Security
polypin is built non-custodial by design: we never hold user funds, never see private keys, and collect only the data we need to run the service. The sections below explain how that holds up in practice.
Authentication
- Sign-In with Ethereum (SIWE, EIP-4361). You authenticate by signing a one-time message with your wallet - the message carries a fresh nonce and is bound to the polypin domain, so it can't be replayed or reused on another site. No passwords, no email, no SMS.
- Short-lived sessions. A session is bound to the wallet address that signed in and expires after a short window. All session traffic is served over HTTPS only.
- No password resets to phish. There is no recovery flow to attack: lose access to your wallet and you lose access to polypin - the same trust model as any non-custodial product.
Funds + trades
- Non-custodial. Trades route from your wallet directly to Polymarket via their on-chain contracts. polypin never custodies or transfers your funds.
- Builder fees on the Free tier are paid as part of the Polymarket transaction itself - polypin never holds them.
- Read-only by default. The sign-in signature is a signed message, not a transaction: it grants polypin no token approvals or spending permission. Every trade is a separate transaction you explicitly sign in your wallet, and polypin can't move funds without that signature.
Data handling
- All traffic - app, API, marketing site - is served over HTTPS only, with HSTS enabled.
- Stored data is encrypted at rest. Backups are encrypted with separately-managed keys.
- Secrets are isolated from application code and rotated on a regular cadence.
- We collect the minimum we need to run the service and keep operational logs only as long as we need them for debugging.
Responsible disclosure
If you find a vulnerability, please email contact@polypin.gg with the subject prefix [SECURITY]. We'll acknowledge within 48 hours.
- Don't publish details until we've had a chance to patch.
- Don't attempt to exfiltrate user data or disrupt the service.
- We don't currently run a paid bounty programme; we'll credit reporters in release notes (or stay anonymous, your call).
What's in scope
- polypin.gg (this site) and app.polypin.gg (the terminal).
- The polypin REST + WebSocket API.
Out of scope: Polymarket's own contracts, Pinnacle's APIs, your wallet provider, and other third-party services we depend on.