Non-Custodial Security: Why We Don't Want Your Keys
The first question we get from every CTO is: "Do I have to give you my private keys?"
The answer is a hard NO.
Here is why Non-Custodial Security is the only viable architecture for Agentic Finance, and how PolicyLayer implements it.
The Risk of Centralized Custody
If a security provider holds your keys (even in an MPC enclave), they become a Single Point of Failure.
- If they get hacked, you lose everything.
- If they get subpoenaed, your funds can be frozen.
- If they go offline, your business stops.
The PolicyLayer Model: "Check, Don't Hold"
We designed PolicyLayer to be an Enforcement Sidecar, not a Vault.
What We See
- Transaction Metadata: To: 0x123, Value: 10 USDC, Chain: 8453.
- Policy Rules: Limit: $100.
What We NEVER See
- Seed Phrases
- Private Keys
- API Secrets for other services
The Flow
- You execute the code on your server.
- Your server calculates the transaction intent.
- You send only the intent to us.
- We say "Yes/No" (cryptographically signed).
- You sign the transaction on your server using your key.
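The flow above, as an added example that is not PolicyLayer's own code: your server hashes the intent, the policy side returns a verdict bound to that hash, and your server refuses to sign unless the verdict verifies and matches the intent it actually sent. The keys, the HMAC-based attestation (a stand-in for an asymmetric signature) and the 1 USDC = $1 assumption are constructed for this example.

```python
import hashlib
import hmac
import json
# Constructed keys so the example runs offline. Assumption: the service's
# attestation is an HMAC here (stdlib only); a deployment would use an asymmetric
# signature so your server needs only the service's public key.
POLICY_ATTESTATION_KEY = b"constructed-policy-service-attestation-key"
SERVER_PRIVATE_KEY = b"constructed-server-private-key-never-sent"

def canonical(obj: dict) -> bytes:
    """Deterministic JSON so both sides hash exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def intent_hash(intent: dict) -> str:
    return hashlib.sha256(canonical(intent)).hexdigest()

# --- Policy service side: receives metadata and rules, never a key ----------
def evaluate_intent(intent: dict, policy: dict) -> dict:
    """Return a verdict bound to the intent hash and attested with a MAC."""
    reasons = []
    if intent["chain"] not in policy["allowed_chains"]:
        reasons.append("chain not allowed")
    if intent["value_usd"] > policy["limit_usd"]:  # assumption: 1 USDC == $1
        reasons.append("value exceeds limit")
    verdict = {"intent_hash": intent_hash(intent), "approved": not reasons,
               "reasons": reasons}
    verdict["attestation"] = hmac.new(POLICY_ATTESTATION_KEY, canonical(verdict),
                                      hashlib.sha256).hexdigest()
    return verdict

# --- Your server side: holds the key, checks the verdict, then signs --------
def verify_verdict(intent: dict, verdict: dict) -> bool:
    """Reject verdicts that were forged or issued for a different intent."""
    body = {k: v for k, v in verdict.items() if k != "attestation"}
    expected = hmac.new(POLICY_ATTESTATION_KEY, canonical(body), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected, verdict["attestation"])
            and verdict["intent_hash"] == intent_hash(intent))

def sign_locally(intent: dict) -> str:
    # Stand-in for signing with your own key; the key never leaves this process.
    return hmac.new(SERVER_PRIVATE_KEY, canonical(intent), hashlib.sha256).hexdigest()

def submit(intent: dict, policy: dict):
    verdict = evaluate_intent(intent, policy)  # in practice an HTTPS call carrying only the intent
    if not verify_verdict(intent, verdict):
        raise ValueError("verdict failed verification; refusing to sign")
    if not verdict["approved"]:
        return None, verdict["reasons"]
    return sign_locally(intent), []
```

Binding the verdict to the intent hash is what stops an approval issued for one transaction from being replayed against another.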
Compliance Without Compromise
This architecture allows regulated entities to use PolicyLayer without violating custody rules. You remain the sole custodian of your assets at all times. We just provide the digital signature of approval.
Trust verification. Don't trust custody.
