Security

How we protect your donations and data

Security is foundational to PolyFund. We employ multiple layers of protection to ensure your donations are secure and your personal information is protected.

Security Overview

PolyFund combines blockchain transparency with enterprise-grade security practices to protect every transaction and piece of data on our platform:

  • Secure smart contracts on the Base blockchain
  • End-to-end encryption for all data transmission
  • KYC verification through Coinbase's secure infrastructure
  • Regular security audits and monitoring

Blockchain Security

PolyFund operates on the Base blockchain, an Ethereum Layer 2 network built by Coinbase. This provides:

  • Immutability: Transactions cannot be altered or reversed once confirmed
  • Transparency: All transactions are publicly verifiable
  • Decentralization: No single point of failure
  • Proven Security: Built on Ethereum's battle-tested infrastructure

Smart Contract Security

Our smart contracts handle the routing of USDC donations from donors to campaign wallets. Security measures include:

  • Professional third-party security audits
  • Formal verification of critical contract logic
  • Multi-signature requirements for administrative functions
  • Time-locked upgrades with community visibility
  • Bug bounty program for responsible disclosure

Wallet Security

PolyFund integrates with Thirdweb for secure wallet connections. We support multiple wallet options and never have access to your private keys:

  • Non-custodial: You maintain full control of your wallet
  • Secure connection protocols (WalletConnect, injected providers)
  • Transaction signing happens in your wallet, not on our servers
  • Support for hardware wallets for maximum security

Data Encryption

We protect your personal information with industry-standard encryption:

  • In Transit: TLS 1.3 encryption for all communications
  • At Rest: AES-256 encryption for stored data
  • Database: Encrypted PostgreSQL with secure access controls
  • Backups: Encrypted and stored in geographically distributed locations

KYC Partner Security

Identity verification is handled by Coinbase, a publicly traded, regulated financial institution. Coinbase provides:

  • SOC 2 Type II certified infrastructure
  • Bank-grade identity verification processes
  • Secure handling of government ID documents
  • Compliance with financial services regulations

We receive only verification status, not copies of your identity documents.

Access Controls

Internal access to PolyFund systems is strictly controlled:

  • Role-based access control (RBAC) for all systems
  • Multi-factor authentication required for all team members
  • Principle of least privilege for data access
  • Comprehensive audit logging of all administrative actions
  • Regular access reviews and deprovisioning

Monitoring & Detection

We continuously monitor for security threats:

  • 24/7 automated security monitoring
  • Intrusion detection and prevention systems
  • Anomaly detection for suspicious transaction patterns
  • Real-time alerting for potential security incidents

Incident Response

In the event of a security incident, we have established procedures:

  • Documented incident response plan
  • Dedicated security team for rapid response
  • User notification within 72 hours of confirmed breaches
  • Coordination with law enforcement when appropriate
  • Post-incident analysis and remediation

Responsible Disclosure

We welcome responsible security research. If you discover a vulnerability:

  • Email us at security@polyfund.us
  • Include detailed steps to reproduce the issue
  • Allow us reasonable time to respond and fix the issue
  • Do not publicly disclose until we've addressed the issue

We appreciate security researchers who help us protect our users.

Security Questions?

For security concerns or to report a vulnerability: