Security at VolatiCloud
Security you can verify, described plainly. Non-custodial by design, field-level credential encryption, optional end-to-end encryption, and strict authorization — with no badges we haven't earned.
Security at VolatiCloud, explained.
Security at VolatiCloud starts with custody: we never hold your funds. The platform is non-custodial by design — your assets stay on your own exchange, and we connect through an API key that you can create with trading enabled but withdrawals disabled, a restriction the exchange itself enforces. Because we cannot move your money out, a compromise of your VolatiCloud account cannot drain your exchange balance.
Credentials are handled as follows: exchange API keys, runner credentials, and webhook secrets are encrypted at the field level with AES-256-GCM, with per-organization wrapping keys, and are never logged in plaintext. Organizations that want to hold the key themselves can enable passphrase-based end-to-end encryption (E2EE) or bring-your-own-key (BYOK), backed by recovery codes. With E2EE enabled, the data cannot be decrypted without your passphrase. Everything is scoped per organization with fine-grained, role-based authorization, and you can export an audit log of activity.
From idea to a running bot.
These are the concrete, code-enforced measures we actually implement.
Non-custodial architecture
Funds stay on your exchange. Connect with a trading-only, withdrawal-disabled API key; the venue enforces the restriction, so the platform cannot withdraw your assets.
Field-level credential encryption
API keys, runner credentials, and webhook secrets are encrypted with AES-256-GCM at the field level, with per-organization wrapping keys, and are never logged in plaintext.
Optional E2EE and BYOK
Hold the key yourself with passphrase-based end-to-end encryption or bring-your-own-key, backed by recovery codes. Without your passphrase, encrypted data cannot be decrypted.
Authorization and isolation
Access is governed by fine-grained, role-based authorization (Keycloak / UMA), scoped per organization, with an exportable audit log of activity.
Built for the way you trade.
We aim to be honest about what we do — and what we don't.
What we protect
Your funds (kept on your exchange), your credentials (field-level AES-256-GCM, optional E2EE/BYOK), and your account (role-based authorization, per-org isolation, audit-log export).
What we don't claim
We hold no formal third-party security attestations or compliance badges yet, and we won't display a badge we haven't earned. We would rather state our real measures than imply an approval we don't have.
Your part
Use a trading-only API key with withdrawals disabled, keep your passphrase and recovery codes safe if you enable E2EE, and protect your login. Security is a shared responsibility.
- Non-custodial — funds stay on your exchange, withdrawals disabled
- AES-256-GCM field-level encryption on every credential
- Optional passphrase E2EE and BYOK with recovery codes
- Role-based authorization, per-organization isolation
- Audit-log export of account activity
- No compliance badges claimed — only real, verifiable measures
Frequently asked questions.
Does VolatiCloud hold my funds?
No. The platform is non-custodial — your funds stay on your own exchange. We connect via an API key that you can create with withdrawals disabled, which the exchange enforces, so the platform cannot move your assets.
How are my exchange API keys stored?
API keys and other secrets are encrypted at the field level with AES-256-GCM, using per-organization wrapping keys, and are never logged in plaintext. You can also enable passphrase E2EE or BYOK to hold the key yourself.
Does VolatiCloud have a security attestation or badge?
We hold no formal third-party security attestations or compliance badges yet, and we don't claim badges we haven't earned. Instead we describe the concrete measures we do implement: non-custodial design, field-level encryption, optional E2EE/BYOK, role-based authorization, and audit-log export.
What is end-to-end encryption here?
Optionally, your organization can hold the encryption key itself via a passphrase (E2EE) or bring-your-own-key, backed by recovery codes. With E2EE enabled, encrypted data cannot be decrypted without your passphrase — not even by us.