Security & compliance

The safest posture is the one that doesn't hold your money.

OpenSettle's custody model isn't a policy — it's the architecture. We can't move your funds because we never have them. That changes everything downstream.

Non-custodial

Funds settle directly to your wallet — we never take possession.

Sanctioned-region block

Merchants from comprehensively sanctioned jurisdictions (Iran, North Korea, Syria, Cuba, Crimea, Donetsk, Luhansk) are refused at signup. Payer-address screening against the OFAC SDN crypto list runs on every inbound payment — in-house, no vendor.
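The page gives no implementation detail for the in-house screening or the address normalisation the audit covers, so here is an added illustration (not OpenSettle's code) of what a defender-side screen has to get right: fold case only where the address format is case-insensitive, never for base58, and fail closed on anything it cannot parse. The list entries are constructed placeholders, not real SDN data.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed stand-in for an in-house copy of the sanctions address list.
# None of these are real SDN entries; they only exercise the three formats below.
SAMPLE_SDN_ADDRESSES = [
    "0x00000000000000000000000000000000deadbeef",  # constructed EVM-style entry
    "bc1qexampleexampleexampleexampleexamplexxxxx",  # constructed bech32-style entry
    "1CaseSensitiveBase58EntryXYZ",                   # constructed base58-style entry
]

_EVM_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")
_BECH32_RE = re.compile(r"^(bc|tb)1[02-9ac-hj-np-z]{6,87}$", re.IGNORECASE)
_BASE58_RE = re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$")


def normalise(addr: str) -> Optional[str]:
    """Canonical form used for matching; None when the format is not recognised."""
    a = addr.strip()
    if _EVM_RE.match(a):
        return a.lower()   # EIP-55 mixed case is only a checksum: match case-insensitively
    if _BECH32_RE.match(a):
        return a.lower()   # bech32 is case-insensitive by specification
    if _BASE58_RE.match(a):
        return a           # base58 is case-sensitive: folding case would change the address
    return None


@dataclass(frozen=True)
class Decision:
    action: str   # "allow", "block" or "hold"
    reason: str


class SdnScreener:
    def __init__(self, raw_list: Iterable[str]) -> None:
        self._blocked = set()
        for entry in raw_list:
            n = normalise(entry)
            if n is None:   # a list entry we cannot canonicalise would silently never match
                raise ValueError(f"unrecognised list entry: {entry!r}")
            self._blocked.add(n)

    def screen(self, payer_address: str) -> Decision:
        n = normalise(payer_address)
        if n is None:
            # Fail closed: an address that cannot be parsed cannot be screened, so hold it
            return Decision("hold", "unrecognised address format")
        if n in self._blocked:
            return Decision("block", "payer address matches sanctions list")
        return Decision("allow", "no match")
```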

Signed everything

API responses, webhooks, and events are all signed with rotating keys.

No stored card data

Stablecoin-only means we never hold PANs, PINs, or CVVs.

Certifications

Where we are, honestly.

  • Internal platform audit: Available. Latest report May 2026 — public on GitHub.

  • SOC 2 Type I: Exploratory. Considered; pursuit is gated by a post-launch commercial milestone, and the engagement letter will be published when signed.

  • SOC 2 Type II: Exploratory. Follows Type I by 12 months once the Type I observation period completes.

  • Sanctions address screening: Available. In-house OFAC SDN match — no vendor; we maintain the list.

  • PCI DSS: N/A. Not applicable — we don't touch cards.

Infrastructure

Defense in depth, not in paperwork.

  • API + Postgres on Hetzner (Nuremberg, eu-central). Worker process groups isolated from the request path; Cloudflare edge in front for TLS termination, WAF, and DDoS.

  • Internal platform audit report available on request — email security@opensettle.io. Covers wallet verification, refund recipient validation, address normalisation, webhook secret encryption.

  • Webhook signing secrets encrypted at rest with AES-256-GCM. Session cookies HMAC-signed. WebAuthn passkeys supported.

  • EU data residency by default (Hetzner Nuremberg, eu-central). US/APAC residency on the roadmap as customer demand justifies the duplication.

  • Step-up auth (AAL=2) required for wallet verification, workspace deletion, refunds, API key + webhook secret rotation.

  • Production preflight runner blocks deploys without required secrets, healthy worker heartbeats, and verified RPC config.

Compliance posture

Why we don't need a money transmitter license.

In the United States, money transmission is defined around "receiving funds for transmission to another person." OpenSettle never receives customer funds — they flow directly to the merchant's wallet on-chain. Our fee is accrued separately and billed in a monthly invoice, payable from the merchant's own balance — not from a pool we control.

The same architectural decision sidesteps MSB registration with FinCEN, CASP licensing under MiCA in the EU, and VASP registration in most other jurisdictions. We structure OpenSettle as a software platform, because that's what it is.

This is a summary for engineering and product teams, not legal advice. For questions about our compliance posture or to request the latest internal audit report, email security@opensettle.io.

Researchers

Acknowledgements.

We credit security researchers who report valid issues here, with consent. No external researcher has been credited yet — this is the page where the first one will appear.

Reported something under our disclosure policy? Email security@opensettle.io to be listed (or to stay anonymous). Credit includes the issue summary, severity, your handle or name, and the resolution date.