Security is a first principle, not a feature

Security at Valta

Valta handles real money. That means security isn't something we add at the end — it's built into every layer, from how we store your credentials to how we process on-chain transactions.

How We Protect Your Account

All data in transit is encrypted with TLS 1.3. No exceptions.
Passwords are hashed with bcrypt — we never store plaintext credentials, and we cannot retrieve them.
Two-factor authentication (TOTP via Google Authenticator, Authy, etc.) is available for all accounts and strongly recommended.
Sessions are cryptographically signed and expire automatically. Session tokens cannot be mass-compromised from our database.
Email verification is required at signup. Phone verification provides a second layer of identity confirmation.
Account freezing can be triggered instantly for suspicious activity, with immediate notification to the account holder.

How We Protect Your Funds

USDC balances are recorded individually per user — we don't pool funds in a way that creates cross-user exposure.
On-chain deposits are only credited after blockchain confirmation. Unconfirmed transactions are never credited.
Wallet-to-wallet transfers require an authenticated session. Transfers to external addresses undergo additional review.
All balance mutations (credits, debits, adjustments) are logged with timestamps, admin email attribution, and reason codes in an immutable audit trail.
Valta is in beta. While we apply production-grade security standards, beta software carries inherent risk. We recommend keeping only operational funds in your Valta wallet during beta.

Infrastructure Security

Database: Supabase (PostgreSQL) with row-level security, AES-256 encryption at rest, hosted in the EU.
Hosting: Vercel with automatic HTTPS and DDoS mitigation via Cloudflare at the network edge.
Secrets: API keys and credentials are stored as environment variables — never in source code or API responses.
Admin access: Our internal admin console is email-allowlisted, role-gated, and every admin action is logged with full audit trails.
Third-party AI APIs: Prompts are sent over HTTPS via official SDKs. We do not cache AI responses containing personal data.

Responsible Disclosure

Found a vulnerability? Please tell us privately before going public. We take all reports seriously and respond fast.

1. Email us
Send details to security@valta.co. Include a description of the vulnerability, steps to reproduce, and your assessment of impact. PGP encryption available on request.

2. We acknowledge within 48 hours
You'll get a reply from a real person. We'll assign a severity rating and share our remediation timeline.

3. We patch and verify
We fix the issue, test it, and confirm with you before closing the report. Critical issues are patched within 72 hours of confirmation.

4. Public credit (optional)
With your permission, we'll credit you in our changelog when the fix ships. We don't believe in silent patches for security issues.

Please do not:

Access or modify other users' data to demonstrate the vulnerability.
Run automated scanners against our production environment without prior notice.
Publicly disclose the vulnerability before we have released a patch.

What We Will Never Do

We will never ask for your password over email, chat, or any other channel.
We will never ask you to share your 2FA codes or recovery backup codes.
We will never cold-call or text you asking you to move funds urgently.
We will never sell your personal data to advertisers or data brokers.
If you receive any communication claiming to be from Valta and asking for the above, report it immediately to security@valta.co.

Response Commitments

Critical (≤ 72 hours): Remote code execution, mass fund exposure, authentication bypass
High (≤ 7 days): Single-user fund exposure, privilege escalation, data leakage
Medium / Low (≤ 30 days): Information disclosure, UI issues, minor logic flaws

Report a Security Issue

Encrypted or plain email — we handle both. If you need a PGP key, email us first and we'll share one.

security@valta.co

General support: support@valta.co · Account issues: hello@valta.co