Security & Trust
We're crypto users ourselves. We know the risks, the scams, and the fear. Here's exactly how AZ.AI protects your money and your data.
AES-256 Encryption
Your API keys are encrypted at rest using AES-256-CBC with unique IVs. We physically cannot read your raw keys.
No Withdrawals Ever
AZ.AI never requests withdrawal permissions. We can only place and cancel trades. Your funds cannot leave your exchange.
Your Exchange, Your Funds
Money never touches AZ.AI servers. All funds stay on your exchange. We send trade signals, nothing more.
Real-Time Prices, Zero Cache
Every price is fetched live from the exchange: zero caching, zero delay. Crypto via Binance WebSocket (sub-second). Stocks, gold, forex via 1-second batch polling. The price you see is the price you trade at.
Protect Principal Mode
Lock your original deposit and only trade with profits. Once your account grows past your starting capital, the engine only risks your gains; your principal is untouchable.
How Your API Keys Are Protected
When you connect an exchange, here's exactly what happens:
- Your API key and secret are encrypted using AES-256-CBC with a randomly generated initialization vector (IV)
- The encryption key is stored in server environment variables, separate from the database
- Encrypted keys are stored in our database; even if the database were breached, the keys are unreadable without the encryption key
- Keys are only decrypted in-memory when placing a trade, then immediately discarded
- All API communication uses TLS 1.3 encryption in transit
- We never log, display, or expose your API keys after initial setup
Our recommendation: When creating API keys on your exchange, always enable IP whitelisting (restrict to our server IP), set permissions to Read + Trade only, and never enable withdrawal permissions. You can revoke API keys from your exchange at any time.
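As an added example (not AZ.AI's own code), here is the encrypt-at-rest scheme described above written in PHP, the stack that the page's references to htmlspecialchars and hash_equals suggest: a fresh random IV for every stored value, the key read from a server environment variable (the variable name is assumed), and decryption only in memory at the moment the value is needed. It goes one step past the page: AES-CBC on its own does not detect tampering with a stored ciphertext, so an HMAC is added and verified with the same constant-time hash_equals the page uses for webhook tokens.

```php
<?php
// Added example, not AZ.AI's code. Stored format: base64(iv || ciphertext || hmac).
const KEY_ENV = 'API_KEY_ENCRYPTION_KEY'; // hypothetical variable name

// Load the 32-byte AES key (hex-encoded) from the environment, never from the DB.
function loadKey(): string {
    $hex = getenv(KEY_ENV);
    if ($hex === false || !preg_match('/^[0-9a-f]{64}$/i', $hex)) {
        throw new RuntimeException(KEY_ENV . ' must be 64 hex chars (32 bytes)');
    }
    return hex2bin($hex);
}

// A new random IV per call, so two identical secrets never share a stored value.
// The HMAC over iv||ciphertext is this example's addition to the page's CBC scheme.
function encryptSecret(string $plain, string $key): string {
    $iv = random_bytes(16);
    $ct = openssl_encrypt($plain, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) throw new RuntimeException('encryption failed');
    $mac = hash_hmac('sha256', $iv . $ct, $key, true);
    return base64_encode($iv . $ct . $mac);
}

// Decrypt only when needed; refuse anything whose MAC does not match.
function decryptSecret(string $stored, string $key): string {
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < 64) throw new RuntimeException('malformed value');
    $iv  = substr($raw, 0, 16);
    $mac = substr($raw, -32);
    $ct  = substr($raw, 16, -32);
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $key, true), $mac)) {
        throw new RuntimeException('ciphertext integrity check failed');
    }
    $plain = openssl_decrypt($ct, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    if ($plain === false) throw new RuntimeException('decryption failed');
    return $plain; // caller uses it for the trade request, then unset()s it
}

// Self-check with a constructed throwaway key (a real deployment sets the env var).
function selfCheck(): bool {
    putenv(KEY_ENV . '=' . bin2hex(random_bytes(32)));
    $key = loadKey();
    $a = encryptSecret('constructed-exchange-secret', $key);
    $b = encryptSecret('constructed-exchange-secret', $key);
    $ok = $a !== $b && decryptSecret($a, $key) === 'constructed-exchange-secret';
    $raw = base64_decode($a, true);
    $raw[20] = chr(ord($raw[20]) ^ 1);          // flip one ciphertext byte
    try { decryptSecret(base64_encode($raw), $key); return false; }
    catch (RuntimeException $e) { return $ok; } // tampering must be rejected
}
var_dump(selfCheck());
```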
What AZ.AI Can and Cannot Do
Transparency matters. Here's the full picture:
AZ.AI CAN:
- Read your account balances and open positions
- Place buy and sell orders on your behalf
- Cancel open orders
- View your trade history for performance tracking
AZ.AI CANNOT:
- Withdraw funds from your exchange
- Transfer assets between accounts or wallets
- Access your exchange login credentials
- Modify your exchange account settings
- Access any funds beyond what your API permissions allow
Infrastructure Security
Cloudflare Pro Protection
AZ.AI is protected by Cloudflare Pro, the same infrastructure trusted by Fortune 500 companies and government agencies.
- DDoS mitigation: enterprise-grade protection against volumetric, protocol, and application-layer attacks (up to 100+ Tbps capacity)
- Web Application Firewall (WAF): OWASP Core Rule Set blocks SQL injection, XSS, and other OWASP Top 10 attacks before they reach our servers
- Bot management: automated bot detection and challenge pages prevent credential stuffing, scraping, and brute force attempts
- SSL/TLS 1.3: Full (Strict) encryption mode with HSTS preloading, TLS 1.3 only, automatic HTTPS rewrites
- Always Online™: cached pages served even during origin server outages
- Polish & Minify: image and code optimization for faster load times
- Argo Smart Routing: traffic routed through Cloudflare's fastest paths, reducing latency
- Rate limiting: automatic throttling of suspicious request patterns
- Under Attack Mode: instant 5-second challenge page for emergency DDoS scenarios
- IP reputation filtering: known malicious IPs blocked before reaching our infrastructure
- Global CDN: 300+ data centers, sub-50ms latency worldwide
Application Security
- AES-256-CBC encryption with random initialization vectors (IVs) for all stored API keys and secrets; each encrypted value uses a unique IV
- Encryption key stored in isolated server environment variables, separated from database
- CSRF protection on all forms and state-changing actions
- Rate limiting on all API endpoints: demo analysis (10/min), price feeds (60/min), webhooks (30/min)
- Session management with secure, HttpOnly, SameSite cookies and configurable timeouts
- Password hashing using bcrypt (cost factor 12) with per-user salts
- SQL injection prevention via parameterized queries on every database call
- Input sanitization and output encoding (htmlspecialchars) on all user data
- Two-factor authentication (TOTP): Google Authenticator, Authy, or any TOTP app
- Session regeneration on login to prevent fixation attacks
- Timing-safe token comparison (hash_equals) on webhook authentication
- Brute force protection with rate-limited login attempts and random delays on failed auth
- Admin audit logging: all privilege escalations and impersonations tracked with IP and timestamp
- Security headers: HSTS, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy, Content-Security-Policy
- Sensitive files blocked (.env, .sql, .git, .log, .bak) via .htaccess rules
- PHP execution blocked in upload directories
- Anti-debugging and anti-copy protections on frontend code
How Trading Works
Understanding the money flow is critical:
Your money never leaves your exchange. AZ.AI connects to your exchange via API, analyzes markets, and sends trade orders. It's like hiring a trader who can buy and sell on your account but can never touch the cash register.
- You fund your exchange account directly (Kraken, Binance, etc.)
- You create API keys on your exchange with trade-only permissions
- You paste those keys into AZ.AI (encrypted immediately)
- AZ.AI's engine analyzes markets and places trades via your API keys
- All trades execute on your exchange and are visible in your exchange dashboard
- Profits stay in your exchange account; withdraw directly from your exchange anytime
Paper Trading: Try Risk-Free
Not ready to connect real money? Every AZ.AI account starts with paper trading.
- Paper trading uses simulated funds; no exchange connection needed
- Real market data, real AI analysis, simulated execution
- Track your bot's performance before risking real capital
- Upgrade to live trading only when you're confident in results
Our Commitment
We built AZ.AI because we wanted a better trading tool for ourselves. We use it with our own money. Our interests are aligned with yours: we only succeed if our engine makes you money.
If you ever have security concerns, questions, or discover a vulnerability, contact us immediately at security@az.ai.