Security Policy

SwapSS is committed to protecting the security of our platform and the funds of everyone who uses it. This page describes our security posture, how we handle incidents, and where to direct security concerns.

Coverage scope

This policy covers the SwapSS exchange platform, the Swap Pay merchant product, and all production infrastructure accessible via swapss.lol. It applies to API endpoints, the web frontend, the Telegram bot, and on-chain transaction dispatch.

Responsible disclosure

If you discover a security issue, please report it through our responsible disclosure programme rather than disclosing it publicly. We follow a 90-day coordinated disclosure model.

Read the full disclosure policy →

Data handling

We collect only data necessary to process your exchange or payment. We do not sell user data. Sensitive fields are encrypted at rest. Logs containing personally identifying information are retained on a rolling schedule and pruned automatically.

Incident response

We aim to acknowledge security reports within 2 business days and to provide a status update within 7 business days. Critical vulnerabilities that affect live funds are treated as P0 incidents and escalated immediately.

Security contact

For security issues, email security@swapss.lol. For sensitive disclosures, encrypt your message with our PGP key linked on the disclosure page.