Security & privacy

Your crypto history is sensitive. Coinfig is built so that connecting your accounts is safe by design — read-only, encrypted, and POPIA-aligned.

Read-only access only

Coinfig asks for read-only exchange API keys. We can see your transaction history to build your report — we can never trade, withdraw or move your funds.

Encrypted at rest

API keys and other secrets are encrypted with AES-256-GCM, using keys derived via PBKDF2-SHA512. Credentials are never stored in plain text.

Modern authentication

Sign-in is handled by a dedicated authentication provider with support for single sign-on, so your access is protected by industry-standard controls.

Your data stays yours

We do not sell your personal information. Access and consent events are logged for accountability, in line with South Africa’s POPIA.

Hardened by default

Requests are rate-limited, traffic is served over HTTPS behind a global CDN, and the application uses standard security headers and parameterised database queries.

Least data, least risk

We collect only what we need to calculate your tax — your transactions and the accounts you choose to connect. Billing is handled by our payment provider; we do not store full card details.

Have a security question or want to report an issue? Email support@coinfig.tax and read how we handle personal information in our privacy policy.