Your assets, protected end to end
Cold-storage custody by default, hardware-backed key management, comprehensive insurance, hardware-key 2FA, continuous monitoring — and every claim is independently audited.
Custody by design
Deep cold storage
98% of customer virtual assets sit in air-gapped, geographically distributed cold-storage vaults. No internet connection, no single point of failure, no fast-path to a hot wallet.
No single signer
Withdrawal keys are sharded across multiple devices using multi-party computation (MPC), each shard held inside a FIPS 140-2 Level 3 hardware security module. No one device — and no one person — can move funds alone.
Fully segregated
Customer assets are held in segregated wallets, ring-fenced from the operating treasury. Independently attested every quarter — see the proof-of-reserves report.
Never rehypothecated
Your assets are not lent out, leveraged, or repledged without explicit, informed consent. Yield products are clearly labelled as such and run on a separate, opt-in basis.
Your account, your control
Phishing-resistant 2FA
Hardware-key (FIDO2/WebAuthn) two-factor authentication is the default for all new accounts. SMS 2FA is still available but no longer recommended — see why we moved the default.
Address whitelisting
Optional address allowlist with a 24-hour cooling-off period on new entries. Once enabled, withdrawals only ever go to addresses you have pre-approved.
Anti-phishing code
Set a personal anti-phishing code that appears in every legitimate email we send. Any "bitexasia" email without your code is a phishing attempt — report it via the in-product flow.
Device and session control
See every device that has logged in, every active session, every recent withdrawal. Revoke a session or sign out everywhere with one click. Suspicious-login email alerts on every new device.
Insurance on top of segregation
Crime & cyber-crime insurance
We maintain a comprehensive crime and cyber-crime policy with a syndicate of Lloyd's of London-rated insurers, with material coverage for third-party theft from hot wallets, internal collusion, social-engineering loss, and cyber-incident response costs. Coverage limits are reviewed annually and disclosed to enterprise customers under NDA.
Insurance complements, but does not replace, the segregation and custody framework above. It is a backstop for the residual tail of operational risk that no control framework eliminates entirely.
Watched continuously, audited externally
SOC 2 Type II
Schellman & Co independently audit the operating effectiveness of security, availability, processing integrity, confidentiality and privacy controls over a 12-month period.
ISO/IEC 27001:2022 (3-year cycle)
Information Security Management System certified by BSI Group against all 93 Annex A controls (91 applicable, 2 documented exclusions).
External penetration testing (quarterly)
Trail of Bits conducts a comprehensive black/grey-box engagement annually, with quarterly targeted re-tests. Public summaries of findings and remediation are published.
Proof-of-reserves attestation (quarterly)
Independent quarterly attestation by The Network Firm that on-chain reserves fully cover customer balances, with per-account Merkle-tree inclusion proofs.
Continuous monitoring
24/7 Security Operations Centre with SIEM, behavioural analytics, anomaly detection on wallet activity, on-call rotation, and a published status page.
Responsible disclosure
Active bug bounty programme rewarding the security community for verified vulnerability disclosures. Scope, rewards and PGP key for encrypted reports: security@bitexasia.com.
Disclose responsibly, get paid
Report security issues to security@bitexasia.com. PGP key available on request. We acknowledge within 24 hours and pay verified bounties on a published severity scale.