> ## Documentation Index
> Fetch the complete documentation index at: https://docs.anchorage.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Security architecture

> How Anchorage Digital secures digital assets and transaction flows.

Every product decision is informed by deep expertise in security. The result is a platform that sets the standard for digital asset security.

<CardGroup cols={3}>
  <Card title="No passwords" icon="lock-open">
    Anchorage Digital forgoes the use of usernames and passwords, which are susceptible to fraud, impersonation, and abuse.
  </Card>

  <Card title="No emails or texts" icon="envelope-open">
    Anchorage Digital does not use emails or phone numbers, so attackers cannot gain access by triggering email or SMS-based account recovery.
  </Card>

  <Card title="No unauthorized devices" icon="mobile-screen-button">
    Only pre-approved devices may access an account.
  </Card>
</CardGroup>

## How it works

Anchorage Digital's transaction flow is designed to prove with certainty that a given transaction reflects an organization's intent. Once all three steps are complete, we process the transaction within minutes.

### A 3-step transaction process

<Steps>
  <Step title="Multi-user approval">
    Every transaction requires approval from at least two members of the organization, using authentication through authorized devices. Each user's identity is tied to a unique and unforgeable cryptographic key, created and stored in the iOS Secure Enclave.
  </Step>

  <Step title="Transaction review">
    Using automated outlier detection and human oversight, Anchorage Digital authenticates each approval based on detailed behavioral analytics. Individual and organization behavioral data—including biometrics, transaction details, and location—is examined and compared against historical patterns to detect and flag any outliers. Every transaction is independently reviewed by Anchorage Digital; no transaction moves forward without human confirmation.
  </Step>

  <Step title="Hardware-enforced logic">
    Only when both the organization and Anchorage Digital have approved, Hardware Security Modules (HSMs) process the transaction. Private key material is generated and processed in air-gapped HSMs and is not exported outside the HSM boundary in plaintext. The system signs transactions without exposing sensitive key material. Custom logic verifies that each operation has a valid quorum of client approvals as well as Anchorage Digital approval.
  </Step>
</Steps>

## Why HSMs?

A **Hardware Security Module (HSM)** is a dedicated, tamper-resistant device built for one job: generating and using cryptographic keys without ever exposing them. They're the same class of hardware banks use to protect payment systems, and they're the answer to the core problem in digital asset security — a private key is just data, and data can be copied.

* **Key material stays inside secure hardware.** Private key material is generated and processed in HSMs with no direct connection to the internet. Key material is not exported outside the HSM boundary in plaintext; signing happens in protected hardware, which returns only the signature.
* **Tamper resistance is physical.** The HSMs are air-gapped and housed in protected data centers with 24/7 physical security. Attempts to physically open or probe the hardware destroy the keys rather than reveal them.
* **The approval logic runs in the hardware, not around it.** Custom logic on the HSM verifies that every operation carries a valid quorum of client approvals plus Anchorage Digital approval before it will sign. The rules can't be bypassed by compromising a server or an app, because the server and app never hold sensitive key material.

This is why losing a phone, a password, or even a server doesn't put assets at risk: there is no plaintext private key material available to steal.
