Regulated Design
How a Zafeguard custody whitelabel maps to the controls regulators expect — threshold MPC, documented approval flows, segregation of duties, audit emission across SDK + workflow execution + cluster audit logs, key sovereignty via self-hosted clusters, and right-to-revoke.
Regulated Design
A custody product lives inside a compliance framework. SOC 2, ISO 27001, regional licensing regimes (NYDFS BitLicense, MAS Payment Services Act, FCA crypto-asset registrations, EU MiCA) all impose the same broad shape of control: no single party can move funds unilaterally; approvals are documented and reviewable; operational duties are segregated; the audit trail is complete and tamper-evident; the regulator can examine and revoke when needed.
Building those controls from scratch on top of single-key wallets is months of custom engineering. Building them on Zafeguard's MPC primitives plus the workflow canvas gives you platform features that already implement most of the controls, and an audit surface that maps cleanly to what your auditor expects to see.
This page maps the platform's actual features to the controls regulators ask for. Where a control needs a feature the platform does not yet ship as an API, the page says so.
The five controls regulators ask for
Most custody compliance frameworks, stripped to essentials, ask for:
- No single party can move funds. Including you, including any single employee, including any single piece of infrastructure.
- Every fund-moving operation has a documented approval flow. Who approved, when, against what policy.
- Operational duties are segregated. The person who approves does not also sign. The person who configures policy does not also approve operations.
- The audit trail is complete and tamper-evident. Every operation, every approval, every policy evaluation is captured and verifiable.
- Sovereignty can be demonstrated. Where required, key material does not leave defined jurisdictional or organisational perimeters.
Control 1 — No single party can move funds
The cryptographic guarantee comes from threshold MPC. Every key is provisioned with m-of-n shares; no single party holds enough material to sign. This is enforced by the mathematics of the threshold protocol — not by access control on top.
| Wallet tier | Threshold shape | What it provides |
|---|---|---|
| Hot wallet | 2-of-3 or 3-of-4 across cluster nodes | Operational availability with cryptographic protection against single-party compromise. |
| Cold wallet | 4-of-5 across cohort + air-gapped device | Multi-party physical and cryptographic protection. Quorum of officers required for every signature. |
The property is built into the cryptographic protocol, not bolted on as a software access-control layer. Two architectural guarantees of the SDK back this up:
- Each signing node only ever sees its own share plus cryptographically-sealed envelopes from peers. The full private key never exists anywhere — every party's share is one Lagrange-evaluation of a polynomial that no one can reconstruct without
threshold-many shares. - The cluster never assembles a finalised signature. Signing ceremonies on the cluster produce partial signatures only; assembly happens off-line in the consuming SDK via
Scheme.finalizeSignature.
The cluster cannot sign on behalf of a user even if compromised — it can only produce partial signatures that the integrator combines off-line. A compromised platform operator cannot drain funds; a compromised cluster node cannot drain funds; only threshold-many parties cooperating can produce a valid signature.
Combining built-in and self-hosted parties strengthens this control. A cohort with two built-in nodes and one self-hosted node requires both your infrastructure and the platform's infrastructure to participate.
→ Hot Wallet → Cluster topology → Cold Wallet → Topology → MPC Agent → How it works → What the agent never does
Control 2 — Documented approval flow
Every signing operation runs inside a workflow. The workflow is a graph of typed components — policy checks, approval gates, operator authentication, time locks — that the platform executes faithfully and logs every step in full.
The execution log captures:
- Trigger. Who or what initiated (your application, an operator, a schedule, a webhook).
- Input. The full request payload, including destination, amount, asset, requesting operator's identity.
- Stage-by-stage execution. Every component that ran, its outcome (approved, rejected), its duration, its message.
- Signing event. The signing component's invocation against the MPC cluster, including the ceremony
sessionId. - Submission and confirmation. The chain broadcast, the transaction hash, the block of confirmation.
The structure of the log IS the documentation of the approval flow. An auditor asking "show me the approval flow for cold-tier withdrawals above $1M" gets a workflow definition; asking "show me an executed flow" gets a full execution log with operator identities, policy outcomes, and on-chain settlement.
