Non-discriminatory Commercial Policy

Xchange360 s.r.o

October 2025

V2

Version Control

| Version | Version Description | Author | Reviewer | Date Approved | Description |
|---|---|---|---|---|---|
| 1.0 | Creation of Policy & Procedure | Jan Rozumbersky | Jan Rozumbersky | 14th of July 2025 | Initial creation of document |
| 1.1 | Policy Update | Jan Rozumbersky | Jan Rozumbersky | 20th of October 2025 | Policy revised in response to regulatory feedback to meet MiCA compliance standards |

1. INTRODUCTION

1.1. This non-discriminatory commercial policy (hereinafter referred to as the “Policy”) has been developed by Xchange360 s.r.o, a company registered in the Czech Republic (hereinafter referred to as the “Company”), registration number 18041647, with its registered address at Na Pankráci 1618/30, Nusle (Prague 4), 140 00 Prague, Czech Republic, to comply with the provisions of Article 77 of Regulation (EU) 2023/1114 of the European Parliament and of the Council on Markets in Crypto-Assets (MiCA). The Policy sets out the conditions to ensure transparency, fairness and equal treatment of all market participants.

1.2. In accordance with Article 77 of the MiCA, the Company applies the principles of a non-discriminatory trading policy in which it clearly defines the type of clients eligible to transact with the Company, and the conditions they must meet. The Company’s actions are aimed at ensuring fairness, market integrity and adherence to the principles of fair competition.

1.3. As part of its adherence to the principles of transparency, the Company publishes binding prices for cryptoassets or the methods for determining them and any limits on the amounts to be exchanged. Execution of client orders is carried out at the prices in force at the time the order becomes final and clients are informed of the conditions under which their orders are considered final.

1.4. Acting in accordance with European standards and regulations under the MiCA, the Company also ensures the publication of information on transactions made, including volumes and transaction prices, which supports the building of trust and transparency in the cryptocurrency sector. These activities are in line with the EU’s broad regulatory approach, which aims to adapt the key rules of the financial markets to the specificities of cryptoassets.

1.5. In line with the principle of technological neutrality enshrined in the MiCA Regulation, the Company ensures that its commercial practices and client onboarding processes do not confer preferential treatment to any specific category of cryptoassets, distributed ledger technology protocols, or client profiles, unless such differentiation is objectively justified based on risk-based criteria and proportionality principles.

1.6. The Company undertakes to implement robust internal governance frameworks that ensure the operational independence of commercial decision-making from undue influence, including from affiliated entities, majority stakeholders, or high-volume clients. Such independence is key to upholding the market integrity obligations mandated under MiCA Article 77 and related European supervisory standards.

1.7. The Company commits to continuously monitoring market conditions, systemic vulnerabilities, and cross-border regulatory developments to ensure that its commercial terms, pricing models, and transaction criteria remain aligned with the dynamic risk profile of the cryptoasset ecosystem, while maintaining full compliance with the principles of equal access and non-discrimination.

2. POLICY OBJECTIVE

2.1. The purpose of this policy is to ensure that the Company’s activities comply with the regulatory requirements set out in the MiCA Regulation and to establish rules for the fair and transparent conduct of exchanges of crypto-assets for fiat or other crypto-assets. The procedure aims to eliminate the risk of discrimination against clients, ensure equal access to services and increase the transparency of transactions. In addition, the document sets out mechanisms for monitoring and enforcing compliance with the regulations, as well as ways to inform clients about the Company’s rules.
2.2. This Policy also seeks to operationalize the principles of fair treatment, client categorization, and transparency, by setting forth clear internal standards for assessing client eligibility, access to specific services, and pricing schemes, thereby ensuring that any differentiation in service levels is based solely on objective, risk-based, and legally justifiable criteria.

2.3. In line with the Company’s commitment to good governance and consumer protection, this Policy reinforces the obligation to disclose commercial terms, pricing models, and risk factors in a manner that is clear, comprehensible, and accessible to all categories of clients, irrespective of their sophistication or jurisdiction of residence.

2.4. The Company seeks to cultivate a culture of accountability and regulatory alignment by ensuring that all relevant stakeholders — including senior management, staff, and service providers — are fully informed of, and trained on, the practical application of the principles enshrined in this Policy and their role in safeguarding non-discriminatory market conduct.

