# Compliance and security

Source: https://docs.settlemint.com/docs/compliance-security
Choose the right DALP compliance and security guide for public-chain privacy, pre-launch review, source verification, the layered security model, and the per-asset compliance modules that enforce regulated operations.

Use this section to pick the right DALP compliance or security page before a regulated programme goes live. Start with privacy when you need to know what becomes visible on EVM networks. Start with security when you need the control model. Start with compliance modules when you need per-asset transfer rules. Start with source verification when you need deployment and audit evidence.

This is a review hub, not a legal opinion. DALP documents the platform controls and evidence surfaces. Your organisation still owns policy choices, jurisdictional approval, custody arrangements, recovery targets, and operating procedures.

For SettleMint-hosted or managed deployments, procurement and security reviewers can also use the [SettleMint Trust Center](https://trust.settlemint.com/) for security questionnaires, compliance frameworks, and governance policies. Operators can check the [SettleMint status page](https://status.settlemint.com/) for published platform availability and incident history.

<Mermaid
  chart="`
flowchart TD
Reader[&#x22;Compliance, security, or audit reviewer&#x22;] --> Privacy[&#x22;Public-chain privacy&#x22;]
Reader --> Security[&#x22;Layered security controls&#x22;]
Reader --> Modules[&#x22;Per-asset compliance modules&#x22;]
Reader --> Evidence[&#x22;Deployment evidence and audit trails&#x22;]
Privacy --> Visibility[&#x22;Visibility, ordering, patterns, pre-launch review&#x22;]
Security --> Controls[&#x22;Identity, access, wallet verification, custody split&#x22;]
Modules --> Rules[&#x22;Identity, geography, supply, approvals, collateral, timelock&#x22;]
Evidence --> Sources[&#x22;Source verification, deployment, indexed events&#x22;]
`"
/>

The pages below cover documented platform behaviour. They do not commit to regulator-specific approval, custody terms, SLA terms, or non-EVM deployment support. Treat those as organisation-specific controls unless a detail page states the DALP behaviour explicitly.

## What DALP covers [#what-dalp-covers]

DALP separates compliance and security review into four surfaces: public-chain privacy patterns, the layered security model, EVM compliance modules, and deployment evidence that lets an auditor reproduce what was deployed and what happened after.

| Area           | DALP defines                                                                                         | Your organisation defines                                                                                          |
| -------------- | ---------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ |
| Privacy        | What stays off-chain by default, the public-chain visibility model, and supported routing patterns   | Network selection, RPC and routing decisions, legal review of public disclosure, and pre-launch approval ownership |
| Security       | Identity, authentication, authorization, wallet verification, compliance, custody split, and routing | Operator role assignment, policy approvals, custody arrangements, secret rotation, and incident response           |
| Compliance     | Per-asset compliance modules for identity, geography, supply, approvals, collateral, and timelock    | Module configuration, policy thresholds, jurisdictional approvals, and review evidence                             |
| Audit evidence | Source verification, deployment auditability, indexed events, and operating-record retention model   | Retention policy, regulator-specific reporting, control testing, and escalation procedures                         |
| Exclusions     | Documented platform behaviour and supported review surfaces                                          | Legal opinions, SLA commitments, custody arrangements, and bridge or cross-chain operating decisions               |

