Security & Custody
IronXLedger treats every layer of the stack — from key material to staff access — as an adversarial environment. We assume compromise, design for containment, and rehearse recovery before we need it.
The substantial majority of client digital assets are held in geographically distributed, air-gapped cold-storage vaults using HSM-backed multi-signature schemes. Hot-wallet float is sized to operational withdrawal demand only and is reconciled hourly.
Signing keys are sharded under m-of-n thresholds, with shard custodians drawn from independent operational and executive control planes. No single individual — including founders — can authorise a withdrawal, restore a vault, or roll a signing ceremony unilaterally.
All accounts support strong password requirements, optional hardware-token (WebAuthn) second factors, withdrawal address allow-listing, and time-locked first-time withdrawals to newly registered destinations.
Our production estate is segmented into least-privilege control planes with break-glass auditing, immutable infrastructure pipelines, signed builds, and continuous configuration attestation. Engineering access is JIT-granted and recorded.
We engage external firms for periodic penetration testing, smart-contract review (where applicable), and SOC-style controls assessment. Findings are tracked to remediation in a public-facing severity register for institutional clients.
Our 24/7 security operations function maintains documented runbooks for credential compromise, key-shard incidents, infrastructure breach, and counter-party failure. We commit to client notification within statutory timelines and to a written post-incident review.
Even the most rigorous custody program is only as strong as the discipline of the account holder. We strongly recommend every IronXLedger user enable a hardware-backed second factor, keep a unique high-entropy password stored in a reputable password manager, register a withdrawal address allow-list, and never disclose recovery codes, one-time passwords or session cookies to any third party — including individuals claiming to represent IronXLedger.
IronXLedger personnel will never ask you for your password, your second-factor seed, or your private wallet keys. Any such request — by email, telephone, chat, or in person — must be treated as fraudulent and reported to support@ironxledger.com.
We welcome reports from independent security researchers. If you believe you have identified a vulnerability affecting IronXLedger, contact us at support@ironxledger.com with a clear technical description, reproduction steps and a reasonable disclosure window. We commit to acknowledging your report within two business days and to engaging in good faith on remediation, attribution, and — where appropriate — a discretionary bounty.