Compliance & Certifications
KryptoGO is a Taiwan-licensed VASP, ISO 27001 and ISO 27701 certified, SOC 2 Type II examined, and independently security-audited by Cure53. Partners inherit this posture without having to build their own.
What we hold today
| Credential | Scope | Status |
|---|---|---|
| Taiwan VASP registration | Virtual Asset Service Provider operating under Taiwan’s anti-money-laundering framework | Active |
| ISO/IEC 27001 | Information Security Management System — the international standard for how a company protects information assets | Certified |
| ISO/IEC 27701 | Privacy Information Management System — the international standard for personal-data handling, building on ISO 27001 | Certified — KryptoGO was the first blockchain company in Taiwan to hold both ISO 27001 and ISO 27701 |
| SOC 2 Type II | American Institute of CPAs framework covering security, availability, processing integrity, confidentiality, and privacy controls — Type II covers operating effectiveness over time, not just design | Examination completed |
| Cure53 independent audit | Black-box and white-box security audit by Cure53, a Berlin-based security research firm | Completed |
These credentials are visible publicly on www.kryptogo.tw and on our compliance trust portal at trust.kryptogo.com.
What this means in practice for a partner
A partner integrating with KryptoGO inherits a compliance posture that would otherwise take 18 to 24 months and a dedicated security team to build:
- Customer data is encrypted at the application layer, not just at rest. Personally identifiable information stored in our compliance database lives in dedicated encrypted columns, not in plaintext.
- All API traffic uses TLS 1.2 or higher, both for partner-facing endpoints and for our own service-to-service calls.
- Wallet private keys are protected by a managed key vault. Plaintext private keys are never stored. For embedded self-custody wallets, the additional Shamir’s-Secret-Sharing layer means no single party — not even KryptoGO — can reconstruct the full key.
- Quarterly access reviews are run against all production systems. Multi-factor authentication is enforced for every administrator account. Source-code changes to authentication, payment, and key-management directories require designated-reviewer sign-off via a CODEOWNERS policy.
- Independent third-party penetration testing runs at least annually, in addition to the Cure53 audit referenced above.
- Incident response is documented and rehearsed. Reportable security incidents and personally-identifiable-information breaches follow a five-step procedure (report, assess, contain, correct, escalate) with defined timelines.
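The Shamir's-Secret-Sharing property referenced above (fewer than the threshold number of shares reveal nothing about the key) as an added illustration, not KryptoGO's own implementation; the 2-of-3 split, the prime field and the 256-bit sample key are assumptions, since the page does not state the scheme's parameters.

```python
import itertools
import secrets

# Mersenne prime 2**521 - 1: a public field modulus larger than any 256-bit key.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of sum(coeffs[i] * x**i) mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, total):
    """Split an integer secret into `total` shares; any `threshold` of them recover it."""
    if not 1 < threshold <= total:
        raise ValueError("need 1 < threshold <= total")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must lie in the field")
    # The secret is the constant term; the other threshold-1 coefficients are random,
    # so any threshold-1 shares are consistent with every possible secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, total + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the given (x, y) shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def threshold_holds(threshold=2, total=3):
    """True if every `threshold` subset recovers the key and no smaller subset does (2-of-3 is assumed)."""
    key = secrets.randbits(256)  # constructed 256-bit wallet key, not a real one
    shares = split_secret(key, threshold, total)
    enough = all(recover_secret(list(c)) == key
                 for c in itertools.combinations(shares, threshold))
    too_few = all(recover_secret(list(c)) != key
                  for c in itertools.combinations(shares, threshold - 1))
    return enough and too_few
```

In a custody deployment each share would be held by a different party, so the key exists in full only transiently, on the device that combines a threshold of shares.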
KYC, KYB, and AML
We operate KYC and KYB workflows for partners who need to onboard end users or business customers under regulated terms.
| Capability | What it covers |
|---|---|
| Individual KYC | Identity-document capture, biometric liveness, and policy-driven decision routing. Powered by leading IDV (identity verification) providers. |
| Business KYB | Beneficial-owner identification, ultimate-beneficial-owner (UBO) KYC, business-document capture, sanctions screening of corporate entities, optional internal compliance review. |
| Sanctions and PEP screening | Inline screening of end users and counter-party addresses against major sanctions lists (OFAC, Dow Jones-curated PEP and sanctions data, and others) on every onboarding event and on every flagged transaction. |
| Address-level AML risk scoring | On-chain wallet-address risk scoring inline with payment acceptance; configurable per-organisation policy. |
| Travel Rule | Domestic Travel Rule compliance has been approved by the relevant Taiwan oversight body. Cross-border Travel Rule support is expanding alongside regulator guidance in partner jurisdictions. |
A partner integrating our payment or treasury surfaces does not need to procure a separate KYC vendor or sanctions-screening service — those are built in.
Information Security Management System
We operate a four-tier ISMS document hierarchy in line with ISO 27001:
- Tier 1 — Policy. Information Security & Privacy Policy and the ISMS Handbook.
- Tier 2 — Procedures. Incident management, internal audit, risk management, corrective actions, and business continuity procedures.
- Tier 3 — Standards. Access control, key management, system development, HR security, and communications security standards.
- Tier 4 — Records & Forms. Org chart, incident report forms, access records, account-change requests, firewall rules.
Documents are managed on the Vanta compliance platform and are made available to partners during procurement under NDA.
Audit cadence
| Activity | Frequency |
|---|---|
| ISO 27001 / 27701 external surveillance audit | Annual |
| ISMS internal audit | Annual |
| Access reviews (production systems and admin consoles) | Quarterly |
| Risk assessments | Annual |
| Business-continuity and disaster-recovery tests | Annual |
| Policy reviews | Annual |
| Independent penetration test | Annual, plus event-driven (after major architecture changes) |
Documents available on request
- Cure53 security audit summary
- SOC 2 Type II report
- ISO 27001 and ISO 27701 certificates
- ISMS policy summary
- DPIA template
- Subprocessor list
- Travel Rule policy
Send a request through your KryptoGO partner contact, or reach our compliance team via the address on www.kryptogo.tw.
Where to go next
- See Custody Options for how the security posture translates to where private keys live.
- See KYB/KYC Workflow for the use-case page.
- See Architecture Overview for how compliance controls fit into the wider system.