Security & Compliance

How we protect merchant funds, account access, and regulatory standing. This page describes the controls currently in production. Live system status lives at /status.

Two-factor authentication (TOTP)

Enroll any TOTP authenticator app (Google Authenticator, 1Password, Authy) from Settings → Security in your merchant dashboard.

Phase 1 (today): enrollment and factor management are live.

Phase 2 (rolling out): the second factor is required at sign-in for accounts with an enrolled factor. Enrolling today means the factor is already in place when enforcement turns on, so you are not locked out.
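What the authenticator apps above compute is RFC 6238 TOTP: an HMAC-SHA1 over the current 30-second time step, truncated to six digits. The following is an added example in Python, not the platform's own code, of the phone side (`totp`) and the server-side check a sign-in flow would run (`verify_totp`). The secret is the RFC 6238 test-vector secret so the output can be checked against the RFC; the one-step skew window and the replay guard on the last accepted step are the checks a practitioner would expect, and are assumptions about this platform's implementation.

```python
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). This is what the phone app shows."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_used_step: Optional[int], window: int = 1, step: int = 30) -> Optional[int]:
    """Server-side check. Returns the accepted time-step, or None if the code is rejected.

    window=1 tolerates one step (30 s) of clock skew either way between server and phone.
    last_used_step is the step of the last accepted code for this account; codes for that
    step or an earlier one are refused, so a code captured once cannot be replayed.
    hmac.compare_digest keeps the comparison constant-time.
    """
    if len(submitted) != 6 or not submitted.isdigit():
        return None
    current = unix_time // step
    for candidate in range(current + window, current - window - 1, -1):  # newest first
        if last_used_step is not None and candidate <= last_used_step:
            continue
        if hmac.compare_digest(totp(secret, candidate * step, step), submitted):
            return candidate
    return None


# RFC 6238 test-vector secret (ASCII "12345678901234567890"); a real enrollment uses a random secret.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("code at T=59:", totp(RFC_SECRET, 59, digits=8))  # RFC 6238 vector: 94287082
    print("accepted step:", verify_totp(RFC_SECRET, "287082", 59, None))
    print("replayed:", verify_totp(RFC_SECRET, "287082", 59, 1))
```

The server stores the accepted step after each successful login; a second submission of the same code, even inside the skew window, then fails the replay check rather than the HMAC check.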

OFAC SDN sanctions screening

Every merchant onboarding is screened against the US Treasury OFAC Specially Designated Nationals (SDN) list. The cached list is refreshed weekly, and an admin can trigger an on-demand refresh; the age of the cached list is one of the checks exposed on /status, since a screening result is only as current as the list it ran against.

Screening returns one of three results: clear (no match), review (match against a listed entity; an admin reviews the match), or block (match against a listed individual; onboarding is halted).

Required compliance control for a US-domiciled crypto-payment business.

Idempotent money writes

Every wallet credit and debit is written under a unique database index on (merchant_id, reference_type, reference_id, type), so a write that arrives twice for the same reference collides with the index instead of being applied twice. An Inngest retry or a duplicated webhook cannot double-charge or double-credit you.

BTC deposits additionally carry a unique (txid, vout) constraint, so the same on-chain UTXO can never credit twice.

A separate idempotency_keys table covers non-wallet operations (refunds, address provisioning).
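To show what the two constraints above do under a retried delivery, here is an added example in Python with SQLite standing in for Postgres; it is not the platform's schema or code. The index columns and the (txid, vout) uniqueness are taken from the text; the table names, the satoshi amounts and the `txid:vout` form of `reference_id` are assumptions for the example. Both inserts run in one transaction, so a duplicate on either constraint rolls back the whole credit.

```python
import sqlite3

# Constructed schema for the example; column names of the unique index follow the text above.
SCHEMA = """
CREATE TABLE ledger (
    id             INTEGER PRIMARY KEY,
    merchant_id    TEXT    NOT NULL,
    reference_type TEXT    NOT NULL,   -- e.g. 'btc_deposit', 'order', 'refund'
    reference_id   TEXT    NOT NULL,   -- e.g. '<txid>:<vout>' or an order id
    type           TEXT    NOT NULL CHECK (type IN ('credit', 'debit')),
    amount_sats    INTEGER NOT NULL CHECK (amount_sats > 0)
);
CREATE UNIQUE INDEX ledger_once ON ledger (merchant_id, reference_type, reference_id, type);

CREATE TABLE btc_deposits (
    txid        TEXT    NOT NULL,
    vout        INTEGER NOT NULL,
    merchant_id TEXT    NOT NULL,
    amount_sats INTEGER NOT NULL,
    UNIQUE (txid, vout)                -- one on-chain UTXO credits at most once, platform-wide
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def credit_deposit(conn: sqlite3.Connection, merchant_id: str, txid: str, vout: int, amount_sats: int) -> bool:
    """Credit one UTXO to a merchant exactly once.

    Returns True if the credit was applied, False if it had already been applied.
    A duplicate (txid, vout) or a duplicate ledger key raises IntegrityError inside the
    transaction; the `with conn:` block rolls back, and no partial write survives.
    """
    try:
        with conn:
            conn.execute(
                "INSERT INTO btc_deposits (txid, vout, merchant_id, amount_sats) VALUES (?, ?, ?, ?)",
                (txid, vout, merchant_id, amount_sats),
            )
            conn.execute(
                "INSERT INTO ledger (merchant_id, reference_type, reference_id, type, amount_sats) "
                "VALUES (?, 'btc_deposit', ?, 'credit', ?)",
                (merchant_id, f"{txid}:{vout}", amount_sats),
            )
        return True
    except sqlite3.IntegrityError:
        return False  # already applied: treat the retry as success, do not re-credit


def balance_sats(conn: sqlite3.Connection, merchant_id: str) -> int:
    row = conn.execute(
        "SELECT COALESCE(SUM(CASE type WHEN 'credit' THEN amount_sats ELSE -amount_sats END), 0) "
        "FROM ledger WHERE merchant_id = ?",
        (merchant_id,),
    ).fetchone()
    return row[0]


def simulate_retries(conn, merchant_id, txid, vout, amount_sats, attempts=3):
    """Deliver the same deposit event `attempts` times, as a retrying queue or webhook would."""
    return [credit_deposit(conn, merchant_id, txid, vout, amount_sats) for _ in range(attempts)]


if __name__ == "__main__":
    db = open_db()
    print(simulate_retries(db, "m1", "ab" * 32, 0, 50_000))   # [True, False, False]
    print(balance_sats(db, "m1"))                              # 50000
```

Postgres raises the same kind of unique-violation error for both constraints, so the retry path is identical there: catch the violation, treat it as "already applied", and return success to the caller so the queue stops retrying.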

FX-rate lock + USD-denominated reserve

The BTC/USD rate at the moment of order creation is persisted on the order row (quoted_btc_usd, quoted_at, quoted_source). If BTC moves 10% between checkout and shipment, the amount fixed at checkout does not change.

The mandatory compliance reserve is denominated in USD ($500), held in BTC at the live rate. The dashboard shows both the USD figure and the current BTC-equivalent.

The rate is fetched from four independent providers (CoinGecko, mempool.space, Coinbase, Kraken), checked against sanity bounds, and backed by a Postgres last-known-good cache, so a single-provider outage cannot break order pricing. If every provider is unreachable, pricing falls back to the cached rate, and the freshness of that cache is one of the /status checks.
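The following is an added Python example, not the platform's code, of the pricing pipeline described above: quotes from several providers are bounded, outliers are dropped against the cross-provider median, the survivors' median becomes the rate, and an order row records quoted_btc_usd, quoted_at and quoted_source. The bounds, the 5% spread tolerance, the 15-minute cache lifetime and the provider callables are assumptions; the providers here are constructed stand-ins that return fixed numbers or raise, so the example runs offline.

```python
import statistics
from typing import Callable, Dict, Tuple

# Assumptions for this example, not the platform's actual thresholds.
MIN_BTC_USD = 1_000.0
MAX_BTC_USD = 10_000_000.0
MAX_SPREAD = 0.05          # a quote more than 5% off the cross-provider median is discarded
CACHE_MAX_AGE_S = 15 * 60  # the last-known-good rate may be used for 15 minutes


class RateUnavailable(Exception):
    """Every provider failed and the cache is stale: refuse to price rather than guess."""


def quote_btc_usd(providers: Dict[str, Callable[[], float]],
                  cache: Dict[str, float], now: float) -> Tuple[float, str]:
    """Return (rate, source). source names the providers that agreed, or 'cache'."""
    quotes: Dict[str, float] = {}
    for name, fetch in providers.items():
        try:
            rate = float(fetch())
        except Exception:
            continue                        # timeout, HTTP error, bad JSON: skip this provider
        if MIN_BTC_USD <= rate <= MAX_BTC_USD:
            quotes[name] = rate             # out-of-band values are provider bugs, not market moves
    if quotes:
        median = statistics.median(quotes.values())
        agreeing = {n: r for n, r in quotes.items() if abs(r - median) / median <= MAX_SPREAD}
        rate = statistics.median(agreeing.values())
        cache["rate"], cache["at"] = rate, now   # refresh last-known-good
        return rate, ",".join(sorted(agreeing))
    if "rate" in cache and now - cache["at"] <= CACHE_MAX_AGE_S:
        return cache["rate"], "cache"
    raise RateUnavailable("no live quote and last-known-good rate is stale")


def pricing_available(providers, cache, now: float) -> bool:
    """What a health probe would ask: can an order be priced right now?"""
    try:
        quote_btc_usd(providers, cache, now)
        return True
    except RateUnavailable:
        return False


def create_order(amount_usd: float, providers, cache, now: float) -> dict:
    """Persist the quote on the order row so later BTC moves cannot change what was owed."""
    rate, source = quote_btc_usd(providers, cache, now)
    return {
        "amount_usd": amount_usd,
        "quoted_btc_usd": rate,
        "quoted_at": now,
        "quoted_source": source,
        "amount_sats": round(amount_usd * 1e8 / rate),  # satoshis due, fixed at checkout
    }


def _outage() -> float:
    raise TimeoutError("constructed provider outage")


# Constructed providers: two agree, one is down, one returns an in-bounds but absurd number.
LIVE_PROVIDERS = {"coingecko": lambda: 60_000.0, "mempool": lambda: 60_150.0,
                  "coinbase": _outage, "kraken": lambda: 6_000_000.0}
ALL_DOWN = {name: _outage for name in LIVE_PROVIDERS}

if __name__ == "__main__":
    cache: Dict[str, float] = {}
    print(create_order(120.0, LIVE_PROVIDERS, cache, 1_700_000_000.0))
    print(quote_btc_usd(ALL_DOWN, cache, 1_700_000_000.0 + 60))   # served from cache
```

With a single surviving quote the median is that quote, so the spread filter only protects when at least two providers answer; that is the reason to query four rather than two.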

Nightly wallet reconciliation

Every night a scheduled job sums confirmed BTC deposits per merchant and compares against credited wallet balances. Any drift surfaces in the admin dashboard and an alert email is sent.

Discrepancies are never silently corrected — each finding is an audit row with timestamp, amount, and reason, available to merchants on request.
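The shape of that nightly job, as an added Python example rather than the platform's code: sum confirmed deposits per merchant, compare with the ledger's credited total, and emit one audit row per discrepancy without touching any balance. The confirmation threshold, the record fields and the sample deposits are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List

MIN_CONFIRMATIONS = 1  # assumption: what counts as 'confirmed' for the nightly sum


@dataclass(frozen=True)
class Deposit:
    merchant_id: str
    txid: str
    vout: int
    amount_sats: int
    confirmations: int


@dataclass(frozen=True)
class Finding:
    """One audit row. It records drift; nothing here mutates a balance."""
    merchant_id: str
    expected_sats: int   # sum of confirmed on-chain deposits
    credited_sats: int   # what the wallet ledger shows
    drift_sats: int      # credited - expected
    reason: str
    observed_at: str


def reconcile(deposits: Iterable[Deposit], credited: Dict[str, int], now: datetime) -> List[Finding]:
    expected: Dict[str, int] = {}
    for d in deposits:
        if d.confirmations >= MIN_CONFIRMATIONS:            # unconfirmed UTXOs are not yet owed
            expected[d.merchant_id] = expected.get(d.merchant_id, 0) + d.amount_sats
    findings: List[Finding] = []
    for merchant in sorted(set(expected) | set(credited)):  # missing on either side is drift too
        exp, got = expected.get(merchant, 0), credited.get(merchant, 0)
        if exp == got:
            continue
        reason = ("ledger credited more than the chain shows" if got > exp
                  else "confirmed deposit not credited")
        findings.append(Finding(merchant, exp, got, got - exp, reason, now.isoformat()))
    return findings


def alert_text(findings: List[Finding]) -> str:
    """Body of the alert email; empty when there is nothing to report."""
    return "\n".join(f"{f.merchant_id}: drift {f.drift_sats:+d} sats ({f.reason})" for f in findings)


# Constructed sample input.
SAMPLE_DEPOSITS = [
    Deposit("m1", "aa" * 32, 0, 50_000, 6),
    Deposit("m1", "bb" * 32, 1, 20_000, 0),   # unconfirmed: excluded from the expected sum
    Deposit("m2", "cc" * 32, 0, 30_000, 3),
]
SAMPLE_CREDITED = {"m1": 50_000, "m2": 0, "m3": 5_000}

if __name__ == "__main__":
    print(alert_text(reconcile(SAMPLE_DEPOSITS, SAMPLE_CREDITED, datetime.now(timezone.utc))))
```

Both directions are reported: a confirmed deposit with no credit is money the merchant is owed, and a credit with no deposit behind it is the more serious finding, since it is either a bug in the credit path or an attempt to conjure balance.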

Origin-based CSRF protection

Every state-changing API request (POST/PUT/PATCH/DELETE) must carry an allowed Origin. Cross-origin POSTs against authenticated routes are rejected at the middleware layer. Browsers attach the Origin header to every cross-site request with these methods and page script cannot alter it, which is what makes the check reliable.

Server-to-server callers (the WooCommerce plugin, Inngest webhooks) authenticate by HMAC signature instead and skip the Origin check by design; a request on that path with a missing or invalid signature is rejected.
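An added Python example of that middleware decision, not the platform's code: reads pass, server-to-server callers are judged on their HMAC alone, and everything else must present an exactly matching Origin. The allowed origin, the `X-Caller`/`X-Signature` header names, the shared secret and the rule that a state-changing request with no Origin header is refused are all assumptions for the example.

```python
import hashlib
import hmac
from typing import Mapping

# Assumptions for this example: one allowed dashboard origin and one shared webhook secret.
ALLOWED_ORIGINS = {"https://dashboard.example-merchant.com"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
WEBHOOK_SECRETS = {"woocommerce": b"constructed-shared-secret"}


def sign(caller: str, body: bytes) -> str:
    """What a server-to-server caller puts in X-Signature: hex HMAC-SHA256 of the raw body."""
    return hmac.new(WEBHOOK_SECRETS[caller], body, hashlib.sha256).hexdigest()


def authorize(method: str, headers: Mapping[str, str], body: bytes = b"") -> str:
    """Middleware decision: 'allow' or 'reject: <reason>'."""
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() not in STATE_CHANGING:
        return "allow"                                   # GET/HEAD/OPTIONS change nothing

    caller = h.get("x-caller")
    if caller in WEBHOOK_SECRETS:                        # server-to-server: signature, not Origin
        if hmac.compare_digest(sign(caller, body), h.get("x-signature", "")):
            return "allow"
        return "reject: bad signature"

    origin = h.get("origin")
    if origin is None:
        return "reject: missing origin"                  # assumption: no Origin on a state change is refused
    # Exact match on scheme+host+port. A prefix or substring test would accept
    # https://dashboard.example-merchant.com.evil.example, so never do that.
    if origin in ALLOWED_ORIGINS:
        return "allow"
    return "reject: cross-origin"


if __name__ == "__main__":
    body = b'{"order": "1"}'
    print(authorize("POST", {"Origin": "https://evil.example"}))
    print(authorize("POST", {"X-Caller": "woocommerce", "X-Signature": sign("woocommerce", body)}, body))
```

The signature is computed over the raw request body bytes, before any JSON parsing, so a re-serialised body cannot silently change what was signed.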

Live status page

Public health page at /status. The JSON endpoint at /api/v1/public/health is intended for external monitors; poll it and alert on the aggregate field (green/yellow/red).

Checks: database reachability, BTC/USD rate cache freshness, OFAC list cache age, and responsiveness of mempool.space (the BTC chain-data provider).

BTC custody model

We never see merchant private keys. Each deposit address is derived from an extended public key (xpub/zpub) by non-hardened child derivation, which is one-way: the xpub yields public keys and addresses only and cannot be turned back into private keys. The corresponding private keys live exclusively in cold storage operated by the platform owner. Anyone holding the xpub can compute every address derived from it, which is why an xpub is handled as confidential even though it cannot spend.

Address rotation is enforced: each deposit gets a fresh address with no reuse.
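To make the one-way property concrete, here is an added Python example, not the platform's code, of BIP32 derivation on both sides of the custody boundary: `ckd_pub` is all the payment server can do with an xpub (parent public key plus chain code), while `ckd_priv` needs the private key and exists here only to show that the two sides land on the same key. The seed is a constructed test value, the path `.../0/<deposit_no>` for the n-th deposit is an assumption, and encoding the resulting public key into a bech32 or base58 address is omitted.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# secp256k1 domain parameters
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000
Point = Optional[Tuple[int, int]]   # None is the point at infinity


def ec_add(a: Point, b: Point) -> Point:
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k: int, pt: Point) -> Point:
    acc: Point = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def ser_p(pt: Tuple[int, int]) -> bytes:
    """33-byte compressed SEC1 encoding of a public key."""
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")


def master_from_seed(seed: bytes) -> Tuple[int, bytes]:
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(i[:32], "big"), i[32:]


def ckd_priv(k_par: int, c_par: bytes, index: int) -> Tuple[int, bytes]:
    """Private child derivation (cold-storage side); needs the parent private key."""
    if index >= HARDENED:
        data = b"\x00" + k_par.to_bytes(32, "big")
    else:
        data = ser_p(ec_mul(k_par, G))
    i = hmac.new(c_par, data + index.to_bytes(4, "big"), hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    if il >= N:                                      # BIP32: skip this index (probability ~2^-128)
        raise ValueError("invalid child, use the next index")
    return (il + k_par) % N, i[32:]


def ckd_pub(K_par: Tuple[int, int], c_par: bytes, index: int) -> Tuple[Tuple[int, int], bytes]:
    """Public child derivation (payment-server side); works from the xpub alone."""
    if index >= HARDENED:
        raise ValueError("hardened children cannot be derived from a public key")
    i = hmac.new(c_par, ser_p(K_par) + index.to_bytes(4, "big"), hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    K_i = ec_add(ec_mul(il, G), K_par)               # point(I_L) + K_par; no private scalar involved
    if il >= N or K_i is None:
        raise ValueError("invalid child, use the next index")
    return K_i, i[32:]


def deposit_pubkey(K_account: Tuple[int, int], c_account: bytes, deposit_no: int) -> str:
    """Hot side: compressed public key for the deposit_no-th external address (path .../0/deposit_no)."""
    K_chain, c_chain = ckd_pub(K_account, c_account, 0)
    K_dep, _ = ckd_pub(K_chain, c_chain, deposit_no)
    return ser_p(K_dep).hex()


def cold_side_pubkey(k_account: int, c_account: bytes, deposit_no: int) -> str:
    """Cold side: the same key computed from the private key, to show both sides agree."""
    k_chain, c_chain = ckd_priv(k_account, c_account, 0)
    k_dep, _ = ckd_priv(k_chain, c_chain, deposit_no)
    return ser_p(ec_mul(k_dep, G)).hex()


SEED = bytes(range(32))  # constructed test seed, not a real wallet

if __name__ == "__main__":
    k, c = master_from_seed(SEED)
    K = ec_mul(k, G)                                 # (K, c) is what an xpub carries
    print(deposit_pubkey(K, c, 7) == cold_side_pubkey(k, c, 7))   # True
```

The server holds only (K, c) and still produces a fresh key per deposit index, which is what "one-way" means here: the HMAC output I_L is added as a point on the public side and as a scalar on the private side, and nothing on the public side ever recovers the scalar. The same structure is why hardened indexes are refused from an xpub, and why an xpub plus any one non-hardened child private key must never leak together.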

Reporting a security issue

We treat security reports as urgent. Email Team@ruowhitelabel.com with a description and reproduction steps; we respond within one business day. Please do not file a public GitHub issue or post on social media before we have a chance to respond.