Best Practice Guide to Secure & Compliant Digital Asset Operations

these guidelines cover all employees, contractors, and service providers who interact with company controlled wallets on primevault, including operational, treasury, and engineering personnel your primevault wallet workspace uses a multi layer, zero trust security architecture to make sure every wallet interaction in your org is safe, cryptographically verified and compliant with the rules configured in the policy engine but your workspace is only as secure as the policies (configured by you) that govern every user action in your org implementing strong governance, together with continuous monitoring of access policies and user activity, helps ensure the safety of your and your customers’ assets and the smooth running of your operations 1\ control objectives focus on four areas authorisation – who can access wallets and approve transactions segregation of duties – avoid single points of failure monitoring – detect anomalous or unauthorised activity auditability – maintain records for compliance 2\ primevault’s security, monitoring & compliance toolkit primevault uses mpc, secure enclaves, a verified policy engine, diverse user roles, and a rich hierarchy of orgs, sub orgs, vaults, addresses and policy templates to allow for extensive flexibility, modularity, safety and auditability of every use case here are some tips on how to leverage these to configure a safe and compliant operational environment for your organisation workspace administration create distinct workspaces for each legal entity for the segregation of assets create separate vaults for customer funds and for distinct wallet groups (e g treasury ops, omnibus wallet) assign roles and permissions via the primevault console workspace owner admin user (limited signer / tx creator in certain vaults) auditor view only, for audits and compliance monitoring use the least privilege principle no user should have access to more vaults or administrative privileges or duties than necessary segregate reserve funds (cold/offline signing) from funds needed for active transfers (online signing) there should be at least 3 owners + admins in your workspace to prevent accidentally locking down administrative functions in your workspace e g , several privileged operations (such as approval workflows for changing policies or whitelisting a trading venue) require a minimum of 2 admin signatures if you have only 2 admins/owners in your workspace and one of the admins loses their key, the workspace can be left in a state of limbo high value vaults such as the main (omnibus) treasury vaults should be configured such that transacting/signing privileges are limited to a small set of highly trusted users, and higher approval quorums should be enforced, while allowing for some operational flexibility all “admin quorum policies” should be at least 2 and ideally higher (since these govern highly sensitive actions that are able to modify the workspace – change policy template, rules for onboarding/offboarding and whitelisting addresses and dapps, etc ) other users should be given user privileges and added to only the vaults they need to access (principle of least privilege) transaction policies set rules in the primevault policy engine, such as approval quorums require multi approver workflows for transactions above a threshold destination restriction block transfers to unwhitelisted addresses unless specifically approved asset specific limits set per asset daily outflow caps limit asset types per team (e g , stablecoins only for the treasury team) custom contract calls / raw signing function calls in custom smart contracts or transactions on unsupported blockchains can sometimes require greater vigilance and ideally higher approval thresholds txn pre authorization / automations like custom transactions, pre authorized transactions and batched transactions should use a higher approval quorum as well session & key security enforce mfa for primevault logins (enforced in pv by default) separate transaction initiation and approval (signing) interfaces/devices (present by default) use scim or sso for identity management integration session timeouts and device level approvals (auto enforced) monitoring & alerts enable alerts for large transfers transaction monitoring for aml/kyc depending on the regulator/jurisdiction, you may be required to monitor wallets and transactions primevault supports integrations with transaction monitoring services such as elliptic right out of the box 4\ internal processes & controls wallet usage policy document clearly who can access which wallets how and when funds can be moved who needs to approve what key people & separation of duties dual control for all treasury transactions (ideally 2 of 3) additional approvers for larger transactions the initiator can't approve their own transaction by themselves where possible, approvers should be separate from admins compliance officer who does periodic (ideally quarterly) review of all users, policy and activity reconciliation & reporting daily or weekly reconciliation of wallet balances vs internal books maintain transaction logs for all internal fund movements periodic internal audits and control reviews