Trust is Our Product™
Protecting your cryptocurrency and your personal information is what we do — it’s how we earn your trust. Security is the cornerstone of our culture and we have operated with a security-first mentality from day one. Simply put, trust is our product.
Our Cryptocurrency Security
The majority of your cryptocurrency is held in our offline, air-gapped Cold Storage system. Only a small portion of your cryptocurrency is held in our fully-insured, online Hot Wallet.
Our Cold Storage System
- We use hardware security modules (HSMs) that have achieved a FIPS 140-2 Level 3 rating or higher.
- All private keys are generated onboard our HSMs and stored and managed there for their lifetime.
- We use a multisignature digital signature scheme (multisig) to eliminate single points of failure and improve our resilience against the loss or compromise of any individual private key.
- All HSMs are geographically distributed and stored in monitored, access-controlled facilities.
- All HSMs require the coordinated action of multiple employees to operate.
Our Hot Wallet
- Our Hot Wallet is hosted on Amazon Web Services (AWS). AWS has a proven track record for physical security and internal controls. More information can be found here.
- We follow the principle of least privilege by applying tiered, role-based access controls to our production environment. Administrative access requires multi-factor authentication.
- All Hot Wallet private keys are managed in the AWS CloudHSM service, which provides dedicated HSMs in the AWS cloud that have achieved a FIPS 140-2 Level 2 rating.
Gemini is a licensed New York trust company that undergoes regular bank exams and is subject to the cyber security regulations promulgated by the New York Department of Financial Services. In addition, we have successfully completed our SOC 2 Type 1 examination. This makes Gemini the world’s first cryptocurrency exchange and custodian to demonstrate this level of security compliance with respect to protecting customer data and funds.
Your Account Security Features
- Two-Factor Authentication (2FA) via Authy OneTouch and Strong Passwords are required for logging in to your account and making withdrawals.
- Hardware Security Keys and WebAuthn support allow you to use hardware security keys to secure your account.
- Address Whitelisting allows you to block all cryptocurrency withdrawal activity for your account, or restrict cryptocurrency withdrawals to cryptocurrency addresses you whitelist.
- Rate-limiting is applied to certain account operations, such as your login attempts, in order to thwart brute force attacks.
- Encryption is used to secure your passwords, personal information, and other sensitive information both in transit and at rest.
Our Infrastructure Security
- All of our website data is transmitted over encrypted Transport Layer Security (TLS) connections (i.e., HTTPS).
- We leverage the content-security policy (CSP) and HTTP Strict Transport Security (HSTS) features found in modern browsers.
- We partner with enterprise vendors to mitigate distributed denial-of-service (DDoS) attacks.
- Internal-only sections of our website have separate access controls and are not exposed to the public Internet.
- Multiple signatories are required to transfer cryptocurrency out of our Cold Storage System.
- Our CEO (Tyler Winklevoss) and President (Cameron Winklevoss) are unable to individually or jointly transfer cryptocurrency out of our Cold Storage System.
- Our offices do not store or contain anything of value, including private keys. All private keys are stored offsite and geographically distributed in monitored, access-controlled facilities.
- All employees undergo criminal and credit background checks and are subject to ongoing background checks throughout their employment.
- All remote access requires public-key authentication via credentials stored on hardware tokens — passwords, one-time passwords (OTPs), or other phishable credentials are not permitted.
If you have any questions or concerns about your Gemini account – or believe there has been an unauthorized login attempt and/or transaction that you do not recognize – please contact our customer support team through this form or call us at +1 (866) 240-5113 (toll-free in the USA).
Careers at Gemini
We’re hiring in our New York, Portland, Oregon, and Chicago offices! If you’re interested in joining the Gemini Security Team, check out our careers page for more information.
Reporting Security Issues
If you believe you have identified a security vulnerability on our platform, we would like to hear from you. Please email our Security Team at email@example.com. To encrypt your communications, please use our PGP public key:
Our Security Philosophy
Gemini's security philosophy follows from three principles:
- Building defense-in-depth against external threats
- Protecting against human error
- Guarding against misuse of insider access
Vulnerability Disclosure Philosophy
Our security team supports responsible disclosure. We will acknowledge valid and original (i.e., the first reported instance) discoveries on our website with the name of the security researcher(s) responsible. While we do not have a formalized bug-bounty program at this time, we may choose to do so in the future. In the event that a monetary rewards system is developed, we may, in our discretion, pay monetary rewards in bitcoin, subject to applicable laws.
Our commitment to security researchers is simple: we will not retaliate against researchers who report issues privately and in a responsible manner. We will do our best to reply to reports in a timely fashion and periodically update you on our progress with respect to investigating or remediating any issues you may have identified.
Gemini Security Team