Security
The security of your users’ data and digital assets is our top priority at Privy. We secure over 50 million users’ wallets and have facilitated billions of dollars in transaction value through our secure, flexible infrastructure.
Privy wallets are non-custodial and have a fully programmable control model. Privy’s flexible configuration enables the full spectrum from user-custodial wallets to powerful service-level controls.
Our security approach
At Privy, we’ve built our security foundation on unwavering principles. Our systems are non-custodial by design, ensuring that only authorized users can access their keys through sophisticated key splitting and secure execution environments. We implement defense in depth, with multiple independent security boundaries protecting your users’ assets—from cryptographic guarantees to hardware-level isolation.
We believe security requires constant vigilance. We maintain continuous validation through regular third-party audits, an active bug bounty program, and 24/7 security monitoring to ensure our systems remain secure as threats evolve.
Core architecture
The strength of Privy’s security comes from our battle-tested approach to protecting sensitive operations and data:
Key sharding and cryptography
We use robust, scalable cryptographic techniques to shard private keys, ensuring they are never stored in complete form and can only be accessed by authorized parties.
Secure execution environments
Every sensitive operation in our system takes place within strictly isolated environments:
- Client-side operations execute on user devices in browser-enforced iframes, which provide the same security boundaries that protect the most sensitive online applications, including identity and banking.
- Server-side operations execute in Trusted Execution Environments (TEEs), also known as secure enclaves, offering deep system isolation guaranteed by the processor itself.
These environments ensure sensitive operations remain protected even if the surrounding system is compromised.
Security validation
We regularly validate our security through comprehensive assessments:
- Multiple independent security audits from firms including Cure53, Zellic, and Doyensec
- SOC2 Type I and Type II certified
- Active bug bounty program on HackerOne
- 24/7 incident response with rapid response SLAs
Our commitment to security extends to transparency—our cryptographic implementations are open-source and have undergone dedicated third-party audits, available on our GitHub repository.
Getting started
Our documentation will guide you through implementing Privy securely in your application. We recommend starting with our security checklist for a complete overview of security best practices, or diving into our architecture details to learn more about our security model.
Security researchers can learn more about our vulnerability disclosure program at privy.io/vulnerability-disclosure or reach out to [email protected].