Security

Security is foundational to Arjia. This section covers how we protect your keys, encrypt sensitive data, and maintain the integrity of your trading operations.

Security Architecture

Arjia follows a defense-in-depth approach:

• Non-Custodial — For on-chain activities, your wallet keys remain in your control. Arjia never has access to your seed phrase or private keys.
• Encrypted Storage — All sensitive data (API keys, secrets) is encrypted at rest using AES-256.
• Cloud KMS — Optional hardware-backed key management through AWS KMS and GCP KMS with HSM protection.
• Secure Communication — All API calls use TLS/HTTPS encryption in transit.

Key Principles

Least Privilege

We recommend configuring exchange API keys with only the permissions you need:

• Enable Read for portfolio tracking
• Enable Trade only if you want grid bot execution
• Never enable Withdraw — Arjia doesn't need it

Encryption at Rest

Sensitive data is encrypted before storage and only decrypted at the moment of use:

• Exchange API keys and secrets
• KMS key references
• Authentication tokens

Hardware Security

For institutional-grade security, Arjia supports cloud-based Hardware Security Modules (HSMs):

• AWS KMS with CloudHSM backing
• GCP KMS with Cloud HSM backing
• Private keys never leave the HSM

Security Topics

• KMS Key Management — How cloud KMS wallets work with AWS and GCP
• API Key Encryption — How exchange API keys are encrypted and stored

Best Practices

1. Use hardware wallets for large holdings and connect via MetaMask/WalletConnect
2. Enable 2FA on all exchange accounts
3. Use IP restrictions on exchange API keys when possible
4. Regularly review and rotate API keys
5. Use KMS wallets for automated trading operations
6. Never share API keys, seed phrases, or passwords