How do you ensure secure communication between Bridge and VASP servers?

Bridge connects to a VASP’s server over HTTPS, with the connection encrypted using an SSL certificate. Every Sygna Bridge member VASP is assigned a unique API key to ensure a secure connection and data integrity.
Bridge uses the ECIES and ECDSA cryptography protocols to manage public key encryption and message signing.
Bridge also provides a static IP address server to VASPs that require it for IP whitelisting purposes.

Does Bridge’s server have a static IP address?

For VASPs who wish to whitelist IP addresses of incoming requests to their server, the Bridge server supports static IP addresses.
Bridge accepts incoming requests to the Bridge server from both dynamic and static IP addresses.

What happens if the beneficiary VASP is down?

The Originator VASP is allowed to set an expiration timestamp for each transfer request. Bridge can also queue and resend on behalf of the sender.

How is a beneficiary’s identity authenticated during a transmittal? Does the beneficiary VASP need to send its beneficiary customer’s personal information for confirmation?

The beneficiary address and personal information are entered by the sender at the originating VASP and sent to the beneficiary VASP for validation. The confirmation is a signature by the beneficiary VASP, which does not disclose the beneficiary user’s personal information. This ensures that:

  1. The beneficiary VASP can verify the address’s ownership.
  2. Phishing for beneficiary personal information is impossible.
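The confirmation flow described above, as an added example that is not Sygna Bridge's own code: the beneficiary VASP signs only a transfer identifier and its decision with ECDSA, and the originator verifies that signature and rejects any confirmation carrying extra fields. The field names, status values, the P-256 curve and SHA-256 are assumptions made for this example.

```javascript
// Added example, not Sygna Bridge code. Field names, status values, curve and
// hash are assumptions; the key pair and transfer ids are constructed.
const crypto = require('node:crypto');

// Only these keys may appear in a confirmation; anything else (e.g. a name) is rejected.
const ALLOWED_KEYS = ['permission_status', 'transfer_id'];

// Deterministic serialisation so signer and verifier hash identical bytes.
function canonical(msg) {
  return JSON.stringify(Object.fromEntries(ALLOWED_KEYS.map((k) => [k, msg[k]])));
}

// Beneficiary VASP side: sign the decision for one transfer. No customer data is included.
function signConfirmation(privateKey, transferId, status) {
  const body = { permission_status: status, transfer_id: transferId };
  const signature = crypto.sign('sha256', Buffer.from(canonical(body)), privateKey).toString('hex');
  return { ...body, signature };
}

// Originator VASP side: verify against the beneficiary VASP's known public key.
function verifyConfirmation(publicKey, expectedTransferId, confirmation) {
  const { signature, ...body } = confirmation;
  const extra = Object.keys(body).filter((k) => !ALLOWED_KEYS.includes(k));
  if (extra.length > 0) return { ok: false, reason: 'unexpected fields: ' + extra.join(',') };
  if (typeof signature !== 'string' || !/^[0-9a-f]+$/.test(signature))
    return { ok: false, reason: 'malformed signature' };
  if (body.transfer_id !== expectedTransferId) return { ok: false, reason: 'wrong transfer' };
  if (!['ACCEPTED', 'REJECTED'].includes(body.permission_status))
    return { ok: false, reason: 'bad status' };
  const valid = crypto.verify('sha256', Buffer.from(canonical(body)), publicKey, Buffer.from(signature, 'hex'));
  return valid ? { ok: true, status: body.permission_status } : { ok: false, reason: 'bad signature' };
}

// Constructed sample run with a throwaway key pair.
function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const conf = signConfirmation(privateKey, 'tx-0001', 'ACCEPTED');
  return {
    genuine: verifyConfirmation(publicKey, 'tx-0001', conf),
    flipped: verifyConfirmation(publicKey, 'tx-0001', { ...conf, permission_status: 'REJECTED' }),
    replayed: verifyConfirmation(publicKey, 'tx-0002', conf),
    leaky: verifyConfirmation(publicKey, 'tx-0001', { ...conf, beneficiary_name: 'Alice' }),
  };
}
console.log(demo());
```

Binding the signature to the transfer identifier means a confirmation captured from one transfer cannot be reused for another.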

Is there a risk of sending to the incorrect beneficiary VASP? How does Bridge ensure the correct mapping of an address to a VASP?

A unique VASP code is assigned to every VASP. The sender can also select the beneficiary VASP from a scroll-down menu with descriptive text (e.g. “Coinbase in New York, USA”).

How do we know whether VASPs have submitted accurate information?

In line with our data policy, we do not access private data during transmittal requests. Bridge member VASPs are contractually obligated to ensure their data integrity and have been qualified through standards and internal control measures. However, we are exploring resources and partners to establish specific ISO standards.

Are the compliance checks simultaneous or delayed in beneficiary VASP?

Checks are simultaneous because we require VASPs to perform daily sanction name screening and create their own blacklist. Accordingly, when a beneficiary VASP receives a transfer request from Bridge, its server only checks the beneficiary against its own blacklist, which automates the whole process.

How do you prevent the sending of personal information to non-secure entities?

The FATF guidance recommends: “Countries should designate one or more authorities that have responsibility for licensing and/or registering VASPs.”
Therefore we don’t validate the security level of an individual VASP. Instead we trust governments or trusted third parties to validate VASPs.

Is there a risk of malware infection or attacks when connecting to the Sygna Bridge server?

Sygna Bridge uses its RESTful API to help transfer information from the originator VASP to the beneficiary VASP. Bridge relays only text-based information in the JSON format, to ensure that harmful actions against an interpreter or compiler are not possible.