Release 2026-03-31

Address Book V2

We are excited to announce the release of Address Book V2, a major upgrade designed to provide greater flexibility, enhanced security, and improved governance for your asset management.

Key New Features

Multi-Book Support: Users are no longer restricted to a single address list. You can now create and manage multiple named address books, such as "Whitelisted Traders" or "Cold Storage," alongside the "default" legacy book.

Mutable Definitions: Flexibility is improved with the ability to edit existing address book names and update appliesTo wallet configurations after a book has been created.

API Changes (GraphQL)

Queries

addressBooks: Retrieve a high-level dashboard view of all address books and their nested entries.

addressBook: Fetch a specific book with support for nextToken pagination to handle large entry lists.

addressBookApprovals: Access governance data, including requester info and approval status.

Mutations

createAddressBook: Initialize new containers with specific governance logic (e.g., approvalProcess set to NONE or WALLET).

editAddressBook: Update metadata and wallet associations. Note: Updating the appliesTo array will completely overwrite existing associations.

createAddressBookEntries: Add single or bulk entries to a specific book.

deleteAddressBookEntries: Remove specific entries using an array of IDs.

deleteAddressBook: Permanently remove an entire address book.

Important Considerations

Wallet Targeting: When creating a book, setting appliesTo to ["*"] will target all wallets; otherwise, specific wallet IDs must be provided.

Overwrite Behavior: When using the editAddressBook mutation, remember that the appliesTo field replaces the previous list rather than appending to it.

InfraOps APIs

We've introduced new InfraOps capabilities, enabling secure and
auditable operational workflows for managing clusters.

Cluster Operations

InfraOps provides APIs to interact with clusters and handle operational
tasks securely.

Supported capabilities: - Retrieve cluster information - Manage
offline cluster signing workflows via secure file exchange

Secure File Flows (Offline Clusters)

For offline clusters, we've introduced a secure mechanism for handling
signing workflows using pre-signed URLs.

Permissions

Requires CLUSTER_MANAGER or CLUSTER_OPS roles

Applies to both users and API keys

Organisation Management

We've introduced new Organisation Management capabilities, enabling
full control over API keys and users within your organisation.

API Key Management

New endpoints: - listApiKeys -- Retrieve all organisation API keys
with roles, status, and expiry - createOrgApiKey -- Create a new API
key with assigned roles and expiry date - updateOrgApiKey -- Enable or
disable an existing API key

Highlights: - API keys are returned only once upon creation ---
ensure secure storage - Keys are enabled by default - Supports
role-based access control and expiry for improved security

User Management

New endpoints: - organisationManagement.listUsers -- List all
users in the organisation - updateUser -- Update user roles and
status - inviteUser -- Invite new users with predefined roles

Highlights: - User updates are full replacements (not partial
updates) - Invitations include pre-assigned roles for streamlined
onboarding

Permissions

All Organisation Management endpoints require ADMIN role

Applies to both users and API keys

Notes

Designed for enterprise-grade access control and governance

Enables API key lifecycle management (create, audit, disable)

Provides centralised user administration via API

Release 2025-08-31

August 31, 2025

This release focuses on compliance, security hardening, performance, and resilience improvements across custody services. The items below intentionally avoid exposing internal designs, vendor names, firmware requirements, or implementation specifics while communicating customer‑relevant outcomes.

Platform Resilience & Security

Routine security updates and control tuning across core services.

Dependency hygiene and audit‑driven remediation's across the platform.

Benefit: Reinforces our custody‑grade security baseline and operational stability.

Compliance & Governance

Foundational support for compliance workflows across custody components.

Enhancements to AML‑related review processes and reporting readiness.

Benefit: Streamlines compliance operations and reduces manual effort.

Mobile Experience

Performance and responsiveness improvements across key mobile flows.

Refined session and authentication handling for improved reliability.

Benefit: Provides a smoother mobile experience while maintaining security integrity.

Signing & Policy Services

Enforced encrypted channels for inter‑service communication.

Aligned policy validation across sensitive import and key‑related workflows.

