Security & Compliance. Built In

Key Pillars
Enterprise Upgrades
Strong protections are built in at every layer, from secure transport to layered authentication, so threats are minimized and your data is protected.
- Traffic encrypted in transit (TLS 1.2+ / AES-256) and at rest; keys managed via Google Cloud KMS.
- Authentication via API keys & JWTs; for Enterprise clients, client certificates / mutual TLS are supported.
- Access restrictions such as IP allowlisting and security-group based controls are available under the Enterprise plan.
- Geo-optimized routing and regional infrastructure help with both performance and resilience.
- Optional Enterprise feature: early request schema validation and API gateway enforcement for stricter control.
Independent verification and alignment with recognized standards give you visibility and assurance.
- Regular third-party audits & penetration testing; findings reviewed by leadership and addressed.
- Alignment with ISO 27001, design for GDPR compliance, and MiCA readiness (where applicable).
- Enterprise clients have access to compliance documentation & process artifacts.
- Security controls mapped to known frameworks (encryption, access control, logging, incident response) for easier verification.
Every data point is traceable; methodologies are transparent; logs are preserved, so what you see is what we stand behind.
- Market data is timestamped with high precision; version history and change logs are preserved via our public changelog.
- Index/benchmark methodologies are fully documented: asset eligibility rules and update policies are published.
- Audit trails for index-related decisions and calculations are logged in a secure, immutable manner.
We’re prepared for what can go wrong, with legal alignment, oversight, and transparent recovery where required.
- CoinAPI maintains alignment with GDPR and applicable privacy / regulatory laws for incident and breach notification.
- In case of a security event or breach, prompt detection is a priority; clients are notified where applicable law requires it.
- Security controls are aligned with SOC 2 and ISO 27001 practices, with third-party audits and reviews; findings are addressed under leadership-level oversight.
- Rate Limiting & Fair Use Controls: CoinAPI enforces request quotas and usage limits per subscription to prevent abuse and ensure availability.
- Secure Authentication Methods: Supports API keys and JWT tokens to authenticate requests securely.
- Encrypted Data Transport: All traffic is required to use HTTPS / TLS to ensure data in transit is protected.
Security at the Core. Speed at the Edge.
Let's talk
We’re ready to address all your questions and concerns. Contact us via your preferred method.
Not sure if our solutions solve your problem? We'd be happy to check it.
Want to learn more about our parent company API Bricks and its other products, such as FinFeedAPI? We will help you find the one that fits.
Looking for a quote on an enterprise plan? Request an estimate today.
