SSP Enterprise — Multi-Party Self-Custody Solution

Secure. Simple. Powerful. Enterprise.

Built on the proven SSP Wallet foundation – extending 2-of-2 multisig security to multi-party business coordination

SSP Enterprise transforms the battle-tested SSP Wallet ecosystem into a comprehensive multi-party cryptocurrency management solution for businesses, partnerships, and organizations. While maintaining the core principle of true self-custody, SSP Enterprise adds business-grade coordination features on top of the proven 2-of-2 multisignature architecture that has secured user funds since 2024.

🎯 Executive Summary

What is SSP Enterprise?

SSP Enterprise extends the revolutionary SSP Wallet ecosystem – a BIP48 true 2-of-2 multisignature crypto wallet that's already securing $3M+ in consumer wallets and over $100M in enterprise vaults – to multi-party business scenarios. Instead of a single user controlling two devices (browser + mobile), SSP Enterprise coordinates multiple parties, each with their own SSP Wallet + SSP Key setup. Live in production today with named customers including Flux Foundation and the Fusion Bridge.

Built on Proven Technology

The SSP ecosystem consists of three battle-tested components:

SSP Wallet: Browser extension holding one private key
SSP Key: Mobile app holding the second private key with biometric authentication
SSP Relay: Coordination server facilitating secure communication

Security Track Record: Three Halborn security audits passed with zero critical or high-severity findings (March 2025). Overall rating: EXCELLENT. Reports public at halborn.com/audits/influx-technologies.

Core Value Proposition

🔐 Proven Self-Custody: Extends SSP's battle-tested 2-of-2 architecture to business use
📱 Mobile-Native Security: Each party uses familiar SSP Key mobile authentication
🌐 True Multi-Chain: 12 mainnet chains live across UTXO and EVM (17 in consumer SSP Wallet including testnets), with our own open-source Solana multisig program rolling to mainnet
💰 No AUM Fees: Open-core SaaS pricing — no AUM-linked fees, 10-100x cheaper than custodial alternatives at the same security level
🔍 Open-Source Where It Counts: Clients, cryptographic SDKs, and our Solana multisig program are public on GitHub (AGPL v3) and Halborn-audited. Self-hostable. Industry-standard open-core model.
🚀 Enterprise-Grade: Production-grade policy engine, audit logs, analytics, and organization management
🛡️ Secure Data Model: Stores only non-sensitive coordination data (public keys, addresses) — never private keys or signing material

🏗️ Architecture Overview

Current SSP Ecosystem (Individual Users)

Single User with 2-of-2 Multisig Security:
┌─────────────────┐    ┌─────────────────┐
│   SSP Wallet    │    │    SSP Key      │
│  (Browser Ext)  │◄──►│   (Mobile App)  │
│                 │    │                 │
│ • One private   │    │ • Second private│
│   key stored    │    │   key stored    │
│ • Transaction   │    │ • Biometric/PIN │
│   construction  │    │   confirmation  │
│ • BIP48 paths   │    │ • Final signing │
└─────────────────┘    └─────────────────┘
         │                       │
         └──── SSP Relay ────────┘
              (Communication Only)

✅ Live in production — $100M+ secured in enterprise vaults, $3M+ in consumer wallets
✅ 12 mainnet chains live (17 in consumer SSP Wallet including testnets); Solana imminent
✅ WalletConnect v2, Account Abstraction (ERC-4337), Schnorr aggregated signatures
✅ 3 Halborn audits passed (zero critical/high findings, EXCELLENT rating)
✅ AGPL v3 open-source clients, self-hostable relay

SSP Enterprise Extension (Multi-Party Business Coordination)

Each Party Uses Their Own SSP Wallet + SSP Key (2-of-2):
┌─────────────────────┐    ┌─────────────────────┐    ┌─────────────────────┐
│      Party A        │    │      Party B        │    │      Party C        │
│  (Uses SSP Wallet   │    │  (Uses SSP Wallet   │    │  (Uses SSP Wallet   │
│   ecosystem)        │    │   ecosystem)        │    │   ecosystem)        │
│ ┌─────────────────┐ │    │ ┌─────────────────┐ │    │ ┌─────────────────┐ │
│ │   SSP Wallet    │ │    │ │   SSP Wallet    │ │    │ │   SSP Wallet    │ │
│ │  (Browser Ext)  │ │    │ │  (Browser Ext)  │ │    │ │  (Browser Ext)  │ │
│ └─────┬───────────┘ │    │ └─────┬───────────┘ │    │ └─────┬───────────┘ │
│       │             │    │       │             │    │       │             │
│ ┌─────┴───────────┐ │    │ ┌─────┴───────────┐ │    │ ┌─────┴───────────┐ │
│ │    SSP Key      │ │    │ │    SSP Key      │ │    │ │    SSP Key      │ │
│ │  (Mobile App)   │ │    │ │  (Mobile App)   │ │    │ │  (Mobile App)   │ │
│ └─────────────────┘ │    │ └─────────────────┘ │    │ └─────────────────┘ │
└─────────────────────┘    └─────────────────────┘    └─────────────────────┘
          │                          │                          │
          └──────────────────────────┼──────────────────────────┘
                                     │
              ┌─────────────────────────────────────────┐
              │       SSP Enterprise Platform           │
              │      (New Business Coordination)        │
              │                                         │
              │ 🌐 Web portal for business management   │
              │ 🔗 Multi-party address generation       │
              │ 📋 Transaction proposal & approval      │
              │ 🔒 Business policy engine               │
              │ 📊 Audit trails & compliance reporting  │
              │ 👥 Role-based access control            │
              │ 🔄 Integrates with existing SSP infra   │
              └─────────────────────────────────────────┘

Key Innovation: SSP Enterprise leverages the existing, proven SSP ecosystem. Each business party continues using their familiar SSP Wallet + SSP Key setup, with the Enterprise platform coordinating multi-party decisions on top.

Enterprise Data Model

SSP Enterprise maintains the core security principle of never storing private keys or sensitive data, while enabling seamless business coordination:

Data Storage Model:
┌─────────────────────────────────────────────────────────┐
│              SSP Enterprise Data Architecture           │
├─────────────────────────────────────────────────────────┤
│                                                         │
│  ❌ NEVER STORED (Remains on user devices):             │
│  ├── Private keys (stay in SSP Wallet/Key)              │
│  ├── Seed phrases (user-controlled)                     │
│  ├── Transaction signing data                           │
│  └── Sensitive authentication tokens                    │
│                                                         │
│  ✅ COORDINATION DATA (Stored in SSP Relay):            │
│  ├── Public keys for address generation                 │
│  ├── Multi-party wallet addresses                       │
│  ├── Business policy configurations                     │
│  ├── Transaction proposals (unsigned)                   │
│  ├── Approval workflows and status                      │
│  ├── Audit trails and compliance logs                   │
│  └── User roles and permissions                         │
│                                                         │
│  🔒 SECURITY BENEFITS:                                  │
│  ├── Enables seamless enterprise integration            │
│  ├── Facilitates analytics and reporting                │
│  ├── Maintains true self-custody principles             │
│  └── Zero risk of private key exposure                  │
└─────────────────────────────────────────────────────────┘

Security Assurance: All stored data is non-sensitive by design. Even if the SSP Enterprise platform were compromised, no private keys or funds would be at risk since all signing operations occur on user-controlled devices.

Cryptographic Foundation of SSP Identity

SSP's entire architecture — from consumer wallet up to enterprise M-of-N vaults — rests on a single primitive we call SSP Identity: a 2-of-2 multisignature wallet split across two independent user-controlled devices (browser extension and mobile app). Every higher-level construct in the system reduces to combinations of SSP Identities. Understanding it is the foundation of understanding everything else.

The 2-of-2 multisignature identity

Each SSP user holds two BIP-32 hierarchical-deterministic seeds, generated independently on two different devices:

s_wallet — generated on first install of the SSP Wallet browser extension, stored encrypted at rest with a user-chosen passphrase
s_key — generated independently on first install of the SSP Key mobile app, stored in the OS-level secure enclave / Keychain with biometric unlock

These two seeds never meet — there is no point in the system where a single device, server, or process has access to both. From each seed, the device derives an extended public key (xpub_wallet, xpub_key) at the BIP-48 multisig branch and exchanges only the extended public keys with the other device via the relay (or out-of-band QR scan, for users who want zero-relay setup).

The user's wallet address on each chain is then constructed as:

SSP Identity address  =  Multisig(pubkey_wallet, pubkey_key, threshold=2)
                         derived at BIP-48 path m/48'/coin'/account'/script_type'/0/i

For UTXO chains (Bitcoin, Litecoin, etc.), this materializes as a native P2WSH 2-of-2 script. For EVM chains, it's a Schnorr-aggregated key pair that controls an ERC-4337 smart account. For Solana, it's a 2-of-2 entry in our custom Anchor multisig program. In every case, both private keys must produce a signature for any transaction to be valid — there is no recoverable threshold of one.

Threat model: why 2-of-2 is strictly stronger than single-key custody

Single-key wallets (MetaMask, Phantom, Ledger-only setups) have a 1-device security model: compromise of the single device or seed = total loss. Standard 3-of-5 multisig in business contexts often degenerates in practice — keys are stored on the same machine, the same hardware vendor, or the same cloud KMS — collapsing back to single-point-of-failure.

SSP Identity is structurally resistant to the most common attack surfaces:

Attack	Effect on SSP Identity
Browser extension malware / supply-chain attack on Wallet	Attacker has 1 of 2 keys. Cannot sign.
Mobile device theft + biometric coercion	Attacker has 1 of 2 keys. Cannot sign.
Cloud backup leak (iCloud / Google Drive) when seeds backed up to different services per SSP guidance	Recovers at most 1 seed. Cannot sign.
Phishing of the user's wallet passphrase	Decrypts `s_wallet` only. Still missing `s_key`.
Compromise of SSP Relay infrastructure	Relay holds only public keys and ciphertext message envelopes. No keys exposed.
Lost device	Recover via the other device's seed export + reinstall. Funds intact.

The only attack that defeats 2-of-2 is simultaneous compromise of both devices — a meaningfully harder threshold than compromising any single device, and the foundation on which enterprise M-of-N is built.

Wallet ↔︎ Key identity proof: the `wk_sign` protocol

When an application needs to prove the user controls a particular SSP Identity — for relay authentication, SSP Enterprise login, or any signed-message workflow — both devices must produce a signature over a freshness-bound challenge. The protocol is intentionally minimal:

Message format:
  <13-digit ms timestamp> <random hex, 32+ chars>
  Total length 45–500 chars

Validation rules (enforced on the receiving device):
  • First 13 chars parse as a millisecond Unix timestamp
  • Timestamp is within ±5 min future drift and ≤ 15 min in the past
  • Message length between 45 and 500 chars
  • Random portion present and well-formed

Signing:
  • Both SSP Wallet and SSP Key sign the message under Bitcoin
    message signing (BIP-137 style) using their respective
    secp256k1 keys derived at the SSP Identity path
    m/48'/coin'/account'/script_type'/10/0
  • Combined response carries: walletSignature, walletPubKey,
    keySignature, keyPubKey, witnessScript, wkIdentity, message

Reference implementation: ssp-wallet/src/lib/wkSign.ts. The 15-minute validity window and 5-minute future-drift allowance are the only freshness mechanism — there is no separate replay database. Reuse is bounded by the sliding window; the verifier's only requirement is that the timestamp falls inside that window when checked.

Transaction signing is a separate flow that varies per chain family — UTXO uses progressive SIGHASH co-signing across both devices using P2WSH (or P2SH on chains without SegWit), EVM uses MuSig2 Schnorr aggregation with on-chain ERC-4337 verification, and Solana uses the custom Anchor program. In every case, both s_wallet and s_key must produce a signature for the transaction to be valid. Sensitive data clearing is enforced at the application layer — decrypted seed material is zeroed from memory after the signature is produced; this was hardened in the audit reviews after an early bug where the encryption password was cleared one step too early in the mobile flow.

