# Security & Custody Model

<figure><img src="https://3852375146-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC86rIjDAXo1q1iymcvSV%2Fuploads%2FCFzEkTV7xprXFJR93Xeb%2FArchitecture%20Overview%20(1).png?alt=media&#x26;token=19e91e8a-4a3b-4c40-829f-67208513afb9" alt=""><figcaption></figcaption></figure>

### **Custody Boundaries**

All assets associated with wallets created or connected through **Lumexo remain under direct user custody**. **Lumexo does not hold funds, control accounts, or act on behalf of users in any execution capacity**.

Custody is enforced by design: **transactions are cryptographically signed locally by users on their own devices** and **submitted directly to the Stellar network**, without passing through **Lumexo-operated infrastructure**.

***

### **Keys Control**

**Private keys are owned and controlled exclusively by users**. Keys may be managed locally within **user-controlled environments** or **delegated to external wallet providers** selected by the user.

**Signing authority always resides with the user**. **Lumexo cannot generate signatures, initiate transactions, or modify transaction payloads without direct user approval**.

***

### **User Authorization Model**

All transaction execution is initiated through **explicit user action**. **Transaction intent and parameters are presented for review prior to signing**, ensuring that authorization is **deliberate and informed**.

There are **no background transactions, automated executions, or implicit approvals** within the system. **Each transaction requires an explicit signing event**.

***

### **Backend Trust Assumptions**

**Lumexo backend services are limited to data aggregation, indexing, and performance optimization**. They **do not participate in custody, key management, or transaction authorization**.

**All asset control and transaction settlement remain governed by the underlying network and user-controlled signing processes**.

***

### **External Wallets and dApps**

When external wallets or third-party applications are used, **Lumexo functions as a coordination and presentation layer rather than an execution intermediary**. **Transaction requests originate externally and are authorized directly by the user** through compatible signing layers.

**Lumexo does not alter protocol logic, enforce execution rules, or mediate on-chain behavior**. **Risk exposure remains constrained to the scope of user-authorized actions**.

***

#### **Security Scope**

<figure><img src="https://3852375146-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC86rIjDAXo1q1iymcvSV%2Fuploads%2FNFsrXdgwQPvpZJewtyIX%2FFrame%202087327682%20(1).png?alt=media&#x26;token=943c2958-145d-4f0d-9b99-9687b60b03d3" alt=""><figcaption></figcaption></figure>

This section defines **custody and authorization boundaries at a system level**. **Detailed cryptographic mechanisms, implementation specifics, and threat considerations** are **documented separately in the technical documentation**.

***