At Growlonix, security is our top priority. We have taken many steps to help ensure your data is safe and secure. We recognize that providing a secure platform in the digital currency space is an ongoing effort. Our security team works continuously and proactively to combat the latest cyber threats. While we cannot disclose all of our defense techniques, we're happy to provide the following policy and guidelines.
• All user data is encrypted with AES 256-bit encryption and sensitive user data (encrypted or not) is never returned to the client.
• Every request to Growlonix is served over a verified and secure (ORG) SSL connection.
• Growlonix supports passwords up to 40 characters. Use a long, unique and complex password with a mix of alphanumeric characters and symbols.
• Growlonix also supports Two-Factor Authentication (2FA) using TOTP (Time-based One-Time Password) authentication. This is a free, offline method that doesn't rely on any third-party servers.
• Growlonix supports U2F (Universal Second Factor) authentication. We support any FIDO-compatible device, such as the YubiKey and Trezor, to secure your account.
• Every successful and failed login attempt is logged and timestamped with the IP address and user agent. Authentication e-mails are sent automatically and cannot be turned off.
• Two-factor authentication (TOTP or U2F) is required to enable trading through your account.
• Failed login attempts will result in both an account lockout and IP ban for an extended period of time.
• Lockdown links are provided in every transactional e-mail. They allow the user to disable all of their API keys at once, force a password reset and close any active sessions.
• Heuristic algorithms monitor for unusual account activity; if activity is flagged, the account is immediately locked down and any active sessions are terminated.
• API keys are never stored or displayed anywhere in an unencrypted format. Your browser never makes requests to the exchange API directly from your computer.
• In addition, every request to Growlonix.com is made over SSL. This ensures all data transmitted to and from our servers is encrypted. This is true for your browser as well as the mobile app. The first (and only) time your key/secret is submitted to our servers, it is protected in transit by SSL.
• Most exchanges allow you to set restrictions on your exchange API keys, limiting their capabilities to just the functionality you want to use on Growlonix.
• Growlonix strongly recommends that you only enable the API features that you intend to use and never enable withdrawals via API.
• It is the user's responsibility to keep both their Growlonix account and their exchange accounts secure.
• Growlonix uses a multi-tiered server architecture with complex credentials to ensure server integrity.
• Growlonix never handles your funds directly. All funds remain stored in the exchange's wallets.
• All user requests are filtered and checked on both the front-end and the back-end for XSS, CSRF, clickjacking and session impersonation attacks.
• We use only parameterized queries to the database to further prevent injection attacks.
• Growlonix is hosted in Google's datacenters, and our team has a combined 30 years' experience in web security and best practices.
• All servers are protected with a strong firewall, and only key team members have access.
• Systems are audited regularly and kept up to date with the latest security fixes.
• DNS-level DDoS (Distributed Denial of Service) protection is employed.
• Internal auditing and security screening are employed across all networks and instances.
• All employees are required to use hardware authentication devices where applicable.
• All employee accounts are restricted/compartmentalized to their specific area of knowledge.
• Sensitive information is never transmitted over insecure channels and is always encrypted with PGP.
• A strong VPN is required for all employees to access any internals.
• All third-party accounts have 2FA (Two-Factor Authentication) enabled and, in most cases, require hardware authentication.
• Regular account auditing and password rotation are required.