What You See Is What You Sign — on-device transaction decoding

Every multisig wallet faces the same threat: an intermediary (relay, server, message bus) sends you a transaction to sign, and you have no way to be sure the summary you see matches the bytes you sign. A malicious or compromised intermediary could attach human-readable labels like "Send 100 USDC to alice.eth" while the underlying transaction actually transfers 1,000,000 USDC to an attacker. This is a well-known class of attack against any wallet that relies on a server-decoded preview.

SSP eliminates this entire attack surface by independently decoding the raw transaction bytes on every signing device. Neither the SSP Wallet nor the SSP Key trusts a single byte of human-readable metadata from the relay. Both devices receive only the raw transaction data — the same bytes that will be broadcast to chain — and each device decodes them locally before presenting them to the user:

UTXO chains — both devices independently call utxolib.Transaction.fromHex() (and PSBT helpers where applicable) on the raw transaction hex. They extract sender, recipients, amounts, fees, and any non-change outputs from the actual bytes. A relay that tampered with a label would produce a transaction whose on-chain effect differs from the relay's claim; the local decode catches it.
EVM chains — both devices parse the ERC-4337 UserOperation JSON locally and run viem's decodeFunctionData against the standard erc20Abi (and against SSP's own aa-schnorr-multisig-sdk ABI for execute calls) to recover the real recipient, the real token contract, and the real base-unit amount. The relay never gets to label a transaction; the wallet and key apps each compute the label from on-chain bytes.
Solana — both devices decode the bundled transaction (which contains nonceAdvance + create_transaction + approve_transaction × threshold + execute_transaction + close_transaction) using on-device Solana SDK helpers, extract the instructions, and verify the inner program invocations.

This is implemented in ssp-wallet/src/lib/transactions.ts (decodeVaultTransaction) and ssp-key/src/lib/transactions.ts (same function name, same logic, separate codebase). Both EnterpriseVaultSignTx on the wallet side and VaultSignRequest on the key side render their UI from this locally-decoded data, not from anything the relay sent in a metadata field.

The user signs exactly what they see, and what they see came from the bytes that will hit the chain. A compromised SSP Relay — or a compromised SSP Enterprise backend, or a man-in-the-middle, or a malicious dApp speaking WalletConnect — cannot get either device to display a misleading preview, because neither device trusts the preview source. The same applies to the SSP Identity proof flow (wk_sign): the message that gets signed is the message both devices independently parse from the raw envelope, not a server-provided rendering of it.

Self-hostable, zero-trust relay design

The SSP Relay is deliberately minimal:

Stateless message forwarding with TTL-bounded mailboxes per WK Identity
No private key material, ever — only ciphertext envelopes and public coordination data (xpubs, addresses, unsigned proposals, audit logs)
Public, AGPL v3, self-hostable — any organisation that wants zero dependency on InFlux infrastructure can run their own relay endpoint and point their wallet + mobile app at it
No central authority — the relay cannot authorize, block, or modify any signature. It is a dumb pipe with a database of public coordination data

Even a fully compromised relay leaks no signing capability. The worst-case adversary model is a relay that drops messages or attempts replay — both of which are detected by the device-side validation in step 4 above.

⚙️ Technical Implementation

Multi-Chain Architecture

Each blockchain network has different technical capabilities, requiring tailored approaches:

Bitcoin Legacy/SegWit (P2SH/P2WSH)

Structure: 4-of-6 Multisig (Technical Reality)
┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│   Party A   │ │   Party B   │ │   Party C   │
├─────────────┤ ├─────────────┤ ├─────────────┤
│ Wallet A    │ │ Wallet B    │ │ Wallet C    │ 
│ Key A       │ │ Key B       │ │ Key C       │
└─────────────┘ └─────────────┘ └─────────────┘

Why 4-of-6: Bitcoin's ECDSA cannot combine signatures
Bitcoin Script: OP_4 <WA> <KA> <WB> <KB> <WC> <KC> OP_6 OP_CHECKMULTISIG
Note: Public keys are sorted in redeem script for deterministic address generation
Spending: Any 2 parties provide 4 signatures total

Address Example: 3FKjZ8rLJXhpBPx8r8ycRd5kq3x7fN2m5T (P2SH)
                bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh (P2WSH)

Bitcoin Taproot (Future Implementation)

Structure: 2-of-3 via Schnorr MuSig2
┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│   Party A   │ │   Party B   │ │   Party C   │
│ (Combined)  │ │ (Combined)  │ │ (Combined)  │
└─────────────┘ └─────────────┘ └─────────────┘

Process:
1. Each party combines Wallet + Key internally (MuSig2)
2. Three combined keys create 2-of-3 threshold Schnorr
3. Spending: Any 2 parties create single aggregated signature

Address Example: bc1p5d7rjq7g6rdk2yhzks9sm5p3rczyr5yz2zkt6qgkq (P2TR)

EVM Chains (Ethereum, Polygon, BSC, Base, etc.)

Structure: 2-of-3 Smart Contract
┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│   Party A   │ │   Party B   │ │   Party C   │
│ (Combined)  │ │ (Combined)  │ │ (Combined)  │
└─────────────┘ └─────────────┘ └─────────────┘

Smart Contract Implementation:
contract SSPEnterpriseWallet {
    mapping(address => bool) public signers;
    uint256 public threshold = 2;
    
    function executeTransaction(
        address to,
        uint256 value,
        bytes memory data,
        bytes[] memory signatures
    ) external {
        require(verifySchnorrSignatures(signatures), "Invalid sigs");
        require(signatures.length >= threshold, "Insufficient sigs");
        // Execute transaction
    }
}

Address Example: 0x742d35Cc6671C4e3b8d8B8e9D2f7e2f1A5A5A5A5

SSP EVM Schnorr Multisig + Account Abstraction — Deep Dive

Enterprise EVM multisig today means one of three architectures, each with a real tradeoff:

Qualified custodians (Anchorage, BitGo, Coinbase Custody) — you give up keys to a regulated third party. AUM-linked fees and counterparty risk.
MPC platforms (Fireblocks, Copper, DFNS) — marketed as self-custody but the cryptography is off-chain, proprietary, and not on-chain verifiable. Cannot meet U.S. qualified-custodian standards.
ECDSA threshold contracts (Safe / Gnosis Safe) — genuinely self-custodial, but every signer's ECDSA signature is stored separately on-chain. Three concrete consequences:
- Gas cost scales linearly with signer count. A 3-of-5 Safe spend pays for 3 full signatures, every transaction. A 5-of-7 pays for 5. Treasuries with larger signer groups pay this every time.
- The signing subset is publicly visible. Anyone watching the chain sees exactly which members co-signed each transaction.
- No native AA features. Sponsored gas, batched user operations, programmable policy at the protocol level — all require bolt-on solutions.

SSP takes a fourth path. We combine Schnorr aggregated signatures with ERC-4337 Account Abstraction. M-of-N signers produce a single combined Schnorr signature client-side (via MuSig2); the smart account verifies one signature on-chain.

Structure: Schnorr Aggregated M-of-N via ERC-4337
┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│   Member A  │ │   Member B  │ │   Member C  │ │     ...     │
│  (Wallet+   │ │  (Wallet+   │ │  (Wallet+   │ │  any M-of-N │
│   Key)      │ │   Key)      │ │   Key)      │ │  threshold  │
└─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘

Each member's signature is itself a MuSig2 aggregation of their
SSP Wallet + SSP Key signatures (the proven 2-of-2 SSP Identity).

Client-side signing flow:
  1. Each participating member produces a partial Schnorr signature
     (using their SSP Identity, no key material leaves their devices).
  2. Partials are aggregated into a single 64-byte combined signature.
  3. The combined signature is passed in a single ERC-4337 UserOperation.

On-chain verification (smart account contract):
  function executeTransaction(
      UserOperation calldata op,
      bytes calldata aggregatedSchnorrSig
  ) external {
      require(verifySchnorr(challengeHash, aggregatedSchnorrSig, aggPubKey),
              "Invalid aggregated signature");
      _execute(op.callData);
  }

Properties:
  • One 64-byte signature on-chain regardless of M or N.
  • Gas cost identical to a single-signature transaction.
  • Signing subset is NOT revealed on-chain — verifier only sees
    the aggregated key, not which members participated.
  • Native ERC-4337 features: paymaster gas sponsorship,
    bundled UserOps, batched calls, programmable policy modules.
  • Bundler-agnostic: works with Alchemy, Etherspot, Stackup, or
    any standards-compliant ERC-4337 stack.

Why Schnorr. This is the same primitive Bitcoin adopted for Taproot — efficient, linear under addition (which is what makes aggregation possible), and proven secure in the random-oracle model. Bringing it to enterprise EVM multisig through account abstraction was technically possible for years; SSP is the first to ship it audited and in production.

SSP Identity all the way down. Each "member" of an enterprise vault is itself a 2-of-2 SSP Identity (browser extension + mobile app). So a 3-of-5 enterprise vault is really 3-of-5 SSP Identities, where each SSP Identity is 2-of-2 within itself. The cryptography aggregates cleanly through both layers — the final on-chain signature is still one combined Schnorr point.

Halborn-audited. Three audits covered the wallet/key/relay clients, the smart contracts (ERC-4337 AA + Schnorr verifier), and the SDK that produces the client-side signatures. Zero critical, zero high-severity findings across all three. Reports public at halborn.com/audits/influx-technologies.

SSP EVM Schnorr+AA vs. Safe (Gnosis Safe)

Property	SSP EVM Schnorr + AA	Safe (Gnosis Safe)
Signature scheme	Schnorr aggregated (MuSig2)	ECDSA threshold
On-chain signatures per spend	1, regardless of M-of-N	M (one per signer)
Gas cost vs single-sig	~same	Linear in M
Signer privacy on-chain	✓ — subset not revealed	✗ — every signer's addr visible
Native ERC-4337 (paymaster, bundled UserOps, policy modules)	✓	Limited; via separate modules
Gas sponsorship out of the box	✓ via paymaster	Requires GelatoNetwork / relayer setup
Programmable transaction policy	✓ — AA-native	✓ — Safe Modules
Halborn-audited contracts + SDK	✓	Mixed history of audits
Multi-chain (works on every ERC-4337 chain)	✓	✓ — EVM only
Combined with non-EVM in one platform	✓ — UTXO P2WSH + Solana under same identity	✗ — EVM-only protocol

Status: Live in production today across Ethereum, Polygon, Base, BNB Chain, and Avalanche, and operational on every ERC-4337-enabled chain. Compatible with Alchemy and Etherspot bundler / paymaster infrastructure out of the box. Arbitrum, Optimism, and XDC are on the active integration roadmap.

Why this matters for SSP Enterprise: an enterprise treasury operating a 5-of-7 vault on Safe pays for 5 ECDSA signatures every single spend, and broadcasts to the entire chain which 5 of 7 members signed. The same vault on SSP pays for one signature and reveals no signing subset — and the same SSP Identity can sign on Bitcoin (P2WSH), Solana (custom Anchor program), and every supported chain through the same wallet+mobile flow. One operational model, three chain families, audited cryptography end-to-end.

Solana (Custom Anchor Program — Self-Initiating Multisig)

Solana is fundamentally different from EVM. There are no smart contract accounts you can deploy in advance and there is no Bitcoin-style script — every account is owned by a single program, and program-derived addresses (PDAs) must be initialized on-chain by someone. The dominant Solana multisig today, Squads V4, solves this by requiring a privileged creator account to call multisig_create_v2 with a random create_key. That introduces three operational problems:

The multisig address is unknowable until creation — you cannot pre-fund or pre-derive it.
The creator is a single point of trust at setup time; the random create_key must be securely transferred or destroyed.
Permissionless treasury provisioning (a relay paymaster initializing on behalf of members) is impossible.

SSP's open-source Anchor program takes a different approach — truly self-initiating M-of-N, the same property Bitcoin's P2WSH multisig has on UTXO chains.

