Compliance and security
Choose the right DALP compliance and security guide for public-chain privacy, pre-launch review, source verification, the layered security model, and the per-asset compliance modules that enforce regulated operations.
Use this section to pick the right DALP compliance or security page before a regulated programme goes live. Start with privacy when you need to know what becomes visible on EVM networks. Start with security when you need the control model. Start with compliance modules when you need per-asset transfer rules. Start with source verification when you need deployment and audit evidence.
This is a review hub, not a legal opinion. DALP documents the platform controls and evidence surfaces. Your organisation still owns policy choices, jurisdictional approval, custody arrangements, recovery targets, and operating procedures.
For SettleMint-hosted or managed deployments, procurement and security reviewers can also use the SettleMint Trust Center for security questionnaires, compliance frameworks, and governance policies. Operators can check the SettleMint status page for published platform availability and incident history.
The pages below cover documented platform behaviour. They do not commit to regulator-specific approval, custody terms, SLA terms, or non-EVM deployment support. Treat those as organisation-specific controls unless a detail page states the DALP behaviour explicitly.
What DALP covers
DALP separates compliance and security review into four surfaces: public-chain privacy patterns, the layered security model, EVM compliance modules, and deployment evidence that lets an auditor reproduce what was deployed and what happened after.
| Area | DALP defines | Your organisation defines |
|---|---|---|
| Privacy | What stays off-chain by default, the public-chain visibility model, and supported routing patterns | Network selection, RPC and routing decisions, legal review of public disclosure, and pre-launch approval ownership |
| Security | Identity, authentication, authorization, wallet verification, compliance, custody split, and routing | Operator role assignment, policy approvals, custody arrangements, secret rotation, and incident response |
| Compliance | Per-asset compliance modules for identity, geography, supply, approvals, collateral, and timelock | Module configuration, policy thresholds, jurisdictional approvals, and review evidence |
| Audit evidence | Source verification, deployment auditability, indexed events, and operating-record retention model | Retention policy, regulator-specific reporting, control testing, and escalation procedures |
| Exclusions | Documented platform behaviour and supported review surfaces | Legal opinions, SLA commitments, custody arrangements, and bridge or cross-chain operating decisions |
Pick the right path
| If you need to... | Start here | Then read |
|---|---|---|
| Decide if a regulated asset can use a public chain | Public chain privacy | Public EVM visibility model for the chain-visible data set |
| Inspect what is visible on EVM networks | Public EVM visibility model | Transaction ordering privacy for pre-confirmation exposure |
| Compare privacy architecture patterns | Privacy architecture patterns | Pre-launch privacy review before a regulated asset goes live |
| Trace deployed contracts and operating evidence | Source verification and deployment auditability | The deployment, bytecode, upgrade, and indexed-event sections inside the same page |
| Review the layered security control model | Security overview | Authentication, Authorization, Wallet verification |
| Inspect identity and compliance evidence | Identity and compliance control model | Compliance and custody split |
| Review per-asset compliance modules | Asset policy | Asset policy concept, compliance modules overview, and the identity, country, supply, approvals, collateral, and timelock module pages |
| Review cross-chain and stablecoin trust boundaries | Bridge and cross-chain security | Stablecoin operating responsibilities |
Review model
DALP separates compliance and security review into four surfaces:
- Privacy review answers what becomes visible on EVM networks, when public-chain visibility is acceptable, and which controls belong in the deployment architecture.
- Security review inspects the layered control model: authentication, authorization, wallet verification, identity and compliance enforcement, custody split, and routing decisions.
- Compliance module review inspects the per-asset rules DALP enforces on EVM for identity, geography, supply, approvals, collateral, and holding periods.
- Audit evidence review traces deployed contracts, upgrade history, indexed events, and operating records that document what was deployed and what happened after.
Most regulated programmes go through all four. Use the privacy pages first when the network is undecided, the security pages when reviewing the platform controls, the compliance module pages when configuring per-asset policy, and the source verification page when packaging audit evidence.
Privacy
- Public chain privacy: Decide what DALP keeps off-chain and which controls belong in the deployment architecture.
- Public EVM visibility model: Map the data that becomes visible on public EVM networks and the evidence that stays off-chain.
- Transaction ordering privacy: Review pre-confirmation exposure through RPC, bundlers, builders, sequencers, and validators.
- Privacy architecture patterns: Compare public eligibility, private evidence, permissioned networks, and metadata-minimisation patterns.
- Pre-launch privacy review: Run the operator checklist for fields, evidence, routing, and approval owners before launch.
Source verification and audit evidence
Security overview
- Security overview: Inspect the layered control model for identity, access, wallet verification, compliance, and custody.
- Authentication: Review sessions, 2FA, passkeys, and API key authentication for browser and integration callers.
- Authorization: Inspect platform RBAC, organisation context, and on-chain roles for governed actions.
- Identity and compliance: Connect participants, wallets, OnchainID claims, trusted issuers, and module evaluation.
- Compliance and custody split: Separate identity and compliance decisions from custody approvals and signing policy.
- Mint replay and idempotency: Tie EVM mint retries to one queued transaction while preserving nonce ordering and supply controls.
- Vendor governance: Split DALP controls from third-party services for outsourcing, DORA, and vendor governance evidence.
- Private mempool routing: Route DALP transactions through a private or encrypted mempool service and review what stays operator-owned.
- Wallet verification: Gate blockchain write operations behind PIN, TOTP, or backup-code verification.
- Bridge and cross-chain security: Review where DALP controls end and which external-route evidence operators must own.
- Stablecoin operating responsibilities: Map mint, burn, reserve, compliance, governance, and operator-owned responsibilities for stablecoins.
Compliance modules
- Compliance modules overview: See how per-asset compliance modules enforce regulated EVM token operations.
- Asset policy: Combine identity, modules, lifecycle hooks, and governance into per-asset policy.
- Country: Restrict eligibility and operations by jurisdiction.
- Identity lists: Allow or block transfer participants using identity lists.
- Address block list: Block transfer participants by EVM address.
- Identity verification: Require verified identity claims before regulated operations execute.
- Policy-based transfer controls: Configure transfer policy expressions on per-asset rules.
- Supply and investor limits: Apply supply caps and investor-count limits to an asset.
- Transfer approval: Require pre-transfer approval workflows for governed actions.
- Supply cap collateral: Tie supply caps to collateral attestations for backed assets.
- Timelock: Apply holding-period or vesting controls to regulated assets.