Security

Defense in Depth

Multi-layered security architecture designed to protect assets against nation-state adversaries. Battle-tested infrastructure securing over $12B in digital assets.

  • 98% Cold Storage
  • 99.99% Uptime SLA
  • $2M+ Bug Bounties
  • Quarterly Pen Tests

Cryptographic Architecture

No single point of compromise. Private keys are never whole, never online, and never in one place.

Threshold Signatures (TSS)

Private keys are split across geographically distributed HSMs using Shamir's Secret Sharing. No single device ever holds complete key material.

t-of-n threshold ECDSA/EdDSA

Secure Multi-Party Computation

Transaction signing occurs via MPC protocols where key shares never leave their respective secure enclaves during computation.

GG20 / FROST protocols

Hardware Security Modules

All cryptographic operations execute within FIPS 140-3 Level 3 certified HSMs with tamper-evident seals and active zeroization.

Thales Luna Network HSM 7

Key Derivation & Rotation

Hierarchical deterministic wallets with BIP-32/44/84 derivation paths. Master keys rotate quarterly with zero-downtime migration.

Argon2id / HKDF-SHA512

Cold Storage & Custody

98% of assets secured offline with institutional-grade custody controls.

Air-Gapped Infrastructure

Cold wallets exist on completely isolated systems with no network connectivity. Key ceremonies conducted in Faraday-shielded rooms.

Geographic Distribution

Multi-signature vaults distributed across 5 continents with independent custodians. No single jurisdiction controls enough keys.

Time-Locked Withdrawals

Large withdrawals require 72-hour time locks with multi-party approval. Velocity limits enforced at the protocol level.

Proof of Reserves

On-chain attestations published monthly using Merkle tree proofs. Verified by Armanino LLP with real-time reserve tracking.

Withdrawal Authorization Flow

  • Step 1, Request Initiated: User + 2FA verification
  • Step 2, Risk Scoring: ML-powered analysis
  • Step 3, Policy Engine: Velocity & limit checks
  • Step 4, Multi-Sig Approval: 3-of-5 HSM signing
  • Step 5, Broadcast: Signed TX submitted
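
The five steps above and the 72-hour time lock, written as a fail-closed policy gate. This is an added example, not the platform's policy engine: the 72-hour lock and the 3-of-5 quorum come from the page, while the signer names, the "large withdrawal" threshold, the daily velocity limit and the risk cutoff are hypothetical values.

```python
from dataclasses import dataclass, field

TIME_LOCK_SECONDS = 72 * 3600   # from the page: 72-hour lock on large withdrawals
REQUIRED_APPROVALS = 3          # from the page: 3-of-5 signing
SIGNERS = frozenset({"hsm-1", "hsm-2", "hsm-3", "hsm-4", "hsm-5"})  # hypothetical ids
LARGE_THRESHOLD = 100_000       # assumption: what counts as "large"
DAILY_LIMIT = 250_000           # assumption: per-account 24h velocity limit
MAX_RISK = 0.8                  # assumption: risk score cutoff in [0, 1]

@dataclass
class Withdrawal:
    amount: int
    requested_at: int           # unix seconds
    second_factor_ok: bool
    risk_score: float
    approvals: list = field(default_factory=list)  # signer ids that approved

def authorize(w: Withdrawal, now: int, recent: list) -> str:
    """Return 'broadcast' only if every step passes; otherwise deny or hold.

    recent is a list of (timestamp, amount) for the account's earlier withdrawals.
    """
    if not w.second_factor_ok:                       # Step 1
        return "deny: 2FA"
    if w.risk_score >= MAX_RISK:                     # Step 2
        return "deny: risk"
    spent = sum(a for t, a in recent if now - t < 86400)
    if spent + w.amount > DAILY_LIMIT:               # Step 3
        return "deny: velocity"
    # Step 4: count distinct, known signers only. A repeated or unknown id
    # must not help reach the quorum.
    valid = set(w.approvals) & SIGNERS
    if len(valid) < REQUIRED_APPROVALS:
        return "hold: approvals"
    # The time lock is measured from the original request, so gathering
    # approvals early does not shorten it.
    if w.amount >= LARGE_THRESHOLD and now - w.requested_at < TIME_LOCK_SECONDS:
        return "hold: time lock"
    return "broadcast"                               # Step 5
```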

Network & Infrastructure

Zero-trust architecture with defense-in-depth across every layer of the stack.

DDoS Mitigation

  • Cloudflare Magic Transit with 280+ Tbps capacity
  • Anycast network absorbs volumetric attacks
  • L7 rate limiting with behavioral analysis
  • BGP Flowspec for upstream filtering

Edge Security

  • Web Application Firewall (OWASP Top 10)
  • Bot management with ML classification
  • mTLS certificate pinning for APIs
  • HTTP/3 with encrypted SNI (ECH)

Threat Detection

  • 24/7 SOC with SIEM correlation
  • EDR/XDR across all endpoints
  • Network traffic analysis (Zeek/Suricata)
  • Honeypots and deception technology

Infrastructure Hardening

  • Immutable infrastructure (no SSH access)
  • CIS benchmarks for all systems
  • Kubernetes with gVisor sandboxing
  • Service mesh with Istio mTLS

Application Security

Security embedded at every stage of the development lifecycle.

Secure Development Lifecycle

Threat modeling (STRIDE/DREAD), security requirements in every sprint, and mandatory security sign-off for production deployments.

Code Analysis

SAST (Semgrep, CodeQL), DAST (Burp Suite Enterprise), SCA (Snyk), and fuzzing (AFL++) integrated into CI/CD pipeline.

Smart Contract Audits

All smart contracts audited by Trail of Bits, OpenZeppelin, and Consensys Diligence. Formal verification for critical paths.

Dependency Management

SBOM generation, reproducible builds, pinned dependencies, and automated CVE scanning with <4hr patch SLA for critical vulns.

Bug Bounty Program

We partner with HackerOne and maintain one of the highest-paying bounty programs in the industry. Over 200 security researchers have contributed to our security posture.

Payout range by severity:

  • Critical: $50,000 - $250,000
  • High: $10,000 - $50,000
  • Medium: $2,500 - $10,000
  • Low: $500 - $2,500

Account Security

Multiple layers of authentication and fraud prevention protecting every account.

Authentication

  • Hardware keys (FIDO2/WebAuthn)
  • TOTP authenticator apps
  • Biometric verification
  • Passkey support
  • IP allowlisting

Session Security

  • Device fingerprinting
  • Session invalidation
  • Concurrent session limits
  • Automatic timeout
  • Login notifications

Fraud Prevention

  • Behavioral analytics
  • Device risk scoring
  • Transaction monitoring
  • Withdrawal delays
  • Address whitelisting

Certifications & Audits

Independently verified compliance with the highest security standards.

  • SOC 2 Type II (Security, Availability, Confidentiality). Auditor: Armanino LLP. Cycle: Annual
  • ISO 27001:2022 (Information Security Management). Auditor: BSI. Cycle: 3-year cycle
  • ISO 27017 (Cloud Security Controls). Auditor: BSI. Cycle: 3-year cycle
  • ISO 27018 (Cloud Privacy). Auditor: BSI. Cycle: 3-year cycle
  • PCI DSS v4.0 (Payment Card Processing). Auditor: Coalfire. Cycle: Annual
  • CSA STAR Level 2 (Cloud Security). Auditor: CSA. Cycle: 2-year cycle

Responsible Disclosure

Found a vulnerability? Report it through our secure channels. We respond within 24 hours and do not pursue legal action against good-faith researchers.

Asset Protection & Insurance

Comprehensive coverage protecting your assets against all scenarios.

Crime Insurance

$500M

Coverage against theft, including employee dishonesty, third-party theft, and both hot and cold wallet compromises.

Underwritten by Lloyd's of London syndicate

SIPC Protection

$500K

Securities accounts protected by SIPC up to $500,000 ($250K cash) through our broker-dealer partner.

Additional FDIC insurance for uninvested cash

Questions about security?

Our security team is available to address enterprise security requirements and compliance questions.