. Without the passphrase or a recovery code, E2EE-protected data cannot be recovered — that's the point of end-to-end encryption.
What is BYOK Lite?
BYOK (bring-your-own-key) Lite lets your organization supply its own key material for credential encryption, available on Pro and Enterprise alongside the Security Levels controls.
Related capabilities.
Ship your first live bot this afternoon.
Connect an exchange, build a strategy in the visual builder, backtest it on real data, and deploy. Start a 7-day Pro trial — no credit card required.
No credit card required · Cancel any time