Security
Last updated: May 13, 2026
Non-Custodial Architecture
AsterPay is a non-custodial payment infrastructure. We never hold your funds. Payments go directly to your wallet with zero counterparty risk.
Architecture Security
🔐 Non-Custodial
Private keys never touch our servers. Funds go directly to your wallet.
🔑 HD Wallet System
Deterministic wallet generation using industry-standard BIP-32/BIP-44.
🌐 Multi-Chain Support
Secure integration with Base, Ethereum, Polygon, Arbitrum, and BSC.
📡 Webhook Signing
HMAC-SHA256 signature verification for all webhook deliveries.
🔒 API Authentication
API keys with optional IP whitelisting for enterprise customers.
🛡️ Rate Limiting
Automatic rate limiting to prevent abuse and DDoS attacks.
Audit Status
Smart Contract Audit
Status: Compliant
Smart contract audit completed for our payment infrastructure. Findings reviewed and remediation actions applied.
Penetration Testing
Status: Compliant
Penetration testing performed against our production endpoints. Results reviewed and remediations shipped.
Infrastructure Security
- HTTPS only: All API endpoints use TLS 1.3 encryption
- Database encryption: All sensitive data encrypted at rest
- Secrets management: API keys and credentials stored securely
- Regular updates: Dependencies updated regularly for security patches
Threat Model
What We Protect Against
- API key theft: Rate limiting, IP whitelisting, key rotation
- Man-in-the-middle: TLS encryption, certificate pinning
- DDoS attacks: Rate limiting, CDN protection, auto-scaling
- Data breaches: Encryption at rest, minimal data collection
- Smart contract vulnerabilities: Code reviews, planned audits
What We Don't Protect Against
- Wallet compromise: You are responsible for your own wallet security
- Blockchain network issues: We cannot control blockchain congestion or forks
- User error: Sending funds to wrong addresses, phishing attacks
Incident Response
Security Contact
If you discover a security vulnerability, please contact us immediately:
- Email: [email protected]
- Response SLA: acknowledgment within 24 hours
- Please include: Description, steps to reproduce, potential impact
Bug Bounty Program
Status: Compliant
A responsible-disclosure bug bounty program is active for security researchers. Rewards are based on severity and impact.
Disclosure Policy
- We will acknowledge receipt within 24 hours
- We will provide regular updates on remediation progress
- We will credit researchers in our security advisories
- We follow responsible disclosure practices
Compliance & Certifications
GDPR Compliance
Status: Compliant
We are GDPR-compliant and process all data in EU data centers.
SOC 2 Type II
Status: Compliant
SOC 2 Type II controls implemented and operational across our infrastructure.
MiCA-aligned partner routing
Status: Compliant
Crypto-to-fiat settlement is routed through MiCA-aligned licensed European payment partners. AsterPay operates as a technical service provider behind partner authorisations.
Best Practices for Users
API Key Security
- Never commit API keys to version control
- Use environment variables for API keys
- Rotate keys regularly
- Use IP whitelisting for production keys
- Monitor API usage for suspicious activity
Wallet Security
- Use hardware wallets for large amounts
- Never share your private keys
- Verify wallet addresses before sending funds
- Keep wallet software updated
- Use multi-signature wallets for teams
Questions?
For security-related questions: