The ByBit hack was the single largest theft in history. The culprits stole $1.5 billion in cryptocurrency from one of the world's most trusted and well-run exchanges. If it wasn't safe there, then where is it safe?
For those who want absolute security, the obvious answer might be to take control of their own Bitcoin—storing it in a hardware wallet, keeping private keys offline, and avoiding third-party platforms altogether. No internet connection means no remote theft, placing your Bitcoin beyond the reach of cyberattacks. This approach drastically reduces the risk of exchange hacks but comes with its own problems. It makes your Bitcoin harder to access when you need to spend it. It increases the risk of accidental loss—if you misplace your seed phrase or hardware wallet, your Bitcoin will be gone forever. There is no recovery option if you forget your credentials.
Even self-custody, while empowering, puts the full weight of responsibility on your shoulders. One wrong click, one successful phishing attempt (they only have to be lucky once), one moment of forgetfulness and your Bitcoin could be lost forever.
So, how do you protect your Bitcoin without locking it away?
That's why Xapo Bank exists.
Beyond the standard: How Xapo Bank ensures uncompromising security
We built Xapo Bank to give you the best of both worlds—uncompromising security and everyday usability. As a fully licensed bank and Bitcoin custodian, Xapo protects your assets with the same rigour as the world's most trusted financial institutions while giving you the access to your own money that you expect. Plus, we don't just promise security—it's built into everything we do. That's why we pursued and received SOC 2 certification as soon as we could. SOC 2 compliance is voluntary and therefore rare in the crypto space.
What is SOC 2 certification?
System and Organization Controls 2, or SOC 2, is a cyber-security compliance framework developed by the American Institute of Certified Public Accountants. It ensures that service organisations securely manage and protect customer data, focusing on security, availability, processing integrity, confidentiality, and privacy.
SOC 2 certification comes in two tiers—Type 1 and Type 2—each reflecting a different level of rigorous testing. SOC 2 Type 1 assesses the design of security controls at a single point in time, while SOC 2 Type 2 assesses the design and effectiveness of those controls over time. Xapo Bank secured Type 2 certification to demonstrate our sustained commitment to security practices and that our controls worked no matter what real-world operations threw at us.
Independent auditors examined every aspect of our processes, from access controls and data handling to operational uptime and risk monitoring. For twelve months, we had to prove that our internal policies were followed day in and day out. The auditors exhaustively documented, tested and verified all our procedures.
What does SOC 2 mean for Xapo Bank customers?
You share a lot of personal and sensitive information with your bank—your name, login information, and, of course, your financial data—so it’s important to know that it’s protected. SOC 2 Type 2 certification means that Xapo Bank:
Encrypts your data so hackers can’t read it
Restricts access so only the right people can see your information
Continuously monitors systems to catch and shut down suspicious activity
Backs up data so it cannot be lost
Keeps systems up to date to close security gaps.
Read our SOC 2 FAQs below to learn more.
Our wider security strategy
SOC 2 is just one part of the picture. At Xapo Bank, we align our security standards and procedures with globally recognised frameworks like ISO 27001 and the NIST Cybersecurity Framework. Our approach is not just robust—it adapts to evolving threats.
Moreover, as a fully licensed bank, we meet the stringent capital and risk management requirements of Basel III—a standard that few crypto-native institutions can claim. These reinforcing layers of protection give you peace of mind, knowing your assets are in safe hands.
Always looking ahead
Security threats evolve swiftly, so we can't rest on our laurels. Security at Xapo Bank is a living system—constantly reviewed, refined, and strengthened. We regularly run internal audits, invest in emerging security technologies, and train our teams to be vigilant.
Soon, we'll be launching Safe Place, a new feature designed to enhance how members manage and safeguard their assets. It's part of a broader security-focused redesign of our app, making it easier than ever to access powerful protection for your Bitcoin without friction or compromise.
You shouldn't have to choose between safety and convenience. Xapo Bank means you don't have to. We offer both peace of mind and instant access without trade-offs.
SOC 2 Type II Frequently Asked Questions
1. What is SOC 2 Type II certification?
SOC 2 Type II is a security certification that shows we protect your personal and financial data using strict, industry-standard controls. Independent auditors issue it after a detailed review of how we manage data security over time (not just once).
2. Why does SOC 2 Type II certification matter to me?
SOC 2 Type II certification ensures we continuously protect your funds and personal data with rock-solid security measures. It means:
Your data (like login info, balances, and personal details) is encrypted and secure.
We monitor our systems 24/7 to detect and stop threats.
Only authorised staff can access sensitive information.
We have regular audits to keep our security practices up to date.
3. What’s the difference between SOC 2 Type I and SOC 2 Type II?
Type II certification is more thorough and trusted. While Type I checks if the proper security controls are in place on a specific date, Type II checks if those controls worked consistently over many months.
4. Who performs SOC 2 audits?
An independent, third-party auditing firm conducts the review. They evaluate our security, availability, and data-handling processes to ensure we meet strict standards.
5. Does SOC 2 Type II mean my data is 100% safe?
No system is 100% bulletproof, but SOC 2 Type II shows we’re doing everything a responsible bank should do to protect your data with the utmost care. It’s one of the strongest security signals a bank can provide.
6. How often do you renew your SOC 2 Type II certification?
Our commitment to your security is ongoing. We conduct SOC 2 Type II audits annually, covering 6 to 12 months of operations. And we stay compliant year-round to make sure your data is always protected.
*Crypto asset services are provided by Xapo Vasp Limited, a company regulated by the Gibraltar Financial Services Commission as a ‘Distributed Ledger Technology Provider’ under Permission No. 26061 and not by Xapo Bank Limited. Xapo Bank Limited provides services exclusively in respect of fiat balances. Crypto asset deposits are not covered by the Gibraltar Deposit Guarantee Scheme.
*For more information on the security features available at Xapo Bank Limited and Xapo Vasp Limited, please visit this page.