Private Key Management

The most valuable things in the blockchain space are your private keys. A private key is what determines how much cryptocurrency you control and what you can spend. If you lose your private keys, or they are compromised, you will never get your funds back. The most important part of working with cryptocurrencies and blockchains is therefore the secure management of your private keys.

There are 4 options for how Tatum handles the private keys of blockchain addresses:

  • sending private keys or mnemonic seeds to the Tatum API directly. This is not recommended for a production environment and should be used only on a testnet. Tatum never stores any private keys or mnemonic seeds.

  • using the Tatum library (JavaScript or Java) to create wallets and sign transactions locally on your back end.

  • using Tatum KMS, an external tool that securely generates and stores private keys and uses them to sign transactions locally. This is the safest and recommended way of working with private keys. Tatum KMS should be installed in a Deny-From-All environment to meet the highest security standards. Private keys can be stored locally or in AWS HSM or Azure HSM. Tatum KMS communicates only with the Tatum API, to fetch the list of pending transactions to sign. After signing a transaction and broadcasting it to the blockchain, it marks the pending transaction as complete and records the ID of the broadcast transaction. It supports a four-eyes control mechanism, in which pending transactions are checked both in Tatum and in the customer's own system.

  • using the Tatum Middleware Docker image as a proxy and local signing tool. All API calls are made against Tatum Middleware; those that carry private keys are processed locally, and no sensitive information is passed to Tatum.