Is Koinly Safe? Security, Privacy & Data Protection Explained (2026)
Before connecting your exchange accounts to any third-party tool, you should understand exactly what access it has and how it protects your data. Here is everything you need to know about Koinly's security.
Security Verdict: Generally Safe for Tax Reporting
- Koinly uses read-only API keys — it cannot move your funds under any circumstances.
- Data is encrypted in transit (TLS) and at rest.
- No publicly reported data breaches since founding in 2018.
- GDPR compliant with data deletion and export rights.
- Supports two-factor authentication (2FA) — enable it.
- No published third-party security audit (SOC 2) — a gap worth noting.
What Data Does Koinly Actually Access?
When you connect an exchange to Koinly via API, you create a read-only API key on your exchange and paste it into Koinly. A read-only key grants permission to view your transaction history, balances, and trade records — but not to place orders, withdraw funds, or change account settings. This is a critical security distinction.
Koinly also supports CSV file imports, which means you can avoid API connections entirely by downloading your transaction history from your exchange and uploading it manually. This is the most privacy-preserving option, though it requires more manual effort when your transaction history changes.
| Data Type | Does Koinly Access This? | Notes |
|---|---|---|
| Transaction history | Yes | Required for tax calculations |
| Current balances | Yes (read-only) | Used for portfolio tracking |
| Trade orders / withdrawals | No | Read-only API cannot execute actions |
| Personal ID / KYC data | No | Not requested or stored by Koinly |
| Bank account details | No | Not applicable |
| Private keys / seed phrases | Never | Never share these with any service |
Koinly Security Features: A Breakdown
Koinly only requests read-only API access from your exchanges. It cannot place trades, initiate withdrawals, or move funds — even if its servers were compromised.
All data is encrypted in transit using TLS 1.2+ and stored encrypted at rest. Your transaction data is not stored in plain text.
Koinly is hosted on AWS (Amazon Web Services), one of the most widely used and security-audited cloud platforms. AWS provides physical security, DDoS protection, and redundancy.
Koinly supports 2FA via authenticator apps (TOTP). Enabling 2FA is strongly recommended to protect your account even if your password is compromised.
As of 2026, Koinly has not published a third-party security audit or SOC 2 certification. This is a gap compared to enterprise-grade financial software, though it is common for crypto tax tools in this category.
Privacy Policy and GDPR Compliance
Koinly is registered in Ireland and is subject to GDPR (General Data Protection Regulation). Under GDPR, you have the right to access your data, correct inaccuracies, request deletion, and export your data in a portable format. These rights are exercisable through your Koinly account settings or by contacting their support team.
Koinly's privacy policy states that they do not sell personal data to third parties. They may use anonymized, aggregated data for internal analytics, but individual transaction records are not shared with advertisers or data brokers.
Best Practices When Using Koinly
Go to Account Settings → Security and enable two-factor authentication using an authenticator app like Google Authenticator or Authy.
When creating an API key on your exchange, always select 'read-only' or 'view only' permissions. Never grant withdrawal or trading permissions.
For maximum privacy, download your transaction history as a CSV from your exchange and upload it manually instead of using API keys.
Once you have generated your tax report, consider revoking the API keys from your exchange. You can re-add them next year.
Try Koinly — Free for Up to 10,000 Transactions
Connect your exchanges with read-only API keys, import your full transaction history, and generate a preview tax report for free.
Try Koinly Free (affiliate link) · Free plan available · No credit card required