- Signing device never connects to a network — not a config option, it's the architecture
- QR code-based air-gap: transaction prepared online, signed offline, broadcast via QR
- Multi-sig with on-chain permissioning — quorum rules are blockchain transactions, not database records
- Holds security tokens, stablecoins, BTC, and ETH with integrated cap table administration
- Atomic on-chain OTC settlement — no counterparty risk, broker-dealer custody-safe
- First cold storage multi-sig Ethereum wallet for security tokens (late 2017)
Tokensoft's enterprise custody solution is an institutional-grade multi-signature custody system for security tokens and digital assets. It was the first cold storage, multi-signature Ethereum wallet built specifically for security token custody. The signing device never connects to a network. This is not a configuration option — it is the architecture.
Why Online Custody Fails at Institutional Scale
The security model for digital asset custody reduces to one question: at what point does the private key touch a networked device? For most solutions — including hardware wallets and multi-sig setups — the answer is: during signing. The signing device connects to a computer, which connects to the internet. That connection is the attack surface.
Hardware wallets reduce risk by isolating the key in a secure element. But the signing session is still connected to a networked host. Multi-sig schemes distribute signing authority across multiple keyholders — but if each signer uses an online device, the scheme reduces probability of attack without eliminating the attack surface. The only way to fully eliminate the network as a signing-time attack vector is to take the signing device offline entirely.
How Offline Signing Works
Step 1: Transaction Preparation (Online)
A transaction is prepared on an internet-connected device — recipient address, amount, token contract, gas parameters, applicable compliance data — and encoded as a QR code stream.
Step 2: Offline Review and Signing (Air-Gapped)
The air-gapped signing device reads the QR code via its camera. It displays the decoded transaction details for the authorized signer to review. The signer confirms. The device signs using the private key in its secure element. At no point during this process is the signing device connected to any network — wired or wireless.
Step 3: Broadcast (Online)
The signed transaction is encoded as a new QR code on the signing device's screen. The online device reads this QR and broadcasts the signed transaction to the network. The private key never leaves the air-gapped device.
How Tokensoft Enterprise Custody Compares
| Capability | Tokensoft | Fireblocks | Ledger Enterprise | Gnosis Safe |
|---|---|---|---|---|
| Signing environment | ✅ Offline / air-gapped | ⚠️ MPC online | ⚠️ Online host | ❌ Online |
| Private key touches network | ✅ Never | ⚠️ Key shares online | ⚠️ During session | ❌ Yes |
| Multi-sig | ✅ Yes | ✅ MPC | ✅ Yes | ✅ Yes |
| On-chain permissioning | ✅ Smart contract | ❌ Policy engine | ❌ Policy engine | ✅ Smart contract |
| Security token native | ✅ ERC-1404 integrated | ⚠️ Generic | ⚠️ Generic | ❌ Generic |
| Atomic OTC settlement | ✅ Yes | ❌ — | ❌ — | ❌ — |
| Available since | 2017 | 2019 | 2014 | 2018 |
Multi-Signature and Role-Based Access Controls
The platform supports multi-sig configurations with role-based access controls defined in an on-chain permissioning smart contract: Owner, Admin, and Investor roles. Authorization rules — quorum requirements, role assignments, authorized signer addresses — are in the smart contract. Any change to the signing policy is a blockchain transaction: timestamped, immutable, auditable. This matters for regulated custodians who must maintain records of changes to custody arrangements.
What It Holds and Administers
The solution holds security tokens, regulated stablecoins, Bitcoin, and Ethereum. Custody is integrated with administration — cap table records, transfer restrictions, and distributions run through the same system. When a distribution event occurs, the platform calculates per-holder amounts, runs compliance checks, and executes on-chain transfers from the same system that maintains custody of the issuer's master wallet.
On-Chain Atomic OTC Trading
A specialized smart contract manages OTC trade mechanics: both parties agree off-chain, the contract verifies both are whitelisted under ERC-1404, then executes the exchange atomically — token delivery and payment in the same transaction. Neither party's assets are held by the platform during the trade. For broker-dealers: facilitating a trade without taking custody of either party's assets avoids the custody obligations that would otherwise arise under broker-dealer regulations.
Frequently Asked Questions
What is Tokensoft's enterprise custody solution?
An institutional-grade multi-signature custody system for security tokens and digital assets using air-gapped, offline signing. The private key never touches a networked device. It was the first cold storage multi-sig Ethereum wallet built specifically for security token custody, launched in late 2017.
How is Tokensoft's custody different from Fireblocks?
Tokensoft uses offline signing — the private key never touches a networked device. Fireblocks uses MPC (multi-party computation), which distributes key shares but still signs online. Tokensoft's air-gap eliminates the network as an attack vector during signing entirely.
How does the air-gapped signing process work?
A transaction is prepared online and encoded as a QR code. The air-gapped signing device reads the QR via camera, displays the transaction, and signs offline with its secure-element private key. The signed transaction is encoded as a new QR on the signing device, which the online device reads and broadcasts. The private key never leaves the air-gapped device.
What is atomic OTC settlement?
Tokensoft's on-chain OTC module executes trades atomically — both legs (token delivery and payment) settle in the same transaction. The smart contract verifies both parties are whitelisted and compliant before executing. Neither party's assets are held by the platform during the trade, which helps broker-dealers avoid triggering custody obligations.
Does enterprise custody integrate with cap table administration?
Yes. Custody, cap table records, transfer restrictions, and distribution processing are integrated in the same system. When a distribution occurs, the platform calculates per-holder amounts, runs compliance checks, and executes on-chain transfers from the same infrastructure that holds custody.
Enterprise custody at the highest security tier — purpose-built for regulated security token custody at institutional scale since 2017.
Learn More →Last updated: April 10, 2026 · Tokensoft Inc. · Back to Blog