35 Million+
Wallets and counting
Billions
in annual volume
50 Million+
Monthly signatures
< 20 ms
Signature time
Privy’s security model is built from first principles and grounded in defense in depth.
From TEEs to key sharding and programmable controls, every layer is designed to minimize risk and enforce secure access across the stack.
Cryptographically verifiable self-custody
All signing operations occur inside isolated, hardware-backed environments (TEEs). Enclave memory is inaccessible to Privy and the host, with cryptographic attestation ensuring code and data integrity at runtime.
Key sharding to improve security and trust
Private keys are split using Shamir’s Secret Sharing (SSS) — a more battle-tested scheme than TSS-based MPC. Shares are stored across isolated boundaries and only recombined inside the enclave, eliminating single points of compromise.
Authentication gates access to signing and key use
Signing is tied to short-lived, verified user sessions. Tokens expire quickly and cannot be reused, ensuring keys can only be accessed in the correct user context.
Wallets are programmable accounts, not static keypairs
Privy’s APIs expose fine-grained, provable controls over key usage and access. Define policy rules per user, including biometrics, asset limits, and trusted devices, with enforcement cryptographically attested at runtime.
As a Stripe company, Privy follows the same rigorous internal standards and controls. These cover everything from production systems and key access to developer workflows, ensuring end-to-end system integrity.
We monitor all production systems with real-time alerting, tamper-proof logs, and ongoing third-party review. Privy runs an active bug bounty and undergoes quarterly independent audits.
We enforce least-access across hardened infrastructure: standing permissions are disallowed, credentials are time-bound, duties are segregated, and all activity is fully auditable, even internally.
Security architecture deep dive
From login to signature: how Privy enforces custody
Progressive security in practice
Designing flexible wallets for real-world apps
Security that ships: how top teams use Privy in production
Audit readiness and incident response at Privy
External reviews ensure our architecture meets the highest standards.
Privy undergoes regular third-party audits across our infrastructure, cryptography, and production systems to uphold the highest standards of security and integrity.
Cure 53
February 2023
Status: Complete
Zellic
June 2023
Status: Complete
SwordBytes
December 2023
Status: Complete
Doyensec
February 2024
Status: Complete
SOC 2 Type II
December 2024
Status: Complete
Hackerone
Bug Bounty Program
Status: Active