Release 2026-03-31#
Address Book V2#
We are excited to announce the release of Address Book V2, a major upgrade designed to provide greater flexibility, enhanced security, and improved governance for your asset management.Key New Features#
Multi-Book Support: Users are no longer restricted to a single address list. You can now create and manage multiple named address books, such as "Whitelisted Traders" or "Cold Storage," alongside the "default" legacy book.
Mutable Definitions: Flexibility is improved with the ability to edit existing address book names and update appliesTo wallet configurations after a book has been created.
API Changes (GraphQL)#
Queries#
addressBooks: Retrieve a high-level dashboard view of all address books and their nested entries.
addressBook: Fetch a specific book with support for nextToken pagination to handle large entry lists.
addressBookApprovals: Access governance data, including requester info and approval status.
Mutations#
createAddressBook: Initialize new containers with specific governance logic (e.g., approvalProcess set to NONE or WALLET).
editAddressBook: Update metadata and wallet associations. Note: Updating the appliesTo array will completely overwrite existing associations.
createAddressBookEntries: Add single or bulk entries to a specific book.
deleteAddressBookEntries: Remove specific entries using an array of IDs.
deleteAddressBook: Permanently remove an entire address book.
Important Considerations#
Wallet Targeting: When creating a book, setting appliesTo to ["*"] will target all wallets; otherwise, specific wallet IDs must be provided.
Overwrite Behavior: When using the editAddressBook mutation, remember that the appliesTo field replaces the previous list rather than appending to it.
InfraOps APIs#
We've introduced new InfraOps capabilities, enabling secure and
auditable operational workflows for managing clusters.Cluster Operations#
InfraOps provides APIs to interact with clusters and handle operational
tasks securely.Supported capabilities: - Retrieve cluster information - Manage
offline cluster signing workflows via secure file exchangeSecure File Flows (Offline Clusters)#
For offline clusters, we've introduced a secure mechanism for handling
signing workflows using pre-signed URLs.Permissions#
Requires CLUSTER_MANAGER or CLUSTER_OPS roles
Applies to both users and API keys
Organisation Management#
We've introduced new Organisation Management capabilities, enabling
full control over API keys and users within your organisation.API Key Management#
New endpoints: - listApiKeys -- Retrieve all organisation API keys
with roles, status, and expiry - createOrgApiKey -- Create a new API
key with assigned roles and expiry date - updateOrgApiKey -- Enable or
disable an existing API keyHighlights: - API keys are returned only once upon creation ---
ensure secure storage - Keys are enabled by default - Supports
role-based access control and expiry for improved securityUser Management#
New endpoints: - organisationManagement.listUsers -- List all
users in the organisation - updateUser -- Update user roles and
status - inviteUser -- Invite new users with predefined rolesHighlights: - User updates are full replacements (not partial
updates) - Invitations include pre-assigned roles for streamlined
onboardingPermissions#
All Organisation Management endpoints require ADMIN role
Applies to both users and API keys
Notes#
Designed for enterprise-grade access control and governance
Enables API key lifecycle management (create, audit, disable)
Provides centralised user administration via API
Release 2025-08-31#
This release focuses on compliance, security hardening, performance, and resilience improvements across custody services. The items below intentionally avoid exposing internal designs, vendor names, firmware requirements, or implementation specifics while communicating customer‑relevant outcomes.Routine security updates and control tuning across core services.
Dependency hygiene and audit‑driven remediation's across the platform.
Benefit: Reinforces our custody‑grade security baseline and operational stability.
Compliance & Governance#
Foundational support for compliance workflows across custody components.
Enhancements to AML‑related review processes and reporting readiness.
Benefit: Streamlines compliance operations and reduces manual effort.
Mobile Experience#
Performance and responsiveness improvements across key mobile flows.
Refined session and authentication handling for improved reliability.
Benefit: Provides a smoother mobile experience while maintaining security integrity.
Signing & Policy Services#
Enforced encrypted channels for inter‑service communication.
Aligned policy validation across sensitive import and key‑related workflows.
Benefit: Strengthens cryptographic controls and standardises sensitive operations.
Blockchain Indexing & Throughput#
Scaled indexing capacity to handle higher on‑chain activity during periods of network congestion.
Stability and throughput improvements during spikes in block size and transaction volume.
Benefit: Ensures reliable indexing and transaction visibility under heavy load conditions.
No customer action is required for this release. For questions, please contact Support.Release 2025-07-31#
This release focuses on security, reliability, and developer‑experience improvements across the custody platform. The items below are intentionally written to avoid exposing internal designs, vendor names, or implementation details while still describing customer‑relevant outcomes.Ongoing maintenance and remediation as part of our secure development lifecycle
Routine dependency updates and configuration tuning
Incremental improvements informed by internal and external reviews
Benefit: Reinforces our security baseline and keeps our controls aligned with industry expectations.
