Captrii Documentation

Welcome to Captrii documentation! Here, you’ll find everything you need to understand, set up, and make the most of Captrii.
Welcome

Captrii maintains and reports on the capital owners of a business.
Capital owners, or stakeholders, are individuals or legal entities that provide funding for the business. In return, they own a stake in the company. These stakeholders, called Actors, gain rights such as the ability to vote, receive dividends, and buy or sell additional ownership.

Captrii keeps records of these capital owners and reconciles the books and records with accounting systems. People and legal entities can be integrated into existing CRM systems too.

Actors do not always own or control 100% of a business. They own financial instruments called Agreements. An Agreement is a contract between an Actor and the company issuing Assets, outlining the relationship between the legal entity and the stakeholder.

For example, Actor J Smith has an Agreement (Agreement 123) to buy and own 25% of the Ordinary A shares issued by the company Example Inc.


There are 3 key functions in using Captrii.

1. Maintenance
2. Reports
3. Admin

Maintenance covers the pages where the key data required to produce the Reports is stored and managed. Admin covers the pages used by super administrators.

Request to fix things

There is a dedicated Bugs page for logging bugs, enhancements or future requests. The status is updated by the IT team so you can see what the progress is.

Ways to Sign In

We use Single Sign-On (SSO) and app Sign-In.

The terms Sign In, Sign On, Logon and Login are all used and mean the same thing: the process of authenticating a user so they can continue their journey and use the app.

What is SSO?
Single Sign-On (SSO) is an authentication process that allows a user to access multiple applications or systems with a single set of login credentials.

Once the user logs in through the SSO provider, they can use various services without needing to log in again for each one.

Advantages of Single Sign-On (SSO)

For Users:

1. Convenience: Users only need to remember one set of credentials, reducing the likelihood of forgetting passwords and the need to reset them frequently.

2. Seamless Experience: Users can move between different services and applications without repeatedly logging in, improving their overall experience and productivity.

3. Enhanced Security: Users are less likely to use weak or repetitive passwords across different services, as they only need one strong password for the SSO provider.


For Organizations:

1. Centralised Management: IT administrators can manage user access and permissions centrally, making it easier to ensure that the right people have access to the right resources.

2. Improved Security: Organizations can implement and enforce strong security policies (such as Multi-Factor Authentication, Use of an Authenticator App) consistently across all services accessed via SSO.

3. Reduced IT Overhead: Fewer password-related support requests reduce the burden on IT support teams, leading to cost savings and improved efficiency.

4. Compliance: Centralized logging and monitoring of access help in meeting regulatory and compliance requirements.


Enhanced Security Features

Organizations can configure their SSO providers to enhance security further:

1. Authenticator Apps: Users can be required to use authenticator apps (like Google Authenticator or Authy) to generate time-based one-time passwords (TOTP) for an additional layer of security.

2. Two-Factor Authentication (2FA): SSO can enforce 2FA, requiring users to verify their identity with two different factors, such as a password and a code sent to their mobile device.

3. Multi-Factor Authentication (MFA): MFA can be implemented, which might involve additional factors like biometric verification (fingerprint or facial recognition) or hardware tokens.


Conventional App Logon

While Single Sign-On is preferred, our application also supports conventional app logon where users can log in with a username and password specific to the application.

However, we encourage the use of SSO for the following reasons:

No Password Storage: With SSO, the application does not need to store or manage passwords, reducing the risk of password breaches and the associated security liabilities.

Streamlined Access: Users benefit from the convenience of accessing the application along with other integrated services without multiple logins.

By opting for SSO, users and organizations alike benefit from enhanced security, greater convenience, and more efficient management of access controls.
Reporting

Reports

There are app produced reports and data extraction reports for analysis elsewhere.

Key reports include:

- Share Certificates (see /transactions)

- Cap Table analysis

- Transaction history

- Org Charts showing company relationships

- Valuation history

- Outstanding Due Diligence

Share Certificates

To view a share certificate, go to Reports - Actor Portfolios. Select the actor and view their holdings. Click on the certificate icon to view the certificate - this shows the latest position along with a statement of transactions.

Shareable links

Click on the copy icon and the share certificate can be viewed externally via a link.

If this link is clicked on more than 10 times, the key will be reset and the actor will have to request another link from the super admin. These links also expire after 7 days. To reactivate, visit or refresh the Actor Portfolio page to create a new link.
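The link policy described above (7-day lifetime, reset once the link is clicked more than 10 times), as an added example that is not Captrii's own code. The `ShareLinkStore` class, its in-memory map and the choice to store only a SHA-256 hash of each key are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

const MAX_CLICKS = 10;                        // from this page
const LIFETIME_MS = 7 * 24 * 60 * 60 * 1000;  // 7 days, from this page

// Hypothetical in-memory store; a deployment would back this with a table.
class ShareLinkStore {
  constructor() {
    this.links = new Map(); // sha256(key) -> { actorId, issuedAt, clicks }
  }

  static digest(key) {
    return crypto.createHash('sha256').update(String(key)).digest('hex');
  }

  // Issue a fresh random key. Only its hash is kept, so a copy of the
  // store does not contain working links.
  issue(actorId, now = Date.now()) {
    const key = crypto.randomBytes(32).toString('hex');
    this.links.set(ShareLinkStore.digest(key), { actorId, issuedAt: now, clicks: 0 });
    return key;
  }

  // Returns { ok: true, actorId } or { ok: false, reason }.
  redeem(key, now = Date.now()) {
    const id = ShareLinkStore.digest(key);
    const link = this.links.get(id);
    if (!link) return { ok: false, reason: 'unknown' };
    if (now - link.issuedAt >= LIFETIME_MS) {
      this.links.delete(id);
      return { ok: false, reason: 'expired' };
    }
    link.clicks += 1;
    if (link.clicks > MAX_CLICKS) {
      this.links.delete(id); // key reset: a new link has to be created
      return { ok: false, reason: 'click-limit' };
    }
    return { ok: true, actorId: link.actorId };
  }
}
```

Counting the click before checking the limit means the eleventh request is the one that resets the key, and every later request with the old key is reported as unknown.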

Date

A share certificate typically includes the date of issuance. This is the date on which the company officially issues the shares to the shareholder. It is an important piece of information because it establishes when the ownership of the shares was transferred to the shareholder.

Valuations

Assigning a value to a legal entity can pose significant challenges. Unlike entities listed on stock exchanges, which benefit from a marketplace with active buyers and sellers, assessing the fair value of businesses operating in illiquid markets where there are minimal buyers and sellers requires a reliance on historical data and goodwill valuations.

While in theory a company's value is traditionally grounded in the dividends it distributes, practical valuations often extend beyond historical performance. Prospective buyers frequently focus on future events and potential developments that could enhance a firm's net revenues and market positioning. Numerous variables influence the demand and supply price of a business, with sentiment playing a pivotal role. For instance, businesses oriented towards artificial intelligence (AI) or frontier technologies may command valuations several times higher than their current or anticipated revenues.

The valuation of a business that has recently issued equity is calculated by multiplying the price paid for each equity unit by the number of issued shares. However, when it comes to equity that provides controlling or near-controlling stakes, the price may significantly escalate.

Several factors contribute to the complexity of the valuation process, including:

- Target Active Market

- The Management Team

- The Stickiness of Revenues

- The Complexity or Simplicity of the Cap Table

- Other Investors Involved

- Tax Location

- Adverse Media

- Branding and Marketing

- Sector Ranking

- Future Prospects

This list illustrates that business valuation is a multifaceted endeavor influenced by a myriad of elements that extend beyond mere financial metrics.

Price per unit

In the Valuations page, an assumed price per unit can be applied and the valuation of the entity and individual stakeholders viewed. Select the assets to view valuations of these.

Understanding Cap Tables and Accounting

In straightforward terms, a capitalization table, or cap table, provides a comprehensive overview of the capital invested in a business. This capital, often referred to as equity (though it might encompass debt instruments as well), is a crucial aspect of financial reporting, adhering to standards like US GAAP or IFRS.

In financial reports, equity is typically classified as long-term and is detailed as Share Capital, calculated as the nominal value of shares multiplied by the number of shares issued, and Share Premium, representing the amount paid for shares beyond their nominal value.

It's essential for an accounting system to align with the cap table, ensuring accurate financial representation. Let's delve into an example to illustrate this concept:

Example: Charlie Ng's Investment

Charlie Ng acquires 500 shares, each with a nominal value of $1. She pays a total of $1000, indicating that she has contributed $500 above the nominal price.

The corresponding entry in the balance sheet, assuming she pays in cash for the shares, would look like this:

Debit Cash: $1000

Credit Share Capital: $500

Credit Share Premium: $500

On the cap table, Charlie Ng would be listed as the owner of 500 shares, with a total investment of $1000. The accounting system would concurrently display a Share Capital and Share Premium account, collectively amounting to $1000. This synchronization ensures that both the cap table and the accounting records accurately reflect the financial position of the business.

Organization Chart

This is a high level view showing the relationships and ownerships of legal entities.

These reports can be configured and tailored by us if required. The charts are as deep as the relationships.
Configuration

Technical

Captrii is a web based app. Although it is configured to operate using our cloud, we are able to use your own servers or cloud if required.

Captrii works best in Chromium browsers like Edge or Chrome. If you use another browser then let us know and we can validate it can be used safely.

Settings

Settings allow the user to configure their use of Captrii. These can be turned off by the SuperAdmin.

Examples include:

1. Set the base currency and location for legal entities.

2. Set up private keys for document encryption

3. Set up APIs to the various third party feeds

4. Choice of blockchain
Maintenance

Terms we use

The key concept of Captrii is what we call the 'A' Protocol.
Actor

Describes an individual, a group of individuals, or a legal entity such as a corporation or partnership. An Actor can assume multiple roles, such as a share owner, director or CEO. The term Stakeholder is often used interchangeably. Legal entities in this context are referred to as non-naturals. An actor is owned by a user but can be shared with other users.

Asset

Represents a portion of the business that can be acquired either in fractions or as a whole, particularly when owning 100% of the equity.

Agreement

Refers to the contract established by a stakeholder with a legal entity during the acquisition of an Asset. This is sometimes termed the Subscription agreement. Examples include option agreements such as SAFEs or the straightforward acquisition of shares with contract terms and conditions outlined in the constitutional documents of the legal entity such as the articles of association.

Allotment

Denotes the execution of the Agreement between the Asset owner, the legal entity, and the Actor acquiring the Asset. A mapping table is used to keep a history and audit trail of all transactions.

Group

A group is a collection of legal entities with cap tables. In the actors page, a legal entity can be flagged as having a cap table. If yes, then c-ptable can be used to record details. If no, then the legal entity can only be used as an investor or assigned a role such as a Director.

Subscription

If an actor subscribes, they have a contractual obligation to pay for the quantity of units acquired. An unsubscribed actor is someone who may subscribe.

Steps to Create Your First Organization With a Cap Table

Select Actors

- Add an actor and assign it as a non natural person or company.
- Ensure the cap table is checked.


Select Assets

- Add a share, such as an Ordinary A share.


Create an Agreement

- Draft a share agreement to obtain the asset, either in full or in part.


Select Allotments

- Assign the share agreement to the asset.
- Allocate this asset to an actor.
- Record the quantity of shares purchased.


Generate Reports

- Go to the Reports section and select "Entity Cap Table."
- View your holdings in comparison to other stakeholders.


View Transactions

- Search for the actor in the Transactions section.
- Click on the certificate associated with the transaction.
- View the blockchain to see the timestamp of the transaction.

These steps should provide a clear and concise guide for creating your first organization and managing its shares and agreements.

Users and access

There are a number of user types such as Reporter, Signatory, Default and Admin. You may have one or more of these types.

Your Organization administrator(s) will be assigned an admin role, which means they allocate users to various functions.

A user is assigned to a Group. The user can create legal entities. These are then part of the Group. Those that have cap tables are called cap table legal entities.

The upper corner of the app shows the Group the user belongs to and the captable legal entities that are part of that Group.


New User

- The user registers on the website. They can register using SSO such as Google, Apple or Microsoft. They can also register with an email. These processes work slightly differently. You may be invited to log on by your group admin.

- Email: An encrypted user name and a hashed password are inserted into the users table. The isLive flag is set to 0 (i.e. not Live). The registration json is inserted into the Registration field.

- Email - Make go live. There are a number of conditions that must be set. The isLive flag is set to 1. Also the client or clients associated with this user must be added to the ClientId field. They are integers and are comma delimited. The ClientId is also called the Group Id.

- SSO: A record is created in the users table. The SSO id is entered into the relevant field. The registration json is inserted into the registration field.

- SSO - Make go live. There are a number of conditions that must be set. The isLive flag is set to 1. Also the client or clients associated with this user must be added to the ClientId field. They are integers and are comma delimited. The ClientId is also called the Group Id. The user column will be null. This must be a value, otherwise the authentication will not work. Copy in the goid or hash the goid instead.

- The new user will not be assigned to any groups so a group must be set up.

- Go to Subscriptions and add a new group for this user. Note the group id and set it in the Users record.

- When the user signs in they will be able to select this new group and then create new cap table legal entities.


Assigning users to a group

- Other users can be given access to this group controlled by the user above. The user record is updated to reflect they can access other groups - the group id is used, separated by commas.

Bulk upload of actors, assets, agreements and allotments.

To speed up onboarding an existing cap table, a templated spreadsheet can be used. This will allow for immediate population of actors, assets, agreements and allotments with most key fields accounted for.

The process is to use the spreadsheet to add the data required and then create a JSON file for upload. This is plain text, so it should be treated carefully. If the actors already exist there will be duplicates, so it is advisable to use this for initial onboarding.

It has been tested for up to 3 levels of ownership (HoldCo -> Sub -> Sub of Sub).

Roll back

In Captrii there is a menu option to upload the JSON. Previously uploaded JSON can be deleted.
General

Blockchain

We leverage blockchain technology to provide proof of records. We do not store any confidential data or information that could be traced back to its origin. Instead, we use blockchain to create immutable timestamps and verify events.

While many blockchain applications focus on managing and tracking digital assets like Bitcoin, we utilize its key advantages for record validation. One of the most significant benefits of blockchain is its reliability: it operates 24/7 and is accessible globally, with some exceptions due to censorship.

Each transaction is securely timestamped and, with the help of user-friendly and fast search tools known as explorers, verifying the timestamp of a record becomes quick and efficient.
Technicals

Blockchain security process

Writing and reading to a blockchain involves transmitting sensitive security data such as private keys to the client.

Logon Process

User Authentication

- A user must log in to the server.
- Upon successful login, the server places an HTTPS-protected cookie on the user's device. This cookie cannot be read by the user or any third-party software. It serves as a session value, acting as a handshake between the client and the server to ensure authenticated communication.

Multi-Factor Authentication (MFA)

- Users are required to authenticate using multiple factors (e.g., SMS-based codes, authenticator apps, or biometric verification).

- URL Validation and CORS Implementation: The URL the user logs in from is validated against the server's whitelist. With CORS implemented, the server will only communicate with the URLs it has served.

- The server records the user's IP address to ensure it matches previous IP addresses. If there is a new IP address from another country, the server may challenge the user for additional verification.

- IP Whitelisting: Access is restricted to pre-approved IP addresses, especially for administrative or high-privilege accounts.
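The session cookie and origin whitelist described above, as an added example that is not Captrii's own code. The cookie name, the 15-minute lifetime, the two origins and the function names are assumptions; the point shown is exact-match origin checking and refusing state-changing requests on the server, since CORS headers only tell the browser what a page may read.

```javascript
// Origins the app is served from (constructed values, not Captrii's).
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Session cookie: sent over HTTPS only and hidden from page script.
// The __Host- prefix makes the browser require Secure, Path=/ and no Domain.
function sessionCookie(sessionId, maxAgeSeconds = 900) {
  return [
    `__Host-session=${encodeURIComponent(sessionId)}`,
    'Path=/',
    'Secure',
    'HttpOnly',
    'SameSite=Strict',
    `Max-Age=${maxAgeSeconds}`,
  ].join('; ');
}

// CORS response headers for an allowlisted origin, or null otherwise.
// Exact string match only: no prefix, suffix or regular-expression tests.
function corsHeaders(origin) {
  if (typeof origin !== 'string' || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // caches must not reuse the answer for another origin
  };
}

// Server-side gate: a state-changing request must carry an allowlisted
// Origin, otherwise it is rejected before any handler runs.
function checkRequest(method, origin) {
  const stateChanging = !['GET', 'HEAD', 'OPTIONS'].includes(String(method).toUpperCase());
  const headers = corsHeaders(origin);
  if (stateChanging && headers === null) return { status: 403, headers: {} };
  return { status: 200, headers: headers || {} };
}
```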


JavaScript Integrity Check

- The server serves the JavaScript used by the client to interact with the blockchain. The script is hashed and compared with the hashed script used by the client to prevent JavaScript injections or modifications. If the hashes do not match, the client will be disconnected from the server.
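One way to implement the comparison described above, as an added example that is not Captrii's own code. SHA-384 in Subresource Integrity format, the function names and the sample script text are assumptions.

```javascript
const crypto = require('node:crypto');

// Constructed sample of a served script and a modified copy of it.
const SERVED = 'function signAndSend(tx) { return wallet.sign(tx); }\n';
const TAMPERED = SERVED + 'fetch("https://collector.invalid/", { method: "POST" });\n';

// Digest of the exact bytes the server serves, in SRI format
// ("sha384-" followed by the base64 hash).
function scriptDigest(source) {
  const hash = crypto.createHash('sha384').update(source, 'utf8').digest('base64');
  return `sha384-${hash}`;
}

// Compare two digest strings without leaking where they differ. Both are
// hashed again so timingSafeEqual always receives equal-length buffers.
function digestsMatch(expected, reported) {
  const a = crypto.createHash('sha256').update(String(expected)).digest();
  const b = crypto.createHash('sha256').update(String(reported)).digest();
  return crypto.timingSafeEqual(a, b);
}

// Decide whether a client may continue, given the digest it reports for
// the script it is running.
function checkClientScript(servedSource, reportedDigest) {
  const expected = scriptDigest(servedSource);
  const action = digestsMatch(expected, reportedDigest) ? 'continue' : 'disconnect';
  return { action, expected };
}
```

A digest reported by the client is only as trustworthy as the code that computed it, so the same value is also worth placing in the script tag's `integrity` attribute, where the browser itself refuses to run a file that does not match.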


Secure Transmission of Private Keys

- When a private key is sent to the client, it is encrypted using a credential known to both the server and the client, such as a hash of the username and password with a salt (e.g., the date and time of the user's login).

- The client decrypts the JSON containing the private key, which is transmitted over end-to-end HTTPS as is common practice. Once the JSON is decrypted and the private key is used, the JSON is set to null and disposed of immediately, ensuring it is not stored on the device.

- Client-Side Encryption: Sensitive data is encrypted on the client side before being sent to the server for an extra layer of security.

- Time-Limited Access Tokens: Tokens generated for accessing the private key expire after a short period, limiting the window for potential misuse.

- Secure Storage Solutions: Use hardware security modules (HSMs) or secure enclaves for key management to protect private keys and other sensitive data from extraction.
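The key transport described above, as an added example that is not Captrii's own code. It assumes scrypt in place of a plain hash for deriving the shared key and AES-256-GCM for the envelope; the function names, the envelope fields and the sample wallet are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Derive a 256-bit key from the credential both sides know. The salt is
// the login timestamp, as on this page, e.g. "2024-05-01T09:30:00Z".
function deriveKey(username, password, loginTime) {
  return crypto.scryptSync(`${username}:${password}`, loginTime, 32);
}

// Server side: wrap the private-key JSON in an authenticated envelope.
function wrapPrivateKey(walletJson, key) {
  const iv = crypto.randomBytes(12); // fresh nonce for every envelope
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([
    cipher.update(JSON.stringify(walletJson), 'utf8'),
    cipher.final(),
  ]);
  return {
    iv: iv.toString('base64'),
    ct: ct.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
  };
}

// Client side: unwrap, pass the wallet to `use`, then overwrite the
// plaintext buffer and the derived key. Throws if the key is wrong or the
// envelope was modified. JavaScript strings cannot be wiped, so the parsed
// object should not outlive the callback.
function withPrivateKey(envelope, key, use) {
  const iv = Buffer.from(envelope.iv, 'base64');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(Buffer.from(envelope.tag, 'base64'));
  let plain;
  try {
    plain = Buffer.concat([
      decipher.update(Buffer.from(envelope.ct, 'base64')),
      decipher.final(), // authentication is checked here
    ]);
    return use(JSON.parse(plain.toString('utf8')));
  } finally {
    if (plain) plain.fill(0);
    key.fill(0);
  }
}
```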


Audit Trail

- After the blockchain interaction is completed, an audit trail is sent to the server as a log item.

- Detailed Logging and Monitoring: Maintain detailed logs of all activities and monitor them for suspicious behavior to quickly detect and respond to potential security incidents.


Additional Security Measures

- Device Fingerprinting: Use device fingerprinting to uniquely identify the client device, ensuring consistent device usage.

- Rate Limiting: Implement rate limiting to prevent brute force attacks.

- Session Timeout and Re-authentication: Set short session timeouts and require re-authentication for critical actions to minimise the risk of session hijacking.

- Regular Security Audits: Conduct regular security audits and penetration testing to identify and rectify potential vulnerabilities.

- Data Anonymisation: Anonymise user data where possible to reduce the risk in case of data leakage.


Security Measures

- This approach minimizes the leakage of private keys.

- The monetary value in the wallet is limited to less than 100 USD.

- Each blockchain write operation uses a newly created wallet.
