Trust is built through control, evidence, and operating discipline.
This section exists to explain principles, controls, boundaries, and operating assumptions — with disciplined language.
Security principles
Segregation by design
Each client operates in an isolated context — data, keys, policies, and limits are separated by construction, not configuration.
End-to-end encryption
TLS 1.3 in transit. AES-256-GCM at rest. Custody keys protected by distributed MPC.
Continuous authentication
Each operation evaluates session context, device, location, and risk before authorizing.
Least privilege
Each actor operates with minimum necessary permissions. Temporary access expires automatically.
Operational controls
Limits and approvals
Operations above configurable thresholds require approval from multiple authorizers.
Controlled delegation
Permissions delegated by time, scope, and context. Revocable at any time with a complete trail.
Automatic reconciliation
Each transaction reconciled between internal ledger, execution rail, and on-chain proof.
Data handling
LGPD / GDPR
Personal data processed in accordance with LGPD, GDPR, and applicable jurisdictional regulations.
Immutable logs
Immutable operational logs, retained for the regulatory period. Access audited and restricted by role.
Custody data
Keys, balances, and movements segregated by client and protected by hardware cryptography.
Compliance scope
Multi-jurisdiction
Brazil (BCB, CVM), European Union (MiCA, PSD2), United States (FinCEN, SEC), and international frameworks (FATF, Basel III).
Native compliance
Evaluated before each execution, as part of the Trust Policy Layer decision flow.
Automatic reports
Regulatory reports generated automatically and exportable in required formats.
Incidents and continuity
Incident response
Documented plan with notification SLAs. Communication per regulatory and contractual requirements.
Business continuity
Geographic redundancy, automatic failover, and RPO/RTO defined by service tier.
Independent pentests
Periodic penetration tests by independent third parties. Results under NDA for enterprise clients.
Detailed regulatory context
Infracash was designed to operate in compliance with major international and Brazilian regulatory frameworks. The specific references that guide each platform layer are listed below.
Brazil
Crypto Asset Legal Framework — asset segregation, governance, and investor protection.
VASP regulation — capital requirements, governance, and compliance for virtual asset service providers.
Asset tokenization and investment fund framework — rules for token issuance and trading.
Brazilian CBDC infrastructure — Infracash is prepared for integration with the Drex ecosystem.
International
Recommendations 15 and 16 (Travel Rule) for VASPs — the platform implements originator and beneficiary data transfer as required.
Principles for Financial Market Infrastructures — foundation for governance, risk management, and settlement finality.
Markets in Crypto-Assets Regulation — European framework for crypto-assets, stablecoins, and service providers.
Capital and liquidity requirements for digital asset exposure — the platform supports RWA calculations and reporting.
Legal and jurisdiction note
Infracash operates as technology infrastructure. It is not a financial institution, regulated custodian, or money transmitter. Clients are responsible for obtaining the necessary licenses in their jurisdictions. The platform is configurable by jurisdiction — rules, limits, and compliance requirements are adapted to the regulatory context of each operation.