Pre-Launch · Filing seed · Series A — Q4 2026

Wavestar Technology · Security posture

Default to paranoid. Document every control.

Wavestar settles real operator funds and real orbital rights. Security failures are not bugs here — they are incidents. The posture below is what we operate today, not a roadmap. Where a control is in flight rather than live, the status column says so.
SOC 2 Type II
In flight · Q3 2026
ISO 27001
In flight · Q4 2026
Key store
HSM · FIPS 140-2 L3
Disclosure
security@wavestar.space

Certifications and audits

External validation, on a disclosed schedule.

We certify against recognised frameworks and publish the schedule so counterparties can plan onboarding against a known cadence. Interim attestations are issued monthly.
SOC 2 Type II
Audit underway · report due Q3 2026

Auditor: A&M Prescient Assurance. Scope: all production services across all three regions. Interim letter of engagement available under NDA.

ISO 27001:2022
Gap analysis complete · certification Q4 2026

ISMS established; Stage 1 audit scheduled for September 2026.

PCI-DSS
Not applicable by design

We never touch raw card data. Cash legs settle via USDC, Fedwire, or SWIFT. Stripe handles the small-dollar onboarding card flow out-of-band.

Penetration testing
Quarterly · third-party

Trail of Bits (crypto + clearing core), NCC Group (web + API), Leviathan (infra). Findings triaged within 72h of receipt.

Cryptographic review
Annual · NCC Group Cryptography Services

Covers BLS aggregation, COSE envelope formats, canonicalisation (RFC 8785), key-continuity proofs.

SSAE-18 SOC 1
Planned · post-SOC 2 Type II

Targeted at CCP counterparties with ICFR reporting obligations.

Key management

HSM-backed, rotated on a schedule, continuity-proved.

No key material ever lives on disk in development, in a container image, or in an environment variable. Operational keys are generated and used inside HSMs; application keys are generated inside the cloud provider’s KMS.
  • K1

    HSM-resident root keys

    The Trillian log signing key, the Wavestar ORCH CCP signing key, and each observer’s BLS signing key live exclusively in FIPS 140-2 Level 3 HSMs (Thales Luna for on-prem; AWS CloudHSM for regional). No private-key byte ever leaves the device.
  • K2

    90-day rotation

    Every cryptographic key has a documented rotation schedule, default 90 days. Rotation produces a key-continuity proof: the new key is signed by the prior key; the chain is itself logged. Resolvers refuse any DID document signed by an unrotated-past-grace key.
  • K3

    Revocation within 15 minutes

    Suspected compromise triggers a documented runbook: revoke in the registry, rotate the HSM slot, publish the new key, broadcast invalidation. 15-minute target across the three regions; tested quarterly in unannounced drills.
  • K4

    Key-continuity proof chain

    Every rotation is a signed event: E(new_pubkey, old_signature_over_new_pubkey, timestamp). The chain is append-only in the Trillian log. A client can walk from today’s key back to the genesis key for any module without asking Wavestar.
  • K5

    Separation of concerns

    Operational keys (API auth) are distinct from settlement keys (CCP signing) which are distinct from attestation keys (observer BLS). Different HSM slots, different access policies, different rotation cadences.
  • K6

    Post-quantum readiness

    Dilithium3 signing paths are wired throughout the stack behind feature flags. We ship PQ signatures as a secondary proof on settlement envelopes starting 2027; primary switchover is targeted for 2028 once NIST FIPS 204 is production-grade.
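As an added example (not Wavestar's code), the K2/K4 rotation-and-continuity chain in runnable TypeScript: each rotation event carries the new public key, the previous key's signature over it, and a timestamp, and a client walks the chain from the head back to genesis without trusting whoever serves the log. Node's built-in Ed25519 stands in for the HSM-resident keys; the `signable` field layout, the 7-day grace window, and the `keyAcceptable` resolver rule are assumptions, not the page's specification.

```typescript
// Added example: key-continuity chain (Ed25519 via node:crypto stands in for HSM keys).
import * as crypto from "node:crypto";

interface RotationEvent {
  seq: number;
  newPubkey: string;      // SPKI DER, hex
  prevSignature: string;  // previous key's signature over (seq, newPubkey, ts); "" for genesis
  ts: number;             // unix seconds
}

const ROTATION_DAYS = 90;
const GRACE_DAYS = 7;   // assumption: grace window after the scheduled rotation

// Bytes that each rotation event commits to (fixed field order, so there is one encoding).
function signable(seq: number, newPubkey: string, ts: number): Buffer {
  return Buffer.from(`${seq}|${newPubkey}|${ts}`, "utf8");
}

function pubHex(key: crypto.KeyObject): string {
  return (key.export({ type: "spki", format: "der" }) as Buffer).toString("hex");
}

class KeyChain {
  readonly events: RotationEvent[] = [];
  private current: crypto.KeyObject;   // stands in for the active HSM slot

  constructor(genesisTs: number) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
    this.current = privateKey;
    this.events.push({ seq: 0, newPubkey: pubHex(publicKey), prevSignature: "", ts: genesisTs });
  }

  // Rotate: the OLD private key signs the NEW public key, then is retired.
  rotate(ts: number): RotationEvent {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
    const seq = this.events.length;
    const newPubkey = pubHex(publicKey);
    const sig = crypto.sign(null, signable(seq, newPubkey, ts), this.current);
    const ev: RotationEvent = { seq, newPubkey, prevSignature: sig.toString("hex"), ts };
    this.events.push(ev);
    this.current = privateKey;
    return ev;
  }
}

// Client side: walk from the newest event back to genesis, checking that every
// event is signed by the key introduced in the event before it.
function verifyChain(events: RotationEvent[]): boolean {
  if (events.length === 0 || events[0].seq !== 0 || events[0].prevSignature !== "") return false;
  for (let i = events.length - 1; i > 0; i--) {
    const ev = events[i];
    const prev = events[i - 1];
    if (ev.seq !== i || ev.ts < prev.ts) return false;          // append-only, monotone
    const prevKey = crypto.createPublicKey({ key: Buffer.from(prev.newPubkey, "hex"), format: "der", type: "spki" });
    const ok = crypto.verify(null, signable(ev.seq, ev.newPubkey, ev.ts), prevKey, Buffer.from(ev.prevSignature, "hex"));
    if (!ok) return false;
  }
  return true;
}

// Resolver rule from K2 (assumed form): accept the head key only while the chain
// verifies and the scheduled rotation is not overdue past the grace window.
function keyAcceptable(events: RotationEvent[], now: number): boolean {
  if (events.length === 0) return false;
  const head = events[events.length - 1];
  const deadline = head.ts + (ROTATION_DAYS + GRACE_DAYS) * 86400;
  return verifyChain(events) && now <= deadline;
}
```

A chain whose head key is replaced without the prior key's signature, or whose events are reordered, fails `verifyChain`: authority comes from the previous key in the chain, not from the party serving it.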

Tenant isolation

Every read path. Every write path. No exceptions.

A clearing house where operator A can accidentally read operator B’s positions is not a clearing house. The wrapper below is enforced at code-review time, at static-analysis time, and in the running system.
```typescript
// Tenant scoping contract (TS / Rust / Go — same semantics everywhere)
//
// (1) The authenticated operator DID is extracted at the edge, ONCE,
//     from a short-lived JWT signed by Wavestar's auth service. Never
//     from a header, query string, or request body.
//
// (2) Every DB query is wrapped. The wrapper refuses to execute if the
//     target table does not have a tenant_did column, or if the session
//     tenant has not been threaded through context.
//
// (3) Cross-tenant reads are possible, but only through a named helper
//     with a reason string. Every invocation is logged to an append-only
//     audit stream, alerted on, and visible to the tenants whose data
//     was touched (unless a regulator-confidential flag is set).

// normal read:
const balance = await withTenant(session.did, (tx) =>
  tx.sql`SELECT sum(amount) FROM ledger WHERE status='cleared'`
);

// cross-tenant (regulatory / settlement / support):
const view = await withCrossTenant(
  {
    reason: "CFTC 17 CFR 39.18 large-trade review · ticket RT-2026-04-18",
    requestor: session.did,
    approver:  "did:orbit:operator:wavestar:compliance-officer",
  },
  (tx) => tx.sql`SELECT ... FROM trades WHERE notional > $1 AND settled_at > $2`
);
// Emits:   audit.cross_tenant.read { requestor, approver, reason, tables[], row_count, ts }
// Logged:  append-only Trillian audit sub-log
// Alerted: Slack #sec-audit + PagerDuty for anomalous frequency
```
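An added, runnable model of the contract above (example code, not Wavestar's wrapper): the in-memory store, the table schemas, the `select` query API standing in for `tx.sql`, and the `AUDIT_LOG` array standing in for the Trillian sub-log are all constructed for the example. What it preserves are the three rules: the tenant comes only from the verified session, every scoped read is filtered on `tenant_did` inside the wrapper and refused for tables that lack the column, and a cross-tenant read is only reachable through one named helper that requires a reason and an approver and always emits an audit event.

```typescript
// Added example: tenant-scoping wrapper over a constructed in-memory store.
type Row = Record<string, unknown>;

// Constructed schema and data. `operators` deliberately has no tenant_did column.
const SCHEMA: Record<string, string[]> = {
  ledger: ["tenant_did", "amount", "status"],
  trades: ["tenant_did", "notional", "settled_at"],
  operators: ["did", "name"],
};
const DB: Record<string, Row[]> = {
  ledger: [
    { tenant_did: "did:orbit:operator:alpha", amount: 100, status: "cleared" },
    { tenant_did: "did:orbit:operator:alpha", amount: 50, status: "pending" },
    { tenant_did: "did:orbit:operator:beta", amount: 400, status: "cleared" },
  ],
  trades: [
    { tenant_did: "did:orbit:operator:alpha", notional: 1_000_000, settled_at: 1_700_000_000 },
    { tenant_did: "did:orbit:operator:beta", notional: 9_000_000, settled_at: 1_700_000_100 },
  ],
  operators: [{ did: "did:orbit:operator:alpha", name: "Alpha" }],
};

// Populated at the edge from the verified JWT, never from request input.
interface Session { did: string; }

interface AuditEvent {
  kind: "audit.cross_tenant.read";
  requestor: string; approver: string; reason: string;
  tables: string[]; row_count: number; ts: number;
}
const AUDIT_LOG: AuditEvent[] = [];   // stands in for the append-only audit sub-log

class Tx {
  readonly touched = new Set<string>();
  rowsRead = 0;
  constructor(private readonly tenant: string | null) {}

  // Every read names its table; a tenant-scoped Tx refuses tables without tenant_did
  // and applies the tenant filter itself, so a caller cannot forget it.
  select(table: string, where: (r: Row) => boolean = () => true): Row[] {
    const cols = SCHEMA[table];
    if (!cols) throw new Error(`unknown table ${table}`);
    if (this.tenant !== null && !cols.includes("tenant_did")) {
      throw new Error(`refusing tenant-scoped read of ${table}: no tenant_did column`);
    }
    const rows = DB[table].filter(r => (this.tenant === null || r.tenant_did === this.tenant) && where(r));
    this.touched.add(table);
    this.rowsRead += rows.length;
    return rows;
  }
}

function withTenant<T>(did: string, fn: (tx: Tx) => T): T {
  if (!did) throw new Error("no tenant in session context");
  return fn(new Tx(did));
}

function withCrossTenant<T>(ctx: { reason: string; requestor: string; approver: string }, fn: (tx: Tx) => T): T {
  if (!ctx.reason.trim() || !ctx.approver) throw new Error("cross-tenant read needs a reason and an approver");
  const tx = new Tx(null);
  const result = fn(tx);
  AUDIT_LOG.push({
    kind: "audit.cross_tenant.read",
    requestor: ctx.requestor, approver: ctx.approver, reason: ctx.reason,
    tables: Array.from(tx.touched), row_count: tx.rowsRead, ts: Math.floor(Date.now() / 1000),
  });
  return result;
}

// Scoped read: the caller's cleared balance, whatever other tenants hold.
function clearedBalance(session: Session): number {
  return withTenant(session.did, tx =>
    tx.select("ledger", r => r.status === "cleared").reduce((s, r) => s + (r.amount as number), 0));
}

// Cross-tenant read: large-trade review across all operators, always audited.
function largeTradeCount(session: Session, minNotional: number): number {
  return withCrossTenant(
    { reason: "large-trade review · ticket <placeholder>", requestor: session.did,
      approver: "did:orbit:operator:wavestar:compliance-officer" },
    tx => tx.select("trades", r => (r.notional as number) > minNotional).length,
  );
}
```

The static-analysis half of the contract is the rule that no code path builds a `Tx` except these two helpers; in this model that is the private constructor argument, in a real code base it is a lint rule on the driver import.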

Cryptographic primitives

No home-rolled crypto. Audited libraries, pinned versions.

Signatures · operational
Ed25519

Libraries: ring (Rust), @noble/curves (TS), cryptography (Python), filippo.io/edwards25519 (Go). Used for session tokens, module-to-module mTLS, CCP envelope signing.

Signatures · quorum
BLS12-381 (threshold)

Libraries: blst (Rust), @noble/curves (TS). 8-of-12 aggregation, 96-byte aggregate signatures, 48-byte public-key shares.

Signatures · post-quantum
Dilithium3 (wired, secondary)

FIPS 204 draft-conformant. Dual-signed envelopes from 2027; primary switchover targeted 2028.

Hash
SHA-256 (primary) · SHA3-256 (PQ-ready)

Merkle log hashes are SHA-256 (RFC 6962). Internal digests optionally use SHA3 where the spec allows.

Symmetric
AES-256-GCM (at-rest) · ChaCha20-Poly1305 (edge)

Envelope encryption for object-store artifacts. KMS-managed data keys; rotated with the rest of the key fleet.

Canonicalisation
RFC 8785 (JCS)

Every payload that will be hashed or signed passes through JCS first. JSON.stringify is banned in signing paths (enforced by lint).

Envelope
COSE (RFC 8152)

CBOR-based, language-agnostic, supports multiple signers. Crosses every module boundary.

Random
CSPRNG only

crypto.randomBytes (Node), rand::rngs::OsRng (Rust), secrets.token_bytes (Python), crypto/rand (Go). Math.random and equivalents are banned.
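An added example (not Wavestar's code) of why the Canonicalisation entry bans `JSON.stringify` in signing paths: two semantically equal payloads with different member order and number spelling hash differently under plain `JSON.stringify` and identically after RFC 8785 (JCS). The `jcs` function below is a compact JCS implementation written for this example; it relies on `JSON.stringify` for ES6-compatible string and number serialisation (which is what RFC 8785 specifies) and sorts members by UTF-16 code units, the default JavaScript string order. The two envelope payloads are constructed.

```typescript
// Added example: JCS canonicalisation versus plain JSON.stringify before hashing.
import { createHash } from "node:crypto";

function jcs(value: unknown): string {
  if (value === null || typeof value !== "object") {
    if (value === undefined || typeof value === "function" || typeof value === "symbol") {
      throw new Error("JCS: value has no JSON representation");
    }
    if (typeof value === "number" && !isFinite(value)) throw new Error("JCS: non-finite number");
    return JSON.stringify(value);   // ES6 ToString for numbers, ES6 escaping for strings
  }
  if (Array.isArray(value)) return "[" + value.map(jcs).join(",") + "]";
  const obj = value as Record<string, unknown>;
  // RFC 8785 section 3.2.3: members sorted by UTF-16 code units of the property name.
  const keys = Object.keys(obj).sort();
  return "{" + keys.map(k => JSON.stringify(k) + ":" + jcs(obj[k])).join(",") + "}";
}

function sha256Hex(s: string): string {
  return createHash("sha256").update(s, "utf8").digest("hex");
}

// Constructed payloads: same content, different key order and number spelling.
const envelopeA = { notional: 1.0e6, operator: "did:orbit:operator:alpha", legs: [{ ccy: "USDC", amt: 100 }] };
const envelopeB = { legs: [{ amt: 100, ccy: "USDC" }], operator: "did:orbit:operator:alpha", notional: 1000000 };

// Plain stringify preserves insertion order, so equal payloads get different digests.
function naiveDigestsAgree(): boolean {
  return sha256Hex(JSON.stringify(envelopeA)) === sha256Hex(JSON.stringify(envelopeB));
}

// After JCS there is exactly one byte string per payload, so the digests match.
function jcsDigestsAgree(): boolean {
  return sha256Hex(jcs(envelopeA)) === sha256Hex(jcs(envelopeB));
}
```

A signature verifier that re-serialises with `JSON.stringify` will reject a valid envelope whenever the sender's and receiver's member order differ, and a lint rule on the signing path is cheaper than debugging that in production.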

Secrets and supply chain

The boring controls, rigorously applied.

  • 01

    No secrets in source

    Pre-commit hooks grep for common patterns (API keys, private keys, JWT secrets). CI runs gitleaks across the whole repo. .env files are gitignored and never baked into images.
  • 02

    Images are immutable

    Container images are built reproducibly, signed with cosign, and stored with SLSA Level 3 provenance. The admission controller refuses unsigned images in production.
  • 03

    SBOM per release

    Every release ships a CycloneDX SBOM. Transitive dependencies are scanned with Grype on every push; HIGH and CRITICAL CVEs block merge until patched or pinned through overrides.
  • 04

    Dependency licence policy

    MIT, Apache-2.0, BSD, ISC permitted in closed-source modules. GPL-3, AGPL-3, and SSPL explicitly banned. Licence check runs in CI.
  • 05

    Third-party SaaS review

    Every SaaS dependency (Stripe, Vercel, Cloudflare, Datadog, PagerDuty) has a DPA, a documented failure mode, and an exit plan. Reviewed annually by the security team.
  • 06

    Admin access

    Production access requires hardware security key (FIDO2) plus just-in-time approval. Sessions are time-boxed at 4 hours and logged to the audit stream. No standing admin.

Responsible disclosure

Report security issues. We respond fast.

We operate a permanent disclosure programme for researchers. Good-faith research against scope is safe harbour under our policy. We pay for valid findings; we credit researchers who want to be credited and protect those who do not.

Disclosure programme

Contact
security@wavestar.space · PGP 0xA4F2...

Signal available on request after initial contact. We acknowledge within 24 business hours.

In scope
All *.wavestar.space services · SDKs · protocol docs

Smart contracts, resolver, clearing API, Terminal, Market, Attest observer clients.

Out of scope
Third-party infra (Cloudflare, Vercel, etc.)

Please report those to the respective vendor. We'll help co-ordinate if it affects our surface.

Reward ceiling
$250,000 · critical protocol flaw

Scaled by severity (CVSS v3.1) and exploitability. Settlement-integrity bugs are the highest tier.

Reward floor
$500 · verified low-severity

Duplicates receive a small acknowledgement bonus if within 24h of the primary report.

Triage time
Acknowledgement < 24h · triage < 72h

Fix timeline is negotiated with the reporter and published in a post-incident report once patched.

Safe harbour
Good-faith research against scope

No legal action, no law-enforcement referral, no account termination — provided you do not attempt to access another operator's data, exfiltrate private keys, or disrupt production.

Penetration test summary

Q1 2026 · most-recent third-party engagement.

The table below summarises findings from our Q1 2026 cycle across three firms. Every finding is closed or accepted with written rationale. Full reports are available under NDA to counterparties evaluating us for clearing membership.
Trail of Bits · clearing + crypto
1 medium · 3 low · 6 informational

Medium finding: a malleability edge case in the COSE envelope library (third-party). Upstream patched; we pinned through overrides. No exploitable impact.

NCC Group · web + API
0 critical · 2 medium · 5 low

Both mediums related to rate-limiting on public read endpoints (registry resolver). Remediated with adaptive limits and monitoring. Re-test clean.

Leviathan · infra + cloud
0 critical · 1 high · 4 medium · 3 low

High finding: a stale IAM policy that granted broader S3 access than intended to a deprecated service account. Role deleted; access reviewed across the fleet. Re-test clean.

Cure53 · protocol envelopes
0 critical · 0 high · 3 medium · 7 low

All mediums addressed through JCS canonicalisation hardening. See ADR-0018 for the full write-up.

Principle

A clearing house is a trust institution wearing a technology skin. The technology has to be as rigorous as the trust. If we can’t explain a control to a counterparty in five minutes, we don’t run it.
Wavestar security charter · § 1.1

Transport and headers

The edge is locked, and we publish what locks it.

```http
# Public endpoints (https://wavestar.space, https://resolver.wavestar.space)
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy:   default-src 'self';
                           script-src 'self' 'nonce-<random>';
                           style-src 'self' 'nonce-<random>';
                           img-src 'self' data:;
                           connect-src 'self' https://api.wavestar.space;
                           frame-ancestors 'none';
                           base-uri 'self';
                           form-action 'self'
X-Frame-Options:           DENY
X-Content-Type-Options:    nosniff
Referrer-Policy:           strict-origin-when-cross-origin
Permissions-Policy:        geolocation=(), microphone=(), camera=()
Cross-Origin-Opener-Policy:   same-origin
Cross-Origin-Embedder-Policy: require-corp

# Authenticated APIs (https://api.wavestar.space)
# mTLS required for clearing member endpoints.
# JWT assertion profile: RFC 7521, signed by operator Ed25519 key,
# max exp 15min, replay-protected by nonce + jti tracking.
```
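The server-side checks behind the JWT assertion comment above, as an added example rather than Wavestar's auth code: an Ed25519-signed assertion is accepted only if the header's `alg` is `EdDSA` (the token never gets to pick a weaker algorithm), the signature verifies under the issuer's registered key, the audience matches, `nonce` and `jti` are present, the lifetime is at most 15 minutes, the token is inside its validity window, and the `jti` has not been seen before. The in-memory `jti` map, the 30-second clock-skew allowance, the `nonce` claim name, and the operator DID are assumptions; in a multi-region deployment the seen-`jti` set has to live in shared storage for at least the assertion lifetime. Keys are generated inline so the example runs offline.

```typescript
// Added example: verifying an Ed25519 JWT assertion with lifetime cap and jti replay tracking.
import * as crypto from "node:crypto";

const MAX_LIFETIME_S = 15 * 60;
const CLOCK_SKEW_S = 30;   // assumption

const b64u = (b: Buffer) => b.toString("base64url");
const fromB64u = (s: string) => Buffer.from(s, "base64url");

interface Claims { iss: string; sub: string; aud: string; iat: number; exp: number; jti: string; nonce: string; }

// Operator side: mint an assertion (included so the example is self-contained).
function issueAssertion(privateKey: crypto.KeyObject, claims: Claims): string {
  const header = b64u(Buffer.from(JSON.stringify({ alg: "EdDSA", typ: "JWT" })));
  const payload = b64u(Buffer.from(JSON.stringify(claims)));
  const sig = crypto.sign(null, Buffer.from(`${header}.${payload}`), privateKey);
  return `${header}.${payload}.${b64u(sig)}`;
}

class AssertionVerifier {
  private readonly seenJti = new Map<string, number>();   // jti -> exp; pruned on each call
  constructor(private readonly operatorKeys: Map<string, crypto.KeyObject>, private readonly audience: string) {}

  // Returns the claims on success; throws with a specific reason on any failure.
  verify(token: string, now: number): Claims {
    const parts = token.split(".");
    if (parts.length !== 3) throw new Error("malformed");
    const [h, p, s] = parts;
    const header = JSON.parse(fromB64u(h).toString("utf8"));
    if (header.alg !== "EdDSA") throw new Error("alg not allowed");   // the token never chooses the algorithm
    const claims = JSON.parse(fromB64u(p).toString("utf8")) as Claims;
    const key = this.operatorKeys.get(claims.iss);
    if (!key) throw new Error("unknown issuer");
    if (!crypto.verify(null, Buffer.from(`${h}.${p}`), key, fromB64u(s))) throw new Error("bad signature");
    if (claims.aud !== this.audience) throw new Error("wrong audience");
    if (!claims.nonce || !claims.jti) throw new Error("nonce and jti required");
    if (claims.exp - claims.iat > MAX_LIFETIME_S) throw new Error("lifetime exceeds 15 min");
    if (now > claims.exp + CLOCK_SKEW_S || now + CLOCK_SKEW_S < claims.iat) throw new Error("expired or not yet valid");
    this.seenJti.forEach((exp, jti) => { if (exp + CLOCK_SKEW_S < now) this.seenJti.delete(jti); });
    if (this.seenJti.has(claims.jti)) throw new Error("replayed jti");
    this.seenJti.set(claims.jti, claims.exp);
    return claims;
  }
}

// Constructed operator key pair and verifier instance.
const { publicKey: opPub, privateKey: opPriv } = crypto.generateKeyPairSync("ed25519");
const verifier = new AssertionVerifier(new Map([["did:orbit:operator:alpha", opPub]]), "https://api.wavestar.space");

function mint(iat: number, lifetimeS: number, jti: string = crypto.randomUUID()): string {
  return issueAssertion(opPriv, {
    iss: "did:orbit:operator:alpha", sub: "did:orbit:operator:alpha", aud: "https://api.wavestar.space",
    iat, exp: iat + lifetimeS, jti, nonce: crypto.randomBytes(16).toString("hex"),
  });
}

// "ok" or the rejection reason, so callers can see which check fired.
function outcome(token: string, now: number): string {
  try { verifier.verify(token, now); return "ok"; } catch (e) { return (e as Error).message; }
}
```

The order of checks matters: algorithm and signature are tested before any claim is trusted, and the replay check is last so that a rejected token never consumes a `jti` slot.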

Security by the numbers

What we measure.

Key rotation cadence
90 days
Compromise revocation
< 15 min
Disclosure ack
< 24 h
Pen test cadence
Quarterly
Production admin access
JIT · 4h max
HSM FIPS level
140-2 L3
CVE SLA · HIGH
7 days
CVE SLA · CRITICAL
24 hours

Report a vulnerability

We'd rather you reach us than a headline.

Email security@wavestar.space with PGP-encrypted details if you have PGP, or request a Signal contact first if you don't. We acknowledge within 24 business hours and pay for valid findings.