Trust center

Built to be trusted with the moment money moves.

Non-custodial by design, enforceable under Swiss law, and provable end-to-end.

Non-custodial architecture

Pontis never holds your funds. Regulated partners do.

Money sits in segregated accounts at a regulated banking partner. Pontis records claims and instructs release through a RailAdapter — it never takes custody of a balance. A double-entry ledger keeps every movement balanced (Σ debits == Σ credits), enforced in the app and by a database trigger.

Swiss legal foundation

Enforceable under the Code of Obligations, Art. 151–157.

Each obligation renders a Swiss-law contract bound to the obligation by SHA-256 (Ricardian). The condition is the legal trigger for release. Governing law is explicit on every obligation and Contract Link.

Tamper-evident audit

Every step, hash-chained from signature to settlement.

Each state transition appends an append-only audit entry linked by SHA-256 to the previous one. The chain is recomputable and exportable. Database triggers make the audit table, posted ledger, and verification history immutable — UPDATE and DELETE are blocked.

Data protection (nFADP)

EU / Swiss data residency, with erasure that preserves the chain.

Personal data lives in the EU (eu-central-1). Erasure nulls PII while preserving the hash-linked audit events — the chain stays intact (tombstone pattern). Consent is recorded per processing purpose, and retention policies are enforced.

Security

Encryption, RBAC, signed webhooks, rate limiting.

API keys are argon2-hashed with a pepper and shown once. Access is scoped by RBAC. Outbound webhooks are HMAC-signed and replayable. Documents are stored encrypted (S3, SSE) with only a reference and hash in the database.

Measured, not promised

Live numbers from the systems this page describes.

API p95 latency · 24h

467 ms

API error rate · 24h

0.00%

Webhook delivery · 7d

7.61%

Audit events hash-chained

6'587

Read straight from the request log, the webhook ledger and the audit chain (refreshed every minute) — component checks and the honest incident history live on the status page.

Compliance postureKYB/KYC gating before sign/fund, AML sanctions + PEP screening, FATF Travel Rule recording above threshold, and SAR (MROS) support. Certifications (SOC 2 / ISO 27001) are on the roadmap and stated honestly as achieved.