Security & Privacy
How plutarc protects your API keys, data, and trading infrastructure.
API Key Encryption
Your exchange API keys are encrypted at rest using AES-256-GCM (authenticated encryption). This means keys are never stored in plaintext — they are encrypted before being written to the database and only decrypted at runtime within your dedicated bot instance's process memory.
The dashboard only stores masked hints (first and last few characters) for identification purposes.
When you delete an API key, it is immediately and permanently removed from the database — there is no soft-delete or retention period.
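The at-rest scheme described above, as an added illustration in Go's standard library rather than plutarc's own code: encrypt under AES-256-GCM with a fresh nonce per record, keep only a masked hint for display, and release plaintext only when the record authenticates. The record layout (nonce || ciphertext || tag), the use of the owning account ID as associated data, and the `Seal`/`Open`/`Mask` names are assumptions for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newGCM requires a 32-byte key so the mode is AES-256-GCM; aes.NewCipher alone
// would also accept 16- or 24-byte keys (AES-128/192).
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, _ := aes.NewCipher(key) // cannot fail: key length already validated
	return cipher.NewGCM(block)
}

// Seal encrypts an API key for storage and returns (hint, nonce || ciphertext || tag, err).
// aad (assumed here to be the owning account ID) is authenticated but not encrypted.
func Seal(key, aad []byte, apiKey string) (string, []byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random 96-bit nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return "", nil, err
	}
	return Mask(apiKey), gcm.Seal(nonce, nonce, []byte(apiKey), aad), nil
}

// Open authenticates, then decrypts; a tampered record or a wrong aad is an error, not plaintext.
func Open(key, aad, sealed []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return "", errors.New("bad key or truncated record")
	}
	pt, err := gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
	return string(pt), err
}

// Mask keeps only the first and last four characters for identification in the dashboard.
func Mask(apiKey string) string {
	if len(apiKey) <= 8 {
		return "****"
	}
	return apiKey[:4] + "..." + apiKey[len(apiKey)-4:]
}
```

Because the account ID is bound in as associated data, a ciphertext copied from one account's row to another fails to open, even though the same data key was used.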
Minimal Permissions
plutarc only requires trading permissions on your API keys. You should never enable withdrawal permissions — plutarc does not need them and will never request them. This ensures that even if a key were compromised, it could not be used to withdraw your funds.
- BitMEX: Enable Order permission only. Leave Withdraw disabled.
- Bybit: Enable Trade Read-Write for Derivatives only. Leave Withdraw disabled.
- Binance: Enable Futures permission only. Leave Withdraw disabled.
- Kraken: Enable General API - Full Access. Leave Withdrawal API disabled.
All four exchanges also support IP restriction on API keys. Restricting the key to your bot's deployment IP adds a further layer of defence: a key that leaks cannot be used from any other address.
Dedicated Compute Isolation
Each user's bot runs on a dedicated compute instance — there is no shared tenancy. Your bot process, memory, and network connections are isolated from other users. This eliminates noisy-neighbour issues and ensures that one user's activity cannot affect another's performance or security.
Bot instances are provisioned on demand when you deploy and stopped when you stop the bot. No residual data remains on the instance after teardown.
Data Hosting & Regions
Bot compute is available in EU, US, and Asia-Pacific (Southeast Asia) deployment regions. For latency-sensitive strategies, Singapore offers the lowest latency to APAC-based exchange matching engines. Regardless of the region a bot runs in, account data, encrypted credentials, and stored configurations are hosted in EU infrastructure for GDPR compliance.
Authentication & Sessions
plutarc supports multiple authentication methods for your dashboard account:
- Password: Standard email and password authentication with strength requirements enforced at registration.
- Passkeys: Passwordless authentication using biometric sensors or hardware security keys (WebAuthn). You can register multiple passkeys per account.
The Session Management page shows all devices where you are currently signed in. You can sign out of individual sessions at any time. Sensitive operations (such as changing your password or managing passkeys) require identity reverification.
Data Retention & Deletion
Your strategy configurations, trade history, and account settings are always preserved — if you stop your bots and later redeploy, your data is still available.
API keys are deleted immediately upon request. Account deletion removes all associated data including trade history, templates, API keys, and bot configurations. See the Privacy Policy for full details on data handling and retention.