Exploring Digital Asset Custody: Key Questions Answered by Zand

20th May 2025
In the rapidly evolving world of digital finance, understanding how digital asset custody works is crucial for corporates, institutions, and wealth clients alike. At Zand, we prioritize transparency and security in our custody solutions, leveraging cutting-edge technology to safeguard your assets. Here, we address some of the most common questions about our digital asset custody services:
1. How does Zand’s FIPS 140-3 compliant HSM manage key storage, encryption, and destruction after use?
Zand employs FIPS 140-3 compliant Hardware Security Modules (HSMs) to ensure the highest standards of security for key management. Our master seeds are generated through a secure key ceremony, witnessed by PwC, and stored within HSMs. This process minimizes exposure risks. We use Transport Layer Security (TLS) and JSON Web Token (JWT) for data protection, with hardware-based signing and operator authentication. Private keys are stateless, generated within HSMs for transaction signing, and destroyed immediately after use. Zand has the ability to initiate key re-generation, update access policies, and issue revocation certificates, ensuring secure destruction.
2. How does Zand implement TSS and multi-signature mechanisms for transaction approvals?
Zand uses a Threshold Signature Scheme (TSS) to manage secret keys transiently within HSMs. Governance rules, managed by Superadmins, are cryptographically linked during the key ceremony. Our m-of-n approval quorum is secured by hardware and software measures, with transaction approval rights managed by separate teams to decentralize risk. Zand’s risk-based approach requires approvals from multiple authorized parties, ensuring no single point of failure. At Zand Vault, all transactions require manual human approval, adding layers of oversight and security.
3. How does Zand Vault ensure secure key signing while keeping HSM connectivity restricted?
HSM connectivity at Zand is enabled only when necessary for signing, with Transmission Control Protocol (TCP) connectivity tightly managed. Firewalls restrict connectivity, overseen by segregated teams. During transaction signing, only whitelisted IPs can communicate with the HSM, reinforcing secure operations and limiting unauthorized access.
4. How does Zand ensure wallet segregation and data privacy in its multi-tenant custody mode?
Zand provides dedicated wallet addresses per blockchain for each client, ensuring transparency and accuracy of balances. Our Data Governance, Protection & Privacy Policy enforces strict data privacy standards, covering data collection, storage, processing, and disposal protocols.
5. What are the scaling capabilities of Zand’s custody infrastructure, and how does it address future security challenges?
Zand's custody infrastructure is designed for scalability, with hot wallet solutions and API services in development to enhance access and transfer speeds. We employ multi-signature and TSS for transaction approvals, hardware-based security, and extensive logging for accountability. Regular architecture reviews and external penetration testing help us meet future security challenges.
At Zand, we are committed to providing secure, innovative, and reliable digital asset custody solutions, empowering our clients to navigate the digital economy with confidence.