Operating the keys to a better financial future

Clavestra Orbital – White Paper on Federated Custody

Clavestra´s Federated Digital Asset Custody

Version: 1.0
Date: March 2026
Classification: Confidential — For Regulatory Review
Prepared by: Clavestra Capital Holdings Ltd (Malta, C113811)

1. Executive Summary

Clavestra Orbital is a digital asset custody service provider headquartered in Lugano, Switzerland. The company provides secure storage of Bitcoin and USD-denominated stablecoins for licensed financial service providers, payment processors, and institutional clients.

Clavestra operates a federated custody model in which multiple independent parties (“guardians”), located in different legal jurisdictions, collectively hold client assets using threshold cryptography. No single guardian can access or move client funds alone. A supermajority — for example, 7 out of 10 guardians — must approve any transaction.

This model eliminates single points of failure, distributes jurisdictional risk, and provides institutional-grade security while maintaining full regulatory compliance at all entry and exit points.

Clavestra is seeking SRO membership through VQF (Verein zur Qualitaetssicherung von Finanzdienstleistungen) as the first step in its regulatory licensing strategy, with a Gibraltar DLT Provider License planned as Phase 2.

The company does not issue tokens, operate an exchange, or provide lending services. Clavestra is a custody service provider — comparable to a vault service for digital assets.

2. Problem Statement

The digital asset custody market faces two structural problems that leave institutional clients underserved.

2.1 Single Custodian Risk
Traditional digital asset custodians operate as a single entity in a single jurisdiction. All client assets are held by one company, secured by one set of cryptographic keys, under one legal framework.

If that custodian fails — through insolvency, security breach, or regulatory action — all client assets are at risk. Recent examples demonstrate this is not theoretical:

  • FTX (2022): Approximately $8 billion in client assets lost through custodian mismanagement and fraud.
  • Celsius Network (2022): Client assets frozen and subject to lengthy bankruptcy proceedings under a single jurisdiction.
  • Mt. Gox (2014): 850,000 Bitcoin lost through a single security breach at a single custodian.

In each case, the root cause was the same: concentration of custody in a single entity, a single jurisdiction, with a single point of failure.

2.2 Self-Custody Complexity

The alternative — clients managing their own cryptographic keys — introduces unacceptable operational risk for businesses and institutions:

  • Loss of private keys results in permanent, irrecoverable loss of funds.
  • No consumer protection or legal recourse.
  • Key management requires specialized technical expertise.
  • Insurance coverage is difficult or impossible to obtain.
  • Regulatory compliance burden falls entirely on the client.
  • For payment processors, fintech companies, and financial institutions, self-custody is not a viable solution.

2.3 The Gap
The market lacks a custody model that combines the security of distributed key management with the professional governance and regulatory compliance that institutional clients require.

Clavestra Orbital addresses this gap.

3. The Clavestra Custody Model

3.1 How It Works

Clavestra operates a federation of independent guardian operators. Each guardian is a registered legal entity operating servers in a specific jurisdiction. Together, these guardians collectively secure client assets.

The process:

Deposit: A client deposits Bitcoin or stablecoins through KYC-verified channels. The client’s identity is verified before any funds enter the system.

  • Distributed Storage: The deposit is secured by splitting the cryptographic key material across all guardian servers using threshold cryptography. No single guardian holds a complete key.
  • Transfer: Authorized transfers between verified accounts are processed when the required threshold of guardians approve the transaction.
  • Withdrawal: The client withdraws funds through KYC-verified channels. A full audit trail is generated for every withdrawal.

3.2 Threshold Cryptography

Threshold cryptography is a well-established cryptographic method in which a minimum number of parties (the “threshold”) must cooperate to perform any operation.

In Clavestra’s implementation:

The federation consists of 10 independent guardians. A minimum of 7 guardians must approve any transaction (7-of-10 threshold). No combination of 6 or fewer guardians can access or move client funds. Each guardian holds one key shard that is mathematically useless on its own.

This means:

If 1-3 guardians go offline, the system continues to operate normally. If a single guardian is compromised, client funds remain secure. An attacker would need to simultaneously compromise 7 independent servers in at least 4 different countries to access any funds.

3.3 What Clavestra Is NOT

To avoid any ambiguity:

  • Not a blockchain. Clavestra does not operate a public blockchain or distributed ledger.
  • Not an exchange. Clavestra does not facilitate trading between users.
  • Not a token issuer. Clavestra does not create, issue, or sell any tokens or cryptocurrencies.
  • Not a lending platform. Client assets are never lent, staked, or rehypothecated.
  • Not a mining operation. The term “mining” is not used in our operations. We provide custody, not asset creation.


