Security & Infrastructure

Built for regulated digital markets

Defense-in-depth across architecture, data, and operations. Compliance by design with auditable controls, encryption everywhere, and enterprise-grade observability.

Reference architecture (MVP)
Next.js + NestJS, Postgres (RLS multi-tenant), Redis (BullMQ), S3/MinIO, Docker, single-region EU.
Web: Next.js (App Router)
API: NestJS
DB: Postgres + RLS
Cache/Jobs: Redis + BullMQ
Storage: S3/MinIO
Observability: OpenTelemetry
Auth: OIDC + short-lived JWT
Infra: Docker (compose) → Cloud
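The "Postgres + RLS" line above is the control that keeps one tenant's rows invisible to another. What it needs in practice is a policy on every tenant-owned table plus a per-request tenant context that cannot leak across pooled connections. The following is an added example, not the project's own code: the table and policy DDL, the setting name `app.tenant_id`, and the pg-style client interface are assumptions.

```typescript
// Added example, not the project's own code: a tenant-scoped transaction helper for Postgres RLS.
// Assumptions: the table/policy DDL below, the setting name app.tenant_id, and a pg-style client.
import { randomUUID } from "node:crypto";

/** The subset of a pg client the helper needs, so it can run here against a fake. */
export interface SqlClient {
  query(text: string, params?: readonly unknown[]): Promise<{ rows: Record<string, unknown>[] }>;
}

/**
 * Assumed DDL. FORCE makes the policy bind the table owner too (the app role often owns its
 * tables, and owners bypass RLS otherwise). current_setting(name, true) yields NULL instead of
 * an error when the setting is absent, so a connection with no tenant context reads and writes
 * nothing rather than everything. WITH CHECK stops inserts/updates into another tenant's rows.
 */
export const RLS_DDL = `
CREATE TABLE orders (id uuid PRIMARY KEY, tenant_id uuid NOT NULL, amount numeric NOT NULL);
ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
ALTER TABLE orders FORCE ROW LEVEL SECURITY;
CREATE POLICY tenant_isolation ON orders
  USING (tenant_id = current_setting('app.tenant_id', true)::uuid)
  WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);
`;

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

/** Run `work` inside one transaction whose RLS context is `tenantId`. */
export async function withTenant<T>(
  client: SqlClient,
  tenantId: string,
  work: (c: SqlClient) => Promise<T>,
): Promise<T> {
  // Reject anything that is not a UUID before it reaches SQL; the value is then passed as a
  // bind parameter, never spliced into the statement text.
  if (!UUID_RE.test(tenantId)) throw new Error("tenant id must be a UUID");
  await client.query("BEGIN");
  try {
    // set_config(..., is_local = true) scopes the setting to this transaction, so a pooled
    // connection cannot carry one tenant's context into the next request. SET LOCAL would do
    // the same but cannot take bind parameters, which is what tempts people into string building.
    await client.query("SELECT set_config('app.tenant_id', $1, true)", [tenantId]);
    const result = await work(client);
    await client.query("COMMIT");
    return result;
  } catch (err) {
    await client.query("ROLLBACK");
    throw err;
  }
}

/** Constructed stand-in for a real connection: records statements and answers SELECTs with one row. */
export class RecordingClient implements SqlClient {
  readonly log: string[] = [];
  async query(text: string, params: readonly unknown[] = []): Promise<{ rows: Record<string, unknown>[] }> {
    this.log.push(params.length ? `${text} -- ${JSON.stringify(params)}` : text);
    return { rows: /^SELECT \* FROM/.test(text) ? [{ id: randomUUID(), amount: 10 }] : [] };
  }
}

/** Demonstrates the commit path and the rollback path; returns both statement logs. */
export async function demo(): Promise<{ ok: string[]; failed: string[] }> {
  const tenant = "11111111-2222-4333-8444-555555555555"; // constructed tenant id
  const okClient = new RecordingClient();
  await withTenant(okClient, tenant, (c) => c.query("SELECT * FROM orders"));
  const failClient = new RecordingClient();
  await withTenant(failClient, tenant, async () => {
    throw new Error("boom");
  }).catch(() => undefined);
  return { ok: okClient.log, failed: failClient.log };
}
```

The check a practitioner should run against a real database: connect as the application role with no `app.tenant_id` set and confirm `SELECT count(*) FROM orders` returns 0, then as the table owner and confirm the same; if either returns all rows, RLS is not enabled or FORCE is missing.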
Encryption
In transit & at rest, keys rotated
  • TLS 1.2+ everywhere; HSTS; modern ciphers.
  • Data at rest encrypted (DB, object storage, backups).
  • Key rotation policy; split custody for secrets.
Secrets & key management
Short-lived tokens, least privilege
  • Short-lived access JWTs; refresh-token rotation; tokens bound to the issuing session.
  • Env secrets rotated and audited; no secrets in code.
  • Separate KMS per environment; 4-eyes on key changes.
Data protection (GDPR)
PII minimization and residency
  • Data minimization; explicit purposes; retention policies.
  • EU data residency; SCCs for sub-processors; DPA in place.
  • Data subject rights tooling: export/delete upon request.
Backups & disaster recovery
RPO/RTO targets with regular testing
  • Automated daily snapshots; point-in-time restore.
  • Cross-storage redundancy; quarterly recovery drills.
  • Documented RPO/RTO; immutable backup copies.
Observability & monitoring
Traces, metrics, logs with SLOs
  • OpenTelemetry tracing; p95 latency tracked.
  • Error budgets & SLOs; on-call with runbooks.
  • Immutable audit logs for sensitive actions.
Vulnerabilities & pentest
Regular scans, third-party testing, SLAs
  • Automated SCA/SAST in CI; dependency pinning.
  • Annual external pentest; remediation SLAs by severity.
  • Secure coding standards; supply-chain controls.
Access control
Least privilege & 4-eyes approvals
  • RBAC across services; JIT admin; MFA enforced.
  • 4-eyes for payouts, wallet addresses, and key changes.
  • Periodic access reviews; session anomaly detection.
Compliance mapping
EU-first: MiCA, DLT Pilot, GDPR; plus local regimes
  • Policies aligned with MiCA and EU DLT Pilot considerations.
  • Jurisdictional allowlists/limits; investor categorization.
  • Surveillance & reporting hooks for regulators/partners.
Incident response
Playbooks, RACI, and post-mortems
  • 24/7 escalation tree; severity classifications; comms templates.
  • Forensics workflow; customer notification SLAs.
  • Blameless post-mortems with tracked action items.
Status & uptime
Public page for uptime and incidents

We maintain a public status page with real-time uptime and latency metrics, plus incident history.

View status
Responsible disclosure & bug bounty
Secure channels, scope, and rewards
  • Coordinated vulnerability disclosure (CVD) policy with PGP.
  • Clear scope: apps, APIs, infrastructure; exclusions listed.
  • Reward tiers by impact/severity; response time targets.
Do you support data deletion/export for GDPR?

Yes. We provide data subject request workflows and audit trails for exports and deletions.

What are your pentest and remediation SLAs?

Annual external tests minimum; critical findings triaged immediately with fix SLAs based on severity.

Where is data hosted?

EU region by default; single-region to start, with options for expansion and redundancy.

Important

This page summarizes our current baseline controls and target architecture. Some features depend on jurisdiction, partners, and rollout stage. For a signed security package, request the latest documentation.