Security & regulatory posture

Boli ships software. Not licenses.

Stripe is not a bank. Twilio is not a telecom carrier. Plaid is not a financial institution. Boli is not a financial institution either. Every regulated activity in the stack is performed by the customer or a licensed partner.

Activity map

What's regulated. And who holds it.

Boli is on the hook for software quality, uptime, security, and data protection. The customer (issuer, law firm, fund admin, transfer agent, project developer, registry, or government agency) is on the hook for the regulated activity it chooses to perform.

| Activity | Regulated? | Who holds it |
|---|---|---|
| Writing, hosting, and licensing software | No | Boli |
| Issuing a security / ARVA / token | Yes | Customer (issuer, SPV, fund) |
| Acting as broker-dealer / placement agent | Yes | Customer's licensed BD |
| Maintaining the book of record | Yes | Customer's registered transfer agent |
| Fund administration, NAV, reporting | Yes | Customer's fund administrator |
| Qualified custody of digital assets | Yes | Customer's chosen qualified custodian (e.g., Fireblocks, BitGo, Anchorage, Copper, Taurus, Komainu). None integrated today; each a planned adapter. |
| Running an ATS / exchange / MTF | Yes | Customer's chosen venue (e.g., Securitize, tZERO, Archax, ADDX, Plume, NYSE Digital). Integration targets — not live listings. |
| Stablecoin issuance | Yes | Third-party issuer (e.g., Circle, PayPal, Ripple, Paxos, Société Générale). Cash-leg adapters in scope; none live today. |
| VASP / CASP / DTSP licensing | Yes | Venue / custodian / exchange partner |
| Sanctions / AML as program of record | Yes | Customer's compliance officer |

What Boli warrants

Contractual scope.

  • SOFTWARE CORRECTNESS

    The code does what the customer tells it to do. Compliance primitives behave as configured; settlement primitives are atomic; MRV oracles report what the upstream provider attested.

  • UPTIME AND OPERATIONAL SLA

    Region-isolated, multi-tenant or dedicated deployments with published SLAs and transparent incident history.

  • SECURITY AND AUDIT POSTURE

    SOC 2 Type II, ISO 27001, penetration testing, signed smart-contract audits, and continuous third-party monitoring of production workloads.

  • DATA PROTECTION

    GDPR, UK GDPR, and India DPDP-aligned. Encryption at rest and in transit, key-management integrations with customer HSMs, right-to-erasure workflows.

Out of scope

What Boli does not warrant.

  • Fitness of the customer's offering for any specific jurisdiction
  • Suitability of any security for any investor
  • That any downstream venue, bridge, or custodian remains operational or licensed
  • Regulatory outcomes — the customer's counsel signs off on filings, not Boli

Certifications

SOC 2 Type II · ISO 27001 · GDPR · Annual penetration testing · Signed smart-contract audits · Responsible-disclosure program

Request access

Need our compliance & security package?

We share our SOC 2 report, ISO 27001 certificate, penetration-test summaries, threat model, and audit history under NDA. Reach out with your counsel and we'll get you a data-room link.