Four layers, audited annually by independent third parties. The details of what happens where.
All customer data is encrypted at rest with AES-256 — the current industry standard for symmetric data encryption. Sensitive fields (identity documents, source-of-funds evidence) are additionally encrypted at the field level, with keys held in a separate key management service (HSM-backed). In transit, all traffic uses TLS 1.3.
Two-factor authentication is mandatory and cannot be disabled. We support two methods: TOTP applications (Google Authenticator, Authy, 1Password) and WebAuthn hardware keys (YubiKey, Titan). We explicitly recommend WebAuthn for security-conscious users — it is immune to phishing, unlike SMS-based 2FA, which we do not offer.
Kenvestium is not the custodian of your capital. Customer funds are held in segregated accounts at regulated prime brokers in and regulated brokers in the EU. Specifically, this means: (1) your funds are legally separated from Kenvestium's corporate capital; (2) in the unlikely event of Kenvestium's insolvency, your funds are not part of the bankruptcy estate; (3) each prime broker is itself regulated by the applicable securities regulators or under equivalent international frameworks, and is subject to national investor compensation schemes — applicable investor compensation, equivalent in EU member states.
Kenvestium is not a custodian. We are a technology service provider. Your capital sits at regulated prime brokers in segregated accounts — not at Kenvestium.
Internally, we operate on a zero-trust model: no employee and no internal service can access customer data without explicit authorisation. All access logs are retained for 12 months and reviewed during annual audits. Production systems and development environments are strictly separated.
We operate fully redundant infrastructure across two geographically redundant data centers. Daily encrypted backups are retained for 30 days. Recovery Time Objective (RTO): under 4 hours. Recovery Point Objective (RPO): under 15 minutes.
Reporting a vulnerability. If you discover a potential security vulnerability, please write to [email protected]. We acknowledge receipt within 24 hours.