Security & Compliance

11.1 Data Protection & Privacy

How Your Data is Protected:

  • Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)

  • Access Controls: Role-based access control (RBAC) limits data access

  • Audit Logging: All data access is logged and monitored

  • Regular Backups: Daily encrypted backups with a tested disaster recovery plan

  • GDPR Compliance: Rights to access, rectify, and delete personal data

Personal Information Collected:

  • Identity information (name, date of birth)

  • Contact information (email, phone)

  • Financial information (income, assets, net worth)

  • Investment history and preferences

  • Government ID documents (for KYC)

  • Wallet addresses

How Your Information is Used:

  • Verify your identity (KYC/AML)

  • Assess investment suitability

  • Process transactions

  • Send project updates and notifications

  • Comply with regulatory requirements

  • Improve platform services

Your Privacy Rights:

  • Access your personal data

  • Correct inaccurate data

  • Request data deletion (subject to legal retention)

  • Export your data

  • Opt-out of marketing communications

11.2 Access Controls & Permissions

User Authentication:

  • Password requirements: 12+ characters, including an uppercase letter, a lowercase letter, a number, and a special character

  • Multi-factor authentication (MFA) available; enabling it is strongly recommended (see 11.7)

  • Session timeout after 30 minutes of inactivity

  • Account lockout after 5 consecutive failed login attempts
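The authentication rules above, implemented as an added example (Python, not the platform's own code): the password check, a per-account failure counter with lockout, and the idle-session check. The 15-minute lockout duration, the in-memory store and the unix-second timestamps are assumptions the page does not state.

```python
"""Password policy, failed-login lockout and session inactivity timeout.

Added example, not the platform's own code. It models the rules listed above:
12+ characters with upper, lower, digit and special character; lockout after 5
failed attempts; 30-minute inactivity timeout. The 15-minute lockout duration
and the in-memory store are assumptions; the page does not state them.
Timestamps are unix seconds (as returned by time.time()).
"""
import string

MIN_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60          # assumed; the page gives no duration
SESSION_IDLE_SECONDS = 30 * 60


def password_policy_errors(password: str) -> list:
    """Return the rules the password fails; an empty list means it is compliant."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"at least {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        errors.append("an uppercase letter")
    if not any(c.islower() for c in password):
        errors.append("a lowercase letter")
    if not any(c.isdigit() for c in password):
        errors.append("a digit")
    if not any(c in string.punctuation for c in password):
        errors.append("a special character")
    return errors


class LoginGuard:
    """Counts consecutive failed logins per account and enforces the lockout.

    The caller must check is_locked() before verifying the password, and must
    return the same generic error for 'locked', 'wrong password' and 'no such
    user' so the response does not reveal which accounts exist."""

    def __init__(self):
        self._failed = {}        # user -> consecutive failures
        self._locked_until = {}  # user -> unix time at which the lockout ends

    def is_locked(self, user: str, now: float) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # lockout expired: reset so the user gets a fresh attempt budget
            del self._locked_until[user]
            self._failed.pop(user, None)
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Record a failed attempt; returns True if the account is now locked."""
        if self.is_locked(user, now):
            return True
        self._failed[user] = self._failed.get(user, 0) + 1
        if self._failed[user] >= MAX_FAILED_ATTEMPTS:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login clears the failure counter."""
        self._failed.pop(user, None)


def session_expired(last_activity: float, now: float) -> bool:
    """A session is invalid once 30 minutes pass without a request."""
    return now - last_activity >= SESSION_IDLE_SECONDS
```

Note that the lockout is keyed by account, not by source address: an attacker trying a few passwords against each of many accounts never trips it, which is why the audit-log detection in 11.6 is still needed.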

Role-Based Access Control:

Data Type               Platform Admin   Issuer Admin    Investor
----------------------  ---------------  --------------  --------------
All organizations       Full access      Own org only    No access
All projects            Full access      Own org only    Approved only
User PII                Full access      No access       Own only
Financial transactions  Full access      Own org only    Own only
Audit logs              Full access      No access       No access
KYC documents           Full access      No access       Own only
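The matrix above as an authorization check, added here as an example and not the platform's own code. Role names, the resource fields (owner_user, owner_org, approved) and the reading of "Approved only" as projects approved for listing are assumptions. The point it makes is that the role alone is not enough: every scope other than Full access needs an ownership or status check against the specific record, and the default is deny.

```python
"""Object-level authorization for the role matrix above.

Added example, not the platform's own code. Role names, the resource fields and
the reading of "Approved only" as "projects approved for listing" are
assumptions. Anything not explicitly granted is refused.
"""
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    PLATFORM_ADMIN = "platform_admin"
    ISSUER_ADMIN = "issuer_admin"
    INVESTOR = "investor"


class Scope(Enum):
    FULL = "full"          # every record of this type
    OWN_ORG = "own_org"    # records belonging to the principal's organization
    OWN = "own"            # records belonging to the principal
    APPROVED = "approved"  # only records marked approved
    NONE = "none"


PA, IA, INV = Role.PLATFORM_ADMIN, Role.ISSUER_ADMIN, Role.INVESTOR

# Data type -> role -> scope, transcribed row by row from the table above.
POLICY = {
    "organization": {PA: Scope.FULL, IA: Scope.OWN_ORG, INV: Scope.NONE},
    "project":      {PA: Scope.FULL, IA: Scope.OWN_ORG, INV: Scope.APPROVED},
    "user_pii":     {PA: Scope.FULL, IA: Scope.NONE,    INV: Scope.OWN},
    "transaction":  {PA: Scope.FULL, IA: Scope.OWN_ORG, INV: Scope.OWN},
    "audit_log":    {PA: Scope.FULL, IA: Scope.NONE,    INV: Scope.NONE},
    "kyc_document": {PA: Scope.FULL, IA: Scope.NONE,    INV: Scope.OWN},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    org_id: str
    role: Role


@dataclass(frozen=True)
class Resource:
    kind: str           # key of POLICY
    owner_user: str     # user the record belongs to ("" if not user-owned)
    owner_org: str      # organization the record belongs to
    approved: bool = False


def can_access(principal: Principal, resource: Resource) -> bool:
    """Evaluate the matrix, then the ownership or status check the scope needs."""
    scope = POLICY.get(resource.kind, {}).get(principal.role, Scope.NONE)
    if scope is Scope.FULL:
        return True
    if scope is Scope.OWN_ORG:
        return resource.owner_org == principal.org_id
    if scope is Scope.OWN:
        return resource.owner_user == principal.user_id
    if scope is Scope.APPROVED:
        return resource.approved
    return False  # Scope.NONE, or a data type the matrix does not list
```

Because the check takes the concrete record, it also closes the usual insecure-direct-object-reference hole: an investor who guesses another investor's KYC document ID is refused on the owner_user comparison, not merely on the role.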

11.3 Audit Trails & Logging

All actions are logged, including:

  • User authentication (login, logout, failed attempts)

  • Role assignments and changes

  • Project creation, submission, approval/rejection

  • Organization changes and change requests

  • Document uploads and downloads

  • Investment transactions

  • Data exports

  • Admin actions

Log Retention:

  • Security logs: 7 years

  • Transaction logs: 10 years (regulatory requirement)

  • Access logs: 3 years

  • Session logs: 1 year

Audit Log Access:

  • Platform admins: Full access to all logs (the only role with access to the complete audit log, as in the matrix in 11.2)

  • Issuer admins: Activity log for their own organization

  • Investors: Activity log for their own account

  • Available via Settings → Security → Activity Log

11.4 Regulatory Compliance

Securities Regulations:

  • Reg D (Rules 506(b) and 506(c)): Private placement exemptions

  • Reg A+: Tier 2 offerings of up to $75M in a 12-month period

  • Reg CF: Crowdfunding exemption of up to $5M in a 12-month period

  • All offerings comply with applicable securities laws

KYC/AML Compliance:

  • Know Your Customer (KYC) verification required for all investors

  • Anti-Money Laundering (AML) screening

  • Politically Exposed Persons (PEP) checks

  • Sanctions list screening (OFAC, EU, UN)

  • Ongoing transaction monitoring

Accredited Investor Verification:

  • Income verification ($200K+ individual or $300K+ joint with spouse, in each of the two most recent years)

  • Net worth verification ($1M+, individually or jointly, excluding primary residence)

  • Professional certifications (holders in good standing of Series 7, 65, or 82 licenses)

  • Third-party verification services integrated (required for Rule 506(c) offerings, where the issuer must take reasonable steps to verify accreditation)

Data Privacy Regulations:

  • GDPR (EU General Data Protection Regulation)

  • CCPA (California Consumer Privacy Act)

  • PIPEDA (Canada's Personal Information Protection and Electronic Documents Act)

  • Data protection officer appointed

  • Privacy by design principles

Investor Suitability:

  • Risk tolerance assessment required

  • Investment profile matching

  • Suitability warnings for high-risk investments

  • Accreditation requirements enforced

11.5 Smart Contract Security

Blockchain & Smart Contracts:

  • Smart contracts audited by third-party security firms

  • Multi-signature wallets for issuer funds

  • Time-locked token transfers

  • Emergency pause functionality

  • Transparent on-chain transactions

Supported Blockchains:

  • Ethereum (ERC-20, ERC-1400 security tokens)

  • Polygon (lower gas fees)

  • Other EVM-compatible chains

Token Standards:

  • ERC-1400: Security token standard with compliance features

  • Transfer restrictions based on investor accreditation

  • Automated compliance checks

  • Dividend distribution automation
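A Python model, added here and not the platform's contract, of the pre-transfer compliance check that the pause, time-lock and accreditation features above combine into. It follows the shape of ERC-1400's canTransfer, which returns a status byte from the ERC-1066 range (0x51 success, 0x52 insufficient balance, 0x54 transfers halted, 0x55 funds locked, 0x56 invalid sender, 0x57 invalid receiver); the holder registry fields and the order of checks are assumptions.

```python
"""Model of the pre-transfer compliance check a security token applies.

Added example, written in Python rather than Solidity and not the platform's
contract. It mirrors ERC-1400's canTransfer, which returns an ERC-1066 status
byte; the registry fields, the lock-up handling and the order of the checks
are assumptions for the example. Timestamps are unix seconds.
"""
from dataclasses import dataclass, field

SUCCESS = 0x51
INSUFFICIENT_BALANCE = 0x52
TRANSFERS_HALTED = 0x54   # emergency pause engaged
FUNDS_LOCKED = 0x55       # time lock has not expired
INVALID_SENDER = 0x56
INVALID_RECEIVER = 0x57


@dataclass
class Holder:
    accredited: bool        # passed KYC and accreditation checks
    balance: int = 0
    locked_until: int = 0   # unix time before which the holder's tokens cannot move


@dataclass
class SecurityToken:
    paused: bool = False
    holders: dict = field(default_factory=dict)   # address -> Holder

    def can_transfer(self, sender: str, receiver: str, amount: int, now: int) -> int:
        """Return a status code; only SUCCESS means the transfer is allowed.

        Every failure is explicit, so an address missing from the registry is
        refused rather than falling through to success."""
        if self.paused:
            return TRANSFERS_HALTED
        src = self.holders.get(sender)
        dst = self.holders.get(receiver)
        if src is None or not src.accredited:
            return INVALID_SENDER
        if dst is None or not dst.accredited:
            return INVALID_RECEIVER
        if now < src.locked_until:
            return FUNDS_LOCKED
        if amount <= 0 or src.balance < amount:
            return INSUFFICIENT_BALANCE
        return SUCCESS

    def transfer(self, sender: str, receiver: str, amount: int, now: int) -> int:
        """Apply the transfer only when can_transfer approves it; return the code."""
        code = self.can_transfer(sender, receiver, amount, now)
        if code == SUCCESS:
            self.holders[sender].balance -= amount
            self.holders[receiver].balance += amount
        return code
```

Keeping can_transfer as a read-only function that transfer() calls first is what lets a front end explain a refusal (locked, paused, receiver not accredited) before the user pays gas for a transaction that will revert.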

11.6 Incident Response

Security Incident Response Plan:

  1. Detection: Automated monitoring alerts on suspicious activity

  2. Assessment: Security team evaluates severity and scope

  3. Containment: Immediate action to prevent further damage

  4. Eradication: Remove the threat and fix the vulnerabilities it exploited

  5. Recovery: Restore normal operations

  6. Notification: Inform affected users within 72 hours where required (GDPR separately requires the supervisory authority to be notified within 72 hours of becoming aware of a personal data breach)

  7. Post-Incident Review: Document lessons learned and improve processes
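Two detection rules of the kind step 1 relies on, run over events of the types listed in 11.3, as an added example (not the platform's monitoring). The event schema, the sample events and the thresholds are constructed. Rule 1 looks for the credential-stuffing pattern that the per-account lockout in 11.2 does not catch (one source address, many accounts, fewer than 5 attempts each); rule 2 flags a burst of data exports by one user.

```python
"""Detection rules over audit events (constructed sample, not real log data).

Added example, not the platform's own monitoring. Event fields, thresholds and
windows are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of the audit log: one source address fails against six
# different accounts in ten seconds, then one user exports data three times.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:01", "action": "login_failed",  "user": "alice", "ip": "203.0.113.7"},
    {"ts": "2024-03-01T09:00:03", "action": "login_failed",  "user": "bob",   "ip": "203.0.113.7"},
    {"ts": "2024-03-01T09:00:05", "action": "login_failed",  "user": "carol", "ip": "203.0.113.7"},
    {"ts": "2024-03-01T09:00:06", "action": "login_failed",  "user": "dave",  "ip": "203.0.113.7"},
    {"ts": "2024-03-01T09:00:08", "action": "login_failed",  "user": "erin",  "ip": "203.0.113.7"},
    {"ts": "2024-03-01T09:00:10", "action": "login_success", "user": "frank", "ip": "203.0.113.7"},
    {"ts": "2024-03-01T09:05:00", "action": "login_failed",  "user": "alice", "ip": "198.51.100.2"},
    {"ts": "2024-03-01T10:00:00", "action": "data_export",   "user": "frank", "ip": "203.0.113.7"},
    {"ts": "2024-03-01T10:00:30", "action": "data_export",   "user": "frank", "ip": "203.0.113.7"},
    {"ts": "2024-03-01T10:01:00", "action": "data_export",   "user": "frank", "ip": "203.0.113.7"},
    {"ts": "2024-03-01T14:00:00", "action": "data_export",   "user": "grace", "ip": "192.0.2.9"},
]

STUFFING_WINDOW = timedelta(minutes=5)
STUFFING_DISTINCT_USERS = 5   # distinct accounts failing from one address
EXPORT_WINDOW = timedelta(minutes=10)
EXPORT_MAX = 3                # exports by one user inside the window


def _parse(events):
    """Parse timestamps and sort, so the sliding window sees events in order."""
    parsed = [{**e, "ts": datetime.fromisoformat(e["ts"])} for e in events]
    return sorted(parsed, key=lambda e: e["ts"])


def _sliding_alerts(events, key, threshold, window, count_distinct=None):
    """Alert once per `key` when the count inside `window` reaches `threshold`.

    With count_distinct set, distinct values of that field are counted instead
    of raw events (e.g. distinct accounts per source address)."""
    buckets = defaultdict(list)
    alerted = set()
    alerts = []
    for e in events:
        k = e[key]
        bucket = buckets[k]
        bucket.append(e)
        while bucket and e["ts"] - bucket[0]["ts"] > window:
            bucket.pop(0)   # expire events that fell out of the window
        if count_distinct:
            n = len({x[count_distinct] for x in bucket})
        else:
            n = len(bucket)
        if n >= threshold and k not in alerted:
            alerted.add(k)   # one alert per key; a real system would re-arm
            alerts.append({"key": k, "count": n, "at": e["ts"].isoformat()})
    return alerts


def detect_credential_stuffing(events):
    """One source address failing against many distinct accounts in the window."""
    failed = [e for e in _parse(events) if e["action"] == "login_failed"]
    return _sliding_alerts(failed, "ip", STUFFING_DISTINCT_USERS, STUFFING_WINDOW,
                           count_distinct="user")


def detect_export_bursts(events):
    """One user performing an unusual number of data exports in the window."""
    exports = [e for e in _parse(events) if e["action"] == "data_export"]
    return _sliding_alerts(exports, "user", EXPORT_MAX, EXPORT_WINDOW)
```

The successful login by "frank" from the same address right after five failures is the event a responder would pull next: it is what distinguishes a stuffing run that found a valid credential from one that did not.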

How to Report Security Issues:

  • In-app: Settings → Security → Report Issue

  • Bug bounty program for responsible disclosure

11.7 Best Practices for Users

For All Users:

  • ✅ Use strong, unique passwords

  • ✅ Enable multi-factor authentication (MFA)

  • ✅ Never share your login credentials

  • ✅ Log out when using shared computers

  • ✅ Keep your email account secure

  • ✅ Beware of phishing emails

  • ✅ Verify URLs before entering credentials

  • ✅ Review your activity log regularly

For Issuer Admins:

  • ✅ Limit team member access to necessary functions only

  • ✅ Review and approve all project submissions carefully

  • ✅ Keep organization information up to date

  • ✅ Secure all uploaded documents

  • ✅ Monitor investor activity for anomalies

For Investors:

  • ✅ Use hardware wallets for large holdings

  • ✅ Keep wallet recovery phrases offline and secure

  • ✅ Verify token contract addresses before transactions

  • ✅ Be cautious of too-good-to-be-true returns

  • ✅ Review all legal documents before investing

  • ✅ Never send funds to unverified addresses
