Enterprise-ready custody & security of digital currency

Built for regulated financial institutions, Circle is a leader in providing secure custody of digital assets, specializing in digital dollar stablecoin infrastructure.
Circle has a robust insurance program in place covering theft and loss of digital assets resulting from both external breaches and employee fraud. The program is underwritten by A-rated insurers and brokered by Marsh’s Digital Asset Risk Transfer (DART) team.

Cold storage

Our cold storage operations protect the majority of customer digital currency deposits as well as the privileged role keys for USDC by storing them offline in geographically distributed vaults. Strong segregation of duty controls ensure that no single person can independently complete a transaction with these keys.
 
Circle operates a robust set of liquidity management processes to ensure that assets in cold storage can be brought online with rapid turn-around, always providing seamless liquidity for hot wallet USDC infrastructure.

Hot wallet security

Circle operates a proprietary, hardened hot wallet and key management solution that protects online assets from the attacks commonly used to target digital asset wallets.

Digital asset theft insurance coverage

Circle’s digital currency custody and storage is insured with one of the broadest digital asset theft insurance programs, a market the company helped to pioneer in 2014 with Marsh and a leading syndicate of A-rated insurance underwriters. Circle maintains $150M in insurance covering theft and loss associated with breaches of Circle’s cold storage and hot wallets, including theft from employee fraud.

Risk & liquidity management controls

Circle undergoes regular comprehensive financial and security audits. Full custody is audited by a leading global accounting firm, Grant Thornton. Our platform manages USDC minting limits, tokenization to USDC and redemption back to USD.

Our risk, liquidity and compliance services and controls also include detailed analytical tools to assist our risk and compliance operations analysts in ongoing AML and risk monitoring.

Custody & security embedded into our platform services

Circle Business Accounts and platform APIs provide customers with custody and security solutions embedded into all wallet infrastructure at no additional cost.

Security

Circle’s information security program is based on industry-standard security controls consistent with standards such as the NIST Cybersecurity Framework and ISO 27002. Circle’s security controls are documented in detailed security policies which inform procedures across the organization, including procedures for technology management, customer information handling, software development, privacy, and many more. The security program’s key controls include periodic risk assessments; standard network and system security controls such as firewalls, intrusion detection, system hardening, and antivirus; the integration of security best practices into our DevOps and CI/CD pipeline workflows; vulnerability management integrated into the CI/CD pipeline; mature identity and access management; strong cryptography; and incident response capabilities. The security program is further supported by management control testing including but not limited to peer code reviews, access control reviews, firewall reviews, network and application penetration testing, and vulnerability testing.

Overall control design and operating effectiveness is assured via numerous audits and assessments annually. Within the past year, Circle has conducted an IT Controls Audit, a SOC 1 Type II audit, a PCI Assessment, multiple third-party penetration tests, and had its IT general controls tested as part of its annual financial audit. Regulatory exams associated with our money transmitter licenses also frequently test these same controls. Circle is PCI Certified.
 
Finally, business continuity management, vendor risk management, and privacy controls round out Circle’s technology risk management posture. These risk management disciplines are fully integrated at Circle: secure information handling and privacy law requirements equally inform how our staff handle data and interact with customers; a vendor risk management program extends security, compliance, privacy, and business continuity requirements to the third parties upon which our business relies; and incident response capabilities equally address operational, security, privacy, compliance, business continuity, and pandemic events.
We maintain a money transmission license (or the statutory equivalent) in various U.S. states and territories, as well as a virtual currency license in the State of New York, and are therefore subject to the requirements of such statutes. We are not a trust company nor do we maintain a trust company charter in any U.S. state or territory. Accordingly, any regulated services we provide to users located in the United States are characterized as money transmission and/or virtual currency business activity, and not as trust services. Additionally, for the avoidance of doubt, Circle is not a fiduciary, and Circle does not provide any trust or fiduciary services to any user in the course of such user visiting, accessing, or using the Circle website or services. Any reference to custody services in any User Agreement refers only to our custody of digital assets on a user’s behalf pursuant to the authority granted under our money transmission and/or virtual currency licenses. Circle is not (i) a Qualified Custodian pursuant to 17 C.F.R. § 275.206(4)-2 or (ii) a “digital custodian” as such term is defined by the Nevada Financial Institutions Division.