Under developmentBitcoin Quay is an early commercial beachhead — not a production offering and not for member data. Not affiliated as upstream Bitcoin Commons.

Security & compliance stance

Scope discipline over stickers

Institutions need honest vendor fitness — architecture, process, and evidence kits — not a claim that consensus code is “CU-compliant.”

Evidence-first

The console is designed so sensitive actions leave a trail examiners can follow. Export packs and control mapping are product workstreams — we do not claim SOC, PCI, or NACHA certification on this site.

Approved Integration Boundary

Third-party risk is managed through an allowlist. Core, OFAC/AML, and ACH run via customer vendors and processors — Bitcoin Quay does not become the ODFI or the BSA system of record.

Data minimization

GLBA-minded query-through patterns; no PAN in product scope (PCI out of CDE by design). Beachhead and marketing forms never collect member NPI.

Dual-control by design

Sensitive actions require maker/checker flows. Money movement is modeled as intents correlated to vendor decision IDs — not freeform sends.

This page is posture narrative for early conversations. It is not a security whitepaper, attestation, or substitute for your institution's TPRM process.

Request a briefing