01Safeguarding of End-User Funds
Consistent with the Bank of Canada’s Safeguarding End-User Funds Guideline under the RPAA, DaisyLink safeguards end-user funds by:
- Segregating end-user funds from DaisyLink’s own operating funds in a dedicated safeguarding account not used for any other purpose;
- Holding such funds in trust in the safeguarding account, and/or ensuring the funds are subject to insurance or a guarantee, as applicable;
- Placing end-user funds into the safeguarding account as soon as they are received, or by the next business day where immediate placement is not possible;
- Maintaining a documented Safeguarding Framework describing the methodology used to determine appropriate coverage and the account provider(s) used.
End-user funds are not used to fund DaisyLink’s operations, extend credit, or invest on DaisyLink’s own behalf.
02Operational Risk Management Framework
DaisyLink maintains an Operational Risk Management Framework (ORMF) built around Three Lines of Defence governance: business operations own and manage risk day to day; an independent risk and compliance function sets policy and monitors adherence; and internal/independent review provides assurance. The ORMF applies a nine-category risk taxonomy and is monitored through key risk indicator (KRI) dashboards reviewed by senior management.
Consistent with RPAA requirements, DaisyLink’s risk management and incident response framework — including this Security Statement’s underlying controls — is subject to independent review at least once every three years, performed by a party not involved in establishing or maintaining the framework.
03Information & Data Security
DaisyLink applies physical, organizational, and technological safeguards appropriate to the sensitivity of the information it holds, including:
- Encryption of personal and financial information in transit and at rest;
- Role-based access controls and multi-factor authentication for systems handling customer data or funds;
- Network segmentation, firewalls, and continuous monitoring for anomalous activity;
- Secure software development practices, including code review and change management for production systems;
- Logging and monitoring sufficient to support incident investigation and regulatory reporting.
04Payment & Virtual Currency Transaction Security
For card acquiring and payment processing activity, DaisyLink relies on tokenization and industry-standard payment security practices to limit exposure of raw card data, consistent with applicable card network requirements. For virtual currency activity, DaisyLink applies wallet security controls (including segregated hot/cold storage practices with its custodial or infrastructure partners, as applicable), blockchain analytics screening of counterparty wallets, and transaction monitoring aligned with DaisyLink’s AML/CTF Statement and Restricted & Prohibited Jurisdictions Policy.
05Incident Detection, Response & Regulatory Reporting
DaisyLink maintains an incident response plan with defined severity classification, escalation paths, and recovery procedures. Where an incident has a material impact on an end user, DaisyLink, or a clearing and settlement system, DaisyLink follows the reporting timeline required under the RPAA:
| Stage | Trigger | Timing |
|---|---|---|
| Initial notice to the Bank of Canada | PSP determines an incident has a material impact on an end user, DaisyLink, or a clearing house | Without delay, no later than 48 hours after materiality is determined |
| Notice to affected end users | Same materiality determination as above | Without delay, consistent with DaisyLink's incident response plan |
| Final notice to the Bank of Canada | Root cause and full impact of the incident are known | As soon as reasonably practicable following investigation |
| Interim / follow-up notices | At the Bank of Canada's request or as new information emerges | As required by the circumstances |
DaisyLink also maintains internal incident logs — including incidents not required to be reported to the Bank of Canada — consistent with its RPAA annual reporting obligations, and retains related records for a minimum of five years.
06Third-Party & Vendor Risk Management
Where DaisyLink relies on third-party service providers for hosting, payment processing, identity verification, or custodial infrastructure, it applies a risk-based due diligence and ongoing monitoring process, and requires contractual commitments regarding confidentiality, security controls, and incident notification. DaisyLink’s use of an indirect safeguarding arrangement, where applicable, is structured to meet the Bank of Canada’s expectations for direct relationships with a prudentially regulated safeguarding account provider.
07Business Continuity & Disaster Recovery
DaisyLink maintains business continuity and disaster recovery procedures designed to sustain critical payment functions and access to end-user funds information in the event of a disruption, including periodic testing of recovery procedures and defined recovery time objectives for critical systems.
08Personnel Security
DaisyLink applies the principle of least privilege to system access, conducts background screening for personnel in sensitive roles where permitted by law, and provides mandatory security and AML/CTF awareness training to employees and relevant agents at onboarding and on a recurring basis.
09Your Role in Keeping Your Account Secure
Customers can help protect their accounts by:
- Using a strong, unique password and enabling multi-factor authentication where offered;
- Never sharing login credentials, one-time passcodes, or wallet seed phrases with anyone, including anyone claiming to represent DaisyLink;
- Verifying that any DaisyLink communication or website matches official DaisyLink domains and contact channels before entering credentials or making a payment;
- Promptly reporting any suspected unauthorized access or suspicious activity to DaisyLink.
10Reporting a Security Concern
If you believe you have identified a security vulnerability or incident affecting DaisyLink, please contact us promptly using the details below. Please do not attempt to access, modify, or exfiltrate data beyond what is necessary to demonstrate an issue.
Security contact: security@daisylink.ca
11Changes to This Statement
DaisyLink may update this Security Statement from time to time to reflect changes in its practices, infrastructure, or applicable regulatory requirements, including updates to Bank of Canada guidance under the RPAA.
12Disclaimer
This Statement summarizes DaisyLink’s security and safeguarding practices as of July 6, 2026, at a level appropriate for public disclosure; it does not describe every technical control DaisyLink maintains, for security reasons. No system can be guaranteed completely secure, and DaisyLink cannot warrant that its Services will be free from all possible security incidents. This document does not constitute legal advice and should be reviewed by qualified legal, security, and compliance advisors before operational or external use.