Self-Custody Infrastructure

Be the owner of your funds without compromising speed and security using Venlys' self-custody infrastructure

Venlys' Self-Custody Infrastructure is a secure and reliable process to store your digital assets in secure digital wallets. With our robust APIs and multi-layer security, you can rely on our work to keep your assets safe and accessible.

How do we do it at Venly?

Web Authentication Service

Venly utilizes an identity provider and web authentication service as the initial layer of authentication. Users can authenticate using their email and password or via a social login, acquiring access to the developer portal. Clients' requests to Venly (web, browser extension, or mobile) must first be authenticated to gain access to credentials via the developer portal.

Authentication via a Bearer token

Next, the user must obtain a bearer token using their access credentials, client ID and client secret, obtained from the developer portal. The bearer token is the user's entry for using API calls.

📘

The bearer token is only valid for six minutes and must be refreshed to obtain a new one.

Signing Methods

To this end, we implement an additional authorization layer called signing methods. These signing methods are only known to end-users and are used to unlock their wallets.

Every sensitive operation (for example, signing a transaction, initiating a transaction, or exporting a wallet) requires the end-user to authorize the request to perform that operation using their signing method.

We allow three types of signing methods:

  1. PIN: A six-digit pincode only known by the end-user.
  2. Emergency Code: A complex password that serves as a gateway to unlock a wallet or recover a lost PIN. It is 25 characters long and has a minimum of 128 bits of entropy.
  3. Bimoterics: This signing method allows users to utilize biometric features such as Face ID or Touch ID for authentication.

Shamir's secret sharing

A wallet's private key is divided into two shares: user-owned share and application share. These shares are further encrypted and stored in a key vault.

The user-owned share can be decrypted using that user's signing method. The application share is decrypted using the credentials: client ID and client secret.

Both of these shares are combined and unlock an end user's wallet. If a malicious entity gains access to one of the two shares, it is practically useless for them, as both shares must be combined to gain access to a wallet.

Isolated generation of the private key

Venly uses Amazon Fargate to generate the private key of a wallet when required temporarily. With the Fargate launch type, you package your application into containers and specify how much CPU power and memory it needs. You also set up networking and security rules. Each Fargate task runs in its own isolated environment, meaning it doesn't share its core resources—like CPU, memory, or network connection—with any other task. This ensures your application runs isolated and secure.

Segregated Model

Venly's offerings, namely the Wallet-API and Widget solutions, follow a segregated model, reflecting a commitment to providing users with a high level of individual control, security, and transparency in managing their digital assets.

Each user is treated as a separate and unique entity. Tokens are not pooled together, and the wallet's owner is the sole custodian of that wallet.

Under Venly's segregated accounts model, each user becomes the sole custodian of their wallet. This means that the ownership and control of the wallet's private keys rest entirely with the individual user.

Clean and simple integration

Our service offerings are designed for easy implementation and seamless integration with your applications. We understand that an easy integration process is key to minimizing issues and maximizing efficiency. On the other hand, more complex integrations, such as the one required for MPC (Multi-Party Computation), can lead to increased challenges and potential vulnerabilities.

While MPC offers advanced security features, its integration process can be more involved, potentially leading to compatibility issues or vulnerabilities like the Zero Day vulnerability

Proven Security

Venly boasts an impressive six-year track record of impeccable security, having never experienced a single security breach since its inception.

With over 6 million wallets powered by Venly, our commitment to safeguarding users' assets underscores our reliability and trustworthiness in the ever-evolving digital landscape.

Venly's unwavering dedication to security has ensured that user wallets remain uncompromised, maintaining our impeccable track record in the industry.

SOC 2 Type II Certification

Venly, the leading blockchain technology solutions provider, is pleased to announce that it has successfully completed the Service Organization Control 2 (SOC 2) Type 2 compliance assessment. This achievement reflects Venly's dedication to upholding its services' highest data security, privacy, and reliability standards.

By achieving SOC 2 Type II compliance, Venly demonstrates its proactive approach to safeguarding customer data and confidential information. The rigorous assessment process involved a comprehensive evaluation of Venly's systems, policies, and procedures, ensuring they meet the strictest industry standards.

Cobalt.io Audits

We at Venly quickly identify and reduce risk with Audits performed by Cobalt.io. They offer instant access to expert testers and real-time security findings. We seamlessly scale our security efforts as needs change. We stay ahead of threats with continuous offensive security testing, relying on seasoned experts to safeguard our organization. As a reliable partner, Cobalt combines expert insights to carry out detailed audits of security.

Bug Bounty Program

We also offer a bug bounty program via Intigriti - (cybersecurity bug bounty program). By leveraging the skills of a diverse pool of ethical hackers, we can identify and address vulnerabilities more effectively than relying solely on our internal team.

With a bug bounty program, our systems are continuously tested, ensuring that new vulnerabilities are identified and resolved promptly. The insights gained from bug reports lead to better code quality and more secure product development practices.

Encrypted Databases

Within Venly's framework, encryption isn't just an afterthought; it's a foundational principle of operations. Each piece of data stored within the databases is encrypted using robust encryption algorithms, rendering it indecipherable to anyone without the proper cryptographic keys.

This approach ensures that even if a malicious actor were to gain access to the database, the information would remain safely locked away, beyond their reach.

ISO27001 Certification

Venly has received its official ISO 27001 certification, the world’s best-known standard for information security management systems.

Being so certified “proves that we have consistently implemented rigorous controls,” commented Venly CEO Tim Dierckxsens, “and demonstrates our dedication to maintaining the highest security and compliance standards.”

These standards comprise a systematic approach to managing sensitive information and reducing the risk of security breaches. They provide best practices in:

  1. Risk assessment and management
  2. Access control and user management
  3. Incident management and response
  4. Business continuity planning
  5. Compliance with legal and regulatory requirements
  6. Physical and environmental security

Enterprise-grade Security