Compliance and security
Choose the right DALP compliance and security guide for public-chain privacy, pre-launch review, source verification, the layered security model, and the per-asset compliance modules that enforce regulated operations.
Each DALP compliance or security topic answers a specific reviewer question. Open with privacy when you need to know what becomes visible on EVM networks. Turn to security when you need the control model. Use compliance modules when you need per-asset transfer rules. Use source verification when you need deployment and audit evidence.
This page is a navigation hub, not a legal opinion. DALP documents the platform controls and evidence surfaces. Your organisation still owns policy choices, jurisdictional approvals, custody arrangements, recovery targets, and operating procedures.
Security and procurement reviewers on SettleMint-hosted or managed deployments can also use the SettleMint Trust Center for security questionnaires, compliance frameworks, and governance policies. Operators can check the SettleMint status page for published platform availability and incident history.
The pages below cover documented platform controls. They do not commit to regulator-specific approval, custody terms, SLA terms, or non-EVM deployment support. Treat those as organisation-specific controls unless a detail page states the DALP position explicitly.
What DALP covers
DALP organises compliance and security review into four surfaces: public-chain privacy patterns, the layered security controls, EVM compliance modules, and deployment records that let an auditor reproduce what was deployed and what happened after.
| Area | DALP defines | Your organisation defines |
|---|---|---|
| Privacy | What stays off-chain by default, the public-chain visibility model, and supported routing patterns | Network selection, RPC, and routing decisions, legal review of public disclosure, and pre-launch approval ownership |
| Security | Identity, authentication, authorization, wallet verification, compliance, custody split, and routing | Operator role assignment, policy approvals, custody arrangements, secret rotation, and incident response |
| Compliance | Per-asset compliance modules for identity, geography, supply, approvals, collateral, and timelock | Module configuration, policy thresholds, jurisdictional approvals, and review evidence |
| Audit evidence | Source verification, deployment auditability, indexed events, and operating-record retention model | Retention policy, regulator-specific reporting, control testing, and escalation procedures |
| Exclusions | Documented platform behaviour and supported review surfaces | Legal opinions, SLA commitments, custody arrangements, and bridge or cross-chain operating decisions |
Pick the right path
| If you need to... | Start here | Then read |
|---|---|---|
| Decide if a regulated asset can use a public chain | Public chain privacy | Public EVM visibility model for the chain-visible data set |
| Inspect what is visible on EVM networks | Public EVM visibility model | Transaction ordering privacy for pre-confirmation exposure |
| Compare privacy architecture patterns | Privacy architecture patterns | Pre-launch privacy review before a regulated asset goes live |
| Trace deployed contracts and operating evidence | Source verification and deployment auditability | The deployment, bytecode, upgrade, and indexed-event sections inside the same page |
| Review the layered security control model | Security overview | Authentication, Authorization, Wallet verification |
| Inspect identity and compliance evidence | Identity and compliance control model | Compliance and custody split |
| Review per-asset compliance modules | Asset policy | Asset policy concept, compliance modules overview, and the identity, country, supply, approvals, collateral, and timelock module pages |
| Review cross-chain and stablecoin trust boundaries | Bridge and cross-chain security | Stablecoin operating responsibilities |
Review model
The four review surfaces break down as follows:
- Privacy review answers what becomes visible on EVM networks, when public-chain visibility is acceptable, and which controls belong in the deployment architecture.
- Security review inspects the layered control model: authentication, authorization, wallet verification, identity enforcement, compliance enforcement, custody split, and routing. Start here when evaluating access controls or signer permissions.
- Compliance module review covers the per-asset rules DALP enforces on EVM. These include identity and geography restrictions, supply caps, transfer approvals, collateral requirements, and holding periods.
- Audit evidence review traces deployed contracts, upgrade history, indexed events, and operating records that document what was deployed and what happened after.
Most regulated programmes go through all four. Start with the privacy pages when the network is undecided, move to the security controls when reviewing platform access, open the compliance module pages when configuring per-asset policy, and use the source verification page when packaging audit records.
Privacy
Use these pages to decide what becomes visible on a public EVM network, select an appropriate architecture pattern, and satisfy a pre-launch review checklist.
Decide what DALP keeps off-chain and which controls belong in the deployment architecture.
Map the data that becomes visible on public EVM networks and the evidence that stays off-chain.
Review how transactions become visible before confirmation across the full pre-confirmation path from RPC endpoints through bundlers and builders to sequencers and validators. Use this page when a regulated asset runs on a public network without a private mempool.
Compare public eligibility, private evidence, permissioned networks, and metadata-minimisation patterns. Choose a pattern before selecting a network for a regulated asset.
Run the operator pre-launch checklist covering field exposure, evidence packaging, routing decisions, and approval ownership.
Source verification and audit evidence
Use this page to trace deployed EVM contracts, reproduce bytecode, and assemble deployment records for an auditor.
Security overview
These pages cover the layered control model. A security or procurement reviewer typically starts at the overview, then drills into authentication and authorization before examining the custody split.
Inspect the layered control model covering identity, access controls, wallet verification, compliance enforcement, and custody.
Review how the platform authenticates both browser callers and server-to-server integration clients through session tokens, passkeys, 2FA flows, and API key credentials.
Inspect platform RBAC, organisation context, and on-chain roles for restricted operations.
Connect participants, wallets, OnchainID claims, trusted issuers, and module evaluation.
Separate identity and compliance decisions from custody approvals and signing policy. Operators and auditors use this page to map which party owns each control.
Tie EVM mint retries to a single queued transaction so supply limits hold even when a transaction is resubmitted. The platform preserves nonce ordering and supply controls across retries.
Split DALP controls from third-party services. Use this page for outsourcing reviews, DORA compliance, and vendor governance evidence.
Route DALP transactions through a private or encrypted mempool service. This page identifies which routing decisions stay operator-owned.
Gate blockchain write operations behind PIN, TOTP, or backup-code verification.
Review where DALP controls end and which external-route evidence operators must own. Use this page before any cross-chain deployment.
Map which party owns each stablecoin responsibility. Covers minting and burning, reserve management, compliance decisions, governance choices, and which controls the operator must hold directly.
Compliance modules
Each page below covers a module that the platform enforces on-chain. Operators configure these modules per asset to control who can hold and transfer tokens.
See how per-asset compliance modules enforce regulated EVM token operations. Start here before configuring individual modules.
Combine identity, modules, lifecycle hooks, and governance into per-asset policy.
Restrict eligibility and operations by jurisdiction. The platform evaluates country claims on every regulated operation.
Allow or block transfer participants using identity lists.
Block transfer participants by EVM address.
Require verified identity claims before regulated operations execute. The platform blocks the operation until the issuer confirms the claim.
Configure transfer policy expressions on per-asset rules.
Apply supply caps and investor-count limits to an asset. Both limits are enforced at the contract layer on every mint and transfer.
Require pre-transfer approval workflows for restricted transfers. The platform holds the transfer until an authorised approver confirms.
Tie supply caps to collateral attestations for backed assets.
Apply holding-period or vesting controls to regulated assets.