Exit control portability
Keep issuer authority, investor eligibility, lifecycle governance, and audit evidence portable during an asset servicing exit.
When you exit an asset servicing arrangement, the platform keeps the asset's control record available to an approved receiving operator. The record covers issuer control, investor eligibility rules, lifecycle governance, holder state, configuration, and documents, including transaction history. The handover path depends on the contract model: upgradeable deployments transfer the relevant administrative control, while non-upgradeable deployments use a controlled replacement asset and investor transition.
Control record
The portable record combines on-chain role assignments, configured policy, participant state, and operational history, together with documents. Review these surfaces before you change a servicing provider, hand over administration, conduct an audit review, wind down the asset, or move to another operator.
| Control surface | Portable record | Review point |
|---|---|---|
| Issuer authority | Token roles for permission management, governance, supply management, custody operations, and emergency operations | Confirm the current role holder and the receiving role holder before revoking outgoing access. |
| Platform authority | Platform administrator roles for identity, compliance, token creation, feeds, gas sponsorship, and audit visibility | Confirm which users can manage system settings and which roles are needed after the handover. |
| Investor eligibility | Identity registry entries, OnchainID links, jurisdictions, trusted issuers, claim topics, allowlists, and denylists | Confirm that every affected holder remains linked to the correct identity and eligibility policy. |
| Lifecycle governance | Compliance modules, feature configuration, metadata rules, supply controls, pause state, redemption, and governance | Confirm which settings are mutable by governance and which settings require a new deployment. |
| Holder state | Holder balances, available balances, frozen amounts, historical balances where enabled, and lifecycle status | Reconcile current state before changing authority or opening a replacement asset. |
| Contract artifacts | Token address, asset identity, access manager, compliance attachments, feature configuration, documents, and metadata | Retain the deployed artifact list and the configuration used by the factory or issuance path. |
| Transaction evidence | Administrative events, mint, burn, transfer, pause, freeze, recovery, document, and metadata activity | Retain transaction status, monitoring records, pending operation queues, and idempotency records where the deployment stores them. |
The diagram is a planning view. Each deployment must still follow its own change-control and custody process, with any applicable privacy controls applied separately.
Handover sequence for upgradeable contracts
Upgradeable DALP asset deployments keep the asset address and holder record while administrative authority changes hands. Use this path when your deployed contract model permits the required change without replacing the asset.
Freeze the scope
Record the asset address, asset identity, and access manager. Add compliance attachments, enabled features, current role holders, holders, frozen amounts, and recent administrative transactions to the same list. Include documents and metadata. Treat this as your handover baseline.
Prepare the receiving operator
Create or confirm the receiving user account and wallet. Make sure the identity records are in place. For holder or participant activity, the wallet must resolve through the identity registry and hold the claims required by the asset's trusted issuers and compliance modules.
Transfer required authority
Grant only the platform roles and token roles the receiving operator needs. Token roles cover asset-specific work: permission management, governance, supply management, and custody or emergency operations. Platform roles cover system-wide settings: identity records, compliance configuration, token creation, data feeds, sponsorship, and audit access.
Verify the receiving authority
Confirm that the receiving operator can inspect the asset, identity registry links, compliance settings, and holder state. Also verify access to documents and metadata. Check the status of recent transactions before removing old access.
Remove outgoing authority
Revoke outgoing roles that are no longer needed. Keep transition-period access only when your operating model requires it, and record that reason in the regulated operator's evidence file.
Migration sequence for immutable contracts
Non-upgradeable contracts keep their deployed code and fixed parameters. When your handover requires changed parameters, a different contract owner model, or a different servicing architecture, use a replacement asset rather than changing the existing contract.
Preserve the existing record
Retain the original asset address and token identity. Record the access manager. Also keep the compliance and feature configuration alongside all documents. Preserve metadata, holder list, balances, and freezes. On-chain transaction history remains on the ledger. Off-chain evidence remains under the deployment's retention and privacy model.
Define the replacement configuration
Deploy the replacement asset with the required role mappings, identity policy, trusted issuers, and compliance modules. Include documents, metadata, lifecycle settings, and immutable parameters. Treat testnet and mainnet as separate deployments. A successful testnet rehearsal does not promote state or authority into production by itself.
Map investor transition
Map each affected holder from the original asset to the replacement asset. Reconfirm identity registry links and jurisdictions. Verify that required claims remain in place. Also check allowlist or denylist status and any lifecycle restrictions on frozen balances before issuing, swapping, redeeming, or otherwise transitioning balances.
Reconcile state and evidence
Reconcile holder balances, supply totals, and frozen amounts between the original asset and the replacement asset. Confirm lifecycle status and check that documents and metadata reflect recent changes. Keep transaction records for both assets so auditors can follow the transition without losing the original history.
Close or restrict the original asset path
Apply the deployment's approved wind-down controls to the original asset. Depending on the asset configuration, this may mean removing operational roles, pausing selected operations, freezing affected balances, completing redemption, or keeping the asset available only for audit and historical review.
Deployment and evidence boundary
DALP preserves the technical control record that a receiving operator needs to continue asset servicing. It does not replace the regulated operator's legal appointment records, customer notices, or privacy obligations. Custody contracts and off-chain evidence archives remain the operator's responsibility.
| Boundary | Required operating evidence |
|---|---|
| Legal and contractual appointment | Keep appointment letters, service termination terms, notices, and regulator or customer communications in the regulated record system. |
| Off-chain KYC evidence | Keep verifier records, consent evidence, and data-retention controls with the regulated operator or verifier. DALP records claim results and issuers on identity records, not the full evidence file. |
| External custody or bridge infrastructure | Confirm provider contracts, keys, route approvals, and external balances with the provider. Token roles do not certify or transfer external infrastructure. |
| Personal data exports | Follow the deployment's privacy and retention controls. On-chain history remains on the ledger. Off-chain personal data follows the deployment's retention model. |
| Testnet and production environments | Each network is a separate deployment with its own addresses, roles, identities, and transaction records. Testnet activity is not production evidence. |
Before you complete the exit, confirm that the receiving operator has the required control, the outgoing operator no longer holds unnecessary access, affected investors remain eligible, lifecycle governance is assigned, documents match the operating record, metadata is current, and recent transactions reconcile. The public path for this page is /docs/operators/asset-servicing/exit-control-portability.
Related guides
How to operate stablecoins after issuance
Run the post-issuance stablecoin lifecycle across holder eligibility, reserve and collateral updates, controlled minting, transfers, burns, and reconciliation.
Mint assets in the console
Issue new units of a security to investor accounts from the web console, with eligibility checks and safe retry guidance.