Organizational Measures
Highly Secure Cold Storage with Controlled Access
One of our main priorities is the protection of customer assets held in our custody. We apply strict segregation of client funds and safeguard more than 95% of digital assets using industry-standard custody technology, including Multi-Party Computation (MPC) solutions, combined with controlled access procedures.
A Dedicated Monitoring Team
We have continuous 24/7 monitoring in place to ensure service availability and to detect and respond to unusual activities in real time.
Strict Operational Procedures
Management of custody solutions, as well as all other platform support and development operations, is governed by strict operational procedures. To prevent misuse, we apply a clear segregation of duties and a well-defined governance structure. The most sensitive operations require the application of the “four-eyes principle”, ensuring accountability and oversight at all times.
Security Testing and Continuous Risk Assessment
We follow secure coding practices, conduct regular penetration tests, and promptly remediate identified vulnerabilities. These efforts are supported by a continuous risk assessment process to adapt to the evolving threat landscape.
Technical Measures
Encryption Mechanisms
All communications with the platform are encrypted to prevent man-in-the-middle attacks and data interception. Stored sensitive data is also protected using advanced encryption standards.
Network Security
Our platform follows network zoning principles, segmenting servers based on data sensitivity. Critical systems are isolated from less sensitive environments to reduce risk exposure.
Physical Security
Physical security measures protect against unauthorized access to servers and custody infrastructure. The physical locations are confidential and secured with access control systems, security guards, and surveillance mechanisms.
DDoS Protection and Web Application Firewall
Our platform is protected against DDoS attacks and application-level threats (e.g., SQL injection, file injection, XSS) through a comprehensive DDoS mitigation system and a web application firewall.
24/7 Monitoring
We operate 24/7 monitoring systems to detect anomalies and respond to failures in real time, ensuring high availability and security.
Regulatory Compliance
MiCA Compliance
Kriptomat complies with the Markets in Crypto-Assets Regulation (MiCA) (Regulation (EU) 2023/1114), ensuring:
- Robust internal controls, clearly defined roles, and governance accountability for crypto-asset operations.
- Custody services that meet MiCA Article 68, including client asset segregation, periodic reconciliations, and strong access control protocols.
- Incident response procedures that include internal escalation, risk evaluation, and regulatory notifications where applicable.
- Comprehensive risk assessments addressing market abuse, operational risks, and custodial risks, in line with MiCA Article 40.
GDPR Compliance
We are committed to upholding the principles of the General Data Protection Regulation (GDPR) through:
- Data protection by design and by default, ensuring only necessary data is processed and privacy settings are configured to the highest protection levels.
- User rights: Clients can access, correct, delete, or restrict the processing of their personal data by contacting our Data Protection Officer at [email protected].
- Data minimisation and retention: We store personal data only as long as required to meet legal and operational needs.
- Third-country data transfers: All data transfers outside the EEA comply with Chapter V of the GDPR, supported by Standard Contractual Clauses or other approved mechanisms.
DORA Compliance
We align with the Digital Operational Resilience Act (DORA) (Regulation (EU) 2022/2554) by implementing:
- ICT risk management framework covering identification, classification, and mitigation of technology and cyber risks.
- Operational resilience testing, including penetration tests, vulnerability scans, and scenario-based exercises to evaluate critical systems.
- Incident classification and reporting, ensuring ICT-related incidents are promptly escalated and notified to relevant authorities in line with DORA timelines.
- Third-party risk oversight, with due diligence, contractual safeguards, and ongoing monitoring of ICT service providers and critical outsourcing partners.
- Business continuity and disaster recovery planning, including backup strategies, redundancy, and tested recovery procedures for critical services.
- Board-level accountability, ensuring that senior management is directly responsible for DORA compliance and operational resilience strategy.