Security
Your data, encrypted.
How we protect API keys.
Every API key and secret you enter is encrypted with AES-256-GCM before being stored. The encryption key lives in our environment, never in the database. Decryption only happens at the exact moment we make an outbound API call to your exchange.
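The storage pattern described above (AES-256-GCM, key taken from the environment rather than the database, decryption deferred to the moment of the outbound call) is small enough to show end to end. The following is an added example written for this page, not the service's own code. It assumes the key is supplied as hex in an environment variable (the name `EXCHANGE_SECRET_KEK` is a placeholder), that the nonce is prepended to the ciphertext, and that a user/exchange label is bound in as GCM associated data so a blob copied between rows fails to decrypt; all of those are design choices of the example, not facts from the page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
)

// Placeholder environment variable name; the real deployment's name is not on the page.
const keyEnvVar = "EXCHANGE_SECRET_KEK"

// LoadKeyFromEnv reads a hex-encoded 256-bit key from the process environment.
// Only ciphertext is ever written to the database; the key stays here.
func LoadKeyFromEnv(name string) ([]byte, error) {
	raw := os.Getenv(name)
	if raw == "" {
		return nil, fmt.Errorf("%s is not set", name)
	}
	key, err := hex.DecodeString(raw)
	if err != nil {
		return nil, fmt.Errorf("%s is not valid hex: %w", name, err)
	}
	if len(key) != 32 {
		return nil, fmt.Errorf("%s must decode to 32 bytes for AES-256, got %d", name, len(key))
	}
	return key, nil
}

// Seal encrypts an API secret with AES-256-GCM. A fresh random 12-byte nonce is
// prepended so Open can recover it; the GCM tag covers nonce, ciphertext and aad,
// so any modification of the stored blob is detected on decrypt.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. Intended to be called only when the plaintext is about to
// be placed on an outbound exchange request, never at load time.
func Open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// StoredCredential is the persisted shape: ciphertext only. Its String method
// never exposes secret material, so logging the struct prints a redacted form.
type StoredCredential struct {
	UserID     string
	Exchange   string
	Ciphertext []byte
}

func (c StoredCredential) String() string {
	return fmt.Sprintf("credential{user=%s exchange=%s secret=[redacted, %d bytes ciphertext]}",
		c.UserID, c.Exchange, len(c.Ciphertext))
}

func main() {
	// Constructed key for the demo only; a real deployment injects it from its secret manager.
	os.Setenv(keyEnvVar, "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
	key, err := LoadKeyFromEnv(keyEnvVar)
	if err != nil {
		panic(err)
	}
	aad := []byte("user-42|coinbase") // constructed owner label bound into the tag
	blob, err := Seal(key, []byte("constructed-api-secret"), aad)
	if err != nil {
		panic(err)
	}
	cred := StoredCredential{UserID: "user-42", Exchange: "coinbase", Ciphertext: blob}
	fmt.Println(cred) // redacted output only
	pt, err := Open(key, cred.Ciphertext, aad)
	fmt.Println(err == nil && string(pt) == "constructed-api-secret")
}
```

The associated-data binding is what makes "decrypt only at the moment of the call" robust: the caller must present the same owner label it stored, so a blob moved to a different user's row cannot be opened in that row's context.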
What we don't touch.
We never request withdrawal-enabled keys. We never log API keys or secrets in plaintext. We never store private keys — wallet imports use public addresses only and query the public blockchain.
Read-only, always.
Coinbase keys we accept require only wallet:accounts:read and wallet:transactions:read. Binance and Kraken keys must be read-only — withdrawals and trading must be disabled. We refuse to import keys with broader scopes.
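A deny-by-default check for the scope rules above, as an added example for this page rather than the service's own code. The Coinbase scope names are the two the page lists; the example rejects anything not in that set (the extra scope string used in `main` is only an illustrative value). For Binance and Kraken the page gives the rule but not how permissions are read from each exchange, so the `ExchangePermissions` struct is a constructed, exchange-neutral stand-in for whatever the real integration learns about a key.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// The only Coinbase scopes accepted; everything else is refused.
var allowedCoinbaseScopes = map[string]bool{
	"wallet:accounts:read":     true,
	"wallet:transactions:read": true,
}

// ValidateCoinbaseScopes refuses a key whose granted scopes go beyond the two
// read scopes, naming the excess scopes so the user knows what to remove.
func ValidateCoinbaseScopes(granted []string) error {
	var extra []string
	for _, s := range granted {
		s = strings.TrimSpace(s)
		if s == "" {
			continue
		}
		if !allowedCoinbaseScopes[s] {
			extra = append(extra, s)
		}
	}
	if len(extra) > 0 {
		sort.Strings(extra)
		return fmt.Errorf("coinbase key has scopes beyond read-only: %s", strings.Join(extra, ", "))
	}
	return nil
}

// ExchangePermissions is a constructed view of a Binance or Kraken key's rights.
// How these flags are discovered is exchange-specific and not described on the page.
type ExchangePermissions struct {
	Exchange string
	Read     bool
	Trade    bool
	Withdraw bool
}

// ValidateExchangePermissions enforces "read-only, always": trading and
// withdrawals must both be disabled, and the key must actually grant reads.
func ValidateExchangePermissions(p ExchangePermissions) error {
	var bad []string
	if p.Withdraw {
		bad = append(bad, "withdrawals")
	}
	if p.Trade {
		bad = append(bad, "trading")
	}
	if len(bad) > 0 {
		return fmt.Errorf("%s key must be read-only; disable %s and create a new key",
			p.Exchange, strings.Join(bad, " and "))
	}
	if !p.Read {
		return fmt.Errorf("%s key grants no read access; nothing to import", p.Exchange)
	}
	return nil
}

func main() {
	fmt.Println(ValidateCoinbaseScopes([]string{"wallet:accounts:read", "wallet:transactions:read"}))
	fmt.Println(ValidateCoinbaseScopes([]string{"wallet:accounts:read", "wallet:transactions:send"}))
	fmt.Println(ValidateExchangePermissions(ExchangePermissions{Exchange: "kraken", Read: true}))
	fmt.Println(ValidateExchangePermissions(ExchangePermissions{Exchange: "binance", Read: true, Trade: true, Withdraw: true}))
}
```

Keeping the allow list as data rather than as a chain of conditions means a newly introduced exchange scope is refused until someone deliberately adds it, which is the safe failure direction for a read-only promise.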
If something goes wrong.
We commit to disclosing any security incident within 72 hours of confirmation. Email security@costbasis.tax to report a vulnerability.