Security is who we are

We do not compromise when it comes to securing your Bitcoin.

Security Philosophy

Raising the bar by setting a new standard of best practices within the industry.

Layered Security

We implement layered security through the principle of least-privilege by applying tiered, role-based access controls to our production environment.

Trust-minimized Infrastructure

Rather than relying on application, operating system, and hardware level trust assumptions, we use physically isolated, self-hosted infrastructure to eradicate the potential for Spectre-class vulnerabilities.

We minimize trust and dependence on third-parties by restricting cloud infrastructure to host non-critical operations only.

Data is Nuclear Waste

The easiest data to secure is data that doesn’t exist. In practice, this means that we store the least amount of information possible for the shortest amount of time possible.

The data we do store is rigorously stored, managed, and disposed of with the utmost care.

Bitcoin Security

Hot Wallet

Our Bitcoin infrastructure is self-hosted and is physically located inside military-grade vaults in highly secure data center facilities. This significantly increases the difficulty for an attacker with physical access to the facility.
We never store any private keys in a public cloud.

Cold Storage

The vast majority of clients' bitcoin is kept offline in cold storage.
We require multiple signatures to withdraw funds from cold storage.
We use Bitcoin's native multisignature system so we can identify who authorized a transaction. This is superior to the approach of the majority of the industry, which relies on Shamir's Secret Sharing Scheme; that scheme requires reconstituting the key from its shares, exposing the system to attack.

Infrastructure Security

Physical Controls

Our critical infrastructure is physically stored in military-grade vaults (Class 5 IPS containers) with non-mechanical locks that require multi-person authentication.
Private keys are geographically distributed and non-digitally replicated to safeguard against region-wide catastrophic events.

Application Security

We follow best practices of modern web browser security by supporting HTTP Strict Transport Security (HSTS) and a Content Security Policy (CSP).
All traffic is encrypted in transit via TLS 1.3.
All application data is encrypted at rest with AES-256-GCM.

Operational Security

Non-critical operations leverage cloud infrastructure that has undergone SOC 2 Type II examinations.
We use Google Cloud’s DDoS detection and traffic filter to guard against denial of service attacks.
Security sensitive services are physically isolated on separate machines to defend against Spectre-class vulnerabilities.
We’ve built an integrated monitoring system to automatically detect, alert, and mitigate potential attacks.

Your Account Security Features

We require multi-factor authentication (MFA) upon account creation. At least one of the following MFA methods is required:
TOTP (e.g. Google Authenticator, 1Password, Duo)
SMS/Text (Not recommended)
Your passwords are hashed via bcrypt with a work factor of 14.

Internal Controls

Organization

We don’t keep anything of value in the office.
Employees must use separate passwords and multifactor authentication with each device and service.
Employees have limited access to personally identifiable information.
Access to cold storage keys requires traveling to multiple geographically dispersed locations.

Code

Code commits must be signed and are never merged without review.
Code deployments require review from multiple parties.