NDAX Security Changes Oct 2022 To Oct 2023

1 removal, 64 lines
2 additions, 65 lines
Institutional Grade Crypto Security
Institutional Grade Crypto Security


NDAX sets the bar high for the global fintech industry through advanced security measures, and being the first Canadian crypto platform to receive SOC2 Type II certification.
NDAX sets the bar high for the global fintech industry through advanced security measures and being the first Canadian crypto platform to receive SOC2 Type II certification.
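Review bot: the revised opening sentence drops the comma before "and being" but keeps the non-parallel pairing "through advanced security measures and being the first Canadian crypto platform", so the sentence still reads awkwardly; "through advanced security measures and by being the first" would fix it. The same sentence writes "SOC2 Type II", while the Third-Party Vendor Assessment section writes "System and Organization Controls (SOC) 2, type 1", so the two versions still carry two different stylings of the same term; pick one form and use it in both places.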


Digital Asset Security and Insurance
Digital Asset Security and Insurance


NDAX’s security standards are among the highest in the Canadian FinTech industry. NDAX holds the majority of digital assets offline in cold storage protected by multi-signature technology, provided by Ledger Vault, the global leader in security and infrastructure solutions for cryptocurrencies.
NDAX’s security standards are among the highest in the Canadian FinTech industry. NDAX holds the majority of digital assets offline in cold storage protected by multi-signature technology, provided by Ledger Vault, the global leader in security and infrastructure solutions for cryptocurrencies.


For insurable incidents, including fraud, NDAX holds:
For insurable incidents, including fraud, NDAX holds:


USD 5 million on its cold wallets, covering internal theft and Hardware Security Module (HSM) malfunction, and
USD 5 million on its cold wallets, covering internal theft and Hardware Security Module (HSM) malfunction, and
USD 3 million in insurance per instance on its hot wallets.
USD 3 million in insurance per instance on its hot wallets.
CAD 5 million in general business liability.
CAD 5 million in general business liability.


Segregated Accounts
Segregated Accounts
NDAX safeguards users’ fiat in a segregated bank account held at a Canadian Crown-owned financial institution. This measure keeps funds separate from NDAX’s operating capital. In the event of insolvency, fiat assets can be identified and appropriately distributed to entitled parties.
NDAX safeguards users’ fiat in a segregated bank account held at a Canadian Crown-owned financial institution. This measure keeps funds separate from NDAX’s operating capital. In the event of insolvency, fiat assets can be identified and appropriately distributed to entitled parties.


Regulatory Framework
Regulatory Framework


NDAX is registered with the Financial Transactions and Reports and Analysis Centre of Canada (FINTRAC) and Revenue Québec as a Money Service Business (MSB). NDAX complies with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and other applicable laws and regulations.
NDAX is registered with the Financial Transactions and Reports and Analysis Centre of Canada (FINTRAC) and Revenue Québec as a Money Service Business (MSB). NDAX complies with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and other applicable laws and regulations.


Robust compliance procedures set NDAX apart in the cryptocurrency industry by fostering a strong reputation with regulatory and governmental bodies. NDAX maintains strict Know Your Client (KYC) processes aligned with industry best practices and required under legislation.
Robust compliance procedures set NDAX apart in the cryptocurrency industry by fostering a strong reputation with regulatory and governmental bodies. NDAX maintains strict Know Your Client (KYC) processes aligned with industry best practices and required under legislation.


FINTRAC Registered: M18632135
FINTRAC Registered: M18632135


Revenue Québec License Number: 904486
Revenue Québec License Number: 904486


Multi-Signature Approvals
Multi-Signature Approvals
Transferring funds out of cold storage requires multiple approvals from NDAX’s senior management team. Restricting unauthorized internal transactions, effectively protecting the user's assets and safeguarding their crypto wallets.
Transferring funds out of cold storage requires multiple approvals from NDAX’s senior management team. Restricting unauthorized internal transactions, effectively protecting the user's assets and safeguarding their crypto wallets.


In addition, NDAX’s Ledger Vault is whitelisted, which adds another layer of protection to a user's funds. Outgoing transactions out of cold storage can only go to NDAX’s whitelisted addresses in warm storage.
In addition, NDAX’s Ledger Vault is whitelisted, which adds another layer of protection to a user's funds. Outgoing transactions out of cold storage can only go to NDAX’s whitelisted addresses in warm storage.


MPC Hot Wallets
MPC Hot Wallets
NDAX has implemented Multi-Party Computation (MPC) technology recognized by industry experts.
NDAX has implemented Multi-Party Computation (MPC) technology recognized by industry experts.


MPC technology offers an advanced security level for hot wallet management solutions that protect crypto assets from internal/external bad players. It requires multiple parties to perform mathematical computations to create distributed shares, which come together to compute a public key and wallet address to store digital assets.
MPC technology offers an advanced security level for hot wallet management solutions that protect crypto assets from internal/external bad players. It requires multiple parties to perform mathematical computations to create distributed shares, which come together to compute a public key and wallet address to store digital assets.


Third-Party Vendor Assessment
Third-Party Vendor Assessment
NDAX has implemented a stringent process to assess third-party service providers. Ensuring the highest security and controls are in place to protect user's personal information and assets.
NDAX has implemented a stringent process to assess third-party service providers. Ensuring the highest security and controls are in place to protect user's personal information and assets.


Both NDAX’s hot and cold wallet service providers are System and Organization Controls (SOC) 2, type 1 certified.
Both NDAX’s hot and cold wallet service providers are System and Organization Controls (SOC) 2, type 1 certified.


Protecting Against Service Attacks
Protecting Against Service Attacks
NDAX’s Distributed Denial-of-Service-Protection (DDoS) mitigation reliably monitors, resists and defends against any comprehensive threats on, or to, the NDAX platform. It ensures constant maintenance and up-time of service, performance and availability without incurring latency or interference.
NDAX’s Distributed Denial-of-Service-Protection (DDoS) mitigation reliably monitors, resists and defends against any comprehensive threats on, or to, the NDAX platform. It ensures constant maintenance and up-time of service, performance and availability without incurring latency or interference.


Ongoing Monitoring
Ongoing Monitoring
NDAX uses multiple data servers that are isolated and monitored 24/7. A malicious attack on any one of the servers will automatically shut down the network to prevent damage to a user’s data and prevent access to crypto assets held on the platform.
NDAX uses multiple data servers that are isolated and monitored 24/7. A malicious attack on any one of the servers will automatically shut down the network to prevent damage to a user’s data and prevent access to crypto assets held on the platform.


Preventing Account Takeovers
Preventing Account Takeovers
Mandatory Two-Factor Authentication - Every NDAX user must enable Two-Factor Authentication (2FA) to withdraw or deposit funds. Users are also required to confirm all withdrawals via email, acting as a third verification form.
Mandatory Two-Factor Authentication - Every NDAX user must enable Two-Factor Authentication (2FA) to withdraw or deposit funds. Users are also required to confirm all withdrawals via email, acting as a third verification form.

Notifications - An email notification is sent with login time and IP address every time a user logs in to an NDAX account.
Notifications - An email notification is sent with login time and IP address every time a user logs in to an NDAX account.
Account Information - Users requesting any account information updates, such as changing their email, 2FA, phone number or address, must provide NDAX’s compliance team with:
Account Information - Users requesting any account information updates, such as changing their email, 2FA, phone number or address, must provide NDAX’s compliance team with:
An above the shoulder, front-facing image (a selfie) holding a handwritten note that states the current date and the request; and a photo of the front and back of a non-expired PHOTO ID.
An above the shoulder, front-facing image (a selfie) holding a handwritten note that states the current date and the request; and a photo of the front and back of a non-expired PHOTO ID.
This information is compared with the documents provided initially during sign up.
This information is compared with the documents provided initially during sign up.


Internal Controls
Internal Controls
Access controls
Access controls
NDAX utilizes the least privilege approach when providing employees access to client information. Every employee at NDAX is also required to sign confidentiality and nondisclosure agreements.
NDAX utilizes the least privilege approach when providing employees access to client information. Every employee at NDAX is also required to sign confidentiality and nondisclosure agreements.
Employee screening
Employee screening
NDAX conducts an extensive background and criminal check on all employees. NDAX also obtains employee information per the Canada Revenue Agency reporting and record-keeping requirements.
NDAX conducts an extensive background and criminal check on all employees. NDAX also obtains employee information per the Canada Revenue Agency reporting and record-keeping requirements.
Employee training
Employee training
All NDAX employees are required to complete appropriate security, Anti-Money Laundering (AML) and any other applicable industry or job-related training. Employees must have sufficient job proficiencies and have all designations and licenses are up to date.
All NDAX employees are required to complete appropriate security, Anti-Money Laundering (AML) and any other applicable industry or job-related training. Employees must have sufficient job proficiencies and have all designations and licenses are up to date.
Daily audits
Daily audits
Daily reconciliation of financial assets on and off the platform is performed to record assets’ integrity, ensuring proper asset distribution (crypto and fiat) between segregated accounts and cold/hot storage.
Daily reconciliation of financial assets on and off the platform is performed to record assets’ integrity, ensuring proper asset distribution (crypto and fiat) between segregated accounts and cold/hot storage.