3. DEFINITIONS

3.1. Client — a natural or legal person who is eligible to use the Company’s services and enters into a business relationship with the Company under the terms of this Policy.
3.2. Know Your Customer (KYC) — the process through which the Company verifies a client’s identity, legal status, and business activity as part of initial and ongoing due diligence.

3.3. High-Risk Jurisdiction — A country or territory identified as presenting elevated AML/CFT risks, including those listed by FATF, the EU, the UN, or local authorities.

3.4. Restricted Jurisdictions List — A dynamic internal register of countries from which clients are not accepted, based on regulatory guidance and internal risk appetite.

3.5. Client Classification — a formal categorization process applied to incorporated legal entities during onboarding, determining the client’s risk level, service permissions, AML/CFT monitoring intensity, and reporting obligations.

3.6. Ultimate Beneficial Owner (UBO) — the natural person(s) who ultimately owns or controls a legal entity, whose identity must be disclosed and verified during the onboarding process.

3.7. Client Reclassification — a regulated process whereby a client’s classification may be modified based on material changes in business model, licensing status, transactional behavior, or ownership structure.

3.8. Classification Binding Status — the assigned classification becomes enforceable upon confirmation and may not be altered by client request alone without documented grounds and compliance approval.

3.9. Periodic Classification Review — a scheduled or event-driven reassessment of a client’s classification to reflect updated risk factors, changes in structure, or compliance alerts.

3.10. Source of Funds / Source of Wealth — documentary evidence indicating the origin of funds used in crypto transactions and the overall financial background of the entity and its UBOs.

3.11. Non-Discriminatory Access — the principle of applying uniform onboarding and verification standards to all eligible clients regardless of size, jurisdiction, or commercial importance.

3.12. Functional Parity — the principle that all client categories receive the same interface, API tools, transaction routing, and post-trade services without preferential handling or expedited paths.

3.13. Objective Pricing Model — a fixed and transparent pricing structure based solely on market inputs, excluding subjective discounts, markups, or discretionary pricing incentives.

3.14. Pricing Methodology — A structured, algorithm-driven approach used by the Company to determine crypto-asset prices based on real-time liquidity provider data, public indices, and internal validation mechanisms.

3.15. Client Dashboard — The digital interface through which clients view real-time pricing, applicable fees, and order confirmation data before transaction execution.

3.16. Compliance Management System (CMS) — The Company’s primary internal repository for storing and managing KYB files, classification decisions, approvals, and compliance documentation.

3.17. Customer Risk Register (CRM Extension) — A dedicated module that tracks a client’s risk score, classification category, and ongoing AML alerts or reclassification triggers.

3.18. Document Management System (DMS) — The secured archive for official client records, including certificates, licenses, declarations, and correspondence, stored in audit-compliant, tamper-evident formats.

3.19. Transaction Ledger — A tamper-proof system record of all executed client transactions, including timestamps, pricing, spread, and client identifiers, maintained for audit and supervisory review.

4. TYPE OF CLIENTS AND TERMS OF TRANSACTIONS

4.1. Under Article 77(1) MiCA, the Company indicates that it agrees to transact with the following types of Clients:
(i) Professional clients — Legally registered small and medium-sized enterprises engaged in cross-border digital activities (e.g., SaaS providers, IT companies, marketing and consulting firms), primarily using crypto-assets for business-to-business invoicing, payroll, and settlement purposes;

(ii) Financial Institutions (Fintech and Payment Platforms) — Regulated or licensed financial technology entities, including PSPs, EMIs, and neobanks, that integrate crypto-fiat exchange flows into their operational infrastructure through APIs or white-label solutions;

(iii) Corporate Clients (Regulated Advisors and Corporate Service Providers) — Licensed legal, tax, and fiduciary professionals (e.g., accountants, law firms, corporate advisors) transacting on behalf of corporate clients for the purposes of treasury operations, settlements, and managed client mandates;

(iv) Financial Institutions (Licensed iGaming and Forex Operators) — Entities operating under national or EU regulatory frameworks for online gaming or foreign exchange services, using compliant crypto payment rails and engaging in crypto-fiat conversion and acceptance activities;

(v) Crypto Asset Service Providers (OTC Brokers, Funds, and Corporate Treasuries) — Institutional participants managing proprietary or client-held crypto portfolios, including OTC desks and investment funds, typically involved in high-frequency, high-volume crypto-to-crypto transactions and treasury operations.

