We treat payments like the accident-sensitive infrastructure they are.
OpenUSDC is open-source, audited, and non-custodial. Below is an honest accounting of where we are, what we've shipped, and where we still have work to do.
The four things we never compromise on.
Non-custodial by default
OpenUSDC never custodies your funds. The gateway sees signed payment headers; settlements land in the wallet you designate at deploy time.
Open, auditable code
The gateway core, the SDKs, and the audit reports are public on GitHub. Every release is signed and reproducibly built.
Defense in depth
Hardware-backed signers, scoped wallet policies, signed receipts, and an append-only ledger — assume any one layer can fail.
Boring crypto
Ed25519 for receipts, secp256k1 / ed25519 for chain signatures. We do not roll our own primitives, ever.
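What "Ed25519 for receipts" buys you in practice is shown by the added example below. It is illustrative code written for this page, not OpenUSDC's receipt implementation: the `Receipt` fields, the `example-receipt-v1` domain tag and the sample values are all constructed. The point it demonstrates is that the verifier re-derives the signed bytes from the receipt as presented, so any edit to an amount, payee or transaction hash after signing makes verification fail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Added illustration of an Ed25519-signed settlement receipt. The receipt
// shape, the domain tag and the field names are constructed for this example
// and are not OpenUSDC's format.
type Receipt struct {
	ID         string `json:"id"`
	Payer      string `json:"payer"`
	Payee      string `json:"payee"`
	AmountUSDC string `json:"amount_usdc"` // decimal string, never a float
	TxHash     string `json:"tx_hash"`
	IssuedAt   int64  `json:"issued_at"` // unix seconds
}

// receiptDomain is a hypothetical domain-separation tag: a signature over a
// receipt can then never be presented as a signature over some other message
// type that happens to use the same key.
const receiptDomain = "example-receipt-v1\x00"

// receiptBytes is the exact byte string that gets signed. json.Marshal emits
// struct fields in declaration order, so for this fixed type it is canonical.
func receiptBytes(r Receipt) ([]byte, error) {
	body, err := json.Marshal(r)
	if err != nil {
		return nil, err
	}
	return append([]byte(receiptDomain), body...), nil
}

func signReceipt(priv ed25519.PrivateKey, r Receipt) ([]byte, error) {
	msg, err := receiptBytes(r)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// verifyReceipt re-derives the signed bytes from the receipt as presented, so
// any edited field (amount, payee, tx hash) makes the signature fail. Length
// checks come first because ed25519.Verify panics on a malformed public key.
func verifyReceipt(pub ed25519.PublicKey, r Receipt, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	msg, err := receiptBytes(r)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample receipt; the addresses and hash are placeholders.
	r := Receipt{ID: "rcpt-0001", Payer: "0xPAYER", Payee: "0xPAYEE",
		AmountUSDC: "12.50", TxHash: "0xTXHASH", IssuedAt: 1767225600}
	sig, _ := signReceipt(priv, r)
	fmt.Println("valid:", verifyReceipt(pub, r, sig))
	r.AmountUSDC = "1250.00"
	fmt.Println("after tampering:", verifyReceipt(pub, r, sig))
}
```

Keeping the amount as a decimal string rather than a float matters here: two parties must serialize the receipt to byte-identical JSON for the signature to verify, and float formatting is the usual way that breaks.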
External eyes on every layer of the stack.
We commission an independent audit on every component before each major version. Reports are published in full as soon as findings are resolved.
| Firm | Scope | Date | Status | Findings |
|---|---|---|---|---|
| Spearbit | openusdc/gateway-core | 2026-01 | Published | 0 critical, 1 high (resolved), 4 medium (resolved) |
| Trail of Bits | openusdc/sdk-signer | 2026-06 | In progress | Report expected July 2026; preliminary findings shared in the GitHub issue tracker. |
| Cure53 | openusdc/cloud-dashboard | 2026-03 | Published | 0 critical, 0 high, 3 medium (resolved), 5 informational |
SOC 2, ISO 27001, and where we are on each.
- SOC 2 Type I: Issued February 2026 by Prescient Assurance. Available under NDA.
- SOC 2 Type II: Audit window opened April 2026. Report expected November 2026.
- ISO 27001:2022: Stage 1 audit complete. Stage 2 audit scheduled for Q3 2026.
- GDPR & UK-GDPR: EU and UK data residency options available on Cloud Growth and Enterprise plans.
Responsible disclosure program
We pay for clear, actionable security reports. Our scope covers the gateway core, the SDKs, the Cloud control plane, and any production domain at *.openusdc.ai.
- Critical findings: up to $25,000
- High findings: up to $7,500
- Medium findings: up to $1,500
- Public hall of fame for any acknowledged disclosure
Submit reports to security@openusdc.ai with a PGP-encrypted body where possible. Our key is at /.well-known/openusdc-security.asc.
Where your data lives, and what it does there.
Encryption at rest
AES-256-GCM with envelope encryption. Keys rotate every 90 days; customer-supplied KMS keys on Enterprise.
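The added example below shows why envelope encryption is what makes a 90-day key rotation practical. It is written for this page and is not OpenUSDC's code; the in-memory `kekStore` is a stand-in for a KMS, the record ID used as associated data and the `settlement-42` sample are constructed. Each record gets its own data-encryption key (DEK) under AES-256-GCM, the DEK is wrapped under a versioned key-encryption key (KEK), and rotation rewraps only the 32-byte DEK while the bulk ciphertext is reused untouched.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Added illustration of AES-256-GCM envelope encryption with KEK rotation (not
// OpenUSDC's code). kekStore stands in for a KMS: a real deployment keeps its
// KEKs in a hardware-backed KMS. KEK version n lives at keks[n-1]; newest is current.
type kekStore struct {
	keks [][]byte
}

// rotate adds a new KEK version and returns its number; older versions stay.
func (s *kekStore) rotate() int {
	s.keks = append(s.keks, randomBytes(32))
	return len(s.keks)
}

// randomBytes panics on failure: crypto/rand failing is a broken platform, not input.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err) // all keys here are generated internally, so this is a bug
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// gcmSeal returns nonce || ciphertext || tag under a fresh random nonce.
func gcmSeal(key, plaintext, aad []byte) []byte {
	gcm := newGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// gcmOpen fails if the tag does not verify or the AAD differs from sealing time.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm := newGCM(key)
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// envelope is what gets persisted: the record under a per-record DEK plus that
// DEK wrapped under a versioned KEK. The record ID is bound in as AAD so a
// ciphertext cannot be silently moved to another row.
type envelope struct {
	KEKVersion int
	WrappedDEK []byte
	Ciphertext []byte
}

// wrap seals dek under the current KEK (rotate must have been called once).
func wrap(s *kekStore, recordID string, dek, ciphertext []byte) *envelope {
	cur := len(s.keks)
	wrapped := gcmSeal(s.keks[cur-1], dek, []byte(recordID))
	return &envelope{KEKVersion: cur, WrappedDEK: wrapped, Ciphertext: ciphertext}
}

func encryptRecord(s *kekStore, recordID string, plaintext []byte) *envelope {
	dek := randomBytes(32) // fresh DEK per record
	return wrap(s, recordID, dek, gcmSeal(dek, plaintext, []byte(recordID)))
}

func unwrapDEK(s *kekStore, recordID string, e *envelope) ([]byte, error) {
	if e.KEKVersion < 1 || e.KEKVersion > len(s.keks) {
		return nil, fmt.Errorf("unknown KEK version %d", e.KEKVersion)
	}
	return gcmOpen(s.keks[e.KEKVersion-1], e.WrappedDEK, []byte(recordID))
}

func decryptRecord(s *kekStore, recordID string, e *envelope) ([]byte, error) {
	dek, err := unwrapDEK(s, recordID, e)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, e.Ciphertext, []byte(recordID))
}

// rewrap moves an envelope onto the current KEK by rewrapping only the 32-byte
// DEK; the bulk ciphertext is reused untouched, which keeps KEK rotation cheap.
func rewrap(s *kekStore, recordID string, e *envelope) (*envelope, error) {
	dek, err := unwrapDEK(s, recordID, e)
	if err != nil {
		return nil, err
	}
	return wrap(s, recordID, dek, e.Ciphertext), nil
}
```

Two properties are worth checking in any envelope scheme: an envelope rewrapped after rotation still decrypts, and the same ciphertext presented under a different record ID is rejected because the associated data no longer matches.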
Encryption in transit
TLS 1.3 only. mTLS available on Enterprise. Public endpoints scored A+ on Qualys SSL Labs.
Hosting & residency
Primary regions are us-east, eu-west, and ap-southeast. EU and UK residency available; data never replicates out of region.
Backups
Continuous WAL streaming with point-in-time recovery to any second within 30 days. Backups are encrypted with a separate KMS key.
Access control
SSO + SCIM on Enterprise. Per-engineer credentials are short-lived, scoped by purpose, and recorded in our audit log.
Incident response
24/7 on-call rotation. Customer-facing incident reports on status.openusdc.ai; post-mortems within 14 days for any P1.