Security & Compliance

Security is enforced across authentication, authorization, data protection, transactions, and deployment.

Principles

Environment‑based secrets, no hardcoded keys
RBAC and least privilege
PII encryption at rest, TLS 1.3 in transit
Audit logging and immutable trails

Controls

Auth: JWT sessions, wallet auth, session timeouts
Rate limiting: conversions, withdrawals, API calls
Fraud/risk scoring and manual review paths
Secure key management and HSM integration (where applicable)

Audit Summary

See repository root SECURITY_AUDIT_REPORT.md for findings and checklists. Current status: ready for public release with strong .gitignore and secret hygiene.

Operational Guidance

Rotate credentials regularly; enforce strong passwords for admin tools
Lock down admin dashboard with IP allowlists/VPN
Separate staging/production with distinct secrets and providers

Principles​

Controls​

Audit Summary​

Operational Guidance​

Principles

Controls

Audit Summary

Operational Guidance