Workflow versions are tracked; an execution log for any historical transaction references the version that ran. Reconstructing the policy in force at any point in time is straightforward.
→ Hot Wallet → Policy enforcement → Cold Wallet → Multi-party approval flow
Control 3 — Segregation of duties
Segregation of duties is structural — it sits in the way you define roles, workflow access, and approval pools at the workspace level. The platform supports the structure; you implement the role definitions for your operating model.
The standard segregation pattern for a custody operation:
| Role | Can do | Cannot do |
|---|---|---|
| Treasury operator | Open hot-tier signing requests, propose cold-tier transactions. | Approve their own requests. Configure policy. Sign in the vault. |
| Approval officer | Approve cold-tier transactions in their assigned pool. | Open requests. Sign in the vault (in most operating models). Configure policy. |
| Policy administrator | Configure workflow stages, policy parameters, approval pools. | Approve transactions. Sign in the vault. |
| Vault operator | Operate the cold device during ceremonies and offline signing. | Open requests. Approve transactions. Configure policy. |
| Auditor | Read every workflow, every execution log, every policy version. | Modify anything. |
The workspace role and access surface lets you enforce these structurally — a treasury operator's workflow access is read-only on policy workflows and write on payout-request workflows. Conflict-of-interest detection (the requester cannot also be the approver) is a property your workflow's approval-collection component should check at execution time.
The platform-side primitives the canvas exposes for this:
- Workflow access rules. Restrict which roles can trigger or edit which workflows.
- Component-level approver lists. A "collect-approvals" component takes a
pooland aquorum— when the requester's identity is in the pool, the component rejects the approval for that operator.
Control 4 — Complete and tamper-evident audit
The audit trail spans three layers, each with its own surface:
Workflow execution log — captures every component execution in every workflow run, with timestamps, outcomes, and signed payloads.
Stream over SSE for live UI feedback or for SIEM ingestion:
GET /v1/sdk/workflows/executions/:runId/stream
Cluster ceremony audit log — captures every MPC ceremony event the cluster ran (envelope sealing failures, peer disconnects, license refusals, threshold convergence). Queryable per node:
const logs = await agent.sessions.auditLogs({
sessionId,
failuresOnly: false,
limit: 1000,
});Chain confirmation — the on-chain transaction hash and block. Independently verifiable; binds the cluster ceremony output to externally observable evidence.
Together these mean: an auditor cannot be told "we ran this workflow" without being able to verify the run. The ceremony's sessionId ties the workflow log to the cluster log; the workflow log's signed payload ties to the chain confirmation. Tampering with one breaks the chain.
Streaming to your SIEM
The standard production pattern: a worker in your environment subscribes to the workflow execution stream and forwards events to your SIEM target (Splunk, Elastic, Datadog). The cluster audit logs are polled per-node into the same SIEM. Events are replayable from the workflow execution endpoint so SIEM outages do not lose audit data.
The platform does not ship a workspace.observability.subscribe(...) SDK call today. The integration is done via the existing SSE workflow stream and the agent.sessions.auditLogs(...) cluster query.
Control 5 — Sovereignty
Some jurisdictions require key material to not leave a defined perimeter. Some clients require the same. The platform supports two patterns:
Mixed deployment
One or more cohort agents run in your self-hosted environment; the rest run on the platform's built-in infrastructure. The cryptographic guarantee — threshold required to sign — extends across the deployment. Sovereignty for the self-hosted agent is yours; sovereignty for the built-in ones is jointly enforced by the threshold property.
Fully self-hosted
Every agent runs in your environment. The platform provides the SDK, the workflow canvas, the audit emission, and the management surface — but no share leaves your perimeter. The workflows that orchestrate signing can also be hosted in your environment for end-to-end sovereignty.
The same SDK, the same workflows, the same operational shape; only the deployment topology differs.
→ See MPC Agent → Deployment for the cluster setup.
