MPC custody, $500M of insurance through Lloyd's of London, audited every 90 days, licensed in 38 jurisdictions. The kind of paranoid engineering that lets you sleep.
Defence in Depth
Every layer is independent. Compromising one tells you nothing about the others.
Keys are generated and split across three secure enclaves. No single party can sign alone. Recovery is mathematical, not human.
Face ID and Touch ID gate every withdrawal above your policy threshold. Optional hardware key step-up.
95% of assets sit in air-gapped storage. Withdrawals from warm storage are capped at 5% per rolling 24-hour window.
Co-signers in Zurich, Singapore and Toronto. No single jurisdiction can freeze your assets.
Certifications
The certifications you'd expect from a major custodian — and a few you wouldn't.
Annually audited by Deloitte. Continuous monitoring across security, availability and confidentiality.
Information security management certified by Bureau Veritas.
Full crypto-asset service provider authorisation, Republic of Ireland.
Card production and processing certified to the highest tier.
Privacy-by-design. Data minimisation. Right to deletion enforced cryptographically.
Sumsub integration covers every jurisdiction with active rules.
Transparency
Every Aurapay vault is independently attested by Armanino LLP every 24 hours. The Merkle root is published on-chain. You can verify in under a minute that your own balance is included.
Bug Bounty
We'd rather pay you to find it than read about it on Twitter.
40 pages on key generation, threat model, recovery and disaster scenarios. Written by engineers, reviewed by Trail of Bits.