At Stackup we take a holistic approach to security in order to optimize for self-custodial control, enterprise-grade protection, and a simplified user experience. All critical components of our stack have been independently audited.
Need to talk to a real person?
If you have questions about Stackup's security architecture or need to report an issue, contact us at support@stackup.fi.
Smart contract accounts
The smart contract account is the deterministic address that stores your funds onchain across all EVM networks. The implementation is based on a scalable keystore architecture built by the Stackup team and audited by Spearbit.
We highly recommend that users learn more about our smart accounts using the following resources:
Stackup has no control over a customer’s onchain account. In other words, your accounts will always remain self-custodial.
Managing access configuration
The keystore account is built to be highly gas efficient and private by default. In practice, this means your access configurations are stored offchain in a Merkle tree data structure while only the root hash is committed onchain. During transactions, cryptographic proofs are generated to ensure signing authority.
The Merkle tree configuration is treated as sensitive data because it contains information about every signer associated with your account. However, it is not confidential like a private key: it cannot be used to access funds on your account. Stackup stores this data in accordance with our SOC2 compliance, which includes daily backups and storage redundancies during state transitions.
This data can also be exported and independently verified to ensure it matches exactly with what is stored onchain. See this example script on how you can do this yourself with OpenZeppelin’s Merkle tree library.
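The check described above, as an added illustration that is not Stackup's script or keystore code: it rebuilds the root from an exported configuration, verifies one signer's proof against the committed root, and lets you confirm that an altered entry fails. SHA-256 and JSON-encoded leaves stand in for the real hashing and encoding (assumptions), and the signer entries are constructed sample data.

```javascript
// Added example: SHA-256 and JSON leaves are stand-ins (assumptions), not the
// keystore's real encoding; the signer entries are constructed sample data.
const { createHash } = require("node:crypto");
const sha256 = (buf) => createHash("sha256").update(buf).digest();
// Leaves are hashed twice so a leaf can never be mistaken for an inner node.
const leafHash = (entry) => sha256(sha256(Buffer.from(JSON.stringify(entry))));
// Sorting each pair makes the hash order-independent: proofs need no left/right flags.
const nodeHash = (a, b) => sha256(Buffer.concat([a, b].sort(Buffer.compare)));

// Build every level of the tree, from the sorted leaves up to the single root.
// An unpaired node at the end of a level is promoted unchanged.
function buildLevels(entries) {
  if (entries.length === 0) throw new Error("empty configuration");
  const levels = [entries.map(leafHash).sort(Buffer.compare)];
  while (levels.at(-1).length > 1) {
    const prev = levels.at(-1), next = [];
    for (let i = 0; i < prev.length; i += 2)
      next.push(i + 1 < prev.length ? nodeHash(prev[i], prev[i + 1]) : prev[i]);
    levels.push(next);
  }
  return levels;
}
const rootOf = (entries) => buildLevels(entries).at(-1)[0].toString("hex");

// Collect the sibling hashes needed to recompute the root from one entry.
function proofFor(entries, entry) {
  const levels = buildLevels(entries);
  let idx = levels[0].findIndex((h) => h.equals(leafHash(entry)));
  if (idx < 0) throw new Error("entry is not in the configuration");
  const proof = [];
  for (const level of levels.slice(0, -1)) {
    if (level[idx ^ 1]) proof.push(level[idx ^ 1].toString("hex"));
    idx >>= 1;
  }
  return proof;
}

// A verifier holding only the committed root checks one entry with its proof.
function verify(rootHex, entry, proof) {
  const fold = (acc, sib) => nodeHash(acc, Buffer.from(sib, "hex"));
  return proof.reduce(fold, leafHash(entry)).toString("hex") === rootHex;
}

// Constructed sample export: three signers on one account.
const exported = [
  { signer: "alice-laptop", type: "passkey" },
  { signer: "bob-phone", type: "passkey" },
  { signer: "treasury-hsm", type: "hardware" },
];
const committedRoot = rootOf(exported); // stands in for the root read from chain
```

Recomputing `rootOf` over the export and comparing it with the onchain value detects any added, removed or edited signer, while `verify` needs only one entry and its proof.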
Web platform
The Stackup platform is the dashboard and developer APIs built for customers to manage their self-custodial smart contract accounts. We make several architectural and design decisions to ensure the security of your assets.
SOC2 compliance
The Stackup platform was built from the ground up to be compliant with the SOC2 framework.
What is SOC2?
SOC2 is a compliance framework that verifies a company securely manages customer data according to five trust principles: security, availability, processing integrity, confidentiality, and privacy. Its purpose is to assure customers that we have effective controls in place to protect sensitive information.
For more details on compliance, see our trust centre at trust.stackup.fi.
How we collect and process data
We collect only what's necessary to operate your account. For the most part, we use transaction data from the blockchain as the single source of truth. We then hydrate this with platform-specific data such as “contacts” for a better user experience.
Certain flows, such as on and off ramps to a US bank account, require KYB for legal compliance. However, this is only enforced if such features are required by your business.
Stackup operates on AWS infrastructure in the United States, chosen for its security certifications and global reliability. All data is encrypted at rest using AES-256 encryption. Data in transit uses TLS 1.3 or higher.
Our privacy policy explains exactly what we collect, why, and how you can control it.
Authentication with passkeys
Our platform is committed to a 100% passwordless environment using passkeys. We believe this to be the optimal balance between enterprise-grade protection and user experience. Based on industry statistics, passkeys have been shown to eliminate credential stuffing and phishing attacks while dramatically improving key metrics around authentication.
At its core, passkey authentication is based on asymmetric key cryptography using the P-256 curve. The private key remains on your device or is end-to-end encrypted with your password manager. Stackup only stores the public key for platform authentication. The public key is also associated with your onchain smart account for validating transactions.
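The server side of a passkey login, as an added sketch that is not Stackup's implementation: the server holds only the P-256 public key and the challenge it issued, and rejects an assertion whose challenge, origin or signature does not match. The authenticator is simulated with a locally generated key, and the RP ID, origin and challenge are constructed values.

```javascript
// Added example: the authenticator is simulated; RP_ID and ORIGIN are hypothetical.
const nodeCrypto = require("node:crypto");
const RP_ID = "app.example.test";
const ORIGIN = "https://app.example.test";
const sha256 = (d) => nodeCrypto.createHash("sha256").update(d).digest();

// Device side (simulated): sign authenticatorData || SHA-256(clientDataJSON).
function signAssertion(privateKey, challenge, origin) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
  const flags = Buffer.from([0x05]);   // user present + user verified
  const counter = Buffer.alloc(4);     // signature counter, 0 in this sketch
  const authenticatorData = Buffer.concat([sha256(RP_ID), flags, counter]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  const signature = nodeCrypto.sign("sha256", signed, privateKey); // DER-encoded ECDSA
  return { clientDataJSON, authenticatorData, signature };
}

// Server side: needs only the stored public key and the challenge it issued.
function verifyAssertion(publicKey, expectedChallenge, a) {
  const client = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong type";
  if (client.challenge !== expectedChallenge.toString("base64url")) return "challenge mismatch";
  if (client.origin !== ORIGIN) return "origin mismatch";
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return "rpId mismatch";
  if ((a.authenticatorData[32] & 0x01) === 0) return "user not present";
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return nodeCrypto.verify("sha256", signed, publicKey, a.signature) ? "ok" : "bad signature";
}

// prime256v1 is OpenSSL's name for the P-256 curve.
const { publicKey, privateKey } =
  nodeCrypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
const challenge = nodeCrypto.randomBytes(32); // fresh per login attempt
```

Because the origin is part of the signed data, an assertion produced on a look-alike site fails the origin check even though the signature itself is valid.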
Authorization of users and applications
Stackup handles authorization of the web platform by recognizing varying levels of access.
Admins: Full read and write access to the entire organization.
Members: Restricted read-only access to wallets assigned by admins.
Applications: Access to the developer APIs using API keys created by admins.
Note that these roles apply only to the web platform. Each wallet can further fine-tune its individual transaction policies based on its operational requirements.
The Stackup team
Our entire smart account stack is built by domain experts in account abstraction, backed by extensive experience building at all layers of the stack, from protocol and infrastructure to applications. Our accounts infrastructure has been used at scale by high-throughput applications like Coinbase Wallet and Trust Wallet, and our financial platform is used by tier one firms like Spearbit to manage onchain operations.
The Stackup team is also backed by years of experience in aerospace and fintech, where security and safety are mission critical. We are committed to ensuring Stackup remains a safe and secure platform for businesses to manage their onchain operations at any scale.