Trust is Our Product

Protecting your cryptocurrency and your personal information is what we do — it’s how we earn your trust. Security is the cornerstone of our culture and we have operated with a security-first mentality from day one. Simply put, trust is our product.

Our Cryptocurrency Security

The majority of your cryptocurrency is held in our offline, air-gapped Cold Storage system. Only a small portion of your cryptocurrency is held in our fully-insured, online Hot Wallet.

Our Cold Storage System

  • We use hardware security modules (HSMs) that have achieved a FIPS 140-2 Level 3 rating or higher.
  • All private keys are generated onboard our HSMs and stored and managed there for their lifetime.
  • We use a multisignature digital signature scheme (multisig) to eliminate single points of failure and improve our resilience against the loss or compromise of any individual private key.
  • All HSMs are geographically distributed and stored in monitored, access-controlled facilities.
  • All HSMs require the coordinated action of multiple employees to operate.

Our Hot Wallet

  • Our Hot Wallet is hosted on Amazon Web Services (AWS). AWS has a proven track record for physical security and internal controls. More information can be found here.
  • We follow the principle of least privilege by applying tiered, role-based access controls to our production environment. Administrative access requires multi-factor authentication.
  • All Hot Wallet private keys are managed in the AWS CloudHSM service, which provides dedicated HSMs in the AWS cloud that have achieved a FIPS 140-2 Level 2 rating.

Our Certifications

Gemini is a licensed New York trust company that undergoes regular bank exams and is subject to the cyber security regulations promulgated by the New York Department of Financial Services. In addition, we have successfully completed our SOC 2 Type 1 examination. This makes Gemini the world’s first cryptocurrency exchange and custodian to demonstrate this level of security compliance with respect to protecting customer data and funds.

Your Account Security Features

  • Two-Factor Authentication (2FA) via Authy OneTouch and Strong Passwords are required for logging in to your account and making withdrawals.
  • Hardware Security Keys and WebAuthn support allow you to use hardware security keys to secure your account.
  • Address Whitelisting allows you to block all cryptocurrency withdrawal activity for your account, or restrict cryptocurrency withdrawals to cryptocurrency addresses you whitelist.
  • Rate-limiting is applied to certain account operations, such as your login attempts, in order to thwart brute force attacks.
  • Encryption is used to secure your passwords, personal information, and other sensitive information both in transit and at rest.

Our Infrastructure Security

  • All of our website data is transmitted over encrypted Transport Layer Security (TLS) connections (i.e., HTTPS).
  • We leverage the Content Security Policy (CSP) and HTTP Strict Transport Security (HSTS) features found in modern browsers.
  • We partner with enterprise vendors to mitigate distributed denial-of-service (DDoS) attacks.
  • Internal-only sections of our website have separate access controls and are not exposed to the public Internet.

Internal Controls

  • Multiple signatories are required to transfer cryptocurrency out of our Cold Storage System.
  • Our CEO (Tyler Winklevoss) and President (Cameron Winklevoss) are unable to individually or jointly transfer cryptocurrency out of our Cold Storage System.
  • Our offices do not store or contain anything of value, including private keys. All private keys are stored offsite and geographically distributed in monitored, access-controlled facilities.
  • All employees undergo criminal and credit background checks and are subject to ongoing background checks throughout their employment.
  • All remote access requires public-key authentication via credentials stored on hardware tokens — passwords, one-time passwords (OTPs), or other phishable credentials are not permitted.

Questions?

If you have any questions or concerns about your Gemini account – or believe there has been an unauthorized login attempt and/or transaction that you do not recognize – please contact our customer support team through this form or call us at +1 (866) 240-5113 (toll-free in the USA).

Careers at Gemini

We’re hiring in our New York; Portland, Oregon; and Chicago offices! If you’re interested in joining the Gemini Security Team, check out our careers page for more information.

Reporting Security Issues

If you believe you have identified a security vulnerability on our platform, we would like to hear from you. Please email our Security Team at security@gemini.com. To encrypt your communications, please use our PGP public key:


Our Security Philosophy

Gemini's security philosophy follows from three principles:

  • Building defense-in-depth against external threats
  • Protecting against human error
  • Guarding against misuse of insider access

Vulnerability Disclosure Philosophy

Our security team supports responsible disclosure. We will acknowledge valid and original (i.e., the first reported instance) discoveries on our website with the name of the security researcher(s) responsible. While we do not have a formalized bug-bounty program at this time, we may choose to do so in the future. In the event that a monetary rewards system is developed, we may, in our discretion, pay monetary rewards in bitcoin, subject to applicable laws.

Our commitment to security researchers is simple: we will not retaliate against researchers who report issues privately and in a responsible manner. We will do our best to reply to reports in a timely fashion and periodically update you on our progress with respect to investigating or remediating any issues you may have identified.

Gemini Security Team