Bitvavo is proud to announce the latest addition to its extensive security measures. As of today, Bitvavo is the first digital asset provider in the Netherlands with an insured cold storage solution. Bitvavo aims to be at the forefront of regulatory compliance, technological innovation and security in the digital asset industry, which is developing at an increasing speed.
About Cold Storage
The data is clear that, today, the most likely client loss scenario for any digital asset company is a loss due to hacking. To address this risk, Bitvavo stores the vast majority of clients' digital assets offline, at secure and insured custodial partners, and these digital assets could only be moved after manual action which is regulated by strict access protocols.
Trusted European custodial partners: Bitvavo integrated the custody solutions of Coinbase Custody International, which is a standonline custodian and currently the most popular custodian in the world having digital assets with an value of EUR 10+ billion under management, and Copper Custody which is offering award winning custody technology for, among others, small-cap digital assets.
Insured up to $255 mil: Our European custodial partners are fully regulated and have their solutions insured for a total of hundreds of millions Euros. Coinbase Custody International for example holds a hot (and cold) wallet policy with a $255 million limit placed by Lloyd’s registered broker Aon and sourced from a global group of A XV/A+ rated insurers which are based in the US and UK, including certain Lloyd’s of London syndicates.
Multisignature: At both custodial partners multisignature wallets are used which require private keys of both the custodial partner and Bitvavo before digital assets could be transferred. This ensures that our custodial partners cannot dispose over the digital assets without the approval of Bitvavo and vice versa.
Duress protocol:All individuals involved at our custodial partners and at Bitvavo have passed a full background check and have provided a certificate of good conduct. Additionally, duress protocols have been set up in case one of the involved individuals would be forced to perform adverse activities.
Additional Security Measures
Besides the custody solution, Bitvavo has taken a wide range of additional security measures to protect the funds (and data) of its clients, including:
External security audits: Code is reviewed by multiple different specialized IT security firms. In addition to this, penetration tests are executed to try to breach our systems. On each major code change, this process is repeated to maintain the resilience and level of security of the Bitvavo systems.
Certified data centers: Bitvavo uses data centers compliant with the following certifications: ISO 9001, ISO 27001, ISO 27017, PCI DSS Level 1 and SOC 1 - 3. These standards help Bitvavo to achieve first-class security and compliance in its cloud infrastructure.
Uptime & redundancy: To ensure reliable access, Bitvavo hosts vital services in multiple availability zones with automatic failovers. In case of an outage, these failovers automatically redirect traffic to available services.
Critical data is stored offline: Critical data is stored in bank-grade vaults with 24/7 monitoring, distributed among a multitude of different geographic locations, to protect against potential destructive physical risks such as fires or environmental disasters. All the vaults meet the strict requirements of safety category 4+. This is the highest security category in the Netherlands.
Advanced monitoring: Bitvavo uses extensive logging for employee access and employs advanced monitoring tools to detect abnormalities and uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats.
Security reward program: Bitvavo acknowledges that any platform can contain security vulnerabilities; there is no such thing as absolute security. Bitvavo has established a reward program for discovering potential exploits and security vulnerabilities.
Organisational measures: All Bitvavo employees have passed a background check and have provided a certificate of good conduct. The Bitvavo team organizes regular internal trainings to raise awareness and educate its members in regards to security-related matters and best practices.
Stichting Bitvavo payments: A foundation, Stichting Bitvavo Payments, has been established, which operates exclusively for Bitvavo and functions as a bankruptcy-remote vehicle for safeguarding user’s funds.
Protect your Funds
Besides the regular security features such as device confirmation, failed login notifications and user log insights, Bitvavo offers various additional options in order to enhance the security of your Bitvavo account. Bitvavo suggests the following steps, to protect your funds and data:
Use a unique and complex password: As a general rule you should create various strong passwords for each service you use on the internet. A strong password consists of at least 8 characters, including uppercase and lowercase letters and symbols. You should not use dictionary words. We recommend using a completely random password because this is practically impossible to guess.
Set-up an anti-phishing code: Phishing is the fraudulent attempt to obtain sensitive information, such as username and password, by impersonating Bitvavo or its employees. In order to reduce phishing risk, we recommend setting an anti-phishing code. After having your anti-phishing code set, your anti-phishing code will be included in every Bitvavo email you receive.
Enable Two-Factor Authentication: Two-factor authentication, also known as 2-steps verification, is a security layer in addition to your username and password. With two-factor authentication enabled on your account, you will have to provide your password (first factor, something you know) and your two-factor authentication code (second factor, something you have physical access to) when signing in to your account. Two-factor authentication codes are associated with a specific device, such as your mobile phone.
Whitelist wallet addresses: The withdrawal address whitelist is another security feature offered by Bitvavo. If the withdrawal whitelist function is not enabled, your account is able to make withdrawals to any address. When this feature is enabled, your account will only be able to make withdrawals to the addresses that are whitelisted.
Use a hardware wallet: One of the main benefits of digital assets is that you do not need to trust third parties like banks or exchanges, such as Bitvavo. We always recommend storing your digital assets on your own hardware wallet. This ensures that you have full control over your own digital assets, without interference from third parties or malicious actors.
Limit access to API keys: When setting up API credentials, please make sure that access is only enabled for the required features. It is strongly recommended to make use of the IP whitelist for API credentials, to add an additional layer of security to the API access for your account.
It is important to implement these security features as the Bitvavo cold storage solution does not cover any losses resulting from unauthorized access to your Bitvavo account. It is your responsibility to use a strong password and maintain control of all login credentials you use to access your Bitvavo account.
Please contact [email protected] for more information about the cold storage solution, Bitvavo’s security features or measures you could to protect your account.
