Roles & responsibilities
Every action in the backoffice is performed by someone in a defined role. The roles exist to enforce segregation of duties — the principle that no single person should be able to both approve and execute a sensitive action.
We have six roles.
Customer Support (CS)
The front door. CS receives requests from partners and holders, collects required documents, logs requests in the backoffice, communicates status updates, and closes out completed requests. CS does not make compliance decisions or move money — they coordinate.
Appears in: Issuance (step 1), Redemption (steps 1, 3, 8), Partner Onboarding (step 1)
Compliance (CO)
The gatekeeper. CO performs all KYC/KYB verification, AML and sanctions screening, and approval or rejection decisions. CO also triages Chainalysis alerts in the freeze alert inbox, decides whether to freeze addresses, and reviews the daily supply verification before publication.
CO is independent from operations. They never touch on-chain transactions and never move fiat. Their job is to say yes or no, with documented rationale.
Appears in: Issuance (step 2), Redemption (steps 2, 5), Partner Onboarding (step 2), Freezing Assets (decision-maker), Daily Supply Verification (sign-off)
Treasury (TR)
The fiat side. TR verifies incoming bank wires against issuance requests (matching amount, sender, and reference), initiates outgoing wires for redemptions, manages reserve allocation, and provides the daily fiat balance for supply verification.
TR never signs on-chain transactions. Their domain is the banking system.
Appears in: Issuance (step 3), Redemption (step 7), Daily Supply Verification (fiat input)
On-Chain Operator (OP)
The execution layer. OP creates mint transactions in the Safe multisig, monitors redemption addresses for incoming tokens, executes burns, and records on-chain data (transaction hashes, block numbers, finality confirmations).
OP can initiate on-chain transactions but cannot complete mints alone — every mint requires a co-signature from the Head of Operations.
Appears in: Issuance (steps 4, 6), Redemption (steps 4, 6), Freezing Assets (alerts on-chain anomalies)
Head of Operations (HO)
The co-signer and escalation point. HO is the mandatory second signer on all mint transactions (four-eyes principle). HO also executes on-chain freezes and unfreezes on Compliance's instruction, can suspend partners, and initiates internal rebalancing when needed.
HO and OP must sign from different machines, different networks, and different HSM instances. If one is compromised, the other remains secure.
Appears in: Issuance (step 5), Freezing Assets (on-chain execution), Partner Onboarding (suspension/deactivation), Daily Supply Verification (escalation)
System Administrator (SA)
Infrastructure only. SA manages access policies, monitoring and alerting configuration, network setup, and the decryption service that reads encrypted balances. SA does not participate in any operational flow — they never approve requests, sign transactions, or make compliance decisions.
Appears in: None of the operational flows directly. Supports infrastructure for all of them.
Segregation rules
These combinations are never allowed — one person cannot hold both roles:
| Rule | Why |
|---|---|
| CO ≠ OP | The person who approves must not be the person who executes on-chain |
| CO ≠ TR | The person who approves must not be the person who moves fiat |
| TR ≠ OP | The person who confirms fiat must not be the person who mints |
| OP ≠ HO | The person who initiates the mint must not be the person who co-signs |
| SA ≠ OP | Infrastructure must not execute operational transactions |
| SA ≠ CO | Infrastructure must not make compliance decisions |
Minimum staffing
The operation can run with five people:
| Person | Roles | Rationale |
|---|---|---|
| Person 1 | CS + TR | Receives requests and handles fiat — no conflict |
| Person 2 | CO + HO | Approves compliance and co-signs mints — allowed because CO decides and HO executes a different step (co-sign, not initiation) |
| Person 3 | OP | Initiates on-chain transactions — must be separate from HO |
| Person 4 | SA | Manages infrastructure — must be separate from both OP and CO |
| Person 5 | — | Third multisig key holder — no operational role, exists to satisfy the 2-of-3 multisig threshold |
This is the launch configuration. As the team grows, roles should be split further — particularly separating CO from HO into distinct people.