# Compliance and security

Source: https://docs.settlemint.com/docs/compliance-security
Choose the right DALP compliance and security guide for public-chain privacy,
pre-launch review, source verification, the layered security model, and the
per-asset compliance modules that enforce regulated operations.




Each DALP compliance or security topic answers a specific reviewer question. Open with privacy when you need to know what becomes visible on EVM networks. Turn to security when you need the control model. Use compliance modules when you need per-asset transfer rules. Use source verification when you need deployment and audit evidence.

This page is a navigation hub, not a legal opinion. DALP documents the platform controls and evidence surfaces. Your organisation still owns policy choices, jurisdictional approvals, custody arrangements, recovery targets, and operating procedures.

Security and procurement reviewers on SettleMint-hosted or managed deployments can also use the [SettleMint Trust Center](https://trust.settlemint.com/) for security questionnaires, compliance frameworks, and governance policies. Operators can check the [SettleMint status page](https://status.settlemint.com/) for published platform availability and incident history.

<Mermaid
  chart="`
flowchart TD
Reader[&#x22;Compliance, security, or audit reviewer&#x22;] --> Privacy[&#x22;Public-chain privacy&#x22;]
Reader --> Security[&#x22;Layered security controls&#x22;]
Reader --> Modules[&#x22;Per-asset compliance modules&#x22;]
Reader --> Evidence[&#x22;Deployment evidence and audit trails&#x22;]
Privacy --> Visibility[&#x22;Visibility, ordering, patterns, pre-launch review&#x22;]
Security --> Controls[&#x22;Identity, access, wallet verification, custody split&#x22;]
Modules --> Rules[&#x22;Identity, geography, supply, approvals, collateral, timelock&#x22;]
Evidence --> Sources[&#x22;Source verification, deployment, indexed events&#x22;]
`"
/>

The pages below cover documented platform controls. They do not commit to regulator-specific approval, custody terms, SLA terms, or non-EVM deployment support. Treat those as organisation-specific controls unless a detail page states the DALP position explicitly.

## What DALP covers [#what-dalp-covers]

DALP organises compliance and security review into four surfaces: public-chain privacy patterns, the layered security controls, EVM compliance modules, and deployment records that let an auditor reproduce what was deployed and what happened after.

| Area           | DALP defines                                                                                         | Your organisation defines                                                                                           |
| -------------- | ---------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- |
| Privacy        | What stays off-chain by default, the public-chain visibility model, and supported routing patterns   | Network selection, RPC, and routing decisions, legal review of public disclosure, and pre-launch approval ownership |
| Security       | Identity, authentication, authorization, wallet verification, compliance, custody split, and routing | Operator role assignment, policy approvals, custody arrangements, secret rotation, and incident response            |
| Compliance     | Per-asset compliance modules for identity, geography, supply, approvals, collateral, and timelock    | Module configuration, policy thresholds, jurisdictional approvals, and review evidence                              |
| Audit evidence | Source verification, deployment auditability, indexed events, and operating-record retention model   | Retention policy, regulator-specific reporting, control testing, and escalation procedures                          |
| Exclusions     | Documented platform behaviour and supported review surfaces                                          | Legal opinions, SLA commitments, custody arrangements, and bridge or cross-chain operating decisions                |

