1. Governance framework
We base our program on the Brazilian Central Bank's VASP guidelines, CVM recommendations, and best practices from FATF and GDPR.
- Risk assessments conducted semi-annually covering technology, partners, and vendors.
- Policies reviewed every six months with board oversight and documented approvals.
2. Security controls
Security is embedded through automated checks, least-privilege access, and continuous monitoring across our infrastructure.
- MPC key management with hardware-backed enclaves and biometric recovery workflows.
- Independent penetration tests performed annually with remediation tracking.
- Incident response playbooks aligned with ISO/IEC 27035.
3. Transaction monitoring
We monitor blockchain activity through risk scoring, sanctions screening, and anomaly detection to identify suspicious behavior early.
- Automated alerts for flagged wallet addresses and velocity thresholds.
- Case management for compliance analysts with audit-ready documentation.
4. Data requests & cooperation
Lawful requests from authorities are reviewed by our legal team and answered when valid data is available.
- We require official documentation and only disclose the minimum necessary information.
- Users are notified when legally permitted, especially in cross-border scenarios.
5. Audits & certifications
Our roadmap includes SOC 2 Type I in 2025 and Type II in 2026 alongside continuous LGPD readiness reviews.
- Vulnerability management metrics shared quarterly with enterprise partners.
- Vendors must pass security questionnaires and sign DPAs before integration.