Security Practices

Coindeal adheres to the highest standards of security. In fact, we proudly declare we contribute to creating Security Standards in the CryptoWorld. Below you can find out what makes CoinDeal so unique.

CoinDeal & Regulatory Licenses.

Our Swiss entity is regulated by the Swiss VQF (Financial Services Standards Association). Becoming licensed in Switzerland was a time-consuming process that took us 2 years to complete.

CoinDeal is currently in the final stages of attaining a license from the MFSA (Malta) to be at the forefront of the crypto regulation that is currently underway. Currently, Coindeal Limited (Malta) is operating under a transitionary period that allows us to operate while in the process of obtaining the license.

Since May 2019, CoinDeal is also registered with FinCen in the US under registration number 31000146609933. Starting in August of 2019, our platform is available in 13 US states and we will be adding more in the very near future.

User funds security standards.

Our company owns a bank account exclusively for accepting customer funds (EURO). This is possible because we have over one-year-long track record of selling Bitcoin to customers (under the brand name Verified Solutions Ltd. on - with turnover of over 10 million dollars (currently around 1.5 million USD a month).

Cryptocurrencies security standards.

There is absolutely no way for hackers to steal money from our platform. It is not possible neither for a hacker nor an insider (such as a programmer, devops or administrator, not even for the management of the company). Here’s why.

  • We decided to build our system using microservices architecture. This means our system is built from many independent elements. They are maintained by separate teams and not a single person has access to all modules.
  • Our innovation is that each module signs (in a similar manner to that what happens on the blockchain) each request (with its private key). Other modules know its public key so they can check if the signature is correct. If some signature is missing, other modules won't accept such a request. Therefore, even if someone breaches the system but has access to all modules but one, they cannot do anything.
  • Some modules require user input, like OTP or e-mail confirmation, where only the user knows the proper answer. So, for example, no one can make a payout from the user’s account without said user’s consent - not even the administrator.

Incoming payments security standards.

  • On the first day of its run, CoinDeal exchange generated many public addresses, allowing payments, and stored its private keys in secure places (including Swiss Banks).
  • We only connected the public addresses to the computer system, without their respective private keys.
  • Computer system is monitoring these addresses to check if there are any new funds. If yes, we credit funds to the user's account, without actually moving them or having access to them.
  • A separate computer system, with no connection to the first one, is collecting money from these addresses and sends them to either withdrawal addresses or cold wallets - depending on the type of transaction.
  • Money is stored on the payment addresses for no more than a few days (in most cases one day at most). There is no way for someone to find out where this system is located, and even if someone does (or the owner/administrator of this system decides to steal the money), they will only have access to the incoming payments from a single day (which will be less than 1% of exchange funds and will immediately get noticed by automated systems).

Outgoing payments security standards.

  • An external system is responsible for the payouts and always requests all modules’ digital signatures.
  • Additionally, we use multi-signature addresses for payouts, needing two blockchain signatures (these are other signatures than the ones used by internal system modules).
  • You might think that someone could hack this external system - but it is not possible. Here is why:
    • one system is preparing a payout while checking all the (modules’) signatures. If everything is OK, the payout is prepared and signed with a single blockchain signature
    • another system, which is offline (meaning it cannot be accessed from the internet), connects to the internet for a few seconds periodically, only to download the file with the prepared payouts (and even during this short period of time it is not visible from the outside). This system verifies all the signatures - not only the ones from modules but also the ones from the first system. The system checks if the payout makes sense - for example, if the moved funds are relatively small and if the address belongs to the exchange. If everything is correct, it proceeds with the payout. Otherwise, it requests a manual check from the exchange’s staff (additional acceptance criteria). However, it is important to note that funds are stored on multisig addresses, so the system can’t make a payout without signatures from point a). It cannot modify the payouts sent from system a), as it is already signed and any modification will make the signature invalid.

As you can see, a hacker would need to hack numerous systems, including one that is offline and inaccessible from the Internet. As you can see, it is entirely impossible.

Cold Wallets Security Standards

  • To be absolutely sure that situations like private key losses, programming errors or system failure are inconceivable, 90% of funds are stored OFFLINE and are out of reach of the computer system.
  • For the funds’ storage we use multi-signature addresses with five keyholders, whereas 3 of them are needed to move the funds.
  • Keys are assigned to particular people. In this case, if funds were stolen, it would be absolutely clear which one of these 5 people had moved the funds. Moving funds around need consent of 3 out of 5 people. This is ensured by the blockchain on its own.
  • We have chosen these five people very carefully since they are people of great responsibility. They are not disclosing publicly who they are, but their public keys (not the private ones) are stored in Swiss bank deposit with their names. Therefore, in case of any doubts, it can always be checked who signed a particular transfer.
  • We periodically check if all of these people still have access to their private keys. This way, we can react properly if even one of them has lost access to his keys.

This system is used by the biggest cryptocurrency exchange markets, such as Bitfinex. It is the most secure way to store funds.

Personal Data security standards

  • Your personal data, such as your document number or even your birth date, are stored on separate servers. This means that our primary servers do not store this data. The data are only available by request and are requested only if a certain user needs them - and of course, the user can only download their own data. So in (a purely theoretical) case of breaching our world-visible servers, a hacker would need to hack our internal servers as well, which makes it a much more complicated task.
  • A very limited number of people has access to these data. After being checked by AML specialists, the data are hidden and are not accessible to anyone anymore, unless requested by the authorities (or by the user).

Personal Documents security standards

  • Scans of your IDs and pictures/video of you are stored in an external company’s (under the brand BasisID) servers.
  • These data are directly uploaded to BasisID without ever reaching our servers. This ensures that there is no possibility of your documents leaking out.


We use SSL (https) so your data are always encrypted and cannot be eavesdropped when entering our websites.

Password security standards

  • Your password is hashed using industry-standard algorithms, so it is never stored in plain text and is not known even to our administrators. This way, the so-called rainbow tables cannot be used to hack passwords.
  • We enforce strong passwords, so any brute force methods will not be effective either.
  • We use OTP (one time password / two factor authentication / google authenticator)
  • We use SMS authentication

Thanks to our high-security standards, even if you give your CoinDeal account password and your private e-mail password to a hacker, he will not be able to withdraw any funds from CoinDeal! Obviously, do not ever give your passwords to anyone, as they will be able to harm you in many ways. However, it sure feels good to be sure your funds cannot be moved without someone having to access your email, passwords, and phone at the same time. Even without you being able to access your account, not only your funds but also your private data are safe here.

Account access security standards.

Coindeal adheres to the latest security standards and helps to prevent unauthorized entries at your account through authorization of each IP that attempts your account log in. Each time you access your account from different location or device that would have an IP that is not yet whitelisted (meaning associated with your account), you will be asked to confirm that indeed it is you who wants to log in. It needs to be done by providing the unique code sent to your e-mail address. Once you will confirm new IP to be whitelisted, this IP will be associated with your account going forward and you will be able to log in from this IP in the future.

There are many more additional ways CoinDeal secures its funds and data. We are open for discussion if you have any concerns or ideas. Feel free to drop us a note at our support page.