Security & Custody

Production controls for a regulated rail.

What follows are LiquiCo's production security targets — the controls that must be in place before any live investor funds are accepted. Today's demo simulates the rails client-side; the security stack described here provisions them for real.

This is a pre-seed demonstration

The controls below are our production security targets. Certifications and audits are completed — and partner contracts signed — before any live investor funds are accepted on the platform.

01
Certifications

Production targets for the regulated platform. Not yet certified — completed before any live investor funds are accepted.

  • SOC 2 Type II (target)

    Continuous control attestation across security, availability, and confidentiality.

  • ISO 27001 (target)

    Information security management system across all engineering and operations.

  • ISO 27017 — Cloud security (target)

    Cloud-specific controls layered on top of ISO 27001.

  • ISO 27018 — PII in the cloud (target)

    Personally identifiable information protections aligned with the DPDP Act 2023.

02
Custody

Institutional-grade key management — no single human or machine can move funds.

  • MPC custody (Fireblocks / BitGo-class)

    Multi-party computation; the private key is never assembled in one place, so no single party or machine can sign alone.

  • 4-of-7 multi-sig

    Any four of seven signers must approve; the quorum is spread across separate geographies and roles.

  • HSM-protected keys + policy engine

    Hardware security modules; transfer policies enforced at the signer.

  • Withdrawal allowlists

    Funds can only move to pre-approved, address-pinned destinations.

  • Air-gapped cold storage

    Treasury reserves held offline; ceremony-based access only.

  • Social recovery via nominee

    Managed wallets recoverable through a nominee — not a recovery phrase.

03
Smart-contract security

ERC-3643 / T-REX implementations audited before and after every material change.

  • Two independent audits (CertiK / Trail of Bits / Hacken-class)

    Sequential audits with public reports before mainnet issuance.

  • Re-audit on every material change

    No code path reaches production without a fresh review.

  • Public bug-bounty program

    Tiered payouts — critical findings rewarded materially.

  • Formal verification on critical modules

    Mathematical proofs on the compliance engine and transfer gate.

04
Application & infrastructure security

Hardened from the source code to the cloud edge.

  • Periodic VAPT / penetration testing

    Annual third-party penetration tests and quarterly internal red-team exercises.

  • Secure SDLC

    Threat modelling, SAST/DAST, signed builds, reproducible deploys.

  • Secrets management

    Vault-backed secrets; no plaintext credentials in code or CI.

  • Least-privilege access

    Just-in-time elevation; every production action audit-logged.

  • Encrypted at rest + in transit

    TLS 1.3 everywhere; AES-256 for stored data and backups.

05
Regulatory & data

Indian regulatory obligations are first-class — not afterthoughts.

  • CERT-In incident reporting

    Incidents reported within 6 hours of detection, per CERT-In directives.

  • DPDP Act 2023 breach notification

    Detailed report within 72 hours; user notification per Data Protection Board guidance.

  • India data-localisation

    KYC, V-CIP, and lending data stored within India.

  • PMLA / FIU-IND reporting

    Designated principal officer; STR / CTR (suspicious and cash transaction report) workflow.

  • Sanctions / PEP screening

    Continuous OFAC, EU, UN, MEA, and PEP screening on every wallet.

06
Asset assurance

Investors can independently verify that what is on-chain matches what is held.

  • Proof-of-Reserve attestations

    Signed by the independent custodian on a defined cadence.

  • On-chain ↔ RTA register reconciliation

    The statutory register at the SEBI-registered RTA reconciles to the on-chain registry.

  • Independent trustee oversight

    Debenture / investor trustee co-signs every waterfall release.

07
Insurance

A backstop layer for the events the controls above are designed to prevent.

  • Digital-asset crime & custody insurance (target)

    Coverage for theft, internal collusion, and key-material loss.

  • Per-investor coverage target (target)

    Illustrative ₹5 Cr per managed wallet — finalised at provisioning.

Reporting a vulnerability

The public bug-bounty program opens with mainnet issuance. Until then, please disclose responsibly to security@liquico-io.com with steps to reproduce. We respond within 48 hours.