Our security
Keeping your assets safe
Our commitment to you
Your assets are safe with us
1:1 reserves
We maintain a full 1:1 reserve of all your fiat and crypto assets.
We hold the majority of crypto assets in offline cold storage, protected in underground vaults with extensive physical security.
Audited
Our financial records are meticulously maintained, with a debt-free balance sheet. Each year, we enlist external auditors to conduct a comprehensive review of our financial statements, adhering to Australian Accounting Standards. This audit encompasses the verification of all fiat and cryptocurrency holdings held in custody on behalf of our clients.
Segregated funds
Customer funds are never commingled. We maintain strict separation of all client assets, guaranteeing that your funds are available whenever you request a withdrawal.
We’re committed to ensuring the security of your assets. That’s our pledge to you.
Sole custodian
bitcoin.com.au is the sole custodian of all crypto assets held on our platform. Custody is managed in Australia and we do not use any third-party custodians.
We adhere to industry best practices and never lend, trade or reinvest your assets.
Australian owned and operated
AUSTRAC registered crypto exchange
ISO 27001 certified and recognised
Platform security features
Account security
- We provide robust account security measures, including two-factor authentication (2FA) with support for Google Authenticator and optional SMS backup.
- You have the flexibility to change your username and email address at any time.
- For enhanced security, we encourage users not to use their email address as their username.
- Email notifications are sent with each login.
- We offer instant account suspension via an email link in the event of an unauthorised login.
- A duress password option is available for suspending your account.
- Additional security information is requested during login attempts from different IP addresses.
- Cryptocurrency and instant withdrawals are restricted for 72 hours after any changes to account security details.
- SMS notifications are sent for account security detail changes, such as email or password changes.
- We offer cryptocurrency address whitelisting, requiring SMS confirmation for withdrawals to new addresses.
- Browser whitelisting triggers email confirmation for logins from new browsers.
- Our bot shield automatically protects accounts from brute force attacks.
System Security
- We prioritise the security of your personal information by encrypting it both in transit and at rest using physically dispersed keys.
- Uploaded documents, including verification documents and support message attachments, are visibly watermarked and encrypted using physically dispersed keys.
- Uploaded documents can only be accessed by administrators with special permission for KYC verification purposes.
- Support chat text messages are fully encrypted.
- Sensitive data in the database is hashed and signed when written and verified when read, to maintain data integrity.
- Secure connections are enforced when accessing the website or API from any device.
- We operate from top-tier data centres with geographically dispersed disaster recovery backup servers.
- Our system is custom-designed with security as the foremost consideration.
- We have intrusion detection monitoring in place to detect unauthorised system access.
Hot Wallet Security
- Hot wallet private keys are multi-layer encrypted using geographically dispersed keys.
- We continuously monitor and reconcile addresses between system accounts and the blockchain.
- Our system is explicitly designed to never expose hot wallet private keys, even to administrators.
Cold Storage Security
- Over 97% of crypto assets are stored in cold storage.
- Cold storage is distributed across multiple geographically dispersed vaults, each equipped with extensive physical security measures.
- Access to cold storage requires multiple employee approvals and authentication.
- We employ proprietary offline storage solutions with multiple encryption layers and redundancies.
- Multi-signature withdrawals always require more than one person to execute.
- Survivorship procedures are in place to recover cold storage funds in the event of a catastrophic event.
Operational
- Regular penetration testing is carried out on our system to identify vulnerabilities.
- We have a bug bounty program in place to incentivise reporting of security issues.
- Administrators have tiered access levels within the system.
- All actions performed by administrators relating to user accounts or value transfers are audited and require multi-level approvals.
- Regular police checks are conducted on all administrators with system access to maintain trust and security.