## Pick the right path [#pick-the-right-path]

| If you need to...                                  | Start here                                                                                                | Then read                                                                                                                                                                                                                  |
| -------------------------------------------------- | --------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Decide if a regulated asset can use a public chain | [Public chain privacy](/docs/compliance-security/privacy/overview)                                        | [Public EVM visibility model](/docs/compliance-security/privacy/public-evm-visibility-model) for the chain-visible data set                                                                                                |
| Inspect what is visible on EVM networks            | [Public EVM visibility model](/docs/compliance-security/privacy/public-evm-visibility-model)              | [Transaction ordering privacy](/docs/compliance-security/privacy/transaction-ordering-privacy) for pre-confirmation exposure                                                                                               |
| Compare privacy architecture patterns              | [Privacy architecture patterns](/docs/compliance-security/privacy/architecture-patterns)                  | [Pre-launch privacy review](/docs/compliance-security/privacy/pre-launch-review) before a regulated asset goes live                                                                                                        |
| Trace deployed contracts and operating evidence    | [Source verification and deployment auditability](/docs/compliance-security/source-verification/overview) | The deployment, bytecode, upgrade, and indexed-event sections inside the same page                                                                                                                                         |
| Review the layered security control model          | [Security overview](/docs/compliance-security/security)                                                   | [Authentication](/docs/compliance-security/security/authentication), [Authorization](/docs/compliance-security/security/authorization), [Wallet verification](/docs/compliance-security/security/wallet-verification)      |
| Inspect identity and compliance evidence           | [Identity and compliance control model](/docs/compliance-security/security/identity-compliance)           | [Compliance and custody split](/docs/compliance-security/security/compliance-custody-boundary)                                                                                                                             |
| Review per-asset compliance modules                | [Asset policy](/docs/compliance-security/compliance/asset-policy)                                         | [Asset policy concept](/docs/architecture/concepts/asset-policy), [compliance modules overview](/docs/compliance-security/compliance), and the identity, country, supply, approvals, collateral, and timelock module pages |
| Review cross-chain and stablecoin trust boundaries | [Bridge and cross-chain security](/docs/compliance-security/security/bridge-cross-chain)                  | [Stablecoin operating responsibilities](/docs/compliance-security/security/stablecoin-architecture-trust-boundaries)                                                                                                       |

## Review model [#review-model]

The four review surfaces break down as follows:

* Privacy review answers what becomes visible on EVM networks, when public-chain visibility is acceptable, and which controls belong in the deployment architecture.
* Security review inspects the layered control model: authentication, authorization, wallet verification, identity enforcement, compliance enforcement, custody split, and routing. Start here when evaluating access controls or signer permissions.
* Compliance module review covers the per-asset rules DALP enforces on EVM. These include identity and geography restrictions, supply caps, transfer approvals, collateral requirements, and holding periods.
* Audit evidence review traces deployed contracts, upgrade history, indexed events, and operating records that document what was deployed and what happened after.

Most regulated programmes go through all four. Start with the privacy pages when the network is undecided, move to the security controls when reviewing platform access, open the compliance module pages when configuring per-asset policy, and use the source verification page when packaging audit records.

## Privacy [#privacy]

Use these pages to decide what becomes visible on a public EVM network, select an appropriate architecture pattern, and satisfy a pre-launch review checklist.

<Cards>
  <Card title="Public chain privacy" href="/docs/compliance-security/privacy/overview">
    Decide what DALP keeps off-chain and which controls belong in the deployment architecture.
  </Card>

  <Card title="Public EVM visibility model" href="/docs/compliance-security/privacy/public-evm-visibility-model">
    Map the data that becomes visible on public EVM networks and the evidence that stays off-chain.
  </Card>

  <Card title="Transaction ordering privacy" href="/docs/compliance-security/privacy/transaction-ordering-privacy">
    Review how transactions become visible before confirmation across the full pre-confirmation path from RPC endpoints through bundlers and builders to sequencers and validators. Use this page when a regulated asset runs on a public network without a private mempool.
  </Card>

  <Card title="Privacy architecture patterns" href="/docs/compliance-security/privacy/architecture-patterns">
    Compare public eligibility, private evidence, permissioned networks, and metadata-minimisation patterns. Choose a pattern before selecting a network for a regulated asset.
  </Card>

  <Card title="Pre-launch privacy review" href="/docs/compliance-security/privacy/pre-launch-review">
    Run the operator pre-launch checklist covering field exposure, evidence packaging, routing decisions, and approval ownership.
  </Card>
</Cards>

## Source verification and audit evidence [#source-verification-and-audit-evidence]

Use this page to trace deployed EVM contracts, reproduce bytecode, and assemble deployment records for an auditor.

<Cards>
  <Card title="Source verification and deployment auditability" href="/docs/compliance-security/source-verification/overview">
    Trace deployed EVM contract systems through addresses, bytecode checks, migrations, upgrade evidence, and indexed
    events.
  </Card>
</Cards>

## Security overview [#security-overview]

These pages cover the layered control model. A security or procurement reviewer typically starts at the overview, then drills into authentication and authorization before examining the custody split.

