Operational security

MakeBanc issues trade-only API credentials for your SMA. Keeping them secure is your responsibility. What follows is practical, industry-standard guidance; MakeBanc does not monitor or enforce it.

Why it matters:

The SMA holds investor assets. Your API access is trade-only: an attacker with your credentials can't move assets (custody prevents that), but they could place trades that lose money. Good credential hygiene makes that unlikely and, if it does happen, quick to detect and contain.

Good practice:

  • Secrets management. Store API keys in a secrets manager (AWS Secrets Manager, HashiCorp Vault, 1Password Business, Doppler, etc.) with at-rest encryption, and have your trading code fetch the key from there at runtime. No plaintext credentials in repos, config files, shared drives, chat, or CI logs.
  • Access control. Restrict access to named personnel with a documented need, so every use of a credential is attributable to one person. No shared or generic accounts.
  • Least privilege. Give monitor-only personnel read-only access. Issue trading credentials only to the people who actually place trades, and only for the access they need.
  • Departure remediation. When someone with credential access leaves, rotate every credential they could have seen, promptly and ideally on their last day; treat an acrimonious departure as a suspected compromise. New credentials are issued by the platform on request.

Most professional trading firms already work this way. If you don't, adopt a secrets manager before going live.
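One way to enforce the "no plaintext credentials in repos or config files" rule above is a scanner run as a pre-commit hook. The following is an added example written for this page, not MakeBanc's tooling: it flags an assignment whose name looks like a credential and whose value is a literal rather than a reference to an environment variable or a secrets manager, and it still catches a credential that was merely commented out. The secret-name list, the entropy thresholds and the sample settings file (including the mb_live_... key) are constructed assumptions; MakeBanc's real credential format is not known here.

```python
"""Pre-commit check for plaintext credentials in source and config files.

Added example, not MakeBanc's code. Heuristic: a secret-looking variable name
assigned a literal value. Everything about the credential format is assumed.
"""
import math
import re
import sys
from collections import Counter
from typing import Iterable, List, NamedTuple

# Variable names that usually hold a credential (assumed list; extend it).
SECRET_NAME = re.compile(
    r"api[_-]?key|api[_-]?secret|secret|token|passw(or)?d|private[_-]?key", re.I
)
# name = value, name: value, export NAME=value; quotes optional. The optional
# leading comment marker means a commented-out credential is still caught.
ASSIGNMENT = re.compile(
    r"""^\s*(?:#|//)?\s*(?:export\s+)?(?P<name>[A-Za-z_][\w.-]*)\s*[:=]\s*["']?(?P<value>[^"'\s#]+)"""
)
# Values that are references to a secret store, not the secret itself.
REFERENCE = re.compile(
    r"^(?:\$\{?[A-Za-z_]\w*\}?"   # $VAR or ${VAR}: resolved from the environment
    r"|os\.(?:environ|getenv)"     # Python environment lookup
    r"|[A-Za-z_][\w.]*\("          # a function call such as get_secret(
    r"|op://"                      # 1Password secret reference
    r"|arn:aws:"                   # AWS ARN, e.g. a Secrets Manager secret
    r"|<[^>]*>?$|\{\{)"            # <placeholder> or {{ template }}
)


class Finding(NamedTuple):
    lineno: int
    name: str
    confidence: str   # "high": long, high-entropy literal; "low": any other literal
    preview: str      # redacted, so the hook's own output does not leak the secret


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score well above ordinary words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    return value[:4] + "*" * (len(value) - 4)


def scan_lines(lines: Iterable[str], min_len: int = 16, min_entropy: float = 3.0) -> List[Finding]:
    """Return one Finding per line that assigns a literal to a secret-like name."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = ASSIGNMENT.match(line)
        if not m or not SECRET_NAME.search(m["name"]):
            continue
        value = m["value"]
        if REFERENCE.match(value):
            continue   # fetched from the environment or a secrets manager at runtime
        high = len(value) >= min_len and shannon_entropy(value) >= min_entropy
        findings.append(Finding(lineno, m["name"], "high" if high else "low", redact(value)))
    return findings


# Constructed sample: a settings file as it might look before review.
SAMPLE_CONFIG = """\
TIMEOUT_SECONDS = 30
MAKEBANC_API_KEY = os.environ["MAKEBANC_API_KEY"]
MAKEBANC_API_KEY = "mb_live_7f3a9c1e4b2d8e6f0a5c3b9d1e7f2a4c"
# MAKEBANC_API_KEY = "mb_live_0c4e2a8f6b1d3e9a7c5f0b2d4e6a8c1f"
MAKEBANC_API_SECRET=op://Trading/MakeBanc/credential
DB_PASSWORD="${DB_PASSWORD}"
db_password: hunter2
""".splitlines()


def main(paths: List[str]) -> int:
    """Pre-commit entry point: block the commit (exit 1) on any high-confidence hit."""
    block = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for f in scan_lines(fh):
                print(f"{path}:{f.lineno}: {f.name} = {f.preview} ({f.confidence} confidence)")
                block |= f.confidence == "high"
    return block


if __name__ == "__main__":
    if len(sys.argv) == 1:   # no paths given: run over the constructed sample
        for f in scan_lines(SAMPLE_CONFIG):
            print(f"sample:{f.lineno}: {f.name} = {f.preview} ({f.confidence} confidence)")
    else:
        sys.exit(main(sys.argv[1:]))
```

Run over the sample it flags line 3 (the live key), line 4 (the same kind of key, commented out, which is still in the repository history) and line 7 (a short password, reported at low confidence because short literals defeat the entropy test), while the environment, op:// and ${VAR} references pass. Keyword matching over-matches names such as TOKENIZER; tune the list to your codebase rather than loosening the check.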

If credentials are compromised:

If you suspect compromise (an unusual login, an unexplained trade, a key that turned up in a repository or chat, an acrimonious departure), contact the platform immediately via the security channel provided at onboarding, not general support. Do not wait until you have confirmed the compromise.

We revoke the affected API access, and new credentials are issued through a secure channel once the situation is contained. Because the access is trade-only, custody is never at risk; the exposure is limited to trades placed before revocation.

Why we're blunt about this:

Operational security is the most boring part of running a trading strategy and the most consequential. A great strategy with bad opsec gets compromised. A mediocre strategy with great opsec keeps operating. These practices are what professional firms do anyway.