Right-to-revoke
Regulated custody products need the ability to revoke an operator's access, retire a compromised key, or wind down a client relationship. The platform supports each:
Operator revocation
Removing an operator's signing or approval rights is a workspace role change. After revocation:
- The operator cannot authenticate to the cohort agents.
- Pending workflows requiring their approval mark them as unavailable; quorum is recomputed against the remaining pool.
- Historical signing events the operator participated in remain in the audit log — revocation does not retroactively void past operations.
Key retirement
Retiring a compromised or end-of-life key is a controlled move-funds-out operation:
- Provision a successor key with the same topology and policy (DKG ceremony via
agent.sessions.createKeyShare(...)). - Build a transfer workflow that drains the old key's balances to the successor.
- Optionally delete the old key share from the cluster via
agent.keyShares.delete(id)after a documented retention period — though most operations keep the share inert in storage so historical audit can re-verify past signatures against the retired key.
Client wind-down
For custody-as-a-service operators with multiple clients, ending a client relationship is the same key-retirement pattern scoped to that client's keys, plus archival of the relevant workflows. The audit trail for the wound-down client is exportable to your records and to the client's records before any platform-side cleanup.
Mapping table (for your compliance team's reference)
| Regulatory expectation | Platform feature | Where to read |
|---|---|---|
| No single party holds keys | Threshold MPC, configurable per-key shape | Hot Wallet, Cold Wallet |
| Cluster cannot reassemble keys | Architectural rule (no cluster-side signature assembly) | MPC Agent → How it works |
| Documented approval flow | Workflow canvas, execution log, versioned policy | Hot Wallet → Policy enforcement |
| Multi-party signing approval | Cold-tier quorum approval workflow | Cold Wallet → Multi-party approval flow |
| Segregation of duties | Workspace roles + workflow access + approval-pool conflict checks | This page, control 3 |
| Workflow execution audit | SSE stream of every component execution | This page, control 4 |
| Cluster ceremony audit | agent.sessions.auditLogs(...) per node | This page, control 4 |
| On-chain settlement audit | Standard chain confirmation; broadcast component returns the txid | Workflow execution log |
| Right-to-revoke | Workspace role change + key retirement workflow + agent.keyShares.delete | This page, right-to-revoke |
| Key sovereignty | Mixed and fully self-hosted MPC cluster deployment | This page, control 5 |
| Disaster recovery | Multi-party cold recovery via ClusterAgent.exportRecoveryBundle + RecoveryBundle.recover | Cold Wallet → Lost-device recovery |
What the platform does not give you
The platform does not write your compliance policy. It does not decide:
- What the threshold should be for any given key.
- Who counts as an authorised operator, an approval officer, or an executive guardian.
- What velocity limits, denylists, or jurisdictional restrictions to apply.
- How to design the approval pool for cold-tier operations.
- How long the time-lock window should be.
- Which jurisdiction's audit requirements take precedence.
These are policy decisions your compliance program designs. The platform gives you the primitives — MPC keys with configurable thresholds, workflow components for every policy check you can describe, a workflow canvas to compose policy in, a structured audit surface across the SDK and cluster — and faithfully executes the policy you specify.
The split is important. A platform that made policy decisions for you would not be defensible in a regulator's review. A platform that executes the policy you wrote, with full evidence of every execution, is what an auditor wants to see.
Next
- Dynamic Configuration — multi-tenant patterns, per-client policy, runtime policy reconfiguration.
- Hot Wallet — the 24/7 tier's mechanics in detail.
- Cold Wallet — the air-gapped tier's mechanics in detail.
- MPC Agent reference — every cluster-side option.
Cold Wallet
Device-side EmbeddedAgent with a locally-stored presignature pool. The cold host generates its own share during DKG, holds it in HSM-backed storage, and signs against the cohort with a single short round-trip per call by consuming pre-minted presignatures. Refill is an explicit, witnessed event.
Dynamic Configuration
Runtime configuration for a custody whitelabel — how multi-tenant policy lives in your application + the workflow canvas, how SDK constructors handle per-tenant cohort shape, and chain support extension.