Security model
Bitcoin Bastion Security
A no-custody, operator-controlled model for serious users and developers. Claims below are scoped to the current baseline, and future capabilities are clearly marked as such.
No-Custody Visual Seal
No seed phrases. No private keys. No custodial control. No automatic transaction signing.
Human Confirmation Firewall (demo)
Step 1: Policy trigger. High-risk condition detected.
Step 2: Human review. Operator validates evidence and context.
Step 3: Explicit confirmation. Only then can downstream action proceed.
Demo flow for model explanation; not a claim of fully automated production workflow coverage.
Security model diagram
Watch-only data → Policy Engine → Human Confirmation Firewall → External signer (future/required)
Bastion remains advisory; signing authority stays external.
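An illustration of the three-step flow above, added here and not Bitcoin Bastion's own code: a gate that holds a high-risk proposal, releases it only when the operator confirms the digest of the exact action they reviewed, and records each checkpoint in a hash-chained log. The class name, the `max_auto_sats` threshold, the action fields and the hash chaining are assumptions made for the example.

```python
import hashlib, json
def digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

class ConfirmationFirewall:
    """Advisory gate: holds no keys and never signs; it only decides release."""
    def __init__(self, max_auto_sats):
        self.max_auto_sats = max_auto_sats  # hypothetical policy threshold
        self.pending = set()                # digests of held actions
        self.audit = []                     # hash-chained checkpoints

    def _log(self, event, action_digest, actor):
        entry = {"event": event, "action": action_digest, "actor": actor,
                 "prev": self.audit[-1]["hash"] if self.audit else "0" * 64}
        entry["hash"] = digest(entry)       # covers the previous entry's hash
        self.audit.append(entry)

    def propose(self, action):  # Step 1, policy trigger: 'pass' or 'held'
        d = digest(action)
        risky = action["amount_sats"] > self.max_auto_sats or not action["dest_known"]
        if risky:
            self.pending.add(d)
        self._log("policy_hold" if risky else "policy_pass", d, "policy-engine")
        return "held" if risky else "pass"

    def confirm(self, action, operator, reviewed_digest):  # Steps 2 and 3
        d = digest(action)
        ok = d in self.pending and reviewed_digest == d
        if ok:
            self.pending.discard(d)         # one confirmation, one release
        self._log("confirmed" if ok else "confirm_rejected", d, operator)
        return ok

    def audit_intact(self):
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def demo():
    # Constructed watch-only proposal; no key material is involved anywhere.
    action = {"amount_sats": 250_000_000, "dest_known": False, "psbt_id": "example-1"}
    fw = ConfirmationFirewall(max_auto_sats=1_000_000)
    state = fw.propose(action)
    tampered = dict(action, amount_sats=900_000_000)  # changed after review
    return state, fw.confirm(tampered, "alice", digest(action)), fw.confirm(action, "alice", digest(action)), fw
```

Binding the confirmation to a digest means an action altered after review, or a confirmation replayed a second time, is rejected and still leaves an audit entry.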
Security controls and capability status
No seed phrases (Implemented baseline): Bitcoin Bastion does not accept, process, or request mnemonic seed phrases.
No private key storage (Implemented baseline): Private keys are outside platform scope and must remain in external custody systems.
No custodial control (Implemented baseline): The platform is advisory-only and does not hold funds or signing authority.
No automatic transaction signing (Implemented baseline): No autonomous signing or broadcast pipeline is provided.
Watch-only direction (Implemented baseline): Data surfaces are designed for watch-only intelligence and risk review workflows.
PSBT-first future direction (Planned direction): Future integration direction prioritizes PSBT-compatible boundaries with external signers.
External signing model (Planned direction): Signing should remain external to Bastion via user-controlled hardware/software signers.
Human Confirmation Firewall (Implemented baseline): Risky actions require explicit human confirmation and auditable checkpoints.
Policy Engine (Implemented baseline): Policy constraints drive advisory outputs and operational guardrails.
Audit Log (Implemented baseline): Operator-relevant events are expected to be captured for review and traceability.
Role-based access (Baseline / evolving): Access boundaries are role-oriented and continue maturing with enterprise controls.
AI action restrictions (Implemented baseline): AI-assisted flows are constrained from custody operations and key-material interactions.