Frequently Asked Questions
Complete answers to every question we get from security teams, trading desks, and enterprise buyers.
Mathematically impossible. Your keys exist only inside AWS Nitro Enclaves — isolated compute environments with no persistent storage, no SSH access, and no operator visibility. Even ZeroCopy engineers cannot extract keys. This is enforced by hardware, not policy. The enclave's PCR0 hash is cryptographically signed by AWS, and your application verifies this attestation before every signing request.
Your keys remain sovereign. The enclave runs in YOUR AWS VPC, not ours. You control the Terraform, the IAM roles, and the key ceremony. We provide the software and license validation — if we vanish, you fork the open-source CLI and continue operating. There's no lock-in, no custody, no dependency on our infrastructure.
Remote attestation. Every Nitro Enclave produces a cryptographic attestation document containing PCR0 (code hash), PCR1 (kernel hash), and PCR2 (application hash). Your application verifies these hashes against expected values before establishing a connection. If anyone modifies the enclave image, the PCR values change and attestation fails. This is exactly how it works.
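The PCR comparison described above, as an added example (not ZeroCopy's code): it is the policy step that runs after the attestation document's COSE signature and certificate chain have been verified and its CBOR payload decoded into a dict. The function names, the nonce handling and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac

PCR_LEN = 48  # Nitro PCRs are SHA-384 digests (48 bytes)

class AttestationError(Exception):
    """The document does not satisfy the caller's pinned policy."""

def check_attestation(doc, expected_pcrs, sent_nonce):
    """Policy check on a document whose signature and certificate chain
    were already verified and whose payload is decoded to a dict."""
    if not expected_pcrs:
        raise ValueError("no PCRs pinned: an empty policy accepts any image")
    if doc.get("digest") != "SHA384":
        raise AttestationError("unexpected digest algorithm")
    # Freshness: the enclave must echo the nonce sent with this request.
    if not hmac.compare_digest(doc.get("nonce") or b"", sent_nonce):
        raise AttestationError("nonce mismatch, possible replayed document")
    pcrs = doc.get("pcrs") or {}
    for index, want in expected_pcrs.items():
        got = pcrs.get(index)
        if not isinstance(got, bytes) or len(got) != PCR_LEN:
            raise AttestationError(f"PCR{index} missing or malformed")
        if got == bytes(PCR_LEN):
            # Enclaves started in debug mode attest with all-zero PCRs.
            raise AttestationError(f"PCR{index} is all zeros (debug mode)")
        if not hmac.compare_digest(got, want):
            raise AttestationError(f"PCR{index} does not match pinned value")
    return True

def verdict(doc, expected_pcrs, sent_nonce):
    """Return 'ok' or the reason the document was rejected."""
    try:
        check_attestation(doc, expected_pcrs, sent_nonce)
        return "ok"
    except AttestationError as exc:
        return str(exc)

def sha(label):
    return hashlib.sha384(label).digest()

# Constructed sample values, not real enclave measurements.
EXPECTED = {0: sha(b"code"), 1: sha(b"kernel"), 2: sha(b"application")}
NONCE = b"constructed-nonce-1"
GOOD = {"digest": "SHA384", "nonce": NONCE, "pcrs": dict(EXPECTED)}
TAMPERED = {**GOOD, "pcrs": {**EXPECTED, 0: sha(b"modified image")}}
DEBUG = {**GOOD, "pcrs": {i: bytes(PCR_LEN) for i in EXPECTED}}
```

Pin the expected values from your own reproducible image build rather than from a running enclave, and treat any rejection as a reason not to send the signing request.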
Yes. The cryptographic primitives use libsecp256k1 (Bitcoin Core's library, audited by Trail of Bits). The enclave architecture follows the AWS Nitro Enclaves security model (reviewed by AWS's internal security team). The ZeroCopy codebase has undergone security review by independent auditors — reports are available under NDA for enterprise customers. We also run a bug bounty program.
Yes. The architecture is designed for compliance: keys never leave the enclave, all operations are logged with tamper-proof audit trails, and access is controlled via IAM policies you define. We provide compliance documentation packages for SOC 2 Type II, ISO 27001, and PCI-DSS. The enclave's attestation provides cryptographic proof of the security boundary.
The enclave auto-recovers. If the Nitro Enclave crashes, the parent EC2 instance automatically restarts it within seconds. Your keys are regenerated from encrypted backups stored in AWS KMS (encrypted with your master key). For mission-critical deployments, we recommend running multiple enclaves across availability zones with load balancing. Downtime is measured in seconds, not minutes.
Zero cold starts. The enclave runs continuously with pre-allocated memory pools. There's no JIT compilation, no lazy loading, no connection pooling delays. The first request after deployment is as fast as the millionth. We achieve this by eliminating all dynamic allocation in the hot path.
Parallel deployment. Run ZeroCopy alongside your existing solution, verify attestation and latency, then gradually shift traffic. The API is designed for drop-in replacement: same signing interface, same key formats. Most teams complete migration in 1-2 weeks with zero downtime. We provide migration guides for AWS KMS, Fireblocks, and HashiCorp Vault.
We measure it continuously in production. The zcp trace command lets you verify latency yourself — run it against your own deployment. Our benchmarks are reproducible: libsecp256k1 signing takes ~35µs, VSock overhead adds ~7µs. We publish P50/P99/P999 numbers because we're confident. If you measure higher latency, something is misconfigured — and we'll help you fix it.
Because 150ms AWS KMS latency costs you money. At $100M daily volume with medium volatility, the 'Jitter Tax' — the cumulative alpha loss from signing variance — exceeds $6.6M annually. This isn't theoretical: it's the price impact of being 3,500x slower than your competition. Our calculator shows your specific exposure.
Co-location + zero-copy architecture. The enclave runs inside your VPC with VSock (virtual socket) communication — no network roundtrip, no TLS handshake overhead, no cold starts. The signing operation uses libsecp256k1 optimized for x86, and memory is pre-allocated to eliminate allocation latency. Physics, not magic.
AWS KMS: ~$1/10k requests + 150ms latency tax. Fireblocks: ~$50k/year + 600ms MPC latency tax. ZeroCopy: Fixed license fee + 42µs latency. For firms with >$50M daily volume, ZeroCopy typically pays for itself within 60 days through reduced slippage alone. Run the calculator to see your specific numbers.
You can. The zcp CLI is open source. But the real cost is engineering time: Nitro Enclave debugging, attestation validation, key ceremony design, vsock integration, and ongoing security hardening. Most teams estimate 6-9 months to production-grade. We've done that work — you're buying time-to-market and battle-tested infrastructure.
The license scales with your deployment, not your volume. Whether you sign 1,000 or 1,000,000 transactions per day, the infrastructure cost is the same. As you scale, your cost-per-signature decreases. Enterprise customers with multi-region deployments get volume discounts on additional enclaves.
Any chain using secp256k1 (Ethereum, Bitcoin, Solana) or ed25519 (Solana, Cosmos) signatures. The enclave is algorithm-agnostic — it signs payloads, not transactions. Your application constructs the transaction and sends the raw bytes for signing.
45 minutes from zero to production pod. The zcp CLI handles Terraform provisioning, enclave image building, key ceremony initialization, and attestation verification. Most of that time is waiting for AWS to provision resources.
Enterprise SLA with 24/7 on-call for production issues. Slack channel with direct access to engineering. Quarterly security reviews and architecture consultations. We treat your deployment as if it were ours — because downtime for you is reputation damage for us.
Still have questions? Run a free audit or contact us.