Your funds are stored safely on your exchange account, BitSpreader just executes orders on your behalf on the exchange using the API key that you have provided.
BitSpreader never does any transfers of your funds.
For further increase of security we strongly encourage you to not provide any API keys that have privilege to execute transfers - please refer to your exchange API key settings to make sure to reduce the API key privileges just to the most necessary (balance, history, trading).
Your API keys are encrypted and available only in the internal layer of the BitSpreader services safely hidden behind the firewalls and not accessible from the website.
For managing your API keys we follow write-only pattern - once you have provided your API key, the BitSpreader has stored it internally for the trading purposes and doesn't expose it even to you for editing. If you need to update the API key - you need to delete the old key and provide the updated one.
In order to further increase your security we require ALL the users to use two-factor authentication. Every time you sign in to the platform you need to provide security code generated by the two-factor application on your mobile phone - ie Google Authenticator or FreeOTP that needs to be set up during the registration process.