Clavestra is a custody service provider that holds client assets securely and processes authorized deposits and withdrawals.

4. Governance Model

4.1 The Guardian Network. Each guardian in the Clavestra federation meets the following requirements:

  • Legal entity: Each guardian must be a registered company in its operating jurisdiction
  • Independent operation Guardians operate independently — no shared infrastructure or personnel
  • We strive for jurisdictional diversity – No three guardians in the same legal jurisdiction (where possible)
  • Technical capacity: Dedicated server infrastructure meeting minimum security standards
  • Compliance Adherence to the federation’s governance charter and operational procedures


4.2 Decision-Making

All significant operations require supermajority consensus:

Action Threshold Required

  • Process a client withdrawal 7 of 10 guardians
  • Onboard a new guardian 7 of 10 guardians
  • Remove a guardian 7 of 10 guardians
  • Update federation parameters 7 of 10 guardians
  • Emergency shutdown 7 of 10 guardians

No single guardian, no single jurisdiction, and no single person — including Clavestra’s own directors — can unilaterally move client funds.

4.3 Defined Roles


Role Responsibility

Guardian Operator Maintains server infrastructure, participates in threshold signing

  • Federation Coordinator Clavestra Orbital GmbH — coordinates operations, manages client onboarding
  • Compliance Officer Oversees KYC/AML compliance, transaction monitoring, suspicious activity reporting
  • Money Laundering Reporting Officer (MLRO) Designated individual responsible for AML reporting obligations

5. Jurisdictional Structure
5.1 Corporate Structure
Clavestra Capital Holdings Ltd (Malta, C113811) — Parent company
Directors: Vincent Soons (CEO), Luuk Soons (CSO)
└── Clavestra Orbital GmbH (Lugano, Switzerland) — Operating entity
Directors: Vincent Soons (CEO), Bas Soons (CTO), Luuk Soons (CSO)

5.2 Guardian Jurisdictions

Guardian Jurisdiction Purpose

  • Guardians 1-2 Switzerland Operating base – Clavestra Orbital GmbH
  • Guardian 3 Switzerland (St. Gallen) Independent operator (CTO’s company)
  • Guardian 4-5 Malta company jurisdiction – Clavestra Capital Ltd
  • Guardians 5-7 Malta company jurisdiction – Clavestra Digital Ltd
  • Guardians 7-8 Gibraltar company jurisdiction – Clavestra Gibraltar Ltd
  • Guardians 9-10 USA company – CLVSTRA Guard USA

Future partner operator partners could acquire a guardian seat in the federation for maximum jurisdictional and operational benefits. We strive for more jurisdictional diversification in the future.

5.3 Jurisdictional Design Principles

  • All guardian jurisdictions are OECD-recognized, FATF-compliant.
  • Mission: No single jurisdiction controls a majority. Even if all Swiss guardians were ordered to cease operations, the remaining 7+ guardians continue to operate and protect client assets.
  • MLAT compatibility. The jurisdictional structure is designed to cooperate with Mutual Legal Assistance Treaty requests through proper legal channels. Independent legal counsel in each guardian jurisdiction.

6. Client Protection

6.1 Asset Security – Protection Mechanism

  • Threshold custody 7 of 10 guardians must approve any fund movement
  • Key segregation Each guardian holds only one key shard — useless alone
  • Geographic distribution Guardians across 5+ jurisdictions
  • No rehypothecation Client assets are never lent, invested, or pledged

6.2 Cryptographic Proof of Reserves

Clavestra provides continuous, cryptographic proof that client assets are fully backed:

  • The federation can generate a mathematical proof at any time showing that total holdings are greater than or equal to total client liabilities.
  • This proof is verifiable by any third party (auditor, regulator, client) without requiring access to the federation’s internal systems.
  • Individual client balances are not revealed in the proof — client privacy is preserved while solvency is demonstrated.

This is functionally equivalent to a continuous, real-time audit of reserves.