Structure: Self-Initiating M-of-N (Anchor program)
┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│   Member A  │ │   Member B  │ │   Member C  │ │     ...     │
│ (Combined)  │ │ (Combined)  │ │ (Combined)  │ │   up to 30  │
└─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘

Vault PDA derivation (off-chain, deterministic, knowable before any tx):
  multisig_pda = find_program_address(
      [ b"multisig", sha256(sorted_members), &[threshold] ],
      program_id
  )
  vault_pda    = derive(multisig_pda, vault_index)

Properties:
  • Same (members, threshold) → same address. Always.
  • Vault is pre-fundable: send SOL/SPL before init exists.
  • Permissionless init: anyone (or a relay paymaster) can call
    initialize_multisig(member_hash, threshold, [members])
    with no member signatures — the program recomputes the hash on-chain
    and rejects mismatched member sets.
  • No creator role. No upgrade authority. No admin keys.

Threshold enforcement on spend:
  create_transaction  → only members can propose
  approve_transaction → members accumulate Ed25519 approvals on-chain
  execute_transaction → CPI executes when approvals.len() ≥ threshold

Why the full 32-byte hash matters. Many Solana PDAs truncate sha256 to 8 bytes to fit common seed-size assumptions, which exposes ~2^64 collision space. SSP uses all 32 bytes — collisions are not a practical attack surface.

Composability is preserved. Vaults are system-owned PDAs, hold SOL and SPL tokens natively, and execute via CPI — so vault transactions can call Jupiter swaps, token programs, or any other Solana program. The program rejects address-table-lookups (ALTs) in proposals to prevent executor-side substitution attacks, and the executed flag is flushed to storage before any CPI to prevent re-entrancy.

SSP Solana Multisig vs. Squads V4

Property	SSP Solana Multisig	Squads V4
Address derivation	`sha256(sorted_members, threshold)` — deterministic	Random `create_key` — non-deterministic
Address knowable before init	✓ — derive client-side, pre-fund safely	✗ — unknowable until creator transacts
Creator role at setup	None — no privileged actor exists	Required — single point of trust
Permissionless initialization	✓ — anyone or any relay can init	✗ — only the creator
Key rotation at setup	Not applicable — no creator key	Required — `create_key` must be destroyed or transferred
Pre-fundable vaults	✓ — vault is a system-owned PDA, fund it any time	✗ — vault doesn't exist until creator creates it
Upgrade authority	None — program is immutable	Squads Labs retains program governance
Threshold enforcement	On-chain, M-of-N Ed25519	On-chain, M-of-N Ed25519
SPL token + Jupiter CPI	✓	✓
Open source	✓ — AGPL v3 at github.com/RunOnFlux/solana-multisig	✓

Status: Devnet-deployed at program ID CisPSFTQoTnEqn5cUi1pgpfPp2xiTVRkK7eD5jBevxdX. End-to-end tested across SOL transfers, SPL tokens, Jupiter swap routing, durable-nonce flows, and 7-of-10 multisig configurations. Mainnet deployment gated on external audit funding.

Why this matters for SSP Enterprise: vaults across UTXO, EVM, and Solana now share the same operational property — the vault address is a deterministic function of its governance rules. A treasury team can spin up a vault on any of the supported chains without depending on a creator at setup, then pre-fund and onboard members on their own schedule.

🔑 Key Derivation & Isolation

Why BIP-48 (and a quick HD-wallet primer)

Hierarchical Deterministic (HD) wallets, standardized in BIP-32, allow a single random seed to generate an unbounded tree of key pairs. BIP-44 specifies a standard 5-level path layout for single-signature wallets across chains: m / purpose' / coin_type' / account' / change / address_index. BIP-48 extends this for multisignature wallets by introducing a script_type' level and by mandating that every level above the address be hardened (the apostrophe in the path).

Hardened derivation matters because of a subtle property of BIP-32: from a public extended key (xpub), you can derive child public keys without seeing the private key — but only at non-hardened indices. At hardened indices the derivation function requires the private key, so an xpub at a hardened branch cannot leak its descendants. This is what lets SSP safely share public coordination data (xpubs at the SSP Identity branch) through the relay without ever exposing a path that the relay could use to grind out related addresses.

SSP standardizes on BIP-48 for everything multisig-related because it gives us a single uniform path structure across UTXO chains (P2WSH / P2SH), EVM chains (Schnorr-aggregated key pairs), and Solana (Anchor multisig members). The same seed deterministically derives every key the user will ever need on every supported chain, with cryptographic separation between unrelated purposes.

BIP-48 path layout used by SSP

m / 48' / coin_type' / account' / script_type' / change / address_index
    └┬─┘   └────┬───┘   └───┬──┘   └─────┬────┘   └──┬──┘   └────┬────┘
     │         │            │            │            │            │
   purpose:  SLIP-44       account     script_type:   change      address
   "multisig"  coin ID     index       0 = legacy,   chain (0)    index
   per BIP-48 (0=BTC,                  1 = P2SH-     or change    (0..n)
              60=ETH,                  P2WSH,        (1)
              ...)                     2 = P2WSH,
                                       Schnorr/MuSig2 / SSP
                                       Identity branch

Hierarchical Separation Architecture

SSP Enterprise uses cryptographically separate derivation paths to completely isolate personal and business funds:

Master Seed (Same device, different account numbers)
│
├── Personal Wallets: m/48'/coin'/account'/script_type'/0/address_index
│   ├── Primary Personal: m/48'/0'/0'/2'/0/0 (Bitcoin, account 0)
│   ├── Additional Personal: m/48'/0'/1'/2'/0/0 (Bitcoin, account 1)
│   └── Reserved: accounts 0-99 for personal use
│
└── Business Wallets: m/48'/coin'/account'/script_type'/0/address_index
    ├── Company A: m/48'/0'/100'/2'/0/0 (Bitcoin, account 100)
    ├── Company B: m/48'/0'/5240'/2'/0/0 (Bitcoin, account 5240)
    ├── Company C: m/48'/0'/75000'/2'/0/0 (Bitcoin, account 75000)
    └── Available: accounts 100-99999 for business use

Key Isolation Benefits

Aspect	Personal Keys	Business Keys	Isolation Benefit
Derivation Path	`account = 0-99`	`account = 100-99999`	Cryptographically separate
Address Space	Individual control	Multi-party control	Cannot cross-contaminate
Transaction History	Private	Business compliance	Clear audit separation
Backup/Recovery	Personal seed phrase	Same seed, different account	Unified backup, separate access
Tax Reporting	Personal transactions	Business transactions	Automatic categorization
Account Selection	Fixed personal accounts	User-chosen unique number (100-99999)	Easy to remember and manage

Derivation Examples

// Bitcoin Personal (existing SSP)
const personalPath = "m/48'/0'/0'/2'/0/0";  // account=0 (primary personal)

// Bitcoin Additional Personal
const personalPath2 = "m/48'/0'/15'/2'/0/0";  // account=15 (additional personal)

// Bitcoin Business Accounts (user-chosen unique numbers)
const companyA = "m/48'/0'/100'/2'/0/0";    // account=100 (Company A)
const companyB = "m/48'/0'/5240'/2'/0/0";   // account=5240 (Company B)
const companyC = "m/48'/0'/75000'/2'/0/0";  // account=75000 (Company C)

// Ethereum Examples
const ethPersonal = "m/48'/60'/0'/0'/0/0";      // Personal Ethereum
const ethBusiness = "m/48'/60'/2500'/0'/0/0";   // Business Ethereum (account 2500)

// Account Range Summary:
// 0-99:     Reserved for personal wallets
// 100-99999: Available for business wallets (user selects unique organisation number)

The `orgIndex` design — why 100–99999

Enterprise vaults use the same BIP-48 path tree as personal SSP Identity, but with the account' component (which we call the orgIndex) reserved in the range 100–99999:

Indices 0–99 are reserved for personal use. Index 0' is the user's primary personal SSP Identity on every chain; higher personal indices allow advanced users to hold multiple unlinked personal identities.
Indices 100–99999 are available for enterprise organisations. The user chooses a unique number when first creating an organisation in SSP Enterprise; that number is the orgIndex for life, recorded immutably on the organisation record in the relay.
This gives 99,900 distinct enterprise organisations per seed (per coin), which is more than any single user can practically operate, while keeping the index space small enough that orgIndex values fit cleanly into UI and audit logs.

The split is enforced both client-side and in ssp-relay-enterprise at organisation-creation time. Because every level above address_index is hardened, an attacker who learns one organisation's xpub cannot derive sibling organisations or the user's personal addresses — they are cryptographically unrelated.

Enterprise path: vault and address indices

Inside an organisation, the lower two BIP-48 levels (change and address_index) take on enterprise-specific meaning:

m / 48' / coin' / orgIndex' / script_type' / vault_index / address_index
                                              └────┬───┘   └─────┬────┘
                                              0..N: which       0..M: which
                                              vault inside      receive
                                              this org          address in
                                                                this vault

vault_index = 0 is reserved (currently unused; held for future expansion).
vault_index = 1, 2, 3, … correspond to vaults created within the organisation, in creation order. Once assigned, a vault's index is immutable for the life of the org. Deleting a vault does not free its index — this guarantees that the same (orgIndex, vault_index) tuple always derives the same multisig key set, which matters for restore and audit trails.
address_index works the same as in BIP-44 single-sig wallets: each new receive address increments the index. Because the SSP enterprise relay tracks address-derivation state per vault, address indices stay synchronized across all signers.

This structure means that the entire enterprise vault tree of any organisation is recoverable from any single member's SSP Identity seed plus the public organisation record (orgIndex, member set, threshold). There is no scenario where the relay disappears and member funds become unrecoverable — every signer can reconstruct every vault address from their seed and the publicly knowable organisation parameters.

Why hardened derivation matters here

Because orgIndex', script_type', and the account/purpose levels above are all hardened in BIP-48:

A leaked xpub for one org cannot be used to compute xpubs of sibling orgs
A leaked xpub cannot be used to compute the parent xpub of personal accounts
Even full compromise of one organisation's coordination data leaks zero information about the user's personal SSP Identity or any other org

This is a property of BIP-32 hardened derivation, not a property SSP invented — but it's the load-bearing reason SSP can publish public coordination data through a centrally hosted relay without any privacy or security degradation across orgs.

Cross-chain consistency

The same orgIndex value derives a deterministic key set on every supported chain (with the appropriate SLIP-44 coin_type). A treasury team that picks orgIndex 5240 for their organisation will have the same 5240' branch on Bitcoin (m/48'/0'/5240'/2'/…), Ethereum (m/48'/60'/5240'/0'/…), Solana (under SSP's Anchor multisig derivation), and every other chain SSP supports. This is what lets a single organisation operate vaults across all supported chains from one set of member seeds, without any cross-chain coordination beyond agreeing on the orgIndex once.

🌐 Multi-Chain Support Matrix

SSP Enterprise supports 12 mainnet chains live in production today across UTXO, EVM, and (imminently) Solana — with active roadmap for more.

UTXO-Based Networks (Native P2WSH Multisig)

Network	Current SSP Support	Enterprise Structure	Key Advantages
Bitcoin	✅ P2SH, P2WSH	M-of-N native multisig	Universal compatibility, mature tooling
Litecoin	✅ Native support	M-of-N native multisig	Fast confirmations, low fees
Dogecoin	✅ Native support	M-of-N native multisig	High liquidity, community adoption
Bitcoin Cash	✅ Native support	M-of-N native multisig	Fast transactions, low fees
Ravencoin	✅ Native support	M-of-N native multisig	Asset tokenization, community-driven
Zcash	✅ Native support	M-of-N native multisig	Privacy features, shielded transactions
Flux	✅ Native integration	M-of-N native multisig	Cloud computing blockchain

EVM-Compatible Networks (Schnorr Aggregated Signatures + ERC-4337 Account Abstraction)

Network	Current SSP Support	Enterprise Structure	Key Advantages
Ethereum	✅ Schnorr + AA (Halborn-audited)	Schnorr aggregated M-of-N	Gas economics of single-sig transactions, signer privacy
Polygon	✅ Schnorr + AA	Schnorr aggregated M-of-N	Ultra-low fees, fast finality
BSC	✅ Schnorr + AA	Schnorr aggregated M-of-N	High throughput, low cost
Base	✅ Schnorr + AA	Schnorr aggregated M-of-N	Coinbase backing, L2 efficiency
Avalanche	✅ Schnorr + AA	Schnorr aggregated M-of-N	Sub-second finality

Our EVM Schnorr multisig is compatible with major ERC-4337 bundler and paymaster infrastructure — including Alchemy and Etherspot — so it works on every ERC-4337-enabled chain (with Arbitrum, Optimism, and XDC on the active roadmap).

