How secure is Origami Tech? Is it safe to use?

Introduction
Origami Tech helps you trade cryptocurrencies smarter and safer, using bots created on our platform without the need to code.
Bots you deploy via the Origami Tech app are able to trade crypto using your personal exchange accounts. When you connect them to our platform, we make it our priority to keep your data and funds secure at all times.
While we will not reveal every layer of our infrastructure for security reasons, here’s a clear look at how Origami Tech protects you, from login through to API access.
API Keys
- User-controlled permissions
The Origami Tech platform only requires read and trade access for your API keys. We never ask for — and strongly recommend disabling — crypto withdrawal permissions.
- Encrypted API storage with ChaCha20-Poly1305
Your API keys are protected using ChaCha20-Poly1305, a modern authenticated encryption algorithm known for both speed and security.
When a key is added to Origami Tech, it is:
- Encrypted using a secret and unique service;
- Combined with a randomly generated 32-byte string, which is stored separately;
- Split into two parts, each stored in an isolated service.
This architecture ensures that no single system has enough information to reconstruct the full key — adding a powerful structural layer of protection beyond the encryption itself.
- IP address whitelisting support
If your crypto exchange allows it (e.g., OKX), we support the use of static IP address whitelisting — meaning API keys will only respond to requests coming from Origami’s secure IP, providing additional protection.
- What Origami Tech Cannot Do
Even in the extremely unlikely event of a compromised user account, Origami Tech cannot execute withdrawals of cryptocurrencies — not only because the necessary API permissions are disabled, but because withdrawal logic is not implemented at the code level. This architectural decision ensures that even internal actors cannot bypass platform safeguards.
System & Server Security
- Advanced encryption protocols
Origami Tech uses industry-standard TLS (HTTPS and WSS) protocols for all communications with your browser and crypto exchanges. This ensures all transmitted data is encrypted in transit.
- Platform-wide ChaCha20-Poly1305 encryption
Beyond API key storage, Origami Tech uses ChaCha20 with Poly1305 across all sensitive platform data — including internal tokens, credentials and config secrets. This ensures robust protection for any data stored "at rest."
- Distributed key storage architecture
Instead of storing secrets in a single system, Origami Tech uses a split-storage model. Each piece of encrypted data is divided and distributed between separate internal services. Only the infrastructure layer — not developers or general staff — has access to the parts necessary to serve the encrypted material securely.
- Restricted access to execution environment
All Origami Tech services operate in an isolated environment. Access to critical components is limited and granted only to authorized members of the infrastructure team.
Account Access Protection
- Authentication from trusted devices
We encourage the use of Google Single Sign-On (SSO) for secure login and offer optional 2FA via authenticator apps. This ensures that only verified users can access their accounts.
- Failed login protection
We limit the number of login attempts:
— Max 3 attempts per minute
— Max 10 per hour
These limits help prevent brute-force attacks on user credentials.
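The two limits above can be enforced together with a sliding-window counter. The following is an added example, not Origami Tech's code; keying the limiter on the account name, passing the clock in as `now`, and not counting rejected attempts are all assumptions made for the sketch.

```python
from collections import defaultdict, deque

# Limits stated on the page: 3 attempts per minute, 10 per hour.
LIMITS = ((60, 3), (3600, 10))  # (window in seconds, max attempts)


class LoginThrottle:
    """Sliding-window limiter; `key` is an assumed identifier (account name)."""

    def __init__(self, limits=LIMITS):
        self.limits = limits
        self.horizon = max(window for window, _ in limits)
        self.attempts = defaultdict(deque)  # key -> timestamps of accepted attempts

    def allow(self, key, now):
        """Return (allowed, retry_after_seconds) for an attempt at time `now`."""
        q = self.attempts[key]
        while q and now - q[0] >= self.horizon:  # forget anything past the longest window
            q.popleft()
        retry_after = 0
        for window, limit in self.limits:
            recent = [t for t in q if now - t < window]
            if len(recent) >= limit:
                # Blocked until enough old attempts age out of this window.
                unblock_at = recent[len(recent) - limit] + window
                retry_after = max(retry_after, unblock_at - now)
        if retry_after:
            return False, retry_after  # rejected attempts are not counted again
        q.append(now)
        return True, 0


def simulate(times, key="alice@example.com"):
    """Replay constructed attempt times (seconds) against a fresh throttle."""
    throttle = LoginThrottle()
    return [throttle.allow(key, t) for t in times]


if __name__ == "__main__":
    # Constructed sample: one attempt every 20 seconds for an hour.
    results = simulate(range(0, 3600, 20))
    print(sum(ok for ok, _ in results), "of", len(results), "attempts allowed")
    print("first rejection:", next(r for r in results if not r[0]))
```

A limiter keyed only on the account can be used to lock a known user out, so deployments commonly apply the same windows per source IP address as well.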
- Support for complex passwords
Origami Tech enforces a strong password policy. Passwords must include uppercase letters, digits and special characters, and must reach a minimum complexity threshold.
- Two-Factor Authentication (2FA)
2FA is available for all users and can be enabled in your account settings. We highly recommend turning it on to add an additional layer of protection.
Employee Access & Internal Policy
- Role-based access control
Access to sensitive components of the infrastructure is restricted to a limited number of internal staff. Developers do not have access to API data or user credentials.
- Isolated infrastructure
Origami’s internal environment is segmented behind a private network and external VPN.
- No third-party data transmission
Origami Tech does not share user data or automated crypto trading strategies with any external parties. Your information stays private and encrypted at all times.
- Data removal & strategy confidentiality
Origami Tech does not access your custom strategies or formulas, unless you explicitly choose to share them (e.g., by publishing a preset). Strategies remain private by default, and even administrative users cannot view or access them. When a project is deleted, its strategies are disconnected from all interfaces and eventually purged. Until then, they remain inaccessible and isolated.
Stay Safe: 3 Essential Tips
You can also follow these 3 essential tips to stay secure while automating your digital asset trading:
1. Create Sub-accounts
Isolate your trading activity from your main crypto exchange account. Sub-accounts let you manage multiple trading strategies while keeping your core assets separate.
2. Limit API Key Permissions
Your API key should only have access to trading and balance viewing. Never enable withdrawal access.
3. Diversify Across Crypto Exchanges
Don’t keep all your funds on one exchange. Origami Tech supports multiple platforms — take advantage of this to reduce systemic risk.
Need help?
Have a question or need assistance?
Origami Tech offers live chat support via Telegram, where you can get help directly from our team.
In the near future, we’re also planning to launch the option to book 1:1 video call consultations.
For now, feel free to message us on Telegram — we’re happy to assist with setup, API keys, strategies or anything else you need.


