Security

Read-Only Security Model

DerivCC is built for market context and account visibility, not execution or custody. This page documents the trust boundary clearly before traders connect anything.

Last updated: May 26, 2026

Permission Boundary

Enabled
  • Read-only account data
  • Public market data
Disabled
  • Trade execution
  • Transfers
  • Withdrawals
  • Account management

API Key Handling

Encrypted at rest

Stored exchange API keys are encrypted with AES-256-GCM before database persistence.

Read-only exchange setup

Bybit, Binance, and OKX integrations are designed for account reads and position context only.

No custody

DerivCC never asks for seed phrases, withdrawal rights, transfer rights, or custody of user funds.

Responsible Disclosure

If you believe you found a security issue, email the project inbox with a concise reproduction path, affected route, and any relevant screenshots. Do not include user secrets or API keys.

adminderivcc@gmail.com

User Responsibilities

Users should create dedicated DerivCC API keys, enable only read permissions, rotate keys periodically, and remove a key from the exchange immediately if they suspect it has been exposed.

Contact

Questions about DerivCC, billing, account data, legal pages, or workspace readiness can be sent to the project support inbox.

adminderivcc@gmail.com