settlematic
Security

Your keys, your funds

Settlematic never takes custody of merchant or payer funds. Security is built into every module — from deposit addresses to sweep cooldowns.

Definition

What are non-custodial payments?

Non-custodial means Settlematic never holds your private keys or customer balances. Payments land at invoice-scoped addresses and sweep only to wallets you configure.

Businesses invoice in USD or EUR, clients pay in crypto across 6 networks, and funds settle to wallets the merchant controls. Settlematic never holds private keys or customer balances.

Non-custodial by design

Settlematic never takes custody of merchant or payer funds. Invoice-scoped deposit addresses receive payments; sweeps move value only to destinations you configure. We cannot freeze, redirect, or hold your balances.

Key handling

We do not store merchant private keys. API keys are hashed at rest. Sweep destination changes can trigger cooldown periods before funds move — reducing blast radius if an account is compromised.

Infrastructure

Worker isolation, signed HMAC webhooks, role-based access across Collect and Gateway, rate limiting, and audit logs for sensitive operations like payout approval and treasury rule changes.

Access control

Team seats with scoped permissions, optional TOTP for operators, and separate sandbox vs mainnet environments so test data never mixes with production funds.

Data protection

TLS in transit, encrypted secrets at rest, and minimal retention of payer PII — checkout collects only what reconciliation requires.

Responsible disclosure

Report vulnerabilities to [email protected]. We acknowledge valid reports and work with researchers on coordinated disclosure.


Architecture

Funds never sit in a pooled wallet

Each payment uses an invoice-scoped deposit address. Confirmed funds sweep only to destinations you configure — cold storage, operating wallets, or multisig treasuries. Settlematic orchestrates detection; you retain custody.


Operations

Controls finance teams expect

Role-based access, optional TOTP for operators, separate sandbox and mainnet environments, and audit logs for payout approval and treasury rule changes — built for teams who reconcile books.


Security in practice

Controls operators and developers rely on every day.

Invoice-scoped addresses

Each payment gets a unique deposit address — easier reconciliation and reduced address reuse risk.

Signed webhooks

Verify HMAC signatures on every delivery. Replay protection and delivery logs for debugging.
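How a receiving service can enforce the three properties named above (signature check, replay protection, a usable delivery record), as an added example that is not Settlematic's SDK or documented wire format: the header names, the `t=…,v1=…` signature layout, the 5-minute window and the sample payload are all assumptions made for this illustration.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed conventions for this example (not Settlematic's documented API):
# signature header "t=<unix seconds>,v1=<hex HMAC-SHA256>" computed over
# "<t>.<delivery id>.<raw body>", so the id used for deduplication is authenticated.
SIG_HEADER = "X-Webhook-Signature"
ID_HEADER = "X-Webhook-Delivery-Id"
TOLERANCE_SECONDS = 300  # replay window: reject deliveries older than 5 minutes


def signed_message(ts: int, delivery_id: str, body: bytes) -> bytes:
    return f"{ts}.{delivery_id}.".encode() + body


def sign(secret: bytes, ts: int, delivery_id: str, body: bytes) -> str:
    """Sender side: produce the signature header value."""
    mac = hmac.new(secret, signed_message(ts, delivery_id, body), hashlib.sha256)
    return f"t={ts},v1={mac.hexdigest()}"


class WebhookVerifier:
    def __init__(self, secret: bytes, tolerance: int = TOLERANCE_SECONDS):
        self.secret = secret
        self.tolerance = tolerance
        self.seen_ids: set = set()  # persist in a database in production

    def verify(self, headers: dict, body: bytes, now: Optional[int] = None):
        """Receiver side: return (accepted, reason). Order: parse, freshness, MAC, dedupe."""
        now = int(time.time()) if now is None else now
        try:
            fields = dict(part.split("=", 1) for part in headers[SIG_HEADER].split(","))
            ts, provided = int(fields["t"]), fields["v1"]
            delivery_id = headers[ID_HEADER]
        except (KeyError, ValueError):
            return False, "malformed headers"
        # Freshness first: bounds the replay window cheaply before any crypto.
        if abs(now - ts) > self.tolerance:
            return False, "stale timestamp"
        # Recompute over the exact raw bytes received, never over re-serialised JSON.
        expected = hmac.new(self.secret, signed_message(ts, delivery_id, body), hashlib.sha256).hexdigest()
        # Constant-time compare so the check does not leak the matching prefix length.
        if not hmac.compare_digest(expected, provided):
            return False, "bad signature"
        # The same authenticated delivery id seen again inside the window is a replay.
        if delivery_id in self.seen_ids:
            return False, "replayed delivery"
        self.seen_ids.add(delivery_id)
        return True, "ok"
```

The returned reason is what belongs in the delivery log: a run of "bad signature" or "replayed delivery" results is the signal to investigate, while "stale timestamp" usually points at clock skew or a retry queue that has fallen behind.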

Sweep cooldowns

Destination wallet changes can require a waiting period before funds move.

Architecture

Non-custodial by design

Funds never pass through Settlematic.

No. Settlematic is non-custodial. Payments arrive at invoice-scoped addresses and sweep to wallets you configure. We do not store your private keys.

Questions about security?

Our team responds to security inquiries and vulnerability reports promptly.