Privacy
We collect the minimum information necessary.
Evoke is non-custodial. Because client keys never leave the client's control, our data footprint is narrower than that of a custodian. Where regulation requires it (sanctions screening, KYC for fiat onramp partners, fiduciary onboarding under Crown Dependency rules), we collect and verify what we need to meet our obligations under applicable law.
Personal data is processed in line with the UK GDPR and equivalent frameworks in Jersey, Guernsey, and the EU. For the full detail, read our privacy policy.
01 - Wallet Security
Native SegWit (P2WSH) 2-of-3 multisig, with keys you can verify.
Every Evoke vault is a unique, per-client 2-of-3 multisignature address constructed as a native SegWit Pay-to-Witness-Script-Hash (P2WSH) output, the bech32 address format that begins with bc1q. P2WSH delivers the same multi-key security model as legacy P2SH multisig at materially lower on-chain fees, with the witness-data discount, smaller signatures, and broader hardware-wallet compatibility.
Addresses are derived from three independent extended public keys (xpubs): one from the client, one from Evoke, one from an independent third-party key agent. Two of the three signatures are required to move funds. No single party, including Evoke, can spend on its own.
Evoke never holds, sees, or has the technical ability to access a client's private key. Every key we control is generated on a hardware signing device, lives on hierarchical-deterministic (BIP-32) cold-storage hardware, and signs exclusively through offline, air-gapped procedures.
02 - Operational & Physical
Devices in vaults. Seeds in separate vaults. Nothing at the office.
We maintain a written internal security policy with mandatory personnel training and periodic review. Signing devices are stored in geographically separated, access-controlled facilities that require physical identity verification on entry.
Seed material is stored apart from the device it would restore, in a different controlled location, so no single facility compromise puts a key at risk. No Evoke key material is ever held at our corporate offices.
03 - Network Security
Modern infrastructure controls, applied without exception.
Our infrastructure runs on a private, firewalled network with strict perimeter and segmentation controls. All data is encrypted in transit and at rest using industry-standard AES-256, and two-factor authentication is required for any sensitive system.
A centralised identity provider gives every employee a unique, attributable identity; access is least-privilege by default. We monitor traffic and system events continuously and retain access, system, and application logs for the long term, so any action against a sensitive resource can be reviewed after the fact.
04 - Indentity Verification
We capture identity once, and use it only when assurance is required.
Evoke is not a custodian. We do not run accounts that tie a client's name to a balance we control, we do not monitor client transactions for tax purposes, and we do not surface client data to HMRC or any tax authority in the ordinary course of operation. Bitcoin held in an Evoke vault remains bitcoin in the way it has always been: controlled by keys, not by a list of names on a dashboard.
We do capture baseline identity at vault setup, as required for fiduciary onboarding under the regulations that apply to us. That record is held in cold storage and is not used for ongoing surveillance, balance monitoring, or routine reporting. It is retrieved and applied for one purpose only: to verify the person reaching us at the two assurance moments below.
Moment 1
Recovery Signing
If a client, beneficiary, or estate needs Evoke to step in with the key we hold (for example, after the loss of a client-side key or the death of a settlor), we will not apply our signature until we have verified that the person on the other end is who they say they are.
Moment 2
Beneficiary or executor-instructed signing
If a beneficiary asks us to sign under the instruction of an executor or trustee, we verify both the person and the authority being claimed before participating.
How the record is held. Identity records are encrypted at rest, retained for the minimum period our regulators require, and destroyed thereafter. They are never used for analytics, marketing, or any purpose other than the two assurance moments above, and are never shared with third parties except where we are legally compelled.
05 - Availability
Client bitcoin is spendable, with or without Evoke.
Because Evoke is non-custodial, our continued operation is not a single point of failure for client funds. We maintain and rehearse business continuity and disaster-recovery procedures, but the more important guarantee sits in the protocol itself.
Any vault built on Evoke can be recovered, signed, and broadcast using only open-source Bitcoin software and the client's own keys and output descriptor. If a client retains any two of the three keys and the multisig descriptor file, they can move funds on the Bitcoin network independently of Evoke, in perpetuity.
