Treasury operators and agents authenticate through Okta. Each identity carries its own policy scope within the org ceiling.
A transaction request is canonicalized and hashed. Spend caps, velocity limits, and size thresholds evaluate first, in deterministic policy.
Transactions above threshold require quorum approval. Each approver reviews the exact recipient, amount, and chain bound to the hash.
On approval, signing happens inside the enclave against the wallet platform. The signed transaction is the only output; keys never leave.
Exactly once execution prevents a retry storm from double signing. A consumed approval returns the cached result instead of re executing.
Every decision, approval, and signature lands in the append only audit log with its attestation document hash.
Direct, secure API integrations with Fireblocks, Fordefi, and Utila, plus support for any institutional MPC wallet.
Four eyes or full quorum sign off on high value operations, bound to the exact transaction parameters.
Org admins set ceilings that user policies can only narrow. A user cannot raise a limit an admin set.
Private keys exist in unwrappable form only inside enclave memory. The strongest form of the guarantee.
Hash chained record of every decision and signature, aligned to 13 month retention by default.
The signed transaction is the only output. Private keys exist in unwrappable form only inside enclave memory.
Approvals bind to subject, issuer, tenant, and payload hash. An approval issued to one operator cannot be replayed by another.
Lower policy layers can only narrow. A user cannot raise the spend ceiling an org admin set.
Every decryption records its attestation document hash, so an incident review can reconstruct the exact decision path.
Walk through the trust model, policy design, and rollout with our security and solutions team.