Our Compliance Framework
At Evocrafty, we recognize that security and compliance are foundational to building trust with our customers. Our hardware wallets are designed to meet or exceed industry standards for security, privacy, and regulatory compliance.
We have implemented a comprehensive compliance framework that addresses various aspects of our business, from product design and manufacturing to customer data protection and business operations.
This page outlines our approach to compliance and the standards we adhere to. We are committed to transparency and continuously improving our compliance posture as regulations and best practices evolve.

Security Certifications
Our hardware and software components undergo rigorous security evaluations to ensure they meet industry standards.
Common Criteria
Our Secure Element chips are certified under Common Criteria EAL5+ (Evaluation Assurance Level 5+), providing high assurance of security in the design and implementation of the chip's security features.
Common Criteria is an international standard (ISO/IEC 15408) for computer security certification.
FIPS 140-2 Level 3
Our cryptographic modules comply with Federal Information Processing Standard (FIPS) 140-2 Level 3, validating the security of our cryptographic functions against tampering and unauthorized access.
FIPS 140-2 is a U.S. government standard for cryptographic modules used in security systems.
ISO 27001
Our development and manufacturing processes are aligned with ISO 27001 information security management standards, ensuring systematic management of sensitive information.
ISO 27001 is the international standard for information security management systems (ISMS).
Data Protection and Privacy
We comply with data protection regulations to safeguard customer information and privacy.
GDPR Compliance
While we are a U.S.-based company, we adhere to the principles of the European Union's General Data Protection Regulation (GDPR) for all our customers, regardless of their location. Our compliance measures include:
- Data minimization and purpose limitation
- Lawful basis for processing personal data
- Transparent privacy policies and notices
- Respect for individual rights (access, correction, deletion)
- Security measures to protect personal data
- Data breach notification procedures
CCPA/CPRA Compliance
As a company operating in California, we comply with the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). Our compliance measures include:
- Providing notice at collection
- Honoring consumer rights to access, delete, and correct personal information
- Providing opt-out options for the sale or sharing of personal information
- Maintaining reasonable security procedures
- Training employees on privacy requirements
- Regular assessments of our data processing activities
Privacy Shield Principles
Although the EU-U.S. Privacy Shield framework has been invalidated, we continue to adhere to its core principles as a matter of best practice for cross-border data transfers:
- Notice to individuals about data collection and use
- Choice to opt out of data collection and third-party disclosure
- Accountability for onward transfers to third parties
- Security measures to protect collected data
- Data integrity and purpose limitation
- Access rights for individuals to their personal data
- Recourse, enforcement, and liability mechanisms
- Regular verification of compliance
Business Compliance
We operate our business in accordance with applicable laws and regulations.
Anti-Money Laundering (AML) Policy
While we are not a financial institution or cryptocurrency exchange, we recognize the importance of preventing financial crimes in the cryptocurrency ecosystem. We have implemented appropriate measures to mitigate money laundering risks:
- Customer identification procedures for large orders
- Monitoring and reporting suspicious transactions
- Record-keeping of relevant transaction data
- Regular staff training on AML awareness
- Cooperation with law enforcement when required by law
Consumer Protection Compliance
We adhere to consumer protection laws and regulations to ensure fair and transparent business practices:
- Clear and accurate product descriptions
- Transparent pricing and billing practices
- Fair warranty and return policies
- Truthful marketing and advertising
- Responsive customer service
- Protection of customer data and privacy
- Compliance with e-commerce regulations
Export Compliance
We comply with U.S. export control laws and regulations, including the Export Administration Regulations (EAR) administered by the Bureau of Industry and Security (BIS). Our export compliance program includes:
- Product classification under the Commerce Control List
- Screening of customers against restricted party lists
- Monitoring for red flags in transactions
- Obtaining necessary export licenses when required
- Record-keeping of export transactions
- Regular training for staff involved in export activities
Product and Manufacturing Compliance
Our hardware wallets meet various product safety and compliance standards.
CE Marking
Our products comply with European health, safety, and environmental protection standards, allowing us to apply the CE marking to our hardware wallets sold in the European Economic Area (EEA).
The CE marking indicates conformity with EU Directives including:
- Electromagnetic Compatibility Directive (2014/30/EU)
- Low Voltage Directive (2014/35/EU)
- Restriction of Hazardous Substances (RoHS) Directive (2011/65/EU)
FCC Certification
Our hardware wallets have been tested and comply with Federal Communications Commission (FCC) regulations for electronic devices sold in the United States.
FCC certification ensures that our devices:
- Do not cause harmful interference to other devices
- Accept any interference received, including interference that may cause undesired operation
- Meet electromagnetic compatibility (EMC) standards
Environmental Compliance
We are committed to environmental sustainability and comply with regulations regarding the use of hazardous materials and product disposal:
- RoHS compliance (Restriction of Hazardous Substances)
- REACH compliance (Registration, Evaluation, Authorization and Restriction of Chemicals)
- WEEE compliance (Waste Electrical and Electronic Equipment)
- Battery Directive compliance for models with batteries
- Packaging waste reduction and recyclability
Independent Security Audits
We regularly engage third-party security researchers to evaluate our products and systems.
Hardware Security Audits
Our hardware wallets undergo regular security audits by independent security researchers and specialized firms to identify and address potential vulnerabilities:
- Physical attack resistance testing
- Side-channel attack analysis
- Fault injection testing
- Hardware backdoor detection
- Secure Element implementation review
- Tamper-evidence verification
These audits help ensure that our devices maintain the highest level of security against various physical and hardware-based attacks.
Firmware and Software Audits
Our firmware and companion software applications are regularly audited by independent security firms for vulnerabilities:
- Code security reviews
- Vulnerability assessments
- Penetration testing
- Cryptographic implementation validation
- Secure boot verification
- Update mechanism security review
Security audit reports are thoroughly reviewed, and identified issues are promptly addressed to maintain the integrity and security of our software.
Bug Bounty Program
We maintain an active bug bounty program to encourage security researchers to responsibly disclose potential vulnerabilities in our products and systems. This program demonstrates our commitment to continuous security improvement and collaboration with the security research community.
Our bug bounty program covers:
- Hardware vulnerabilities
- Firmware security issues
- Desktop and mobile application vulnerabilities
- Website and API security flaws
- Supply chain vulnerabilities
- Security issues in open-source components
For more information about our bug bounty program or to report a security vulnerability, please contact [email protected].
Compliance Documentation
This section is for business customers and partners who require compliance documentation.
We understand that our business customers and partners may require compliance documentation for their own regulatory requirements or due diligence processes. Upon request, we can provide appropriate documentation regarding our compliance with various standards and regulations.
Available documentation may include:
- Certificates of compliance
- Security audit attestations
- Data processing agreements
- Product safety certifications
- Information security policies
To request compliance documentation or discuss specific compliance requirements, please contact our compliance team at [email protected] or call +1 (916) 214-4525.