## Pick the right path [#pick-the-right-path]

| If you need to...                                  | Start here                                                                                                | Then read                                                                                                                                                                                                                  |
| -------------------------------------------------- | --------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Decide if a regulated asset can use a public chain | [Public chain privacy](/docs/compliance-security/privacy/overview)                                        | [Public EVM visibility model](/docs/compliance-security/privacy/public-evm-visibility-model) for the chain-visible data set                                                                                                |
| Inspect what is visible on EVM networks            | [Public EVM visibility model](/docs/compliance-security/privacy/public-evm-visibility-model)              | [Transaction ordering privacy](/docs/compliance-security/privacy/transaction-ordering-privacy) for pre-confirmation exposure                                                                                               |
| Compare privacy architecture patterns              | [Privacy architecture patterns](/docs/compliance-security/privacy/architecture-patterns)                  | [Pre-launch privacy review](/docs/compliance-security/privacy/pre-launch-review) before a regulated asset goes live                                                                                                        |
| Trace deployed contracts and operating evidence    | [Source verification and deployment auditability](/docs/compliance-security/source-verification/overview) | The deployment, bytecode, upgrade, and indexed-event sections inside the same page                                                                                                                                         |
| Review the layered security control model          | [Security overview](/docs/compliance-security/security)                                                   | [Authentication](/docs/compliance-security/security/authentication), [Authorization](/docs/compliance-security/security/authorization), [Wallet verification](/docs/compliance-security/security/wallet-verification)      |
| Inspect identity and compliance evidence           | [Identity and compliance control model](/docs/compliance-security/security/identity-compliance)           | [Compliance and custody split](/docs/compliance-security/security/compliance-custody-boundary)                                                                                                                             |
| Review per-asset compliance modules                | [Asset policy](/docs/compliance-security/compliance/asset-policy)                                         | [Asset policy concept](/docs/architecture/concepts/asset-policy), [compliance modules overview](/docs/compliance-security/compliance), and the identity, country, supply, approvals, collateral, and timelock module pages |
| Review cross-chain and stablecoin trust boundaries | [Bridge and cross-chain security](/docs/compliance-security/security/bridge-cross-chain)                  | [Stablecoin operating responsibilities](/docs/compliance-security/security/stablecoin-architecture-trust-boundaries)                                                                                                       |

## Review model [#review-model]

DALP separates compliance and security review into four surfaces:

* Privacy review answers what becomes visible on EVM networks, when public-chain visibility is acceptable, and which controls belong in the deployment architecture.
* Security review inspects the layered control model: authentication, authorization, wallet verification, identity and compliance enforcement, custody split, and routing decisions.
* Compliance module review inspects the per-asset rules DALP enforces on EVM for identity, geography, supply, approvals, collateral, and holding periods.
* Audit evidence review traces deployed contracts, upgrade history, indexed events, and operating records that document what was deployed and what happened after.

Most regulated programmes go through all four. Use the privacy pages first when the network is undecided, the security pages when reviewing the platform controls, the compliance module pages when configuring per-asset policy, and the source verification page when packaging audit evidence.

## Privacy [#privacy]

<Cards>
  <Card title="Public chain privacy" href="/docs/compliance-security/privacy/overview">
    Decide what DALP keeps off-chain and which controls belong in the deployment architecture.
  </Card>

  <Card title="Public EVM visibility model" href="/docs/compliance-security/privacy/public-evm-visibility-model">
    Map the data that becomes visible on public EVM networks and the evidence that stays off-chain.
  </Card>

  <Card title="Transaction ordering privacy" href="/docs/compliance-security/privacy/transaction-ordering-privacy">
    Review pre-confirmation exposure through RPC, bundlers, builders, sequencers, and validators.
  </Card>

  <Card title="Privacy architecture patterns" href="/docs/compliance-security/privacy/architecture-patterns">
    Compare public eligibility, private evidence, permissioned networks, and metadata-minimisation patterns.
  </Card>

  <Card title="Pre-launch privacy review" href="/docs/compliance-security/privacy/pre-launch-review">
    Run the operator checklist for fields, evidence, routing, and approval owners before launch.
  </Card>
</Cards>

## Source verification and audit evidence [#source-verification-and-audit-evidence]

<Cards>
  <Card title="Source verification and deployment auditability" href="/docs/compliance-security/source-verification/overview">
    Trace deployed EVM contract systems through addresses, bytecode checks, migrations, upgrade evidence, and indexed
    events.
  </Card>
</Cards>

