BENEAT

01

Trust

Security Architecture

How we protect your keys, your data, and your trades.

02

API Key Handling

Your exchange API keys are the most sensitive data you share with Beneat. We treat them with the highest level of security:

  • AES-256-GCM encryption — keys are encrypted before storage
  • HttpOnly cookies — browser-side JavaScript cannot read the cookie holding your keys
  • Never in browser storage — no localStorage, sessionStorage, or IndexedDB
  • Never in database — encrypted credentials stored in cookies only
  • Decrypted at execution — keys decrypted momentarily, then discarded

03

Non-Custodial by Design

Beneat is a gatekeeper, not a custodian. We never have access to withdraw your funds:

  • No withdrawal scope — we request read + trade permissions only
  • Funds stay on exchange — assets remain on Binance, Hyperliquid, OKX, etc.
  • Revoke anytime — disable API access from your exchange dashboard

If Beneat goes down, your positions remain on the exchange. You can always trade directly on your exchange's native interface.

04

Authentication

Account security through BetterAuth with multiple protection layers:

  • Session-based auth — secure cookies with automatic expiration
  • OAuth providers — Google and Twitter login
  • TOTP 2FA — optional two-factor authentication
  • Session invalidation — logout invalidates all tokens

05

Data Encryption

  • TLS 1.3 in transit — all network traffic encrypted
  • AES-256 at rest — sensitive data encrypted on servers
  • Credential chain — receive → encrypt → cookie → decrypt → execute → discard
06

Platform Security

  • Access controls — role-based access; no employee access to credentials
  • Rate limiting — 5 orders/min default protection
  • Kill switch — admin-togglable trading suspension
  • CORS whitelist — API restricted to authorized domains
  • Secure development — code review, dependency auditing

07

When Beneat Is Down

Beneat is an enforcement layer, not a replacement for your exchange:

  • Positions remain — unaffected by Beneat's status
  • Trade directly — log into your exchange and manage manually
  • Risk rules pause — enforcement only applies through Beneat
  • No lockout inheritance — restrictions don't propagate to exchange

08

Agent Security

Autonomous AI agents operate under the same security model:

  • Same risk rules — agents cannot bypass limits or cooldowns
  • Tool access control — agents only access enabled tools
  • Autonomy calibration — overconfident agents get reduced autonomy
  • Action proposals — risky moves require approval

09

Your Responsibilities

  • Read + trade only — never grant withdrawal permissions
  • IP whitelist — restrict keys to Beneat's IPs where supported
  • Enable 2FA — protect your Beneat account
  • Rotate keys — refresh API keys periodically
  • Monitor activity — review exchange API logs
  • Revoke if suspicious — disable keys immediately if compromised

10

Incident Response

If you discover a security vulnerability or suspect unauthorized access:

Email: info@beneat.ai

We aim to acknowledge reports within 24 hours and respond substantively within 72 hours.