Security
Your stack matters. So does ours.
Account security is the foundation everything else depends on. Here's the short, honest list of how we secure your account, your money, and your data.
Two-factor authentication (2FA)
TOTP authenticator apps (Google Authenticator, 1Password, Authy) plus optional WebAuthn / passkeys. Required for withdrawals above your daily threshold.
Session manager
See every active session, when it signed in and from what device / IP, and revoke any of them with one click. Sign-in events also generate a real-time email.
Password rotation
Optional 90-day rotation reminders. Compromised-password detection on sign-in via k-anonymous breach hash lookup. Passwords stored as Argon2id hashes.
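How a k-anonymous breach lookup keeps the password on the client, as an added example in Go (not the site's own code). The protocol is the one popularised by the Pwned Passwords range API: the client hashes the candidate password, sends only the first five hex characters of the SHA-1 digest, and compares the remaining 35 characters against the returned bucket locally. The breachCorpus map and the rangeLookup function are constructed stand-ins for the remote service; a real deployment would call the service over HTTPS and treat a non-zero count as a reason to reject or force a password change.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// breachCorpus stands in for the breach database held by the lookup service.
// Keys are upper-case hex SHA-1 digests of leaked passwords, values are the
// number of times each appeared in breaches. Constructed for this example.
var breachCorpus = map[string]int{}

func init() {
	for pw, n := range map[string]int{"password": 3861493, "letmein": 238000, "hunter2": 17000} {
		breachCorpus[sha1Hex(pw)] = n
	}
}

// sha1Hex returns the upper-case hex SHA-1 of s, the digest the range protocol uses.
func sha1Hex(s string) string {
	sum := sha1.Sum([]byte(s))
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// rangeLookup is the service side of the protocol. It only ever sees a
// 5-character prefix and answers with every "suffix:count" line in that
// bucket, so it cannot tell which of the bucket's hashes the caller holds.
func rangeLookup(prefix string) string {
	var b strings.Builder
	for h, n := range breachCorpus {
		if strings.HasPrefix(h, prefix) {
			fmt.Fprintf(&b, "%s:%d\r\n", h[5:], n)
		}
	}
	return b.String()
}

// BreachCount is the client side, run at sign-in: hash the candidate password
// locally, send only the prefix, and match the suffix locally. Neither the
// password nor its full hash leaves the caller. Returns 0 when not found.
func BreachCount(password string) int {
	h := sha1Hex(password)
	prefix, suffix := h[:5], h[5:]
	for _, line := range strings.Split(rangeLookup(prefix), "\r\n") {
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 || parts[0] != suffix {
			continue
		}
		if n, err := strconv.Atoi(parts[1]); err == nil {
			return n
		}
	}
	return 0
}

func main() {
	// "xK9#mw2Lq!vR7z" is a constructed password that is not in the corpus.
	for _, pw := range []string{"password", "hunter2", "xK9#mw2Lq!vR7z"} {
		fmt.Printf("%-16s seen in %d breaches\n", pw, BreachCount(pw))
	}
}
```

SHA-1 is used here because that is the digest the range protocol is defined over, not because it is a suitable password hash; the stored credential is still the Argon2id hash described above, and the breach check runs on the plaintext the user just typed, before it is discarded.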
Identity verification (KYC)
Sumsub-powered KYC at first cash-out and for any high-value action. Documents are encrypted in transit and at rest, retained for the period required by AML law, and never sold.
Encryption at rest
Postgres data and document storage live on AES-256 encrypted volumes. Sensitive columns (KYC payloads, payment-instrument metadata) are additionally envelope-encrypted at the application layer, so a copy of the disk or a database dump alone is not enough to read them.
Transport security
HSTS preloaded, TLS 1.3 only, modern cipher suites, OCSP stapling. We test with Mozilla Observatory and SSL Labs on every release.
Withdrawal whitelisting
Crypto withdrawal addresses can be whitelisted. New addresses require email confirmation plus a 24-hour cool-down before they're usable.
Rate limiting & anomaly detection
Per-IP and per-account rate limiting on sign-in, withdrawal, and KYC endpoints. Anomalous sign-in patterns trigger step-up authentication.
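One way to structure the per-IP and per-account limiting together with the step-up rule, as an added example in Go (not the site's own code). The limits used (20 sign-in attempts per minute per IP, 5 per 15 minutes per account), the per-account memory of devices that have completed 2FA, and the anomaly rule (a device never seen on this account triggers step-up) are assumptions for the example; the page gives no numbers or rule set. The clock is passed in so the logic is deterministic.

```go
package main

import (
	"fmt"
	"time"
)

// Limiter is a sliding-window counter: at most `limit` events per key inside
// any `window`. The caller supplies the clock, which keeps tests deterministic.
type Limiter struct {
	limit  int
	window time.Duration
	hits   map[string][]time.Time
}

func NewLimiter(limit int, window time.Duration) *Limiter {
	return &Limiter{limit: limit, window: window, hits: map[string][]time.Time{}}
}

// Allow records an attempt for key at `now` and reports whether it fits in the window.
// Rejected attempts are not recorded, so a blocked caller cannot extend its own block.
func (l *Limiter) Allow(key string, now time.Time) bool {
	cutoff := now.Add(-l.window)
	kept := l.hits[key][:0] // drop expired timestamps in place
	for _, t := range l.hits[key] {
		if t.After(cutoff) {
			kept = append(kept, t)
		}
	}
	if len(kept) >= l.limit {
		l.hits[key] = kept
		return false
	}
	l.hits[key] = append(kept, now)
	return true
}

// Decision is what the sign-in handler does before it checks the password.
type Decision string

const (
	Deny   Decision = "deny"    // over a rate limit: reject without evaluating credentials
	StepUp Decision = "step_up" // unusual for this account: require 2FA even with a correct password
	Allow  Decision = "allow"
)

// SignInGate combines a per-IP limiter (blunt, catches spraying from one
// address) with a per-account limiter (catches targeted guessing spread
// across addresses) and a per-account memory of devices that completed 2FA.
type SignInGate struct {
	perIP, perAccount *Limiter
	trusted           map[string]map[string]bool // account -> device id -> seen
}

func NewSignInGate() *SignInGate {
	return &SignInGate{
		perIP:      NewLimiter(20, time.Minute),
		perAccount: NewLimiter(5, 15*time.Minute),
		trusted:    map[string]map[string]bool{},
	}
}

// Evaluate runs the limiters first, so a blocked caller learns nothing about
// the account, then applies the anomaly rule (unknown device => step-up).
func (g *SignInGate) Evaluate(account, ip, device string, now time.Time) Decision {
	if !g.perIP.Allow(ip, now) || !g.perAccount.Allow(account, now) {
		return Deny
	}
	if !g.trusted[account][device] {
		return StepUp
	}
	return Allow
}

// Trust records that device completed step-up authentication for account.
func (g *SignInGate) Trust(account, device string) {
	if g.trusted[account] == nil {
		g.trusted[account] = map[string]bool{}
	}
	g.trusted[account][device] = true
}

func main() {
	g := NewSignInGate()
	t0 := time.Date(2025, 1, 1, 12, 0, 0, 0, time.UTC) // constructed clock; all values below are made up
	fmt.Println(g.Evaluate("alice", "203.0.113.7", "laptop", t0)) // step_up: device never seen
	g.Trust("alice", "laptop")
	fmt.Println(g.Evaluate("alice", "203.0.113.7", "laptop", t0.Add(time.Second))) // allow
	for i := 0; i < 5; i++ { // a burst against the same account from another address
		g.Evaluate("alice", "198.51.100.9", "unknown", t0.Add(time.Duration(i)*time.Second))
	}
	fmt.Println(g.Evaluate("alice", "203.0.113.7", "laptop", t0.Add(10*time.Second))) // deny: account window exhausted
}
```

The ordering in Evaluate is deliberate: the limiters run before the password is even looked at, and the per-account counter is keyed on the account rather than the address, so guessing spread across many IPs still trips it. The cost of that choice is that an attacker can lock a victim out of password sign-in for the window, which is why the step-up path (a passkey or TOTP on a trusted device) should remain available rather than being blocked by the same counter.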
What you can do today
- Turn on 2FA — TOTP or passkey. Five minutes; massive uplift.
- Set a withdrawal allow-list for your crypto address.
- Review active sessions and revoke anything you don't recognise.
- Use a unique password — a manager is the easiest way.
- Verify your email is current; sign-in alerts go there.
Found a vulnerability?
We run a coordinated-disclosure programme with safe-harbour language for good-faith researchers. Read the policy on /legal/security-disclosure and report to security-disclosure@theultimatepokergame.com.
Please do not test on real player accounts other than your own and do not attempt to access player funds. We will publicly credit researchers who ask to be credited.