Solana (Imminent)

Network	Current SSP Support	Enterprise Structure	Key Advantages
Solana	⏳ Devnet live, mainnet ready upon audit	Custom Anchor program, permissionless self-initiating M-of-N	Deterministic PDA derivation — vault address known before any on-chain action; no creator role; no upgrade authority

Our open-source Solana multisig program (github.com/RunOnFlux/solana-multisig) is end-to-end tested for SOL, SPL tokens, Jupiter swap integration, durable-nonce flows, and 7-of-10 multisig configurations. Mainnet deployment gated on external audit.

Total Supported Networks: 12 mainnet live; Solana imminent; XDC, Arbitrum, Optimism, Tron, Cosmos, TON, Sui, Aptos on roadmap.

Why This Matters for Enterprise

Proven Multi-Chain Architecture: Each network battle-tested in SSP ecosystem with $100M+ in production
Halborn-audited cryptography: All EVM Schnorr+AA contracts and SDKs pass 3 Halborn audits (zero critical/high findings)
Unified User Experience: Same SSP Wallet/Key workflow across all chains
Open-Core: Self-hostable, no lock-in; commercial value layer is paymaster, policy engine, analytics
Future-Proof: New SSP-supported chains automatically available to Enterprise users

🔌 Integrated Services & Ecosystem Connectivity

SSP Wallet ships with a curated set of third-party integrations for moving value in and out of self-custody, plus dApp connectivity that preserves the 2-of-2 signing requirement on every interaction. None of these services hold user keys or bypass the multisig flow — they sit outside the cryptographic boundary.

In-wallet crypto swaps

SSP integrates seven swap routing providers through the ABE (Asset Bridge Engine) backend at abe.zelcore.io. The wallet aggregates quotes, lets the user choose by rate or speed, and constructs the swap transaction:

Changelly
ChangeNOW
SimpleSwap
ChangeHero
XOSwap
Fusion (cross-chain bridging)
Exolix

Signing still requires both SSP Wallet and SSP Key, so even an in-app swap is multi-device authenticated end to end. Reference: ssp-wallet/src/lib/ABEController.ts and exchangeLogos.ts.

Fiat on/off-ramps (Onramper)

SSP Wallet integrates with Onramper as an aggregated fiat on/off-ramp surface. Each supported blockchain carries an onramperNetwork identifier in src/storage/blockchains.ts (e.g. 'bitcoin', 'ethereum', 'flux'), and per-asset onramp / offramp boolean flags drive UI availability. The SSP Relay signs the Onramper session parameters so the user lands in the ramp flow pre-bound to a verified SSP Identity address — no custodial intermediary, no centralized address mapping.

Reference: ssp-wallet/src/types.d.ts (onramperSignatureSSPRelay type and onramp / offramp flags), ssp-wallet/src/storage/blockchains.ts (onramperNetwork per chain).

Reown WalletConnect v2 (dApp integration)

SSP Wallet implements WalletConnect v2 through Reown WalletKit (@reown/walletkit v1.5.3). What this gives you in practice:

Connect SSP to any of the thousands of dApps that speak WalletConnect v2
Full EIP-712 typed-data signing for modern dApp interactions
Native ERC-4337 Account Abstraction flow — sponsored transactions and bundled UserOperations route through the SSP smart account, not a legacy EOA
Every dApp signature still requires both SSP Wallet and SSP Key, so a malicious dApp cannot extract a signature with one-device compromise

Reference: ssp-wallet/package.json (@reown/walletkit, @walletconnect/core, @walletconnect/utils); README's WalletConnect Integration section.

🔐 Verifiable Releases & Reproducible Builds

SSP publishes Chrome and Firefox extension binaries that are byte-reproducible from source. Any reviewer, security researcher, browser-store auditor, or community member can re-run the build process and verify that the published binary corresponds exactly to the public source code — no hidden patches, no supply-chain injection in the release pipeline.

Build pipeline

   Public source repo           Docker container             Build output
┌──────────────────────┐    ┌──────────────────────┐    ┌──────────────────────┐
│ github.com/RunOnFlux │    │ Base image:          │    │ dist/, dist-zip/     │
│ /ssp-wallet          │ →  │  node:24.11.1-alpine │ →  │ (chrome & firefox)   │
│                      │    │  @sha256:2867d550... │    │                      │
│ Pinned yarn.lock     │    │  (pinned by digest)  │    │ SHA256SUMS           │
│                      │    │                      │    │ (cryptographic hash) │
│                      │    │ SOURCE_DATE_EPOCH    │    │                      │
│                      │    │  = 1735689600        │    │ SHA256SUMS.asc       │
│                      │    │  (2025-01-01 UTC)    │    │ (GPG signature on    │
│                      │    │                      │    │  the SHA256SUMS file │
│                      │    │ --frozen-lockfile    │    │  by maintainer key   │
│                      │    │ no network access    │    │  fingerprint         │
│                      │    │ during build         │    │  F3244FFC...A0B13EC1)│
└──────────────────────┘    └──────────────────────┘    └──────────────────────┘

Reproducibility properties

Pinned base image — node:24.11.1-alpine is referenced by full SHA256 digest (@sha256:2867d550...), not by floating tag. The same Docker image is fetched on every build, on every machine, forever.
Frozen lockfile — yarn.lock is committed; --frozen-lockfile is enforced. No dependency drift between builds.
Normalized timestamps — SOURCE_DATE_EPOCH=1735689600 (2025-01-01 00:00:00 UTC). Every file in the output tree is touched to this timestamp before packaging. Without this step, file mtimes would differ between machines and produce different zip hashes.
No network access — the production build runs in an isolated container that cannot reach out to fetch unpinned dependencies.
SHA256SUMS — produced for every release artifact (Chrome zip, Firefox zip, unpacked dist directory, all contained binaries).
GPG-signed — SHA256SUMS is signed by the SSP maintainer key (fingerprint F3244FFC7207DB2CAA355DF506139DA3A0B13EC1), so reviewers can verify both the bytes and the publisher.

How to verify a release

git clone https://github.com/RunOnFlux/ssp-wallet.git
cd ssp-wallet
git checkout v<release_tag>
yarn build:deterministic                # Docker-based reproducible build
sha256sum -c SHA256SUMS                 # confirm your build matches published hashes
gpg --verify SHA256SUMS.asc SHA256SUMS  # confirm the signing key

Reference: ssp-wallet/REPRODUCIBLE_BUILDS.md, ssp-wallet/Dockerfile, scripts/deterministic-build.sh.

♻️ Recovery Protocol

Single-device wallets that "back up your seed phrase to iCloud" effectively reduce 2-of-2 security to whatever the cloud provider's authentication strength is. SSP takes a different approach: a two-layer-encrypted recovery envelope stored locally on the wallet device, decryptable only with the cooperation of SSP Key.

Two-layer encryption

The recovery envelope wraps each user's sensitive wallet parameters (extended keys, encrypted password material) in two independent cryptographic layers:

Inner layer — password-based: PBKDF2 derives an AES-256-GCM key from a user-chosen recovery password (via @metamask/browser-passworder).
Outer layer — recovery-key ECIES: the password-encrypted blob is then sealed with secp256k1 ECIES to a public key derived from SSP Key's seed at a dedicated recovery path m/48'/0'/0'/2'/11/0 — separate from the SSP Identity path m/48'/0'/0'/2'/10/0 used for ordinary signing.

The combined envelope is versioned (version=0x01), byte-stable across platforms, and persisted to plain localStorage on the wallet. Without both the recovery password and an interactive handshake with SSP Key, the envelope is opaque ciphertext.

Why two layers

Either layer alone is meaningful but insufficient:

Password-only could be brute-forced from a dumped localStorage.
ECIES-to-SSP-Key-only would let anyone with the SSP Key seed decrypt without consent.

Requiring both means device theft + cloud backup leak still cannot recover funds without the in-the-flesh recovery password, and a forgotten password cannot be exploited without simultaneous compromise of SSP Key.

Recovery handshake

When a user needs to recover their wallet (browser reinstall, fingerprint drift, machine replacement), the protocol runs unauthenticated at the transport layer but biometric-gated on the Key device:

   Wallet                                                    Key
   ──────                                                    ───
1. Generate ephemeral ECDH keypair
2. POST recoveryRequest to /v1/action
   { ephemeralPub, nonce }
   ──────── via SSP Relay ────────►
                                          3. Receive via socket event
                                          4. Display recovery prompt;
                                             user confirms with biometric
                                          5. Derive identity privkey at
                                             m/48'/0'/0'/2'/10/0
                                          6. ECDH(identity_priv, ephemeralPub)
                                             → shared_secret
                                          7. AES-GCM-encrypt recovery_priv
                                             with shared_secret + nonce
   ◄──────── via SSP Relay ────────
8. Recover shared_secret with own
   ephemeral privkey; AES-GCM decrypt
   recovery_priv; verify nonce and tag
9. Use recovery_priv to unwrap the
   outer ECIES layer of the envelope;
   prompt for recovery password to
   unwrap the inner PBKDF2 layer

The relay sees only opaque ciphertexts and public ECDH points — no key material. Authentication is implicit in the AES-GCM tag: only the legitimate SSP Key holding the identity privkey can produce a tag that verifies against the wallet's ephemeral key. Reference: ssp-wallet/src/lib/recoveryProtocol.ts, recoveryEnvelope.ts, recoveryCrypto.ts.

Device-fingerprint binding

In addition to the recovery envelope, SSP Wallet derives a stable device fingerprint from canvas-rendering quirks, display geometry, CPU cores, touch support, vendor, and platform. SHA256 of the composite fingerprint is used as an additional KDF input that binds AES-encrypted storage to the originating device. Fingerprint drift (e.g. major browser update) triggers the recovery flow above, rather than silent re-derivation. Reference: ssp-wallet/src/lib/fingerprint.ts.

🔍 Competitive Analysis

Complete Market Landscape: Existing Multisig Solutions

Enterprise Custodial Solutions

Fireblocks (Custodial MPC)

Trust Model: Company holds 2 of 3 MPC key shares
┌─────────────────┐  ┌─────────────────┐  ┌─────────────────┐
│   Key Share 1   │  │   Key Share 2   │  │   Key Share 3   │
│ (Fireblocks)    │  │ (Fireblocks)    │  │   (Customer)    │
│ Intel SGX       │  │ Intel SGX       │  │ Customer Device │
│ AWS Cloud       │  │ Google Cloud    │  │                 │
└─────────────────┘  └─────────────────┘  └─────────────────┘

Assets: 120+ blockchains
Pricing: $100,000-1,000,000+ annually
Reality: NOT self-custody - customer only controls 1/3 of keys

BitGo (Custodial + Self-Custody Options)

Trust Model: Company holds 1 of 3 keys as co-signer
Assets: 1,100+ digital assets supported
Pricing: Enterprise-grade, custom pricing
Features: Regulated custody, insurance up to $250M
Target: Institutional investors, 1,500+ institutions use it
Reality: Hybrid model - still requires trust in BitGo

Self-Custody Multisig Solutions

Safe (formerly Gnosis Safe) - EVM Only

Technology: Smart contract multisig on Ethereum + EVM chains
Assets: Ethereum, USDC, USDT + all ERC-20 tokens, 14 EVM chains
Pricing: Free to use (pay gas fees only)
Users: Manages $100B+ in assets, used by Vitalik Buterin
Limitations: EVM chains only - no Bitcoin, no UTXO chains
Setup: Technical knowledge required, web-based interface

Casa - Hybrid Custody (NOT Full Self-Custody)

