What we hold and how we hold it
When you paste your Binance API key and secret, those values are immediately wrapped in two layers:
- Encrypted under a per-customer key that lives only in the cloud KMS (the key material is never exported from it) and is rotated on a published schedule.
- Stored as ciphertext in the database, which is itself encrypted at rest.
Two locks, two separate keys, two separate audit trails. A copy of the database alone gives an attacker ciphertext they cannot open. Access to the KMS alone gives an attacker the ability to decrypt, but nothing to decrypt. They would need both, which is a structurally harder problem than a single-store compromise. The one place the two meet is the service that is permitted to read the row and call the KMS, so that service's identity is the boundary that matters most, and it is the only identity allowed to decrypt (see below).
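The two-layer scheme above, as an added worked example (this is illustrative code written for this page, not HalalCrypto's own implementation). The in-process `KMS` type stands in for the cloud KMS: it holds one AES-256 key per customer that is never exported, and applies a key policy that names which service identities may call `Decrypt`. The database row holds only the two ciphertexts. The customer ID is bound into each ciphertext as associated data, so a ciphertext moved into another customer's row will not open. Names, the caller allowlist and the use of AES-GCM are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// KMS stands in for the cloud KMS (assumption: the real system uses the
// provider's KMS with an IAM policy granting Decrypt to one service only).
type KMS struct {
	keys    map[string][]byte // customerID -> 256-bit key, never exported
	allowed map[string]bool   // service identities permitted to call Decrypt
}

func NewKMS(allowedCallers ...string) *KMS {
	k := &KMS{keys: map[string][]byte{}, allowed: map[string]bool{}}
	for _, c := range allowedCallers {
		k.allowed[c] = true
	}
	return k
}

// CreateKey provisions a fresh per-customer key. Rotation would create a new
// key and re-encrypt the stored rows under it.
func (k *KMS) CreateKey(customerID string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	k.keys[customerID] = key
	return nil
}

func (k *KMS) aead(customerID string) (cipher.AEAD, error) {
	key, ok := k.keys[customerID]
	if !ok {
		return nil, fmt.Errorf("kms: no key for customer %q", customerID)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with AES-256-GCM under the customer's key, binding
// the customer ID in as associated data. Output is base64(nonce || ct || tag).
func (k *KMS) Encrypt(customerID string, plaintext []byte) (string, error) {
	aead, err := k.aead(customerID)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := aead.Seal(nonce, nonce, plaintext, []byte(customerID))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Decrypt enforces the key policy first; only then is the ciphertext opened.
func (k *KMS) Decrypt(caller, customerID, ciphertext string) ([]byte, error) {
	if !k.allowed[caller] {
		return nil, fmt.Errorf("kms: caller %q denied by key policy", caller)
	}
	aead, err := k.aead(customerID)
	if err != nil {
		return nil, err
	}
	raw, err := base64.StdEncoding.DecodeString(ciphertext)
	if err != nil || len(raw) < aead.NonceSize() {
		return nil, fmt.Errorf("kms: malformed ciphertext")
	}
	ns := aead.NonceSize()
	return aead.Open(nil, raw[:ns], raw[ns:], []byte(customerID))
}

// CredentialRow is all the database ever holds: ciphertext, no key material.
type CredentialRow struct {
	CustomerID  string
	APIKeyCT    string
	APISecretCT string
}

// StoreCredential is the "paste your key and secret" step.
func StoreCredential(kms *KMS, customerID, apiKey, apiSecret string) (CredentialRow, error) {
	keyCT, err := kms.Encrypt(customerID, []byte(apiKey))
	if err != nil {
		return CredentialRow{}, err
	}
	secretCT, err := kms.Encrypt(customerID, []byte(apiSecret))
	if err != nil {
		return CredentialRow{}, err
	}
	return CredentialRow{CustomerID: customerID, APIKeyCT: keyCT, APISecretCT: secretCT}, nil
}
```

A caller that is not on the allowlist gets a policy error before any cryptography runs, which is the property the KMS audit trail later relies on: a denied call is still a logged call.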
When the key is decrypted
Exactly one process in our infrastructure can decrypt the key: the order-signing service. It decrypts in memory, signs the outgoing API request to Binance, and discards the plaintext; anything that has to cross a service boundary is re-encrypted first. Neither plaintext value is ever written to disk, handed to another service, or sent to any logging system. The only place they go is the signed request to Binance itself.
What we DO log
We log: timestamp, customer ID, order parameters, Binance acknowledgement. We do NOT log: the API key, the secret, the signature.
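The signing step and the logging rule above, as an added example (illustrative code for this page, not the order-signing service's own code). `signRequest` implements the scheme Binance signed endpoints use: an HMAC-SHA256 over the URL-encoded parameter string, keyed with the API secret, appended as `signature`, with the API key sent in the `X-MBX-APIKEY` header. `orderLogLine` builds the only record that is written about an order and strips anything that must not appear in it, even if a caller passes the signed body back in by mistake. Function and field names and the sample values are assumptions; the secret is used inside `signRequest` and nowhere else.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// SignedRequest is what leaves the order-signing service towards Binance.
type SignedRequest struct {
	Header map[string]string // X-MBX-APIKEY
	Body   string            // url-encoded params, timestamp and signature
}

// signRequest adds the timestamp, computes HMAC-SHA256 over the encoded
// parameters with the API secret, and appends the hex signature. The caller's
// params are copied, not mutated, so they cannot pick up the signature.
func signRequest(apiKey string, secret []byte, params url.Values, now time.Time) SignedRequest {
	p := url.Values{}
	for k, v := range params {
		p[k] = v
	}
	p.Set("timestamp", strconv.FormatInt(now.UnixNano()/int64(time.Millisecond), 10))
	payload := p.Encode() // keys sorted, so the string is deterministic
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(payload))
	return SignedRequest{
		Header: map[string]string{"X-MBX-APIKEY": apiKey},
		Body:   payload + "&signature=" + hex.EncodeToString(mac.Sum(nil)),
	}
}

// OrderLogEntry is the only record written about an order: timestamp,
// customer ID, order parameters, Binance acknowledgement.
type OrderLogEntry struct {
	Timestamp  string            `json:"ts"`
	CustomerID string            `json:"customer_id"`
	Params     map[string]string `json:"params"`
	BinanceAck string            `json:"binance_ack"`
}

// neverLogged lists parameter names that are dropped before logging
// (assumption: names chosen for this example).
var neverLogged = map[string]bool{"signature": true, "apiKey": true, "secret": true}

func orderLogLine(now time.Time, customerID string, params url.Values, ack string) (string, error) {
	entry := OrderLogEntry{
		Timestamp:  now.UTC().Format(time.RFC3339),
		CustomerID: customerID,
		Params:     map[string]string{},
		BinanceAck: ack,
	}
	for k := range params {
		if !neverLogged[k] {
			entry.Params[k] = params.Get(k)
		}
	}
	b, err := json.Marshal(entry)
	return string(b), err
}

// containsAny is a guard to run over log output in tests or CI: it reports
// whether any of the given secrets appears in the line.
func containsAny(logLine string, secrets ...string) bool {
	for _, s := range secrets {
		if s != "" && strings.Contains(logLine, s) {
			return true
		}
	}
	return false
}
```

The signature is derived from the secret but is not the secret; it is still kept out of the log because, together with the timestamp, it is enough to replay the request within Binance's receive window.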
Audit logging
Every call to the KMS for a customer key, allowed or denied, is logged at the KMS level with date, time, calling service and IAM identity. We review these logs daily. Any anomaly (an unusual time of access, an unexpected service or identity, a run of failed access attempts) triggers an alert.
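The daily review described above, as an added example (illustrative detection logic written for this page, not HalalCrypto's review tooling). `ParseLog` reads audit records in a simple constructed line format, and `Review` walks them in order and emits one alert for each of the three anomaly classes named: a caller other than the expected service and identity, an access outside the hours in which access is normal, and repeated denied calls from one identity. The line format, field names, the expected-hours window and `SampleLog` are all assumptions made for the example; a real review would map the provider's audit-log schema onto `KMSAccess` and derive the hours window from observed baseline traffic.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// KMSAccess is one KMS audit record (field names are this example's own).
type KMSAccess struct {
	At       time.Time
	Service  string // workload that called the KMS
	Identity string // IAM principal it ran as
	KeyID    string // per-customer key that was requested
	Allowed  bool   // whether the key policy permitted the call
}

// ParseLog reads constructed lines of the form
// "<RFC3339 time>,<service>,<identity>,<key id>,<ALLOW|DENY>".
func ParseLog(lines []string) ([]KMSAccess, error) {
	var out []KMSAccess
	for _, line := range lines {
		f := strings.Split(strings.TrimSpace(line), ",")
		if len(f) != 5 {
			return nil, fmt.Errorf("malformed audit line: %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		out = append(out, KMSAccess{At: at, Service: f[1], Identity: f[2], KeyID: f[3], Allowed: f[4] == "ALLOW"})
	}
	return out, nil
}

// ReviewPolicy encodes the three anomaly classes the daily review looks for.
type ReviewPolicy struct {
	ExpectedService  string // the only workload that should ever decrypt
	ExpectedIdentity string // the IAM identity that workload runs as
	ExpectedHoursUTC [2]int // [start, end) hours of day in which access is normal
	MaxDenied        int    // denied calls from one identity before alerting
}

// Review walks the entries in order and returns one alert string per anomaly.
func Review(entries []KMSAccess, p ReviewPolicy) []string {
	var alerts []string
	denied := map[string]int{}
	for _, e := range entries {
		ts := e.At.UTC().Format(time.RFC3339)
		if e.Service != p.ExpectedService || e.Identity != p.ExpectedIdentity {
			alerts = append(alerts, fmt.Sprintf("%s unexpected caller %s/%s on %s", ts, e.Service, e.Identity, e.KeyID))
		}
		if h := e.At.UTC().Hour(); h < p.ExpectedHoursUTC[0] || h >= p.ExpectedHoursUTC[1] {
			alerts = append(alerts, fmt.Sprintf("%s off-hours access by %s on %s", ts, e.Identity, e.KeyID))
		}
		if !e.Allowed {
			denied[e.Identity]++
			if denied[e.Identity] == p.MaxDenied {
				alerts = append(alerts, fmt.Sprintf("%s %d denied decrypts by %s", ts, p.MaxDenied, e.Identity))
			}
		}
	}
	return alerts
}

// SampleLog is constructed input for the example, not real audit data.
var SampleLog = []string{
	"2024-05-01T09:15:02Z,order-signing,svc-order-signing,cust-42,ALLOW",
	"2024-05-01T03:07:44Z,order-signing,svc-order-signing,cust-42,ALLOW",
	"2024-05-01T10:00:00Z,dashboard,svc-dashboard,cust-42,DENY",
	"2024-05-01T10:00:05Z,dashboard,svc-dashboard,cust-42,DENY",
	"2024-05-01T10:00:10Z,dashboard,svc-dashboard,cust-42,DENY",
}

// DefaultPolicy is an assumed baseline: one expected caller, a 06:00-22:00 UTC
// window, and an alert on the third denied call from the same identity.
var DefaultPolicy = ReviewPolicy{
	ExpectedService:  "order-signing",
	ExpectedIdentity: "svc-order-signing",
	ExpectedHoursUTC: [2]int{6, 22},
	MaxDenied:        3,
}

func main() {
	entries, err := ParseLog(SampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range Review(entries, DefaultPolicy) {
		fmt.Println("ALERT:", a)
	}
}
```

On the sample input the first record is clean, the second trips the off-hours check, and the three denied calls from the dashboard identity each trip the unexpected-caller check, with the third also reaching the denied-call threshold.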
What we recommend you do
- Set the IP allowlist on your Binance side so that the key is only accepted from our IP addresses. This makes a leaked key (the theoretical worst case) unusable from anywhere else. While you are in the key settings, grant only the permissions this service needs; Binance exposes trading and withdrawal as separate per-key permissions, and a key used for placing orders has no reason to be allowed to withdraw.
- Rotate your key periodically (every 90 days is a reasonable cadence). Even with no specific incident, rotation limits the useful lifetime of any key that may have leaked through other channels (browser sync, screen sharing).
- Never share screenshots that include any HalalCrypto dashboard view that might show key fragments. The dashboard masks the key, but full-screen screenshots can capture transient state.
What you can audit
The dashboard shows every API call we made on your behalf, with timestamp, endpoint, and Binance response. If anything unexpected appears — for example, a Binance call you did not authorise — the audit log makes it visible.