Custody model
Path never holds user funds. Capital deposited into a partner rail stays with that rail’s custodian or, where the rail allocates directly, inside the underlying yield protocol’s smart contracts. Path is read-only against on-chain state and produces signals; the partner’s execution stack is what moves capital.
What Path holds
Nothing. No custody and no withdrawal authority over user funds.
What the partner holds
Full custody, full execution authority, full discretion over which signals to act on and which to defer.
Operational security
- Data isolation. Production and staging are separated at the infrastructure level. Secrets live in a managed secret store, never in source control.
- Continuous verification. Every number published on a Path surface is re-computed from canonical SQL on a regular cadence; drift beyond the published tolerance auto-files an incident and pages on-call.
- Access controls. Database access is role-isolated. Read access is logged. Write access to production data is restricted to the pipeline service account and a small set of operator identities.