Security

Built like a bank. Audited like one too.

Security is the first product call we make on every feature. This page describes the controls we ship by default, the certifications we hold (and are working toward), and how to report a vulnerability.

The four pillars

Segregated custody

Funds are held in licensed custodian accounts at regulated third parties, not on our balance sheet. Crypto assets are held under a cold/hot wallet split with HSM-backed key custody.

Strong authentication

Passkeys (WebAuthn) preferred. Hardware security keys and TOTP supported. Step-up biometric or hardware-key confirmation required on every withdrawal.

Encryption at every layer

TLS 1.3 in transit, AES-256 at rest, field-level encryption (CSFLE) for PII. KMS-backed keys per jurisdiction for data-residency.

Real-time fraud monitoring

Rules engine plus ML-driven anomaly detection on every login, transaction, withdrawal, and KYC submission. Velocity controls and device-fingerprint analysis throughout.

Standards & certifications

Where we already hold a certification we say so; where we’re in the audit window we say that too. We do not claim compliance with a standard that hasn’t closed.

  • SOC 2 Type II: audit window started Q2 2026
  • ISO 27001: readiness phase
  • PCI-DSS: SAQ-A scope via processor tokenisation (no PAN data on our servers)
  • GDPR / UK GDPR: compliant. Article 27 EU & UK representatives appointed.
  • PIPL: compliant for Mainland China data, with in-region processing.

Responsible disclosure

Bug bounty programme

If you’ve found a vulnerability, report it to security@xiaomicrowdtrading.com with reproduction steps. We acknowledge within 24 hours. We don’t pursue researchers who act in good faith and follow the rules below.

Reward tiers (USD)

  • Critical (RCE, key extraction): up to $25,000
  • High (auth bypass, IDOR on funds): up to $10,000
  • Medium (XSS on app surfaces): up to $2,500
  • Low (info disclosure, minor logic): up to $500

Rules of engagement: do not access or modify other users’ data; do not exfiltrate beyond proof; do not run automated scanners against production; do not extort. Full programme rules sent on first report.
