Stringent Password Protection and Session Timeout Controls
  • 2 Factor Authentication (2FA) is mandatory for all accounts for system login and password reset
  • Minimum password length and complexity
  • Session timeout after a period of inactivity
  • To reset your password we require you to access to both 2FA and your registered email. After multiple failed password attempts, your account is locked
  • SSL website encryption  
KYC/AML (Know Your Client/Anti-Money Laundering)

Our goal is to keep our onboarding simple, while protecting your safety and abiding by government regulations.

  • Our KYC/AML process verifies your identity. As a Canadian digital asset trading platform, retail users must pass VirgoCX’s strict KYC requirements
  • Proper KYC/AML also validates who you are and who you say you are so that someone else cannot claim to be you
  • Our clients can be onboarded manually, automatically or in-person  
Data Encryption

Sensitive information such as user password is encrypted within the internal system and multiple layers of security measures are in place to protect clients’ personal information so that no leakage of sensitive data can occur.

Blockchain Forensics Analysis

VirgoCX is integrated with a top digital currency risk management technology company that offers a variety of cryptocurrency AML/CFT compliance processes, risk scoring, and blockchain analytics. It flags questionable or illegitimate transactions by providing a verification rating to the Counterparty's address.

Digital Currency Protection

VirgoCX enforces institutional-grade control on all transactions. When a client deposits crypto onto the platform, a small portion stays on the platform in a hot wallet for regular business trading and withdrawals. The majority of crypto on the platform is automatically transferred to the cold wallet powered by the Ledger Vault.

Cold Storage Protection

Storing digital currency safely and securely for our retail and institutional clients are key priorities for us. At least 95% of VirgoCX’s digital currencies are held in cold storage. We use the state-of-the art technology platform of Ledger Vault to safeguard digital currencies for end-point security. Ledger Vault’s insurance provider covers up to $150 million for third-party theft, insider collusion and master seed theft that occurs on Ledger’s side. As we grow and scale, we need more than an advanced hardware wallet, we need a solution to help us reduce operational risk, external breaches and enhanced oversight.

Banking and Access to Your Funds

Trading with confidence requires your funds to be safe and accessible with strong banking relationships. VirgoCX uses direct banking services for fund transfers and is one of the few digital asset trading platforms in Canada with direct and multiple banking relationships.

Our unique position with impeccable KYC/AML compliance procedures, iron clad internal processes and cyber security practices have opened doors to diversified banking services.

All fiat (Canadian and US dollar) funds are held in trusted top tier Banks in Canada. VirgoCX has CDIC insured segregated banking in Canada with multiple banks. All deposits are held at the bank level. Clients retain and control the ownership of their assets. All funds are held for the benefit of the client.

Internal Controls

Cryptocurrency Disaster Recovery Plan

In the event that members of the management team are unable to access funds, the Cryptocurrency Disaster Recovery Plan is triggered. VirgoCX has designed a disaster recovery plan that removes key-man risk entirely.

External Audits

VirgoCX maintains the highest standard of legal compliance, business conduct and ethics that permit us to attract the best-in-class banking relationships. Auditing is the single best governance tool to ensure compliance with regulations, building systems to prevent theft, detect and limit fraud, and verify that customer’s funds are properly held. Our first independent and cryptographically-verified compliance and financial audits are scheduled to take place in spring 2020.

Internal Fund Management Controls

VirgoCX has multi-authorization mechanisms in place, where both crypto and fiat transfers would need multiple levels of approval. This largely eliminates the internal threats and unlawful collusion.

Access to Server

Only security cleared personnel have access to the server and must provide whitelisted credentials with every log-in. 2FA is required to access server. Unusual IP address log-in is strictly prohibited.


We have integrated protection to mitigate a DDoS attack.

  • Detection -  we have traffic attack protection of data flow and custom traffic monitoring to detect traffic abnormalities
  • Response - We have had no attack records.  For unusual traffic volumes, we respond in a timely manner, turn on more cloud protection, and even temporarily disconnect
  • Routing - We use multiple  servers connected to load balancing, allocating servers by access order
  • Our database sits on the server and requires multiple layers of security measures to access
  • All database access is done via internal networks, use of external networks are prohibited. We use Data Management Services to manage and connect to our database.  We never use external software to manage our database.  Our data will never go to an external network
  • The data backup plan is also established to avoid potential loss of the data
DNS Protection

We monitor our website server port so that clients are not re-routed to another site. We have global detection point service integrated into our DNS protection. If you visit our site from a different network around the world.

  • It is timed to detect the web server port, try to log in probe, view the connection status, send abnormal status
  • Global monitoring point to detect website ports for problems to prevent hijacking
Penetration Testing

We test port access for all five areas.

  • Interface testing
  • Compatibility testing
  • Performance testing
  • Vulnerability detection, vulnerability update alert and up-timely
  • Password anti-cracking
Internal Management

All office computers have firewall and anti-virus protection installed.


We protect our API access. For public methods, we limit the frequency of access through user IP to prevent abuse and DDoS attacks at the source.  We will check IP frequency visit and may stop service for you based on our threshold.

For Non-public method, we encrypt the request parameters through the HMAC-SHA512 encryption algorithm, and then use a custom signature algorithm to generate a signature sign to prevent parameter tampering and nonce-based scenarios to prevent replay attacks.