This page describes the controls ISTRUCTURE currently operates. It's maintained by the ISTRUCTURE team; it isn't an independent audit or certification. Where we depend on third parties, we say so.
Every investor completes identity verification before they can buy, trade, or withdraw. We collect government-issued ID and address proof, matched against sanctions and PEP lists.
Documents are stored in an encrypted, access-restricted bucket. Only reviewers on our compliance team can view them, and every access is logged in our admin audit trail.
Property title is held by a Nigerian SPV set up per listing. Investors own a fractional beneficial interest in that SPV, tracked as tokens on the platform.
Fiat balances (USD, USDC, USDT) are held in segregated wallets — separate from operating accounts, and reconciled against our on-platform ledger daily.
We do not co-mingle investor funds with company treasury.
All traffic is HTTPS-only with HSTS. Authentication uses time-based OTP (TOTP) or provider-managed OAuth (Google). Admin accounts require step-up MFA before any privileged action.
The database enforces row-level security: users can only read and write their own data. Privileged operations pass through a role-checked audit log recording actor, action, and before/after state.
Secrets are stored in a managed vault, never in source control. We rotate signing keys and API keys on a defined schedule.
Buy orders lock funds in your wallet before placing — you can't spend the same dollar twice, and cancellations release the reservation instantly.
Every trade writes a matched pair of ledger entries (debit + credit) and a price tick. The ledger is append-only; corrections happen through offsetting entries, not edits.
Fees are transparent: taker 1.0%, maker 0.5%, and 2.0% origination on new pledges. There are no hidden spreads.
We collect only what we need to operate the platform and satisfy KYC/AML law. You can request an export or deletion of your data by emailing privacy@istructure.app.
We do not sell your personal information. See our full privacy policy for details.
ISTRUCTURE handles platform security, custody controls, and settlement integrity. You are responsible for keeping your account credentials, MFA device, and payout method details safe.
Use a strong unique password, enable MFA, and never share your one-time codes with anyone — including someone claiming to be from ISTRUCTURE support.
Found a security issue? Please email security@istructure.app with a description and reproduction steps. We acknowledge every report within one business day and don't take legal action against good-faith researchers.
SOC 2, ISO 27001, and independent penetration test reports are on our roadmap — we'll list them here once they're complete. If you're a partner, custodian, or institutional investor and need answers to a security questionnaire, email security@istructure.app and we'll respond within one business day.