Secure infrastructure for world-class products

We’re trusted to onboard millions of users to their favorite products. We sweat the details so you can operate securely.

Independently audited

Battle-tested and retested

A secure stack must be designed for failures. Privy works with security experts to review and threat model all systems and infrastructure. Our infrastructure has gone through several rounds of security reviews and pentests, and we undergo these reviews on a regular basis to surface and address new issues.

Designed for user control

Self-custodial architecture

Whether they connect with third-party wallets or leverage embedded wallets, your users’ keys are their own. All Privy architecture is designed to be self-custodial, meaning only your user can access their private keys, and they must always be present to take action with their assets.

Robust infrastructure

Built on a secure cloud

Privy leverages best-in-class infrastructure to secure all user data. We run on Amazon Web Services (AWS). All data is encrypted at rest via AES-256-GCM and transferred encrypted using HTTPS/TLS 1.2. We leverage modern key management systems to encrypt and tokenize sensitive information so it can only be accessed by authorized parties.

OPSEC included

Defense in depth

All engineering is security engineering at Privy. We build layered security measures into our product, infrastructure, and operational work. Product and architecture design starts with threat modeling all systems and infrastructure - we set security requirements hand-in-hand with product requirements. In our implementation, we maintain strict review, CI/CD, and isolate access to data by least-privilege.

Product security

Read more about how Privy works. Audits available to enquiring customers.

Secure authentication

Privy leverages industry best practices around secure authentication. We verify accounts with short-lived one-time codes enforcing rate limits, and request origins. Access tokens are JWTs signed by Ed25519 keys specific to your app.

Data access and encryption

All traffic is encrypted with TLS >= 1.2 and HSTS and is routed through Cloudflare. Services are run in private VPCs on AWS. All API requests must be authenticated with an API secret.

Key management

At wallet creation, an isolated iframe generates a keypair with 128 bits of entropy chosen at random using a CSPRNG, and converting these via BIP-39. Private keys are split using Shamir’s Secret Sharing. The full private key is never persisted anywhere so only the user can access it.

Progressive defenses

We know wallets are not one-size-fits-all. We set strong standards and enable users to upgrade systems to match their needs. Users can layer on defenses like linking additional sign-in methods and adding auth and transaction MFA to their accounts as their assets grow in value.

Vulnerability disclosure

We want to work with security researchers

Think you’ve found something? We’d like to hear from you. Want to get access to our BBP? Reach out to for an invite.

Submit a Vulnerability Report

Ask us about our audits

Privy works with internal stakeholders, advisors and third-party auditors and pentesters on our security posture. Our work here is never done and we are continually improving our systems to meet an evolving threat landscape.

Cure53 logo

Cryptography audit

February 2023

Status: Complete
Zellic logo

Cryptography audit

June 2023

Status: Complete
SOC 2 Type I logo
SOC 2 Type I

Soc 2 Attestation

May 2024

Status: Complete
SOC 2 Type II logo
SOC 2 Type II

Soc 2 Attestation

December 2024

Status: In progress
SwordBytes logo


December 2023

Status: Complete
Doyensec logo

Infrastructure Audit

February 2024

Status: Complete
Backed by
  • Paradigm
  • Sequoia
  • BlueYard
  • Electric Capital
  • Archetype
  • Protocol Labs
And many more