
API Key Security Policy

Version: v1.0.0-draft
Effective: 2026-06-01
Last updated: 2026-06-01

This is a working draft. The final text must be reviewed by legal counsel before commercial launch.

Quick Summary

TalixTrade connects to your exchange using an API key that has withdrawals turned off, so we can trade for you but can never move your funds out. Keys are encrypted with AES-256-GCM and stored server-side only — they are never sent to your browser or to anyone else. You can delete a key at any time, which stops the bot and erases the stored record.

This policy explains how TalixTrade handles the exchange API keys you connect, what we do and do not do with them, and how to keep them safe. TalixTrade is trading software. It is not an exchange, bank, broker, or custodian. Your funds always stay in your own exchange account (Binance, Bybit, or OKX) — we never hold, accept, or move them.

This is a draft prepared for later review by legal counsel. It is not yet legally vetted.

API key requirements

To run a bot, you connect an API key from your own exchange account. Two rules are non-negotiable:

  • Withdrawal permission must be disabled. The key you give us must not have the right to withdraw or send funds anywhere. This is the single most important safeguard. If withdrawals are off, no one — not us, and not anyone who somehow obtained the key — can pull money out of your account.
  • You must confirm this when you add the key. During setup we ask you to confirm that withdrawal permission is disabled.

Where the exchange lets us check a key's permissions programmatically, our system rejects keys that still have withdrawal access turned on. Where the exchange does not expose this information, the responsibility to disable withdrawals rests with you — please double-check before saving the key.

How we store your keys

  • Every API key (and its secret) is encrypted using AES-256-GCM before it is written to our database.
  • The encryption key lives in a server environment variable kept separate from the database. Someone who only obtains a copy of the database cannot decrypt your keys without also obtaining this separate key.
  • Keys are handled server-side only. They are decrypted in memory on our servers when a bot needs to act, and are never sent to the browser or frontend. After you save a key, our web app never displays the secret back to you.
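As an added illustration of the storage design described above (example code, not TalixTrade's own), a small Go vault that seals each API key or secret with AES-256-GCM under a 32-byte master key supplied separately from the database, binding the user id and exchange into the ciphertext as authenticated data so a stored blob cannot be moved to another account row. The Vault, NewVault, Seal and Open names, the "|" separator and the way the master key is obtained are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// Vault holds the AES-256-GCM cipher built from the master key, which in
// production comes from a server environment variable, never the database.
type Vault struct{ aead cipher.AEAD }

func NewVault(master []byte) (*Vault, error) {
	if len(master) != 32 {
		return nil, errors.New("master key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(master)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Seal encrypts one key or secret under a fresh random nonce and returns
// nonce||ciphertext||tag, the only form written to the database. User id and
// exchange are additional authenticated data: a blob copied from another
// user's row, or relabelled to another exchange, will not open.
func (v *Vault) Seal(userID, exchange, secret string) ([]byte, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return v.aead.Seal(nonce, nonce, []byte(secret), []byte(userID+"|"+exchange)), nil
}

// Open decrypts in memory for one trading call. A modified blob or a
// mismatched user id/exchange fails the GCM tag check and returns an error.
func (v *Vault) Open(userID, exchange string, blob []byte) (string, error) {
	ns := v.aead.NonceSize()
	if len(blob) < ns {
		return "", errors.New("malformed blob")
	}
	pt, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(userID+"|"+exchange))
	return string(pt), err
}
```

The decrypted string should live only for the duration of the exchange call and never be returned to the frontend, which is the server-side-only rule the policy states.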

What we use your keys for

We use your API key strictly to operate the bots and features you turn on. Specifically, to:

  • Read your account balance and open positions.
  • Place orders (entries and exits) according to your bot's strategy.
  • Set take-profit (TP) and stop-loss (SL) orders.
  • Cancel or modify orders.
  • Read market data needed to make trading decisions.

What we do NOT do

We never use your key to:

  • Withdraw, send, or transfer your funds anywhere.
  • Move funds between your own accounts or wallets.
  • Trade for our own profit or "front-run" your orders.
  • Share, sell, or expose your key to any third party beyond the technical processing described in our Privacy Policy.

We technically cannot withdraw, because the key you provide has withdrawal permission disabled.

When you create the API key on your exchange, use the most restrictive settings that still allow trading:

  • Binance: Enable Spot and/or Futures trading (depending on the bots you run). Disable Withdrawals and disable Universal Transfer.
  • Bybit: Grant Read and Trade permissions only. Disable Withdraw.
  • OKX: Grant Read and Trade permissions only (no Withdraw). OKX also supports IP whitelisting — see below.

IP whitelisting

Some exchanges let you restrict an API key so it only works from specific server IP addresses. This adds a strong extra layer of protection: even if a key leaked, it would be useless from any other location.

If your exchange supports it, you can whitelist our server IP address:

49.13.221.175

IP whitelisting is optional but recommended where available. Note that if our infrastructure IP changes in the future, you may need to update the whitelist for your bots to keep working — we will let you know if that happens.

Key rotation

We recommend rotating (replacing) your API keys roughly every 6 months as a healthy security habit. To rotate a key, create a fresh key on your exchange with the same restricted permissions, add it in TalixTrade, and then delete the old one on the exchange.

Deleting a key

You can delete a connected API key at any time from your account settings. When you do:

  • Any bot using that key stops.
  • The encrypted record we hold is erased.

Deleting the key in TalixTrade does not delete it on the exchange — for full safety, also remove or disable the key in your exchange account after you delete it here.

Breach notification

We take the security of your keys seriously. If we ever become aware of a security incident that affects your API keys or other personal data, we will notify affected users within 72 hours of becoming aware of it, describe what happened and what we know, and explain the steps we are taking and the steps we recommend you take (such as immediately revoking the affected key on your exchange).

Contact

Questions about API key security, or want to report a concern? Email us at [email protected].

This policy works alongside our Terms of Service and Privacy Policy.


Operator: Anton Shchur, an Individual Entrepreneur (FOP) registered in Ukraine (3rd-group simplified tax). Registry: 2011600000000040678. Address: Dnipro, Dnipropetrovsk Oblast, Ukraine. Governing law: Ukraine.

Questions about this document: [email protected]