SettleMint
Asset servicing

Exit control portability

Keep issuer authority, investor eligibility, lifecycle governance, and audit evidence portable during an asset servicing exit.

When you exit an asset servicing arrangement, the platform keeps the asset's control record available to an approved receiving operator. The record covers issuer control, investor eligibility rules, lifecycle governance, holder state, configuration, and documents, including transaction history. The handover path depends on the contract model: upgradeable deployments transfer the relevant administrative control, while non-upgradeable deployments use a controlled replacement asset and investor transition.

Control record

The portable record combines on-chain role assignments, configured policy, participant state, and operational history, together with documents. Review these surfaces before you change a servicing provider, hand over administration, conduct an audit review, wind down the asset, or move to another operator.

Control surfacePortable recordReview point
Issuer authorityToken roles for permission management, governance, supply management, custody operations, and emergency operationsConfirm the current role holder and the receiving role holder before revoking outgoing access.
Platform authorityPlatform administrator roles for identity, compliance, token creation, feeds, gas sponsorship, and audit visibilityConfirm which users can manage system settings and which roles are needed after the handover.
Investor eligibilityIdentity registry entries, OnchainID links, jurisdictions, trusted issuers, claim topics, allowlists, and denylistsConfirm that every affected holder remains linked to the correct identity and eligibility policy.
Lifecycle governanceCompliance modules, feature configuration, metadata rules, supply controls, pause state, redemption, and governanceConfirm which settings are mutable by governance and which settings require a new deployment.
Holder stateHolder balances, available balances, frozen amounts, historical balances where enabled, and lifecycle statusReconcile current state before changing authority or opening a replacement asset.
Contract artifactsToken address, asset identity, access manager, compliance attachments, feature configuration, documents, and metadataRetain the deployed artifact list and the configuration used by the factory or issuance path.
Transaction evidenceAdministrative events, mint, burn, transfer, pause, freeze, recovery, document, and metadata activityRetain transaction status, monitoring records, pending operation queues, and idempotency records where the deployment stores them.
Rendering diagram...

The diagram is a planning view. Each deployment must still follow its own change-control and custody process, with any applicable privacy controls applied separately.

Handover sequence for upgradeable contracts

Upgradeable DALP asset deployments keep the asset address and holder record while administrative authority changes hands. Use this path when your deployed contract model permits the required change without replacing the asset.

Freeze the scope

Record the asset address, asset identity, and access manager. Add compliance attachments, enabled features, current role holders, holders, frozen amounts, and recent administrative transactions to the same list. Include documents and metadata. Treat this as your handover baseline.

Prepare the receiving operator

Create or confirm the receiving user account and wallet. Make sure the identity records are in place. For holder or participant activity, the wallet must resolve through the identity registry and hold the claims required by the asset's trusted issuers and compliance modules.

Transfer required authority

Grant only the platform roles and token roles the receiving operator needs. Token roles cover asset-specific work: permission management, governance, supply management, and custody or emergency operations. Platform roles cover system-wide settings: identity records, compliance configuration, token creation, data feeds, sponsorship, and audit access.

Verify the receiving authority

Confirm that the receiving operator can inspect the asset, identity registry links, compliance settings, and holder state. Also verify access to documents and metadata. Check the status of recent transactions before removing old access.

Remove outgoing authority

Revoke outgoing roles that are no longer needed. Keep transition-period access only when your operating model requires it, and record that reason in the regulated operator's evidence file.

Migration sequence for immutable contracts

Non-upgradeable contracts keep their deployed code and fixed parameters. When your handover requires changed parameters, a different contract owner model, or a different servicing architecture, use a replacement asset rather than changing the existing contract.

Preserve the existing record

Retain the original asset address and token identity. Record the access manager. Also keep the compliance and feature configuration alongside all documents. Preserve metadata, holder list, balances, and freezes. On-chain transaction history remains on the ledger. Off-chain evidence remains under the deployment's retention and privacy model.

Define the replacement configuration

Deploy the replacement asset with the required role mappings, identity policy, trusted issuers, and compliance modules. Include documents, metadata, lifecycle settings, and immutable parameters. Treat testnet and mainnet as separate deployments. A successful testnet rehearsal does not promote state or authority into production by itself.

Map investor transition

Map each affected holder from the original asset to the replacement asset. Reconfirm identity registry links and jurisdictions. Verify that required claims remain in place. Also check allowlist or denylist status and any lifecycle restrictions on frozen balances before issuing, swapping, redeeming, or otherwise transitioning balances.

Reconcile state and evidence

Reconcile holder balances, supply totals, and frozen amounts between the original asset and the replacement asset. Confirm lifecycle status and check that documents and metadata reflect recent changes. Keep transaction records for both assets so auditors can follow the transition without losing the original history.

Close or restrict the original asset path

Apply the deployment's approved wind-down controls to the original asset. Depending on the asset configuration, this may mean removing operational roles, pausing selected operations, freezing affected balances, completing redemption, or keeping the asset available only for audit and historical review.

Deployment and evidence boundary

DALP preserves the technical control record that a receiving operator needs to continue asset servicing. It does not replace the regulated operator's legal appointment records, customer notices, or privacy obligations. Custody contracts and off-chain evidence archives remain the operator's responsibility.

BoundaryRequired operating evidence
Legal and contractual appointmentKeep appointment letters, service termination terms, notices, and regulator or customer communications in the regulated record system.
Off-chain KYC evidenceKeep verifier records, consent evidence, and data-retention controls with the regulated operator or verifier. DALP records claim results and issuers on identity records, not the full evidence file.
External custody or bridge infrastructureConfirm provider contracts, keys, route approvals, and external balances with the provider. Token roles do not certify or transfer external infrastructure.
Personal data exportsFollow the deployment's privacy and retention controls. On-chain history remains on the ledger. Off-chain personal data follows the deployment's retention model.
Testnet and production environmentsEach network is a separate deployment with its own addresses, roles, identities, and transaction records. Testnet activity is not production evidence.

Before you complete the exit, confirm that the receiving operator has the required control, the outgoing operator no longer holds unnecessary access, affected investors remain eligible, lifecycle governance is assigned, documents match the operating record, metadata is current, and recent transactions reconcile. The public path for this page is /docs/operators/asset-servicing/exit-control-portability.

On this page