Security Whitepaper

Executive Summary

ZeroCopy Systems provides hardware-isolated signing infrastructure built on AWS Nitro Enclaves. Our architecture eliminates the need for trust in operators, administrators, or cloud providers by enforcing cryptographic isolation at the hardware level.

Core Security Properties

• ✓Hardware Isolation: Private keys exist only in encrypted enclave memory. No root access, no SSH, no debugging interfaces.
• ✓Cryptographic Attestation: Every request includes a PCR0 measurement proving the exact enclave code running.
• ✓Zero-Knowledge Architecture: ZeroCopy employees cannot access keys, even under subpoena.
• ✓Deterministic Builds: Reproducible enclave images allow independent verification of source code.

Threat Model

Architecture Overview

The system consists of three layers:

1. Client Layer: User-controlled application (trading bot, wallet, etc.)
2. Sidecar Layer: Vsock proxy running on parent EC2 instance
3. Enclave Layer: Nitro Enclave with signing logic and policy engine

Compliance

Our architecture is designed to meet the following regulatory requirements:

• • SEC 17a-4: Immutable audit logs with hash chaining
• • MiCA (EU): Operational resilience and key custody controls
• • SOC 2 Type II: In progress (Q2 2026)

Independent Verification

All claims in this whitepaper can be independently verified:

Contact

For security inquiries or to report vulnerabilities, contact: security@zerocopy.systems