Security
How we protect our service, what happens during a transaction, and what we ask of you to keep your crypto safe.
Security at Unramp is about three things. Protecting the service you use. Making the transaction journey safe. And being honest about what falls within your responsibility — because in a non-custodial model, parts of the journey are yours to control.
We operate an information-security management system aligned to ISO/IEC 27001, and we apply the requirements of the European Union Digital Operational Resilience Act (DORA) proportionate to our scale and risk profile as a Class 2 CASP.
Every transaction is protected by encryption in transit, strong authentication on payment, and blockchain screening before delivery.
Once a crypto-asset is delivered to your wallet, it is no longer in our infrastructure. Keeping it safe from that point is your responsibility — and we set out below what that means in practice.
How we protect our service
We are a regulated financial-services firm. The security of our service is governed by an Information Security Management System aligned with the ISO/IEC 27001 international standard, and by the European Union’s Digital Operational Resilience Act (Regulation (EU) 2022/2554, known as DORA). DORA sets out specific obligations for financial entities in respect of information and communications technology — covering risk management, incident reporting, resilience testing, and the management of third-party ICT providers.
In practice, this means we maintain a structured set of policies and controls covering the matters that materially affect the safety of our service:
Documented policies for the operation of our security management system, with named owners, defined review cycles and senior-management oversight.
An information-security risk-assessment framework that identifies, analyses and treats risks across our people, processes, technologies and information assets, reviewed regularly and on material change.
Identity and access management, role-based access controls, multi-factor authentication for staff, and prompt revocation of access on termination.
All sensitive data is encrypted in transit and at rest, using algorithms and key lengths that meet recognised industry standards. Cryptographic keys are managed under a documented standard, with regular rotation.
Critical data and systems are backed up in line with a documented data-backup policy. We test restorations regularly so that recovery is not just theoretical.
Software changes go through code review, automated testing and a controlled deployment pipeline. There is no direct production access for individual operators; every change is tracked, reviewed and auditable.
We maintain an incident management policy and a documented incident response plan. Incidents are classified, escalated, contained and remediated under defined procedures, with senior-management oversight for material incidents.
A business-continuity and disaster-recovery framework that addresses how we keep critical services running through disruption, and how we restore service when something fails.
Our third-party vendor-management policy governs how we select, contract with, and oversee the technology providers we rely on, including the heightened requirements that DORA imposes on providers of services supporting critical or important functions.
Independent internal audit of our security controls, reviewed periodically against ISO/IEC 27001 control objectives and DORA requirements.
These policies are internal documents. We do not publish them in full because they contain operational detail that would compromise the controls they describe. They are available, in extract or in full, on request to our supervisor and to qualified counterparties subject to appropriate confidentiality.
Security in the transaction journey
From the moment you start a transaction to the moment a crypto-asset arrives in your wallet, the journey passes through several distinct security checkpoints. Each is there to protect a different risk.
Your connection to our website is encrypted using TLS. We monitor our perimeter for unusual or hostile activity, and we limit and screen automated traffic. Authentication credentials are never transmitted in clear text.
Your identity documents and the supporting checks are handled by specialist identity-verification providers operating under independent regulated regimes. The data they collect is processed for our legal AML/CFT obligations and for fraud prevention, and is retained only for the periods required by applicable law. Personal data is processed in accordance with our Privacy Policy.
Payments are processed through licensed payment service providers that apply strong customer authentication (SCA) where required by the Payment Services Directive — typically a one-time code from your bank, a biometric check, or an in-app approval. We do not store your full card number. Card payments pass through a PCI-DSS compliant payment infrastructure.
Before we transfer a crypto-asset to your wallet, the destination wallet address is screened against blockchain analytics that check for links to sanctioned addresses, criminal activity, or other high-risk patterns. Transactions that fail this screening are escalated for review.
The transaction is signed using a multi-party-computation custody system operated by a specialist custody provider. The custody system applies its own internal controls — including transaction limits, governance and audit — before a transfer is broadcast to the blockchain. After it is broadcast, the transaction is irreversible: that is the nature of blockchain transactions, not a feature of our service. The transaction hash is included in your confirmation email so that you can verify the transfer independently on a blockchain explorer.
Your part
In our non-custodial model, there is a clear point at which the security of the transaction passes from us to you: the moment the crypto-asset arrives in your wallet. Up to that point, our controls do most of the work. After that point, your controls do.
We communicate with you by email — for transaction confirmations, identity verification, and any service notices. Your email address is the contact point between you and Unramp. Keep it secure.
Your wallet is your own. We do not control it, cannot see inside it, and cannot recover its contents if it is lost or compromised. A few practical points:
Recognising impersonation
Phishing, fake support, and impersonation are the most common ways individual crypto users lose money. They are far more common than any kind of technical attack on a regulated platform. Here is how to recognise the most frequent patterns.
Unramp will never
Ask you for your wallet’s private key, recovery phrase or seed words. Not for any reason. There is no scenario in which we need them — they are yours alone.
Ask you to install software, browser extensions, or remote-desktop access on your device to resolve a problem with your transaction.
Tell you to send crypto-assets to an address we provide, in order to verify a balance, unlock a transaction, recover funds, or for any other reason.
Telephone you out of the blue to discuss your transaction or to offer a recovery service. We do not place outbound calls to clients.
Contact you through Telegram, WhatsApp, Discord, Instagram or any direct-message platform, even if the account uses our name or logo.
If any of these things happen, you are not talking to Unramp. Stop, do not respond, and let us know at the address below. The single canonical web domain for our service is unramp.com. Always check the URL before entering credentials or copying any address.
Incidents and breach notification
Even with strong controls, no service is ever immune to incidents. When something goes wrong, we have a defined response: contain the problem, assess its impact, notify whoever needs to be notified, fix the cause, and learn from it. Our incident-management framework is aligned to DORA’s requirements on ICT-incident classification and reporting.
Where an incident affects clients, we will tell affected clients directly through the contact details on their client profile. Where an incident reaches the threshold of a personal-data breach within the meaning of the General Data Protection Regulation, we will notify the Commission for Personal Data Protection of the Republic of Bulgaria within the time limits set by law, and we will notify affected data subjects where required.
Reporting a vulnerability or a security concern
If you believe you have found a security vulnerability in our service, or if you have observed a security concern of any kind — including impersonation, phishing or fraud directed at Unramp clients — we want to hear from you.
Security reporting channel
[email protected]
Please include a description of what you observed, the steps to reproduce (where relevant), and any supporting evidence. We acknowledge security reports promptly and keep reporters informed as we investigate. We do not currently operate a public bug bounty programme. Researchers who report vulnerabilities responsibly can expect to be treated with respect: we will not pursue legal action against good-faith research that adheres to a coordinated disclosure approach, does not disrupt our services or our clients, and does not access data that is not theirs.
Verifying that you are dealing with the real Unramp
Before you transact, before you click on anything, and any time you have a doubt: make sure you are dealing with the real Unramp. Three quick checks.
The single canonical web domain for our service is unramp.com. Lookalike domains and subdomains hosted elsewhere are not us.
Unramp OOD is registered as a Virtual Asset Service Provider with the Financial Supervision Commission of the Republic of Bulgaria under registration BB-128/28.11.2022. You can verify this on the FSC's public register, linked from our Licenses page.
Our official contact details are published on the Contact us page. Email addresses for inquiries ([email protected]), compliance ([email protected]), legal requests ([email protected]), security ([email protected]) and press ([email protected]) all sit on the unramp.com domain. We do not contact clients from personal email addresses or social-media accounts.