BITVYL Security
What we do, in detail, to keep your account and your money safe.
Robust authentication
- Passwords hashed with bcrypt + salt (Supabase Auth)
- httpOnly sessions + refresh tokens
- New-login alerts by e-mail (IP + device)
- 6-digit OTP for sensitive actions (withdrawals, email change)
Per-user isolation
- Row-Level Security (RLS) on every table in the database
- Each user only sees their own data — enforced in Postgres
- Admins have a separate access path with optional 2FA
Reliable infrastructure
- Dedicated Hetzner VPS with NVMe SSD
- Managed Supabase (Postgres + Auth + Storage)
- Let's Encrypt SSL/TLS on all traffic (HTTPS)
- Daily automated database backup
Protected secrets
- Service role keys are server-side only
- NOWPayments webhooks verified with HMAC-SHA512
- Custom Titan SMTP with STARTTLS for all e-mails
- Passwords and tokens never appear in logs or URLs
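As an added illustration (not BITVYL's own code), this is how a webhook signature check of the kind listed above can be implemented in Python. It assumes the sender signs the alphabetically key-sorted JSON body with HMAC-SHA512 under a shared IPN secret and sends the hex digest in a request header; the `x-nowpayments-sig` header name, the secret and the payload values are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed sample values: a made-up IPN secret and a payload shaped like a
# payment-status notification. Neither is real.
IPN_SECRET = "example-ipn-secret-not-real"
SAMPLE_PAYLOAD = {
    "payment_id": 123456789,
    "payment_status": "finished",
    "pay_amount": 0.0123,
    "price_amount": 25.5,
    "order_id": "order-42",
}


def canonical_body(payload: dict) -> bytes:
    """Serialise with keys sorted and no whitespace so both sides hash the
    same bytes. Assumption: the sender signs the key-sorted JSON object.
    Pitfall: number formatting must also match the sender's JSON library."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(payload: dict, secret: str) -> str:
    """HMAC-SHA512 of the canonical body, as a lowercase hex digest."""
    return hmac.new(secret.encode(), canonical_body(payload), hashlib.sha512).hexdigest()


def verify_webhook(raw_body: bytes, signature_header: str, secret: str) -> bool:
    """Recompute the HMAC over the received body (value of the assumed
    x-nowpayments-sig header) and compare in constant time. Reject anything
    that is not a JSON object or arrives without a signature."""
    try:
        payload = json.loads(raw_body)
    except ValueError:
        return False
    if not isinstance(payload, dict) or not signature_header:
        return False
    expected = sign(payload, secret)
    # compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(expected, signature_header.lower())


def demo() -> tuple:
    """Genuine notification, tampered amount, and wrong secret."""
    body = canonical_body(SAMPLE_PAYLOAD)
    sig = sign(SAMPLE_PAYLOAD, IPN_SECRET)
    genuine = verify_webhook(body, sig, IPN_SECRET)
    # Amount altered after signing: the old signature no longer matches.
    tampered = dict(SAMPLE_PAYLOAD, price_amount=2500.5)
    forged = verify_webhook(canonical_body(tampered), sig, IPN_SECRET)
    # A different secret (another merchant's, say) also fails.
    wrong_key = verify_webhook(body, sig, "some-other-secret")
    return genuine, forged, wrong_key
```

Only a request whose recomputed digest matches is treated as a payment event; the raw body must be hashed as received, before any framework re-serialises it.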
Active risk engine
- Per-user, per-asset and per-round limits (admin-configurable)
- Anomalous-behavior detection (extreme martingale, etc.)
- Automatic real-balance lock after terms-of-use violations
- Real-time monitoring of house exposure
Found something suspicious or have a security question? security@bitvyl.com
