Your exchange API keys are encrypted with your operating system's secure storage (Windows DPAPI, macOS Keychain, Linux Secret Service) and never transmitted to our servers.
The backend sends trading signals. Your local desktop client receives signals and executes trades directly with the exchange. The server never needs your API keys.
Every signal is cryptographically signed with HMAC-SHA256 to prevent tampering. Your client verifies each signal before execution.
Even if our servers were compromised, attackers could not access your exchange accounts. Your keys exist only on your physical device.