Technology: Proprietary service with Casa holding 1 key in multisig
Assets: Bitcoin (primary), Ethereum, USDC, USDT (limited)
Pricing: $250/year (3-key), $2,100/year (5-key premium) + KYC required
Setup: Casa holds 1 key, user holds majority (but not full self-custody)
Target: Individuals comfortable with trusted third party
Limitations: Not open source, Casa dependency, limited multi-chain support

Specter Desktop - Bitcoin Only

Technology: Desktop GUI for Bitcoin Core with hardware wallet support
Assets: Bitcoin ONLY (no multi-chain support)
Pricing: Free and open source
Setup: Requires Bitcoin Core + 1-2TB storage + technical expertise
Target: Bitcoin maximalists and technical users
Limitations: Bitcoin-only, extremely cumbersome setup, 350GB+ storage requirements

Hardware-Coordinated Solutions

Nunchuk - Bitcoin Privacy-Focused

Technology: Bitcoin multisig with privacy focus (no KYC)
Assets: Bitcoin only
Pricing: Subscription model
Setup: Hardware wallet integration (Ledger, Trezor, COLDCARD)
Target: Privacy-conscious Bitcoin users
Limitations: Bitcoin-only, subscription fees, limited business features

TotalSig - Multi-Chain MPC

Technology: MPC technology (not true blockchain multisig)
Assets: Bitcoin, Ethereum, Polygon, Avalanche, BSC, 10+ chains
Pricing: Subscription model
Setup: Software-based MPC solution
Target: Multi-chain users seeking convenience
Limitations: Not true multisig, proprietary technology, subscription cost

Factual Competitive Comparison

Feature	Fireblocks	BitGo	Safe	Casa	Specter	Nunchuk	TotalSig	SSP Enterprise
True Self-Custody	❌ Custodial MPC	⚠️ Hybrid	✅ Yes	❌ Casa holds key	✅ Yes	✅ Yes	❌ MPC technology	✅ Complete
Multi-Chain Native	✅ 120+ chains	✅ 1,100+ assets	❌ EVM only	❌ BTC + limited ETH	❌ Bitcoin only	❌ Bitcoin only	✅ 10+ chains	✅ 12 mainnet (Solana imminent)
Business Features	✅ Full enterprise	✅ Institutional	⚠️ Basic DAO tools	❌ Consumer focus	❌ None	❌ None	⚠️ Basic	✅ Purpose-built
Dual-Device Workflow	⚠️ Custom app	⚠️ Enterprise app	❌ Web only	✅ Mobile app	❌ Desktop only	⚠️ Mobile limited	✅ Mobile app	✅ Desktop + Mobile
Setup Complexity	⚠️ 4-8 weeks	⚠️ Enterprise sales	⚠️ Technical	⚠️ Guided setup	❌ Very technical	⚠️ Hardware setup	⚠️ Technical	✅ 1-hour ceremony
Annual Cost	$100K-1M+	$50K-500K+	$0 (gas only)	$250-2,100	$0	Subscription	Subscription	✅ Free*
Blockchain Multisig	❌ MPC only	⚠️ Hybrid	✅ Smart contract	⚠️ Hybrid	✅ Native Bitcoin	✅ Native Bitcoin	❌ MPC only	✅ Native + Smart Contract
Security Audited	⚠️ Enterprise only	⚠️ Enterprise only	✅ Multiple audits	❌ Proprietary	⚠️ Limited	❌ Unknown	❌ Unknown	✅ Halborn audited
Open Source	❌ Proprietary	❌ Proprietary	✅ Core contracts	❌ Proprietary	✅ Fully open	⚠️ Partial	❌ Proprietary	✅ Full stack
Target Market	Large enterprise	Institutions	DeFi/DAOs	Bitcoin users	Bitcoin maximalists	Bitcoin privacy	Multi-chain users	Universal

💰 SSP Enterprise: Most Cost-Effective Solution

Organization Size	Fireblocks	BitGo	Safe	Casa	Specter	Nunchuk	TotalSig	SSP Enterprise
Small (3 parties, $1M AUC)	$300,000+	$150,000+	$3,000¹	$750²	$0³	$600⁴	$1,200⁵	Free⁷
Medium (5 parties, $10M AUC)	$750,000+	$400,000+	$15,000¹	$6,300²	$0³	$3,000⁴	$6,000⁵	$0-36,000⁶
Large (10 parties, $100M AUC)	$2,000,000+	$1,200,000+	$75,000¹	N/A	$0³	$12,000⁴	$24,000⁵	$0-360,000⁶

SSP Enterprise Pricing Model

Core Platform: FREE (Open Source)
├── Multi-party wallet creation and management
├── Transaction coordination and signing
├── Basic audit trails and reporting
├── Cross-chain address generation
└── Community support

Premium Features: Subscription-Based (AUM-Dependent)
├── Advanced Analytics & Insights
├── Enhanced Compliance Reporting  
├── Premium Support & SLA
├── Advanced Policy Engine
├── Integration APIs & Webhooks
└── White-label Customization

Built-in Revenue Features: Transaction-Based
├── Fiat on-boarding (credit card to crypto)
├── Fiat off-boarding (crypto to bank account)
├── Cryptocurrency swapping engine
└── Competitive rates with enterprise volume discounts

Pricing Tiers:
├── Starter: $0/month (Core features only)
├── Professional: 0.3% annually on AUM ($25 minimum)
├── Enterprise: 0.36% annually on AUM + premium features
└── Self-Hosted: Free core + premium feature licenses

Pricing Sources & Methodology:

Safe: Gas fees only (user pays network transaction costs)
Casa: $250/year (Gold) to $2,100/year (Platinum) - Official Casa Pricing
Specter: Free open-source software (technical setup costs only)
Nunchuk: Subscription model (pricing not publicly disclosed)
TotalSig: Subscription model (pricing not publicly disclosed)
SSP Enterprise: 0-0.36% annually on AUM for premium features
SSP Enterprise: Free core platform, premium features scale with usage

Enterprise Custody Verification:

Fireblocks: $8,388/year minimum (Essentials), enterprise typically $100K+ - Fireblocks Pricing
BitGo: 0.20-0.25% annually on AUM ($25K/year for $10M portfolio) - BitGo Billing
Coinbase Prime: Custom pricing only, no public rates (requires sales consultation)

Transparency Note: Many enterprise providers use "contact sales" pricing, making exact comparisons difficult. Estimates based on publicly available documentation where possible.

🎯 SSP Enterprise's Unique Market Position

The Only Solution That Combines All Enterprise Requirements:

✅ Complete Self-Custody + Multi-Chain

Market Reality:
├── Fireblocks/BitGo: Multi-chain but custodial (not self-custody)
├── Safe: Self-custody but EVM-only (no Bitcoin)
├── Casa: NOT self-custody (Casa holds keys) + limited chains
├── Specter: Self-custody but Bitcoin-only + extremely technical
├── Nunchuk: Self-custody but Bitcoin-only + subscription fees
├── TotalSig: NOT true multisig (MPC) + subscription costs
└── SSP Enterprise: TRUE self-custody + 12 mainnet chains (Solana imminent) + no AUM fees

✅ Blockchain-Level Enforced Multisig + Business Features

Technology Reality:
├── Fireblocks/BitGo/TotalSig: MPC (not true blockchain multisig)
├── Safe: True smart contract multisig but EVM-only
├── Casa: Hybrid approach with trusted third party
├── Specter/Nunchuk: True Bitcoin multisig but no business features
└── SSP Enterprise: True multisig (Bitcoin native + EVM smart contracts) + business coordination

✅ Open Source + Security Audited + Free

Transparency & Cost Reality:
├── Fireblocks/BitGo/Casa/TotalSig: Proprietary + expensive
├── Safe: Open source + audited but limited chains
├── Specter: Open source + free but Bitcoin-only + complex setup
├── Nunchuk: Partially open + subscription costs
└── SSP Enterprise: Fully open source + Halborn audited + Free* core platform

✅ Mobile-Native + Enterprise-Ready

User Experience Reality:
├── Fireblocks/BitGo: Enterprise complexity, weeks to setup
├── Safe: Web-only interface, technical setup
├── Specter: Desktop-only, requires Bitcoin Core + 1-2TB storage
├── Casa: Mobile but NOT self-custody + limited business features
├── Nunchuk: Mobile but Bitcoin-only + no business features
└── SSP Enterprise: Desktop + Mobile coordination + business features + 1-hour setup

🛡️ Security Architecture

Multi-Layer Security Model

┌─────────────────────────────────────────────────────────────┐
│                    Enterprise Security Stack                │
├─────────────────────────────────────────────────────────────┤
│ Layer 5: Regulatory & Compliance                            │
│ • Immutable blockchain audit trails                         │
│ • Multi-jurisdictional compliance support                   │
│ • Real-time transaction monitoring                          │
│ • Customizable reporting and documentation                  │
├─────────────────────────────────────────────────────────────┤
│ Layer 4: Business Policy Engine                             │
│ • Configurable spending limits and approval workflows       │
│ • Role-based access control (Admin, Signer, Observer)       │
│ • Time-based restrictions and emergency procedures          │
│ • Integration with enterprise identity systems              │
│ • Note: UI-enforced policies (true self-custody allows      │
│   bypassing via custom UI implementations)                  │
├─────────────────────────────────────────────────────────────┤
│ Layer 3: Blockchain Security                                │
│ • Native multisig verification (Bitcoin 4-of-6)             │
│ • Smart contract enforcement (EVM 2-of-3)                   │
│ • Immutable transaction finality                            │
│ • Network consensus validation                              │
├─────────────────────────────────────────────────────────────┤
│ Layer 2: SSP Wallet 2FA (Proven in Production)              │
│ • Dual-device requirement per party                         │
│ • BIP48 hierarchical deterministic key derivation           │
│ • Device-specific encryption and authentication             │
│ • Separation of signing and coordination                    │
├─────────────────────────────────────────────────────────────┤
│ Layer 1: Device-Level Protection                            │
│ • Operating system security and updates                     │
│ • Hardware security module utilization                      │
│ • Biometric and PIN-based authentication                    │
│ • Secure enclave and keychain integration                   │
└─────────────────────────────────────────────────────────────┘

Attack Vector Analysis

Attack Type	Traditional Multisig	Fireblocks MPC	SSP Enterprise	Mitigation Strategy
Device Compromise	⚠️ Single point failure	✅ MPC protection	✅ Multi-party + 2FA	Requires 2+ parties AND 2FA
Insider Threat	❌ Full access if admin	⚠️ Fireblocks trust	✅ Threshold enforcement	Cannot act alone
Social Engineering	⚠️ Target key holders	⚠️ Target Fireblocks	✅ Multi-party verification	No single point of control
Malware/Phishing	❌ Can steal keys	⚠️ Can affect shares	✅ 2FA protection	Mobile confirmation required
Physical Coercion	❌ Force signing	⚠️ Force Fireblocks	✅ Distributed parties	Geographic distribution
Vendor Failure	✅ No vendor	❌ Fireblocks bankruptcy	✅ No vendor dependency	Self-sovereign architecture
Regulatory Seizure	✅ Individual action	❌ Fireblocks compliance	✅ Individual responsibility	Cannot be collectively seized
Key Loss/Recovery	⚠️ Complex recovery	⚠️ Vendor dependent	✅ Standard BIP48	Industry-standard recovery

Enhanced Security Roadmap: Hardware Key Integration

While SSP Enterprise's core functionality relies on the proven software-based SSP ecosystem, future hardware integration will provide additional security layers for enterprise deployments.

