The aim of this policy (“Security Policy”) is to establish and maintain the security and confidentiality of all the information and services provided by cryptolyth. By using the services (also referred to as “Web Services”) provided by cryptolyth, you (the User) agree to be legally bound by the terms of this Security Policy. Wherever used in this Security Policy, unless otherwise defined herein, capitalised terms shall have the same meanings ascribed thereto in the Terms of Service. You (the User) may not attempt to gain unauthorized access to the Web Services, or to any of our servers, by hacking, DDoS, spam, password “brute-forcing” or any other similar means. You may not reverse look-up, trace or seek to trace any information on any other user of the Web Services, or exploit the Web Services in any way where the purpose is to reveal any information, including but not limited to personal identification or information, other than your own information. You should not perform or try to perform non-technical attacks such as social engineering, phishing or physical attacks against our employees, users or our infrastructure and Web Services. You are not allowed to use automated tools and scanners to find vulnerabilities.


System security

AES 256-bit encryption of user data. Sensitive user data (encrypted or not) is never returned to the User. Every data request on cryptolyth goes through a verified and secure (ORG) SSL. All User data requests go through filtering and validation on the front-end and back-end for XSS, SSL, CSRF, Clickjacking and Session Impersonation attacks. For further prevention of injection attacks, only parameterized queries to the database are used. Our servers are protected by a powerful firewall and are accessible only by key team members. DNS-level DDoS (Distributed Denial of Service) protection is applied. Security screening, internal auditing and monitoring for suspicious activity are employed across all Web Services. We perform regular audits and updates on our security systems and procedures.


API Key security

Your API (as defined in the Privacy Policy) exchange keys ensure secure communication between your exchange accounts and cryptolyth. All API keys are protected with strong encryption and do not reveal any security information about your exchange account. Requests to the exchange API by your browser are never made directly from your computer. Exchanges allow you to set API key permissions, which enable functionalities used by cryptolyth. Enable only the API permissions required by the cryptolyth platform, such as “Balance” or “Trading”, and never activate “Withdrawal”. It is your responsibility to keep both your cryptolyth Account and your exchange accounts secure. By using the Web Services, you agree that you will notify cryptolyth immediately if you are aware of any unauthorized use of your cryptolyth account by any person or any other violations of the security rules.

Security Recommendations:
Confirm URL (www.cryptolyth.com).
cryptolyth will never ask you for your credentials.
Never install any browser plug-ins that claim to be associated with cryptolyth.
Never make any phone calls to anyone that claims to be a cryptolyth representative.
Never disclose your password, Google authentication code, SMS authentication code or Google authentication key to anyone, including to cryptolyth support.
Never make transactions or send funds to anyone who claims to be a member of cryptolyth support.
Two-factor authentication (TOTP or U2F) is required to enable trading through your account.
Use the “Logout” function to terminate your session while on untrusted devices. Login sessions last for 30 days, after which re-login is required.


Employee security

cryptolyth’s employees will never ask you, by email or phone, to provide access credentials, API keys or any other information that might compromise your account security. Furthermore, all sensitive personal information is strictly handled by authorized personnel. All employee accounts are restricted/compartmentalized to their specific area of knowledge. Regular account auditing and password rotation are carried out.