<Cards>
  <Card title="Security overview" href="/docs/compliance-security/security">
    Inspect the layered control model covering identity, access controls, wallet verification, compliance enforcement, and custody.
  </Card>

  <Card title="Authentication" href="/docs/compliance-security/security/authentication">
    Review how the platform authenticates both browser callers and server-to-server integration clients through session tokens, passkeys, 2FA flows, and API key credentials.
  </Card>

  <Card title="Authorization" href="/docs/compliance-security/security/authorization">
    Inspect platform RBAC, organisation context, and on-chain roles for restricted operations.
  </Card>

  <Card title="Identity and compliance" href="/docs/compliance-security/security/identity-compliance">
    Connect participants, wallets, OnchainID claims, trusted issuers, and module evaluation.
  </Card>

  <Card title="Compliance and custody split" href="/docs/compliance-security/security/compliance-custody-boundary">
    Separate identity and compliance decisions from custody approvals and signing policy. Operators and auditors use this page to map which party owns each control.
  </Card>

  <Card title="Mint replay and idempotency" href="/docs/compliance-security/security/replay-idempotency-mint-controls">
    Tie EVM mint retries to a single queued transaction so supply limits hold even when a transaction is resubmitted. The platform preserves nonce ordering and supply controls across retries.
  </Card>

  <Card title="Vendor governance" href="/docs/compliance-security/security/vendor-governance">
    Split DALP controls from third-party services. Use this page for outsourcing reviews, DORA compliance, and vendor governance evidence.
  </Card>

  <Card title="Private mempool routing" href="/docs/compliance-security/privacy/private-mempool-routing">
    Route DALP transactions through a private or encrypted mempool service. This page identifies which routing decisions stay operator-owned.
  </Card>

  <Card title="Wallet verification" href="/docs/compliance-security/security/wallet-verification">
    Gate blockchain write operations behind PIN, TOTP, or backup-code verification.
  </Card>

  <Card title="Bridge and cross-chain security" href="/docs/compliance-security/security/bridge-cross-chain">
    Review where DALP controls end and which external-route evidence operators must own. Use this page before any cross-chain deployment.
  </Card>

  <Card title="Stablecoin operating responsibilities" href="/docs/compliance-security/security/stablecoin-architecture-trust-boundaries">
    Map which party owns each stablecoin responsibility. Covers minting and burning, reserve management, compliance decisions, governance choices, and which controls the operator must hold directly.
  </Card>
</Cards>

## Compliance modules [#compliance-modules]

Each page below covers a module that the platform enforces on-chain. Operators configure these modules per asset to control who can hold and transfer tokens.

<Cards>
  <Card title="Compliance modules overview" href="/docs/compliance-security/compliance">
    See how per-asset compliance modules enforce regulated EVM token operations. Start here before configuring individual modules.
  </Card>

  <Card title="Asset policy" href="/docs/compliance-security/compliance/asset-policy">
    Combine identity, modules, lifecycle hooks, and governance into per-asset policy.
  </Card>

  <Card title="Country" href="/docs/compliance-security/compliance/country">
    Restrict eligibility and operations by jurisdiction. The platform evaluates country claims on every regulated operation.
  </Card>

  <Card title="Identity lists" href="/docs/compliance-security/compliance/identity-lists">
    Allow or block transfer participants using identity lists.
  </Card>

  <Card title="Address block list" href="/docs/compliance-security/compliance/address-block-list">
    Block transfer participants by EVM address.
  </Card>

  <Card title="Identity verification" href="/docs/compliance-security/compliance/identity-verification">
    Require verified identity claims before regulated operations execute. The platform blocks the operation until the issuer confirms the claim.
  </Card>

  <Card title="Policy-based transfer controls" href="/docs/compliance-security/compliance/policy-based-transfer-controls">
    Configure transfer policy expressions on per-asset rules.
  </Card>

  <Card title="Supply and investor limits" href="/docs/compliance-security/compliance/supply-investor-limits">
    Apply supply caps and investor-count limits to an asset. Both limits are enforced at the contract layer on every mint and transfer.
  </Card>

  <Card title="Transfer approval" href="/docs/compliance-security/compliance/transfer-approval">
    Require pre-transfer approval workflows for restricted transfers. The platform holds the transfer until an authorised approver confirms.
  </Card>

  <Card title="Supply cap collateral" href="/docs/compliance-security/compliance/supply-cap-collateral">
    Tie supply caps to collateral attestations for backed assets.
  </Card>

  <Card title="Timelock" href="/docs/compliance-security/compliance/timelock">
    Apply holding-period or vesting controls to regulated assets.
  </Card>
</Cards>
