This chapter describes the technical implementation of the ecrop platform and provides developers and system architects with initial information about architecture, interfaces, and security mechanisms. It serves as a technical overview for platform integration and operation.

Crypto Securities Register

The crypto securities register is the heart of the ecrop platform and forms the technical foundation for issuing, registering, transferring, and managing crypto securities according to eWpG. It ensures secure, transparent, and efficient processing of all transactions and compliance with regulatory requirements. The register is based on a decentralized, tamper-proof database (Distributed Ledger Technology - DLT) that documents all transactions and ownership relationships transparently and traceably. Smart contracts enable process automation and secure custody of securities.

Technical Architecture: Decentralization and Security

The ecrop crypto securities register is based on a multi-layered, cloud-native architecture that enables secure, transparent, and scalable management of crypto securities according to eWpG. The architecture includes these core components:
  • A Private Permissioned Blockchain based on Hyperledger Besu operated by a network of decentralized validators.
  • A redundant and encrypted database (PostgreSQL) storing off-chain data.
  • A secure REST API with JWT-based authentication and authorization for programmatic access to register functions.
  • Secure and encrypted communication channels (TLS 1.3) between all components.
The architecture is modularly designed and enables flexible adaptation to individual customer needs. It ensures compliance with regulatory requirements of eWpG and eWpRV, particularly regarding data protection and security.

Register Components: Functionality in Detail

Each crypto securities register component fulfills a specific function:
  • Hyperledger Besu: Hyperledger Besu is an open-source Ethereum client providing core blockchain functionality. It enables smart contract execution, transaction management, and new block creation. ecrop uses Besu’s enterprise features to meet financial sector requirements.
  • Private Permissioned Blockchain: The Private Permissioned Blockchain forms the decentralized network managing crypto shares. Network access is restricted to authorized participants to ensure register security and integrity. Validators are selected according to strict criteria and subject to continuous monitoring. The consensus mechanism is designed for efficiency and security.
  • Smart Contracts: Smart contracts are written in Solidity and implement business logic for crypto share management. They enable automated transaction execution, share transfers, dividend distributions, and other functions. Smart contracts are immutable and ensure transaction integrity to restrict crypto share transfers and ensure regulatory compliance.
  • PostgreSQL Database: The relational database (PostgreSQL) stores all off-chain data, such as master data of issuers and crypto securities, user data, audit trails, configuration data, and transaction details. The database is redundantly designed (Multi-AZ, geographically redundant) to ensure highest availability and fault tolerance. It operates in the secure and scalable AWS Cloud and is protected by firewalls, industry-standard encryption (AES-256), and role-based access controls (RBAC). Regular backups and a disaster recovery plan provide additional data security and ensure regulatory compliance. (Reference: eWpG, eWpRV, data protection regulations, database best practices, AWS documentation)
  • REST API: The REST API enables secure and efficient access to register functions and provides developers with a standardized interface for integration with other systems. The API is versioned, comprehensively documented, and offers developers simple integration capability. Documentation contains detailed descriptions of all endpoints, parameters, data types, and return values, plus code examples in various programming languages. The API supports JSON as data exchange format and uses JWT-based authentication and authorization to ensure data transmission security. API integration enables process automation and seamless connection to existing systems. (Reference: eWpG, eWpRV, REST API design principles, JWT standard)

Security Architecture: Protection at All Levels

The crypto securities register’s security is of utmost importance. ecrop employs a multi-layered security architecture ensuring protection at all levels:
  • Multi-layered Security Architecture: Security measures encompass all system levels, from network through applications to data. This ensures comprehensive protection against various threat types.
  • Access Controls: Register access is strictly controlled based on the need-to-know principle. Role-based access controls (RBAC) ensure only authorized users can access sensitive data and functions. Additionally, multi-factor authentication (MFA) is used for critical operations. The four-eyes principle applies to particularly sensitive procedures.
  • Encryption: All data is encrypted during both transmission and storage. TLS 1.3 is used for transmission, AES-256 for storage. Keys are managed in Hardware Security Modules (HSMs).
  • Regular Security Reviews: ecrop conducts regular security reviews to identify and remediate vulnerabilities. This includes penetration tests, security audits, and vulnerability scans. Review results are documented and incorporated into continuous security measure improvement.
  • Incident Response Plan: ecrop has defined a clear incident response plan for handling security incidents. This plan includes security incident identification, cause analysis, countermeasure implementation, and communication with affected stakeholders.

Data Model: Structure and Relationships

The crypto securities register’s data model is relational and based on PostgreSQL database. It includes both on-chain and off-chain data and ensures linkage between these data.
  • Relational Data Model: Data is stored in tables connected through relationships. This enables efficient data querying and management.
  • Linking On-Chain and Off-Chain Data: On-chain data (e.g., transaction hashes) is linked with off-chain data (e.g., issuer and crypto share master data) via unique IDs. This ensures data integrity and consistency.
  • Detailed Description of Table Structure and Data Fields: Documentation contains detailed description of table structure and data fields including data types, constraints, and relationships. (ER diagram)

API & Integration: Developer Interface

The crypto securities register’s REST API enables secure access to register functions and provides developers with simple integration capability:
  • Endpoints: API documentation contains complete description of all API endpoints with function descriptions, parameters, data types, and return values.
  • Authentication: The API uses JWT-based authentication and authorization via API keys. Documentation contains detailed description of authentication process and code examples for authentication in various programming languages.
  • Examples: Documentation contains code examples for API integration in various programming languages and use cases, e.g., crypto security issuance, crypto security transfer, and transaction data querying.

Compliance Features: Security and Transparency

The crypto securities register contains various compliance features to ensure regulatory requirement adherence:
  • Audit Trail: The register logs all transactions and register changes in detail, tamper-proof and immutably in an audit-proof trail. Logs can be exported for audit purposes and comply with GoBD requirements. The audit trail enables complete traceability of all register operations and serves as evidence in disputes or regulatory investigations.
  • Reporting: The register enables automated creation of standardized and individual reports for issuers, investors, and supervisory authorities. Reports can be flexibly adapted to individual requirements and contain all relevant information, such as holdings overviews, transaction histories, and compliance data. Reports are provided in machine-readable format and can be retrieved via API.
  • Controls: The register contains integrated control mechanisms to ensure compliance with regulatory requirements, particularly eWpG, eWpRV, and GwG. This includes automated verification of KYC/AML requirements, transaction data validation, and issuance volume monitoring.