Range is the risk and compliance infrastructure platform for financial institutions operating onchain. This page summarizes the controls, processes, and policies that govern how we protect customer data and operate our services.
Security program
Range operates a security program covering identity, access, infrastructure, data protection, monitoring, and response.
Identity and access
- Mandatory multi-factor authentication for all workforce accounts.
- Single sign-on for internal systems.
- Role-based access control with least-privilege defaults.
- Production access restricted to authorized personnel.
- Production and development environments are logically separated.
- Infrastructure credentials and secrets are centrally managed and rotated.
Device security
All workforce devices are subject to:
- Enforced MFA.
- Automatic screen locking.
- Full-disk encryption.
- Endpoint protection.
- Device compliance monitoring.
Encryption and data protection
Range uses industry-standard encryption to protect sensitive data.
- Data in transit is protected with HTTPS and TLS.
- Sensitive customer data is encrypted at rest.
- Infrastructure secrets are securely stored and rotated.
Range does not custody assets or hold customer private keys. Where customers provide API credentials for read-only synchronization with their custodial accounts, those credentials are encrypted and access-restricted within our backend.
We process blockchain, payment, and account-related data on a read-only basis. Range does not initiate transactions or payments on behalf of customers.
Monitoring and availability
Range runs centralized logging, monitoring, and alerting across production systems to detect operational anomalies and security events. On-call engineering and infrastructure teams monitor alerts continuously.
We target 99.9% service availability for production systems.
Vulnerability management
Range maintains processes to identify, review, and remediate vulnerabilities, including:
- Dependency and software package scanning.
- Infrastructure patch management.
- Mandatory code review on changes to production systems.
- Penetration testing.
- Remediation tracking and validation.
Findings from security assessments and penetration tests are reviewed and remediated according to internal risk procedures.
Incident response
Range maintains a formal Incident Response Plan covering identification, classification, containment, remediation, recovery, and notification. The plan defines:
- Severity classification.
- Escalation paths.
- Documented response procedures.
- Evidence preservation.
- Root cause analysis.
- Customer and regulatory notification processes.
- Post-incident reviews.
- Annual testing and continuous improvement.
The plan is maintained internally and reviewed regularly.
Backup and recovery
Range performs hourly backups of critical systems and data. Recovery procedures are tested:
- Automatically each week.
- Manually at least twice per year.
Compliance and privacy
Range is currently undergoing a SOC 2 Type II audit. We maintain policies and controls aligned to the SOC 2 Trust Services Criteria covering security, availability, confidentiality, and privacy.
Range maintains processes for compliance with applicable privacy and data protection requirements, including GDPR.
Responsible disclosure
Range runs a bug bounty program for verified security findings. See Bug bounty for scope, rewards, and reporting guidelines, or email security@range.org directly.
Last modified on May 22, 2026