Infrastructure

Security by
architecture.

Every secret lives in HashiCorp Vault. Every AI output is encrypted at rest with AES-256. Every compliance gate fails closed. Every database user operates with least privilege.

Posture

Defense-in-depth. Audit-grade.

Vault-rendered secrets, AES-256 at rest, fail-closed gates, and tamper-evident audit trails. Embedded in the architecture; not configurable away.

AES-256
At rest
0
Secrets in source
Fail-closed
Default posture
C-07
Control reference
Infrastructure

Secrets. Encryption. Least privilege.

Security decisions are embedded in the architecture. No developer can bypass them. No configuration can weaken them.

01

HashiCorp Vault

All secrets stored in Vault with AppRole authentication. Three roles with scoped policies. Vault Agent sidecars render secrets into environment files.

Secrets in source0
02

Fail-closed gates

Sanctions screening, risk assessment, and pre-screen checks reject transactions on any error or timeout. No silent failures.

PostureFail-closed
03

Audit trail

Every AI decision is logged to a tamper-evident audit table with encrypted input/output summaries. Full regulatory traceability.

Control refC-07
Pipeline

Six security layers protect every transaction.

Every transfer that hits the system passes through six controlled stages, end to end.

01·Ingest

Real-time ingestion

Go indexers connect via WebSocket. They capture stablecoin transfers at block confirmation and write to TimescaleDB. Dust below $1 is filtered.
4 indexer processes
02·Screen

Sanctions screening

Every address runs against OFAC SDN, threat labels, and mixer registries. Results cache in Redis. Fail-closed: timeouts trigger blocks.
1,332 OFAC addresses
03·Score

ML risk scoring

Seven detectors and a meta-learner produce a calibrated probability. SHAP explanations and BNN uncertainty bounds accompany each score.
15 models
04·Triage

AI triage

The triage agent classifies each alert: false positive, needs investigation, or immediate SAR. Structured output with confidence scores.
2-3s triage (SLO)
Continued

Investigation and filing, same controls.

Investigation and SAR generation run inside the same audit envelope. Every fact is bound to source data.

05·Investigate

Investigation

The investigation agent pulls 90-day history, entity profiles, and ZK-circuit analysis. Produces structured evidence with timeline and key findings.
18s investigation time
06·File

SAR filing

FinCEN Part V narratives with typology codes. A hallucination gate verifies every fact against source data. Transmission via SFTP.
0 fabricated facts
Talk to us

Review our security architecture.

Schedule a security review with our engineering team.