Hello,
Just to clarify, we do not have access to your private keys. We use something called "createwallet" (https://bitcoincore.org/en/doc/0.17.0/rpc/wallet/createwallet/) using JSON RPC, and your wallet.dat file is encrypted with your masterkey & password, which can be found under sendbit Dashboard > Security Centre, leaving us with no access to your funds or private keys.
However, we do store copies of your wallet.dat file offline every 2 hours during our backups, and this is done with full encryption using AES-256. We recommend that you back up your wallet each time you create an address or receive funds, so that in case sendbit.io is offline you will still be able to access your funds.
We store encrypted backups of wallet.dat offline for our & customer safety, since our platform is responsible for loading and unloading wallets, and in case of an emergency such as DDoS attacks and FRA network expansions and mitigation, so sendbit wallets can be back up and running in no time.
You can always email us at support[at]sendbit.io, and we appreciate any constructive criticism, as this makes us a better wallet and grows our trust with the community.
How we secure against CSRF attacks and SQL injection:
sendbit_generateAntiCSRFToken() Generates a secure anti-CSRF token and stores it at $_SESSION['sendbit_token'].
sendbit_verifyAntiCSRFToken($input_token) Verifies the token for integrity and returns a boolean.
Request::GET('query', $filtered = false) Returns a GET value set in the URL.
Request::POST('data', $filtered = false) Returns a POST value set in the page.
Request::COOKIE('session', $filtered = false) Returns a COOKIE value set in the headers.
Request::cleanInput($input) Cleans the input and returns it. Useful to avoid attacks like XSS.
Regards,
Sendbit.io
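
The generate-and-verify token pattern listed in the post, as an added PHP example that is not Sendbit's code and not part of the original message. The function names, session key and 30-minute lifetime are assumptions, and the session array is passed explicitly so the block runs from the CLI; in a web application you would pass $_SESSION after session_start().

```php
<?php
declare(strict_types=1);

// Hypothetical names and values chosen for this example only.
const EXAMPLE_CSRF_KEY = 'example_csrf_token';
const EXAMPLE_CSRF_TTL = 1800; // token lifetime in seconds (assumption)

// Issue a fresh token and remember it, with its issue time, in the session.
function example_generate_csrf_token(array &$session): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    $session[EXAMPLE_CSRF_KEY] = ['value' => $token, 'issued' => time()];
    return $token;
}

// Return true only for a non-expired, exactly matching string token.
function example_verify_csrf_token(array &$session, $input): bool
{
    $stored = $session[EXAMPLE_CSRF_KEY] ?? null;
    // Reject a missing session token and non-string input such as token[]=x.
    if (!is_array($stored) || !is_string($input) || $input === '') {
        return false;
    }
    // Expired tokens are discarded so they cannot be replayed later.
    if (time() - $stored['issued'] > EXAMPLE_CSRF_TTL) {
        unset($session[EXAMPLE_CSRF_KEY]);
        return false;
    }
    // hash_equals() compares in constant time, unlike == or ===.
    return hash_equals($stored['value'], $input);
}

// Constructed demonstration: a plain array stands in for $_SESSION.
$session = [];
$token = example_generate_csrf_token($session);

$cases = [
    'matching token'  => $token,
    'wrong token'     => str_repeat('0', 64),
    'array parameter' => ['x'],
    'empty string'    => '',
];
foreach ($cases as $label => $input) {
    printf("%-16s %s\n", $label, var_export(example_verify_csrf_token($session, $input), true));
}

// Age the stored token past its lifetime and try the valid value again.
$session[EXAMPLE_CSRF_KEY]['issued'] -= EXAMPLE_CSRF_TTL + 1;
printf("%-16s %s\n", 'expired token', var_export(example_verify_csrf_token($session, $token), true));
```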