Compliance, end-to-end. Built into every engagement.
Stobox has operated in regulated digital-asset markets since 2018. Every engagement is structured around licensed infrastructure, independent legal counsel, and institutional custody — so token programs stand up to regulatory scrutiny from day one.
Five regulatory pillars. One engagement.
Every Stobox token program rests on the same five pillars — regulatory framing, data protection, security posture, third-party audits, and institutional custody. None of them are optional. None of them are bolted on after launch.
SEC, FINRA & MiCA aligned
Token programs are structured under the appropriate regulatory regime and distributed by licensed counterparties. Stobox itself is not a registered broker-dealer, fund manager, or investment adviser.
- SEC Regulation D 506(b) & 506(c) · Reg S · Reg A+
- FINRA broker-dealer network — tZERO, Entoro, Silicon Prairie
- EU MiCA & MiFID II compliance layer for European programs
- ADGM, DIFC, QFC, BVI, Cayman jurisdictional structures
GDPR applied globally
Stobox applies GDPR-grade data protection to all client and investor data, regardless of jurisdiction. Data minimisation, purpose limitation, and retention policies are documented per engagement.
- KYC documents stored by Sumsub under its own regulatory framework
- Stobox receives verification status — not raw KYC files
- Stobox DID keeps personal data off-chain by design
- Detailed processing terms in the Privacy Notice
Institutional infrastructure
Stobox integrates institutional-grade partners across custody, identity, and oracle infrastructure — each operating under its own certified regulatory framework.
- Fireblocks — SOC 2 Type II · ISO 27001 MPC custody
- Sumsub — biometric KYC · sanctions · PEP screening
- Chainlink — industry-standard oracle network
- Arbitrum One — Ethereum L2 with public verifiability
Compliance enforced on-chain
STV3 enforces transfer restrictions, jurisdiction blocklists, and lockup periods at the smart-contract level. Non-eligible transfers are rejected on-chain, before settlement — not flagged after the fact.
- Transfer restrictions & whitelisting at the protocol layer
- EIP-2535 Diamond Standard — upgradeable without reissuance
- Multi-sig wallet controls on all critical operations
- Role-based access & auditable change history
Independently audited
The STV3 protocol is independently audited by specialist blockchain security firms. Audit reports are available to institutional counterparties and qualified reviewers under NDA.
- Automated vulnerability scanning & manual code review
- Formal verification on critical compliance functions
- Live activity verifiable on the Stobox Dune Dashboard
- Reports available on commercial engagement — request access
Stobox is not a BD
Stobox does not solicit, offer, or sell securities. Token offerings are structured and distributed by FINRA-licensed broker-dealers under separate regulatory authority.
- No solicitation or offer of securities by Stobox
- No custody of investor funds or securities
- No participation in secondary market transactions
- Independent legal counsel for every token program
What Stobox is. And what it isn't.
Clarity on scope is the foundation of a regulated engagement. Stobox provides the first seven services listed below and does not provide the seven that follow them. Licensed third parties cover everything else.
- Engagement management — end-to-end coordination of the 7-stage tokenization program
- Financial architecture — token economics, capital structure, investor return modeling
- Legal coordination — managing independent external counsel through to delivery
- Compliance architecture — KYC/AML design, transfer restriction rules, eligibility matrices
- Technology platform — STV3 smart contract protocol and Stobox 4 platform deployment
- Distribution introductions — warm intros to FINRA broker-dealers and ATS partners
- Post-launch operational support — platform hosting, compliance monitoring, infrastructure
- Broker-dealer services — offerings are structured and distributed by licensed broker-dealers
- Legal advice — legal structuring is delivered by independent third-party counsel
- Investment advice — Stobox does not advise on investment suitability, selection, or allocation
- Fund management — Stobox does not manage client assets or investor funds
- Custody of funds or securities — digital asset custody handled by Fireblocks under separate agreement
- Solicitation of securities — Stobox does not solicit, offer, or sell securities on its own account
- Secondary market transactions — Stobox takes no part in secondary trading of client tokens
We work within the rules of every market we touch.
Every Stobox engagement is structured around the regulatory regime applicable to the asset, issuer, and investor base. Common frameworks below — additional jurisdictions are assessed during the Pre-Qualification Audit.
