
How ShapeShift is Keeping Your Data Safe
By Michael Perklin, Chief Security Officer at ShapeShift
ShapeShift Membership offers a variety of exciting, exclusive benefits. However, membership requires the verification of basic customer information.
This changed the way ShapeShift that handles data. Now that we have to collect and store your information, we still need to do everything possible to keep it safe.
To inform our design decisions, we asked the question — “What can hackers do if they break into our systems?” In the interest of transparency, here’s how we’re handling your data with ShapeShift Membership.
- The Membership Platform collects your information and immediately encrypts it with a 4096-bit RSA key using the widely-used open-source GPG software.
- This encrypted data is stored in our database and — in most cases — never used again. Once it’s collected, we don’t need to reference it for any business reason.
- If you run into a problem and contact customer support — for example, for help — they don’t see your name or details by default, allowing them to focus on your problem rather than your identity.
There are only a few cases we need to use your identity information
- If you lose both your password and 2FA, and you’re trying to get back into your account, our staff will need to know your name and other info to compare it with what you’ve given them.
- In this case, our customer support agents will download your encrypted data to their machine and use a cold storage device containing the private key to decrypt your info. This is managed on a case-by-case basis, preventing wholesale access to customer information by an employee at the company.
- The other example would be if we are legally compelled to do so by a valid subpoena or similar document.
Because ShapeShift’s servers never have the decryption key to the personal information (it’s held in cold storage), if an attacker breaches the servers and copies the entire database, they won’t be able to see or access your information. If one of our cold storage devices is lost or stolen, it is configured to wipe itself under certain circumstances.
In this way, we’ve followed best practices in the storage of your data.
Originally published at https://info.shapeshift.io on September 4, 2018.