6.3 Audit Trail

Every action in the system produces a complete, tamper-evident audit trail:

Timestamp, action type, actor, amount, source, destination
Authorization details (which guardians approved)
Consensus confirmation from the guardian network
Exportable in standard formats for regulatory review

6.4 Fee Transparency

  • Published fee schedule available to all clients before onboarding
  • No hidden charges
  • Transaction fees, custody fees, and currency conversion spreads clearly documented


7. Compliance Framework
7.1 KYC/AML at Entry and Exit Points

All deposits into and withdrawals from the Clavestra federation are gated by Know Your Customer (KYC) and Anti-Money Laundering (AML) verification:

Checkpoint Verification

  • Client onboarding Full KYC: identity documents, address verification, beneficial ownership
  • Deposit Source of funds verification, sanctions screening
  • Withdrawal Destination verification, enhanced due diligence for high-value transactions
  • Ongoing Continuous transaction monitoring, periodic client review

7.2 Anti-Money Laundering (AML) Compliance

Risk-based approach:

Client risk assessment at onboarding and periodic review

  • Transaction monitoring: Automated detection of suspicious patterns (structuring, rapid succession, threshold avoidance)
  • Suspicious Activity Reporting (SAR): Procedures for filing reports with relevant Financial Intelligence Units
  • Sanctions screening: Real-time screening against OFAC, EU, UN, and Swiss SECO sanctions lists
  • Record retention: All client and transaction records retained per jurisdictional requirements (minimum 10 years under Swiss AMLA)

7.3 Travel Rule Compliance

For transfers between Virtual Asset Service Providers (VASPs), Clavestra transmits required originator and beneficiary information per, FATF Recommendation 16:

  • Swiss AMLA requirements
  • Applicable local regulations in each guardian jurisdiction
  • 7.4 Compliance Governance
  • Role Responsibility
  • MLRO Anti-money laundering reporting, SAR filing
  • Compliance Officer Policy oversight, training, regulatory liaison
  • External Auditor Independent review of AML/CFT framework

8. Risk Management

8.1 Risk Register

Risk Category Description Mitigation

  • Custodian failure A guardian operator ceases operations Threshold design — system continues with 7+ guardians
  • Security breach A guardian server is compromised Single shard is useless alone — attacker needs 7 of 10
  • Jurisdictional action A government orders seizure in one jurisdiction Assets distributed across 5+ jurisdictions — no single jurisdiction controls a majority
  • Key loss A guardian loses its key shard Encrypted backup procedures, cross-jurisdictional backup storage
  • Regulatory change New regulations affect operations Proactive licensing strategy, multi-jurisdictional presence
  • Counterparty risk A client engages in illicit activity KYC/AML at all entry/exit points, transaction monitoring, SAR procedures
  • Technology risk Software vulnerability in custody protocol Open-source codebase, security audits, bug bounty program
  • Operational risk Internal process failure Documented procedures, segregation of duties, regular testing

8.2 Business Continuity

  • The federation is designed to survive the loss of up to 3 guardians simultaneously.
  • Guardian backup procedures ensure key shards can be recovered in a disaster scenario.
  • Backups are stored in encrypted form, in different jurisdictions from the guardian they belong to.
  • No single location holds more than 2 guardian backups.

8.3 Disaster Recovery Testing

Clavestra conducts regular disaster recovery tests:

  • Simulated guardian failure and recovery
    Threshold enforcement verification (confirming transactions halt below threshold)
  • Backup restoration procedures
  • Results documented and available for regulatory review

9. Technology Overview


9.1 Architecture
Clavestra’s custody infrastructure is built on Fedimint, an open-source federated custody protocol. The protocol is publicly auditable and has been reviewed by the open-source developer community.

Component Description

  • Consensus mechanism Byzantine fault-tolerant consensus among guardians
  • Threshold signatures Cryptographic key splitting across all guardians
  • Communication Encrypted peer-to-peer communication between guardian servers
  • API RESTful API for client integration
  • Solvency verification Automated cryptographic proof of reserves

9.2 Key Technical Properties

  • Open-source: The underlying protocol is publicly available for audit and review.
  • No proprietary blockchain: Clavestra does not operate its own blockchain or distributed ledger.
  • No token issuance: The system does not create, issue, or manage any tokens or cryptocurrencies.
  • API-first: Clients integrate through a documented API, enabling automated deposits, withdrawals, and balance queries.

9.3 Security Measures

  • Measure Implementation
  • Process isolation Each guardian process runs in a sandboxed environment with minimal filesystem access
  • Encrypted communication All guardian-to-guardian communication encrypted end-to-end
  • Access control Strict access controls on guardian servers — no shared credentials
  • Monitoring Continuous uptime and health monitoring of all guardian nodes
  • Penetration testing Regular security assessments (planned)

10. Business Model
10.1 Revenue
Revenue Source Description: Custody fees Monthly fee for holding client assets securely. Transaction fees Basis points on deposits and withdrawals
Currency conversion 0.3% spread on conversions between Bitcoin and stablecoins.


