Every signing key is sharded into three pieces via threshold signature schemes (TSS, GG20, or FROST). Two of three shards must cooperate via secure multi-party computation to produce a signature. No machine, engineer, or region holds the full key — including us.
Signer shards live exclusively inside FIPS 140-2 Level 3 hardware security modules (AWS CloudHSM in production). Air-gapped during provisioning. Attested at every boot. Tamper-resistant by design.
Withdrawal allowlists, multi-sig thresholds, time-locks, and velocity caps are enforced where signatures are produced — not at the API. A compromised API key cannot bypass a policy. Period.
Three independent regions. Three independent cloud providers. Three independent network paths. A region-level outage degrades the service but doesn't stop signing. A cloud-provider-level outage neither.
Recovery shard material is exportable on demand. Use our open-source recovery tool to sign transactions independently if Stableops ever becomes unavailable. We don't believe in custody lock-in.
Quarterly penetration tests by Trail of Bits and Halborn on the MPC signing layer. Public bug bounty program with payouts up to $250K. Monthly threat-model reviews with external advisors.
Renewed annually. Covers security, availability, and confidentiality controls across the platform.
Request report →Information security management certification. Audited by an accredited registrar.
Request certificate →Annual penetration test of MPC signing infrastructure. Public summary of findings and remediations.
Read summary →Annual smart-contract and infrastructure audit covering on-chain components and paymaster bundlers.
Read summary →$50M of crime insurance coverage through Lloyd's of London syndicates, covering custody-related losses.
Coverage details →Public program on HackerOne. Critical vulnerabilities up to $250K. Average payout 5 days.
Submit a report →A follow-the-sun ops team monitors signing, indexing, and webhook delivery in three regions. Incidents are paged in under 60 seconds with named on-call rotations across SF, Berlin, and Singapore.
Public status page (status.stableops.finance) updates within 5 minutes of any incident. Post-mortems published within 7 days for any customer-impacting event. Customers receive direct notification before public disclosure.