After almost two years of effort, we have obtained the Swiss VQF license, which confirms the credibility of the exchange and allows us to operate legally in Switzerland as CoinDeal Swiss. In addition, we have our own office there, and we keep part of the exchange's funds in Swiss banks.
At CoinDeal we guarantee the highest safety standards. We make sure that our users are confident that all the funds they invest are protected to the maximum extent.
Operational activities in Switzerland
Crypto and security standards
Hackers have absolutely no way of stealing money from our platform. This is not possible either for them or for people inside the exchange (such as developers, admins or management). This is achieved through the several steps we have taken.
- We built our system on a microservices-based architecture.
- We have introduced a private-key signing system for each of our modules.
- We require authorization through data that only our users know.
FIAT currencies and security standards
Our company has a bank account exclusively for accepting client funds (EURO). This is possible because we have a two-year history of selling Bitcoin (under the brand name Verified Solutions Ltd. on the BuyBitcoinNow website), with a turnover of over $10 million (currently about $1.5 million) per month.
- The external system is responsible for the payments and always requests digital signatures from all modules.
- We use multi-signature addresses for withdrawals, requiring two Blockchain signatures (these are different signatures from those used by the internal system modules).
- There is no way to hack into the external system. We have prepared for every eventuality and adapted the security features accordingly.
One system prepares the payment once all signatures (of the modules) have been checked. If everything is OK, the payout is prepared and signed with one Blockchain signature.
Another system, which is offline (meaning it cannot be accessed via the Internet), connects to the Internet periodically for a few seconds, only to download a file with the prepared payments (and even during this short time it is not visible from outside). This system verifies all signatures: not only those of the modules but also that of the first system. It also verifies whether the payment makes sense, for example whether the transferred amount is relatively small and whether the address belongs to the exchange. If everything is OK, the withdrawal is made. Otherwise, it demands a manual check by the staff of the exchange (additional acceptance criteria). Please note, however, that the funds are stored at multiple addresses, so this system cannot make a withdrawal without the signatures from the first system. Nor can it modify withdrawals sent from the first system, because they are already signed, and any modification would invalidate the signature.
Some modules require user input, such as e-mail or OTP confirmation, where only the user knows the correct answer. So no one can make a withdrawal from your account without your permission – not even the administrator.
Security standards for incoming payments
- From day one, we have generated many public addresses to enable payments. We also store our private keys in secure locations.
- Only public addresses are connected to the computer system, without the corresponding private keys.
- The computer system monitors the addresses to see if any new funds have arrived. If so, we credit the funds to your account without actually moving or accessing them.
- A separate computer system, with no connection to the first one, collects funds from these addresses and sends them to payout or cold wallet addresses, depending on the type of transaction.
- We keep the money at the payment addresses for no more than a few days (in most cases a maximum of one day). There is no way for someone to find out where this system is located. And even if someone does (or the owner/administrator of this system decides to steal the money), they will only have access to incoming payments from one day (which will be less than 1% of the exchange funds and will be immediately noticed by automated systems).
- To make sure that events such as private key loss, programming errors or system failure cannot affect the funds, 90% of funds are stored offline, out of reach of the computer system.
- We use addresses that require five different signatures – at least three of which are necessary to complete the transaction – to keep funds secure.
- Access keys are assigned to specific people. Therefore, if the funds were stolen, there would be no doubt as to which of the five persons approved the transaction.
- We have chosen these five people with great caution. They are people who are aware of the responsibility we have entrusted to them. They do not reveal who they are, but their public keys are kept in a Swiss bank depository together with their names. Therefore, in case of any doubt, you can always check who signed a particular transfer.
- We periodically check all private keys. In this way, we can react properly if even one of them has lost access to their keys. This system is used by the largest crypto exchanges, such as Bitfinex. It’s the safest way to store funds.
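An added example (not CoinDeal's code) of the at-least-three-of-five rule with signer attribution: each holder's public key is matched against the signatures on a transfer, so the result is both the spend decision and the names of who approved it. It assumes Ed25519 keys and constructed holder names A to E; a real cold wallet enforces the threshold in the Bitcoin multisig script, which this model only imitates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Holder pairs a key holder's name (kept with the public key in the bank deposit) with that key.
type Holder struct {
	Name string
	Pub  ed25519.PublicKey
}

// Approvers returns the names of holders whose signature over tx verifies. A bad signature or a
// second signature from the same holder is ignored, so a name appears only if that key signed.
func Approvers(tx []byte, holders []Holder, sigs [][]byte) []string {
	var names []string
	seen := map[string]bool{}
	for _, s := range sigs {
		for _, h := range holders {
			if !seen[h.Name] && ed25519.Verify(h.Pub, tx, s) {
				seen[h.Name] = true
				names = append(names, h.Name)
			}
		}
	}
	return names
}

// MaySpend applies the threshold rule (three of five on the page): the transfer is valid only
// with at least threshold distinct holder signatures; the names are the audit trail.
func MaySpend(tx []byte, holders []Holder, sigs [][]byte, threshold int) (bool, []string) {
	names := Approvers(tx, holders, sigs)
	return len(names) >= threshold, names
}

func main() {
	// Constructed set of five holders (hypothetical names); keys are generated only for the demo.
	var holders []Holder
	var privs []ed25519.PrivateKey
	for _, n := range []string{"A", "B", "C", "D", "E"} {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		holders, privs = append(holders, Holder{n, pub}), append(privs, priv)
	}
	tx := []byte("constructed cold-wallet transfer")
	sigs := [][]byte{ed25519.Sign(privs[0], tx), ed25519.Sign(privs[3], tx)}
	fmt.Println(MaySpend(tx, holders, sigs, 3)) // false [A D]: two approvals are not enough
	sigs = append(sigs, ed25519.Sign(privs[4], tx))
	fmt.Println(MaySpend(tx, holders, sigs, 3)) // true [A D E]: approved, and on record
}
```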
The main cold wallet can be found at this address.
In addition, we have supporting cold wallets with fewer funds, and every incoming (deposit) address is itself a cold wallet: it is not connected to the IT system, it is pre-generated offline, and only the public key (address) is uploaded to the system.
At the moment, 98.6% of the Bitcoins owned by the company are on cold wallets, so in the event of a catastrophic burglary, the company may lose up to 1.4% of its funds (this value varies between 0 and 3%).
Importantly, Bitcoin accounts for about 70% of all cryptocurrency funds (excluding FIAT and stablecoins) held by the exchange, measured by market value.
Your data, such as your document number and date of birth, are stored on separate servers. Our main servers do not store this data at all.
Thus, in the (purely theoretical) case of a breach of our publicly visible servers, a hacker would also have to break into our internal servers, which is a much more complicated task.
A very limited number of people have access to this data. Once checked by specialists, the data is hidden and is no longer accessible to anyone unless requested by the authorities (or the user).
Scans of your identity papers and your photo/video are stored on external company servers (under the BasisID brand).
This data is sent directly to BasisID and never reaches our servers. This prevents documents from leaking.
We use SSL (https), so your data is always encrypted and cannot be eavesdropped on when you visit our sites.
- Your password is hashed using standard algorithms, so it is never stored in plain text and is not even known to our administrators. In this way, so-called rainbow tables cannot be used to crack passwords.
- We require highly complex passwords to make sure that attempts to crack them fail.
- We use OTP (one-time password authentication / two-step authentication / 2FA).
- We use SMS authentication.
At CoinDeal, we adhere to the latest security standards and help prevent unauthorized access to your account from IP addresses you have not used before. Every time you log in to your account from a location that is not on your whitelist, you will be asked to confirm that it is you who wants to log in, by entering the code we send to your mailbox. Once you have confirmed the login, the new IP address is added to the whitelist and linked to your account, so that you can log in from it in the future without any problems.
There are many additional ways in which we at CoinDeal secure our funds and data. We are open to discussion: if you have any concerns or ideas, please send us a message on our support page.