Validator Security & Controls
The validator is a high-value target. This is the technical security posture we apply on every managed-validator host — key management, slashing protection, sanctions screening, audit trail, and the on-call discipline behind it.
A note on certifications
We do not currently hold SOC 2 Type II or ISO 27001 certifications. We operate to controls consistent with those frameworks — encryption, least-privilege, audit logging, change management, separation of duties — and will publish a certification status here when it changes. The intent of this page is to describe the technical controls in place, not to claim a regulatory attestation we do not hold.
Buyers who need a hard certification today should treat that as a procurement gate and discuss the path forward with us directly. For most institutional buyers, the technical controls below are the substance of the question — the certificate is the wrapper around them.
Technical controls
Hardware-isolated key management
Validator identity and vote keys are generated and held in hardware-isolated environments. The validator binary has access; no other process does. Keys are not in cloud blob storage, not in container layers, not on shared filesystems. Rotation is operator-initiated and logged.
Slashing-protection-aware failover
Hot standby promotion checks the slashing-protection record before voting resumes. The cutover path refuses to let two nodes sign for the same slot range, and is engineered so that a misbehaving operator command cannot trip a slashable double-vote.
Least-privilege operator access
Named SSH keys to bastion hosts; per-operator audit log; no shared accounts; no casual root. Every command on a validator host is captured with operator identity and timestamp. Operators can subscribe to their validator's audit feed.
Encryption at rest and in transit
All operational data — ledger snapshots, monitoring telemetry, configuration, audit logs — is encrypted in transit (TLS 1.3) and at rest on managed hardware. Key material for encryption is rotated on a documented schedule.
OFAC SDN screening (optional)
For operators that require sanctions-aware infrastructure, OFAC SDN address screening can be applied at the validator transaction-processing layer. The screening list is sourced from the canonical OFAC publication and refreshed on each update.
Change management on every upgrade
Every config change, binary upgrade, identity rotation, and failover event is proposed, peer-reviewed, applied, and recorded. The audit trail is verifiable; we can produce the change history for any operator-impacting event on demand.
24/7 incident response
Named on-call rotation with paged response for SLA-impacting events. Triage → mitigation → post-mortem. Operators receive an incident report for any event that affects their validator's SLA, with a clear timeline and remediation.
Hardware isolation
Each managed validator runs on dedicated bare-metal hosts — no co-tenant workloads. The standby node runs on separate hardware in the same region. Validator hosts are not shared across operators.
Want the full security brief?
For institutional buyers running formal procurement, we can share the security brief, sample audit log, and incident-report format under NDA.
FAQ
Are you SOC 2 or ISO 27001 certified?
We operate to controls consistent with SOC 2 Type II and ISO 27001 expectations — encryption at rest and in transit, least-privilege access, full audit logging, change management, separation of duties — but we do not currently hold either certification. We will publish the certification status here when it changes. Treat this page as a description of technical controls, not a regulatory attestation.
Who has access to the validator host?
A small, named set of on-call engineers, authenticated via individual SSH keys to bastion hosts, with all sessions logged. No shared accounts. No casual root access. Every command run on a validator host is recorded.
How are identity and vote keys stored?
Identity and vote keys are generated and held in hardware-isolated environments. Access is tightly scoped — the validator binary needs them, no other process does. Keys are not in containers, not in cloud blob storage, and not on shared filesystems.
How do you prevent slashing during failover?
Slashing protection bookkeeping is persisted and checked on every promotion from standby to primary. The cutover path is engineered to never let two nodes sign for the same vote-slot range; the standby refuses to vote until the primary has been confirmed down and the slashing-protection record handed off.
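The failover rule described above (persisted bookkeeping, promotion only after the primary is confirmed down and its record handed off, and a refusal to sign any slot the other node may already have covered) as an added, self-contained example; this is illustrative code, not the provider's implementation, and the names SlashingRecord, Standby, run_scenario and the slot values are constructed for the example.

```python
import json, tempfile
from dataclasses import dataclass, asdict
from pathlib import Path
from typing import Optional

@dataclass
class SlashingRecord:
    """Persisted watermark: highest slot this vote identity has ever signed."""
    identity: str
    highest_signed_slot: int
    def save(self, path: Path) -> None:  # always written BEFORE a signature leaves
        path.write_text(json.dumps(asdict(self)))
    @classmethod
    def load(cls, path: Path) -> "SlashingRecord":
        return cls(**json.loads(path.read_text()))

class Standby:  # hot standby holding the same vote identity as the primary
    def __init__(self, record: SlashingRecord, store: Path):
        self.record, self.store, self.voting_enabled = record, store, False
    def promote(self, primary_confirmed_down: bool, handed_off: Optional[SlashingRecord]) -> bool:
        # Cutover check: primary confirmed down AND its record handed off for this identity;
        # adopt the higher watermark so the two nodes can never sign the same slot range.
        if (not primary_confirmed_down or handed_off is None
                or handed_off.identity != self.record.identity):
            return False
        self.record.highest_signed_slot = max(self.record.highest_signed_slot,
                                              handed_off.highest_signed_slot)
        self.record.save(self.store)
        self.voting_enabled = True
        return True
    def sign_vote(self, slot: int) -> bool:
        # Sign only strictly above the watermark, and persist before signing.
        if not self.voting_enabled or slot <= self.record.highest_signed_slot:
            return False
        self.record.highest_signed_slot = slot
        self.record.save(self.store)
        return True

def run_scenario() -> dict:
    """Constructed failover: primary signed up to slot 1000, standby lags at 980."""
    with tempfile.TemporaryDirectory() as d:
        primary_store, standby_store = Path(d, "primary.json"), Path(d, "standby.json")
        SlashingRecord("vote-key-A", 1000).save(primary_store)
        standby = Standby(SlashingRecord("vote-key-A", 980), standby_store)
        return {
            "promote_primary_alive": standby.promote(False, SlashingRecord.load(primary_store)),
            "promote_no_handoff": standby.promote(True, None),
            "promote_ok": standby.promote(True, SlashingRecord.load(primary_store)),
            "sign_1000": standby.sign_vote(1000),  # already covered by the primary -> refused
            "sign_1001": standby.sign_vote(1001),
            "persisted": SlashingRecord.load(standby_store).highest_signed_slot,
        }
```

The watermark is written to disk before each signature, so a crash mid-vote can only cost a vote, never produce a second signature for a slot already signed.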
What is your OFAC SDN screening policy?
OFAC SDN screening is available as an optional layer at the validator's transaction-processing path for operators that require sanctions-aware infrastructure. The screening is applied before transactions are included in produced blocks. We do not impose this screening by default — it is an opt-in operator policy.
What does the audit trail capture?
Every config change, binary upgrade, identity rotation, failover event, and operator command on a validator host is logged with operator identity, timestamp, and full context. Operators can subscribe to the audit feed for their validator and consume it in their own SIEM.
How are upgrades handled safely?
Client upgrades are tested on the standby node first, then promoted via the slashing-protection-aware cutover. Config and binary changes follow a change-management workflow — proposed, peer-reviewed, applied, recorded. No after-hours cowboy upgrades.
What is your incident response process?
24/7 on-call rotation with paged response for SLA-impacting events. Incidents are triaged, mitigated, and post-mortemed. Operators receive an incident report for events that affect their validator's SLA.