From your whitepaper:
Also, we do not store private keys and passwords on our nodes.
So without storing the private keys and password, how are you able to sends from the address?
I believe that you are storing the private keys, but in the encrypted form using the password as key to decrypt. If not then how does this work?
Also, is it possible to send funds from an address on your site if I know the password, but using a different API key?
I don't want to get too much in detail in order to keep our systems safe. We are making use of Keystores. Also, there are multiple layers of security as there are different checks on different servers making sure the user does actually have the right to send funds from an address. It is not possible to send funds if the API Key is incorrect.