Trust & security
Security you can audit.
Fintech is Your-Money-Your-Life territory, so we build for it: passkey auth, MPC custody, sanctions screening, and open-source code you can read yourself.
How we protect you
Passkey authentication
Sign-in and signing use WebAuthn passkeys bound to the site origin — phishing-resistant by design, with no password to steal.
Learn more →2-of-2 MPC custody
The signing key is split via multi-party computation, so no single device or party can move funds alone. No seed phrase exists to leak.
Learn more →Sanctions screening
Both sides of every payment are screened against sanctions lists before settlement.
Learn more →Travel Rule support
Originator/beneficiary data is supported for transfers that require it under FATF guidance.
Learn more →MiCA-aware design
EURC auto-swap and jurisdiction handling are built for EU compliance under MiCA.
Learn more →Open source
SDKs, CLI, MCP server, extension, and x402 facilitator are MIT-licensed on GitHub — auditable by anyone.
Learn more →Compliance status
We publish where we actually are — not aspirational badges. Controls marked live run in production today; formal certifications on the roadmap are dated as they progress.
Status as of July 2026. Enterprise customers can request current documentation under NDA via sales.
For enterprise security teams
Per-transaction audit trail
Every payment produces a signed, Arbiscan-verifiable receipt and an immutable on-chain record for audit and reconciliation.
Jurisdiction & KYC controls
Enforce jurisdiction blocks and KYC-tier gating per policy, applied before settlement.
Reconciliation exports
Structured payment and settlement data (CSV / ISO 20022) for finance and ERP reconciliation.
Incident response
Documented response process, a public status page, and disclosure via our responsible-disclosure policy.
Data handling
Documented retention and deletion, a subprocessors list, and DPA available for enterprise contracts.
Open-source auditability
Core SDKs, CLI, MCP server, and x402 facilitator are MIT-licensed, so your team can review the payment path directly.
Policies & disclosures
Frequently asked questions
How does Furlpay keep my funds secure?
Furlpay uses passkey (WebAuthn) authentication and 2-of-2 MPC custody, so signing is phishing-resistant and no single device or party can move funds alone. There is no seed phrase to lose or leak, and account recovery works through your passkey providers.
Is Furlpay open source?
Yes. The SDKs, CLI, MCP server, browser extension, and x402 facilitator are MIT-licensed on GitHub, so the code can be independently audited, forked, and self-hosted.
How do I report a security vulnerability?
Follow the responsible-disclosure policy at /legal/responsible-disclosure. It explains scope, how to submit a report, and what to expect after disclosure.
How does Furlpay handle compliance?
Payments are screened against sanctions lists, Travel Rule information is supported where required, and the platform is designed for MiCA in the EU (including EURC auto-swap). See the compliance and legal sections for specifics by jurisdiction.
Furlpay is not a bank. Crypto assets are not deposit-insured and can lose value. Specific compliance features vary by jurisdiction.