Security model

Predicate enforces compliance through a scoped onchain role, not custody. You grant a role that authorizes freeze/block actions and nothing else; the signer can exercise only that role, and you can revoke it in a single transaction. This page covers the controls around that signer and the guarantees on enforcement delivery.
Security and engineering teams evaluating Predicate can request additional detail under NDA — covering key management, runtime hardening, and our threat model. The following is meant to be a high-level overview.

Onchain authorization

  • Scope. Predicate never holds asset-admin keys. Enforcement runs through the role you grant — FREEZE_MANAGER_ROLE on EVM, blocker on Stellar.
  • Bounded authority. The role authorizes only freeze/unfreeze and block/unblock. It cannot mint, burn, transfer, upgrade, or reassign roles. A full compromise of Predicate’s signer is therefore bounded to enforcement actions (freeze/unfreeze or block/unblock) — it cannot move, issue, or reassign the asset.
  • Revocation. Authorization is revocable in a single transaction and verifiable on your own contract.
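The shape of a scoped role like the one described above, as an added illustration rather than Predicate's deployed contract: an ERC-20 built on OpenZeppelin Contracts v5 where FREEZE_MANAGER_ROLE (the role name on this page) guards only freeze/unfreeze, supply control sits behind a separate MINTER_ROLE, and role administration stays with the issuer. The contract name, event names, MINTER_ROLE and the token name are assumptions for the example; the Stellar blocker role is not shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative contract, not Predicate's code. FREEZE_MANAGER_ROLE comes from
// the security-model page; the contract name, MINTER_ROLE, the events and the
// token metadata are assumed for this example. Targets OpenZeppelin v5, where
// every balance change (transfer, mint, burn) passes through _update.
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
import {AccessControl} from "@openzeppelin/contracts/access/AccessControl.sol";

contract FreezableToken is ERC20, AccessControl {
    bytes32 public constant FREEZE_MANAGER_ROLE = keccak256("FREEZE_MANAGER_ROLE");
    bytes32 public constant MINTER_ROLE = keccak256("MINTER_ROLE");

    mapping(address => bool) public frozen;

    // Onchain half of the audit trail: who froze whom, recoverable from logs.
    event Frozen(address indexed account, address indexed by);
    event Unfrozen(address indexed account, address indexed by);

    error AccountFrozen(address account);

    constructor(address issuer) ERC20("Example Asset", "EXA") {
        // The issuer keeps DEFAULT_ADMIN_ROLE, which is the admin of every
        // role here, so only the issuer can grant or revoke FREEZE_MANAGER_ROLE.
        _grantRole(DEFAULT_ADMIN_ROLE, issuer);
        _grantRole(MINTER_ROLE, issuer);
    }

    // The only two entry points an enforcement signer can reach.
    function freeze(address account) external onlyRole(FREEZE_MANAGER_ROLE) {
        frozen[account] = true;
        emit Frozen(account, msg.sender);
    }

    function unfreeze(address account) external onlyRole(FREEZE_MANAGER_ROLE) {
        frozen[account] = false;
        emit Unfrozen(account, msg.sender);
    }

    // Issuance stays with the issuer; a compromised freeze key cannot mint.
    function mint(address to, uint256 amount) external onlyRole(MINTER_ROLE) {
        _mint(to, amount);
    }

    // One check covers transfers, mints and burns to or from a frozen address.
    function _update(address from, address to, uint256 value) internal virtual override {
        if (frozen[from]) revert AccountFrozen(from);
        if (frozen[to]) revert AccountFrozen(to);
        super._update(from, to, value);
    }
}
```

With this layout the issuer grants the role with `grantRole(FREEZE_MANAGER_ROLE, signer)` and revokes it with `revokeRole(FREEZE_MANAGER_ROLE, signer)`, each a single transaction. Anyone can confirm the bound on the contract itself: `hasRole(FREEZE_MANAGER_ROLE, signer)` shows whether the grant is live, and `getRoleAdmin(FREEZE_MANAGER_ROLE)` returning `DEFAULT_ADMIN_ROLE` confirms the signer cannot extend or reassign its own role. Neither `transfer`, `mint` nor role administration consults FREEZE_MANAGER_ROLE, so the worst case for a compromised enforcement key is an unwanted freeze or unfreeze, which the issuer reverses after revoking the role.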

Key management

  • Multi-factor protection. Signing keys are protected by multiple independent factors; no single operator can produce a signature.
  • No human access. Keys are never exposed to human operators in the course of operations.

Infrastructure and access

  • Isolation. Signing is isolated from application services behind independent controls; no single compromised component can produce a signed transaction.
  • Least privilege. Production access is scoped, logged, periodically reviewed, and revoked on offboarding.
  • Release process. Changes are peer-reviewed and built by CI, not developer machines. Production deploys require explicit human approval; no individual can deploy to production unilaterally.
  • External assessment. Security posture is validated through ongoing internal review and independent third-party assessment.

Delivery and availability

  • Retry. Enforcement actions are retried automatically on failure; contracts that persistently fail are surfaced and acted on.
  • Redundant endpoints. Multiple RPC endpoints maintain enforcement through provider outages.
  • Failover. The signing service is designed to survive infrastructure failure with tested failover.

Audit trail

Every enforcement action is recorded — source, wallet, transaction hash, and outcome — as an append-only log retained for regulatory or law enforcement review and surfaced in the dashboard.