Security is the foundation of everything we build at Envestir. Unlike centralized exchanges where your funds are held in the platform's wallets, Envestir uses a fully noncustodial architecture. This means your private keys are generated on your device, encrypted on your device, and never transmitted to our servers. You are always in full control of your assets.
When you create an Envestir account, a new Solana wallet is generated using the BIP39 standard. This produces a 12-word recovery phrase that serves as the master key to your wallet. The private key derived from this phrase is encrypted using AES-256-GCM encryption before being stored locally. Even if someone gained access to the encrypted data, they would not be able to decrypt it without your password.
We implement multiple layers of security beyond the core wallet architecture. All communications between the app and our servers use TLS encryption. Authentication is handled through secure session tokens with short expiration windows. Sensitive operations like withdrawals can be protected with additional verification steps.
Your recovery phrase is the single most important piece of information in your Envestir account. If you lose access to your device, you can restore your wallet on a new device using this phrase. However, if you lose your recovery phrase and your device, there is no way for us or anyone else to recover your funds. This is the trade-off of noncustodial security — maximum control comes with maximum responsibility.
We strongly recommend writing down your recovery phrase on paper and storing it in a secure location. Never share it with anyone, never store it in a screenshot or note-taking app, and never enter it on any website other than the Envestir app itself. Our support team will never ask for your recovery phrase under any circumstances.