# Security & Compliance

**Tesseract Investment Oy** holds the regulatory authorisations and security certifications expected of an institutional yield provider.

### Licenses & certifications

* **MiCA CASP authorisation (Tesseract Investment Oy)** — The DCV service operates within the custody, portfolio management, and transfer services limbs of Tesseract Investment Oy's CASP authorisation. The full authorisation also covers investment advice and reception / transmission of orders. Certificate of registration available on request under NDA.
* **ISO/IEC 27001:2022 (Tesseract Earn Oy)** — valid to October 2027, audited by Prescient Security. Reports available on request under NDA.
* **SOC 2 Type II (Tesseract Earn Oy)** — three consecutive years, audited by Prescient Security. Reports available on request under NDA.

### Risk management

**Smart contract & protocol.** All vault contracts are audited before mainnet deployment. Only pre-approved, vetted DeFi protocols may be used; new protocol whitelisting and key-management changes require multisig approval. DeFi counterparties and institutional lending borrowers go through the same due-diligence process before onboarding.

**Operational.** 24/7 automated monitoring of positions, with auto-deleveraging when risk thresholds are breached. Vault execution is constrained to pre-approved interactions with whitelisted protocols. Under the Vault Services Agreement, Tesseract Investment Oy has the right to invoke an emergency freeze on vault operations in defined incident scenarios, exercisable only in accordance with the VSA and applicable law.

**Per-client isolation (DCVs).** Each vault is a standalone smart contract; one client's risk exposure cannot affect another's. Yield auto-compounds at the vault level. Withdrawals clear instantly from available liquidity or through the scheduled-withdrawal flow for larger amounts.

**Lending.** Delta-neutral strategy eliminates directional price exposure. Loans are diversified across vetted institutional borrowers and collateral is held with third-party custodians. Borrower creditworthiness is monitored on an ongoing basis.

**Regulatory.** Proactive dialogue with FIN-FSA on service developments. Implements Travel Rule obligations under Regulation (EU) 2023/1113 via Sumsub. AML / KYC via Sumsub with TRM for transaction monitoring.

**Transparency & reporting.** Vault state, transaction history, and performance time-series are exposed through the reporting API. Non-transferable share tokens provide cryptographic proof of client ownership verifiable on-chain without Tesseract's cooperation. Monthly performance reports are published for the Lending product.

### Audits

Each product is independently audited where applicable. Product-specific audit reports are linked from the relevant section — for DCVs, see [Audit Reports](/dedicated-client-vaults/reference/audit-reports.md).

***

> *Tesseract Investment Oy is authorised as a Crypto Asset Service Provider (CASP) under Regulation (EU) 2023/1114 (MiCA). On-chain yield vaults involve significant risks, including smart contract vulnerabilities, liquidity risk, and the risk of total loss of capital. Past performance is not indicative of future results.*


