Data Security Policy

Last Updated: 3 June 2026

This Data Security Policy ("Policy") describes the administrative, technical, organizational, and security measures that Vaultody Ltd. ("Vaultody", "Provider", "we", "our", or "us") applies to protect the confidentiality, integrity, and availability of the Services and the data processed through Provider-controlled systems.

This Policy should be read together with the Digital Wallet as a Service (DWaaS) Software as a Service Agreement (Non-Custodial), the Privacy Policy, the Data Processing Addendum, the Terms & Conditions, and other legal documents published by Vaultody.

Capitalized terms not defined in this Policy have the meanings given to them in the DWaaS Software as a Service Agreement.

1. Scope

This Policy applies to the Services, Provider-controlled systems, infrastructure, applications, operational environments, and processes used by Vaultody to provide, maintain, secure, support, and administer the Services.

This Policy does not apply to:

(a) Client-controlled systems, devices, servers, wallets, applications, networks, environments, or infrastructure;

(b) Client Applications;

(c) Client-managed private keys, key shares, seed phrases, recovery phrases, recovery materials, authentication devices, access tokens, API keys, or credentials;

(d) third-party blockchain networks, protocols, validators, bridges, smart contracts, wallets, infrastructure providers, or other third-party systems;

(e) data processed by Client outside the Services; or

(f) data processed in violation of the applicable legal documents.

2. Non-Custodial Security Clarification

Vaultody is a technology-only, non-custodial software-as-a-service provider.

Vaultody does not hold, custody, possess, control, administer, or manage Client Digital Assets.

Vaultody does not store or control Client private keys, seed phrases, recovery phrases, recovery material, or Client-controlled signing components.

Vaultody does not have the technical ability to independently access, reconstruct, combine, or use Client signing authority or transfer Client Digital Assets.

Vaultody's security responsibilities relate to Provider-controlled systems and the Services. Client remains responsible for securing its own systems, devices, credentials, key material, recovery material, access controls, integrations, Client Applications, and operational environment.

3. Security Program

Vaultody maintains a security program designed to protect the confidentiality, integrity, and availability of the Services and data processed within Provider-controlled systems.

The security program may include policies, procedures, controls, monitoring, access management, incident response processes, vendor management, employee security practices, and other measures appropriate to the nature of the Services.

Vaultody may review and update its security program from time to time to address changes in technology, risks, business operations, legal requirements, industry practices, and security threats.

Vaultody may modify, replace, improve, or update security controls, provided that such changes do not materially reduce the overall level of protection described in this Policy.

4. Administrative Security Measures

Vaultody may maintain administrative security measures designed to support secure operation of the Services, including:

(a) internal security policies and procedures;

(b) role-based access management;

(c) personnel confidentiality obligations;

(d) internal access approval processes;

(e) security awareness and training where appropriate;

(f) onboarding and offboarding procedures for personnel with access to Provider-controlled systems;

(g) vendor and service provider review processes;

(h) incident response procedures;

(i) internal reporting and escalation channels; and

(j) periodic review of selected security practices.

Access to Provider-controlled systems is intended to be limited to personnel, contractors, or service providers who have a legitimate business need to access such systems.

5. Technical Security Measures

Vaultody may maintain technical security measures designed to protect Provider-controlled systems, including:

(a) authentication mechanisms;

(b) access controls;

(c) least-privilege access practices;

(d) secure configuration practices;

(e) encryption technologies where appropriate;

(f) network security controls;

(g) monitoring and logging;

(h) vulnerability management processes;

(i) malware protection where appropriate;

(j) secure development and change management practices;

(k) backup and recovery measures; and

(l) other safeguards determined by Vaultody to be appropriate based on the nature of the Services.

6. Access Controls

Vaultody applies access controls designed to restrict access to Provider-controlled systems.

Access privileges may be assigned based on role, job function, operational need, and security requirements.

Vaultody may review, modify, suspend, or revoke access where appropriate, including when personnel change roles, leave Vaultody, no longer require access, or where access presents a security risk.

Client is responsible for managing access to its own Account, users, credentials, authentication devices, API keys, access tokens, Client Applications, and internal systems.

7. Encryption and Data Protection

Vaultody uses commercially reasonable measures designed to protect data transmitted to and from the Services.

Where appropriate, Vaultody may use encryption, secure communication protocols, access restrictions, network isolation, or other safeguards to protect data in transit and data stored within Provider-controlled systems.

Client remains responsible for protecting sensitive data, credentials, key material, recovery material, and security components under its control.

