Security

Last updated: January 27, 2026

Non-Custodial Architecture

AsterPay is a non-custodial payment infrastructure. We never hold your funds. Payments go directly to your wallet with zero counterparty risk.

Architecture Security

🔐 Non-Custodial

Private keys never touch our servers. Funds go directly to your wallet.

🔑 HD Wallet System

Deterministic wallet generation using industry-standard BIP-32/BIP-44.

🌐 Multi-Chain Support

Secure integration with Base, Ethereum, Polygon, Arbitrum, and BSC.

📡 Webhook Signing

HMAC-SHA256 signature verification for all webhook deliveries.

🔒 API Authentication

API keys with optional IP whitelisting for enterprise customers.

🛡️ Rate Limiting

Automatic rate limiting to prevent abuse and DDoS attacks.

Audit Status

Smart Contract Audit

Status: Pending

We are planning a comprehensive smart contract audit for our payment infrastructure. Expected completion: Q2 2026.

Penetration Testing

Status: Planned

Regular penetration testing is scheduled for Q2 2026. We will publish results and remediation actions.

Infrastructure Security

HTTPS only: All API endpoints use TLS 1.3 encryption
Database encryption: All sensitive data encrypted at rest
Secrets management: API keys and credentials stored securely
Regular updates: Dependencies updated regularly for security patches

Threat Model

What We Protect Against

API key theft: Rate limiting, IP whitelisting, key rotation
Man-in-the-middle: TLS encryption, certificate pinning
DDoS attacks: Rate limiting, CDN protection, auto-scaling
Data breaches: Encryption at rest, minimal data collection
Smart contract vulnerabilities: Code reviews, planned audits

What We Don't Protect Against

Wallet compromise: You are responsible for your own wallet security
Blockchain network issues: We cannot control blockchain congestion or forks
User error: Sending funds to wrong addresses, phishing attacks

Incident Response

Security Contact

If you discover a security vulnerability, please contact us immediately:

Email: [email protected]
Response SLA: 24 hours acknowledgment
Please include: Description, steps to reproduce, potential impact

Bug Bounty Program

Status: Coming Soon

We are planning a bug bounty program for Q2 2026. Rewards will be based on severity and impact.

Disclosure Policy

We will acknowledge receipt within 24 hours
We will provide regular updates on remediation progress
We will credit researchers in our security advisories
We follow responsible disclosure practices

Compliance & Certifications

GDPR Compliance

Status: Compliant

We are GDPR-compliant and process all data in EU data centers.

SOC 2 Type II

Status: In Progress

SOC 2 Type II certification planned for Q3 2026.

MiCA Compliance

Status: Preparing

Preparing for MiCA (Markets in Crypto-Assets) compliance. Learn more →

Best Practices for Users

API Key Security

Never commit API keys to version control
Use environment variables for API keys
Rotate keys regularly
Use IP whitelisting for production keys
Monitor API usage for suspicious activity

Wallet Security

Use hardware wallets for large amounts
Never share your private keys
Verify wallet addresses before sending funds
Keep wallet software updated
Use multi-signature wallets for teams

Questions?

For security-related questions:

General: [email protected]
Investors: [email protected]