Non-custody

Why JoPay cannot touch your money. Labs holds no user keys and no session keys — funds flow through immutable forward-only contracts.

In one line

Labs holds nothing. No user wallet key, no session key, no signing authority over merchant or payer funds. Payments flow from the payer's wallet through an immutable forward-only contract to the merchant's wallet. JoPay the app only observes and indexes.

This is stronger than "we won't touch your funds". It's structurally impossible for JoPay to touch them — even a full JoPay infrastructure compromise does not put your money at risk.

Two things called "JoPay"

Internally, JoPay is split into two clearly separated pieces. Understanding the split is the key to understanding the non-custody claim.

What it isWhat it can do to your money
The ProtocolTwo immutable Solidity contracts (PaymentPostboxImpl and PaymentPostboxFactory). MIT-licensed. Deterministic CREATE2 addresses, same on every chain. No admin, no upgrade path, no pause switch.Receives stablecoin from the payer; forwards it to the merchant's address. That's the entire function. Cannot be reprogrammed. Cannot redirect.
Labs (the Interface)The app, the pay page, the merchant dashboard, the emails, the database. Operated by JoPay BV.Nothing. Labs creates payment requests, shows pay pages, observes the chain, stores records. No key held at Labs can move merchant or payer funds.

When the pay page or this documentation says "JoPay" without qualification, it means Labs — the interface you interact with. The Protocol sits underneath and is unowned-by-anyone on-chain.

How a payment actually flows

A payment is a straight line from payer to merchant. The Protocol is the pipe; Labs is the label on the outside of the pipe.

1. Labs computes a unique postbox address for the request
   (deterministic via CREATE2 — same inputs → same address).

2. Pay page displays the amount + the postbox address.

3. Payer's wallet sends stablecoin to the postbox address.
   (Payer signs; their own wallet broadcasts the transaction.)

4. Anyone — typically a permissionless keeper bot — calls claim()
   on the postbox. The postbox contract atomically forwards
   balance − 0.01 USDC (keeper fee) to the merchant's wallet.

5. Labs observes the on-chain transfer and marks the request
   verified.

Labs signs nothing at steps 3, 4, or 5. The funds never pass through any Labs-controlled address.

What Labs holds (and what it doesn't)

Every key and credential the app touches, sorted by whether it could affect your money:

Does Labs hold…AnswerWhy
A key to any user wallet?No.Merchants own their own wallets — either a Sequence embedded wallet (MPC-split between Sequence infra and the user's session) or an external wallet the merchant brought. Labs has no share in either.
A session key on any user wallet?No.v1 uses two native delegation paths: Sequence WaaS users sign a native SessionPermissions / ExplicitSession on their own wallet; external wallets (Safe, Coinbase SW, MetaMask Delegator, EIP-7702 EOAs) sign an ERC-7715 grant to a public executor contract. Both are held by the user's wallet, not by Labs. There is no KMS-resident JoPay signer.
Authority to initiate transfers of user funds?No.There is no server-side code path that signs a user transaction. Every fund-moving signature comes from the user's own wallet.
A keeper EOA that calls the Protocol?Optionally, yes.A permissionless keeper bot can call claim() to forward postbox balances to merchants. Anyone can run a keeper — the address is compile-time constant, the fee (0.01 USDC) is capped in the contract, and the keeper cannot redirect funds anywhere except the pre-set merchant address. If Labs' keeper goes offline, any third party can claim instead. The keeper is not custody.
Its own treasury / operating cash?Yes.JoPay BV runs a Safe multisig for its own operating costs. It is separate from any user wallet and has no authority over user funds.
Operational infrastructure (DB, RPC keys, email secrets)?Yes.Standard app-level secrets. None of them can move user funds — they grant access to reading the chain, sending emails, and writing to the JoPay database.

What happens in a worst-case compromise

If an attacker fully compromised Labs — Vercel account, KMS, database, email, everything — what could they do to merchant funds?

Nothing, without also compromising two other independent parties.

  • Merchant funds sit in wallets keyed to the merchant's own signer. The attacker would need to compromise Sequence (for WaaS merchants) or the merchant's external wallet (for self-custody merchants) in addition.
  • For Sequence WaaS merchants specifically: Sequence's MPC architecture splits the signing key between Sequence infra and the user's active session. The attacker would need to compromise Sequence and the user's live session.
  • The Protocol contracts are immutable and have no admin. A Labs compromise cannot change their behaviour, pause them, or upgrade them.
  • Pending payments at compromise time are already in transit from payer to postbox; the postbox is forward-only to the merchant. Attacker has no path to redirect them.

Three independent custodians (Labs + Sequence + user session) is better than the typical single-custodian model of traditional payment platforms.

Why this matters for the legal posture

The non-custody claim is the basis for JoPay operating as a software vendor rather than a payment service provider. It is why no EMI licence, no PSD2 licence, and no CASP registration are required for the Interface. Keeping it true at the architecture level — not just in marketing copy — is the company's most important engineering invariant.

If you spot a feature description or UI that implies JoPay holds, processes, or moves user funds, flag it — that framing drifts from product reality and has regulatory consequences.

What next?

Grants & delegation

The engineering primitive behind this claim: how your wallet authorizes JoPay-coordinated actions without giving up a key.

Security

Threat model, isolation boundaries, and infrastructure security.

Overview

The instruction-only payment rail in 60 seconds.

Fees & economics

Who pays what, and how the keeper fee works.

Embedded wallets (WaaS)

How Sequence MPC keeps merchant keys split from both Labs and from itself.