Security & Trust

Your keys. Your vault.
Our engine.

Every trade is an API call against your own exchange account. We can execute. We cannot withdraw. The architecture is deliberately boring - because your funds shouldn't be exciting.

SOC 2 Type II · planned
ISO 27001 · roadmap
MiCA framework · in scope
Bug bounty · in preparation

How a trade actually moves.
Layer 01

You

  • Exchange account
  • Cold / hot wallet
  • Custody
Layer 02

Exchange API

  • Trade-only key
  • Withdraw: blocked
  • IP-whitelisted
Layer 03

TradeMire

  • Signal engine
  • Policy check
  • Order gateway
Never: custody of your funds · withdrawal permissions · commingled accounts · off-chain IOUs
Compliance & Controls

Audited, attested, boring.

The list below is what we have committed to and where we are. Click any card for the proof.

Internal mTLS PKI

Every internal service call is certificate-authenticated against our own CFSSL-managed CA. ECDSA P-384 child certs, 3-year validity. No internet PKI dependency.

Cipher: ECDSA P-384

AES-256-GCM at rest

All platform secrets encrypted with AES-256-GCM and bound via Additional Authenticated Data. Per-secret scope - only the owning service can decrypt.

Cipher: AES-256-GCM

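An added illustration of the AAD binding described in this card, not TradeMire's own code: it uses Node's built-in crypto module, and the AAD layout, service identifiers and secret names are assumptions. It shows the effect of the binding: the same key and ciphertext fail authentication when presented under a different service or secret name.

```javascript
const crypto = require("node:crypto");

// Assumed AAD layout (not from the page): version, owning service, secret name.
// JSON encoding keeps the fields unambiguous even if a name contains a separator.
const scopeAad = (service, name) =>
  Buffer.from(JSON.stringify(["v1", service, name]), "utf8");

// Encrypt one secret. The stored record holds nonce, ciphertext and tag only.
function sealSecret(key, service, name, plaintext) {
  const nonce = crypto.randomBytes(12); // 96-bit nonce, fresh for every encryption
  const cipher = crypto.createCipheriv("aes-256-gcm", key, nonce, { authTagLength: 16 });
  cipher.setAAD(scopeAad(service, name));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return { nonce, ct, tag: cipher.getAuthTag() };
}

// Decrypt with AAD rebuilt from the caller's identity, never read from the record.
function openSecret(key, callerService, name, record) {
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, record.nonce, { authTagLength: 16 });
  decipher.setAAD(scopeAad(callerService, name));
  decipher.setAuthTag(record.tag);
  try {
    return Buffer.concat([decipher.update(record.ct), decipher.final()]).toString("utf8");
  } catch {
    return null; // tag mismatch: wrong scope, wrong key, or modified ciphertext
  }
}

function demo() {
  const key = crypto.randomBytes(32); // constructed sample key
  // Hypothetical service and secret names, constructed for this example.
  const rec = sealSecret(key, "order-gateway", "venue-api-key", "constructed-sample-secret");
  const tampered = { ...rec, ct: Buffer.from(rec.ct) };
  tampered.ct[0] ^= 0x01; // flip one ciphertext bit
  return {
    owner: openSecret(key, "order-gateway", "venue-api-key", rec),
    otherService: openSecret(key, "signal-engine", "venue-api-key", rec),
    renamed: openSecret(key, "order-gateway", "other-secret", rec),
    tampered: openSecret(key, "order-gateway", "venue-api-key", tampered),
  };
}

console.log(demo());
```

The AAD binds a ciphertext to its scope so it cannot be moved to another record; keeping other services from decrypting also requires that they cannot obtain the key.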
At-least-once delivery

Failed inter-service calls retry from a PostgreSQL-backed replays table with idempotent semantics. Survives process restarts; bounded retry budget per call.

Pattern: Idempotent replays

SOC 2 Type II

Planned SOC 2 Type II audit covering Security, Availability, and Confidentiality. Engagement details to follow.

Target: TBD

ISO 27001

ISMS roadmap drafted, gap assessment complete. Scoped to the execution engine and signal pipelines.

Target: Q1 2027

Penetration testing

Planned external penetration testing on a recurring cadence, with critical-finding remediation targets and summary reports shared with Institutional customers under NDA.

Status: Planned

Bug bounty

A third-party bug bounty channel is in preparation. Until it goes public, direct security reports come in via security@trademire.ai with PGP-encrypted disclosure. Severity-scaled rewards will be published when the program opens.

Status: In preparation

MiCA alignment

We're aligning our service architecture to the MiCA framework for EU crypto-asset service provision. Registration status to be communicated on completion.

Status: In scope

Gateway uptime

Rolling 90-day uptime on the order gateway. Public status page with per-component history.

Current: Live

Kill Switch

One button. Flat in under 200ms.

Every vault has a dedicated kill-switch. Press it from web, mobile, or Telegram and every open position is flattened on every connected venue, simultaneously, with a full audit receipt.

  1. Tap kill-switch from any surface (web, mobile, Telegram bot, API).
  2. Gateway cancels all open orders on every connected venue in parallel.
  3. Reduce-only market orders close positions at best available price.
  4. Vault frozen. Full slippage and fill report delivered within 60 seconds.
  5. Resume only with explicit re-authorization plus 2FA.
Vault · alpha-01 · live
$ killswitch.arm("alpha-01")
✓ armed · ready
Incident Transparency

Every issue, public.

When an incident affects trading, we commit to a public log with root cause and remediation. No silent deploys, no hidden post-mortems.

No public incidents logged yet. When one affects trading, it appears here with a full post-mortem.
Documentation

Read the receipts.

No lead-gen forms. Direct downloads.

Questions?

Disclose a vuln. Request a report. Talk to us.

Security inquiries get a human reply within 24 hours. Disclosure PGP key linked above. A third-party bug bounty channel is in preparation.