Benefit: Strengthens cryptographic controls and standardises sensitive operations.

Blockchain Indexing & Throughput

Scaled indexing capacity to handle higher on‑chain activity during periods of network congestion.

Stability and throughput improvements during spikes in block size and transaction volume.

Benefit: Ensures reliable indexing and transaction visibility under heavy load conditions.

No customer action is required for this release. For questions, please contact Support.

Release 2025-07-31

July 31, 2025

This release focuses on security, reliability, and developer‑experience improvements across the custody platform. The items below are intentionally written to avoid exposing internal designs, vendor names, or implementation details while still describing customer‑relevant outcomes.

Platform Resilience & Security

Ongoing maintenance and remediation as part of our secure development lifecycle

Routine dependency updates and configuration tuning

Incremental improvements informed by internal and external reviews

Benefit: Reinforces our security baseline and keeps our controls aligned with industry expectations.

Error Handling & Transparency

Clearer, more consistent responses for transaction status and failure scenarios

Additional telemetry for issues that are not automatically retried

Aligned behaviour across APIs to standardise how errors are reported

Benefit: Improves troubleshooting clarity and reduces integration effort.

Vault & Key Management Enhancements

Improved transaction descriptions for supported assets

Expanded request feedback to surface actionable information where appropriate

Additional safeguards and audit controls in recovery workflows

Benefit: Increases end‑user clarity, improves operational resilience, and supports secure key lifecycle management.

Infrastructure Optimisation

Simplified network architecture and routing to improve efficiency

Hardened private integration paths used by background services

Broader monitoring and alerting coverage across core components

Benefit: Enhances reliability and reduces operational overhead.

API & SDK Improvements

More consistent API responses for transaction queries

SDK updates that reduce footprint and improve maintainability

Benefit: Simplifies the developer experience and speeds up integrations.

Governance & Access

Routine refresh of cryptographic controls

Role definitions reviewed to reinforce least‑privilege access

Enhanced visibility into the status of vulnerability remediation

Benefit: Strengthens overall security posture and operational governance.

No customer action is required for this release. For questions, please contact Support.

Release 2025-06-30

June 30, 2025

This release focuses on expanding compliance capabilities, strengthening audit readiness, and optimizing network infrastructure across our custody ecosystem.

Security & Performance Improvements

We applied several backend security patches in line with our CVE patching policies:

Updated Go stdlib dependencies across multiple services

Upgraded internal infrastructure libraries

Increased memory allocations for critical lambdas

Benefit: Improves runtime resilience and keeps services aligned with our internal security guidelines.

Compliance Engine Enhancements

Enhancements to the anti-money-laundering (AML) layer improve transaction monitoring fidelity:

Compliance checks now reference organisation.product for more granular enforcement via third-party compliance providers

Fixed case-sensitive asset matching in Travel Rule provider integration

Extended chain ID mapping to support additional networks

Benefit: Increases precision of compliance workflows across supported chains and products.

Custody Chain Service Hardening

Post-audit remediation's were applied across multiple chain services:

pbkdf2 CVE resolution

Dependency upgrades

Infrastructure interface corrections

Benefit: Aligns on-chain connectors with current audit requirements and ensures predictable node integration.

Network Infrastructure Optimization

Refinements to internal networking components:

Decommissioned unused NAT gateways and staging subnets

Added direct endpoints for ECR services

Removed legacy private endpoint

Benefit: Reduces internal network complexity and improves routing efficiency for key components.

API Documentation Redirect

We have consolidated custody developer documentation under the Bitpanda TechSolutions portal:

Redirected developer.bitpandacustody.com to techsolutions.bitpanda.com/custody

New routing is managed via CloudFront and backed by an S3 origin (as fallback)

Benefit: Streamlines access to up-to-date documentation under a unified platform portal.

Release 2025-05-31

May 31, 2025

This release brings continued improvements across chain services, custody governance, and security posture. Our updates focus on secure seed management, dynamic transaction handling, and refined access controls across the custody infrastructure.

