Plutope
Security & Compliance

Trust, engineered into every layer.

Plutope is non-custodial by architecture and regulated by partnership. Funds remain provably yours; movement is governed by licensed counterparties, hardware-backed key management, and continuous third-party audit. Below is the same dossier we share with banks, auditors, and institutional partners.

  • 0 · Customer funds held by Plutope
  • 100% · Keys generated client-side
  • 24/7 · On-call security response
  • SOC 2 · Type II in progress

Operating principles

Four commitments that shape every line of code.

These aren't policies. They're architectural constraints — enforced in the codebase, in our vendor selection, and in every partnership we sign.

Non-custodial by default

Private keys are generated and stored exclusively on user devices via Secure Enclave (iOS) and Keystore (Android). Plutope has no operational capability to move user funds. There is no admin override. There is no internal database of seed phrases. There is, by design, nothing to seize, subpoena, or breach.

Regulated by partnership

Where regulated activity is required — card issuing, fiat on/off-ramps, virtual accounts, settlement — Plutope operates exclusively through licensed counterparties: BIN sponsors, EMIs, MTLs, and partner banks across the EU, UK, MENA, and APAC. Each integration carries its own license stack and audit trail.

Verifiable, not promised

Source code for cryptographic primitives is open and reviewable. Smart contracts deployed by Plutope are audited and verified on-chain. Reserve attestations for stablecoin float are published quarterly. Trust is established through verification, not marketing.

Compliance as infrastructure

KYC, KYB, sanctions screening, and transaction monitoring run as first-class systems across every product. We use Sumsub, Chainalysis, and Onfido in production, with internal escalation paths reviewed by a dedicated compliance officer in every jurisdiction in which we operate.

Architecture

Four layers. Each independently verifiable.

Layer · Device

Key material never leaves the device

  • Generation · BIP-39 entropy from Secure Enclave / Android Keystore
  • Storage · Hardware-isolated; never written to Plutope servers
  • Authentication · Biometric (FaceID / fingerprint) + device PIN
  • Backup · User-controlled iCloud Keychain or encrypted phrase export

Layer · Network

Transport hardened end-to-end

  • TLS · TLS 1.3 only, HSTS preload, certificate pinning
  • Edge · Cloudflare WAF, bot management, DDoS mitigation
  • API · OAuth 2.0 + signed requests, mutual TLS for partners
  • Egress · All third-party calls allowlisted and logged

Layer · Application

Least privilege, top to bottom

  • Access · SSO + hardware key (YubiKey) for all production access
  • Reviews · Two-person code review, signed commits, branch protection
  • Secrets · Vaulted via HashiCorp; rotated on a 30-day cadence
  • Dependencies · SBOM published, daily SAST/DAST/SCA scanning

Layer · Settlement

Funds flow only through licensed rails

  • Cards · Issued by EU-regulated BIN sponsor (EMI license)
  • Fiat · MTL/EMI partners in IN, AE, SG, EU, UK, US
  • Stablecoins · USDC (Circle), USDT (Tether), with attested reserves
  • Reconciliation · Atomic ledger with double-entry against on-chain proofs

Certifications & Jurisdictions

Where we operate, and under whose authority.

Certifications & frameworks
  • SOC 2 Type II
    In progress · Q3 2026
    Audited by Big-4 firm
  • ISO 27001
    Gap assessment complete
    Targeting Q4 2026
  • PCI DSS
    Inherited via BIN sponsor
    Level 1 service provider
  • GDPR
    Compliant
    EU DPO appointed; SCCs in place
  • CCPA
    Compliant
    Consumer rights portal live
  • DPDP (India)
    Compliant
    Local data residency in IN region

Regulatory footprint
  • European Union
    Card issuing via EMI-licensed sponsor (Lithuania)
  • United Kingdom
    FCA-registered EMI partner for GBP rails
  • United Arab Emirates
    VARA-compliant VASP partnership (Dubai)
  • India
    PA-PG licensed partner for INR virtual accounts
  • Singapore
    MAS MPI partner for SGD and cross-border
  • United States
    MTL-licensed correspondent for USD settlement
Independent audits

Reviewed by the firms that review the rest of the industry.

  • Trail of Bits
    Scope: Smart-contract & cryptographic review
    Outcome: All high-severity findings resolved
  • Halborn
    Scope: Mobile wallet & key-derivation audit
    Outcome: Zero critical, two informational
  • Cure53
    Scope: Web application penetration test
    Outcome: Clean report; published with permission
  • Big-4 firm (in progress)
    Scope: SOC 2 Type II observation window
    Outcome: Quarterly control attestations available

Responsible disclosure

We work with the security research community under a public safe-harbor policy. Researchers acting in good faith are protected from legal action and credited at their discretion. Reports are triaged within one business day, with severity, scope, and remediation timeline confirmed within five.

Email: security@plutope.com
PGP: Fingerprint 9F4A 2C8D 71BB 03E5 …

Bug bounty

Plutope operates a private bounty programme on HackerOne, expanding to a public programme in 2026. Payouts are tiered by severity, with critical findings rewarded up to USD 150,000.

  • Critical · Up to $150,000
  • High · Up to $40,000
  • Medium · Up to $10,000
  • Low · Up to $2,000

Talk to our security team.

Diligence questionnaires, SIG/CAIQ, partner security reviews — we respond within one business day.