
Organization Structure

Paribu Custody is managed by creating separate organizations and independent workspaces. Paribu Custody can be accessed through the platform (web), mobile application, and API.


The organization is the top level of the Paribu Custody architecture. Different organizations operate independently within the Paribu Custody system. Organizations are categorized based on the companies that use Paribu Custody.

Each user can belong to only one organization. Users joining the organization acquire roles based on the workspaces they are assigned to. A user can be included in an organization by joining at least one workspace within that organization.


The workspace is one level down from the organization and is where independent product usage is managed. There is no limit to the number of workspaces within an organization.

Workspaces are created with the support of the operations team. During workspace creation, the user is asked for the following information:

  • Workspace name
  • Workspace owner
  • Workspace type
  • Workspace deposit type
  • Workspace backup key requirement selection

Workspace name: Name of the workspace. Changeable.

Workspace owner: Each workspace must have one owner. The master key ceremony is conducted with the owner.

Workspace types: Warm and cold. While the warm workspace offers a more flexible structure, the cold workspace comes with certain limitations.

  • The warm workspace ensures that transactions are executed and transmitted to the blockchain in accordance with policies defined specifically for crypto assets, subject to authorization and approval by user accounts. Transfers can be automated, and wallets can operate under the hot wallet principle by using the API keys associated with API users created during the use of the warm workspace.
  • The cold workspace has more system constraints compared to the warm workspace. The system does not allow API users to use this workspace. Additionally, workspace security settings cannot be bypassed. Transactions within the cold workspace can only be initiated by real users, following the necessary approval and signature processes. Since creating a proxy wallet is not possible, the cold workspace is not suitable for use with end-user wallets.

Workspace deposit types: Default and fast. The deposit type selects the required number of block confirmations for deposits coming to the workspace.

Workspace backup key requirement selection

Each workspace is created with an “owner.” Keys are generated at the workspace level. While the workspace is being created, the owner joins the key creation ceremony with Paribu Custody servers on a mobile device to create a workspace-based master key.

A user can be an owner in multiple workspaces within the same organization. A user who is an owner in multiple workspaces will hold a distinct key shard for each workspace.

The roles of workspace users are specific to each individual workspace. Users can have the same or different roles across their workspaces.


Vaults are created by users within the workspace. Users can create unlimited vaults within their workspace.

Users create and manage main and proxy wallets within the vaults. Each vault includes a main wallet upon creation, and there can only be one main wallet.


Wallets include addresses associated with the vault. All digital assets added to the system are stored within the wallet. Wallets allow Paribu Custody users to differentiate their own users. They consist of a wallet name and a reference ID. Users can create separate wallets for their end users within the workspace.

Vault creation is followed by the automatic creation of a “main wallet.” Upon creation, the main wallet does not contain any network addresses. The user adds the selected network and asset to the relevant wallet, and an address is created based on the network of the selected asset. Each wallet contains only one address for each network-asset pair.

All wallets in the vault, except for the first one, are considered “proxy wallets.” A proxy wallet is added to manage end users’ assets within the vault. A proxy wallet only allows deposits and does not permit transferring assets outside the vault. Assets sent to addresses in the proxy wallet are automatically swept into the main wallet within the same vault.
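The vault and wallet rules above, together with the cold-workspace restrictions, can be expressed as an executable model for threat modeling or pre-flight checks. This is an added example, not Paribu Custody code or its API: the class, method and field names are hypothetical, and amounts are integers in the asset's smallest unit.

```python
from dataclasses import dataclass, field

class PolicyError(Exception):
    """An action that the rules described on this page do not allow."""

@dataclass
class Wallet:
    name: str
    reference_id: str
    is_main: bool = False
    addresses: dict = field(default_factory=dict)  # (network, asset) -> address

    def add_address(self, network, asset, address):
        # Each wallet contains only one address per network-asset pair.
        if (network, asset) in self.addresses:
            raise PolicyError("address already exists for this network-asset pair")
        self.addresses[(network, asset)] = address

@dataclass
class Vault:
    workspace_type: str  # "warm" or "cold"
    wallets: list = field(default_factory=list)
    main_balance: dict = field(default_factory=dict)  # asset -> amount in main wallet

    def __post_init__(self):
        # The main wallet is created with the vault and starts with no addresses.
        self.wallets.append(Wallet("main", "main-ref", is_main=True))

    def add_proxy_wallet(self, name, reference_id):
        if self.workspace_type == "cold":
            raise PolicyError("proxy wallets cannot be created in a cold workspace")
        self.wallets.append(Wallet(name, reference_id))
        return self.wallets[-1]

    def deposit(self, wallet, network, asset, amount):
        if (network, asset) not in wallet.addresses:
            raise PolicyError("wallet has no address for this network-asset pair")
        # Deposits to a proxy address are swept into the vault's main wallet.
        self.main_balance[asset] = self.main_balance.get(asset, 0) + amount
        return not wallet.is_main  # True when a sweep took place

    def transfer_out(self, wallet, asset, amount, api_user=False):
        if not wallet.is_main:
            raise PolicyError("proxy wallets are deposit-only")
        if self.workspace_type == "cold" and api_user:
            raise PolicyError("API users cannot use a cold workspace")
        if self.main_balance.get(asset, 0) < amount:  # model assumption
            raise PolicyError("insufficient balance")
        self.main_balance[asset] -= amount
```

The model leaves out approval and signature steps, which the page mentions but does not specify.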