## Security overview [#security-overview]

<Cards>
  <Card title="Security overview" href="/docs/compliance-security/security">
    Inspect the layered control model for identity, access, wallet verification, compliance, and custody.
  </Card>

  <Card title="Authentication" href="/docs/compliance-security/security/authentication">
    Review sessions, 2FA, passkeys, and API key authentication for browser and integration callers.
  </Card>

  <Card title="Authorization" href="/docs/compliance-security/security/authorization">
    Inspect platform RBAC, organisation context, and on-chain roles for governed actions.
  </Card>

  <Card title="Identity and compliance" href="/docs/compliance-security/security/identity-compliance">
    Connect participants, wallets, OnchainID claims, trusted issuers, and module evaluation.
  </Card>

  <Card title="Compliance and custody split" href="/docs/compliance-security/security/compliance-custody-boundary">
    Separate identity and compliance decisions from custody approvals and signing policy.
  </Card>

  <Card title="Mint replay and idempotency" href="/docs/compliance-security/security/replay-idempotency-mint-controls">
    Tie EVM mint retries to one queued transaction while preserving nonce ordering and supply controls.
  </Card>

  <Card title="Vendor governance" href="/docs/compliance-security/security/vendor-governance">
    Split DALP controls from third-party services for outsourcing, DORA, and vendor governance evidence.
  </Card>

  <Card title="Private mempool routing" href="/docs/compliance-security/privacy/private-mempool-routing">
    Route DALP transactions through a private or encrypted mempool service and review what stays operator-owned.
  </Card>

  <Card title="Wallet verification" href="/docs/compliance-security/security/wallet-verification">
    Gate blockchain write operations behind PIN, TOTP, or backup-code verification.
  </Card>

  <Card title="Bridge and cross-chain security" href="/docs/compliance-security/security/bridge-cross-chain">
    Review where DALP controls end and which external-route evidence operators must own.
  </Card>

  <Card title="Stablecoin operating responsibilities" href="/docs/compliance-security/security/stablecoin-architecture-trust-boundaries">
    Map mint, burn, reserve, compliance, governance, and operator-owned responsibilities for stablecoins.
  </Card>
</Cards>

## Compliance modules [#compliance-modules]

<Cards>
  <Card title="Compliance modules overview" href="/docs/compliance-security/compliance">
    See how per-asset compliance modules enforce regulated EVM token operations.
  </Card>

  <Card title="Asset policy" href="/docs/compliance-security/compliance/asset-policy">
    Combine identity, modules, lifecycle hooks, and governance into per-asset policy.
  </Card>

  <Card title="Country" href="/docs/compliance-security/compliance/country">
    Restrict eligibility and operations by jurisdiction.
  </Card>

  <Card title="Identity lists" href="/docs/compliance-security/compliance/identity-lists">
    Allow or block transfer participants using identity lists.
  </Card>

  <Card title="Address block list" href="/docs/compliance-security/compliance/address-block-list">
    Block transfer participants by EVM address.
  </Card>

  <Card title="Identity verification" href="/docs/compliance-security/compliance/identity-verification">
    Require verified identity claims before regulated operations execute.
  </Card>

  <Card title="Policy-based transfer controls" href="/docs/compliance-security/compliance/policy-based-transfer-controls">
    Configure transfer policy expressions on per-asset rules.
  </Card>

  <Card title="Supply and investor limits" href="/docs/compliance-security/compliance/supply-investor-limits">
    Apply supply caps and investor-count limits to an asset.
  </Card>

  <Card title="Transfer approval" href="/docs/compliance-security/compliance/transfer-approval">
    Require pre-transfer approval workflows for governed actions.
  </Card>

  <Card title="Supply cap collateral" href="/docs/compliance-security/compliance/supply-cap-collateral">
    Tie supply caps to collateral attestations for backed assets.
  </Card>

  <Card title="Timelock" href="/docs/compliance-security/compliance/timelock">
    Apply holding-period or vesting controls to regulated assets.
  </Card>
</Cards>