10.2 Target Clients
Clavestra serves business-to-business (B2B) clients only:

  • Licensed payment processors requiring digital asset custody
  • Fintech companies building Bitcoin and stablecoin products
  • Licensed financial institutions requiring institutional-grade digital asset storage
  • Regulated Virtual Asset Service Providers (VASPs) requiring third-party custody
  • Clavestra does not serve retail consumers directly.

10.3 Key Financial Features

Corporate tax \~12% (Canton Ticino, Switzerland)
Revenue model Fee-based — no speculation, no proprietary trading
Client asset treatment Fully segregated — never commingled with company funds. Rehypothecation Prohibited — client assets are never lent or pledged

11. Team

Name Role Responsibility

  • Vincent Soons CEO \& Founder, Director (Malta + Lugano) Operations, business development, core development
  • Luuk Soons CSO \& Co-Founder, Director (Malta + Lugano) Corporate structure, security research, jurisdictional strategy, regulatory positioning
  • Bas Soons CTO \& Director (Lugano) Swiss-resident director, technical infrastructure, guardian operations. Director of established Swiss software company (St. Gallen)
  • Legal counsel: Lugano-based firm (to be engaged) External auditor: To be appointed Advisory board: To be established

12. Regulatory Strategy

12.1 Licensing Roadmap
Phase Jurisdiction License Status Target
Phase 1 Switzerland (Lugano) VQF SRO Membership In progress Q2-Q3 2026
Phase 2 Gibraltar DLT Provider License Planned 2027
Phase 3 Switzerland FINMA Crypto-Institution License Future 2027-2028

12.2 Phase 1: VQF SRO Membership
Scope: AML/CFT supervision as a financial intermediary under Swiss AMLA
Regulatory body: FINMA (via VQF Self-Regulatory Organization)
Requirements: AML/CFT policies, CDD procedures, MLRO appointment, risk assessment
Timeline: 12-14 weeks from application to membership

12.3 Phase 2: Gibraltar DLT Provider License
Scope: Full conduct regulation under 9 regulatory principles
Regulatory body: Gibraltar Financial Services Commission (GFSC)
Advantage: Application strengthened by Swiss operational track record
Timeline: 6-12 months from application

12.4 Phase 3: FINMA Crypto-Institution License
Scope: Direct FINMA supervision under new Crypto-Institution category
Context: Swiss Federal Council proposed new license categories in October 2025, expected to take effect late 2026 or early 2027
Advantage: Tailor-made for companies providing custody and trading of crypto-based assets

12.5 Compliance Test

Prior to or during the SRO application, Clavestra will conduct a documented compliance test on a 7-of-10 guardian federation, demonstrating:

  • Threshold signature enforcement (transactions fail below threshold)
  • KYC/AML verification at all entry and exit points
  • Transaction monitoring and suspicious activity detection
  • Cryptographic proof of reserves (solvency verification)
  • Guardian failure and recovery (system resilience)
  • Complete audit trail generation
  • Travel Rule data transmission
  • The test report will be submitted as supporting documentation with regulatory applications.

13. Roadmap

Phase Milestone Target

  • Complete Technical proof of concept (3/4 threshold federation) Done
  • Complete Core modules built and tested Done
  • Complete Contribution merged into open-source Fedimint protocol Done
  • In Progress Lugano GmbH incorporation April 2026
  • In Progress VQF SRO membership application April 2026
  • Planned 7/10 guardian compliance test May-June 2026
  • Planned SRO membership granted June-July 2026
  • Planned Guardian network expansion (5+ jurisdictions) H2 2026
  • Planned First client onboarding H2 2026
  • Planned Gibraltar DLT Provider License application 2027
  • Future FINMA Crypto-Institution License 2027-2028

  • Appendices (Separate Documents)
  • Appendix A: Compliance Test Report (7/10 Guardian Federation) — see compliance-test-plan.md
  • Appendix B: AML/CFT Policy Manual — to be prepared by legal counsel
  • Appendix C: Guardian Operational Charter — to be prepared
  • Appendix D: API Documentation — to be prepared

Document control & version: 1.0 March 2026 Vincent Soons, Luuk Soons Initial version. This document is confidential and prepared for regulatory review purposes. It does not constitute a public offering, investment solicitation, or financial advice.