Security & Privacy

This section is dedicated to explaining how security and privacy are handled on the Sumex platform — both for your connected accounts and personal data.

We believe that trust starts with transparency, and our goal is to ensure that you understand exactly what’s happening under the hood, what is (and isn’t) stored, and how you can stay in full control of your information.

You’ll find answers to frequently asked questions about non-custodial architecture, data access, wallet/API connections, and best practices for keeping your activity safe.

N.B. Ongoing updates

This section will be continuously updated as new security features, integrations, and protections are added to the platform.

Platform Architecture & Custody

Are my funds safe with Sumex?

Sumex is a non-custodial platform, so your funds are never transferred to or controlled by Sumex or any of its products and integrations. User-provided API keys for CEX-based accounts let the user trade directly from Sumex’s interface, but this kind of connection by its very design does not allow funds to be transferred, even if a user’s Sumex account becomes compromised. As for the DeFi wallet, the signature required to bundle a wallet is a one-time TX with read-only access that serves as authentication of address ownership, so it cannot access the funds in that wallet. Moreover, our team will never DM you first or ask you to provide seed phrases, secret keys or other private information that might compromise your security. If you have been approached by someone who claims to be a member of the Sumex team and asks for private information or acts suspiciously, please reach out to us immediately using any of the official contact details.

Is Sumex non-custodial?

Yes — Sumex is 100% non-custodial.

That means you stay in full control of your assets at all times. We never store your private keys, seed phrases, or funds. You simply connect your Web3 wallets or CEX accounts securely to interact with trading, investing, or analytics features — without giving up custody.

What does "non-custodial" mean for a beginner?

In the crypto world, there are two types of platforms:

  • Custodial platforms hold your funds and private keys for you (like traditional banks or centralized exchanges).
  • Non-custodial platforms — like Sumex — simply let you connect your existing wallets or accounts to use tools and features, but your assets remain in your control.

However, with non-custodial wallets you are responsible for keeping your access keys confidential and for retaining access to your funds. If you lose access to your wallet, you won't be able to restore it, as nobody has access to it by design.

When you connect to Sumex, you're using read-only or permission-based access (such as signing a message or using an API key), which allows you to trade, monitor, or interact with protocols — without transferring ownership of your assets.

  • You hold the keys
  • You approve every transaction
  • You can disconnect any time

Your keys, your coins — always.

Does Sumex ever have access to my funds?

No — Sumex never has access to your funds.

Sumex is a non-custodial platform, which means we do not hold, store, or control any of your assets. When you connect a wallet or exchange account, you're simply linking it to access portfolio data, execute trades (if permitted), or interact with external protocols — all while keeping full custody of your funds.

  • For Web3 wallets, all actions are signed by you directly through your wallet. We can’t move or manage funds without your explicit approval.
  • For CEX accounts, Sumex uses API keys you provide — and only with the permissions you allow (read-only or trading). You can revoke or edit these keys anytime directly from your CEX dashboard.

Your assets remain where they are — Sumex just helps you interact with them more efficiently.

Can Sumex initiate or approve transactions on my behalf?

No — Sumex cannot initiate or approve any transactions without your direct consent.

For Web3 wallets, all transactions must be manually approved by you through your wallet (e.g. MetaMask, WalletConnect). Sumex can only suggest or prepare transactions — but nothing is executed unless you confirm it yourself.

For CEX accounts, if you grant trading-enabled API keys, Sumex can help automate or execute trades based on your actions or strategies — but only within the permissions you’ve set. You remain in control and can revoke access at any time.

We do not store private keys or approval rights, and we cannot move your assets, withdraw funds, or sign messages on your behalf. Your wallet, your approval — always.

Wallet & Exchange Connections

How secure is it to connect my Web3 wallet to Sumex?

Connecting your Web3 wallet to Sumex is secure — and fully aligned with industry best practices.

When you connect, Sumex only requests a signature to verify wallet ownership. This signature is non-transactional, meaning it doesn’t grant access to your funds, private keys, or allow any transactions to be made on your behalf.

  • No private keys or seed phrases are ever requested
  • No permissions are granted without your explicit action
  • You stay in full control at all times

Sumex simply reads your public wallet data (balances, tokens, portfolio performance) to power its dashboard and features. You can disconnect your wallet at any time from both the Sumex UI and directly from your wallet interface.

We recommend only using trusted wallet providers (like MetaMask, Rabby, or WalletConnect) and never signing unknown or suspicious requests — whether on Sumex or anywhere else.

What permissions does Sumex request when I connect my wallet?

When connecting your wallet to Sumex, we typically request a basic, non-transactional signature to verify that you are the legitimate owner of the wallet. This is the same type of signature used across major Web3 protocols for login — it’s an industry standard, and does not give Sumex access to your funds or private keys.

This signed message:

  • Confirms you control the wallet you're connecting
  • Does not initiate a blockchain transaction or cost any gas
  • Grants Sumex read-only access for portfolio tracking and feature personalization

Optional: Adding wallets without signing

Through the Connection Manager, you can also manually add wallet addresses without signing a verification message. While we allow this as a fallback (yes, we know), it’s not recommended — because:

  • Some features like real-time portfolio updates or performance analytics may not work. This is done to prevent fake accounts and to give our infrastructure some protection against spam.
  • It leaves the wallet in an “unverified” state, which restricts access to rewards and progression systems. You can check whether all of your Web3 wallets are verified in the DeFi tab of the Connection Manager. If a wallet is not verified, you can prompt a TX to sign directly within the Connection Manager too.

For the best experience — and to prevent spoofed accounts — we strongly recommend authenticating each connected wallet via signature. This method is secure, gasless, and ensures full feature availability across the platform.

TIP

You can disconnect your wallet from Sumex anytime directly via the Connection Manager inside the platform — or through your wallet interface (e.g., in MetaMask under “Connected Sites”).

Your wallet, your control — always.

How does Sumex use my CEX API keys?

When you connect a centralized exchange (CEX) account to Sumex (e.g., Binance, OKX, etc.), you do so using your API key and secret, which are generated from your exchange account.

Sumex uses these API keys to:

  • Read your portfolio data — balances, open positions, order history, etc.
  • Enable trading features (only if trading permissions are granted)
  • Track performance metrics, such as PnL, asset allocation, and trade activity

caution

Sumex does not and will never request withdrawal permissions, and we strongly advise that you leave withdrawal access disabled when generating your API keys. Moreover, should you accidentally enable withdrawals, a corresponding warning will be displayed on that particular CEX's API key within the Connection Manager tab.

tip
  • Your keys are encrypted and used only for the features you choose to activate
  • You can connect API keys with read-only access if you only want to track your CEX portfolio
  • If you enable trading permissions, trades can be executed through Sumex’s UI — but always based on your instructions or configured strategies
  • You can disconnect or revoke your keys anytime via the Connection Manager on Sumex or directly in your exchange account

Sumex only uses your API keys to provide the functionality you've opted into — all in a non-custodial, permission-based way that keeps you in control.
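
The withdrawal warning and the read-only versus trading choice described above amount to a least-privilege check on each key. The sketch below is an added example, not Sumex's code: the normalized flag names (`read`, `trade`, `withdraw`), the function names and the sample keys are assumptions constructed for illustration, and a real integration would first map each exchange's own permission fields onto them.

```python
from dataclasses import dataclass

# Hypothetical normalized flags; every exchange reports permissions under
# its own field names, so a real integration maps them onto these first.
KNOWN_FLAGS = ("read", "trade", "withdraw")
SEVERITY_ORDER = {"critical": 0, "warning": 1, "info": 2}


@dataclass(frozen=True)
class Finding:
    severity: str  # "critical", "warning" or "info"
    message: str


def audit_api_key(permissions, intended_use):
    """Compare reported permissions (flag -> bool) with the intended use
    ("read-only" or "trading"). Returns findings, most severe first; an
    empty list means the key carries only the access that mode needs."""
    if intended_use not in ("read-only", "trading"):
        raise ValueError(f"unknown intended use: {intended_use!r}")
    findings = []

    # Fail closed: a flag that was not reported as a boolean is treated
    # as unverified, never as "disabled".
    for flag in KNOWN_FLAGS:
        if not isinstance(permissions.get(flag), bool):
            findings.append(Finding(
                "warning", f"'{flag}' state unknown; check the exchange dashboard"))

    if permissions.get("withdraw") is True:
        findings.append(Finding(
            "critical", "withdrawals enabled; recreate the key without them"))
    if permissions.get("read") is False:
        findings.append(Finding(
            "warning", "read access disabled; portfolio tracking cannot work"))

    trade = permissions.get("trade")
    if intended_use == "read-only" and trade is True:
        findings.append(Finding(
            "warning", "trading enabled on a key meant for read-only tracking"))
    if intended_use == "trading" and trade is False:
        findings.append(Finding(
            "info", "trading disabled; orders cannot be placed with this key"))

    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


# Constructed sample keys: name -> (reported permissions, intended use).
SAMPLE_KEYS = {
    "tracker": ({"read": True, "trade": False, "withdraw": False}, "read-only"),
    "bot": ({"read": True, "trade": True, "withdraw": True}, "trading"),
    "legacy": ({"read": True, "trade": True}, "read-only"),  # withdraw missing
}


def audit_all(keys):
    return {name: audit_api_key(perms, use) for name, (perms, use) in keys.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_KEYS).items():
        print(name, [(f.severity, f.message) for f in findings] or "OK")
```

The `legacy` key shows the fail-closed case: a withdrawal flag that was never reported is surfaced for manual verification rather than assumed to be off.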

What should I do if I want to disconnect a wallet or exchange account?

You can disconnect any connected wallet or exchange account from Sumex at any time through the platform or directly from your wallet or exchange settings.

For Web3 wallets:

  • Navigate to the Connection Manager in the Portfolio section
  • Locate the wallet you want to remove and click “Remove”
  • You can also disconnect the wallet directly from your wallet provider (e.g., in MetaMask under “Connected Sites”)

For CEX accounts:

  • Open the Connection Manager
  • Select the exchange account you wish to disconnect
  • Click “Remove” to delete the stored API credentials
  • Additionally, you can revoke or delete the API key from your exchange’s settings for complete control

Once disconnected, Sumex will no longer have access to your data or accounts. You remain in full control at all times.

Data Handling & Privacy

What kind of data does Sumex collect and why?

At this time, Sumex does not use cookies or track personal browsing behavior outside the platform.

Within the platform, Sumex collects only essential data related to:

  • Portfolio performance tracking — to display accurate balances, asset history, and analytics across your connected wallets and accounts
  • User activity — such as completed tasks, trades, or interactions, which are used to power the Gamification layer (XP, Sigma Points, quests, rewards, etc.)

This data helps us provide a personalized and rewarding experience while maintaining full transparency and control for the user.

A Privacy Preferences section is currently in development, which will allow you to customize what platform-related information is tracked, stored, or visible. This ensures that users who prefer a more private experience can fine-tune their level of visibility within the platform.

Sumex is committed to privacy by design — only collecting what’s necessary to deliver value, never more.

Is my personal information stored or shared?

No — Sumex does not collect or store personally identifiable information (PII) such as your name, email address, or government ID, unless you explicitly provide it (e.g., during a future optional KYC process or support interaction).

Your interaction with Sumex is based on wallet addresses and API connections, which are handled in a non-custodial, permission-based manner.

Sumex does not share any user data with third parties for advertising or marketing purposes. All data collected is used strictly to power platform functionality — such as portfolio tracking, gamified progression, and personalized analytics.

We are also working on a Privacy Preferences dashboard, which will allow users to further customize what information is visible or stored, ensuring full transparency and user control.

Your privacy is a core part of how Sumex is built — and always will be.

Are my trading activities or wallet balances visible to other users?

By default, your detailed trading activity, specific asset holdings, and wallet balances are private and not visible to other users on Sumex.

However, general portfolio statistics — such as overall performance trends, XP level, or participation in quests — may be anonymously aggregated or selectively visible, especially in leaderboard or community-based features. This does not include detailed information about your specific assets, positions, or trades.

In the near future, with the launch of privacy customization settings, users will be able to:

  • Control what information is visible and to whom
  • Set different visibility levels based on factors like Guild membership, follower status, or even paid subscription tiers
  • Choose whether to share specific data (e.g., strategy results or portfolio allocations) in public-facing features like Copy Trading or Signals Marketplace

Until then, all sensitive data remains fully private — and under your control.

Account & Access Security

Does Sumex support 2FA or other login protections?

Not yet, but we plan to integrate two-factor authentication (2FA) and other security features before the end of 2025.

The upcoming security enhancements will include support for tools like Google Authenticator and similar TOTP-based apps, giving users an extra layer of protection during login or when performing sensitive actions.

We are also exploring more user-friendly options, such as:

  • Email and SMS-based one-time passwords (OTP)
  • Trusted device linking for streamlined access
  • Enhanced login flows designed for the upcoming mobile app

As Sumex evolves, our goal is to strike the right balance between strong security and everyday convenience, ensuring users can access the platform safely without friction.

What happens if my connected wallet or exchange account gets compromised?

If your connected Web3 wallet or CEX account is compromised, Sumex cannot directly prevent or reverse any unauthorized activity, since the platform is non-custodial and does not have access to your funds or private keys.

However, there are steps you should take immediately:

For Web3 wallets:

  • Disconnect the wallet from Sumex via the Connection Manager
  • Revoke token approvals using tools like Revoke.cash
  • Transfer assets to a secure wallet
  • Consider generating a new wallet and migrating your funds

For CEX accounts:

  • Revoke or delete the API key from your exchange account settings
  • Generate a new API key if needed
  • Inform your exchange's support team and enable security features like 2FA and withdrawal whitelists

While Sumex does not have control over your assets, we are working on tools like login protection, suspicious activity alerts, and optional 2FA to help reduce the risk of such incidents in the future.

If you're affected and need assistance, you can also contact our support team for help in reviewing the situation and securing your account connections.

How can I report a suspicious activity or security concern?

If you notice any suspicious activity, security vulnerabilities, or anything that seems off while using Sumex, please report it immediately through official channels.

You can contact us via:

  • The support form available in the platform interface
  • Email: security@sumex.io (or your designated security contact)
  • The upcoming in-app “Report an Issue” feature for direct flagging

Please include any relevant details (wallet address, screenshots, timestamps, etc.) to help our team assess the issue efficiently.

warning

Important Security Reminder

Given the sensitivity of information in crypto, please stay alert to scammers and imposters. Sumex team members will never:

  • Ask for your private keys, seed phrases, or wallet recovery phrases
  • Request your CEX account login credentials
  • Ask for direct access to your wallet or exchange account
  • Initiate unsolicited contact through social media or messaging apps

If anyone claims to represent Sumex and asks for such information, assume it is a scam and report it immediately.

Your security is our top priority — and your awareness is a key part of keeping the community safe.

Best Practices

How can I keep my wallet and funds safe while using Sumex?

Sumex is built with security in mind, but you play the most important role in protecting your assets. Here are some key best practices to follow:

For Web3 wallets:

  • Never share your private key or seed phrase — with anyone, ever
  • Only use official wallet providers (e.g. MetaMask, Rabby, WalletConnect)
  • Always double-check the Sumex URL to avoid phishing sites
  • Review and manage your connected sites in your wallet regularly
  • Use tools like Revoke.cash to remove unnecessary token approvals
  • Store large amounts in a hardware wallet for added security

For CEX accounts:

  • Use strong, unique passwords and change them regularly
  • Enable 2FA on your exchange accounts (Google Authenticator or similar)
  • Create API keys with only the permissions you need (avoid enabling withdrawals)
  • Revoke or regenerate API keys periodically, especially if unused

General tips:

  • Be cautious of unsolicited messages pretending to be from Sumex staff
  • Avoid signing suspicious transactions or connecting to unknown dApps
  • Regularly audit your connected wallets and accounts via the Connection Manager

Sumex is non-custodial, meaning you are in full control — but with that control comes responsibility. Following these guidelines helps ensure your funds remain safe while enjoying all that the platform has to offer.

Are there any risks I should be aware of when using third-party protocols via Sumex?

Yes — interacting with third-party protocols (whether DeFi or CeFi) always carries some level of risk, even when accessed through a trusted aggregator like Sumex.

Potential risks include:

  • Smart contract vulnerabilities in DeFi platforms
  • Economic exploits (e.g., flash loan attacks or oracle manipulation)
  • Liquidity issues or protocol insolvency
  • Impermanent loss when providing liquidity
  • CeFi-specific risks, such as API downtime or custodial mismanagement

While Sumex aims to integrate only well-audited and widely adopted protocols, no system is completely immune to exploitation. Both CeFi and DeFi protocols — even the most reputable ones — have experienced hacks or security incidents in the past.

N.B. Disclaimer

In the event that a known vulnerability is identified within an integrated protocol, Sumex will make every effort to notify affected users, limit exposure within the platform, and update relevant risk indicators as quickly as possible.

We are also working on adding protocol metadata, community feedback, and risk scoring tools to help you evaluate opportunities more clearly. But as always, it's important to do your own research and only engage with protocols that align with your risk tolerance.

Sumex provides the access — you maintain control and responsibility over your decisions.

Transparency & Trust

How does Sumex choose which protocols or bridges to integrate?

Sumex takes a curated, security-conscious approach when selecting protocols, DEXes, and bridges for integration.

We evaluate candidates based on several key factors:

  • Security & audit history – preference is given to protocols that have undergone reputable third-party audits and have demonstrated resilience over time
  • Protocol maturity & reputation – we favor well-established projects with proven track records and strong community trust
  • Volume, liquidity & usage – platforms with active user bases, deep liquidity, and consistent transaction volumes are prioritized
  • Cross-chain support & interoperability – bridges and DEXes that enable seamless multi-chain interaction are highly valued
  • Technical compatibility – the protocol must be stable, API-ready, and able to integrate cleanly into Sumex’s infrastructure
  • Alignment with user demand – we listen to our community and evaluate integrations based on actual interest and utility

caution

While we aim to offer access to the most reliable and widely used protocols, Sumex remains non-custodial, and any third-party interaction is always subject to the user's own risk assessment.

As we continue expanding, protocol quality, user safety, and product performance remain top priorities — and integrations are never paid listings.

Has Sumex been audited or externally reviewed for security?

Not yet, and for good reason — Sumex currently does not store user funds or deploy smart contracts, meaning there is no on-chain attack surface that requires immediate auditing.

The platform is built on a non-custodial, client-server architecture, where users interact with their own wallets or CEX accounts, and no private keys, seed phrases, or assets are ever held by Sumex.

That said, as we evolve and begin integrating on-chain components, such as smart contracts, automation layers, or protocol-level interactions, we will undergo rigorous security audits through multiple trusted and independent audit firms in the crypto space.

Security remains a core priority — and as complexity increases, so will the depth of our audits and external reviews.

Where can I read about your security policies or terms of use?

You can find all official Sumex policies, including our Terms of Use, Privacy Policy, and upcoming Security Guidelines, in the Legal & Compliance section of our documentation or directly on our website footer.

These documents cover:

  • User rights and responsibilities
  • Data handling and privacy practices
  • Non-custodial architecture explanation
  • Platform limitations and disclaimers
  • Security-related commitments and recommendations

As the platform evolves, we’ll continue to update these materials to reflect new features, integrations, and security standards. We encourage all users to review them carefully before engaging with the platform.

If you have questions about anything not covered in those documents, you can always reach out to our support or legal team via the contact form.