Chain Service Security & Performance Updates

We have applied updates to multiple chain services in line with our patching guidelines to address critical security vulnerabilities in Go stdlib and supporting dependencies. These updates also include performance tuning improvements.

Memory configuration improvements for runtime components

Standardized dependency updates across chain services

Ongoing adherence to CVE patching policies

Dynamic Transaction Fee Handling

We improved our transaction tip calculation logic for EVM-based networks. Tip values are now dynamically fetched using eth_maxPriorityFeePerGas, ensuring compatibility across chains with different baseline fee requirements.

Resolves static tip issues on high-minimum-tip networks

Verified compatibility with EIP-1559 and non-EIP-1559 chains

Increases reliability and predictability of transaction inclusion

Seed Export Capability (Custody)

We have introduced secure export functionality for wallet seeds via TrustVault:

Export actions are gated by PCR (Policy Change Request) to enforce access controls.

Co-signing support is enabled via TCSS for multi-approver validation.

All exports are encrypted and auditable to support operational integrity.

This enables secure migration, recovery, or custodial transitions in line with governance protocols.

Webhook and Notification Enhancements

Webhook delivery systems were optimized to improve reliability and responsiveness:

Webhooks now execute in parallel with a 30-second max per call

Global timeout extended to 60 seconds

New subscription type added to support seed export notifications

Role and Access Management Updates

Internal access policies were refined to enhance operational governance:

Escalation flows updated for developer and admin access levels

Co-signing requirements expanded for sensitive operational actions

Infrastructure & Compliance Controls

We transitioned to AWS WAFv2 for improved edge protection and consistency:

Region-based rate-limiting updated in line with AWS standards

IP-level blocking aligned with compliance jurisdiction restrictions

Additional hardening applied for common web-layer vulnerabilities

Changelog

Release 2026-03-31#

Address Book V2#

Key New Features#

API Changes (GraphQL)#

Queries#

Mutations#

Important Considerations#

InfraOps APIs#

Cluster Operations#

Secure File Flows (Offline Clusters)#

Permissions#

Organisation Management#

API Key Management#

User Management#

Permissions#

Notes#

Release 2025-08-31#

Platform Resilience & Security#

Compliance & Governance#

Mobile Experience#

Signing & Policy Services#

Blockchain Indexing & Throughput#

Release 2025-07-31#

Platform Resilience & Security#

Error Handling & Transparency#

Vault & Key Management Enhancements#

Infrastructure Optimisation#

API & SDK Improvements#

Governance & Access#

Release 2025-06-30#

Security & Performance Improvements#

Compliance Engine Enhancements#

Custody Chain Service Hardening#

Network Infrastructure Optimization#

API Documentation Redirect#

Release 2025-05-31#

Chain Service Security & Performance Updates#

Dynamic Transaction Fee Handling#

Seed Export Capability (Custody)#

Webhook and Notification Enhancements#

Role and Access Management Updates#

Infrastructure & Compliance Controls#

Release 2026-03-31

Address Book V2

Key New Features

API Changes (GraphQL)

Queries

Mutations

Important Considerations

InfraOps APIs

Cluster Operations

Secure File Flows (Offline Clusters)

Permissions

Organisation Management

API Key Management

User Management

Permissions

Notes

Release 2025-08-31

Platform Resilience & Security

Compliance & Governance

Mobile Experience

Signing & Policy Services

Blockchain Indexing & Throughput

Release 2025-07-31

Platform Resilience & Security

Error Handling & Transparency

Vault & Key Management Enhancements

Infrastructure Optimisation

API & SDK Improvements

Governance & Access

Release 2025-06-30

Security & Performance Improvements

Compliance Engine Enhancements

Custody Chain Service Hardening

Network Infrastructure Optimization

API Documentation Redirect

Release 2025-05-31

Chain Service Security & Performance Updates

Dynamic Transaction Fee Handling

Seed Export Capability (Custody)

Webhook and Notification Enhancements

Role and Access Management Updates

Infrastructure & Compliance Controls