Thanks! Currently we only support full custodial wallets(users do not control a unique keypair). This means the trustlines are all setup with the companies hotwallet(controlled by Rehive) and warm storage keys(controlled by the company owner). The users of the company cannot setup custom trustlines and will only be able to transact in the tokens the company supports.
When a user registers they get assigned a randomly generated memo that they attach to their transactions to identify their deposits.
Hope that clarifies a few things. We do plan on looking into non-custodial/hybrid wallets to allow shifting more key control to end users.