Swan Security
Where is your Bitcoin stored?
We always encourage clients to take custody of their own Bitcoin as soon as possible. We provide free and automated withdrawals and are always here to answer any questions or concerns about making withdrawals.
When you open a Swan account, you will be presented with a terms of service agreement with a custodian appropriate for your account. Signing the agreement will establish a direct relationship with the custodian. Swan facilitates your interactions with the custodian, but should Swan become unavailable for any reason, you will be able to contact the custodian directly.
When you purchase Bitcoin through Swan, your Bitcoin is held in cold storage with a qualified custodian.
Swan independently audits Bitcoin in cold storage against ledger balances at the custodian of record.
We currently work with Fortress Trust and Bakkt as custodians of record and BitGo as cold storage custodian.
Swan cannot move your Bitcoin or USD without your authorization.
You must authorize your custodian of record via Swan to move your Bitcoin from your cold storage custodian. Swan cannot, by itself, authorize a partner company to move your Bitcoin.
How does fiat money move from your bank account and turn into Bitcoin?
When you supply your bank account information to Swan, it is passed to and stored with a licensed and regulated trust company in a trust account legally under your name. Swan itself does not have authorization to draw on your bank. Swan can only make a draw on your bank when you instruct us to relay the request to your custodian.
Based upon your instructions submitted through Swan, bank withdrawals via ACH are initiated directly by your custodian of record. A trade is executed to convert your fiat money to Bitcoin at the current market price. After a wait period to allow the ACH transaction to clear, your Bitcoin becomes available for withdrawal.
If you do not withdraw your Bitcoin, the Bitcoin will be moved to the cold storage custodian on a recurring basis and will require additional time to withdraw in the future due to the high security measures required by the cold storage withdrawal process.
What personal data does Swan store?
Swan stores the minimal personal data required to be compliant with regulations. Currently, this is limited to your name, email, address, phone number, date of birth, and Tax ID number. This information is stored in encrypted fields inside of a separately encrypted database.
When our site collects social security numbers and identity documentation as required by law to open a trust account, this information is relayed over an encrypted connection directly to your custodian of record.
How is your data secured?
All Swan data is stored encrypted with military-grade AES-256 encryption.
All traffic is encrypted using industry-standard TLSv1.2 encryption.
Swan neither stores nor has access to the private keys for Bitcoin stored with our custodial partners.
Swan follows the Center for Internet Security Benchmarks for security standards.
What happens if Swan goes out of business?
The entirety of your fiat and Bitcoin holdings is legally held in an account in your name at your custodian of record. The fiat is held in an FDIC-insured account at the custodian of record’s partner bank, with all such funds designated for the benefit of (FBO) each individual client. In the unlikely event of Swan winding up operations, you still have legal control of funds stored within your custodian of record and can request disbursement by contacting your custodian of record. Please contact your custodian of record for more information.
As always, we encourage you to withdraw your Bitcoin often to a secure wallet whose keys you control.
Reporting security issues
If you have found a critical security vulnerability, please practice responsible disclosure by reporting it to security@swanbitcoin.com and giving us a chance to respond.
We will consider bounties for disclosures that include a proof of concept and lead to the direct compromise of user data. Reports that are related to best practices, including missing headers, will not be rewarded.
Please do not run vulnerability scanners against our site. We run our own scans and will not reward reports generated by automated scans.
To keep our security program focused and useful, we disqualify reports that are on Google's list of non-qualifying reports. Please note that this list is a non-exhaustive guideline. If your report falls into one of those categories, it will likely not be rewarded. Please review the list prior to submitting your report.