Security

Built on infrastructure you can trust.

Vastel takes the same approach to security that banks and exchanges do — only better, because we hold less.

256-bit TLS everywhere

Every byte between your device and our servers is encrypted in transit with TLS 1.3 and strong cipher suites.

Biometric & 2FA login

Face ID, Touch ID and TOTP-based two-factor authentication. SMS 2FA available as a fallback.

Non-custodial by design

We never hold your crypto. Coins go directly to a wallet address you provide — Vastel doesn't have a hot wallet that pools customer funds.

PCI-DSS card infrastructure

Card issuing runs on a PCI-DSS Level 1 certified partner. Full card numbers (PANs) and CVVs never touch Vastel servers — they are streamed directly from the issuer to your device.

24/7 fraud monitoring

Every transaction is screened in real time against our internal risk engine and partner networks. Suspicious activity triggers a step-up challenge.

Encrypted at rest

All PII and sensitive metadata is encrypted at rest using AES-256-GCM with per-tenant keys managed in AWS KMS.

How we protect your account

  • Device binding. Sign-in from a new device requires email or SMS confirmation, plus 2FA if enabled.
  • Withdrawal allow-list. Lock external wallet addresses to a personal allow-list with a 24-hour cool-down on new additions.
  • Step-up authentication. Large transfers and security setting changes require biometrics or a fresh 2FA challenge.
  • Session control. Review and revoke active sessions from Profile → Security → Sessions.
  • Anti-phishing code. Set a personal code that appears in every email we send so you can spot fakes instantly.

How we protect our platform

  • Least-privilege IAM, hardware-backed SSH keys, and mandatory peer review for every production change.
  • Continuous vulnerability scanning across our application, dependencies and infrastructure.
  • Annual penetration tests by an independent CREST-accredited firm.
  • Immutable, encrypted audit logs of every privileged action for at least 7 years.
  • Quarterly disaster-recovery drills with full restore from cold backup.

Your money, your custody

Crypto purchases are delivered directly to a wallet you control. We don't run a hot wallet, we don't lend out your assets, and we can't be hacked into draining customer funds — because there are no customer funds to drain.

If something feels wrong

Vastel will never ask for your password, OTP, PIN, or recovery phrase. If anyone — even someone claiming to be from Vastel support — asks for them, stop the conversation and report it to us right away.

Responsible disclosure

Found a vulnerability?

We run an always-on bug bounty programme. Email security@vastel.app with a clear proof of concept. We acknowledge every report within 24 hours and pay bounties between $100 and $5,000 USDT based on severity and impact.

  • Critical: $2,500 – $5,000
  • High: $1,000 – $2,500
  • Medium: $300 – $1,000
  • Low: $100 – $300