Security comes first, always
Protecting our customers’ digital assets is foundational to everything that we do at Bakkt. Bakkt employs enterprise security capabilities that protect Intercontinental Exchange’s thirteen exchanges around the world, including the New York Stock Exchange.
The emerging digital asset category brings with it a complex threat landscape. Bakkt practices strict verification of all technologies and people before granting access to any portion of the business. This allows Bakkt to defend against external and internal threats and to protect against human error.
Bakkt stores client private keys on hardened systems in cold storage and on FIPS 140-2 level 3 HSMs in warm storage. Systems are sourced using approved procurement processes that address supply chain risk. Bakkt-developed applications and those procured from external vendors are required to support multifactor authentication and are centrally controlled by a full-time, 24x7 cybersecurity team. All Bakkt-managed devices (e.g., servers, laptops, network devices, mobile devices) have extensive security controls to prevent unauthorized access, limit authorized access, and safeguard against local and remote attacks.
Regular penetration tests are conducted, including external, internal, and physical evaluations of all operations facilities. For the continuous improvement of our security and operational processes, Bakkt proactively seeks input from partners and law enforcement agencies.
Warm storage
- Stores a small balance of bitcoin held in the Bakkt Warehouse
- Private keys are created and stored on FIPS 140-2 level 3 hardware security modules (HSMs), and no individual has access to private key material
- Network-connected, but all withdrawal requests are received, verified, and processed by dedicated staff located in multiple geographies; requests are validated, both manually and systematically, against a policy ruleset that controls for parameters such as amount, destination, and velocity of transactions
- 24x7 on-site, armed security
- Advanced insider threat and anti-collusion controls
Cold storage
- The majority of bitcoin stored in the Bakkt Warehouse is offline
- Systems are air-gapped and stored in bank-grade vaults with sophisticated physical security controls
- Wallet keys are sharded and encrypted at creation, with multiple key shards needed to sign a single transaction
- Geographically distributed multi-signature transaction operations
- Segregation of duties between internal teams
- 24x7 on-site, armed security
At Bakkt, the protection and secure recoverability of cryptographic material is a core competency. Bakkt has robust controls for Disaster Recovery (DR) and Business Continuity Planning (BCP), which help prepare for the restoration of normal services as quickly as possible in the event of a service outage due to unforeseen circumstances or a physical disaster. The Bakkt Warehouse is fully supported in both the primary and backup facilities and can operate independently of the location of ICE trading and clearing systems.