4.2. The Company exclusively onboards and transacts with clients that meet stringent legal, regulatory, and AML/CFT standards. Client categories must undergo both general eligibility screening and category-specific onboarding checks based on a documented risk-based approach.

4.3. The Clients must possess full legal capacity to enter into contractual relationships under the laws of their country of incorporation. Legal entities must be properly incorporated and authorized to engage in crypto-related activities.

4.4. The Clients must complete a rigorous Know Your Customer (KYC) process and undergo both initial and ongoing due diligence procedures aimed at identifying money laundering, terrorist financing, or sanction-related risks.

4.5. Each Client is subject to a documented risk assessment that evaluates their jurisdictional exposure, transaction profile, business activity, and regulatory history.

4.6. Clients who are legal entities registered in jurisdictions deemed high-risk or sanctioned are not eligible to use the Company’s services. The Company maintains a dynamic list of restricted jurisdictions based on FATF, EU, UN, and local supervisory guidance.

4.7. Clients must explicitly accept the Company’s Terms of Use, AML Policy, Risk Disclosure Statement, Privacy Policy, and any applicable legal disclaimers. Acceptance must be documented and securely stored.

4.8. All clients are subject to periodic reviews of their identification documents, business activities, and transactional behavior. Failure to comply with information update requests may result in suspension or termination.

4.9. Clients previously rejected, terminated, or flagged for AML/CFT violations or fraud are not eligible for re-onboarding unless re-assessed and approved by the Compliance Department.

4.10. In addition to the general requirements, the following tailored conditions apply to different categories of clients:

(i) have full legal capacity in accordance with the applicable laws of their country of residence or incorporation;

(ii) maintain an active and verified account within the Company’s transaction infrastructure, with a unique client identifier and secure access credentials;

(iii) refrain from acting as nominees or intermediaries unless fully disclosed, authorized, and approved by the Company’s compliance department;

(iv) not engage in high-risk activities or services involving anonymity-enhancing technologies, such as privacy coins, mixers, or decentralized exchanges, unless explicitly assessed and permitted based on a documented risk-based approach;

(v) submit to periodic reviews and updates of identification documents, business activity, beneficial ownership structures, and transactional behavior;

(vi) not have been previously denied onboarding, suspended, or terminated by the Company due to non-compliance, fraud, or violation of this Policy, unless subsequently reinstated upon reassessment;

(vii) provide AML policies, internal control procedures, and details of responsible officers for review;

(viii) document their source of funds and transaction purposes, which must be aligned with stated business objectives;

(ix) disclose governance structure, funding sources, and detailed use of crypto-assets.

4.11. The Company applies uniform conditions of access and execution to all eligible clients without granting preferential treatment based on client size, volume, or jurisdiction of incorporation, unless objectively justified in accordance with risk-based principles.

4.12. In exceptional cases where differential pricing, limits, or execution windows are applied, the Company shall publish clear and transparent justification to ensure compliance with the principles of non-discrimination and equal treatment.

4.13. Clients who fail to meet the above requirements or who attempt to circumvent the onboarding, verification, or transaction monitoring processes shall be restricted from accessing the Company’s services and may be reported to competent authorities as required by law.

4.14. The Company reserves the right to update its list of eligible client types and transaction rules in accordance with changes in applicable legislation, supervisory guidance, or internal risk tolerance.

4.15. The Company shall maintain detailed records of all transactions, client categories, and applied terms, ensuring traceability, auditability, and accessibility for regulators.

4.16. This Policy shall be made available to Clients upon request and published in an accessible format on the Company’s website to ensure informed consent and awareness.

