Security

Last updated: 2026-04-25

The honest version: building a custodial crypto product is mostly a security exercise. Here's what we do today, what we plan to add, and how to talk to us.

Key custody — envelope encryption

Every tenant gets a unique data encryption key (DEK), which encrypts their HD-wallet master mnemonic with AES-256-GCM. The DEK itself is wrapped by a managed KMS provider (Google Cloud KMS in production) and only unwrapped on container start.

The runtime service account has Decrypt-only permission on the KMS key — even if someone took over the API process, they couldn't mint new wrapped keys or rotate them. The plaintext DEK exists only in the process memory of the running backend; it's never written to disk or logged.

Tenant isolation

Every Prisma query that touches money-moving data is required to scope by tenantId. We enforce this with a static analysis test in CI that fails the build if a route file calls findFirst/update/delete by id alone without referencing tenantId in the surrounding handler.
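A simplified version of that CI check, added here as an example (not the project's own test): it splits a route file into handlers, finds findFirst/update/delete calls on money-moving models, and flags any whose enclosing handler never mentions tenantId. It assumes Express-style `router.<method>('/path', handler)` files and a Prisma client named `prisma`; the model names and the sample route file are constructed.

```javascript
// Assumed set of money-moving Prisma models that must always be tenant-scoped.
const MONEY_MODELS = new Set(['wallet', 'withdrawal', 'transaction']);
const HANDLER_RE = /router\.(get|post|put|patch|delete)\(\s*['"`]([^'"`]+)['"`]/g;
const QUERY_RE = /prisma\.(\w+)\.(findFirst|update|delete)\(/g;

const lineOf = (text, index) => text.slice(0, index).split('\n').length;

// Split a route file into handler chunks: from one router.<method>( to the next.
function splitHandlers(src) {
  const marks = [...src.matchAll(HANDLER_RE)];
  return marks.map((m, i) => ({
    route: `${m[1].toUpperCase()} ${m[2]}`,
    line: lineOf(src, m.index),
    body: src.slice(m.index, i + 1 < marks.length ? marks[i + 1].index : src.length),
  }));
}

// Report every money-moving query whose enclosing handler never mentions tenantId.
function findUnscopedQueries(src) {
  const violations = [];
  for (const h of splitHandlers(src)) {
    const mentionsTenant = /\btenantId\b/.test(h.body);
    for (const q of h.body.matchAll(QUERY_RE)) {
      if (!MONEY_MODELS.has(q[1]) || mentionsTenant) continue;
      violations.push({ route: h.route, model: q[1], op: q[2], line: h.line + lineOf(h.body, q.index) - 1 });
    }
  }
  return violations;
}

// CI gate: returns true when every file is clean; logs one line per violation.
function ciGate(files) {
  let clean = true;
  for (const [name, src] of Object.entries(files)) {
    for (const v of findUnscopedQueries(src)) {
      clean = false;
      console.error(`${name}:${v.line} ${v.route}: prisma.${v.model}.${v.op} is not scoped by tenantId`);
    }
  }
  return clean;
}

// Constructed sample route file: the first handler is scoped, the second is not.
const SAMPLE_ROUTES = `
router.get('/wallets/:id', async (req, res) => {
  const wallet = await prisma.wallet.findFirst({
    where: { id: req.params.id, tenantId: req.tenant.id },
  });
  res.json(wallet);
});

router.post('/withdrawals/:id/cancel', async (req, res) => {
  // unscoped: an authenticated user of one tenant could cancel another tenant's withdrawal by id
  const w = await prisma.withdrawal.update({
    where: { id: req.params.id },
    data: { status: 'CANCELLED' },
  });
  res.json(w);
});
`;

const SAMPLE_CLEAN = ciGate({ 'routes/withdrawals.ts': SAMPLE_ROUTES }); // false: one violation reported
```

This is a heuristic, not a parser: a `tenantId` in a comment would satisfy it, and a handler that reads tenantId but forgets to put it in the `where` clause would pass. A production version should inspect the `where` argument of each call rather than the whole handler text.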

Webhooks

  • Inbound webhooks (Tatum, Stripe, Postalynk) are HMAC-verified against the raw request body before any side effect.
  • Outbound webhooks to your endpoints are signed with a per-webhook HMAC secret you can rotate from settings.
  • Failed webhooks retry with exponential backoff and auto-disable after sustained failure (you get an email when this happens).

Auth

  • Passwords hashed with bcrypt at cost 12.
  • JWT access tokens (15-minute lifetime), refresh tokens (7-day lifetime).
  • hCaptcha on register/login/forgot-password.
  • Google sign-in uses the OAuth 2.0 authorization-code flow with id-token nonce verification (binding by Google sub, not email — to prevent email-impersonation takeover).
  • 2FA (TOTP) — work in progress; will roll out to admins first.

Operational practices

  • Production database backed up nightly to encrypted off-site storage with 14-day retention.
  • Production access requires SSH keys; root password auth is disabled.
  • Every deploy runs an automated paranoid security review on the diff before merge.
  • All inbound traffic terminates at TLS 1.3; LE certs auto-renewed by certbot.

Pre-GA roadmap

What's honestly NOT yet done, in order of priority:

  • SOC 2 Type II audit. Currently controls are in place, attestation is not.
  • Formal pentest by an independent firm.
  • Bug bounty program (hosted on a public platform).
  • Multi-region failover for the database.
  • 2FA enforcement for all customer-side users.

Reporting a vulnerability

Email security@swydex.com. We respond within 48 hours and aim to triage within five business days. We'll credit reporters in the changelog (or honor a request for anonymity), and we don't threaten or pursue good-faith research.

Please don't test against tenant accounts you don't own, and don't pull data beyond what's strictly needed to demonstrate the issue.