Security

SpendSafe keeps keys offline, enforces fail-closed policies, provides audit artefacts. This page summarises safeguards and secure operations.

Architectural Guarantees

Non-custodial – Private keys never leave your environment; SDK signs locally
Fail-closed – If policy service, Gate 2, or RPC fails, SDK throws and refuses to sign
Two-gate validation – Gate 1 evaluates policy rules; Gate 2 verifies authorisation token before signing
Policy hashes – Compare asset rule hashes against API responses to detect configuration drift
Decision proofs – Every allow/deny includes signature and fingerprint for audit. See Trust Model

Data	Location	Notes
Transaction intent metadata (`to`, `amount`, `asset`)	SpendSafe API	Used solely for policy evaluation; stored for audit per retention tier
Private keys / signed payloads	Your infrastructure	Never transmitted to SpendSafe
Decision proofs	Both sides	Signed proof is returned to you and stored in the dashboard audit log
API keys	Dashboard + your secret store	Each agent receives one; treat them like credentials

All API communication uses HTTPS with TLS 1.2+. Rate limits shield against brute force and abuse.

Store API keys securely – Use secret manager or vault, not environment files in git
Rotate keys periodically – Rotate agent keys quarterly and immediately after personnel changes
Monitor Value Protected – Large increases signal attempted abuse; investigate transactions tab
Capture decision proofs – Log alongside internal transaction records for dispute handling
Set up incident contacts – Define alert recipients when policies block critical flows

Policy blocked legitimate transfer – Update rule, copy new policy hash, retry transaction
Suspected compromise – Revoke agent in dashboard, rotate API key, review audit logs
SpendSafe outage – Integration fails closed; queue transactions, replay when API available.

Audit logging retention scales with plan level (7 days → 12 months → 7 years)
SOC 2 Type I/II, ISO 27001, regional data residency planned. Contact for timeline