How Vaulta protects you
This page is maintained by the Vaulta team to answer common security and privacy questions about the app. It is editable project content, not an independent certification or audit report.
Accounts are protected with email + password sign-in, with Google sign-in available. Sessions use short-lived tokens managed by our authentication provider.
Admin actions are restricted to accounts listed in a separate role table, and that role is verified on the server for every request.
Withdrawals require KYC approval. Submitted IDs and selfies are stored in a private bucket — they are never publicly accessible and are only readable by the submitter and verified admin reviewers.
Each withdrawal requires a one-time code delivered to the account email. Codes expire, have a limited number of attempts, and are verified server-side only — they are not exposed to the browser.
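One way a server-side check with the properties described above (expiry, an attempt limit, and a code the browser never receives) can be structured. This is an added illustration, not Vaulta's code; the class and function names, the 6-digit format, the 10-minute lifetime and the 5-attempt limit are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 600  # assumed lifetime; the page gives no figure
MAX_ATTEMPTS = 5        # assumed attempt limit; the page gives no figure


@dataclass
class Challenge:
    digest: bytes        # keyed hash of the code; the code itself is not stored
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS
    used: bool = False


class WithdrawalCodes:
    """In-memory stand-in for a server-side table keyed by withdrawal id."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._key = secrets.token_bytes(32)  # server-only secret
        self._store = {}

    def _digest(self, withdrawal_id, code):
        msg = f"{withdrawal_id}:{code}".encode()
        return hmac.new(self._key, msg, "sha256").digest()

    def issue(self, withdrawal_id):
        """Create a 6-digit code. The return value goes to the mailer only."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._store[withdrawal_id] = Challenge(
            self._digest(withdrawal_id, code),
            self._clock() + CODE_TTL_SECONDS)
        return code

    def verify(self, withdrawal_id, submitted):
        ch = self._store.get(withdrawal_id)
        if ch is None or ch.used:
            return "invalid"
        if self._clock() >= ch.expires_at:
            return "expired"
        if ch.attempts_left <= 0:
            return "locked"
        ch.attempts_left -= 1  # charge the attempt before comparing
        if hmac.compare_digest(ch.digest, self._digest(withdrawal_id, submitted)):
            ch.used = True     # single use: a replay is rejected
            return "ok"
        return "locked" if ch.attempts_left == 0 else "invalid"
```

The attempt counter is decremented before the comparison, so a request that fails partway through still costs a guess, and a correct code submitted after lockout is refused.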
All withdrawal requests are reviewed before any on-chain broadcast. Users must also have an active fixed-term stake before their first withdrawal.
User data is stored in a managed Postgres database with row-level security. Each row is scoped to its owner, so users can only read and modify their own records.
Sensitive server operations (balance adjustments, deposit confirmations, role grants) run through audited server-side functions that require an admin role.
Account data consists of your email address, display name, optional KYC documents (when you submit them), deposit/withdrawal records, and the in-app activity required to operate your account.
We do not sell personal data. You can unsubscribe from marketing emails from any email we send.
Vaulta secures the application, database, and admin tooling. You are responsible for keeping your email and password safe, choosing a strong password, and treating recovery emails as sensitive.
Vaulta is not a bank, broker, exchange, or licensed financial institution. Crypto deposits are uninsured and you can lose your funds.
If you believe you have found a security vulnerability, please contact the Vaulta team through the in-app support chat and ask for a security-issue escalation. Avoid sharing exploit details over public channels.
This page describes current product behavior and is not a contract, warranty, or certification of compliance with any specific standard.