Last Updated: June 2025
At Noders, we take validator security and operational integrity seriously.
Below is an overview of our current practices:
1. Introduction
Noders LLC is a professional validator and infrastructure provider operating across multiple blockchain networks. Security is central to our mission. We are committed to delivering resilient, secure, and compliant services for delegators, projects, and the broader Web3 ecosystem. This policy outlines our security architecture and practices, aligned with international standards, including ISO/IEC 27001.
2. Infrastructure & Physical Security
Our infrastructure is hosted in geographically distributed, ISO 27001-compliant, enterprise-grade data centers with physical access controls, network isolation, and high-availability SLAs. Redundant architecture is implemented using sentry nodes and backup validators to ensure high availability. All validator and sentry nodes are protected by firewalls, private networking, and IP whitelisting.
Key elements include:
Firewalled and segmented network topologies
Physical access controls at hosting providers
Cold-standby infrastructure for failover scenarios
Hardware and hosting environments evaluated for uptime SLAs and location redundancy
All systems are regularly patched and hardened using baseline security benchmarks.
3. Key Management & Slashing Protection
We strictly follow a one-active-validator-per-network model. All validator keys:
Are generated offline and stored in secure, isolated environments
Are managed via encrypted offline storage or HSM-based signing solutions
Are never stored on internet-facing systems
Are rotated using tested key migration workflows (where supported)
Undergo regular integrity checks
We enforce strict access controls for key storage environments, actively monitor slashing risks (e.g., missed signatures, double signing), and apply alert thresholds to enable preventative action.
4. Access Control & Authentication
We implement a strict access model based on role-based privileges:
All production systems require SSH key authentication and MFA
Access is granted following the principle of least privilege
User permissions are reviewed and rotated quarterly
Offboarding includes immediate credential revocation and audit logging
Access is limited exclusively to our internal senior DevOps team.
5. Monitoring, Observability & Alerting
Our observability stack includes:
Prometheus and Grafana for metrics
Loki for centralized log aggregation
Alerta for deduplicated alert routing
Uptime Kuma for external uptime checks
We monitor:
Block production, missed slots, peer connectivity, validator health
CPU, memory, disk usage, peer count, missed blocks
Signing errors, slashing risks, network latency
Critical alerts are delivered to on-call engineers via Telegram and email.
6. Automation, CI/CD & Orchestration
We manage infrastructure using:
Ansible for infrastructure-as-code
Docker for containerized deployments
GitHub Actions for CI/CD automation
This ensures low-touch, consistent deployments with rollback capability, reducing human error.
7. Backup & Disaster Recovery
We maintain an encrypted, versioned, and geo-redundant backup strategy:
Automated encrypted backups of node states and configurations
Daily snapshots of configurations and system states
Restoration drills in staging environments
Cold-standby validators for emergency activation
All backups are encrypted at rest and transferred over secure channels.
8. Compliance & ISO 27001 Alignment
We are actively finalizing our ISO/IEC 27001 certification. Implemented controls include:
Documented risk assessment and treatment plans
A formal Information Security Management System (ISMS)
Staff training, incident reporting procedures, and periodic audits
Role-based access control and asset management policies
All documentation is aligned with Annex A of ISO/IEC 27001.
9. Incident Response & Communication
We maintain an incident response playbook, which includes:
Severity-based incident classification
SLA-driven response and mitigation timelines
Transparent communication with delegators and affected parties
Post-incident reviews for root cause analysis and process improvement
To report an issue with our validator nodes, contact security@noders.team. Communication channels include our website, email, and Discord (where applicable).
10. Vulnerability Disclosure Program
We support responsible security research. Our Vulnerability Disclosure Policy outlines:
Systems in scope
Submission guidelines
Expectations for ethical, non-disruptive behavior
We commit to:
Acknowledging valid submissions
Avoiding legal action against good-faith researchers
Offering optional public credit
We do not currently offer a paid bug bounty program.
11. Data Privacy & User Information
While our staking services are non-custodial, we collect limited data via our website. Please refer to our Privacy Policy for full details.
Collected data includes:
Contact form submissions
Google Analytics usage data
Cookie-based interaction logs
We do not collect validator keys, wallet information, or staking-related user data.
12. Continuous Improvement & Change Management
Security is a continuous process. We:
Monitor upstream CVEs and validator client advisories
Rotate secrets and access credentials regularly
Conduct quarterly internal reviews of observability and incident readiness
Improve processes based on community feedback and compliance audits
13. Contact & Updates
To report a security issue, contact: security@noders.team
General inquiries: tech@noders.team
This policy is reviewed and updated at least twice per year and published at: https://noders.team/security-policies
Noders LLC
Exempted Company incorporated in the Cayman Islands with Limited Liability