Security Architecture

Security built for institutional trust.

QOVA's security model was designed from first principles — layered defenses, cryptographic custody, regulatory compliance, and real-time monitoring working together to protect every transaction and every client.

  • Cold Storage: Majority of Assets
  • Multi-Sig: Required on All Withdrawals
  • Monitoring: 24/7 Automated
  • Uptime SLA: 99.9%

Six Layers of Protection

Defense in depth.

01

Cold Storage

Offline Asset Custody

The majority of client assets are held in air-gapped cold storage wallets — physically isolated from any internet-connected system. Private keys are generated and stored on hardware security modules (HSMs) in geographically distributed, access-controlled facilities.

  • HSM-based key generation and storage
  • Air-gapped signing environment
  • Geographic distribution across secure vaults
  • Periodic on-chain audit verification

02

Multi-Signature Authorization

Multi-Party Control

All outgoing transactions require multiple independent cryptographic signatures from key custodians distributed across different geographic locations. There is no single point of failure, and no single person can authorize a withdrawal unilaterally.

  • M-of-N multi-signature threshold signing
  • Geographically distributed key custodians
  • Time-lock delays on large withdrawals
  • Dual-control policy for all key operations

03

Segregated Client Funds

Ring-Fenced Accounts

Client assets are held in accounts legally and operationally segregated from QOVA's own treasury. In the event of any operational issue, client funds cannot be used to cover operational liabilities. This structure is mandated by our BCR license.

  • Client funds never commingled with operational treasury
  • Per-client accounting with daily reconciliation
  • Regulatory mandate under BCR framework
  • Independent custodian confirmation available on request

04

Real-Time Threat Monitoring

24/7 Automated Vigilance

Every transaction is screened in real time against multiple risk signals: behavioral anomalies, velocity checks, blacklisted addresses, and AML scoring. Alerts trigger immediate automated holds pending human review by our compliance team.

  • Blockchain address screening (sanctions + known bad actors)
  • Velocity and pattern anomaly detection
  • Automated hold triggers with manual review
  • 24/7 on-call compliance officer

05

On-Chain Audit Trail

Immutable Blockchain Record

Every transaction settled through QOVA is permanently recorded on-chain — on Tron (TRC-20) or Ethereum (ERC-20). The record is public, immutable, and verifiable by any counterparty at any time. This eliminates any risk of record falsification.

  • TxHash provided for every settled transaction
  • Public blockchain verifiability
  • Tamper-proof immutable record
  • Queryable via standard block explorers

06

Access Control & Authentication

Zero-Trust Identity Architecture

All platform access requires strong multi-factor authentication. API keys are scoped with least-privilege permissions. IP whitelisting, withdrawal address whitelisting, and session anomaly detection are enforced at every layer.

  • Mandatory 2FA for all accounts
  • API key scoping with IP whitelisting
  • Withdrawal address whitelisting
  • Session fingerprinting and anomaly detection

Regulatory Compliance

Licensed. Compliant. Auditable.

  • BCR Licensed: Exchange & Payment Institution · El Salvador
  • FATF Compliant: Global AML/CTF Standards
  • Bitcoin Law: El Salvador Official Regulatory Framework
  • LAEID: Digital Assets Issuance Law — El Salvador
  • Payment Systems Act: Ley del Sistema de Pagos — El Salvador
  • AML/CTF Policy: Tier-Based Risk Assessment Framework