Security at Foundry

Foundry builds decentralized infrastructure to empower institutions on a global scale.

Adhering to robust security and compliance measures allows us to fulfill our mission while mitigating risks, optimizing the resiliency of our bare-metal infrastructure, and meeting integrity standards across all of our business lines.

Compliance and Risk

Last Updated: September 5th, 2023

Foundry USA Pool has achieved SOC 1 Type II and SOC 2 Type II audit certifications by meeting examination requirements laid out by the American Institute of Certified Public Accountants (AICPA). Contact us here to request a copy of our current audit reports.

As of September 2023, Foundry is going through the SOC 2 Type I verification process with an independent auditor for its ETH staking product.

Data Protection

Last Updated: March 1st, 2023

Foundry has security standards and procedures in place designed to prevent unauthorized access to customer data. Foundry regularly reviews and implements appropriate and reasonable technical and organizational security measures to keep customer data safe. Employees are trained to handle customer data securely and with the utmost respect.

Privacy

Last Updated: March 1st, 2023

Terms and Conditions

Effective Date: February 1, 2023

Organizational Security

Last Updated: September 5th, 2023

Risk Assessment Process

Foundry’s risk assessment process requires management to identify significant risks involved with running validators for the supported protocol networks and implement appropriate measures to address those risks. The assessment includes the documentation and rating of risks associated with network architecture and vulnerabilities, staking operations, and existing integrations. This process is performed on a quarterly basis to ensure a timely response to risks identified.

Onboarding Compliance Requirements

Foundry’s Know Your Customer (KYC) process is required for all customers and business partners as part of onboarding on both the mining and staking sides of the business. The decision engine behind Foundry’s KYC powers business verification (KYB), Anti-Money Laundering (AML), and fraud checks on Ultimate Beneficial Owners (UBOs) and other stakeholders.

Employee Security Training

Foundry has a mandatory cybersecurity awareness program for all employees. New hires are trained on multiple topics, including identifying security threats on various channels and reporting phishing attempts to the internal security operations team. The program is updated on an annual basis and required for all team members.

Access Management

Foundry has internal policies to manage access to data and physical systems. Access to proprietary systems and third-party platforms is granted on a role basis, and permission sets must be pre-approved by the internal security team.

Vendor Management

Foundry conducts proactive vendor risk reviews, including a third-party risk categorization system. Vendor relationships, including vendor onboarding and offboarding, are documented in an audit-compliant manner. Any initiation or renewal of a vendor relationship must be accompanied by documented due diligence activities. All continuous vendor relationships involve a contractual agreement reviewed and approved by Foundry’s legal counsel and compliance team.

Threat Management and Penetration Testing

Last Updated: September 5th, 2023

Foundry’s bare-metal physical infrastructure is hosted in ISO 27001 certified third-party facilities that have been attested to comply with SOC 1 Type 2, SOC 2 Type 2, and SOC 3 requirements. The Tier 5 data centers are equipped with 24/7/365 elite mission control centers and military-grade security, run on 100% green power, and offer a 100% power uptime guarantee.

Data Center Infrastructure

Last Updated: September 5th, 2023

Foundry’s bare-metal physical infrastructure is hosted in ISO 27001 certified third-party facilities that have been attested to comply with SOC 1 Type 2, SOC 2 Type 2, and SOC 3 requirements. The Tier 5 data centers are equipped with 24/7/365 elite mission control centers and military-grade security, run on 100% green power, and offer a 100% power uptime guarantee.

Contact us here to request a copy of our data centers’ current audit reports.

Availability and Reliability

Last Updated: September 5th, 2023

Slashing Protections

Foundry’s bare metal infrastructure with failover at co-location facilities was designed and built to minimize the likelihood of slashing events. Foundry commits to provide a 99.9% production uptime to prevent missed attestations and has policies in place to account for slashing events and missed rewards in specific instances.

Service Monitoring

Foundry monitors all its staking nodes 24 hours a day, seven days per week. Foundry informs customers of all scheduled maintenance that might impact block production at least seven days in advance. The Foundry team is available to assist customers and integrated partners with security, account, and operations issue resolution.

Distributed Denial of Service (DoS) Protection

Foundry has multiple layers of protection for Distributed Denial of Service (DDoS) prevention, including engaging a DNS provider. Foundry runs failover infrastructure to monitor and mitigate the risk that a DDoS attack poses to a validator and the tokens delegated to it. Foundry maps DDoS risk and protection measures on a protocol basis according to architectural features of the supported networks (whether they use sentry nodes, for example).

Access Management

Foundry has internal policies to manage access to data and physical systems. Access to proprietary systems and third-party platforms is granted on a role basis, and permission sets must be pre-approved by the internal security team.

Key Management

Foundry utilizes multi-cloud tooling for infrastructure provisioning, container orchestration, and secret management, which includes a proprietary ETH staking vault plugin for key generation. This process allows for programmatic generation and storing of keys without any human interaction. Vault privileges follow the principle of least privilege, and keys generated are only accessible by the management process for loading keys to the validator or generating validator exit messages.

Incident Management and Response

Last Updated: September 5th, 2023

Foundry has incident management processes and policies in place to minimize operational issues and expedite service normalization. Response times and escalation levels are determined by a fault classification system. Any incidents with our staking operational systems are reported and documented on status.foundrystaking.com.

Business Continuity and Disaster Recovery

Last Updated: September 5th, 2023

For all its critical staking systems and processes, Foundry maintains Business Continuity Plans that outline how a validator will continue to operate and/or be repaired to a working state in the event of an interruption. Foundry’s bare metal infrastructure with failover redundancy is also part of its disaster recovery plans, which include detailed documentation on node migration to avoid slashing events.

These plans are tested on a quarterly basis with risk analyses and mitigation measures to support the latest versions of Foundry’s systems and service offerings.