Licenses & Certifications

Trust Center

At Hex Trust, we don’t take client trust for granted. This is why we place security at the forefront of all our operations, with full commitment to meeting rigorous standards for security and privacy. 

These pillars of our robust security infrastructure offer a holistic and tailored solution to protecting your digital assets and personal data at all times. 

  • Licensing across all operating jurisdictions
  • Accredited in-house security team
  • Regular penetration testing by a CREST-approved third party
  • Industry leading security-first technology
  • SOC 1 & SOC 2 certified

Licensed & Compliant

Hex Trust strives to meet the strictest regulatory and compliance standards in every jurisdiction in which we operate. Here are some of the licenses and registrations that attest to our commitment:

Hong Kong

Trust Ordinance
Trust Company registration 
Trust or Company Service Provider (TCSP) license

Dubai, UAE

Dubai Virtual Assets Regulatory Authority
Virtual Asset Service Provider license for Custody Services

Singapore

Monetary Authority of Singapore
Major Payment Institution (MPI) license for provision of Digital Payment Token (DPT) Services (In-Principle Approval)

France

Autorité des Marchés Financiers
Digital Asset Service Provider simple registration

Italy

Organismo Agenti e Mediatori
OAM registration

SOC 1 & SOC 2 Certified

In March 2022, Hex Trust completed the SOC 2 Type I assessment conducted by Deloitte. The assessment confirms that our information security practices, policies, procedures, and operations meet the rigorous standards for security, availability, processing integrity, confidentiality, and privacy.

In December 2023, Hex Trust completed the SOC 2 Type II assessment conducted by AssuranceLab. The audit period for this assessment was from 1 October 2022 to 30 September 2023, covering a duration of one year. This assessment confirms the safety and effectiveness of Hex Trust's internal controls and security-first business processes.

In February 2023, Hex Trust underwent the SOC 1 Type II assessment conducted by Deloitte for the audit period of 1 April 2023 to 30 September 2023, ensuring compliance with rigorous standards for customer financial reporting and asset segregation practices. In February 2023, Hex Trust also completed the SOC 1 Type I assessment independently conducted by Deloitte, confirming its internal controls.

Cloud Security Alliance 

Hex Trust obtained the Cloud Security Alliance (CSA) STAR Level 2 Certification in December 2023, meaning we are officially a Trusted Cloud Provider committed to full cloud security competency. Hex Trust is also a Cloud Security Alliance corporate member, with access to an extensive network of cloud users that collaborate to create and maintain a trusted cloud ecosystem.

Security, Trust, Assurance, and Risk (STAR) Registry

The Security, Trust, Assurance, and Risk (STAR) Registry is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings.

Founded in 2013 by the Cloud Security Alliance, the Security Trust Assurance and Risk (STAR) registry encompasses key principles of transparency, rigorous auditing, and cloud security and privacy best practices as outlined in the Cloud Controls Matrix (CCM).

Publishing to the registry allows organizations to show current and potential customers their security and compliance posture, including the regulations, standards, and frameworks they adhere to.

Secured at every level

We always take a security-oriented approach in our processes to protect our business from a variety of threats and security risks.

Our data centers are certified with:

  • ISO 9001:2015 (Quality of Organization)
  • ISO 27001:2013 (Maximum Information Security)
  • ISO 22301:2019 (Business Continuity)
  • ANSI/TIA-942-B Constructed Facility

We are also committed to:

Regular Penetration Testing
To ensure our security system has no gaps, we undergo regular penetration testing by a CREST-accredited cybersecurity services provider. This verifies the capabilities of our security architecture against potential cyber attacks.

A Secure SDLC
DevSecOps is a core pillar of our security model, and it’s our top priority to make sure the Hex Safe platform is the most secure possible. We work with partners to create a comprehensive, holistic, and integrated Secure SDLC, and protect our platform from any vulnerabilities.

Security-first technology

Our proprietary bank-grade platform, Hex Safe, is built on IBM Hyper Protect services. This includes enterprise-scale protected memory enclaves, FIPS 140-2 Level 4 hardware security modules, industry leading data confidentiality, and regulatory compliance support through strict controls on external and privileged user access to sensitive data such as account profiles, transaction approval rules, AML ratings, KYC documentation, compliance/audit, and statement data.

This strategic partnership with IBM provides our institutional custody platform the strictest security and privacy infrastructure underpinned by IBM LinuxONE.

