This article discusses our security practices and how we use your APIs with Shrimpy.
The Shrimpy team has gone through great measures to secure our systems. Our team is proud of the robust infrastructure we have developed. This article will highlight a few key ways the Shrimpy platform protects our users.
Every API key is securely encrypted and stored using FIPS 140-2 validated hardware security modules (HSMs) to protect the confidentiality and integrity of your Exchange API keys. Shrimpy only requires the ability to read data and make trades, so your funds cannot be removed from the exchange.
We also encourage all users to utilize our Two-Factor Authentication (“2FA”) service which secures access to your account. Strong passwords are required for every user account. All passwords are cryptographically hashed using modern, proven standards. All website data is transmitted over encrypted Transport Layer Security (“TLS”) connections (i.e., HTTPS).
In order to further improve the security of your assets, Shrimpy also offers the ability to input asset amounts through our "Cold Storage" feature. The assets listed here should be kept in a hardware wallet or other similar personally secured solution that you manage. This allows the application to consider these values for trading and rebalancing your portfolio, even though they are not maintained on the exchange. This balances liquidity of your portfolio with the security of leaving the majority of your holdings off the exchange.
IP Whitelisting is a feature which exchanges use to restrict access to your cryptocurrency exchange account. Setting up IP Whitelists means the exchange will only accept requests when they are sent from the specific IPs that are input into the exchange. This prevents unauthorized access to your exchange account from any other IP.
Shrimpy allows IP Whitelisting by ensuring we will only communicate with your exchange account from the IPs we provide you. This way, we can still perform trades, collect data from your account, and rebalance your portfolio, but only from the specified IPs.