// TRUST CENTER

Security & Compliance

We assume the operator is malicious, the cloud provider is compromised, and the network is hostile. We trust only the physics of the hardware.

System Status

All Systems Operational

Last Audit

07 Feb 2026

Internal & Static Analysis

Compliance

SOC 2 Type 1

In Preparation

Bug Bounty

Active

Submit Report →

01. Threat Model

Adversaries We Block

1
Rogue Cloud Operator (AWS)
AWS staff cannot dump enclave memory or decrypt traffic. The Nitro Hypervisor enforces strict isolation.
2
Malicious Insider (You/Us)
Even with root access to the EC2 host, keys cannot be extracted. The enclave has no interactive shell.
3
Network Man-in-the-Middle
All traffic is end-to-end encrypted locally via vsock. No sensitive data touches the network card unencrypted.

The Guarantee

"We do not rely on operational security or 'best practices.' We rely on cryptographic proofs generated by the hardware itself."

Memory EncryptionHardware (MEK)

StorageEphemeral (RAM only)

AttestationPCR0 Signing

02. Compliance & Regulation

SEC 17a-4

Immutable Record Keeping. Our logs are written to write-once storage if configured, satisfying broker-dealer requirements.

Supported

EU AI Act

Transparency & Governance. Deterministic execution policies provide the audit trail required for High-Risk AI Systems.

Native

MiCA (CASP)

Custody Requirements. Our self-custody architecture typically exempts you from CASP custody obligations (consult legal).

Architectural Exemption