Phase 1: Current Software Security (2025)

Current SSP Security Model (Software-Based):
┌─────────────────────────────────────────────────────────┐
│                 Proven Security Features               │
├─────────────────────────────────────────────────────────┤
│                                                         │
│  Device-Level Protection:                               │
│  ├── Mobile biometric authentication (SSP Key)          │
│  ├── Browser extension secure storage                   │
│  ├── Device-specific encryption keys                    │
│  └── PIN/password protection layers                     │
│                                                         │
│  Cryptographic Security:                                │
│  ├── BIP48 hierarchical deterministic keys              │
│  ├── AES-GCM encryption with PBKDF2                     │
│  ├── Device fingerprinting for secondary encryption     │
│  └── Zero server-side key storage                       │
│                                                         │
│  Audit & Compliance:                                    │
│  ├── Halborn security audit passed (March 2025)        │
│  ├── Enterprise coordination data model                 │
│  ├── Open source transparency                           │
│  └── Mathematical proof of security model               │
└─────────────────────────────────────────────────────────┘

Hardware Security Integration Levels

Level 1: FIDO2 Authentication Enhancement (Planned 2026)

Current SSP + Hardware Token:
├── Hardware key authenticates wallet access
├── Seed phrase remains in secure device storage
├── Signing operations in SSP Wallet/Key apps
├── Additional physical security layer
└── Enterprise compliance improvement

Level 2: Encrypted Seed Storage (Recommended - Target 2027)

Hardware-Encrypted Storage (Sweet Spot):
├── Seed phrase encrypted and stored on hardware key
├── PIN/biometric required for seed decryption
├── Seed temporarily transmitted to SSP Wallet/Key for signing
├── Memory cleared immediately after transaction
├── Hardware tamper resistance protects encrypted seed
└── Signing still occurs in familiar SSP apps

Level 3: Hardware-Only Operations (Future - 2028+)

Pure Hardware Signing (Maximum Security):
├── Seed never leaves hardware security key
├── Signing operations performed entirely in hardware
├── Only public keys and signatures transmitted
├── Requires custom hardware development
├── True airgapped security model
└── May be unnecessary for most enterprise use cases

Supported Hardware Security Keys

Hardware Key	Storage Capacity	Enterprise Features	Cost per Key
YubiKey 5 NFC	25 encrypted credentials	FIDO2, OpenPGP, PIV	$55
YubiKey 5C Nano	25 encrypted credentials	USB-C, compact form	$60
YubiKey Bio	25 + biometric	Fingerprint unlock	$85
Nitrokey 3	50+ credentials	Open source firmware	$49
SoloKey	Variable	Open hardware/software	$20-40

Enterprise Deployment Scenarios

Scenario 1: Executive Team Security

High-Value Asset Protection:
├── Each executive: Personal YubiKey Bio
├── Seed phrases never in device memory
├── Biometric + PIN dual protection
├── Hardware audit logs for compliance
└── Secure backup keys in company vault

Scenario 2: Distributed Team Operations

Multi-Location Security:
├── Standardized YubiKey deployment
├── Central hardware key management
├── Role-based access with different keys
├── Geographic distribution of backup keys
└── Remote attestation capabilities

Scenario 3: Regulatory Compliance

Maximum Security Requirements:
├── Hardware-only signing operations
├── Air-gapped seed storage
├── Physical key ceremonies for setup
├── Multi-party hardware key custody
└── Immutable hardware audit trails

Hardware Integration Technical Flow

Seed Storage Process:
┌─────────────┐    ┌─────────────┐    ┌─────────────┐
│ Seed        │    │ Hardware    │    │ Encrypted   │
│ Generation  │───▶│ Encryption  │───▶│ Storage     │
│ (BIP39)     │    │ (YubiKey)   │    │ (Hardware)  │
└─────────────┘    └─────────────┘    └─────────────┘

Transaction Signing Process:
┌─────────────┐    ┌─────────────┐    ┌─────────────┐    ┌─────────────┐
│ Transaction │    │ Hardware    │    │ In-Hardware │    │ Signature   │
│ Request     │───▶│ PIN/Bio     │───▶│ Signing     │───▶│ Return      │
│             │    │ Auth        │    │ Operation   │    │             │
└─────────────┘    └─────────────┘    └─────────────┘    └─────────────┘

Enterprise Security Advantages

vs. Software-Only Storage:

✅ Seed never in browser/mobile memory - hardware isolation
✅ Tamper-resistant storage - physical security
✅ PIN/biometric protection - additional authentication layer
✅ Audit trails - hardware-verified access logs
✅ Compliance friendly - meets enterprise security standards

vs. Traditional Hardware Wallets:

✅ Business workflow integration - works with SSP Enterprise platform
✅ Multi-party coordination - hardware security + business processes
✅ Mobile-friendly - NFC support for mobile signing
✅ Centralized management - enterprise key provisioning
✅ Cost effective - $50-85 per key vs $100-300 hardware wallets

Implementation Roadmap

Phase 1: FIDO2 Authentication (Q3 2026)

Hardware key authentication for wallet access
Enterprise key provisioning and management
Basic audit logging and compliance

Phase 2: Encrypted Seed Storage (Q1 2027)

Seed phrase encryption and hardware storage
PIN/biometric protection integration
Advanced enterprise management features

Phase 3: Hardware Signing Operations (Q3 2027)

Pure hardware-based signing operations
Air-gapped security model
Maximum enterprise security compliance

🔄 Platform Workflow

1. Enterprise Wallet Setup Ceremony

┌─────────────────────────────────────────────────────────┐
│                SSP Enterprise Web Portal                │
│                                                         │
│  Step 1: Administrator Initiates Setup                  │
│  ├── Define business requirements                       │
│  ├── Set threshold (2-of-3, 3-of-5, etc.)               │
│  ├── Configure spending policies                        │
│  └── Generate secure invitation links                   │
│                                                         │
│  Step 2: Party Onboarding                               │
│  ├── Each party connects existing SSP Wallet            │
│  ├── Platform verifies SSP Key pairing                  │
│  ├── Role assignment (Admin, Signer, Observer)          │
│  └── Policy acknowledgment and acceptance               │
│                                                         │
│  Step 3: Cryptographic Setup                            │
│  ├── Coordinate public key exchange                     │
│  ├── Generate multi-chain enterprise addresses          │
│  ├── Verify address derivation across parties           │
│  └── Create initial funding transactions                │
│                                                         │
│  Step 4: Operational Validation                         │
│  ├── Test transaction workflow                          │
│  ├── Verify all parties can sign                        │
│  ├── Confirm policy enforcement                         │
│  └── Document setup for compliance                      │
└─────────────────────────────────────────────────────────┘

2. Transaction Workflow

Transaction Lifecycle: Proposal → Approval → Execution

┌─────────────┐  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐
│ Initiator   │  │ Policy      │  │ Required    │  │ Signature   │  │ Blockchain  │
│ Proposes    │─►│ Engine      │─►│ Parties     │─►│ Collection  │─►│ Execution   │
│ Transaction │  │ Evaluation  │  │ Approval    │  │ & Broadcast │  │             │
└─────────────┘  └─────────────┘  └─────────────┘  └─────────────┘  └─────────────┘
       │                │                │                │                │
       │                │                ▼                │                │
       │                │    ┌─────────────────────┐      │                │
       │                │    │  SSP Wallet UI      │      │                │
       │                │    │  • Review details   │      │                │
       │                │    │  • Verify recipient │      │                │
       │                │    │  • Check policy     │      │                │
       │                │    │  • Initial approval │      │                │
       │                │    └─────────────────────┘      │                │
       │                │                │                │                │
       │                │                ▼                │                │
       │                │    ┌─────────────────────┐      │                │
       │                │    │   SSP Key Mobile    │      │                │
       │                │    │  • Biometric auth   │      │                │
       │                │    │  • Transaction hash │      │                │
       │                │    │  • Final confirmation │    │                │
       │                │    └─────────────────────┘      │                │
       │                │                │                │                │
       └────────────────┼────────────────┼────────────────┼────────────────┘
                        │                │                │
              ┌─────────────────────────────────────────────────┐
              │            Platform Coordination                │
              │  • Collect signatures from required parties     │
              │  • Verify threshold requirements are met        │
              │  • Validate against business policies           │
              │  • Construct final transaction                  │
              │  • Submit to blockchain network                 │
              │  • Update audit trail and notify all parties    │
              └─────────────────────────────────────────────────┘

3. Business Policy Engine

┌─────────────────────────────────────────────────────────┐
│                  Policy Configuration                   │
├─────────────────────────────────────────────────────────┤
│                                                         │
│  Spending Limits:                                       │
│  ├── Daily/Monthly transaction limits                   │
│  ├── Per-party individual limits                        │
│  ├── Recipient whitelist/blacklist                      │
│  └── Asset-specific restrictions                        │
│                                                         │
│  Approval Workflows:                                    │
│  ├── Threshold requirements by amount                   │
│  ├── Required approvers for specific operations         │
│  ├── Time-based restrictions (business hours)           │
│  └── Multi-level approval for large transactions        │
│                                                         │
│  Risk Management:                                       │
│  ├── Transaction velocity monitoring                    │
│  ├── Anomaly detection and alerts                       │
│  ├── Compliance screening integration                   │
│  └── Emergency freeze procedures                        │
│                                                         │
│  Audit & Compliance:                                    │
│  ├── Immutable transaction logging                      │
│  ├── Role-based access tracking                         │
│  ├── Automated compliance reporting                     │
│  └── Integration with enterprise systems                │
└─────────────────────────────────────────────────────────┘

4. Premium Revenue Model & Value-Added Services

Core Platform: Always Free

Open Source Foundation (No Cost):
├── Multi-party wallet setup and management
├── Transaction coordination and signing  
├── Cross-chain address generation
├── Basic transaction history and audit trails
├── Community support and documentation
├── Self-hosting capability with full source code
└── Standard compliance reporting

Premium Analytics & Business Intelligence

┌─────────────────────────────────────────────────────────┐
│            Premium Analytics Dashboard                  │
├─────────────────────────────────────────────────────────┤
│                                                         │
│  Asset Intelligence:                                    │
│  ├── Portfolio composition and diversification          │
│  ├── Asset performance tracking and ROI analysis        │
│  ├── Cross-chain yield optimization recommendations     │
│  └── DeFi opportunity detection and risk scoring        │
│                                                         │
│  Transaction Analytics:                                 │
│  ├── Spending pattern analysis and behavioral insights  │
│  ├── Counterparty risk assessment and scoring           │
│  ├── Cost basis tracking and tax optimization           │
│  └── Predictive cash flow modeling                      │
│                                                         │
│  Compliance Intelligence:                               │
│  ├── Automated regulatory reporting generation          │
│  ├── AML/KYC risk screening and monitoring              │
│  ├── Multi-jurisdictional compliance tracking           │
│  └── Custom audit reports and documentation             │
│                                                         │
│  Business Intelligence:                                 │
│  ├── Multi-party activity correlation analysis          │
│  ├── Enterprise-grade SLA and support                   │
│  ├── Custom API integrations and webhooks               │
│  └── White-label deployment and customization           │
└─────────────────────────────────────────────────────────┘

Sustainable Revenue Streams

Revenue Model Strategy:
├── Core Platform: Free (drives adoption)
├── Analytics Premium: 0.3% annually on AUM
├── Enterprise Features: 0.36% annually on AUM  
├── Professional Services: Custom pricing
├── White-label Licensing: One-time + revenue share
└── Self-Hosted Premium: Feature licensing model

Value Proposition:
├── 10-50x cheaper than custodial alternatives
├── Transparent pricing based on asset value
├── No transaction limits or hidden fees
├── Pay only for premium features you use
└── Full self-hosting option available

💼 Use Cases & Applications

Corporate Treasury Management

Challenge: Multi-signature approval for company funds without giving up custody

Setup: CEO + CFO + Board Member (2-of-3)
Benefits:
✅ No single person can access funds
✅ Board oversight on major expenditures  
✅ Fast mobile approval for routine payments
✅ Complete audit trail for compliance
✅ Cross-chain treasury management

Example: $50M company treasury
- Daily operations: CEO + CFO approval
- Major investments: CEO + Board Member  
- Emergency procedures: Any 2 parties

Partnership & Joint Ventures

Challenge: Shared control of partnership funds with clear accountability

Setup: Partner A + Partner B + Neutral Party (2-of-3)
Benefits:
✅ Equal control prevents disputes
✅ Neutral arbitrator for conflicts
✅ Transparent fund management
✅ Easy dissolution procedures

Example: Real estate investment partnership
- Property purchases: Both partners agree
- Management expenses: Either partner + neutral
- Profit distribution: Automated smart contracts

