# Audits & Responsible Disclosure

{% hint style="info" %}
Operator and jurisdiction: BASIS is operated by BASIS DIGITAL INFRASTRUCTURE LTD, a Seychelles IBC (LEI: [254900IX2F2KCWNSSS64](https://lei.bloomberg.com/leis/view/254900IX2F2KCWNSSS64)).
{% endhint %}

BASIS documents how its systems are reviewed, how vulnerabilities are reported, and how material changes are disclosed. This includes on-chain components where applicable, custody workflows, platform infrastructure, and the BHLE execution environment used for structural alpha capture. As part of its control framework, BASIS operates within internationally accredited management systems for information security and IT service management, supporting an institutional-grade approach to governance, change control, and operational resilience.

## Current audit status

BASIS maintains a continuous security review program across smart contract surfaces, custody controls, platform infrastructure, and the execution stack. Independent external review is combined with internal control testing, remediation tracking, and release gating. This review program operates alongside BASIS's active ISO/IEC 27001:2022 and ISO/IEC 20000-1:2018 certifications, reinforcing a structured approach to security governance, service operations, and controlled change management.

{% tabs %}
{% tab title="Execution systems" %}
Review scope includes the BHLE execution layer, sub-50μs latency targets, 100K+ OPS throughput assumptions, proprietary routing infrastructure, API authentication, deterministic execution guarantees, and state machine risk controls.
{% endtab %}

{% tab title="On-chain components" %}
Where BASIS deploys on-chain logic, review scope includes staking token accounting, mint and burn permissions, reward distribution, same-token swap logic, access controls, upgrade paths, and pause conditions.
{% endtab %}

{% tab title="Custody and key management" %}
Review scope includes key generation, storage boundaries, approval workflows, withdrawal controls, segregation of duties, and incident response procedures.
{% endtab %}

{% tab title="Infrastructure and operations" %}
Review scope includes deployment pipelines, secrets handling, monitoring, logging integrity, network controls, penetration testing, backup recovery, and operational resilience.
{% endtab %}
{% endtabs %}

Audit reports, executive summaries, and remediation notes are published when release does not create unnecessary attack surface. Where redaction is required for operational safety, BASIS will still disclose scope, findings class, and remediation status.

## 1. Smart contract audits

When BASIS deploys externally accessible contracts, the minimum disclosure standard includes:

* independent third-party review
* contract scope and version disclosure
* severity classification of findings
* remediation status and change log
* explicit statement when a feature is off-chain and outside contract scope

If a product flow has no user-facing on-chain contract exposure, BASIS states that directly.

## 2. Infrastructure and operational audits

Security review is not limited to contracts. BASIS also reviews the systems that support deterministic execution and fund safety. These reviews are supported by formal management processes consistent with BASIS's internationally accredited ISO/IEC 27001:2022 and ISO/IEC 20000-1:2018 certifications.

| Area                | Control focus                                                          |
| ------------------- | ---------------------------------------------------------------------- |
| Access control      | Least privilege, role separation, approval boundaries                  |
| Key management      | Generation, storage, rotation, withdrawal authorization                |
| Execution integrity | Deterministic routing behavior, math constraints, state machine checks |
| API security        | Authentication, rate limiting, replay protection, permission scoping   |
| Release management  | Staged deployment, rollback paths, change approval, audit trail        |
| Resilience          | Monitoring, alerting, incident drills, backup recovery                 |

{% hint style="warning" %}
Certain operational details remain confidential, including venue-level routing specifics and environment-specific security configurations. Policy-level controls, review scope, certification status, and material user-impacting changes remain public.
{% endhint %}

## 3. Responsible disclosure

Security contact: <compliance@basis.pro>

If the issue involves legal process, privacy, or sanctions exposure, copy <legal@basis.pro>.

{% stepper %}
{% step %}
Send an email to <compliance@basis.pro> with the subject line shown below.
{% endstep %}

{% step %}
Describe the affected component, impact, and reproduction steps. Include logs, transaction hashes, screenshots, or proof-of-concept material where relevant.
{% endstep %}

{% step %}
Avoid actions that could harm users, degrade service, access private data, or move funds without written authorization.
{% endstep %}

{% step %}
Wait for triage guidance before expanding testing against production systems.
{% endstep %}
{% endstepper %}

{% hint style="warning" %}
**Security Disclosure Submission**

To report a vulnerability, email <compliance@basis.pro> with the following:

* **Subject:** \[SECURITY DISCLOSURE] Brief issue title
* Affected component or endpoint
* Description of the issue
* Steps to reproduce
* Potential impact
* Your contact details (optional)
{% endhint %}

### Timeline commitments

| Stage                                      | Target                  |
| ------------------------------------------ | ----------------------- |
| Acknowledgment                             | Within 2 business days  |
| Initial triage                             | Within 5 business days  |
| Remediation timeline or next-action update | Within 10 business days |

Good-faith researchers who act within this policy, avoid user harm, and report issues privately will be handled through a coordinated disclosure process. BASIS is evaluating a formal bug bounty program as part of its ongoing security roadmap.

