Understanding privacy and security at Unchained

Our privacy practices ensure we collect the minimum information necessary

Unchained is a financial institution as defined by the Bank Secrecy Act (BSA). As a financial institution, we are required to follow Anti-Money Laundering (AML) and Know Your Customer (KYC) practices. To comply, we must collect and verify sufficient information to form a reasonable belief that we know the true identity of the customer.

We take a risk-adjusted approach to each of our products to ensure that we collect the minimum information necessary as determined by our legal and regulatory advisors. We will continue to do so as we expand our suite of financial services. We take your privacy seriously; read our privacy policy to learn more about what we collect and how we use it.

Our security practices ensure that we are your most trusted financial services partner

Our systems use unique per-customer, multisignature P2SH addresses. With vaults and multi-institution loans, these addresses are partially derived using a customer’s extended public keys. We never have access to user private keys, ever. All Unchained keys use hierarchical deterministic (HD) wallets that are cold-stored on hardware devices, including offline air-gapped machines. We use well-tested, industry-standard, open-source software to author and audit transactions.
We maintain an internal security policy and ensure that it includes personnel training. We store our hardware devices in geographically separated, physically secure locations that require identity verification for access. We store wallet seeds in physically secure locations separate from the wallets they restore. We never store devices or seeds at Unchained corporate offices.
We employ high-level security throughout our IT infrastructure in accordance with PCI-compliance standards. We operate within a secure, private, firewalled network. We encrypt all data to, from and within our environment (in motion and at rest) using industry-standard AES-256 encryption. We require two-factor authentication (2FA) to access all sensitive resources. Our centralized identity management infrastructure uniquely identifies employees. All access to systems is limited, minimal, and controlled by this infrastructure. We aggressively monitor all traffic to, from and within our environment, and we retain access, system, and application logs indefinitely (with user/system/employee identifiers).
We help our customers achieve a higher degree of security by offering a cosigning service. If requested by customers, we will verify both the identity and intent of a customer transaction prior to cosigning. A customer has the option to record a video verification of their identity that Unchained uses to validate transaction signing requests and 2FA resets. This opt-in feature is only active if requested and includes the option to set transaction amount thresholds for active identity and intent verification. This service helps high-net-worth customers enhance the operational security of high-value transactions.
In case of unforeseen disasters and equipment failures, we maintain and regularly review business continuity and disaster recovery procedures. Bitcoin secured using the Unchained platform can always be accessed directly through the bitcoin network using open-source software, even in the event of Unchained system downtime, as long as the client retains control over a minimum of two keys and their multisig config file.