Professional Services & Law Firms

Challenge: Client escrow accounts with regulatory compliance

Setup: Lawyer + Client + Trust Account Manager (2-of-3)
Benefits:
✅ Client funds protection
✅ Regulatory compliance built-in
✅ Transparent fee structures
✅ Automated trust accounting

Example: Legal escrow for M&A transaction
- Funds release: Lawyer + Client approval
- Fee payment: Any 2 parties
- Compliance reporting: Automatic

Investment Funds & DAOs

Challenge: Decentralized decision making with security

Setup: Multiple fund managers with configurable thresholds
Benefits:
✅ Democratic fund management  
✅ Transparent investment decisions
✅ Automated governance integration
✅ Institutional-grade security

Example: Crypto investment fund
- Investment decisions: Majority approval
- Routine operations: Simplified threshold
- Emergency procedures: Admin override

Family Office & Wealth Management

Challenge: Multi-generational wealth management with succession planning

Setup: Parents + Adult Children + Family Office Manager
Benefits:
✅ Gradual wealth transition
✅ Education through participation
✅ Professional oversight
✅ Estate planning integration

Example: $100M family office
- Conservative investments: Any family member + manager
- Major decisions: Multiple family members
- Next generation: Observer roles transitioning to signers

⚠️ Limitations & Trade-offs

Honest Assessment: What SSP Enterprise Cannot Do

1. Fixed Threshold Limitation

❌ Cannot Change After Creation:
├── Bitcoin: 4-of-6 multisig address is permanent
├── Ethereum: Smart contract threshold is immutable  
├── Cannot add/remove signers dynamically
└── Requires new wallet setup for changes

Impact: Less flexible than MPC solutions for growing organizations
Mitigation: Plan threshold carefully during setup

2. Manual Approval Requirement

❌ No Automated Payments:
├── Every transaction requires human approval
├── No policy-based automatic execution
├── Cannot schedule recurring payments
└── No algorithmic trading support

Impact: Not suitable for high-frequency operations
Mitigation: Focus on treasury and approval workflows

3. Blockchain-Specific Limitations

❌ Technical Constraints:
├── Bitcoin: Must use 4-of-6 (not 2-of-3) due to ECDSA
├── Higher transaction fees for complex multisig
├── Larger transaction sizes on UTXO chains
└── Smart contract risks on EVM chains

Impact: Higher costs and complexity than simple wallets
Mitigation: Costs still lower than custodial solutions

4. Coordination Complexity

❌ Multi-Party Coordination:
├── All parties must be available for signing
├── Mobile connectivity required for approval
├── Time zone coordination for global teams
└── Potential delays during approval process

Impact: Slower than custodial solutions for urgent transactions
Mitigation: Plan approval workflows and emergency procedures

Who Should NOT Use SSP Enterprise

❌ Large Enterprises Needing Automation

Better Alternative: Fireblocks
├── High-frequency trading operations
├── Algorithmic treasury management  
├── Complex automated payment workflows
├── Dynamic organizational structures
└── Reason: Need automation > self-custody

❌ EVM-Only Organizations

Better Alternative: Safe (Gnosis Safe)
├── DeFi-focused operations
├── Ethereum/EVM-only asset portfolios
├── DAO governance requirements
├── Web3-native organizations
└── Reason: Safe is free and purpose-built for EVM

❌ Bitcoin-Only Holdings

Better Alternative: Casa or Specter Desktop
├── Bitcoin maximalist organizations
├── Simple Bitcoin treasury needs
├── No multi-chain requirements
├── Preference for Bitcoin-specific tools
└── Reason: Specialized Bitcoin solutions are simpler

Who SHOULD Use SSP Enterprise

✅ Multi-Chain Self-Custody Organizations

Perfect Fit: No good alternative exists
├── Bitcoin + Ethereum + other chains
├── True self-custody requirements
├── Business approval workflows needed
├── Mobile-friendly operations preferred
└── Reason: Only solution combining all requirements

✅ Self-Custody Advocates

Prioritizing True Ownership: Complete asset control
├── Organizations requiring genuine asset ownership
├── Regulatory environments favoring transparency
├── Privacy-conscious businesses
├── Institutions mandating direct asset control
└── Reason: Proven self-custody with business features

✅ Cost-Conscious Multi-Party Operations

Budget Alternative To: Fireblocks/BitGo
├── Startups with crypto treasuries
├── SMBs needing multi-party approval
├── Non-profits managing donations
├── Partnerships requiring shared control
└── Reason: 90% cost savings vs enterprise custodial

🗺️ Implementation Roadmap

Status update — May 2026: Phase 1 is shipped and live in production. SSP Enterprise platform, multi-party address generation, transaction proposal and approval workflows, business policy engine, and audit trails are all operational across 12 mainnet chains. The platform is securing $100M+ in enterprise vaults today. Phase 2 (advanced policy features, multi-chain expansion) is largely complete. Phase 3 features (Bitcoin Taproot MuSig2, SSO, advanced security) and Phase 4 (Solana, Cosmos, additional chains) are in active development. The phase descriptions below remain for technical depth; see the current status updates at the start of each phase.

Phase 1: Enterprise Platform Foundation ✅ SHIPPED (Live in production May 2026)

Building on Proven SSP Infrastructure

🎯 Core Deliverables:
├── SSP Enterprise web portal for business coordination
├── Multi-party address generation (leveraging existing SSP chains)
├── Transaction proposal and approval workflows  
├── Integration with existing SSP Wallet/Key ecosystem
├── Business policy engine and spending controls
└── Compliance audit trails and reporting

🔧 Technical Implementation:
├── Extend SSP Relay server for multi-party coordination
├── Deploy enterprise smart contracts on supported EVM chains
├── Implement BIP48 business account derivation paths (accounts 100-99999)
├── Create enterprise-specific UI components
├── Policy engine for business rules and approvals
└── Integration testing across all SSP-supported chains

🏗️ Leveraging Existing SSP Infrastructure:
├── Reuse SSP Wallet browser extension (no changes needed)
├── Reuse SSP Key mobile app (minimal UI updates)
├── Extend SSP Relay for multi-party message coordination  
├── Leverage existing multi-chain network support (12 mainnet, 17 incl. testnets in SSP Wallet)
├── Build on proven BIP48 key derivation architecture  
├── Maintain zero-server-key-storage security model
└── Deliver enterprise security through open source transparency

📊 Success Metrics:
├── 10+ pilot organizations successfully onboarded
├── $1M+ in multi-party enterprise treasury managed
├── Zero security incidents during deployment
├── <1 hour average multi-party setup ceremony time
└── Seamless integration with existing SSP user base

Phase 2: Enhanced Features ✅ Largely Shipped (Advanced policy engine, multi-chain, mobile-optimized portal live; REST APIs in active development)

🎯 Deliverables:
├── Advanced business policy engine with rules
├── Spending limits and approval workflow automation
├── Compliance reporting and audit export tools
├── Mobile-optimized platform interface
├── Integration APIs for business systems
└── Multi-chain expansion (Polygon, BSC, Base)

🔧 Technical Milestones:
├── Policy engine with configurable business rules
├── RESTful APIs for enterprise system integration
├── Mobile-responsive web application
├── Cross-chain transaction coordination
├── Advanced notification and alerting system
└── Performance optimization for mobile devices

📊 Success Metrics:
├── 100+ organizations using the platform
├── $10M+ in managed enterprise treasuries
├── Advanced policy features in production
└── <5 minute transaction approval times

Phase 3: Advanced Security & Scale (Active development — 2026-2027)

🎯 Deliverables:
├── Bitcoin Taproot 2-of-3 implementation (MuSig2)
├── YubiKey hardware security integration
├── Zero-knowledge proof enhancements
├── Enterprise SSO and identity integration
├── Advanced fraud detection and monitoring
└── SOC 2 Type II compliance certification

🔧 Technical Milestones:
├── MuSig2 implementation for Bitcoin Taproot
├── FIDO2/WebAuthn integration with YubiKey
├── SAML/OIDC integration for enterprise identity
├── Machine learning fraud detection models
├── Security audit and certification processes
└── White-label deployment capabilities

📊 Success Metrics:
├── 500+ organizations on platform
├── $100M+ in managed treasuries
├── SOC 2 Type II certification achieved
└── Zero successful attacks or breaches

Phase 4: Enterprise Ecosystem (2027-2028)

Solana update: Our open-source Solana multisig program is already deployed on devnet with end-to-end test coverage (SOL, SPL, Jupiter, durable-nonce flows, 7-of-10 configurations). Mainnet deployment gated on external audit. Custom Anchor program at github.com/RunOnFlux/solana-multisig. XDC Network integration is in active scoping with the XinFin ecosystem team.

🎯 Deliverables:
├── Solana mainnet deployment (open-source Anchor program, audit-gated)
├── Multi-chain expansion (XDC, Arbitrum, Optimism, Cosmos, Tron, TON, Sui, Aptos)
├── Swapping, staking, buy/sell flows inside enterprise vaults
├── DeFi protocol integrations and yield strategies
├── Institutional custody partnerships
├── White-label solutions for financial institutions
├── Advanced analytics and business intelligence
└── Global regulatory compliance automation

🔧 Technical Milestones:
├── Universal multi-chain architecture
├── DeFi protocol abstraction layer
├── Institutional-grade analytics dashboard
├── White-label deployment framework
├── Global compliance automation engine
└── Enterprise marketplace integrations

📊 Success Metrics:
├── 1,000+ organizations ecosystem-wide
├── $1B+ in managed digital assets
├── Multiple regulatory certifications
└── Profitable recurring revenue model

🎯 Market Positioning

SSP Enterprise: Filling the Market Gap

Market Reality Map:

                    Multi-Chain Support
                              ↑
                              │
    Fireblocks/BitGo          │          No Solution Exists
    (Custodial)               │          (Market Gap)
    • Multi-chain             │          
    • Enterprise features     │          
    • NOT self-custody        │          
                              │
─────────────────────────────────────────────────────→
Custodial                     │                Self-Custody
                              │
    Not Applicable            │          Safe, Casa, Specter
    (No self-custody)         │          (Self-custody)
                              │          • Single chain focus
                              │          • Limited business features
                    Single Chain Focus

Market Gap Identified: No solution exists for multi-chain business self-custody

Honest Competitive Positioning

Note on classifications: Anchorage Digital, Coinbase Custody, and BitGo are qualified custodians (regulated trust company / OCC bank charters). Fireblocks, Copper, and DFNS are MPC platforms — software-based, cannot legally serve as U.S. qualified custodians under FIPS 140-2/140-3 standards. Safe and Squads are DIY multisig protocols (true self-custody but single-chain and operationally bare). SSP Enterprise is the only platform combining true self-custody, multi-chain support (UTXO + EVM + Solana), open-source primitives, and a production-grade enterprise coordination layer.

vs. Fireblocks (MPC) and BitGo/Anchorage (Qualified Custodians)

When to choose SSP Enterprise over Fireblocks:
✅ Self-custody is non-negotiable
✅ Transparency and auditability required  
✅ Cost reduction is priority (90% savings)
✅ No vendor lock-in desired

When to choose Fireblocks over SSP Enterprise:
✅ Automation and policy engines needed
✅ Dynamic threshold changes required
✅ High-frequency operations
✅ Willing to trade custody for convenience

vs. Safe (EVM-Only Self-Custody)

When to choose SSP Enterprise over Safe:
✅ Need Bitcoin or other non-EVM chains
✅ Traditional business features required
✅ Mobile-native workflow preferred
✅ Unified multi-chain management

When to choose Safe over SSP Enterprise:
✅ EVM-only asset portfolio
✅ DeFi-focused operations
✅ DAO governance needs
✅ Free solution acceptable (gas fees only)

vs. Casa/Specter (Bitcoin-Focused)

When to choose SSP Enterprise over Casa/Specter:
✅ Multi-chain asset portfolio
✅ Business coordination features needed
✅ Mobile workflow preferred
✅ Enterprise-grade audit trails

When to choose Casa/Specter over SSP Enterprise:
✅ Bitcoin-only holdings
✅ Simpler setup preferred
✅ Lower annual costs acceptable
✅ Bitcoin-maximalist philosophy