Vaultody does not store or control Client private keys, seed phrases, recovery phrases, or Client-controlled signing components.

8. Logging and Monitoring

Vaultody may collect and review logs and technical information relating to use of the Services, including authentication events, API activity, system events, operational telemetry, security events, error logs, and infrastructure activity.

Such logs may be used to:

(a) operate and maintain the Services;

(b) detect and investigate security events;

(c) troubleshoot technical issues;

(d) prevent fraud, abuse, and unauthorized access;

(e) enforce applicable legal documents;

(f) support incident response;

(g) improve performance and reliability; and

(h) comply with legal, regulatory, or security obligations.

9. Vulnerability Management and Security Testing

Vaultody may maintain vulnerability management processes designed to identify, assess, prioritize, and remediate security vulnerabilities affecting Provider-controlled systems.

Such processes may include:

(a) internal security reviews;

(b) dependency and software component review;

(c) vulnerability scanning;

(d) patch management;

(e) secure development practices;

(f) code review or automated security testing where appropriate;

(g) penetration testing or external security assessments where appropriate; and

(h) remediation tracking.

Vaultody may determine remediation timelines based on severity, exploitability, impact, operational risk, and available mitigations.

10. Change Management

Vaultody may maintain change management procedures designed to reduce operational and security risks associated with changes to the Services, infrastructure, applications, configurations, and production environments.

Such procedures may include testing, review, approval, deployment controls, monitoring, and rollback planning where appropriate.

Vaultody may make emergency changes where reasonably necessary to address security, availability, legal, or operational risks.

11. Cloud Infrastructure and Service Providers

Vaultody may use cloud infrastructure providers, hosting providers, security providers, monitoring providers, communication providers, payment providers, and other vendors to support the Services.

Vaultody relies on certain infrastructure and physical security controls operated by such providers.

Vaultody uses commercially reasonable efforts to select service providers that maintain appropriate technical and organizational measures for the services they provide.

Where required by Applicable Law, Vaultody may enter into appropriate contractual arrangements with service providers that process personal data on Vaultody's behalf.

12. Backups and Recovery

Vaultody may maintain backup, recovery, redundancy, or continuity measures designed to support availability and resilience of Provider-controlled systems.

Backup and recovery measures may vary depending on the nature of the relevant system, environment, data, and operational requirements.

This Policy does not create any service level agreement, uptime commitment, recovery time guarantee, recovery point guarantee, or service credit obligation.

Client remains responsible for maintaining its own backups, records, credentials, key material, recovery material, Client Applications, configurations, and operational continuity arrangements.

13. Incident Response

Vaultody maintains processes designed to identify, investigate, assess, respond to, and mitigate actual or suspected security incidents affecting Provider-controlled systems.

Incident response activities may include:

(a) detection and analysis;

(b) containment;

(c) investigation;

(d) mitigation;

(e) remediation;

(f) communication;

(g) recovery; and

(h) post-incident review where appropriate.

The nature and scope of the response will depend on the circumstances, severity, systems affected, data involved, legal requirements, and available information.

14. Data Security Incident Notification

In the event of a Data Security Incident affecting Provider-controlled systems and resulting in unauthorized access to Client Confidential Information or personal data, Vaultody will notify the affected Client without undue delay after becoming aware of the incident, subject to legal, regulatory, law enforcement, security, or confidentiality restrictions.

Where available and appropriate, Vaultody may provide information regarding:

(a) the nature of the incident;

(b) the categories of data affected;

(c) the likely consequences;

(d) measures taken or proposed to address the incident;

(e) recommended steps for the Client; and

(f) contact information for follow-up.

Vaultody's notification of or response to a Data Security Incident does not constitute an admission of fault, liability, or breach.

15. Client Cooperation

Client shall cooperate with Vaultody in connection with actual or suspected security incidents, unauthorized access events, vulnerability reports, abuse investigations, fraud investigations, or other events affecting the security, integrity, or availability of the Services.

Client shall maintain accurate and current contact information in its Account so that Vaultody can provide operational, security, billing, and legal communications.

Client shall promptly notify Vaultody if it becomes aware of unauthorized access, credential compromise, API key compromise, authentication device compromise, suspected fraud, misuse of the Services, or any security incident that may affect the Services.

16. Shared Security Responsibility

Security of the Services is a shared responsibility between Vaultody and Client.

Vaultody is responsible for commercially reasonable security measures relating to Provider-controlled systems.

