BlockSign Asset Operations
ISO 27001 Certified

Enterprise Security Architecture

Defense-in-depth security with four wallet security models, policy-driven approvals, and comprehensive audit logging. Built for institutional compliance requirements.

Request Security DemoView Trust Center

Wallet Security Models

Choose the right balance of security and usability for your organization

5/10

HD Wallet

Hierarchical Deterministic wallet with encrypted master seed. Single-key simplicity for smaller operations.

7/10

MPC-Shamir

Shamir's Secret Sharing with k-of-n threshold reconstruction. Key reconstructed only during signing.

10/10

MPC-FROST

Threshold signatures with DKG. Private key is NEVER reconstructed - highest security available.

9/10

Hardware Wallet

Air-gapped Keystone device integration with QR-based signing for physical security.

FROST Threshold Signatures

FROST (Flexible Round-Optimized Schnorr Threshold Signatures) represents the highest security level available. Unlike traditional multi-signature or Shamir's Secret Sharing, FROST never reconstructs the complete private key at any point.

Distributed Key Generation (DKG)
Keys are generated collaboratively - no single party ever holds the complete key
Threshold Signing
t-of-n guardians produce partial signatures that aggregate into a valid signature
Guardian Resharing
Replace guardians without key reconstruction or wallet migration
// FROST DKG Ceremony
Round 1: Commitment Generation
→ Each guardian generates polynomial commitment
Round 2: Share Exchange
→ Guardians exchange encrypted shares
Round 3: Verification
→ Public key derived, shares verified
Private key NEVER reconstructed

Policy Engine + MPC Threshold

Separate business approval policies from cryptographic signing requirements for maximum flexibility

Key Concept: Approvals ≠ Signatures

The Policy Engine can require MORE business approvals than the MPC threshold requires for cryptographic signing. Example: MPC 2-of-3 means only 2 guardians are needed for the cryptographic signature, but the policy can require 4 different employees to approve before the MPC ceremony begins.

MPC Threshold

Cryptographic requirement

2-of-3
Guardians required for signing
  • Defines minimum key shares needed
  • Controls cryptographic signature generation
  • Technical security boundary

Approval Policy

Business requirement

2-4
Approvals per action type
  • Can exceed MPC threshold
  • Action-specific requirements
  • USD limits and conditions

Action-Based Policy Configuration

Define different approval requirements for each action type. The policy engine validates business approvals BEFORE initiating the MPC signing ceremony.

Action
Required Approvals
Conditions
Voting
Governance votes
1
2
3
4
Always requires 4 approvals
Sign Data
Message signing
1
2
3
4
Low-risk, 2 approvals sufficient
Sign Transaction
Outgoing payments
1
2
3
4
Up to €10,000: 3 approvals
Above €10,000: 4 approvals
Delegate Stake
Staking operations
1
2
3
4
High-impact, 4 approvals required
Withdraw Rewards
Staking rewards
1
2
3
4
Treasury impact, 4 approvals required

Approval → Signing Workflow

Request
Employee initiates action
Policy Check
Collect required approvals
MPC Ceremony
Guardians sign (2-of-3)
Broadcast
Transaction submitted

Comprehensive Audit Logging

Every action is logged with cryptographic integrity verification for regulatory compliance

Immutable Records

Append-only log storage with cryptographic hash chains prevents tampering

Real-Time Logging

All events captured instantly with millisecond precision timestamps

Compliance Ready

Meets ISO 27001, MiCA, and GDPR audit trail requirements

Logged Event Categories

Authentication Events

  • User login (success/failure)
  • User logout
  • MFA configuration
  • MFA verification
  • Session timeout
  • Password changed

Wallet Operations

  • Wallet created
  • Wallet imported
  • Guardian added
  • Guardian removed
  • Key rotation ceremony
  • Threshold modified

Transaction Events

  • Transaction created
  • Transaction approved
  • Transaction rejected
  • Transaction signed (MPC)
  • Transaction broadcast
  • Transaction confirmed

Policy Management

  • Policy created
  • Policy modified
  • Policy deleted
  • Spending limit changed
  • Role assigned to user

Administration

  • User account created
  • User deactivated
  • Role created
  • Permission changed
  • Settings modified
audit_log.json
{
  "id": "evt_abc123xyz",
  "timestamp": "2024-12-02T14:32:15.123Z",
  "eventType": "TRANSACTION_APPROVED",
  "actor": {
    "userId": "usr_treasury_manager",
    "email": "manager@company.com",
    "role": "Treasury Manager"
  },
  "target": {
    "type": "Transaction",
    "id": "tx_def456",
    "amount": 15000.00,
    "currency": "ADA"
  },
  "context": {
    "ipAddress": "192.168.1.***",
    "userAgent": "Mozilla/5.0...",
    "sessionId": "sess_xyz789"
  },
  "result": "SUCCESS",
  "metadata": {
    "approvalsReceived": 3,
    "approvalsRequired": 3,
    "policyName": "Standard Payment Policy"
  },
  "hash": "sha256:8f14e45f..."
}

Log Retention

Configurable retention periods to meet regulatory requirements

Standard Business7 Years
Financial Institutions10 Years
Custom RequirementConfigurable

Export & API Access

Export logs for external analysis or integrate via API

CSV
JSON
PDF
Full REST API access for external audit systems

Security Certifications

Independently verified security and compliance standards

SOC 2 Type II

Comprehensive security, availability, and confidentiality controls

ISO 27001

International information security management standard

MiCA Compliant

EU Markets in Crypto-Assets regulatory framework

GDPR Compliant

EU data protection and privacy regulation