Error Handling & Transparency#
Clearer, more consistent responses for transaction status and failure scenarios
Additional telemetry for issues that are not automatically retried
Aligned behaviour across APIs to standardise how errors are reported
Benefit: Improves troubleshooting clarity and reduces integration effort.
Vault & Key Management Enhancements#
Improved transaction descriptions for supported assets
Expanded request feedback to surface actionable information where appropriate
Additional safeguards and audit controls in recovery workflows
Benefit: Increases end‑user clarity, improves operational resilience, and supports secure key lifecycle management.
Infrastructure Optimisation#
Simplified network architecture and routing to improve efficiency
Hardened private integration paths used by background services
Broader monitoring and alerting coverage across core components
Benefit: Enhances reliability and reduces operational overhead.
API & SDK Improvements#
More consistent API responses for transaction queries
SDK updates that reduce footprint and improve maintainability
Benefit: Simplifies the developer experience and speeds up integrations.
Governance & Access#
Routine refresh of cryptographic controls
Role definitions reviewed to reinforce least‑privilege access
Enhanced visibility into the status of vulnerability remediation
Benefit: Strengthens overall security posture and operational governance.
No customer action is required for this release. For questions, please contact Support.Release 2025-06-30#
This release focuses on expanding compliance capabilities, strengthening audit readiness, and optimizing network infrastructure across our custody ecosystem.We applied several backend security patches in line with our CVE patching policies:Updated Go stdlib dependencies across multiple services
Upgraded internal infrastructure libraries
Increased memory allocations for critical lambdas
Benefit: Improves runtime resilience and keeps services aligned with our internal security guidelines.
Compliance Engine Enhancements#
Enhancements to the anti-money-laundering (AML) layer improve transaction monitoring fidelity:Compliance checks now reference organisation.product for more granular enforcement via third-party compliance providers
Fixed case-sensitive asset matching in Travel Rule provider integration
Extended chain ID mapping to support additional networks
Benefit: Increases precision of compliance workflows across supported chains and products.
Custody Chain Service Hardening#
Post-audit remediation's were applied across multiple chain services:Infrastructure interface corrections
Benefit: Aligns on-chain connectors with current audit requirements and ensures predictable node integration.
Network Infrastructure Optimization#
Refinements to internal networking components:Decommissioned unused NAT gateways and staging subnets
Added direct endpoints for ECR services
Removed legacy private endpoint
Benefit: Reduces internal network complexity and improves routing efficiency for key components.
API Documentation Redirect#
We have consolidated custody developer documentation under the Bitpanda TechSolutions portal:Redirected developer.bitpandacustody.com to techsolutions.bitpanda.com/custody
New routing is managed via CloudFront and backed by an S3 origin (as fallback)
Benefit: Streamlines access to up-to-date documentation under a unified platform portal.
Release 2025-05-31#
This release brings continued improvements across chain services, custody governance, and security posture. Our updates focus on secure seed management, dynamic transaction handling, and refined access controls across the custody infrastructure.We have applied updates to multiple chain services in line with our patching guidelines to address critical security vulnerabilities in Go stdlib and supporting dependencies. These updates also include performance tuning improvements.Memory configuration improvements for runtime components
Standardized dependency updates across chain services
Ongoing adherence to CVE patching policies
Dynamic Transaction Fee Handling#
We improved our transaction tip calculation logic for EVM-based networks. Tip values are now dynamically fetched using eth_maxPriorityFeePerGas, ensuring compatibility across chains with different baseline fee requirements.Resolves static tip issues on high-minimum-tip networks
Verified compatibility with EIP-1559 and non-EIP-1559 chains
Increases reliability and predictability of transaction inclusion
Seed Export Capability (Custody)#
We have introduced secure export functionality for wallet seeds via TrustVault:Export actions are gated by PCR (Policy Change Request) to enforce access controls.
Co-signing support is enabled via TCSS for multi-approver validation.
All exports are encrypted and auditable to support operational integrity.
Webhook and Notification Enhancements#
Webhook delivery systems were optimized to improve reliability and responsiveness:Webhooks now execute in parallel with a 30-second max per call
Global timeout extended to 60 seconds
New subscription type added to support seed export notifications
Role and Access Management Updates#
Internal access policies were refined to enhance operational governance:Escalation flows updated for developer and admin access levels
Co-signing requirements expanded for sensitive operational actions
Infrastructure & Compliance Controls#
We transitioned to AWS WAFv2 for improved edge protection and consistency:Region-based rate-limiting updated in line with AWS standards
IP-level blocking aligned with compliance jurisdiction restrictions
Additional hardening applied for common web-layer vulnerabilities
Modified at 2026-05-06 12:51:46
