Trust Centre
Security you can check, not just claims.
We hold ourselves to the standard a regulated lender should meet, and we'd rather show you what's true today than promise what isn't. Everything in the first section below is live now and independently verifiable. The second section is what we are working toward, stated honestly as a roadmap, not as a credential we already hold.
In place today
Tamper-evident loan ledger
Every loan event is written to an append-only hash chain: each record commits to the hash of the one before it, so altering any past record breaks every link after it. You receive a receipt for each event and can verify it yourself, in your own browser, against our published Ed25519-signed checkpoint. Don't trust, verify.
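The hash-chain property described above, as an added Node.js example that is not Reserve's code or receipt format: it shows why an in-place edit is caught at the altered record, and why a full rewrite of later records is only caught by the Ed25519-signed checkpoint. The record fields, the all-zero genesis value, the `size:head` checkpoint message and the sample loan events are assumptions constructed for illustration.

```javascript
// Added example. Record layout, "size:head" checkpoint message and sample
// events are assumptions/constructed, not Reserve's actual receipt format.
const crypto = require("crypto");

const GENESIS = "0".repeat(64);
const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");
// A record's hash commits to the previous hash and its own payload.
// JSON.stringify is key-order sensitive; a real format needs canonical encoding.
const recordHash = (prev, payload) => sha256(prev + "\n" + JSON.stringify(payload));

function buildChain(payloads) {
  const chain = [];
  let prev = GENESIS;
  for (const payload of payloads) {
    const hash = recordHash(prev, payload);
    chain.push({ prev, payload, hash });
    prev = hash;
  }
  return chain;
}

function signCheckpoint(chain, privateKey) {
  const size = chain.length, head = chain[size - 1].hash;
  return { size, head, sig: crypto.sign(null, Buffer.from(`${size}:${head}`), privateKey) };
}

// Verify the signature first, then recompute every link up to the signed head.
function verifyChain(chain, cp, publicKey) {
  if (!crypto.verify(null, Buffer.from(`${cp.size}:${cp.head}`), publicKey, cp.sig))
    return { ok: false, reason: "bad checkpoint signature" };
  if (chain.length !== cp.size) return { ok: false, reason: "length mismatch" };
  let prev = GENESIS;
  for (let i = 0; i < chain.length; i++) {
    const r = chain[i];
    if (r.prev !== prev) return { ok: false, reason: "broken link", index: i };
    if (recordHash(r.prev, r.payload) !== r.hash) return { ok: false, reason: "record altered", index: i };
    prev = r.hash;
  }
  return prev === cp.head ? { ok: true } : { ok: false, reason: "head mismatch" };
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const events = [{ loan: "L-1", event: "opened", amount: 5000 },
                  { loan: "L-1", event: "repayment", amount: 1200 },
                  { loan: "L-1", event: "closed", amount: 0 }];
  const chain = buildChain(events);
  const cp = signCheckpoint(chain, privateKey);
  const edited = JSON.parse(JSON.stringify(chain));
  edited[1].payload.amount = 12; // edit one record in place, hashes untouched
  const rewritten = buildChain(events.map((e, i) => (i === 1 ? { ...e, amount: 12 } : e)));
  return { honest: verifyChain(chain, cp, publicKey),
           edited: verifyChain(edited, cp, publicKey),
           rewritten: verifyChain(rewritten, cp, publicKey) };
}
```

The `rewritten` case is internally consistent from the first record to the last, so only the comparison against the signed head hash exposes it.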
Verifiable reserve register (beta)
Every borrower's collateral is committed to a signed Merkle root we publish. You can confirm, in your own browser, that your holdings are counted in the published total, with nothing omitted or understated. Independent custodian attestation that the assets are held in full is the complementary step (see roadmap).
Two-factor authentication
Every borrower account can enrol app-based two-factor authentication (TOTP, RFC 6238). Codes are required at every sign-in and at any change to the security factor itself.
Hardened transport & headers
HSTS with preload, a strict Content-Security-Policy, clickjacking and MIME-sniffing protections, and a tight permissions policy are enforced on every response. They are present in any HTTP response and checkable with a public header scanner such as securityheaders.com.
Segregated, non-rehypothecated custody
Reserve does not custody assets itself. Collateral is held by third-party, FCA-regulated custodians in segregated, per-borrower wallets, governed by a tri-party account control deed between the borrower, the custodian and Reserve. It is never pooled or rehypothecated, and beneficial ownership is retained by the borrower.
Responsible disclosure programme
A published vulnerability disclosure policy with safe harbour for good-faith research, a machine-readable security.txt (RFC 9116), and a monitored security inbox.
Auditable access controls
Rate-limited authentication and an append-only log of administrative actions. How we handle personal data is described concretely in our privacy notice.
No third-party trackers
No analytics, advertising, or third-party tracking cookies. The site sets only the strictly necessary cookies listed in our cookie policy, and nothing about you is shared with an ad network.
On the roadmap
Targeted around our FCA authorisation timeline. We will publish each item here when it is independently confirmed, and not before.
Public Bitcoin anchoring
Each ledger checkpoint is signed with an Ed25519 key today. Next, we will anchor each checkpoint's head hash to the Bitcoin blockchain, so the existence and order of records is provable against an independent public timestamp, not just our signature.
SOC 2 Type II
Independent attestation of our security, availability and confidentiality controls over time. Type I (point-in-time) first, then Type II (operating-effectiveness over a monitoring window). We will name the auditor and cite the AICPA attestation standard when it is complete.
ISO 27001
Certification of a formal Information Security Management System against the international standard.
Cyber Essentials Plus
The UK government-backed, independently-tested baseline for cyber hygiene.
Independent penetration testing
Regular CREST-accredited penetration tests, with summary results shared with counterparties under NDA.
Custodian asset attestation
Independent attestation from our custodians that the pledged collateral is held in full, completing proof-of-reserves on the asset side to match the verifiable reserve register that is already live above. When live, we will name the attesting firm, date each attestation, and cite the standard it is performed under.
Report a vulnerability
Found something? We want to hear from you, and we offer safe harbour for good-faith research. See our disclosure policy or email security@reservebtc.co.
Bitcoin Asset Reserve Ltd is not currently authorised or registered by the Financial Conduct Authority; we intend to apply when the FCA's cryptoasset gateway opens. The roadmap items above are planned, not yet held. Cryptoassets are not protected by the Financial Services Compensation Scheme.