Self-custody (default)
Your treasury keys are held in an Arsenal vault — our credential broker. Encrypted at rest with a user-owned passphrase, zeroized in memory after every use, never accessible to Orgs operators. Hardware keys (YubiKey, Ledger Nano, Trezor) are supported for founder-signed operations. When a founder signs via hardware key, the signature is injected into the transaction without the private key ever leaving the device.When to use institutional custody
If your crypto treasury exceeds $1M, we strongly recommend institutional custody. Self-custody at that scale demands operational security posture most entities don’t have.Coinbase Custody
- SOC 2 Type II, FDIC-equivalent insurance
- Multi-party approval for withdrawals
- Integrates with Orgs governance — proposals flow through to their signing
- $100K minimum, ~25 bps annual custody fee
BitGo
- Qualified custodian status (South Dakota trust)
- Multi-sig with BitGo as one signer
- $100K minimum, negotiable fees
Chain adapters
Orgs supports three execution adapters plus an in-memory mock:Solana Realms
Production. Proposals, votes, and treasury disbursement execute on-chain via SPL Governance program. Multi-sig treasury via SPL Governance native multisig.Sigil
L1fe-native governance chain. MACA 4-round BFT consensus. 58 transaction types including governance, treasury, membership. Single-block finality.Ethereum
Beta. Works with Safe (formerly Gnosis Safe) for multi-sig + custom Orgs governance modules. L2 support via the same Safe infrastructure (Base, Optimism, Arbitrum).Mock
In-memory adapter with identical interface. Used in tests and for local development.Key rotation
Keys rotate on schedule:- ACT (Arsenal Capability Tokens) — 1 hour default
- Per-entity treasury signing key — 90 days recommended
- Hardware-backed founder key — on founder change only
- Master recovery key — never rotated except in documented emergency