This document outlines the security policy
This security policy outlines the essential security measures and practices for Avalon Tech PTE. Ltd. ("Wind") to safeguard our non-custodial mobile wallet and web-based payouts dashboard, ensuring the confidentiality, integrity, and availability of user and company data.
2. Password Management
When you create a Wind account, we use an algorithm called bcrypt to turn your plaintext password into a hash that's unique to your account. This means that your password is stored as a random-looking string, which makes the original password hard to figure out. Because the hash is one-way, no one, including Wind, can reverse your stored hash to recover the underlying password. Instead, when you sign in to your account, our system verifies it's you by hashing the password you enter and comparing the result with the stored hash.
3. Self Custody
Wind is committed to empowering its users to take control of their digital assets, and this commitment is at the heart of our self-custodial wallet. In the ever-evolving world of cryptocurrency, self-custody has emerged as a pivotal concept, and we are here to guide you through its importance and the role it plays in your financial sovereignty.
3.1. Your Private Keys
In the world of cryptocurrencies, your private keys are the keys to your financial kingdom. With our wallet, you are the sole owner of your private keys. This means that you, and only you, have access to your assets.
4. Security and Encryption
The technology that powers Wind was developed with industry-leading encryption and security at its core. We’re constantly upgrading Wind to stay ahead of any threats and to keep your Web3 experience as safe as possible.
Your private keys are strongly encrypted with an AES algorithm and they are also securely stored on your device. The passcode you set for Wind on your mobile device is strongly hashed before being saved to your device and is stored in a tamper-proof key store. Additionally, while using any of our products, your private keys never leave your device and are never sent over the internet or exposed to third parties.
4.1. Data Encryption
In the world of cryptocurrencies and self-custody, data encryption plays a paramount role in ensuring the security and privacy of your digital assets. Wind employs robust encryption techniques to protect your data and assets against unauthorized access, breaches, and theft.
- We utilize industry-standard encryption algorithms, such as Advanced Encryption Standard (AES) with a 256-bit key length, to secure your data at rest. AES-256 is widely regarded as one of the most secure encryption methods available, ensuring that your stored data remains confidential and protected from potential threats.
- For added security, we encourage the use of end-to-end encryption when sending or receiving cryptocurrencies. This means that only the intended parties can decrypt and access the transaction information.
4.2. Data Backup and Recovery
In the world of self-custodial wallets, data backup and recovery strategies are vital to ensure the long-term safety and accessibility of your digital assets. Wind understands the importance of these practices and provides guidance to help you protect your holdings effectively.
- We regularly back up critical data to ensure data recovery in case of data loss or cyberattacks.
- We test and validate data backup and recovery procedures.
5. Application Security
5.1. Code Review and Testing
- We conduct thorough code reviews to identify and remediate any security-related issues. This process ensures that no security vulnerabilities go unnoticed before the application is deployed.
- Our development team follows secure coding guidelines and best practices throughout the software development life cycle. These practices help identify and address vulnerabilities at an early stage of application development.
5.2. Secure APIs
- Access to our application's APIs is restricted and controlled to prevent unauthorized access. Only authorized entities, such as the wallet owner, are allowed to interact with the APIs.
- Our APIs use strong authentication mechanisms and role-based access control to ensure that only users with the appropriate permissions can perform actions within the application.
6. Incident Response
Incident response is a crucial aspect of your self-custodial wallet's security strategy. It involves preparing for, detecting, responding to, and recovering from security incidents to minimize their impact and protect your digital assets.
6.1. Incident Reporting
- We have established procedures for reporting security incidents. Users can report incidents through dedicated channels, such as email, online forms, or our customer support.
- Upon receiving an incident report, our response team takes immediate action to assess the situation, contain the incident, and initiate an investigation.
6.2. Incident Mitigation
- Containment: Once the incident is understood, containment measures are initiated to prevent further damage and stop the attacker's access to your digital assets.
- Recovery: Parallel to containment, recovery procedures are executed to restore affected systems and services to normal operations.
7. Secure Third-Party Integration
Third-party integrations can offer valuable features and functionalities to your self-custodial wallet, but they also introduce potential security risks. Wind takes a diligent approach to secure third-party integration to ensure that the integration of external services and applications is done safely.
7.1. Vendor Security Assessment
- Before integrating any third-party service, we perform a thorough risk assessment. This includes evaluating the security posture of the vendor, their reputation, and their track record for data protection and compliance with relevant regulations.
- We ensure that any third-party integration adheres to our predefined security standards. This means that the integration must meet specific security requirements and guidelines to minimize vulnerabilities.
8. User Education and Training
Wind understands that providing user education and training is pivotal to ensuring that our users can confidently and securely manage their self-custodial wallets. We're committed to empowering users with the knowledge and skills they need to protect their digital assets.
8.1. Security Awareness
- We provide a wealth of educational resources, including articles, guides, videos, and tutorials, to help users understand the security features and best practices of our self-custodial wallet.
- Users are educated about the various threats and risks that exist in the cryptocurrency space, including phishing attacks, malware, and social engineering, so they can recognize and respond to potential dangers.
9. Continuous Improvement
Wind recognizes that the landscape of cryptocurrency and cybersecurity is constantly evolving. As such, we are committed to a culture of continuous improvement to ensure the security of your self-custodial wallet remains at the forefront of industry standards.
9.1. Security Updates
- We stay vigilant and monitor security vulnerabilities and threats. When security updates or patches are released by our development team or third-party software providers, we respond promptly to address known vulnerabilities.
- We encourage users to regularly update their self-custodial wallet software and related applications. These updates often include security enhancements that protect against evolving threats.
9.2. Security Testing
- We conduct regular vulnerability assessments and penetration testing to identify and address potential weaknesses within our system. This proactive approach allows us to remediate vulnerabilities before they can be exploited.
- Our development team continually reviews and audits the code to identify and mitigate potential security issues. Code audits are part of our commitment to secure development practices.