- SEC Regulation D (506(b) and 506(c))
- SEC Regulation S (non-US investors)
- SEC Regulation A+ (mini-IPO — up to $75M)
- FINRA broker-dealer network — tZERO, Entoro, Silicon Prairie
- Delaware and BVI entities for US offerings
- MiCA (Markets in Crypto-Assets Regulation) compliance layer
- Assetera EU-regulated exchange distribution
- GDPR data protection applied across all processing
- Cyprus, Luxembourg, Ireland entity structures
- MiFID II coverage for security token programs
- MENA — ADGM, DIFC, QFC frameworks (UAE, Qatar, Bahrain)
- Asia-Pacific — Mauritius CAT III, Singapore structures
- LATAM & Africa — case-by-case jurisdictional strategy
- Cross-border compliance mapped during Stage 2
- Eligibility matrices reviewed per offering
Stobox itself is not a licensed broker-dealer, fund manager, or investment adviser in any jurisdiction. Regulated activity within each program is carried out by the appropriate licensed counterparty — broker-dealers, legal counsel, custodians, and exchanges.
The licensed counterparties behind every engagement.
Stobox integrates institutional-grade partners for custody, identity, distribution, and settlement. Each relationship is established and contractual — not directory-listed. Client programs inherit these integrations on day one.
Institutional MPC custody. Wallet policies, transaction approvals, and settlement infrastructure run under a direct Fireblocks enterprise agreement per client.
Identity verification, document review, biometric checks, and global sanctions lists. KYC results feed the Stobox DID identity layer and on-chain eligibility rules.
Price feeds, proof-of-reserves, and external data attestations. Used for automated on-chain distributions and asset-backed token validation.
Warm introductions to FINRA broker-dealer partners for US Regulation D and Regulation S offerings. Each introduction inherits Stobox's existing BD relationships.
EU-regulated digital asset exchange for European token distribution and listing. Covered under the MiCA compliance layer in the Stobox engagement.
All legal work is executed by independent law firms under direct engagement. Stobox coordinates but does not provide legal advice.
Public infrastructure. Verifiable activity.
Stobox-deployed token programs run on public blockchains with transparent data. Compliance rules are enforced on-chain — not through opaque off-chain processes.
Arbitrum One mainnet
STV3 smart contract protocol deployed on Arbitrum One, an Ethereum Layer 2 with public block explorers and open verification. Compliance rules, transfer restrictions, and distribution logic are enforced on-chain automatically.
Stobox Dune Dashboard
Full asset and activity data for Stobox-deployed programs is publicly available on Dune Analytics — no login, no gate. Anyone can query token holders, transfers, distributions, and aggregate TVL.
Independently audited
The STV3 protocol has been independently audited. Audit reports are available under NDA to institutional counterparties and qualified reviewers as part of a commercial engagement.
Fireblocks wallet attestation
Client program custody is provided via Fireblocks MPC. Wallet addresses and policy configuration can be attested to directly by Fireblocks under the client's enterprise agreement.
Who you contract with.
The Stobox group operates through distinct registered entities. Engagements are contracted with the relevant entity depending on the jurisdiction and scope of service.
Client data is handled under formal frameworks.
GDPR applied globally
Stobox applies GDPR-level data protection standards to all client and investor data, regardless of jurisdiction. Data minimisation, purpose limitation, and retention policies are documented per engagement.
KYC data handled by Sumsub
Identity verification data (documents, biometrics, sanctions results) is collected and stored by Sumsub under its own regulatory framework. Stobox receives verification status, not raw KYC documents.
Stobox DID — user-owned identity
The Stobox Decentralized Identity (DID) layer gives investors a portable identity credential they control. On-chain eligibility is checked against the DID without exposing personal data on-chain.
Privacy Notice
Detailed information on data collection, processing, sharing, and user rights is available in the Privacy Notice. Data protection inquiries can be sent to privacy@stobox.io.
Pick your path. We’ll meet you there.
Stobox Compass
AI-powered RWA readiness tool. Run an unlimited screener, score your asset in 10 questions, and on Pro+ generate a consulting-grade AI report — without a sales call.
Private engagement call
For asset owners ready for end-to-end tokenization. CEO-led discovery, a written Pre-Qualification verdict, and engagement scoping. No commitment to proceed.