// KNOWLEDGE BASE

Frequently Asked Questions

Everything you need to know about ZeroCopy's sovereign signing infrastructure.

01.Custody & Security

Is ZeroCopy a custodian?

No. ZeroCopy is infrastructure software that you deploy and run. We never see, hold, or have access to your private keys. The keys are generated inside the Nitro Enclave and never leave its memory boundary. You are the sole custodian.

Can ZeroCopy employees access my keys?

No. The architecture makes this impossible, not just against policy. AWS Nitro Enclaves have no shell access, no SSH, no debugging interfaces. Even with root access to the host EC2 instance, the enclave memory cannot be dumped. Our engineers physically cannot extract your keys.

What happens if ZeroCopy goes out of business?

Nothing changes for your operation. The enclave runs in your AWS account, on your infrastructure. You own the Terraform code. There is no dependency on our servers for signing operations. We provide software, not a service.

How do I know the enclave is running the code you claim?

Every signing operation returns an Attestation Document signed by AWS Nitro. This document contains PCR (Platform Configuration Register) measurements that cryptographically prove exactly what code is running. You can verify these against our published hashes, or build the enclave yourself from source.

02.Technical Requirements

Do I need AWS Nitro Enclaves specifically?

Yes. Our security model is built on the hardware isolation guarantees of AWS Nitro. These include memory encryption (MEK), hypervisor-enforced isolation, and cryptographic attestation. Other TEE technologies (SGX, SEV) have different threat models and are not currently supported.

Which AWS instance types support Nitro Enclaves?

Most modern instance families: c6i, m6i, r6i, c6g, m6g, r6g, c7g, and their metal variants. Nitro Enclaves require at least 2 vCPUs and 256MB RAM dedicated to the enclave. We recommend c6i.xlarge or larger for production.

Can I run this on-premise or in another cloud?

Not currently. Nitro Enclaves are AWS-specific hardware. We are exploring Azure Confidential Computing (SEV-SNP) and GCP Confidential VMs for future releases, but these have different security properties and require separate validation.

What signing algorithms are supported?

EdDSA (Ed25519) and ECDSA (secp256k1, secp256r1). These cover Solana, Ethereum, Bitcoin, and most major blockchains. RSA and other algorithms can be added on request.

03.Deployment & Operations

How long does deployment take?

About 45 minutes from zero to first signed transaction. This includes Terraform provisioning, enclave boot, and key generation or import. There is no vendor onboarding, no key ceremony scheduling, no approval workflows.

Do I need to manage the infrastructure?

Minimal. The enclave is stateless; it can be destroyed and recreated at will. Keys are encrypted and stored in your S3 bucket (encrypted with your KMS key). Standard EC2 monitoring applies. We provide Terraform modules and CloudWatch dashboards.

What happens during an enclave restart?

The enclave boots fresh, loads encrypted keys from S3, decrypts them using KMS (which only succeeds if the PCR measurements match), and resumes signing. This takes ~30 seconds. For zero-downtime, run multiple pods behind a load balancer.

Can I bring my own keys?

Yes. You can import existing keys via a secure bootstrap process. The keys are encrypted to the enclave's public key (which is attested) before transmission. Alternatively, you can generate fresh keys inside the enclave and export the public key / address.

04.Pricing & Licensing

How is ZeroCopy priced?

We offer annual licensing per signing pod. This includes the enclave software, Terraform modules, monitoring templates, and support. AWS infrastructure costs (EC2, KMS, S3) are separate and paid directly to AWS. Contact our team via /institutional to discuss your specific deployment.

How do I evaluate ZeroCopy before committing?

We run a pilot program for qualified institutional teams. The pilot includes a full Sentinel deployment in your AWS account with limited-duration licensing, white-glove onboarding, and direct founder access. Start by booking a discovery call via /book.

Is the code open source?

The core signing engine is source-available for audit and reproducibility. You can build the enclave image yourself to verify PCR measurements. The policy engine and enterprise features are proprietary.

05.Compliance

Does using ZeroCopy make me a custodian under MiCA/CASP?

Generally no, but consult your legal counsel. Because ZeroCopy is self-custody infrastructure (keys never leave your control), you typically do not fall under Crypto-Asset Service Provider custody requirements. The regulatory treatment depends on your specific use case and jurisdiction.

Is ZeroCopy SOC 2 certified?

SOC 2 Type II: Examination Scheduled Q3 2026. Note that SOC 2 covers our development and operational practices; your deployment runs entirely in your AWS account under your security controls.

Does ZeroCopy support SEC 17a-4 compliance?

Yes. We can configure immutable audit logs written to WORM-compliant storage (S3 Object Lock). This satisfies broker-dealer record-keeping requirements when properly configured.

Still have questions?

Our engineering team is happy to discuss your specific requirements.

Request a Call Read Documentation