Security

Honest about what we do.

A summary of the technical and operational controls that protect your data on CCtoUSDT. We don't claim certifications we don't hold.

Technical controls

  • All traffic served over HTTPS with modern TLS; HSTS is enabled on the production domain.
  • Front-end and edge layer delivered via Cloudflare, with DDoS protection and Web Application Firewall rules at the perimeter.
  • Application backend and database run on a managed Postgres service with encryption at rest provided by the cloud vendor.
  • Sensitive credentials (API keys, signing secrets, third-party tokens) are stored as encrypted secrets and are not present in the client bundle.
  • User passwords are never stored in plain text; password authentication uses the managed auth provider's bcrypt-based hashing.
  • We do not store card numbers, CVV or full PAN data on our servers. Card collection is delegated to the upstream payment processor.
  • Database access is scoped via row-level security policies; administrative access is restricted and audited.
  • Deployments are immutable and versioned; rollback is possible at any time.

What we are honest about

We do not currently hold SOC 2, ISO 27001 or PCI-DSS Level 1 certifications. If these are required for a counterparty engagement, contact us and we will outline a realistic timeline.

We do not hold insurance from Lloyd's of London or any other underwriter against customer crypto losses. Because USDT is delivered directly to a wallet address you control, there is no on-platform crypto balance for us to insure.

We do not guarantee that any system is impenetrable. No platform should make that claim. We commit instead to clear disclosure, prompt incident response and a working channel for security researchers.

Account security guidance

  • Verify the destination wallet address before confirming a transaction: blockchain transfers are irreversible.
  • Use a wallet you fully control. We will never ask you for your seed phrase or private key.
  • Beware of impersonation: our staff communicate only from @cctousdt.com email addresses and the in-product live chat.
  • If something looks wrong, contact support before sending funds. We would rather you ask than lose money.

Reporting a vulnerability

We welcome coordinated disclosure. Email security@cctousdt.com with a clear reproduction. We aim to acknowledge reports within two business days. We do not currently run a paid bug-bounty program; we will credit researchers (with permission) for verified findings.
