Security Best Practices

Recommended security practices for organizations using Tholos to manage digital assets.

This guide outlines key security best practices for organizations using Tholos to manage their digital assets. Implementing these recommendations can help safeguard your treasury and policy changes against both internal and external risks.

These are suggested guidelines only. Tholos provides them for informational purposes and assumes no responsibility or liability for their implementation or outcomes.

Core Security Practices

Threshold and Approver Count

Higher Thresholds = Greater Security - Your vault’s threshold defines how many signers must approve a transaction before it’s executed. A higher threshold makes it more difficult for an attacker to succeed, as more individuals must be compromised.

  • Aim for a threshold of at least 2/3 of your approvers.
  • Avoid setting the threshold equal to the number of approvers. If 5 of 5 are required and one person loses access, your funds are frozen.

Buffer Between Threshold and Approvers - Maintain a sensible gap between total signers and the threshold for resilience.

  • Avoid configurations like 3 of 9, where a small number of compromised signers could gain control of a vault.
  • Minimum Recommendation: Set your threshold to at least floor(total signers / 2) to balance availability and security.

Key Rotation

  • Regularly rotate keys that may have been exposed or used on insecure devices.
  • Rotate any key associated with a device that’s lost, stolen, or shared.

Transaction Verification

  • Live Coordination: Confirm in real time that all signers are approving the intended transaction.
  • Cross-Check Interfaces: Always verify transaction details match between the Tholos web-app and mobile-app.

Backup File Management

Your encrypted backup file is the lifeline to your vault. Losing it or the password to decrypt the file may result in permanent loss of access.

  • Never store it only on your primary device — that device may be lost, wiped, or hacked.

Recommended storage locations (by security priority):

  1. Offline physical device (e.g., encrypted USB) stored in a secure, access-controlled location
  2. Encrypted cloud storage (e.g., iCloud, Google Drive) with strong passwords and 2FA

Backup Password Hygiene:

  • Never store the password in the same location as the backup file.
  • Use a password manager or store it offline in a physical safe.

Treasury Compartmentalization

Segmenting your treasury adds a strong layer of protection. This involves splitting your funds between high-security cold storage and more accessible operational accounts.

Cold Vault (Standard Vault)

  • Holds 80-95% of your assets
  • High thresholds, strict policies, limited access
  • For long-term holdings and infrequent movement
  • Avoids third-party protocol interactions
  • As a standard vault, transactions are signed synchronously, requiring all signers to be online at the same time

Operational Vaults (Flex Vaults)

  • Holds 5-20% of your funds
  • Lower thresholds for speed and usability
  • Handles payroll, vendor payments, and day-to-day transactions
  • May interact with third-party tools or platforms
  • As a flex vault, transactions are signed asynchronously, enabling signers to sign at different points of time

Signer Security and Device Practices

Dedicated Devices

  • Use dedicated phones and computers exclusively for Tholos-related activity
  • Do not install non-essential software or apps on these devices

Separate Logins and Emails

  • Each signer should use a unique email address and login credentials for Tholos

Endpoint Protection

  • Install EDR/XDR security software on laptops used for administrative or organizational access

Device Security Hygiene

  • Devices should be password-protected and physically secured
  • Never leave signing devices unattended or unlocked
  • The Tholos app should be force quit once use is completed

Network and Communication Hygiene

  • Use a dedicated mobile data plan when signing from phones; avoid using shared or public Wi-Fi
  • Avoid using public Wi-Fi for any transactions involving Tholos
  • Bookmark the official Tholos dashboard to avoid phishing sites

Role Management and Exposure

  • Public-facing members of your organization (e.g., the CEO) should not have the highest-level permissions
  • Assign treasury responsibilities to operational staff with limited public visibility
  • Limit vault access to only those who need it

Personal OpSec

  • Avoid discussing crypto holdings or treasury responsibilities on social media
  • Be cautious about oversharing job roles or project details publicly
  • Stay alert for targeted phishing or impersonation attempts

By following these best practices, your organization can significantly strengthen its digital asset security posture while using Tholos.