Trust is Our Product

Gemini has operated with a security-first mentality from day one. Our security philosophy adheres to three principles.

Defending against external threats

Protecting against human error

Guarding against misuse of insider access

Asset Security

The majority of assets are held in our offline, air-gapped Cold Storage system. Only a small portion is held in our fully-insured, online Hot Wallet.

Gemini Offline ‘Cold’ Storage

  • We use hardware security modules (HSMs) that have achieved a FIPS 140-2 Level 3 rating or higher.

  • We use a multisignature digital signature scheme (multisig) to eliminate single points of failure and improve our resilience against the loss or compromise of any individual private key.

  • All private keys are generated onboard our HSMs and stored and managed there for their lifetime.

  • All HSMs are geographically distributed and stored in monitored, access-controlled facilities.

  • All HSMs require the coordinated action of multiple employees to operate.

Gemini ‘Hot Wallet’

  • We use hardware security modules (HSMs) that have achieved a FIPS 140-2 Level 3 rating or higher.

  • We follow the principle of least privilege by applying tiered, role-based access controls to our production environment. Administrative access requires multi-factor authentication.

Account Security

  • Two-Factor Authentication (2FA) via Authy OneTouch and Strong Passwords are required for logging in to your account and making withdrawals.

  • Hardware Security Keys and WebAuthn support allow you to use hardware security keys to secure your account.

  • Address Whitelisting allows you to block all cryptocurrency withdrawal activity for your account, or restrict cryptocurrency withdrawals to cryptocurrency addresses you whitelist.

  • Rate-limiting is applied to certain account operations, such as your login attempts, in order to thwart brute force attacks.

  • Encryption is used to secure your passwords, personal information, and other sensitive information both in transit and at rest.

Compliance and Certifications

Gemini is a licensed New York trust company that undergoes regular bank exams and is subject to the cyber security regulations promulgated by the New York Department of Financial Services. In addition, we have successfully completed our SOC 1 Type 1 and SOC 2 Type 2. This makes Gemini the world’s first cryptocurrency exchange and custodian to demonstrate this level of security compliance with respect to protecting customer data and funds.

Infrastructure Security

  • All of our website data is transmitted over encrypted Transport Layer Security (TLS) connections (i.e., HTTPS).

  • We leverage the Content Security Policy (CSP) and HTTP Strict Transport Security (HSTS) features found in modern browsers.

  • We partner with enterprise vendors to mitigate distributed denial-of-service (DDoS) attacks.

  • Internal-only sections of our website have separate access controls and are not exposed to the public Internet.

Internal Controls

  • Multiple signatories are required to transfer cryptocurrency out of our Cold Storage System.

  • Our CEO (Tyler Winklevoss) and President (Cameron Winklevoss) are unable to individually or jointly transfer cryptocurrency out of our Cold Storage System.

  • Our offices do not store or contain anything of value, including private keys. All private keys are stored offsite and geographically distributed in monitored, access-controlled facilities.

  • All employees undergo criminal and credit background checks and are subject to ongoing background checks throughout their employment.

  • All remote access requires public-key authentication via credentials stored on hardware tokens; passwords, one-time passwords (OTPs), or other phishable credentials are not permitted.

Questions

If you have any questions or concerns about your account — or believe there has been an unauthorized login attempt and/or transaction that you do not recognize — please email our Customer Support Team at support@gemini.com or call +1 (866) 240-5113 (toll-free in the USA).

Reporting Security Issues

If you believe you have identified a security vulnerability on our platform, we would like to hear from you. Please email our Security Team at security@gemini.com. To encrypt your communications, please use our PGP public key:

Vulnerability Disclosure Policy

Our security team practices responsible disclosure. We will acknowledge valid and original (i.e., the first reported instance) discoveries on our website with your name, if you would like us to. While we do not have a formalized bug-bounty program at this time, we may implement one in the future. In the event that we develop a reward system, we may, at our discretion, pay you a reward in bitcoin (or another supported cryptocurrency), subject to applicable laws.

Our commitment to security researchers is simple: we will not take action against anyone who reports an issue privately and in a responsible manner. We will do our best to reply to you in a timely fashion and periodically update you on our progress with respect to investigating or remediating any issues you may have identified.