Wallets are air gapped (isolated from the internet) with no direct route. The data contained in the database regarding our wallets is designed to mislead attackers. Even if breached, the database would not provide an intruder with necessary details to access the wallets. Not only can the front end not see the wallets, but wallets will reject logins from all but 2 fixed IPs. The devices hosting the wallets are heavily encrypted and fire-walled.
We own all our own hardware which is is physically located in our own data centre. We do not rent or lease hardware from other providers and owning everything from the top down gives us ultimate control and configuration of our platform.
We employ a very secure database cluster. Tables are encrypted top to bottom helping to mask data. Custom encryption protects sensitive data which is only accessible via VPN (again no internet access to the databases) and is fully managed and maintained.
Apache and IIS is the front end and is all that is on this server is an operating system that has been hardened. If this box was compromised the attacker would only be able to obtain a few dozen webpages and some Encrypted DLL files.
General Application security
HTTPS, Granular Control, Two Factor Authorization, Tri Factor Auth, Pin Layers and Email layers are all implemented. The granular security allows you to open up an operation (e.g withdraw) where you then define the security process for withdrawals from your account. If you want just 2FA you can choose just 2FA. Tri-factor is also an option or if you want to add a PIN you can do that as well. If you want to add a secondary password or email, or email alert, email confirms etc, these are all available options from within your security control panel.
We have been developing these systems for over 4 years. During that time frame including multiple deployments our total net loss from breaches is ZERO.