Trust & Security

Security

Non-custodial by design. We never hold your funds, and every paying agent is screened.

Last updated: July 5, 2026

Non-custodial architecture

AsterPay is non-custodial payment infrastructure. We never take custody of funds: agent payments settle wallet-to-wallet on-chain, and crypto-to-EUR conversion and bank payout run on licensed European partner rails.

Architecture security

Non-custodial

Private keys never touch our servers. On-chain payments settle directly between wallets.

Licensed partner rails

Stablecoin→EUR conversion and SEPA Instant payouts to your IBAN are executed by licensed EU partners after KYB.

Multi-chain support

Secure integration with Base, Ethereum, Polygon, Arbitrum, and Optimism.

Webhook signing

HMAC-SHA256 signature verification for all webhook deliveries.

API authentication

The public API is keyless: free reads need no auth, and paid calls authenticate by payment (x402 / MPP). API keys are optional, for dashboard usage tracking and merchant features, with optional IP whitelisting for enterprise customers.

Rate limiting

Automatic rate limiting to prevent abuse and DDoS attacks.

Audit status

Smart contract exposure Non-custodial

AsterPay does not deploy or operate its own fund-custody smart contracts. Payments settle through audited, industry-standard primitives (USDC / EIP-3009 transferWithAuthorization on Base, the ERC-8004 identity registry, EAS attestations) and licensed EU partner rails. Our own application code is covered by internal code reviews and the security reviews below; AsterPay never takes custody of user funds on-chain.

Penetration testing In progress

Our application code is covered by continuous internal security reviews. An independent third-party penetration test is planned; we will publish the provider, scope and date once it is completed.

Infrastructure security

Threat model

What we protect against

What we don't protect against

Incident response

Security contact

If you discover a security vulnerability, please contact us immediately:

Disclosure policy

Compliance & certifications

GDPR & data protection

EU data residency on the settlement path. Minimal PII retained; agent payment proofs are cryptographic, not identity-bearing.

SOC 2 Type II In preparation

SOC 2-aligned controls are implemented and operational across our infrastructure. An independent SOC 2 Type II attestation has not yet been completed.

MiCA-aligned partner routing Compliant

Crypto-to-fiat settlement is routed through MiCA-aligned licensed European payment partners. AsterPay operates as a technical service provider behind partner authorisations.

Best practices for users

API key security

Wallet security

Questions?

For security-related questions: [email protected]

Related documents