Best Practice Guide to Secure & Compliant Digital Asset Operations
Your PrimeVault wallet workspace uses a multi-layer, zero-trust security architecture to ensure every wallet interaction is safe, cryptographically verified, and compliant. However, your workspace is only as secure as the policies you configure. Implementing strong governance, rooted in the maker-checker and least-privilege principles, together with continuous monitoring of access policies, helps ensure the safety of your assets and the smooth running of your operations.

These guidelines cover all employees, contractors, and service providers who interact with company-controlled wallets on PrimeVault, including operational, treasury, and engineering personnel.

## 1. Control objectives

To maintain institutional-grade security, focus on four key areas:

- **Authorization**: define exactly who can access wallets and approve transactions.
- **Segregation of duties (maker-checker)**: ensure no single individual can initiate and execute a high-risk action alone.
- **Monitoring**: continuous oversight to detect anomalous or unauthorized activity in real time.
- **Auditability**: maintain immutable records for internal reviews and regulatory compliance.

## 2. PrimeVault's security, monitoring & compliance toolkit

PrimeVault leverages MPC (multi-party computation), secure enclaves, a formally verified policy engine, and a rich hierarchy of orgs, vaults, and roles to enable extensive flexibility, modularity, safety, and auditability across every use case. Here are some tips on how to leverage these to configure a safe and compliant operational environment for your organisation.

### Workspace administration

- **Entity segregation**: create distinct workspaces for each legal entity to keep assets logically and legally separated.
- **Vault stratification**: use separate vaults for customer funds vs. corporate treasury (e.g., "Treasury Ops" vs. "Omnibus Wallet").
- **Role-based access control (RBAC)**: assign permissions via the console using the least-privilege principle; no user should have access to more vaults or duties than necessary.
  - **Workspace owner**: high-level management.
  - **Admin**: policy and infrastructure configuration.
  - **User**: limited signer or transaction creator (maker) in specific vaults.
  - **Auditor**: view-only access for compliance monitoring.
- **Cold vs. hot**: segregate reserve funds (cold/offline signing) from funds needed for active transfers (online signing).

**Critical: the "rule of three" for admins.** You should have at least 3 owners + admins in your workspace. Why? Privileged operations (such as changing policies or whitelisting) often require a 2-signature quorum. Risk: if you have only 2 admins and one loses their key, your workspace could be left in limbo, locking you out of administrative functions. With 3, losing one key still leaves 2 admins who can reach the quorum.

### Transaction policies

Configure the PrimeVault policy engine to enforce the maker-checker workflow:

- **Approval quorums**: require multi-approver workflows for transactions above specific thresholds.
- **High-value vaults**: for main omnibus/treasury vaults, limit signing privileges to a small set of trusted users and enforce higher approval quorums.
- **Admin policies**: all "admin quorum policies" (which govern sensitive workspace changes) should be set to at least 2 (ideally higher).
- **Destination restriction**: block transfers to unwhitelisted addresses unless specifically approved.
- **Asset-specific limits**: set daily outflow caps per asset, and limit asset types per team (e.g., stablecoins only for the treasury team).
- **Advanced vigilance**: enforce higher approval thresholds for custom smart contract calls, raw signing, or transactions on unsupported blockchains. This applies to pre-authorized and batched transactions as well.

### Session & key security

- **MFA**: enforced by default for all PrimeVault logins.
- **Hardware isolation**: separate transaction initiation and approval (signing) interfaces/devices are present by default.
- **Identity management**: use SCIM or SSO for seamless integration.
- **Auto-enforcement**: session timeouts and device-level approvals are automatically enforced.

### Monitoring & alerts

Enable alerts to detect anomalies immediately.

- **Large transfers**: set thresholds
  for immediate notification.
- **AML/KYC compliance**: depending on your jurisdiction, you may be required to monitor wallet activity. PrimeVault supports out-of-the-box integrations with transaction monitoring services like Elliptic.

## 3. Internal processes & controls

### Wallet usage policy

Document these clearly for your team:

- **Access**: who can access which wallets?
- **Movement**: how and when funds can be moved.
- **Approvals**: who is authorized to approve specific transaction types?

### Key people & separation of duties (maker-checker)

- **Dual control**: enforce dual control for all treasury transactions (ideally 2-of-3 quorums).
- **Maker-checker**: the initiator (maker) cannot approve their own transaction.
- **Admin vs. approver**: where possible, approvers (signers) should be different individuals from the admins (policy managers).
- **Compliance review**: a compliance officer should perform periodic (ideally quarterly) reviews of all users, policies, and activity logs.

### Reconciliation & reporting

- **Reconciliation**: perform daily or weekly reconciliation of wallet balances against internal books.
- **Logs**: maintain transaction logs for all internal fund movements.
- **Audits**: conduct periodic internal audits and control reviews to ensure policies remain effective.
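The transaction policy controls above (approval quorums that rise with the amount, destination whitelists, per-asset daily outflow caps) and the maker-checker rule from the separation-of-duties section are what a policy engine evaluates before a transfer is signed. The following is an added Python example, not PrimeVault's own policy engine or API, showing how those checks combine over a few constructed transfers. The vault policy, user names, addresses, amounts and the `admin_quorum_survives` helper (which illustrates the "rule of three" for admin quorums) are all assumed sample data.

```python
"""
Toy maker-checker policy evaluator for a single vault.

Added illustration; not PrimeVault's policy engine. The policy, users,
addresses and amounts below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Transfer:
    tx_id: str
    asset: str
    amount: int                  # whole tokens, for readability
    destination: str
    maker: str                   # user who initiated the transfer
    approvers: Tuple[str, ...]   # users who have signed off (checkers)
    day: str                     # calendar day, used for the daily outflow cap


@dataclass(frozen=True)
class VaultPolicy:
    signers: FrozenSet[str]                    # users allowed to approve in this vault
    whitelist: FrozenSet[str]                  # permitted destination addresses
    quorum_tiers: Tuple[Tuple[int, int], ...]  # (amount_threshold, approvals_required), ascending
    daily_cap: Dict[str, int]                  # asset -> max outflow per day; absent asset = not allowed


def required_approvals(policy: VaultPolicy, amount: int) -> int:
    """The highest tier whose threshold the amount reaches sets the quorum."""
    required = 1
    for threshold, approvals in policy.quorum_tiers:
        if amount >= threshold:
            required = approvals
    return required


def evaluate(tx: Transfer, policy: VaultPolicy,
             spent: Dict[Tuple[str, str], int]) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). `spent` maps (asset, day) -> outflow already approved that day."""
    reasons: List[str] = []

    if tx.destination not in policy.whitelist:
        reasons.append("destination not whitelisted")

    # Maker-checker: the initiator never counts toward the approval quorum.
    if tx.maker in tx.approvers:
        reasons.append("maker cannot approve own transaction")
    valid_checkers = {u for u in tx.approvers if u in policy.signers and u != tx.maker}
    need = required_approvals(policy, tx.amount)
    if len(valid_checkers) < need:
        reasons.append(f"quorum not met: {len(valid_checkers)}/{need} distinct signers")

    cap = policy.daily_cap.get(tx.asset)
    if cap is None:
        reasons.append(f"asset {tx.asset} not permitted in this vault")
    elif spent.get((tx.asset, tx.day), 0) + tx.amount > cap:
        reasons.append("daily outflow cap exceeded")

    return (not reasons, reasons)


def admin_quorum_survives(admins: FrozenSet[str], quorum: int, lost_keys: FrozenSet[str]) -> bool:
    """Rule of three: after losing keys, can the remaining admins still reach the quorum?"""
    return len(admins - lost_keys) >= quorum


def run_demo() -> Dict[str, Tuple[bool, List[str]]]:
    """Evaluate constructed sample transfers in order, charging approved ones to the daily cap."""
    policy = VaultPolicy(
        signers=frozenset({"alice", "bob", "carol"}),
        whitelist=frozenset({"0xVENDOR", "0xEXCHANGE"}),
        quorum_tiers=((0, 1), (10_000, 2), (100_000, 3)),
        daily_cap={"USDC": 250_000},          # ETH deliberately absent: not allowed here
    )
    sample = [  # constructed data
        Transfer("tx-1", "USDC", 5_000, "0xVENDOR", "dave", ("alice",), "2024-01-01"),
        Transfer("tx-2", "USDC", 50_000, "0xVENDOR", "alice", ("alice", "bob"), "2024-01-01"),
        Transfer("tx-3", "USDC", 50_000, "0xVENDOR", "alice", ("bob", "carol"), "2024-01-01"),
        Transfer("tx-4", "USDC", 200_000, "0xEXCHANGE", "dave", ("alice", "bob", "carol"), "2024-01-01"),
        Transfer("tx-5", "ETH", 10, "0xVENDOR", "dave", ("alice",), "2024-01-01"),
        Transfer("tx-6", "USDC", 1_000, "0xUNKNOWN", "dave", ("alice",), "2024-01-01"),
    ]
    spent: Dict[Tuple[str, str], int] = {}
    results: Dict[str, Tuple[bool, List[str]]] = {}
    for tx in sample:
        allowed, reasons = evaluate(tx, policy, spent)
        if allowed:
            spent[(tx.asset, tx.day)] = spent.get((tx.asset, tx.day), 0) + tx.amount
        results[tx.tx_id] = (allowed, reasons)
    return results


if __name__ == "__main__":
    for tx_id, (ok, why) in run_demo().items():
        print(tx_id, "ALLOWED" if ok else "REJECTED", "; ".join(why))
    print("2 admins, 2-of-N quorum, one key lost:",
          admin_quorum_survives(frozenset({"a", "b"}), 2, frozenset({"a"})))
```

Note that tx-2 is rejected for two independent reasons: the maker also signed, and once that signature is discarded only one valid checker remains against a quorum of two. tx-4 is well within its quorum but pushes the day's USDC outflow past the cap, which is the kind of check a per-transaction reviewer alone would miss; the evaluator reports every failed control rather than stopping at the first so the audit record explains the rejection fully.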