Audit & Compliance
Planbok provides organizations with the tools and transparency required to meet strict regulatory and operational standards, including SOC2 Type II and ISO 27001.
Immutable Audit Logs
Every action that impacts the security or status of your assets is captured in a permanent, tamper-resistant audit trail.
Logged Operations
- System Events: API Key creation/deletion, Organization Secret registration, Webhook configuration.
- Wallet Events: Wallet set creation, address derivation, export requests.
- Transaction Events: Signing initiation, partial signature generation, broadcast status.
Forensic Detail
Each audit entry includes:
- Actor ID: The user or API key that initiated the request.
- Source Context: IP address, user-agent, and geographic data.
- Timestamp: High-precision UTC timing.
- Metadata: Request parameters (excluding sensitive private data).
[!TIP] Audit logs are available for export via the Control Panel and API, allowing you to ingest them into your internal SIEM or compliance reporting tools.
Role-Based Access Control (RBAC)
We enforce a least-privilege model at the organizational level to ensure that sensitive operations are only performed by authorized personnel.
| Role | Permissions | Use Case |
|---|---|---|
| Owner | Full system control + Billing + Secret Management | Organization Founders |
| Admin | Member management + Wallet operations | Security & IT Managers |
| Member | Read-only access + Permitted signing | Developers / Operations |
API Key Security
API keys inherit the permissions of the creating user but can be further restricted:
- Read-Only Keys: Restricted to GET endpoints.
- IP Pinning: Required for all production-grade integration keys.
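As an added illustration (not Planbok's code, and not its export schema), the script below shows how exported audit entries carrying the forensic fields listed above could be checked once ingested into a SIEM: it flags the high-risk logged operations, non-GET calls made with read-only keys, and production keys acting outside their pinned IP range. The JSON field names, event names, key IDs and addresses are constructed assumptions.

```python
import ipaddress
import json

# Constructed sample export in newline-delimited JSON. The field names
# (actor_id, event, source.ip, metadata.method) are assumptions about the
# export format, not Planbok's actual schema.
SAMPLE_AUDIT_EXPORT = """
{"ts": "2024-05-01T10:00:00.123456Z", "event": "api_key.created", "actor_id": "user_42", "source": {"ip": "203.0.113.10", "user_agent": "Mozilla/5.0"}, "metadata": {"method": "POST", "path": "/v1/api-keys"}}
{"ts": "2024-05-01T10:05:12.000001Z", "event": "wallet.export_requested", "actor_id": "key_ro_7", "source": {"ip": "198.51.100.5", "user_agent": "planbok-sdk/1.2"}, "metadata": {"method": "POST", "path": "/v1/wallets/ws_1/export"}}
{"ts": "2024-05-01T10:06:00.000000Z", "event": "transaction.signing_initiated", "actor_id": "key_prod_3", "source": {"ip": "203.0.113.10", "user_agent": "planbok-sdk/1.2"}, "metadata": {"method": "POST", "path": "/v1/transactions"}}
{"ts": "2024-05-01T10:07:00.000000Z", "event": "transaction.broadcast", "actor_id": "key_prod_3", "source": {"ip": "203.0.113.10", "user_agent": "planbok-sdk/1.2"}, "metadata": {"method": "GET", "path": "/v1/transactions/tx_9"}}
{"ts": "2024-05-01T10:09:30.000000Z", "event": "transaction.signing_initiated", "actor_id": "key_prod_3", "source": {"ip": "198.51.100.5", "user_agent": "curl/8.0"}, "metadata": {"method": "POST", "path": "/v1/transactions"}}
"""

# Constructed policy: which API keys are read-only, and the source ranges each
# production key is pinned to (mirrors the Read-Only and IP Pinning restrictions).
READ_ONLY_KEYS = {"key_ro_7"}
PINNED_RANGES = {"key_prod_3": [ipaddress.ip_network("203.0.113.0/24")]}
# Logged operations that warrant review on their own (hypothetical event names).
HIGH_RISK_EVENTS = {"api_key.created", "api_key.deleted",
                    "wallet.export_requested", "secret.registered"}


def parse_entries(export_text):
    """Parse newline-delimited JSON audit entries, skipping blank lines."""
    return [json.loads(line) for line in export_text.splitlines() if line.strip()]


def find_alerts(entries):
    """Return (rule, actor_id, ts) tuples for entries a SIEM should escalate."""
    alerts = []
    for e in entries:
        actor = e["actor_id"]
        ip = ipaddress.ip_address(e["source"]["ip"])
        method = e["metadata"].get("method", "")
        if e["event"] in HIGH_RISK_EVENTS:
            alerts.append(("high_risk_event", actor, e["ts"]))
        # A read-only key should only ever appear on GET endpoints.
        if actor in READ_ONLY_KEYS and method != "GET":
            alerts.append(("read_only_key_mutation", actor, e["ts"]))
        # A pinned production key seen from outside its allowed ranges.
        if actor in PINNED_RANGES and not any(ip in net for net in PINNED_RANGES[actor]):
            alerts.append(("ip_pin_violation", actor, e["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, actor, ts in find_alerts(parse_entries(SAMPLE_AUDIT_EXPORT)):
        print(f"{ts} {rule} actor={actor}")
```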
Shared Responsibility Model
Security is a partnership between Planbok and our customers.
Planbok's Responsibility
- MPC Protocol: Maintaining the cryptographic integrity of Node 1 and Node 2.
- Infrastructure: Hardening the network, HSMs, and isolated node environments.
- Platform Availability: Ensuring the API and signing engines are resilient.
Customer's Responsibility
- Secret Management: Safekeeping of PINs and Organization Secrets.
- Access Control: Managing organization members and API key lifecycle.
- Integration Security: Following best practices for webhook verification and signature checking.
Data Privacy
Planbok adheres to strict privacy standards. We minimize the collection of PII (Personally Identifiable Information) and ensure all customer data is encrypted at rest and in transit.