Security

Security built for institutions

Archway is designed from the ground up so that your funds, your wallet, and your data stay under your control. Every layer of the platform prioritizes institutional-grade security and operational resilience.

Noncustodial architecture

Your fund owns its own embedded wallet, powered by Fireblocks. Archway constructs transactions on your behalf, but only your fund can sign and execute them. Archway never holds, controls, or has access to your assets.

Fund-owned wallets. Each fund has a dedicated Fireblocks embedded wallet with isolated key material secured through Fireblocks' institutional-grade key management infrastructure.

Transaction construction only. Archway prepares and presents transactions. Signing authority rests entirely with authorized fund personnel.

Passkey authentication

Every transaction requires biometric or hardware key confirmation via Fireblocks passkeys. There are no shared secrets, no seed phrases to manage, and no way for Archway to sign on your behalf.

Biometric signing. Face ID, Touch ID, or hardware security keys. Every transaction requires direct physical confirmation from an authorized signer.

Archway cannot move funds. Signing authority is bound to your biometric identity. No Archway employee, system, or process can initiate a transaction on your behalf.

Role-based access control

Define exactly who can do what. Assign granular roles, set transaction limits per user, and require multiple approvers for large or sensitive operations.

Granular roles. Admin, Trader, Viewer, and Compliance Officer roles with distinct permission sets. Each role sees only what it needs.

Transaction limits. Set per-role and per-user transaction size limits. Large transactions can require multi-approver workflows before execution.

Multi-approver workflows. Require two or more authorized signers for transactions above configurable thresholds. Enforced at the wallet level.

Audit trail. Every action, approval, and configuration change is logged with timestamps, user identity, and IP address.

Session security

Configurable controls to protect active sessions and prevent unauthorized access from compromised devices or networks.

Idle timeout. Sessions automatically lock after a configurable period of inactivity. Admins set the timeout duration per organization.

IP allowlisting. Restrict platform access to approved IP addresses or CIDR ranges. Connections from unrecognized networks are blocked.

Device trust management. Register and manage trusted devices. Unrecognized devices trigger additional verification before granting access.

Concurrent session limits. Control how many active sessions a single user can maintain. Prevent credential sharing and reduce attack surface.

Compliance and monitoring

Built-in transaction monitoring, sanctions screening, and audit-ready logs. Archway is pursuing SOC 2 Type II and ISO 27001 certifications. Current security controls are designed to align with these frameworks.

Transaction monitoring. Integrated with Chainalysis and Hypernative for real-time onchain risk detection and alerting.

Sanctions screening. Automated screening against OFAC, EU, and UN sanctions lists. Flagged transactions are held for manual review.

Audit-ready exports. Full transaction logs with counterparty details, timestamps, and approval chains. Export in formats your auditors expect.

SOC 2 and ISO 27001 roadmap. SOC 2 Type II and ISO 27001 certification are on our compliance roadmap. Current controls align with these frameworks.

Business continuity

Your assets remain under your control, your data is always exportable, and your operations are never locked in. Even if Archway ceases to operate, your fund continues without interruption.

Assets under your control. Noncustodial design means your assets live in your wallet. If Archway goes offline, your funds remain fully accessible.

Data always exportable. Export all transaction history, reports, and configuration data at any time. No proprietary lock-in on your operational data.

Source code escrowed. Source code escrow with a third-party agent planned as part of business continuity. Released to clients if Archway ceases operations.

90-day transition commitment. Standard contracts include a 90-day transition period with support, data migration assistance, and operational handoff.

Ready to see it in action?

Reach out to discuss your fund's security requirements in detail.

Launch Demo Contact Us