IBM LinuxONE

LinuxONE is a hardware platform that is optimized to run the Linux operating system and leverages its architecture to provide unique value. It can be utilized in both private and multi-cloud environments for various workloads and use cases.

On LinuxONE, security is built into the hardware and software.

  • The IBM Secure Service Container technology provides workload isolation, restricted administrator access, and tamper protection against internal threats, including system administrators.
  • Hardware-accelerated encryption of data is delivered with minimal overhead using the on-chip Central Processor Assist for Cryptographic Function (CPACF) and a dedicated Crypto Express adapter.
  • Virtualization and advanced isolation capabilities are supported: PR/SM, EAL 5+ LPARs, DPM, KVM, and IBM z/VM®.
  • LinuxONE security capabilities are included with other technologies that use it.

FIPS 140-2 Level 4 Certification

The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard that sets rules for the minimum level of security for cryptographic modules in IT products.

  • Security Level 4 is the highest level of security provided in the standard. There are currently only two companies globally that offer Level 4 certified products, including IBM.
  • Physical security mechanisms, such as detection of and response to unauthorized physical access attempts, are included.
  • Penetration of the cryptographic module enclosure from any direction will likely be detected and result in the immediate deletion of all plaintext critical security parameters (CSPs).
  • Security Level 4 cryptographic modules can be used in unprotected environments and protect against security breaches caused by changes in environment.
  • The cryptographic module must also be tested or have special features to ensure it can withstand environmental changes that may compromise its security.

All of Hex Trust’s applications are primarily hosted on Amazon Web Services (AWS) and Google Cloud Platform (GCP), giving our products and services the benefits these providers offer their clients, such as physical, software, and operational security, flexibility, reliability, and scalability.

We choose the AWS and GCP cloud infrastructure for their robust controls in maintaining security and compliance of the cloud. AWS adopts strict IT standards, which are broken out into Certifications & Attestations; Laws, Regulations & Privacy; and Alignments and Frameworks.

Compliance-focused custody

Through a strategic partnership with Chainalysis, Hex Trust adopts Chainalysis KYT (Know Your Transaction) and Chainalysis Reactor.

  • Chainalysis Know Your Transaction: a compliance solution for real-time transaction monitoring 
  • Chainalysis Reactor: an investigative tool for enhanced due diligence

These integrations provide an additional layer of robust compliance features to Hex Safe, our institutional custody platform, giving our clients further peace of mind for all their digital asset transactions. 

Security tools, tactics, and measures

1. Encryption

A process of converting readable data into encoded data, which can only be read or processed after decryption.

Encryption ensures a system’s sensitive information, such as client data or cryptographic keys, cannot be read by potential malicious actors even if it is stolen.

2. Cloud Security

Posture and technologies designed to safeguard and govern the cloud environment to address internal and external threats.

Organizations are increasingly turning to cloud-native environments for improved organizational flexibility, data security, and stability and resiliency. However, this can bring about risks including misconfiguration and cybercriminal activity, so extra caution should be taken in cloud security.

3. Hardware Security Module (HSM)

A physical computing hardware device that provides tamper-evident, intrusion-resistant safeguarding & management of cryptographic keys.

A Hardware Security Module provides the highest level of security for sensitive data like cryptographic keys or wallet private keys while meeting security standards and regulations, and adapts flexibly to an organization’s operations.

4. Security audit trails

Chronologically captures and logs all events within a system, including actions against assets, owners, user activity, and more.

Security audit trails assist in detecting security violations and performance problems, demonstrating compliance with regulatory requirements, and more.

5. DevSecOps

Development, Security, Operations: automates and embeds security requirements at every phase of the software development lifecycle (from initial design to integration, testing, deployment, and delivery).

DevSecOps helps to lower technical debt and increases cloud and application security, with faster software delivery.

Why choose Hex Trust as your custodian?

We maintain our own team of risk management and security specialists, analyzing and assessing both internal and external risks to ensure that customer assets are protected with the commensurate level of security.

With the rise of security concerns in the digital asset space, here’s our CISO discussing the processes and tools that digital asset organizations can leverage to prevent DeFi breaches and attacks.

Asset segregation

Flexible Approvals

Tailored Client Support

Extensive Reviews

Bank-grade Processes

Third-party Due Diligence

Applicable Regulation

Internal & External Risk Management

Flexible Wallet Options

Robust Contingency Measures
