Karma

Security Overview

How we keep your money, your data, and your identity safe.

Security isn't a feature we bolt on — it's the foundation of how Karma is built. Below is a plain-English overview of how we protect your funds and your data. Technical specifics are deliberately kept high-level to avoid giving attackers a roadmap; the team is happy to share more under NDA with auditors, partners, and regulators.

1. Self-custody by default

Karma is a non-custodial platform. You control your wallet and your keys. Karma cannot freeze, seize, or move your funds because we never have access to them.

  • Private keys are generated and stored on your device.
  • Sensitive material is held in your device's secure storage (such as the iOS Keychain or Android Keystore) wherever available.
  • Passkey-based authentication gives you hardware-backed, phishing-resistant credentials, with no seed phrase to write down or lose.
  • Because Karma is non-custodial, your on-chain funds remain accessible through any compatible Solana wallet using your keys.

2. Account & authentication security

  • Passkeys & biometrics: Face ID, Touch ID, and platform passkeys are used to authorize sensitive actions.
  • Device binding: Sessions are bound to the device that created them; new devices require re-verification.
  • Step-up auth: Higher-risk actions (large transfers, card controls, account changes) require additional confirmation.
  • Encrypted local storage: Authentication tokens and other sensitive data are stored in your device's secure storage, not plain local storage.

3. Infrastructure & data protection

  • Encryption in transit: All traffic between the app, our APIs, and partners is encrypted.
  • Encryption at rest: User data stored on our servers is encrypted at rest.
  • Least-privilege access: Production access is tightly restricted, multi-factor protected, and audit-logged.
  • Continuous monitoring: We watch for unusual sign-ins, transaction patterns, and infrastructure anomalies around the clock.

4. Compliance & regulated partners

Karma Fintech LTD is a financial technology company, not a bank. Regulated services are delivered through licensed partners:

  • Banking & off-ramp: regulated banking partners provide virtual accounts (USD routing numbers, EUR IBANs) and handle crypto-to-fiat settlement.
  • Card issuance: the Karma Visa debit card is issued by a regulated card-issuing bank under our card program.
  • KYC / AML: a third-party identity verification provider handles identity checks, sanctions screening, and ongoing transaction monitoring.
  • Key infrastructure: hardware-backed signing infrastructure is used where appropriate to protect authentication material.

A current list of named service providers is available in our Terms of Service. Karma operates in accordance with applicable UK and EU obligations, including GDPR for personal data and AML/KYC rules for financial services.

5. Fraud prevention

  • Risk checks on signups, payments, and card activity.
  • Wallet-address screening against sanctions and high-risk lists before transactions are processed.
  • Velocity and behavioural limits on transfers, with the ability to step up authentication or pause activity when needed.
  • In-app card controls such as freeze / unfreeze and recent activity views (subject to issuer support).
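To make the screening and velocity bullets above concrete, here is an added illustration of how such a decision layer can be structured. It is example code written for this page, not Karma's own implementation: the denylist entries, dollar thresholds, window length and the `block` / `step_up` / `pause` / `allow` outcomes are all assumptions chosen to show the shape of the logic, and screening is a plain exact match rather than a real sanctions-data integration.

```python
"""Illustrative outbound-transfer risk check: destination-address screening plus
sliding-window velocity limits that escalate to step-up auth or a pause.
Added example for this page; not Karma's code. All thresholds are placeholders."""
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, Optional, Tuple

# Constructed denylist: made-up strings standing in for screened wallet addresses.
DENYLIST: Dict[str, str] = {
    "Sanctioned111111111111111111111111111111111": "sanctions",
    "Mixer22222222222222222222222222222222222222": "high-risk",
}


@dataclass(frozen=True)
class Policy:
    """Assumed thresholds; amounts are in minor units (cents)."""
    step_up_single: int = 100_000         # one transfer >= $1,000 needs step-up
    step_up_window_total: int = 250_000   # > $2,500 moved in the window needs step-up
    pause_window_count: int = 10          # > 10 transfers in the window pauses activity
    window: timedelta = timedelta(hours=24)


@dataclass
class UserState:
    """Executed transfers as (timestamp, amount), oldest first."""
    history: Deque[Tuple[datetime, int]] = field(default_factory=deque)


def screen_address(address: str) -> Optional[str]:
    """Return the list name if the normalised destination is denylisted, else None."""
    return DENYLIST.get(address.strip())


def decide(state: UserState, policy: Policy, dest: str, amount: int,
           now: datetime) -> Tuple[str, str]:
    """Return (outcome, reason). Screening is evaluated before any velocity rule,
    so a listed destination is blocked regardless of how small the transfer is."""
    hit = screen_address(dest)
    if hit:
        return ("block", f"destination on {hit} list")
    # Drop history that has aged out of the sliding window.
    while state.history and now - state.history[0][0] > policy.window:
        state.history.popleft()
    count = len(state.history) + 1
    total = sum(a for _, a in state.history) + amount
    if count > policy.pause_window_count:
        return ("pause", f"{count} transfers within {policy.window}")
    if amount >= policy.step_up_single:
        return ("step_up", "single transfer at or above step-up threshold")
    if total > policy.step_up_window_total:
        return ("step_up", "window total above step-up threshold")
    return ("allow", "")


def record(state: UserState, amount: int, now: datetime) -> None:
    """Call once a transfer actually executes (including after step-up succeeds)."""
    state.history.append((now, amount))


def run_scenario() -> Dict[str, str]:
    """Constructed sequence of transfers exercising each outcome."""
    policy, utc = Policy(), timezone.utc
    t0 = datetime(2024, 1, 1, tzinfo=utc)
    ok_dest = "Friend333333333333333333333333333333333333"
    s, out = UserState(), {}
    out["small"] = decide(s, policy, ok_dest, 50_000, t0)[0]
    record(s, 50_000, t0)
    # Leading/trailing whitespace is stripped before the lookup.
    out["sanctioned"] = decide(s, policy, " Sanctioned111111111111111111111111111111111 ",
                               10, t0 + timedelta(minutes=1))[0]
    out["large_single"] = decide(s, policy, ok_dest, 150_000, t0 + timedelta(minutes=2))[0]
    record(s, 150_000, t0 + timedelta(minutes=2))       # step-up passed
    out["window_total"] = decide(s, policy, ok_dest, 60_000, t0 + timedelta(minutes=3))[0]
    record(s, 60_000, t0 + timedelta(minutes=3))        # 260,000 in window
    out["aged_out"] = decide(s, policy, ok_dest, 60_000, t0 + timedelta(hours=25))[0]
    s2, last = UserState(), ""
    for i in range(11):                                 # burst of tiny transfers
        t = t0 + timedelta(minutes=i)
        last = decide(s2, policy, ok_dest, 100, t)[0]
        if last == "allow":
            record(s2, 100, t)
    out["burst"] = last
    return out


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:13s} -> {outcome}")
```

The ordering matters: screening runs before the velocity rules so that a sanctioned destination never becomes an "allow" just because the amount is tiny, and the velocity window only counts transfers that actually executed, so a blocked or abandoned attempt does not inflate the user's own limits.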

6. Your responsibilities

Self-custody means shared responsibility. To stay safe:

  • Use a strong device passcode and enable biometrics.
  • Keep your phone's operating system up to date.
  • Never share your recovery phrase, passkey codes, or one-time codes with anyone — including someone claiming to be Karma support.
  • Verify URLs and email senders before clicking. Karma will never DM you on social media to "help" with your account.
  • Report anything suspicious to team@karmapay.xyz.

7. Responsible disclosure

We welcome reports from security researchers. If you believe you've found a vulnerability in our website, mobile app, or APIs, please contact us at team@karmapay.xyz with enough detail to reproduce the issue.

We ask that you:

  • Give us a reasonable window to investigate and fix before public disclosure.
  • Avoid privacy violations, service degradation, or destruction of data during testing.
  • Test only against accounts you own.

We will acknowledge legitimate reports, keep you updated as we investigate, and credit researchers who would like recognition.

Contact

For security reports or any other inquiry, email team@karmapay.xyz. Please include enough detail for us to reproduce or investigate.

Note: Cryptocurrencies and self-custody involve risk. Because Karma's non-custodial design means we never hold your funds, the security of your wallet ultimately depends on the security of your device and your behaviour online. Treat your recovery materials like cash.