Client is responsible for:

(a) securing its Account;

(b) managing user access and permissions;

(c) protecting passwords, API keys, access tokens, authentication devices, and credentials;

(d) securing its own systems, networks, devices, infrastructure, applications, and environments;

(e) securing Client Applications;

(f) configuring workflows, policies, and access controls appropriately;

(g) protecting private keys, key shares, seed phrases, recovery phrases, recovery material, and signing components under Client control;

(h) maintaining backups and recovery procedures for Client-controlled materials;

(i) monitoring activity within its own Account and systems;

(j) ensuring that its use of the Services complies with Applicable Law; and

(k) promptly reporting suspected security issues to Vaultody.

Vaultody shall not be responsible for losses, compromise, unauthorized access, or failures arising from Client-controlled systems, credentials, devices, integrations, key material, recovery material, Client Applications, misconfigurations, or third-party systems outside Provider's control.

17. Security of Client Applications and Integrations

Client is solely responsible for the development, operation, maintenance, configuration, security, testing, monitoring, and compliance of Client Applications and integrations that access or use the Services.

Client shall ensure that Client Applications use the Services securely and in accordance with applicable technical documentation, usage limits, authentication requirements, and legal documents.

Vaultody shall not be responsible for vulnerabilities, defects, misconfigurations, unauthorized access, transaction errors, data exposure, or losses arising from Client Applications or integrations controlled by Client or its contractors.

18. Data Minimization and Operational Metadata

Vaultody aims to process only such data as is reasonably necessary to provide, maintain, secure, support, improve, and administer the Services.

Data processed by Vaultody may include account information, onboarding information, legal acceptance records, billing information, usage information, support information, technical metadata, security logs, operational logs, and other information described in the Privacy Policy.

Vaultody does not require Clients to provide private keys, seed phrases, recovery phrases, recovery material, or Client-controlled signing components.

19. Confidentiality

Vaultody applies internal measures designed to protect Client Confidential Information from unauthorized disclosure or misuse.

Vaultody personnel, contractors, or service providers with access to Client Confidential Information are expected to use such information only for legitimate business purposes relating to the provision, support, security, administration, or improvement of the Services, or as otherwise permitted by applicable legal documents.

20. Security Documentation

Vaultody may, at its discretion, provide security-related information, responses to security questionnaires, summaries, or documentation to Clients or prospective Clients.

Vaultody may condition access to such information on confidentiality obligations, non-disclosure agreements, access restrictions, or other reasonable safeguards.

Vaultody is not required to disclose sensitive technical details, internal security procedures, vulnerability information, architecture details, or information that could compromise the security of Vaultody, Clients, users, or third parties.

21. Third-Party Systems and Blockchain Networks

The Services may interact with or depend on third-party systems, cloud providers, infrastructure providers, blockchain networks, validators, bridges, protocols, smart contracts, wallets, analytics providers, payment providers, communication providers, or other third-party services.

Vaultody does not control and is not responsible for the security, availability, performance, functionality, or operation of third-party systems or blockchain networks.

Client's use of third-party systems is subject to the terms, policies, risks, and security practices of those third parties.

22. No Absolute Security Guarantee

Vaultody uses commercially reasonable security measures designed to protect the Services and Provider-controlled systems.

However, no system, software, infrastructure, network, blockchain, protocol, method of transmission, or security control can be guaranteed to be completely secure, uninterrupted, error-free, or immune from unauthorized access, vulnerabilities, attacks, or security incidents.

This Policy does not guarantee complete security and does not create any warranty, service level agreement, uptime commitment, recovery commitment, or service credit obligation.

23. Changes to This Policy

Vaultody may update this Policy from time to time.

Updated versions will be published on the website and will become effective on the date specified in the updated version.

Vaultody will use commercially reasonable efforts to provide advance notice of material changes where appropriate.

Continued access to or use of the Services after the effective date of an updated Policy constitutes acknowledgement of the updated Policy.

24. Contact Information

Questions or security-related communications regarding this Policy may be directed to:

Vaultody Ltd.
Sofia, Studentski grad, Doctor Yordan Yosifov str., 1A
Republic of Bulgaria

Email: [email protected]

 

Vaultody

Vaultody is a trusted digital asset wallet infrastructure, enabling organizations to build and grow their blockchain businesses.


Certificate: SOC 2 Type 1 (Ongoing)

Certificate: ISO 27001 (Ongoing)

Vaultody LTD

“Doctor Yordan Yosifov” 1a, 3rd floor, 1700 Sofia, Bulgaria


Vaultody 2026 - All Rights Reserved