Our Security Commitment
Blockchain Integrity Meets Regulatory Trust
We are building security and compliance practices around early trade pilots, and we make no claim that every control is already at full production scale. Learn how we handle data in our privacy policy and terms of service.
Issuance targets VARA-aligned distribution in the UAE; that is a design goal—not a statement that every activity is licensed or that “all investments” are covered by a single insurance tower. Controls tighten as live products and counterparties come online.
Our Blockchain & Compliance Framework
We employ multiple layers of security to protect your investments and personal data.
- Encryption: We use modern TLS for transport and aim for strong standards at rest; exact scopes are documented as services harden for production.
- Assessments: Third-party reviews and pen tests are part of the roadmap toward issuance—not asserted here on a fixed quarterly cadence until engaged and published.
- Key management: Where on-chain value moves, we target multi-party approvals and custody practices appropriate to the instrument—not a generic “all txs are multisig” claim before flows are live.
KYC/KYB Verification
Identity verification for participants as required by product and jurisdiction—implemented with reputable providers where integrated.
Secure Custody
Custody architecture depends on the instrument—cold / warm splits, policies, and any insurance are described in offering materials, not as a blanket platform guarantee.
Oracle Attestations
Third-party or operational attestations when they add diligence value; on-chain references only where they match what the product actually proves.
Data Encryption
End-to-end encryption for all data transmission and storage using AES-256 encryption standards.
Monitoring & response
Logging, alerting, and incident runbooks scale with production traffic—we do not claim a fully staffed 24/7 SOC for an early prototype unless and until that is true.
Regulatory Compliance
Regulatory posture is built instrument-by-instrument toward VARA-aligned issuance; “full compliance” statements belong in signed legal opinions for a specific product, not marketing copy.
Security roadmap & posture
We do not list certifications we have not earned. As pilots move to production, we expect SOC reports, pen tests, and payment-scope controls to be scoped with vendors and counsel—and disclosed where appropriate.
What we are building toward
Evidence-based claims
SOC 2, ISO 27001, PCI DSS, and similar badges belong on this page only after they are true for the entity and scope described—ask for the latest diligence pack under NDA.
Data protection
Privacy practices for the UAE and other jurisdictions we touch are documented in the privacy policy and updated as products expand.
Payments scope
Card and fiat rails, when used, are expected to lean on certified processors to minimize PCI scope rather than claiming Level 1 merchant certification by default.
GDPR / EU data
Where EU personal data is processed, we align to GDPR requirements; applicability depends on who uses the platform and from where.
Technical controls (targets)
Multi-factor authentication
MFA for privileged and customer accounts as flows go live—requirements tighten with asset-bearing features.
Key protection
HSMs or cloud KMS patterns where keys protect real value; exact design is per environment and reviewed before mainnet funds.
Least privilege access
Zero-trust style reviews for production systems: verify each request, minimize standing access, and keep audit trails for admin actions.
Penetration testing
Engagements scheduled around releases; summaries shared with counterparties under NDA—not a substitute for your own testing.
Insurance & liability
Cargo, custody, errors & omissions, and other policies are placed per instrument and counterparty—not as a single fabricated “$500M” tower across the whole site. When an offering is live, its documents name carriers, limits, exclusions, and beneficiaries.
Ask for the diligence pack on the specific pilot: what is insured, who is the loss payee, and what risks remain uninsured. Marketing pages are not the place for made-up aggregate limits.
Security Frequently Asked Questions
Everything you need to know about our security measures
How are my assets protected?
Protection depends on the product: custody design, insurance if placed, and legal structure are described per offering. We do not claim blanket “exceeds industry standards” coverage for assets that have not yet issued.
What happens if there's a security breach?
If an incident occurs, response follows documented runbooks, vendor obligations, and applicable law—not a promise that every loss is insured. Monitoring and on-call coverage scale with production systems.
How often are security audits performed?
Audit and pen-test cadence is tied to releases and institutional requirements—not asserted here as “annual SOC 2 + quarterly pen tests” until those reports exist and are scoped to our environment.
Can I access my account from anywhere?
Remote access is supported where product features are enabled; we aim for MFA on sensitive accounts and least-privilege access as those flows mature—not a claim that every legacy path is already wired for MFA in prototype sandboxes.
Diligence-first security
Ask direct questions—we are early stage and prefer precise answers over marketing comfort. Review our privacy policy and terms of service, then decide if the pilot fits your risk framework.