Self-hosted is not a marketing word for us, it is the architecture. This page documents what we touch, what we do not touch, what is audited, and how to report a vulnerability.
| Item | Where it is stored | Sent to us? |
|---|---|---|
| Exchange API key + secret | user-data/.env on your disk | Never |
| Anthropic API key | user-data/.env on your disk | Never |
| SKALE wallet private key | user-data/.env on your disk (only if you enable it) | Never |
| Trade history | data/memory/{agent_id}.db (SQLite, local) | Never |
| Beliefs (LLM-derived rules) | data/beliefs/{agent_id}.json | Never |
| License key hash | user-data/license.key | Hash only, with machine id |
| Trade reasoning prompts to Anthropic | Sent directly from your machine to Anthropic | Never to us, only to Anthropic |
Every exchange lets you create API keys with trading enabled but withdrawals disabled. Always do this. Even if your laptop is compromised, an attacker cannot drain your account.
Anthropic supports monthly spend caps. Set one (e.g. $100/mo) so a runaway loop cannot drain your credits. Even when capped, the floor degrades gracefully to pure-quant mode.
If your home IP is stable, whitelist it on the exchange API key. Cuts attack surface dramatically. Skip if your ISP rotates your IP frequently.
FileVault (Mac), BitLocker (Windows), or LUKS (Linux). The .env file holding your keys is plaintext on disk by design (so the floor can read it on boot). Disk encryption prevents extraction if your laptop is stolen.
This is not a privacy promise. It is a structural fact. There is no remote endpoint that ever sees your exchange credentials. The only network call we make from your machine is the license-key hash check, plus version-update polling.
Orders go directly from your machine to your exchange via CCXT. We are not a counterparty. We are not in the order flow path.
No analytics SDK, no third-party trackers, no error reporting service. The dashboard runs entirely on your loopback interface.
Not one satoshi has ever been held by TrAIding Floor. The product is software you run, not a service that holds your money.
The trading-system code base is not yet third-party audited. The SKALE contracts (FLOOR token, AgentRegistry, TradeLedger) will be audited before mainnet deployment; we will publish the audit report and a SHA-256 of the audited bytecode on this page. Until then the on-chain layer is testnet only.
Vulnerability disclosure: open a private GitHub security advisory on the repository. We aim to acknowledge within 24 hours and fix within 7 days. Reports that have not been public-disclosed are eligible for our (small but real) bounty program once we close the issue.
TrAIding Floor © 2026
Trading software, not financial advice. Past performance does not guarantee future results.