A defensible posture, written down once.
Non-custodial wallets by default. Scoped API keys with hard limits. A full audit log on every action. This is the page you forward to your security reviewer.
Posture
How the platform is built.
Key custody.
Wallets are non-custodial by default. Multi-party computation splits private key material across operator-isolated shards. No single FabricBloc system can sign on a user's behalf.
API authentication.
Every public API call is authenticated with an API key tied to a workspace and environment. Keys are scoped — they only authorize the operations and assets they were issued for, and can carry hard per-asset spend caps.
Infrastructure.
Workloads run on hardened cloud infrastructure with VPC isolation, encrypted-at-rest storage, and TLS-only ingress. Backups are encrypted with rotating keys and retained per the published retention policy.
Audit log.
Every key operation, asset event, and console action is recorded to an append-only audit log scoped to the workspace. Logs are streamable to your own SIEM on Enterprise.
Incident process.
Customer-impacting incidents are published to https://status.fabricbloc.com/ with a postmortem within five business days. Enterprise customers receive direct notification through their named contact and Slack Connect channel.
Responsible disclosure.
Security researchers can submit findings to security [at] fabricbloc.com. We commit to acknowledging within one business day and triaging severe issues within five business days.
Agents
Agents get only what they need.
Scoped API keys define exactly which operations an agent can perform and how much it can spend. The FabricBloc API enforces these limits server-side — agents cannot escalate permissions.
- Granular permissions: wallets:read, tokens:transfer, vaults:deposit
- Per-asset spend caps with hard limits
- Key expiry — automatic revocation after TTL
- Full audit log for every action taken by a key
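The list above names four controls that only mean something if they are checked on the server for every request. The following is an added illustration, not FabricBloc's code or API: it models a scoped key as a record and runs the checks in the order a defender wants them (revocation, TTL, scope, then per-asset cap), committing spend only after all checks pass and appending one audit record per decision, allowed or denied. The key layout, the helper names, the sample key and the timestamps are all constructed for this example; the three scope names are the ones listed on this page.

```python
"""Illustrative server-side enforcement of scoped agent API keys.

Added example, not FabricBloc's code: the ScopedKey layout, the function
names and the sample key are constructed here to show the checks the page
describes (scope, per-asset spend cap, TTL expiry) plus an append-only
audit record for every decision.
"""
from dataclasses import dataclass, field
from decimal import Decimal
import time


@dataclass
class ScopedKey:
    key_id: str
    workspace: str
    scopes: frozenset            # operations this key was issued for
    spend_caps: dict             # asset symbol -> hard cap (Decimal)
    expires_at: float            # unix timestamp; key is dead at/after this
    spent: dict = field(default_factory=dict)   # asset -> running total
    revoked: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str


AUDIT_LOG: list = []   # append-only in this example: entries are never edited or removed


def _audit(key, operation, asset, amount, decision, now, audit_log):
    audit_log.append({
        "ts": now, "key_id": key.key_id, "workspace": key.workspace,
        "operation": operation, "asset": asset,
        "amount": None if amount is None else str(amount),
        "allowed": decision.allowed, "reason": decision.reason,
    })


def authorize(key, operation, asset=None, amount=None, now=None, audit_log=AUDIT_LOG):
    """Decide one request. Every call is audited whether allowed or not.
    Spend is committed only after all checks pass, so a rejected request
    never consumes quota and the cap can never be overshot."""
    now = time.time() if now is None else now
    if key.revoked:
        d = Decision(False, "key revoked")
    elif now >= key.expires_at:
        d = Decision(False, "key expired")                 # TTL enforced server-side
    elif operation not in key.scopes:
        d = Decision(False, f"scope {operation} not granted")
    elif amount is not None:
        cap = key.spend_caps.get(asset)
        already = key.spent.get(asset, Decimal(0))
        if cap is None:
            d = Decision(False, f"no spend cap issued for {asset}")   # default deny
        elif amount <= 0:
            d = Decision(False, "amount must be positive")
        elif already + amount > cap:
            d = Decision(False, f"per-asset cap exceeded for {asset}")
        else:
            key.spent[asset] = already + amount
            d = Decision(True, "ok")
    else:
        d = Decision(True, "ok")
    _audit(key, operation, asset, amount, d, now, audit_log)
    return d


def demo():
    """Constructed scenario: a key with two scopes, a 100 USDC cap and a
    one-hour TTL, driven through six requests. Returns the allow/deny
    outcomes, the committed USDC spend, and the number of audit records."""
    t0 = 1_700_000_000.0
    log = []
    key = ScopedKey(
        key_id="key_demo_01", workspace="ws_demo",
        scopes=frozenset({"wallets:read", "tokens:transfer"}),
        spend_caps={"USDC": Decimal("100")},
        expires_at=t0 + 3600,
    )
    outcomes = [
        authorize(key, "wallets:read", now=t0, audit_log=log).allowed,                                  # allowed
        authorize(key, "tokens:transfer", "USDC", Decimal("60"), now=t0 + 1, audit_log=log).allowed,   # allowed, 60 of 100
        authorize(key, "tokens:transfer", "USDC", Decimal("50"), now=t0 + 2, audit_log=log).allowed,   # denied: 110 > cap
        authorize(key, "vaults:deposit", "USDC", Decimal("1"), now=t0 + 3, audit_log=log).allowed,     # denied: scope not granted
        authorize(key, "tokens:transfer", "ETH", Decimal("1"), now=t0 + 4, audit_log=log).allowed,     # denied: no cap for ETH
        authorize(key, "wallets:read", now=t0 + 3600, audit_log=log).allowed,                          # denied: TTL reached
    ]
    return outcomes, key.spent["USDC"], len(log)


if __name__ == "__main__":
    outcomes, spent, n = demo()
    print(outcomes, spent, n)
```

Two design points worth carrying into a real implementation: the cap check compares the running total plus the requested amount against the cap before committing, so a key can never be driven past its limit by a sequence of small requests, and an asset with no issued cap is denied rather than treated as unlimited. The denied calls still land in the audit log, which is what lets a reviewer see an agent probing beyond its scope.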
FAQ
Common security questions.
Who holds wallet private keys?
FabricBloc wallets are non-custodial MPC wallets by default. Key material is split across operator-isolated shards. The end user is the cryptographic owner; FabricBloc cannot unilaterally sign on their behalf.
How do scoped agent keys work?
Scoped keys define exactly which API operations an agent can call and how much it can spend per asset. Limits are enforced server-side. Keys can be expired or rotated programmatically.
Where is data stored?
Operational data is stored in a primary region with encrypted-at-rest snapshots. Enterprise contracts can specify regional data residency. Wallet key shards are stored in operator-isolated regions independent of application data.
Do you have a SOC 2 report?
SOC 2 is on our roadmap. We do not hold a current SOC 2 report yet. Enterprise customers can ask about our control posture and timeline under NDA, and we will share the report through the contact form once it issues.
How do I report a security issue?
Send a written report to security [at] fabricbloc.com. We acknowledge within one business day. Severe issues are triaged within five business days and patched as priority work.
Send this page to your reviewer.
Then bring the unanswered questions to us. We respond same-day on weekdays.