The RMA™ is built for the full complexity of Web3
The RMA™ certification is not a checklist. It is a structured, evidence-based audit that adapts to your organisation’s unique positioning — whether you are a DeFi protocol, an AI-integrated platform, a logistics network, or a payment infrastructure provider. Every area of the audit is designed to reflect the realities of operating in the Web3 ecosystem, where traditional compliance frameworks often fall short.
Each of the six components below is assessed by a VaaSBlock auditor. The depth of each review scales with the complexity and stage of your organisation.
Corporate Governance
The Corporate Governance component evaluates the leadership and operational frameworks that underpin a Web3 organisation. Auditors verify the entity’s legal registration and jurisdictional compliance, confirming adherence to applicable local laws and regulations. Banking history and creditworthiness are examined to confirm transparent and reliable financial practices.
In the Web3 landscape, fundraising can occur through traditional share raises and token sales. The RMA™ audit scrutinises fundraising history in full — whether capital was raised through equity or tokens — and challenges the tokenomics of any token-based raise. Auditors specifically assess vesting schedules and distribution structures that could later damage the organisation’s reputation with a broader pool of stakeholders.
Board composition, management accountability, and the independence of key leadership roles are all reviewed. The audit ensures that the legal structure aligns with the organisation’s business activities, growth stage, and operating regions. Ethical standards and business practices are assessed to reinforce the organisation’s commitment to integrity and responsible management.
Revenue Model
The Revenue Model component examines how an organisation makes — or intends to make — money, and whether that model is financially robust and sustainable over time. Auditors review all revenue streams: product sales, subscriptions, transaction fees, token sales, or other structures specific to the Web3 context.
To satisfy this component of the RMA™, organisations must provide justification that demonstrates a clear understanding of current and long-term viability, including strategies for adapting to external factors such as changing market conditions, consumer behaviour, and competitive pressure. The audit specifically questions readiness for bear and bull market cycles — critical for any product or service whose demand is market-condition dependent.
The financial controller responsible for overseeing revenue streams is identified and their controls evaluated. Auditors assess the balance between cryptocurrency and fiat revenues and scrutinise the measures in place to safeguard funds against market volatility. Where early-stage organisations rely on assets and cash reserves rather than recurring revenue, this is an acceptable and common situation — provided it is documented and understood.
Technology and Security
The Technology and Security component assesses a company’s technical infrastructure, security protocols, and operational resilience. Auditors review the overall IT architecture, blockchain integrations where relevant, and the quality, scalability, and efficiency of the codebase against industry best practices.
RMA™ does not perform smart contract audits directly, but mandates that projects have undergone rigorous third-party security assessments — such as those conducted by Hashlock or Certik. VaaSBlock auditors then review these results within the broader technical and business context of the organisation. Projects holding certifications such as SOC2 or ISO 27001 are strongly encouraged to submit these credentials; established industry certifications are viewed favourably and typically reduce the volume of additional information auditors need to gather.
The audit examines encryption protocols, multi-factor authentication, secure key management, and incident response strategies. Risk and crisis management practices are reviewed, including any active bug bounty programmes that incentivise responsible vulnerability disclosure. Organisations that demonstrate both technical rigour and adaptive security practices reinforce their credibility with users, investors, and exchange partners.
Planning and Transparency
The Planning and Transparency component assesses how an organisation manages its day-to-day workflow and prepares for the unexpected — including the specific operational risks of the Web3 ecosystem. Auditors review the company’s project management frameworks, organisational charts, and tooling. Visual documentation such as Kanban board snapshots or workflow diagrams helps demonstrate how tasks are created, tracked, and completed.
A critical aspect of this evaluation is crisis readiness. RMA™ auditors assess the robustness of crisis management strategies, including clearly defined roles and responsibilities during emergencies. This includes reviewing customer communication templates for scenarios such as data breaches, and evaluating whether the organisation conducts regular drills and simulations to test its response capability without compromising service quality or security.
Transparency in operational execution is given equal weight to the existence of structured plans. Organisations that can demonstrate both are confirmed as well-prepared to maintain continuity and stakeholder trust — even under significant disruption.
Team Proficiency
The Team Proficiency component evaluates the personnel who are responsible for executing the business model today and scaling the organisation into the future. Auditors review the backgrounds of founders, executives, and core team members, verifying that professional histories align with the project’s stated objectives and demonstrate a relevant track record.
A particular focus is commitment. RMA™ auditors scrutinise whether founders and departmental leaders are fully engaged — and whether there are any structural or behavioural signals that key personnel may disengage prematurely, which is a recognised risk in the Web3 space. Educational qualifications and practical experience are assessed alongside the capacity to grow within a rapidly evolving industry.
Beyond CVs and LinkedIn profiles, auditors conduct in-depth interviews and reference checks to understand each individual’s capabilities and dedication. Advisor backgrounds and the substance of their involvement are also evaluated. A team that is genuinely qualified and demonstrably committed significantly strengthens investor and stakeholder confidence in the long-term viability of the organisation.
Results Delivered
The Results Delivered component assesses an organisation’s track record of achieving its goals and honouring its commitments. Auditors review key performance indicators, project milestones, and the measurable impact of the organisation’s products or services. Metrics such as user adoption rates, transaction volumes, code release cadence, and community engagement are analysed against stated expectations.
RMA™ acknowledges that targets are not always met — and does not treat this as an automatic disqualifier. What matters is that the organisation can explain what was learned from both hitting and missing targets, and that any adjustments made are logical and justified. Honesty about performance is treated as a signal of organisational maturity.
A central focus is on validating claims made during fundraising, partnership announcements, and public marketing. Auditors verify that the company has followed through on promises to stakeholders — whether meeting revenue targets, delivering product milestones on schedule, or securing the partnerships it announced. The frequency and reliability of code releases is also examined, as regular updates without causing system downtime are a strong indicator of platform stability and team discipline.
Finally, auditors assess the organisation’s partnership track record, with preference given to companies that form alliances with established, reputable businesses. The structure of responsibility for managing those partnerships is reviewed to understand whether strategic relationships are being actively maintained and leveraged for long-term growth.
