Range is the risk and compliance infrastructure platform for financial institutions operating onchain. This page summarizes the controls, processes, and policies that govern how we protect customer data and operate our services.

Security program

Range operates a security program covering identity, access, infrastructure, data protection, monitoring, and response.

Identity and access

  • Mandatory multi-factor authentication for all workforce accounts.
  • Single sign-on for internal systems.
  • Role-based access control with least-privilege defaults.
  • Production access restricted to authorized personnel.
  • Production and development environments are logically separated.
  • Infrastructure credentials and secrets are centrally managed and rotated.

Device security

All workforce devices are subject to:
  • Enforced MFA.
  • Automatic screen locking.
  • Full-disk encryption.
  • Endpoint protection.
  • Device compliance monitoring.

Encryption and data protection

Range uses industry-standard encryption to protect sensitive data.
  • Data in transit is protected with HTTPS and TLS.
  • Sensitive customer data is encrypted at rest.
  • Infrastructure secrets are securely stored and rotated.

Range does not custody assets or hold customer private keys. Where customers provide API credentials for read-only synchronization with their custodial accounts, those credentials are encrypted and access-restricted within our backend. We process blockchain, payment, and account-related data on a read-only basis. Range does not initiate transactions or payments on behalf of customers.

Monitoring and availability

Range runs centralized logging, monitoring, and alerting across production systems to detect operational anomalies and security events. On-call engineering and infrastructure teams monitor alerts continuously. We target 99.9% service availability for production systems.

Vulnerability management

Range maintains processes to identify, review, and remediate vulnerabilities, including:
  • Dependency and software package scanning.
  • Infrastructure patch management.
  • Mandatory code review on changes to production systems.
  • Penetration testing.
  • Remediation tracking and validation.

Findings from security assessments and penetration tests are reviewed and remediated according to internal risk procedures.

Incident response

Range maintains a formal Incident Response Plan covering identification, classification, containment, remediation, recovery, and notification. The plan defines:
  • Severity classification.
  • Escalation paths.
  • Documented response procedures.
  • Evidence preservation.
  • Root cause analysis.
  • Customer and regulatory notification processes.
  • Post-incident reviews.
  • Annual testing and continuous improvement.

The plan is maintained internally and reviewed regularly.

Backup and recovery

Range performs hourly backups of critical systems and data. Recovery procedures are tested:
  • Automatically each week.
  • Manually at least twice per year.

Compliance and privacy

Range is currently undergoing a SOC 2 Type II audit. We maintain policies and controls aligned to the SOC 2 Trust Services Criteria covering security, availability, confidentiality, and privacy. Range maintains processes for compliance with applicable privacy and data protection requirements, including GDPR.

Responsible disclosure

Range runs a bug bounty program for verified security findings. See Bug bounty for scope, rewards, and reporting guidelines, or email security@range.org directly.

Last modified on May 22, 2026