Infrastructure security.
All data is encrypted at every stage. Each partner operates in a fully isolated environment with no shared infrastructure layer.
AES-256 at rest. TLS 1.3 in transit. Encrypted compute environments during processing. No unencrypted state at any point in the classification pipeline.
Each partner's data occupies a dedicated, isolated environment — separate storage volumes, separate encryption keys, separate processing queues. Cross-partner data access is architecturally impossible.
Partner data is stored and processed within the partner's jurisdiction — Canada or the United States. Enforced at the infrastructure level. No cross-border transfer without explicit written consent.
Controlled access. Complete record.
All internal systems operate under a least-privilege model. Roles reviewed quarterly. Daixta personnel do not have routine access to partner data. Any access requires explicit time-limited authorisation — maximum 4 hours, automatically revoked. MFA and hardware security keys required for all production system access. Zero standing access.
Every document ingestion, classification decision, output generation, data access event, login, and configuration change is written to an append-only, tamper-evident audit log. Entries cannot be modified or deleted — including by system administrators. Retained for a minimum of 7 years, aligned with financial services record-keeping standards.
Standards & certifications.
Daixta's security programme is structured against the frameworks applicable to regulated financial institutions in Canada and the United States.
| Standard / Framework | Scope | Jurisdiction | Status |
|---|---|---|---|
| PIPEDA | Data privacy, consent, breach reporting | Canada | Aligned |
| OSFI B-10 — Outsourcing Guidelines | Third-party risk management | Canada | Aligned |
| OSFI B-13 — Technology & Cyber Risk | Cybersecurity, tech risk | Canada | Aligned |
| FFIEC Cybersecurity Guidelines | Financial institution cyber guidance | United States | Aligned |
| NIST Cybersecurity Framework | Identify, protect, detect, respond, recover | US / International | Aligned |
| CCPA — California Consumer Privacy Act | Consumer data rights | California, US | Aligned |
| SOC 2 Type I | Security, availability, confidentiality audit | International | In Progress |
| SOC 2 Type II | Operational effectiveness over time | International | 2026 Roadmap |
| ISO 27001 | Information security management system | International | 2026–2027 Roadmap |
DPA template, sub-processor list, and security architecture overview available to partners under NDA. Contact compliance@daixta.com.
When something goes wrong.
Automated monitoring across all infrastructure — anomaly detection on data access patterns, authentication events, and network traffic. Alerts reviewed by on-call personnel around the clock.
In the event of a breach involving partner data, affected partners will be notified within 72 hours of identification — consistent with PIPEDA mandatory breach reporting and applicable US state obligations. This is a contractual commitment.
A written incident report is provided to affected partners within 15 business days of resolution — covering root cause, data affected, timeline, containment actions taken, and remediation implemented.
How data ends.
Upon termination of a partner engagement, all partner data is permanently deleted within 30 days. Deletion is cryptographic and documented, and a certificate of deletion is provided on request.
We handle financial documents.
That is the whole mandate.
We do not analyse the data for our own purposes, aggregate it across partners, sell it, license it, or use it to train models serving other customers. The data belongs to the borrowers it represents, held in trust by the brokers who submitted it.