At Hex Trust, we don’t take client trust for granted. This is why we place security at the forefront of all our operations, with full commitment to meeting rigorous standards for security and privacy.
These pillars of our robust security infrastructure offer a holistic and tailored solution to protecting your digital assets and personal data at all times.
Hex Trust strives to meet the strictest regulatory and compliance standards in every jurisdiction in which we operate. Here are some of the licenses and registrations that attest to our commitment:
Custody Services
Broker-Dealer Services
Management and Investment Services
In March 2022, Hex Trust successfully completed the SOC 2 Type I assessment, conducted by Deloitte.
This evaluation validated that our information security policies, procedures, and operational practices met the stringent criteria for security, availability, processing integrity, confidentiality, and privacy.
In December 2023, Hex Trust completed the SOC 2 Type II assessment, conducted by AssuranceLab.
This evaluation confirmed the ongoing effectiveness of our internal controls and reinforced our commitment to security-first operational practices.
In February 2023, Hex Trust completed both the SOC 1 Type I and Type II assessments, independently conducted by Deloitte. The Type I assessment verified the design of our internal controls, while the Type II audit validated the effectiveness of those controls in practice.
These attestations demonstrate our adherence to high standards in customer financial reporting, asset segregation, and fiduciary responsibility.
In December 2023, Hex Trust achieved the CSA STAR Level 2 Certification, recognizing our commitment to advanced cloud security practices and officially designating us as a Trusted Cloud Provider.
This certification reflects our adherence to rigorous security and privacy standards for cloud services.
Hex Trust is also a corporate member of the Cloud Security Alliance, joining a global network of organizations dedicated to building and maintaining a trusted cloud ecosystem through shared knowledge, best practices, and collaboration.
The CSA STAR Registry is a publicly accessible database that documents the security and privacy controls implemented by cloud service providers.
Established in 2013 by the Cloud Security Alliance, the STAR Registry promotes transparency, continuous improvement, and accountability in cloud security. It is built on the principles outlined in the Cloud Controls Matrix (CCM), which maps leading industry standards and regulatory frameworks.
By publishing to the STAR Registry, Hex Trust demonstrates its security posture and compliance with global standards - providing current and prospective clients with clear, independently validated assurance of our cloud governance and risk management practices.
Security is embedded in every layer of our operations.
At Hex Trust, we adopt a security-first mindset across all processes to proactively mitigate risks and protect against a wide range of cyber threats.
Hex Trust is also committed to:
To ensure the resilience of our security architecture, Hex Trust undergoes ongoing penetration testing conducted by Deloitte, a CREST-accredited cybersecurity firm.
These assessments validate our systems against current threat landscapes and help close any potential security gaps.
Security is integral to our product development process. Our DevSecOps approach ensures that security considerations are embedded throughout the software development lifecycle. We work with trusted partners to enforce a robust, holistic Secure SDLC, protecting the Hex Trust platform against vulnerabilities every step of the way.
Our proprietary bank-grade platform is built on a secure, enterprise-grade infrastructure that includes FIPS 140-3 Level 3 hardware security modules, isolated execution environments, and strict access controls. This architecture ensures data confidentiality, integrity, and compliance with regulatory standards.
Sensitive data - such as account profiles, transaction approval rules, AML ratings, KYC documentation, compliance records, and statement data - is protected through enforced controls on external and privileged user access.
Hex Trust's platform provides institutions with the highest levels of security and privacy, designed specifically to meet the rigorous demands of digital asset custody and compliance.
LinuxONE is a hardware platform that is optimized to run the Linux operating system and leverages its architecture to provide unique value. It can be used in both private and multi-cloud environments for various workloads and use cases.
On LinuxONE, security is built into the hardware and software.
The Federal Information Processing Standard (FIPS) Publication 140-3 is a U.S. government standard that defines security requirements for cryptographic modules used in IT systems.
Hex Trust uses FIPS 140-3 Level 3 validated cryptographic modules, which meet stringent security standards suitable for highly regulated industries. Level 3 provides robust physical and logical protections, including:
While not as extreme as Level 4 - which is reserved for highly specialized environments - Level 3 offers strong assurance against both logical attacks and physical intrusion, making it the de facto standard for secure infrastructure in financial services, government, and enterprise-grade solutions.
All of Hex Trust’s applications are primarily hosted on Amazon Web Services (AWS) and Google Cloud Platform (GCP), giving our products and services the benefits these providers offer their clients, such as physical, software, and operational security, flexibility, reliability, and scalability.
We choose the AWS & GCP Cloud infrastructure for their robust controls in maintaining security and compliance of the cloud. AWS adopts strict IT standards which are broken out by Certifications & Attestations; Laws, Regulations & Privacy; and Alignments and Frameworks.
Through a strategic partnership with Chainalysis, Hex Trust adopts Chainalysis KYT (Know Your Transaction) and Chainalysis Reactor.
These integrations provide an additional layer of robust compliance features to Hex Safe, our institutional custody platform, giving our clients further peace of mind for all their digital asset transactions.
At Hex Trust, we implement a comprehensive suite of security practices designed to protect digital assets at every level. Below are the key pillars of our security framework:
A process of converting readable data into encoded data, which can only be read or processed after decryption.
Encryption ensures a system’s sensitive information such as client data or cryptographic keys cannot be stolen or read by potential malicious actors.
Posture and technologies designed to safeguard and govern the cloud environment to address internal and external threats.
Organizations are increasingly turning to cloud-native environments for improved organizational flexibility, data security & stability/resiliency. However, this can bring about risks, including misconfiguration and cybercriminal activity, so extra caution should be taken in cloud security.
A physical computing hardware device that provides tamper-evident, intrusion-resistant safeguarding & management of cryptographic keys.
A Hardware Security Module provides the highest level of security for sensitive data like cryptographic keys or wallet private keys while meeting security standards/regulations, and flexibly adapts to organizations’ operations.
Chronologically captures & logs all events within a system including actions against assets, owners, user activity and more.
Security audit trails assist in detecting security violations, performance problems, compliance with regulatory requirements and more.
Development, Security, Operations – automates and embeds security requirements at every phase of the software development lifecycle (from initial design to integration, testing, deployment & delivery).
DevSecOps helps to lower technical debt and increases cloud and application security with faster software delivery.
Top Security Considerations for Digital Asset Organizations
We maintain our own team of risk management and security specialists, analyzing and assessing both internal and external risks to ensure that customer assets are protected with the commensurate level of security.
With the rise of security concerns in the digital asset space, here’s our CISO discussing the processes and tools that digital asset organizations can leverage to prevent DeFi breaches and attacks.
The 10 Foundational Principles of a Licensed Digital Asset Custodian