Security is the product.
SCMon watches wallets for a living, so we hold ourselves to the standard our users expect. Here's exactly how the service is built to protect you.
Non-custodial and watch-only
We never ask for, store, or have any way to use your private keys, seed phrases or signatures. SCMon reads public on-chain data and matches it against the addresses you ask us to watch. We cannot move your funds — there is nothing to steal.
No open inbound ports
Our origin servers accept zero direct connections from the internet. All traffic arrives through Cloudflare, and our infrastructure only trusts that path. There is no public database, no exposed admin panel, and no SSH open to the world.
Locked-down API access
- Per-key IP allowlisting — every API key only works from the IP addresses you whitelist, so a leaked key is useless from anywhere else.
- Scoped API keys — keys are hashed at rest; we never store them in plaintext and can't show them to you twice.
- Rate limiting — abusive traffic is throttled at the edge before it reaches the app.
Isolated webhook delivery
Outbound webhook calls leave through a dedicated, isolated egress path with a stable address you can allowlist on your side. Payloads are signed so you can verify they genuinely came from SCMon, and delivery is constrained to prevent your callbacks from being abused to reach internal systems.
Tenant isolation
Each account's data is isolated at the database level using row-level security, so one tenant can never read another's watches, alerts or balance — even in the event of an application bug.
Encryption and integrity
- All traffic is encrypted in transit (TLS).
- Sensitive data is encrypted at rest.
- The billing ledger is append-only and hash-chained, so credit history can't be silently altered.
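
The hash-chained ledger item above, as an added illustration that is not SCMon's code or ledger format: a minimal chain that assumes SHA-256 over the previous hash plus canonical JSON. The entries, field names and function names are constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash value for the very first entry


def entry_hash(prev_hash, body):
    """SHA-256 over the previous hash plus a canonical JSON encoding of the body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append(ledger, body):
    """Append-only write: each entry commits to the hash of the one before it."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"body": body, "prev_hash": prev, "hash": entry_hash(prev, body)})


def verify(ledger):
    """Return the index of the first entry that breaks the chain, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        if entry["prev_hash"] != prev or entry["hash"] != entry_hash(prev, entry["body"]):
            return i
        prev = entry["hash"]
    return None


def build_sample():
    """Constructed sample ledger (hypothetical account and amounts)."""
    ledger = []
    append(ledger, {"account": "acct_demo", "delta": 1000, "reason": "top-up"})
    append(ledger, {"account": "acct_demo", "delta": -25, "reason": "alerts"})
    append(ledger, {"account": "acct_demo", "delta": -40, "reason": "webhooks"})
    return ledger


def tamper_in_place(ledger, index, new_delta):
    """Change an amount but leave the stored hashes alone."""
    ledger[index]["body"]["delta"] = new_delta


def tamper_and_rehash(ledger, index, new_delta):
    """Change an amount and recompute that entry's own hash only."""
    entry = ledger[index]
    entry["body"]["delta"] = new_delta
    entry["hash"] = entry_hash(entry["prev_hash"], entry["body"])


if __name__ == "__main__":
    ledger = build_sample()
    tamper_and_rehash(ledger, 1, -5)
    print("first broken entry:", verify(ledger))
```

A chain like this detects edits only relative to a head hash kept somewhere the editor cannot rewrite: dropping the last entry, or recomputing every later hash, still passes `verify()` on its own.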
Responsible disclosure
Found something? We want to hear from you. Email security@scmon.io and we'll work with you to fix it quickly.