Legal & Security > Security

Our approach to security

We apply multiple layers of organizational and technical measures to ensure that all potential threats to our platform are properly mitigated.

These measures are based on thorough risk assessments, and we are proud to be ISO 27001:2022 certified. Our practices also follow the Cryptocurrency Security Standard (CCSS) and are aligned with the requirements of the Digital Operational Resilience Act (DORA) to strengthen operational resilience across the financial sector.

The platform is designed in accordance with the General Data Protection Regulation (GDPR), ensuring the highest level of protection for our clients’ personal identifiable information (PII) and safeguarding customer data at all times

Organizational measures

Highly Secure Cold Storage with Controlled Access

One of our main priorities is the protection of customer assets held in our custody. We apply strict segregation of client funds and safeguard more than 95% of digital assets using the highest industry-standard custody technology, including Multi-Party Computation (MPC) solutions, combined with controlled access procedures.

A Dedicated Monitoring Team

We have continuous 24/7 monitoring in place to ensure service availability and to detect and respond to unusual activities in real time.

Strict Operational Procedures

Management of custody solutions, as well as all other platform support and development operations, is governed by strict operational procedures. To prevent misuse, we apply a clear segregation of duties and a well-defined governance structure. The most sensitive operations require the application of the “four-eyes principle”, ensuring accountability and oversight at all times.

Security Testing and Continuous Risk Assessment

We follow secure coding practices, conduct regular penetration tests, and promptly remediate identified vulnerabilities. These efforts are supported by a continuous risk assessment process to adapt to the evolving threat landscape.

In order to make sure that the security controls are sufficient for the ever-changing security threat landscape, a regular risk assessment process is put in place.

Technical Measures

Encryption Mechanisms

All communications with the platform are encrypted to prevent man-in-the-middle attacks and data interception. Stored sensitive data is also protected using advanced encryption standards.

Network Security

Our platform follows network zoning principles, segmenting servers based on data sensitivity. Critical systems are isolated from less sensitive environments to reduce risk exposure.

Physical Security

Physical security measures protect against unauthorized access to servers and custody infrastructure. The physical locations are confidential and secured with access control systems, security guards, and surveillance mechanisms.

DDoS Protection and Web Application Firewall

Our platform is protected against DDoS attacks and application-level threats (e.g., SQL injections, file injections, XSS) through a comprehensive DDoS mitigation system and web application firewall.

24/7 Monitoring

We operate 24/7 monitoring systems to detect anomalies and respond to failures in real time, ensuring high availability and security.

Regulatory Compliance

MiCA Compliance

Kriptomat complies with the Markets in Crypto-Assets Regulation (MiCA) (Regulation (EU) 2023/1114), ensuring:

Robust internal controls, clearly defined roles, and governance accountability for crypto-asset operations.
Custody services that meet MiCA Article 68, including client asset segregation, periodic reconciliations, and strong access control protocols.
Incident response procedures that include internal escalation, risk evaluation, and regulatory notifications where applicable.
Comprehensive risk assessments addressing market abuse, operational risks, and custodial risks, in line with MiCA Article 40.

GDPR Compliance

We are committed to upholding the principles of the General Data Protection Regulation (GDPR) through:

Data protection by design and by default, ensuring only necessary data is processed and privacy settings are configured to the highest protection levels.
User rights: Clients can access, correct, delete, or restrict the processing of their personal data by contacting our Data Protection Officer at [email protected].
Data minimisation and retention: We store personal data only as long as required to meet legal and operational needs.
Third-country data transfers: All data transfers outside the EEA comply with Chapter V of the GDPR, supported by Standard Contractual Clauses or other approved mechanisms.

DORA Compliance

We align with the Digital Operational Resilience Act (DORA) (Regulation (EU) 2022/2554) by implementing:

ICT risk management framework covering identification, classification, and mitigation of technology and cyber risks.
Operational resilience testing, including penetration tests, vulnerability scans, and scenario-based exercises to evaluate critical systems.
Incident classification and reporting, ensuring ICT-related incidents are promptly escalated and notified to relevant authorities in line with DORA timelines.
Third-party risk oversight, with due diligence, contractual safeguards, and ongoing monitoring of ICT service providers and critical outsourcing partners.
Business continuity and disaster recovery planning, including backup strategies, redundancy, and tested recovery procedures for critical services.

Board-level accountability, ensuring that senior management is directly responsible for DORA compliance and operational resilience strategy.