Non-custodial by design. By default. By code.
Six security principles, the cryptography behind them, and the boundaries every UTXO product respects. Plain-language. No marketing claims we can't back up.
What 'security-first' actually means for UTXO
Non-custodial by design
We literally cannot move your funds. Seed phrases, private keys and the master password never leave your device unencrypted. Our servers don't have a copy because they were never sent one.
SafeSign on every signature
Every wallet request — connect, sign, approve, send, chain change — is decoded by the local Security Core kernel before it reaches the confirmation popup. Unlimited approvals, off-chain Permit drains and raw eth_sign are flagged in plain language.
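The kind of pre-confirmation check described above, as an added example (this is not UTXO's Security Core code). The function names `decodeApprove` and `reviewRequest`, the flag strings and the sample requests are assumptions made for illustration; the `approve(address,uint256)` selector and the `Permit` primary type come from the ERC-20 and ERC-2612 standards.

```javascript
// Added sketch, not UTXO's Security Core. reviewRequest, decodeApprove and the
// flag names are hypothetical; sample requests at the bottom are constructed.
const APPROVE_SELECTOR = "095ea7b3"; // ERC-20 approve(address,uint256)
const MAX_UINT256 = (1n << 256n) - 1n;

// Decode approve() calldata: 4-byte selector plus two 32-byte words (136 hex chars).
function decodeApprove(data) {
  const hex = String(data || "").toLowerCase().replace(/^0x/, "");
  if (hex.length !== 136 || !/^[0-9a-f]+$/.test(hex)) return null;
  if (hex.slice(0, 8) !== APPROVE_SELECTOR) return null;
  return { spender: "0x" + hex.slice(32, 72), amount: BigInt("0x" + hex.slice(72)) };
}

// Return plain-language flags for one JSON-RPC wallet request.
function reviewRequest({ method, params = [] }) {
  const flags = [];
  if (method === "eth_sign") {
    flags.push("RAW_ETH_SIGN: signs opaque bytes the wallet cannot decode");
  } else if (method === "eth_signTypedData_v4") {
    let typed;
    try {
      typed = typeof params[1] === "string" ? JSON.parse(params[1]) : params[1];
    } catch {
      return ["UNDECODABLE_TYPED_DATA: payload is not valid JSON"];
    }
    // ERC-2612 uses primaryType "Permit"; Permit2 variants share the prefix.
    if (typed && String(typed.primaryType).startsWith("Permit")) {
      flags.push("OFFCHAIN_PERMIT: signature grants token allowance without a transaction");
    }
  } else if (method === "eth_sendTransaction") {
    const call = decodeApprove(params[0] && params[0].data);
    if (call && call.amount === MAX_UINT256) {
      flags.push(`UNLIMITED_APPROVAL: ${call.spender} may spend any amount of this token`);
    }
  }
  return flags;
}

// Constructed samples (the spender address is a placeholder).
const unlimited = "0x095ea7b3" + "0".repeat(24) + "11".repeat(20) + "f".repeat(64);
console.log(reviewRequest({ method: "eth_sendTransaction", params: [{ data: unlimited }] }));
console.log(reviewRequest({ method: "eth_sign", params: ["0xabc", "0x" + "00".repeat(32)] }));
```

A bounded approval or a plain transfer returns an empty list, so only the three request shapes named above reach the user as warnings.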
Local-first storage
Documents, vaults, customer records and Guard activity logs live in a namespaced vault on your machine. Encrypted cloud sync is opt-in, not the default. Cancel a subscription and your data stays where it is.
No auto-sign, no auto-broadcast
Every sensitive action requires your explicit confirmation. There is no 'approve all' button. There is no transaction queue that fires while you're away.
BYOK AI — wallet data never reaches AI providers
AI features run against the API key you supply (Anthropic / OpenAI / Gemini / Mistral / local Ollama). Seeds, keys and balance data are filtered in code before any prompt leaves the device.
Zero telemetry
No analytics, no third-party tracking pixels, no usage funnels. Guard's activity log lives in chrome.storage.local and never leaves the browser. We charge for software, not your data.
The primitives inside the vault
The wallet vault is encrypted on-device using audited browser primitives. We deliberately picked the standard library (WebCrypto SubtleCrypto) over rolling our own — implementing cryptography from scratch is how funds get drained.
Who sees what inside the wallet extension
The browser extension is split across four execution contexts. Each layer only has what it needs to do its job. The vault and signing operations live exclusively in the background service worker.
Reporting a security issue
We take security disclosures seriously. If you've found a vulnerability in any UTXO product, please email [email protected] — we respond within one business day. PGP key on request.
- Please don't publicly disclose until we've had a chance to fix it.
- Reproducible steps are gold. Screenshots help.
- Severe issues that allow fund extraction qualify for our bounty (formal program launches alongside the Wallet audit).
- Out of scope: clickjacking on pages without auth, missing best-practice HTTP headers without a demonstrable impact, theoretical attacks without working PoC.
Honest answers about the things we get asked
Has UTXO Wallet been externally audited?
The first external audit is scheduled before the Chrome Web Store listing publishes. Until then, UTXO Wallet ships as a labeled Beta and is not recommended for storing large balances. Use Guard alongside your existing wallet in the meantime — Guard is read-only and carries no audit risk.
Where does the master password live?
Only in memory while you have the wallet unlocked. We never persist it. We never sync it. When the idle-lock fires, the in-memory copy is zeroed and you have to re-enter it.
What happens if I forget the master password?
We cannot help you recover it — we don't have it. You can restore from your BIP39 seed phrase backup. This is the whole point of self-custody.
Is Guard required to use the wallet?
No. Guard's SafeSign decoder is embedded inside the wallet directly. Guard is a standalone product for users who use other wallets and want the same pre-confirmation review.
Do you collect anything?
Account email + plan SKU for billing. That's it. Documents, vault contents, wallet balances, Guard activity, AI prompts — none of those reach our servers. See the Privacy Policy.