Security Overview

TLDR

• Same security tech used by leading wallet providers.

• Acts as secondary permissions layer on top of Provider’s existing API permissions & policy

• API Credentials are stored encrypted within TEEs (trusted execution environments); can only be decrypted and used within that hardened environment.

• API Credentials can be generated directly within the TEE, or imported encrypted in-browser with TEE-generated encryption keys

• User grants specific permission on specified accounts as part of the Connection; TEE will enforce these permissions.

• App is given a scoped access token bound to their own private key. The token alone cannot be used, and the app can't use the Credentials outside of the User-consented action.

1. Credential Security

We use the same highly secure encrypted storage methods that leading wallet providers use for wallet keys. API Credentials are stored encrypted within TEE (trusted execution environments), AWS Nitro Enclaves. They can only be decrypted & used within that trusted environment. Credentials are encrypted in the browser with the TEE-generated encryption key, ensuring the App and Narval have no way to decrypt in transit.

2. Authorization Security

Narval's authorization proxy will only sign & forward api requests for permitted actions. When a new Connection is created (encrypted credentials being uploaded), the User specifies the account(s) and permissions they are granting the app. The App is then given an Access Token for only those permissions, bound to a private key only known to the App. All requests to Narval's system include a signature from the App as authentication. Put together, this means the App cannot use the Connection without a user-granted Access Token, and the Access Token cannot be used without the App's private key. These permissions are enforced within the TEE.

3. Data Security

• TLS encryption in transit everywhere

• All data encrypted at rest

• Sensitive data additionally encrypted at the field-level with unique TEE-based keys.

• Services run in private VPC without direct internet connectivity

4. Operational Security

Narval employs best-practices for system and company security, including automation of all infrastructure, automated testing & CI/CD deployments, enforced peer review of changes, least-privilege access to all operational systems, and audit trails and threat monitoring.

FAQ

Q: What can Narval do with my API credentials?

Nothing. Confidential Computing (TEEs) allows Narval to operate the service without the ability to see or change the data being processed.

Q: What can the App do with my API credentials?

Only what you permit. The Connection is cryptographically owned by the end user who creates it, and the App can only trigger requests that have been authorized by the user.

All requests include http signature authentication in addition to an access token, ensuring authenticity of who originated a request.

Q: Does this replace the permissions & policy of my wallet/custody provider?

No, Narval adds an additional access control layer on top, providing App developers with a unified connectivity solution, while providing Users with granular control over how they delegate access to the App.

It’s expected you will configure initial restrictions directly on the provider, such as whitelisting only Narval’s IP address, restricting to only the account(s)/assets in question, and possibly adding a quorum approval