Security
Security is foundational to everything we build at Cedar. Here's how we protect your data, keys, and assets.
MPC Wallet Security
Cedar uses Multi-Party Computation (MPC) for wallet key management. Private keys are split into multiple shares distributed across secure enclaves. No single party — including Cedar — ever has access to the complete key. Transactions require threshold signatures from multiple shares.
Encryption
All data is encrypted in transit using TLS 1.3 and at rest using AES-256. API keys are hashed with bcrypt before storage — we never store plaintext keys. Session tokens use signed JWTs with short expiration windows.
Authentication
Cedar supports multiple authentication methods, including email/password, Google OAuth, GitHub OAuth, and crypto wallet signatures. All authentication flows are powered by Privy's enterprise-grade identity infrastructure.
Infrastructure
Our infrastructure runs on isolated, hardened cloud environments with network segmentation, intrusion detection, and automated patching. Database access is restricted to application-level service accounts with least-privilege permissions.
Monitoring & Audit
All API calls, authentication events, and administrative actions are logged and monitored in real time. Anomaly detection systems flag suspicious patterns such as unusual trading volumes, geographic anomalies, or rapid key rotation.
Trading Guardrails
Cedar provides configurable risk controls for autonomous agents: per-trade size limits, daily volume caps, allowed asset whitelists, and circuit breakers that halt trading when anomalies are detected. These guardrails prevent catastrophic errors from runaway agents.
Responsible Disclosure
We take security vulnerabilities seriously. If you discover a potential security issue, please report it responsibly:
- Email us at [email protected]
- Include a detailed description of the vulnerability and steps to reproduce
- Allow us reasonable time to address the issue before public disclosure
- Do not access or modify other users' data during testing
We appreciate responsible disclosure and will acknowledge valid reports. We do not pursue legal action against researchers who follow these guidelines.