AsterPay is non-custodial payment infrastructure. We never take custody of funds: agent payments settle wallet-to-wallet on-chain, and crypto-to-EUR conversion and bank payout run on licensed European partner rails.
Architecture security
Non-custodial
Private keys never touch our servers. On-chain payments settle directly between wallets.
Licensed partner rails
Stablecoin→EUR conversion and SEPA Instant payouts to your IBAN are executed by licensed EU partners after KYB.
Multi-chain support
Secure integration with Base, Ethereum, Polygon, Arbitrum, and Optimism.
Webhook signing
HMAC-SHA256 signature verification for all webhook deliveries.
API authentication
The public API is keyless: free reads need no auth, and paid calls authenticate by payment (x402 / MPP). API keys are optional, for dashboard usage tracking and merchant features, with optional IP whitelisting for enterprise customers.
Rate limiting
Automatic rate limiting to prevent abuse and DDoS attacks.
Audit status
Smart contract exposure Non-custodial
AsterPay does not deploy or operate its own fund-custody smart contracts. Payments settle through audited, industry-standard primitives (USDC / EIP-3009 transferWithAuthorization on Base, the ERC-8004 identity registry, EAS attestations) and licensed EU partner rails. Our own application code is covered by internal code reviews and the security reviews below; AsterPay never takes custody of user funds on-chain.
Penetration testing In progress
Our application code is covered by continuous internal security reviews. An independent third-party penetration test is planned; we will publish the provider, scope and date once it is completed.
Infrastructure security
- HTTPS only: All API endpoints use TLS 1.3 encryption
- Database encryption: All sensitive data encrypted at rest
- Secrets management: API keys and credentials stored securely
- Regular updates: Dependencies updated regularly for security patches
Threat model
What we protect against
- API key theft: Rate limiting, IP whitelisting, key rotation
- Man-in-the-middle: TLS 1.3 encryption, HSTS
- DDoS attacks: Rate limiting, CDN protection, auto-scaling
- Data breaches: Encryption at rest, minimal data collection
- Smart contract risk: Non-custodial design, audited standard token contracts (USDC/EIP-3009), application-level code reviews
What we don't protect against
- Wallet compromise: You are responsible for your own wallet security
- Blockchain network issues: We cannot control blockchain congestion or forks
- User error: Sending funds to wrong addresses, phishing attacks
Incident response
Security contact
If you discover a security vulnerability, please contact us immediately:
- Email: [email protected]
- Response SLA: 24 hours acknowledgment
- Please include: Description, steps to reproduce, potential impact
Disclosure policy
- We will acknowledge receipt within 24 hours
- We will provide regular updates on remediation progress
- We will credit researchers in our security advisories
- We follow responsible disclosure practices
Compliance & certifications
GDPR & data protection
EU data residency on the settlement path. Minimal PII retained; agent payment proofs are cryptographic, not identity-bearing.
SOC 2 Type II In preparation
SOC 2-aligned controls are implemented and operational across our infrastructure. An independent SOC 2 Type II attestation has not yet been completed.
MiCA-aligned partner routing Compliant
Crypto-to-fiat settlement is routed through MiCA-aligned licensed European payment partners. AsterPay operates as a technical service provider behind partner authorisations.
Best practices for users
API key security
- Never commit API keys to version control
- Use environment variables for API keys
- Rotate keys regularly
- Use IP whitelisting for production keys
- Monitor API usage for suspicious activity
Wallet security
- Use hardware wallets for large amounts
- Never share your private keys
- Verify wallet addresses before sending funds
- Keep wallet software updated
- Use multi-signature wallets for teams
Questions?
For security-related questions: [email protected]