We provide ultimate security by:
All the messages you send to us and all the responses we send to you are PGP signed and encrypted.
Because we use public-private key cryptography for both encryption and authentication, an attacker who wanted access to your account would have to steal your PGP private key, know the password used to protect it, and know the ID of your account (a random number known only to you), which is nearly impossible. We call this private key the session key, because it is used to end-to-end encrypt your trading session between your browser and our servers. The password you enter to decrypt your session key never leaves your browser: it is never transmitted over the Internet, and the decryption happens locally in your browser.
OpenPGP is a widely recognised security standard and hasn't been compromised a single time yet (contrary to, e.g., OpenSSL). Among its use cases are:
The funds you deposit to your account never touch any wallet where they would be spendable solely with private keys stored on a computer connected to the Internet. They go straight to our Multisig Cold Wallet, i.e. a wallet which is:
Withdrawals require manual confirmation, i.e. signing has to be manually confirmed on the offline devices, which is an additional security measure.