At Hex Trust, we don’t take client trust for granted. This is why we place security at the forefront of all our operations, with full commitment to meeting rigorous standards for security and privacy.
These pillars of our robust security infrastructure offer a holistic and tailored solution to protecting your digital assets and personal data at all times.
Hex Trust strives to meet the strictest regulatory and compliance standards in every jurisdiction we operate. Here are some of the licenses and registrations that attest to our commitment:
Custody Services
Broker-Dealer Services
Management and Investment Services
In March 2022, Hex Trust completed the SOC 2 Type I assessment conducted by Deloitte. The assessment confirms that our information security practices, policies, procedures, and operations meet the rigorous standards for security, availability, processing integrity, confidentiality, and privacy.
Read More ⟩In December 2023, Hex Trust completed the SOC2 Type II assessment conducted by AssuranceLab. The audit period for this assessment was from 1 October 2022 to 30 September 2023, covering a duration of one year. This assessment confirms the safety and effectiveness of Hex Trust's internal controls and security-first business processes.
Read More ⟩In Feburary 2023, Hex Trust underwent the SOC 1 Type II assessment conducted by Deloitte for the audit period of 1 April 2023 to 30 September 2023, ensuring compliance with rigorous standards for customer financial reporting and asset segregation practices, and in February 2023, they completed the SOC 1 Type I assessment independently conducted by Deloitte, confirming their internal controls.
Hex Trust obtained the Cloud Security Alliance (CSA) STAR Level 2 Certification in December 2023, meaning we are officially a Trusted Cloud Provider committed to full cloud security competency. Hex Trust is also a Cloud Security Alliance corporate member, with access to an extensive network of cloud users that collaborate to create and maintain a trusted cloud ecosystem.
The Security, Trust, Assurance, and Risk (STAR) Registry is a publicly accessible registry that documents the security and privacy controls provided by popular cloud computing offerings.
Founded in 2013 by the Cloud Security Alliance, the Security Trust Assurance and Risk (STAR) registry encompasses key principles of transparency, rigorous auditing, and cloud security and privacy best practices as outlined in the Cloud Controls Matrix (CCM).
Publishing to the registry allows organizations to show current and potential customers their security and compliance posture, including the regulations, standards, and frameworks they adhere to.
We always take a security-oriented approach in our processes to protect our business from a variety of threats and security risks.
We are also committed to:
Regular Penetration Testing
To ensure our security system has no gaps, we receive regular penetration testing from a CREST accredited cybersecurity services provider. This verifies the capabilities of our security architecture against potential cyber attacks.
A Secure SDLC
DevSecOps is a core pillar of our security model, and it’s our top priority to make sure the Hex Safe platform is the most secure possible. We work with partners to create a comprehensive, holistic, and integrated Secure SDLC, and protect our platform from any vulnerabilities.
Our proprietary bank-grade platform, Hex Safe, is built on IBM Hyper Protect services. This includes enterprise-scale protected memory enclaves, FIPS 140-2 Level 4 hardware security modules, industry leading data confidentiality, and regulatory compliance support through strict controls on external and privileged user access to sensitive data such as account profiles, transaction approval rules, AML ratings, KYC documentation, compliance/audit, and statement data.
This strategic partnership with IBM provides our institutional custody platform the strictest security and privacy infrastructure underpinned by IBM LinuxONE.
LinuxONE is a hardware platform that is optimized to run on the Linux operating system and leverages its architecture for providing unique value. It can be utilized in both private and multi-cloud environments for various workloads and use-cases.
On LinuxONE, security is built into the hardware and software.
The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard that sets rules for the minimum level of security for cryptographic modules in IT products.
All of Hex Trust’s applications are primarily hosted on Amazon Web Services (AWS) and Google Cloud Platform (GCP), giving our products and services the benefits they provide their clients such as physical/software/operational security, flexibility, reliability, and scalability.
We choose the AWS & GCP Cloud infrastructure for their robust controls in maintaining security and compliance of the cloud. AWS adopts strict IT standards which are broken out by Certifications & Attestations; Laws, Regulations & Privacy; and Alignments and Frameworks.
Through a strategic partnership with Chainalysis, Hex Trust adopts Chainalysis KYT (Know Your Transaction) and Chainalysis Reactor.
These integrations provide an additional layer of robust compliance features to Hex Safe, our institutional custody platform, giving our clients further peace of mind for all their digital asset transactions.
Read more ⟩A process of converting readable data into encoded data, which can only be read or processed after decryption.
Encryption ensures a system’s sensitive information such as client data or cryptographic keys cannot be stolen or read by potential malicious actors.
Posture and technologies designed to safeguard and govern the cloud environment to address internal and external threats.
Organizations are increasingly turning to cloud-native environments for improved organizational flexibility, data security & stability/resiliency. However, it can bring about risks including misconfiguration and cybercriminal activity thus extra caution should be taken in cloud security.
A physical computing hardware device that provides tamper-evident, intrusion-resistant safeguarding & management of cryptographic keys.
Hardware Security Module provides the highest level of security for sensitive data like cryptographic keys or wallet private keys while meeting security standards/regulations, and flexibly adapts to organizations’ operations.
Chronologically captures & logs all events within a system including actions against assets, owners, user activity and more.
Security audit trails assist in detecting security violations, performance problems, compliance with regulatory requirements and more.
Development, Security, Operations – automates and embeds security requirements at every phase of software development lifecycle (from initial design to integration, testing, deployment & delivery).
DevSecOps helps to lower technical debt, increases cloud and application security with faster software delivery.
Top Security Considerations for Digital Asset Organizations
Download the PDF ⟩We maintain our own team of risk management and security specialists, analyzing and assessing both internal and external risks to ensure that customer assets are protected with the commensurate level of security.
With the rise of security concerns in the digital asset space, here’s our CISO discussing the processes and tools that digital asset organizations can leverage to prevent DeFi breaches and attacks.
The 10 Foundational Principles of a Licensed Digital Asset Custodian
Download the PDF ⟩