Security

Security, documented.

Non-custodial by default. Smart-contract audits by a tier-1 firm. SOC 2 and ISO 27001 programs active. Partner compliance pack on request.

Certification and audit program

Every partner gets the current posture snapshot with their compliance pack, including audit schedule, auditor identity, and scope.

Program | Status | Milestone
SOC 2 Type I | In progress | Report H2 2026
SOC 2 Type II | Scheduled | Observation window opens after Type I
ISO 27001 | In progress | Stage 1 audit H2 2026
GDPR | Active | Art. 28 DPA with every partner. DPO engaged.
MiCA posture | Active | Legal opinion on file. Shared with partners under NDA.
Smart-contract audits | Scheduled | Pre-mainnet for every contract. Tier-1 auditor. Reports published post-remediation.
External pen-test | Scheduled | Annual cadence. First report available to enterprise partners.
Responsible disclosure | Active | Formal program. Bounty platform partnership in selection.

Architecture principles

  1. Non-custodial by default. End-user funds sit in ERC-4337 smart-contract wallet accounts. The user's passkey (or MPC share plus recovery key) holds signing authority. We don't hold keys or funds. You don't hold keys or funds.
  2. Least-privilege everywhere. Session keys are time-boxed and scope-limited. Service-account keys are scoped to each microservice. Partner API keys are scoped to the partner namespace.
  3. Audit-log everything. Every state change emits a signed event. Events are Merkle-rolled and periodically anchored on-chain. Retention is 7 years by default.
  4. Key management. Production keys live in a cloud KMS. No private keys in Git, env files, or logs. 90-day rotation.
  5. Network segmentation. Production VPCs are isolated. Webhook sender IPs are published. Admin access goes through the cloud-provider session manager with MFA.
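Principle 3 in concrete form, as an added example rather than the project's own code: it builds a Merkle root over a constructed batch of signed audit events, produces an inclusion proof for one event, and shows the check a partner would run against the anchored root. SHA-256, the HMAC stand-in for the page's unspecified signature scheme, the leaf/node prefixes, and the sample events are all assumptions.

```python
import hashlib, hmac, json
# Constructed stand-in signer: the page does not say how events are signed, so an
# HMAC over the canonical JSON body plays the role of the signature here.
SIGNING_KEY = b"constructed-example-key"
def canonical(event): return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
def mac(body): return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
def sign_event(event): return {**event, "sig": mac(canonical(event))}
def verify_signature(signed):
    body = {k: v for k, v in signed.items() if k != "sig"}
    return hmac.compare_digest(mac(canonical(body)), signed.get("sig", ""))

# Distinct prefixes keep an interior hash from being passed off as a leaf
# (the second-preimage weakness of unprefixed Merkle trees).
def leaf_hash(signed): return hashlib.sha256(b"\x00" + canonical(signed)).digest()
def node_hash(left, right): return hashlib.sha256(b"\x01" + left + right).digest()
def pad(level):  # odd count: duplicate the last hash so every node has a sibling
    return level + [level[-1]] if len(level) % 2 else level
def next_level(level):
    level = pad(level)
    return [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]

def merkle_root(leaves):
    level = list(leaves)
    while len(level) > 1:
        level = next_level(level)
    return level[0]

def inclusion_proof(leaves, index):
    # Sibling hashes from leaf to root, each tagged with whether it sits on the left.
    proof, level, idx = [], list(leaves), index
    while len(level) > 1:
        sibling = idx ^ 1
        proof.append((pad(level)[sibling], sibling < idx))
        level, idx = next_level(level), idx // 2
    return proof

def verify_inclusion(leaf, proof, root):
    h = leaf
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == root

def check_event(signed, proof, root):
    # Partner-side check: authentic signature AND membership in the anchored batch.
    return verify_signature(signed) and verify_inclusion(leaf_hash(signed), proof, root)

# Constructed batch of five state-change events (odd count exercises the padding rule).
EVENTS = [sign_event({"seq": i, "actor": "svc-ledger", "op": "balance.update", "amount": 10 * i})
          for i in range(5)]
LEAVES = [leaf_hash(e) for e in EVENTS]
ANCHORED_ROOT = merkle_root(LEAVES)  # the value that would be anchored on-chain
```

An event edited and re-signed after anchoring passes the signature check but fails the inclusion check, which is what the on-chain anchor adds over signatures alone.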

Responsible disclosure

Email security@ovaal.io. PGP key published at /.well-known/pgp-key.asc.

Acknowledgement within 24 hours. Triage and severity within 72 hours. Remediation timeline within 1 week. Disclosure coordination per OWASP standard.

Researchers who report high-severity issues are paid cash rewards. Scope and reward bands will be published on our bounty-platform partner once the managed program goes live.