Our cold storage operations help protect customer digital currency deposits as well as the privileged role keys for USDC by storing them offline in geographically distributed vaults. Strong segregation of duty controls ensure that no single person can independently complete a transaction with these keys.
Circle operates a robust set of liquidity management processes to ensure that assets in cold storage can be brought online with rapid turnaround, always providing seamless liquidity for hot wallet USDC infrastructure.
Circle undergoes regular comprehensive financial and security audits. Full custody is audited by a leading global accounting firm, Grant Thornton. Our platform manages USDC minting limits, tokenization to USDC and redemption back to USD.
Our risk, liquidity and compliance services and controls also include detailed analytical tools to assist our risk and compliance operations analysts in ongoing AML and risk monitoring.
Circle’s information security program is based on industry-standard security controls consistent with standards such as the NIST Cybersecurity Framework and ISO 27002. Circle’s security controls are documented in detailed security policies, which inform procedures across the organization, including procedures for technology management, customer information handling, software development, privacy, and many more. The security program’s key controls include periodic risk assessments; standard network and system security controls such as firewalls, intrusion detection, system hardening, and antivirus; the integration of security best practices into our DevOps and CI/CD pipeline workflows; vulnerability management integrated into the CI/CD pipeline; mature identity and access management; strong cryptography; and incident response capabilities. The security program is further supported by management control testing, including but not limited to peer code reviews, access control reviews, firewall reviews, network and application penetration testing, and vulnerability testing.
Overall control design and operating effectiveness are assured via numerous audits and assessments annually. Within the past year, Circle has conducted an IT Controls Audit, a SOC 1 Type II audit, a PCI Assessment, and multiple third-party penetration tests, and had its IT general controls tested as part of its annual financial audit. Regulatory exams associated with our money transmitter licenses also frequently test these same controls. Circle is PCI Certified.
Finally, business continuity management, vendor risk management, and privacy controls round out Circle’s technology risk management posture. These risk management disciplines are fully integrated at Circle: secure information handling and privacy law requirements equally inform how our staff handle data and interact with customers; a vendor risk management program extends security, compliance, privacy, and business continuity requirements to the third parties upon which our business relies; and incident response capabilities equally address operational, security, privacy, compliance, business continuity, and pandemic events.