Keys are generated client-side at account creation. Our servers receive a public address — never a private key, mnemonic, or signed transaction template. If we vanished tomorrow, your funds are still in your wallet.
AWS GovCloud regions, hardware-backed HSMs, mTLS everywhere, and zero-trust network policies. Every internal call is authenticated; every secret has a 30-day rotation; every deploy is signed.
Our payment-handling smart contracts are open source, formally verified, and audited annually by Trail of Bits and Zellic. Reports linked below; we don't ship contract changes without a fresh audit.
FCA-registered crypto-asset business. KYC and Travel Rule are scoped to you, the merchant — your customers don't fill out forms to pay. We share with regulators only what UK law requires, and we publish every request.
Audited Apr 2025 by Prescient Assurance.
Type II report on requestUK Crypto-asset business · Reg. 1011247.
5MLD & Travel Rule compliantStage 2 audit underway. Cert. expected Q2 2026.
Stage 1 complete · in progressEU/UK data only. DPA available; DPO on staff.
Sub-processors listed publiclySAQ-A scope for the (rare) card flows we expose.
Most flows have zero card scopeBAAs available for healthcare merchants on Enterprise.
On requestReal-time SLA tracking. 99.997% uptime over the past 90 days.
View status →Up to £75,000 for critical findings. 47 researchers paid; 0 active disputes.
Submit a report →Every external audit, signed and dated. Published the day they finish.
Browse archive →Every vendor that touches data, with what they touch and where it lives.
View list →Smart contract source on GitHub. Reproducible builds, signed releases.
View on GitHub →Quarterly: every government data request, granted or refused, with totals.
Q3 2025 report →