1. Security principles
We aim to operate the Services according to the following baseline principles:
- least privilege for keys, tokens, roles, and infrastructure;
- separation of sensitive duties where feasible;
- non-custodial handling of user wallets and signatures;
- bounded retention, auditability, and evidence preservation;
- staged rollout of higher-risk features;
- abuse prevention and rate limiting; and
- investigation and response processes proportionate to the observed risk.
2. Security controls in scope
Depending on the feature and environment, the Services may use controls such as:
- signature-based authentication and short-lived session material;
- privileged-action audit trails;
- rate limiting and abuse throttling;
- sponsored-transaction policy controls;
- replay, idempotency, and reservation-integrity protections;
- moderation, notice, and appeal recordkeeping; and
- environment-specific monitoring and retention controls.
3. Responsible reporting
Suspected vulnerabilities should be reported through the published security contact path and handled under the Vulnerability Disclosure Policy.
4. Important qualification
No system is perfectly secure. We do not guarantee that the Services will be free from vulnerabilities, exploits, downtime, or third-party failures.
You remain responsible for the security of your own devices, wallets, seed phrases, signing tools, and local environments.