Security
Highland Security has audited all SukuPay operations.
During our testing of Suku Labs’ web payment application, the testing team discovered that the reviewed source code version adhered to the current best practices in cloud security and the Open Web Application Security Project (OWASP).
After addressing the findings and observations captured in this report and providing no further significant post-code changes, we believe that the security posture of the SukuPay product is satisfactory for mitigating potential risks from threat actors.
Furthermore, through our review, we found that the architecture of the SukuPay wallet is sufficiently segmented, so Suku Labs personnel cannot access any client wallet's private keys or any recovery material. All key sharding operations and wallet recovery are handled by a third party, Privy.io, and are outside the scope of Suku Labs’ control.
The Suku Labs team was able to provide documentation on the expected operation of the product and was responsive to the team's feedback. No critical-rated findings were identified during the testing.