Target Market Analysis

Primary Market: Multi-Chain Business Self-Custody

Market Size: Currently underserved/non-existent
Characteristics:
├── $100K - $100M digital asset portfolios
├── Bitcoin + Ethereum + other chains
├── 2-10 stakeholders requiring approval
├── Self-custody mandate (regulatory or philosophical)
├── Business approval workflows needed
└── Mobile-preferred operational style

Examples:
├── Crypto startups with diverse portfolios
├── Investment DAOs with multi-chain strategies  
├── Family offices with cross-chain holdings
├── Partnerships managing diverse crypto assets
└── SMBs accepting multiple cryptocurrencies

Secondary Market: Cost-Conscious Enterprise

Market Size: Large, price-sensitive segment
Characteristics:
├── Currently using expensive custodial solutions
├── Seeking cost reduction without losing features
├── Willing to trade some automation for savings
├── Self-custody becoming regulatory requirement
└── Multi-signature governance already established

Examples:
├── Mid-market companies reducing crypto costs
├── Non-profits managing donor cryptocurrencies
├── Professional services with shared crypto accounts
├── International businesses prioritizing direct asset control
└── Regulated entities requiring transparency

💻 Technical Requirements

For Organizations

Minimum Setup Requirements

Participants: 2-10 parties per enterprise wallet
Each party needs:
├── Existing SSP Wallet (Chrome/Firefox extension)
├── Existing SSP Key (iOS/Android mobile app)
├── Modern web browser (Chrome/Firefox/Safari/Edge)
├── Reliable internet connectivity for coordination
└── Basic cryptocurrency knowledge

Setup Time: ~1 hour for initial ceremony
Ongoing: ~5 minutes per transaction approval

Recommended Enterprise Setup

Roles & Responsibilities:
├── Administrator: Wallet setup and policy management
├── Signers: Transaction approval authority  
├── Observers: Read-only access to transactions
└── IT Support: Technical assistance and troubleshooting

Documentation:
├── Business continuity procedures
├── Key backup and recovery processes
├── Emergency access protocols
└── Compliance and audit procedures

For Development Team

Infrastructure Stack

┌─────────────────────────────────────────────────────────┐
│                SSP Enterprise Architecture              │
├─────────────────────────────────────────────────────────┤
│ Frontend: React/TypeScript SPA                          │
│ Backend: Node.js/Express API server                     │
│ Database: MongoDB for coordination and audit            │
│ Blockchain: Smart contracts on target networks          │
│ Security: End-to-end encryption, zero-knowledge proofs  │
│ Integration: WalletConnect, enterprise SSO              │
└─────────────────────────────────────────────────────────┘

Required Code Changes

SSP Wallet Extensions:

// Business account derivation (organisation unique numbers)
const BUSINESS_ACCOUNT_MIN = 100;
const BUSINESS_ACCOUNT_MAX = 99999;

function validateBusinessAccount(account: number): boolean {
  return account >= BUSINESS_ACCOUNT_MIN && account <= BUSINESS_ACCOUNT_MAX;
}

// Business wallet derivation path
const businessPath = `m/48'/${coin}'/${businessAccount}'/${scriptType}'/0/${addressIndex}`;

// Enterprise transaction handling
interface EnterpriseTransaction {
  type: 'enterprise';
  businessAccount: number;  // 100-99999 (organisation unique ID)
  walletId: string;
  threshold: number;
  parties: PartyInfo[];
  policy: BusinessPolicy;
  approvals: ApprovalStatus[];
}

// Multi-party address generation
export function generateEnterpriseAddress(
  partyPubkeys: Buffer[],
  threshold: number,
  businessAccount: number,
  chain: keyof cryptos
): EnterpriseAddress;

SSP Key Extensions:

// Enterprise signing context
interface EnterpriseSigningRequest {
  transactionId: string;
  businessContext: {
    walletName: string;
    policy: BusinessPolicy;
    currentApprovers: string[];
    amount: string;
    recipient: string;
    purpose: string;
  };
  technicalContext: {
    inputs: UTXO[];
    outputs: Output[];
    fee: string;
    chainId: number;
  };
}

// Enhanced approval flow
export function approveEnterpriseTransaction(
  request: EnterpriseSigningRequest,
  biometricAuth: boolean
): Promise<PartialSignature>;

SSP Relay Extensions:

// Multi-party coordination service
class EnterpriseCoordinator {
  async createWallet(
    parties: Party[], 
    threshold: number,
    policies: BusinessPolicy[]
  ): Promise<EnterpriseWallet>;
  
  async proposeTransaction(
    walletId: string,
    transaction: Transaction,
    proposer: string
  ): Promise<TransactionProposal>;
  
  async collectApprovals(
    proposalId: string
  ): Promise<ApprovalCollection>;
  
  async executeTransaction(
    proposalId: string
  ): Promise<TransactionResult>;
}

EVM Implementation Architecture

Smart Contract Infrastructure: SSP Enterprise leverages the proven, open-source smart contract infrastructure and SDK already developed and security-audited by the SSP team:

Repository: RunOnFlux/account-abstraction
Status: Open source and security audited
Features: Account Abstraction (ERC-4337) implementation for gasless transactions
Integration: Ready-to-deploy enterprise multisig contracts for all EVM chains

🎯 Conclusion

The Security & Transparency Advantage

Cryptographic Proof Over Institutional Trust

SSP Enterprise represents a fundamental shift from "trust us" to "verify everything":

Mathematical Security Foundation

Traditional Approach: Trust the Institution
├── Rely on company promises
├── Accept proprietary "black box" security
├── Depend on institutional controls
└── Hope for business continuity

SSP Enterprise Approach: Verify Everything
├── Cryptographic proof of security
├── Open source transparency
├── Direct blockchain verification  
└── Self-sovereign control

Unparalleled Transparency

Every line of code is publicly auditable
All cryptographic operations are mathematically provable
Transaction history is immutably recorded on-chain
Security claims can be independently verified
No hidden backdoors or proprietary algorithms

Business-Grade Security Without Compromise

Multi-layer protection from device to blockchain
Distributed trust model eliminates single points of failure
Battle-tested architecture securing real funds since launch
Professional audit trails for complete compliance
Enterprise coordination without sacrificing ownership

The Problems We Solve

Problem 1: Custody vs Control Trade-off

Traditional: Give up custody for enterprise features
SSP Enterprise: Keep full custody AND get enterprise features

Problem 2: Transparency vs Functionality

Traditional: Choose between open source simplicity or enterprise capability
SSP Enterprise: Full transparency WITH comprehensive business features

Problem 3: Multi-Chain vs Simplicity

Traditional: Complex setups for each blockchain or limited chain support
SSP Enterprise: Unified interface for all major blockchains

Problem 4: Cost vs Quality

Traditional: Pay premium prices or accept limited functionality
SSP Enterprise: Professional-grade features at the lowest cost in market

Revolutionary Open Source + Premium Model

The Freemium Advantage:

Core platform is completely free - no barriers to adoption
Premium features scale with your success - pay only as you grow
Self-hosting option available - ultimate flexibility for large organizations
Open source transparency - build custom features or audit everything
Community-driven innovation - benefit from collective development

Sustainable Value Creation:

Traditional Model Problems:
├── High upfront costs block adoption
├── Transaction fees punish usage
├── Vendor lock-in prevents switching
├── Proprietary systems hide costs
└── Fixed pricing ignores value delivered

SSP Enterprise Solution:
├── Free adoption removes barriers
├── No transaction limits encourage usage  
├── Open source prevents lock-in
├── Transparent pricing builds trust
└── Value-based fees align incentives

Why SSP Enterprise Will Succeed

1. Market Timing is Perfect

Growing demand for true asset ownership and control
Regulatory pressure favoring transparent architectures
SMB crypto adoption accelerating rapidly
Open source preference in enterprise security

2. Competitive Advantages are Sustainable

50x cost advantage - cheapest enterprise solution in market
Zero vendor lock-in - open source prevents switching costs
Proven security foundation with existing user base
Mobile-first approach matches modern work patterns
Revenue model alignment - success scales with customer success

3. Technical Foundation is Groundbreaking

Built on battle-tested SSP architecture
Halborn security audited ecosystem
Open source transparency and auditability
Leverages existing user base and applications

Strategic Recommendations

Phase 1: Prove the Model (2025)

Focus on crypto-native SMBs seeking self-custody
Build compelling case studies and testimonials
Establish thought leadership around "true self-custody"
Price aggressively to gain market share

Phase 2: Expand Market (2025-2026)

Target traditional businesses entering crypto
Develop partnerships with professional service providers
Create educational content for non-crypto native audiences
Build premium service offerings for advanced needs

Phase 3: Challenge Incumbents (2026+)

Directly compete with Fireblocks on transparency
Offer white-label solutions to disrupt custody providers
Build enterprise sales and support capabilities
Expand globally with regulatory compliance

The Bottom Line

SSP Enterprise represents the natural evolution of the proven SSP Wallet ecosystem into enterprise multi-party coordination.

Rather than building entirely new infrastructure, SSP Enterprise intelligently extends the battle-tested SSP architecture that's already securing $100M+ across 12 mainnet chains (with 17 chains in the consumer SSP Wallet). This approach delivers enterprise features while maintaining the security, simplicity, and cost-effectiveness that made SSP Wallet successful.

Why This Approach Works

Proven Foundation: Built on SSP Wallet's Halborn-audited (3 separate audits, zero critical/high findings), production-tested infrastructure
User Familiarity: Business parties use the same SSP Wallet/Key tools they may already know
Network Coverage: 12 mainnet chains in enterprise production today, with our open-source Solana multisig program imminent
Cost Efficiency: Open-core model — no AUM fees, self-hostable clients and relay, commercial value layer only
Security Heritage: Zero-server-storage, 2-of-2 SSP Identity, M-of-N vaults, never any private key material on our infrastructure

Perfect Market Positioning

SSP Enterprise fills a unique gap: multi-chain business self-custody. While Fireblocks offers automation at the cost of custody, and Safe provides EVM-only self-custody, SSP Enterprise delivers true multi-chain self-custody with business coordination features.

For organizations requiring multi-chain asset management with true self-custody principles, SSP Enterprise isn't just competitive – it's the only complete solution available.

Next Steps

For Organizations Interested in SSP Enterprise

Learn More: Visit sspwallet.io and sspwallet.io/ssp-enterprise.html to explore SSP Enterprise
Contact: [email protected] for enterprise discussions
Schedule Consultation: https://calendar.app.google/Mkg5iPUgnt17CmU97
Start Today: Live in production — create an organization on sspwallet.io/enterprise

For Current SSP Wallet Users

Explore Multi-Chain Support: SSP Wallet supports 17 networks (12 mainnet, 5 testnet) including Bitcoin, Ethereum, Polygon, Base, BSC, Avalanche, Litecoin, Dogecoin, Bitcoin Cash, Ravencoin, Zcash, Flux, and Solana (devnet)
Business Use Cases: Consider how SSP Enterprise could benefit your organization
Stay Updated: Follow development progress through official SSP channels
Provide Feedback: Help shape enterprise features based on real-world needs

For Developers and Contributors

SSP Ecosystem: Explore SSP Wallet, SSP Key, and SSP Relay
Documentation: docs.sspwallet.io for technical details
Community: Join the RunOnFlux Discord
Open Source: Contribute to the proven, audited codebase

For Partners and Integrators

Understand the Foundation: Review existing SSP Wallet architecture and capabilities
Partnership Opportunities: Email [email protected]
Integration Potential: Leverage proven multi-chain SSP infrastructure
White-Label Solutions: Enterprise customization opportunities

Ready to take control of your business cryptocurrency management with true self-custody?

SSP Enterprise: Where security meets simplicity, and ownership meets enterprise.

Built on the proven foundation of the SSP Wallet ecosystem, SSP Enterprise delivers institutional-grade multi-party custody without sacrificing the self-sovereignty principles that make cryptocurrency transformative.

SSP Enterprise: Multi-Party Self-Custody Solution