## 4. Transparency and confidentiality

BASIS aims for policy transparency without exposing live attack surfaces.

Publicly disclosable items include:

* audit scope
* findings categories and remediation status
* security policies
* material operational changes
* incident postmortem summaries where appropriate
* publicly verifiable certification status for internationally accredited management systems

Operationally sensitive items that may remain confidential include:

* venue allocation details
* low-level routing heuristics for structural alpha capture
* specific infrastructure topologies
* environment-specific hardening details

## 5. Change control

For any critical change to user-impacting rules or risk controls, BASIS documents:

* effective date
* rationale
* affected systems or products
* backward compatibility notes
* user action required, if any

At minimum, this applies to changes involving:

* fees, including the current baseline of deposit 0%, withdrawal 0.05%, and swap 0.01%
* withdrawal processing rules and security holds
* staking eligibility or reward accounting
* fixed-pool lock-up behavior
* same-token 1:1 swap mechanics
* execution constraints and risk-trigger logic

{% hint style="success" %}
Security at BASIS is an ongoing control function. Trust comes from deterministic execution, constrained system design, reviewable changes, evidence-backed operations, and internationally accredited management systems that are publicly verifiable.
{% endhint %}

## 6. Certification disclosure

BASIS integrates certification status directly into its security and operational governance model. The active ISO/IEC 27001:2022 certification below provides public evidence that BASIS DIGITAL INFRASTRUCTURE LTD operates an internationally accredited Information Security Management System covering software development, quantitative research systems, associated IT infrastructure, and information security management.

### ISO/IEC 27001:2022 certification details

| Field              | Details                                                                                                                                              |
| ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
| Certificate Number | SC62455E                                                                                                                                             |
| Standard           | ISO/IEC 27001:2022                                                                                                                                   |
| Status             | Active                                                                                                                                               |
| Last Updated       | March 27, 2026                                                                                                                                       |
| Certified Entity   | BASIS DIGITAL INFRASTRUCTURE LTD                                                                                                                     |
| Address            | Room 306, Victoria House, P.O. Box 673, Victoria, Mahe, Seychelles                                                                                   |
| Scope              | The Design and Development of Software and Quantitative Research Systems and the Management of Associated IT Infrastructure and Information Security |
| Accreditation      | IAF (International Accreditation Forum)                                                                                                              |
| Verification       | [Verify on IAF CertSearch](https://www.iafcertsearch.org/certification/VDrwBpB8mD2nw5ykj5zxSANH)                                                     |

BASIS DIGITAL INFRASTRUCTURE LTD also maintains an active ISO/IEC 20000-1:2018 certification for IT Service Management. Together, these internationally accredited certifications support BASIS's institutional-grade operating model and provide independent confirmation that key information security and service management processes are governed under internationally recognized standards.

| Record                  | Details                                  | Verification                                                                                               |
| ----------------------- | ---------------------------------------- | ---------------------------------------------------------------------------------------------------------- |
| ISO/IEC 20000-1:2018    | BASIS DIGITAL INFRASTRUCTURE LTD, Active | [Verify on IAF CertSearch](https://www.iafcertsearch.org/certification/1IbVSdVuBbykRHSgkfAo8mBE)           |
| Certified entity record | BASIS DIGITAL INFRASTRUCTURE LTD         | [Entity Record on IAF CertSearch](https://www.iafcertsearch.org/certified-entity/WTmKlSOrxvhkPKrCUIdWYEgv) |

Public certification records can be reviewed directly on IAF CertSearch.

***

## Compliance Certifications

BASIS has obtained third-party compliance certifications verifiable through the SE Registrar certificate verification portal.

### SOC Compliance Certificate

| Field             | Detail                                                    |
| ----------------- | --------------------------------------------------------- |
| Certificate ID    | `6489580/COC/SC`                                          |
| Certificate Type  | Certificate of Compliance                                 |
| Issuing Authority | SE Registrar                                              |
| Verification      | [Verify](https://seregistrar.us/verify-your-certificate/) |

### GDPR Compliance Certificate

| Field             | Detail                                                    |
| ----------------- | --------------------------------------------------------- |
| Certificate ID    | `6489581/COC/SC`                                          |
| Certificate Type  | Certificate of Compliance                                 |
| Issuing Authority | SE Registrar                                              |
| Verification      | [Verify](https://seregistrar.us/verify-your-certificate/) |

These certifications reflect BASIS's commitment to data protection, operational security, and regulatory compliance standards applicable to institutional-grade financial infrastructure.
