Warm and cold custody are different models for controlling access to private keys and transaction signing.
In institutional custody, the distinction is important because it affects operational speed, governance, signing availability, and the control model used to authorise asset movements.
The exact custody model available to an organisation depends on its Bitpanda Enterprise Custody setup and agreed service configuration.
Warm custody
Warm custody is designed to support controlled transaction signing while maintaining strong security and governance controls.
In a warm custody model, signing workflows may be available through configured operational processes, user roles, approval workflows, and custody infrastructure. This can support organisations that require regular or time-sensitive asset movements while still applying institutional controls.
Warm custody may be suitable where an organisation needs:
- Operational access to transaction signing
- Defined approval workflows
- Quorum-based authorisation
- Controlled user permissions
- Auditability of custody activity
- Support for recurring treasury or operational flows
Warm custody does not mean that private keys are exposed to users. Users interact through approved interfaces and workflows rather than directly handling private keys.
Cold custody
Cold custody is designed to provide a more restrictive operating model for private key use and transaction signing.
Cold custody typically places greater emphasis on reduced signing availability, controlled operational procedures, and stronger separation from day-to-day transaction activity.
Cold custody may be suitable where an organisation prioritises:
- Long-term asset holding
- Reduced signing frequency
- Strong procedural controls
- Additional governance around key lifecycle and transaction activity
- Separation between operational access and key use
- Enhanced control over exceptional or high-value movements
The specific cold custody process, availability, and operational requirements depend on the organisation’s custody setup.
How should organisations choose between warm and cold custody?
The appropriate model depends on the organisation’s operational requirements, risk appetite, asset flows, and governance model.
Organisations should consider:
- How frequently assets need to move
- Who is authorised to create and approve transactions
- Whether transaction activity is regular or exceptional
- The level of internal governance required
- The importance of signing availability
- Audit, compliance, and control expectations
- Integration requirements, where applicable
- Internal escalation and incident response processes
Some organisations may use different custody models for different assets, wallets, operational flows, or risk profiles.
Does cold custody mean assets cannot move?
No. Cold custody does not mean assets cannot move.
It means that asset movement is typically subject to a more controlled or restrictive process. This may involve additional operational steps, longer lead times, or more formal governance requirements depending on the setup.
Users should follow the agreed operational process for the relevant custody model.
Are private keys exposed in either model?
No. Private keys are not exposed to users through BE Custody Web or the Bitpanda Custody iOS app in normal custody workflows.
Both warm and cold custody models are designed to protect private keys while allowing authorised activity to take place through controlled processes.
Why are some details not described publicly?
Detailed information about custody architecture, signing flows, key lifecycle procedures, and infrastructure controls may be sensitive.
Public Help Centre articles provide high-level guidance only. More detailed information may be shared through approved commercial, legal, security, compliance, or due diligence review channels where appropriate.