
11 min read
7 Questions to Ask Your Crypto Custody Provider Before You Sign
The question that decides a crypto custody contract is whether the provider can move your funds without you.
If a provider holds the keys, it can, and your security then depends on that provider's internal controls instead of your own. You are three vendors deep into a custody shortlist and every deck says the same things: secure, compliant, trusted by leading exchanges. None of that answers the key-control question. Ask about key control first, and most of the shortlist thins out fast.
The stakes are not abstract. In 2025, crypto theft exceeded $3.4 billion, and the single largest event, the $1.5 billion ByBit hack, came from a compromise of private-key infrastructure and signing processes rather than a smart-contract bug. When a provider controls the keys, its signing pipeline becomes your single point of failure. The seven questions below are built to find that failure point before it finds you.
1. Can you move our funds without us?
Why it matters: This is the question the whole evaluation turns on. If a provider can sign and broadcast a transaction using only keys it holds, then your funds are exposed to that provider's internal access controls, insider risk, and breach surface. A self-custody architecture removes the provider from the signing path entirely. You hold the keys, so no vendor action can move your money on its own.
What a weak answer sounds like: "Your assets are held securely in our high-security vaults with multiple layers of protection." That describes where funds sit, not who can move them. It is a description of custody, not of control.
What a real answer sounds like: "No. You control your private keys and we never hold them, so we have no technical ability to move your funds."
CoinsDo runs on exactly this model: you control your private keys, and CoinsDo never holds them. That is the difference between a provider you trust and a provider you depend on.
2. Where do the keys actually live, and who can authorize a signature?
Why it matters: "You hold the keys" only means something if the authorization process behind a signature is enforced and auditable. A provider should be able to show you how a transaction gets approved, who signs, and what stops a single compromised account from pushing funds out. Governance around the signature is as important as where the key sits.
What a weak answer sounds like: "Our security team reviews all outgoing transactions." Human review with no described tiers, thresholds, or expiry is a promise, not a control. Ask what happens when that reviewer's laptop is compromised.
What a real answer sounds like: "Approvals run through custom flows with reviewer tiers, thresholds, and escalation logic for high-value transactions, and each dispatch record carries a configurable expiry."
CoinSend supports exactly that: custom approval flows, approval expiry controls per dispatch record, and sub-account role management where the main account controls each sub-account's session validity. It also adds a signing feature using RSA and HMAC-SHA256 that produces an unforgeable authorization trail across mobile, PC, and browser extension.
For a closer look at how custodial and non-custodial models differ here, read this piece.
3. What is your certification, and can you name it precisely?
Why it matters: "Regulated" and "compliant" are not certifications. A provider making a security claim should be able to name a specific standard, the certificate number, the issuing body, and the validity date. Vague compliance language is the easiest thing in a sales deck to say and the hardest to verify, so make them be specific.
What a weak answer sounds like: "We are fully compliant and hold all relevant industry certifications." No standard and no certificate number. If they cannot name it in one sentence, treat it as unverified.
What a real answer sounds like: "We hold certifications XYZ , valid till xxx date, covering the management and operation of a crypto platform."
4. Does our wallet infrastructure survive the end of this contract?
Why it matters: Vendor lock-in is a security and continuity risk before it is a commercial one. If your wallet addresses stop working when the partnership ends, you are hostage to renewal terms and to the provider's own survival. Portability means your operational continuity does not depend on the relationship lasting forever.
What a weak answer sounds like: "We would work with you on an orderly migration if you ever decided to leave." Migration-as-a-favor means the addresses are theirs, not yours. Ask whether the wallets keep working with no migration at all.
What a real answer sounds like: "Your wallet addresses remain usable even if the partnership ends, so there is nothing to migrate."
CoinsDo is built this way: wallet addresses stay usable after the relationship ends.
Understanding this is easier if you know how the underlying wallet infrastructure is put together.
5. How do you screen funds coming in and route funds going to storage?
Why it matters: Custody is not only about outbound signing. Funds you collect can carry compliance risk from their source, and funds you hold should not sit in a hot environment longer than necessary. A provider should screen incoming addresses and move collected balances to cold storage without a manual step someone can forget.
What a weak answer sounds like: "We monitor for suspicious activity across the platform." Monitoring is passive. Ask whether risk screening runs on the sending address before funds are accepted, and whether cold-storage routing is automatic.
What a real answer sounds like: "Incoming funds are screened with automatic know-your-transaction address risk screening, and collected balances auto-route to cold storage."
CoinGet does both: automatic KYT address risk screening of sending addresses, and cold storage transfer integration that routes collected funds automatically.
6. Can you verify the identity of the people behind the wallets?
Why it matters: For an exchange or PSP, custody sits next to onboarding and fraud controls. A provider that can pair wallet infrastructure with identity verification saves you from bolting a separate KYC stack onto the signing layer. Identity screening at the edge keeps sanctioned or fraudulent actors out before they touch your custody environment.
What a weak answer sounds like: "You can integrate any third-party KYC tool you like." Possible, but it pushes integration risk onto you and leaves a seam between identity and custody. Ask what the provider offers natively.
What a real answer sounds like: "We include an identity verification engine with document OCR, liveness detection, facial recognition, and blacklist and fraud screening."
CoinFace provides exactly that engine, so identity checks and custody live in the same system rather than two integrations you have to keep in sync.
7. How fast can you support a chain we need but you do not yet list?
Why it matters: Your roadmap will outrun any provider's current chain list. What matters is the cadence at which a provider adds networks you request, because a slow or vague answer here becomes a blocker on your product roadmap later. Ask for a real interval, not a "we are always expanding."
What a weak answer sounds like: "We support all major chains and are constantly adding more." That commits to nothing. Ask how long it took to add the last client-requested network.
What a real answer sounds like: "New chains for client requests go live on roughly a one-month cadence."
CoinsDo works to that cadence for client-requested networks, which gives you a planning number instead of a promise.
If you are still weighing signing models underneath all this, our MPC vs multisig explainer is worth reading before you commit.
Frequently asked questions
What makes a crypto custody provider safe?
A custody provider is safe when it cannot move your funds on its own. The strongest posture is a self-custody model where you hold the private keys and the provider never does, backed by enforced approval flows and a named security certification you can verify.
What is the difference between custodial and self-custody crypto custody?
Custodial providers hold your private keys and can sign transactions for you, which makes their internal controls your point of failure. Self-custody keeps the keys with you, so no provider action can move your funds without your own authorization.
Is institutional crypto custody the same as regulated crypto custody?
Not necessarily. "Regulated" describes a provider's licensing status, while institutional custody describes its controls and certifications. Ask for a specific standard and certificate number rather than accepting "regulated" or "compliant" as proof of a security posture.
Why does key control matter more than storage in crypto custody solutions?
Storage describes where assets sit; key control describes who can move them. Most major thefts trace back to compromised keys and signing processes, so the provider that never holds your keys removes the single largest failure point from the equation.
Score your shortlist
Go back through your candidates with these seven questions in hand. If one or two got a shaky answer, press for specifics: a named certificate, a described approval flow, a real chain cadence. Vague answers on the edges are worth a follow-up, not an immediate no.
If three or more got vague, deflecting, or storage-flavored answers to questions about control, you are looking at a provider whose security depends on you trusting them rather than on you holding the keys. That is the shortlist you cut.
The cleanest way to close question one is to remove the provider from the signing path entirely.
Evaluate CoinsDo self-custody WaaS, you keep the keys.
