Security
Built for the smallest blast radius.
Boli is an operating layer, not a custodian. Settlement assets live with their issuers; wallets are MPC with the user holding one share; regulated venues remain the licensed party's domain. There is no central honeypot of customer assets, because Boli never accepts the deposit.
No custody of funds
Boli never accepts customer money. Settlement assets (stablecoins, tokenized deposits, wholesale CBDC arms) live with their issuers and the licensed venues. AllocationV1 settles cash legs against assets atomically on Canton — Boli is the operating layer that wires the call, not a counterparty in it.
No custody of keys
Wallets are MPC. The user's share is on the user's device; Boli never holds both shares. We persist the public DID and wallet addresses, never long-lived bearer tokens, and never private key material. If our infrastructure were fully compromised tomorrow, an attacker could not move user assets.
Compliance runs at the chain level
Compliance modules (jurisdiction, holder limits, lockups, accreditation, sanctions) run on every transfer at the Daml layer. They are not a UI gate. A misconfigured app or a bypassed integration cannot transfer an asset that the on-chain pack disallows — preflight rejects it with a structured reason.
Identity is anchored, not federated
Identities use Tenzro DIDs (did:tenzro:human:{uuid}) minted from Boli's internal UUIDs — never from a federated profile field. KYC providers attach claims to the DID; we persist the claim, not the underlying PII. Provider lock-in is impossible because the anchor is ours.
Open-source where it counts
The Daml registry packages, the Tenzro SDKs, and tenzro-wallet are open source. Customers can audit the model their assets run on without an NDA. The packs themselves are configured by the licensed party and reviewed by their counsel — Boli does not set the policy, only ships the engine.
Disclosure
If you have found a vulnerability or a soundness issue, please reach us before disclosing. We respond within one business day in UAE hours and will coordinate a fix and disclosure window with you.