Trust, but with a paper trail.
Custody is a posture, not a promise. Below is what the posture is made of — the standards we hold ourselves to, the design of the perimeter, and the documents an auditor sees when one is invited in.
Standards we are measured against.
These are the ones that mean something for a custody business. We avoid the decorative seals; what is listed here corresponds to a binder of evidence and a reviewer who put their name on it.
ISO/IEC 27001
Information Security Management System — audited annually.
ISO/IEC 27701
Privacy Information Management — extends 27001 for PII.
SOC 2 Type II
Continuous adherence over an evaluation window, not a snapshot.
W3C VC 2.0
Verifiable Credentials, the open standard for selective disclosure.
MyData Global
Human-centric data control principles.
Europrivacy
EU GDPR certification scheme (Regulation (EU) 2016/679 Art. 42).
CIPP/E · CIPT
Certified personnel under the privacy and technology disciplines.
CISSP-certified
Security architecture and engineering, on-staff.
Letters and bridge reports are released under NDA to qualified clients. Write to support@sprime.io for the package.
A closed network with named doors.
There is no shared bucket, no public read path, and no service account with blanket access. Every workload is on its own segment with its own identity, and every request between segments is signed and verified.
Zero-trust by construction
"Never trust, always verify" applied at the host, the service, and the data layer. Every device, every service, every internal call carries a short-lived credential. Lateral movement has nowhere to go: each segment is a peninsula, not a corridor.
Microsegmentation
Financial records, identity attestations, document store, audit log, and key material live in separate networks with mutually exclusive credentials. A compromise of any one segment cannot read another.
Encryption that means something
AES-256-GCM at rest, TLS 1.3 in transit, X25519 for key exchange. Vault data is wrapped with per-tenant keys held in a hardware security module. Recovery requires presence, not a password reset.
Cryptographic deletion
At end of service, encryption keys for your vault are destroyed. The ciphertext becomes unreadable mathematics. This is faster, more verifiable, and more permanent than physical erasure of disks.
Selective disclosure
W3C Verifiable Credentials let you prove a claim — age, residence, accreditation, net-worth band — without exposing the underlying values. The verifier learns only what they need to act.
Tamper-evident audit log
Every access, every nomination, every disclosure is appended to a hash-chained log. A change to a past entry would invalidate every entry that followed it. You may export your slice on request.
Off-grid is a real place.
For Estate clients we operate dedicated hardware on a private property under a custody agreement. Solar generation, a battery bank sized for seven-day autonomy, and a multi-path uplink with low-earth-orbit satellite primary. The node is enrolled in our network through a sealed certificate; if the certificate is revoked, the node continues to serve you locally, on your own LAN.
The point is straightforward: a public cloud outage, a regulatory subpoena to a third party, or the dissolution of a vendor does not change your access. The hardware is yours. The custody arrangement says so in writing.
Who decides what, and who watches.
Two-person rule
Production changes that touch customer data require two named engineers and a signed change record. There is no break-glass account that one person can use alone.
Counsel of record
Estate clients receive the name and contact of our continuity counsel, retained to act on their behalf if the firm itself becomes unavailable.
Vendor discipline
Every subprocessor is bound by a Data Processing Agreement that prohibits secondary use. The current list is on file and disclosed in your onboarding packet.
Bug bounty
Researchers who disclose responsibly are paid. The program scope and current scoreboard are posted to a private page on request.
Incident posture
If a material event ever occurs, affected clients are informed in writing within the regulatory window, with a plain-language explanation and the action being taken.
Right to leave
You may export your vault in open formats at any time. Cryptographic deletion follows export on your signal. We retain only the records the law obligates us to keep.