Hi there 👋
Instead of posting a bogus phrase on our site like "protecting your privacy is our priority", we will show you what we do with your data and lift the hood of our product. By showing you the details of the web application and its architecture, you will be able to judge for yourself how secure it is.
Data management policy
Waltio does not share or sell customer or user data to third parties. This is clearly stated in our Terms of Service.
The Waltio product and its architecture
The entire Waltio website and web application use the HTTPS (HTTP Secure) protocol, so the data exchanged between your browser and our site is encrypted in transit. Here are the results:
Connections to exchange platforms and cold wallets
Our system offers you two options to connect your data, depending on the platform:
By depositing files downloaded from exchanges or wallets: we have no way to connect to your various accounts to extract other information or perform unwanted actions.
By API (not screen scraping) with the exchange platform or wallet: we need to ask you for an API key and a secret API key to access your data and create the files. For some platforms, we also need a "passphrase". The API access requested is read-only, and you are the only one able to define what you want to share with Waltio and the associated permissions.
If you follow our guide for each API, the rights requested will be read-only rights, so we can only read your account data, and in no case perform transfers or withdrawals.
Waltio needs to store your keys in our system in order to synchronize your data on a recurring basis. However, don't worry: these keys are stored in encrypted form in our database. Retrieving them requires the decryption key, and access to that key is strictly controlled. In short, if a hacker were to steal our database, your keys would not be accessible.
Waltio's client files are stored on Amazon AWS, more specifically on Amazon S3, which can only be reached with our AWS key. In addition, we use Amazon KMS to encrypt your data (encryption at rest). We also use a database whose storage is on an external volume, and this volume is encrypted in the same way.
All of our servers are now isolated within the AWS Virtual Private Cloud. This ensures that access to our various services is fully protected and partitioned. The only way to access the data is through our gateway, which is protected by Auth0.
We use the Auth0 platform for the authentication of our users. Auth0 is one of the leaders in this market, and provides the highest level of security. By using this system, we delegate the verification of your identity, and the storage of your password (if necessary). The direct consequence is that it is impossible for a password theft to take place using Waltio.
Auth0 (using the OAuth2 authentication mechanism) also protects access to your data. When you authenticate, a token is assigned to you, and this token is provided to our gateway to validate your identity. Our tool can then check the validity of the token with Auth0 and recover your identity in order to share only your data.
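The gateway check described above, as an added example (not Waltio's or Auth0's code): it verifies a bearer token's signature, issuer, audience and expiry, then returns only the files that belong to the verified `sub` claim. The tenant URL, secret, user ids and file names are constructed, and HS256 with a shared secret is an assumption made so the example runs on the Python standard library alone.

```python
import base64, hashlib, hmac, json, time

# Constructed values for this example (assumptions, not Waltio's configuration).
ISSUER = "https://tenant.example.invalid/"
AUDIENCE = "https://api.example.invalid"
SECRET = b"constructed-demo-secret"
FILES = {"auth0|alice": ["alice-2019.csv"], "auth0|bob": ["bob-2019.csv"]}

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input, secret):
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def issue_token(claims, secret=SECRET, alg="HS256"):
    """Stand-in for the identity provider: build and sign a compact JWT."""
    head = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{head}.{body}.{b64url(sign(head + '.' + body, secret))}"

def validate(token, now=None):
    """Gateway-side check: algorithm and signature first, then the claims."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            raise ValueError("unexpected alg")  # pin the algorithm, never trust the header
        if not hmac.compare_digest(sign(head + "." + body, SECRET), b64url_decode(sig)):
            raise ValueError("bad signature")
        claims = json.loads(b64url_decode(body))
        if not isinstance(claims, dict):
            raise ValueError("claims must be an object")
    except (ValueError, TypeError, AttributeError) as exc:
        raise PermissionError(f"invalid token: {exc}") from None
    now = time.time() if now is None else now
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER or AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError("wrong issuer or audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise PermissionError("token expired")
    return claims

def list_files(token, now=None):
    """The caller's identity comes only from the verified `sub` claim."""
    return FILES.get(validate(token, now).get("sub"), [])
```

The request never supplies a user id of its own, so a valid token for one account cannot be used to read another account's files.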
In addition, Auth0 provides a whole set of tools to protect your access: (a) identification of malicious bots to avoid automated attacks such as credential stuffing; (b) protection against brute-force attacks that try to access your accounts by trying many passwords in a row; (c) detection of data leaks from other systems, in order to check whether your password has been published following an attack on another tool you might use.
When paying by credit card, your data is also managed by an internet payment intermediary, Stripe. Thus, Waltio does not have access to your bank data and does not store any information about your payment method. Again, it is impossible to have your credit card number stolen when using Waltio.
If you do not want us or our contractors to be able to identify you, this is possible.
In 2019, 25% of our customers are anonymous to us and/or our partners (authentication solution, payment, data hosting).
Here is an article to summarize the best practices to be anonymous with our services.
If you have any comments or even recommendations, please feel free to email me directly at firstname.lastname@example.org 💬