5. CLIENT CLASSIFICATION FRAMEWORK

5.1. The Company applies a structured client classification framework that constitutes an integral part of its compliance and risk management program. Client classification serves as a foundation for determining the applicable regulatory obligations, the permissible scope of services, the level of anti-money laundering and counter-terrorist financing (AML/CFT) due diligence, and corresponding commercial onboarding terms.
5.2. Classification is mandatory for all onboarded Clients and applies exclusively to incorporated legal entities. Only Clients who meet predefined eligibility criteria consistent with the Company’s regulatory obligations and business model are permitted to access crypto-asset services. The classification process is based solely on verifiable, documented factors assessed during onboarding and is not subject to client preference or commercial negotiation.

5.3. Client classification is conducted during the Know-Your-Business (KYB) and Customer Risk Assessment phases of onboarding and is led by the Compliance Department. As part of this process, clients are required to submit official corporate and regulatory documentation, including but not limited to the certificate of incorporation, business license, shareholder registry, ultimate beneficial ownership (UBO) information, AML/CFT internal policies, and projected transaction profile. All submitted information is independently verified by the Compliance Department using publicly accessible regulatory, corporate, and financial registries, and via official government channels.

5.4. Based on this validated information, the Client is assigned to one of three predefined categories: Corporate Clients, Financial Institutions, or Crypto Asset Service Providers (CASPs).

5.5. The assigned classification is recorded in the Company’s internal onboarding system and governs the client’s access rights, service limitations, applicable AML monitoring levels, and reporting requirements.

5.6. Once classification is granted, it is binding and cannot be modified at the sole request of the client. Clients are not permitted to select or request a specific classification for commercial advantage.

5.7. Reclassification may occur only under defined and limited conditions, where the client’s business model, regulatory status, or transaction behavior has materially changed.

5.8. Permissible grounds for reclassification include, but are not limited to: obtaining or losing a regulatory license or professional authorization (e.g., transition from SME to licensed payment service provider); documented changes in business activity, such as entry into financial markets or crypto services; material deviation from the declared transaction profile, including increases in frequency or volume or changes in asset type; corporate restructuring, mergers, acquisitions, or changes in beneficial ownership; or regulatory developments requiring alignment with supervisory expectations.

5.9. The reclassification procedure includes:

(i) submission by the client of a formal written request with supporting documentation;

(ii) internal KYB re-verification and risk reassessment by the Compliance Department;

(iii) approval or denial of the new classification;

(iv) update of internal records; and

(v) formal notification to the client including revised contractual terms, where applicable. A full audit trail of the reclassification decision, rationale, and evidentiary basis is retained for internal and regulatory audit purposes.

5.10. The Company reserves the right to reject reclassification requests where such change would breach AML/CFT regulations, exceed the Company’s risk appetite, result in regulatory misalignment, or lack sufficient documentary justification. Classification status is also subject to periodic review by the Company, including during scheduled compliance refresh cycles or in response to emerging risk factors or supervisory enquiries.

5.11. Classification status is subject to periodic review, including during annual file refresh, suspicious activity analysis, or as a result of supervisory inquiry.

6. ELIGIBILITY AND VERIFICATION CRITERIA

6.1. Eligibility to access the Company’s crypto-asset exchange and related services is strictly limited to incorporated legal entities that successfully complete the Company’s Know-Your-Business (KYB) and Anti-Money Laundering / Counter-Terrorist Financing (AML/CTF) onboarding procedures.
6.2. As part of the eligibility assessment, all prospective clients must submit a complete set of corporate documentation, including but not limited to:

(i) Certificate of Incorporation and an official company registry extract confirming active legal status;

(ii) Full List of Directors and disclosure of all Ultimate Beneficial Owners (UBOs), supported by valid identification documents;

(iii) Proof of registered business address within a jurisdiction acceptable under the Company’s risk-based framework;

(iv) Description and organisational chart outlining shareholding structure and controlling interests;

(v) Valid and current regulatory licenses or authorisations, if applicable (e.g. EMI/PSP for financial institutions, CASP license for service providers);

(vi) A written business description and intended use case for crypto-assets, including expected transaction flows, asset types, and volumes;

(vii) Source of funds and source of wealth of the company and its UBOs.

6.3. In some cases additional documentation such as Enhanced Due Diligence (EDD) reports, source-of-funds declarations, audited financials, or third-party AML attestation may be required.

6.4. No client may access the Company’s platform or services until onboarding is successfully completed and verified.

6.5. The Compliance Department holds exclusive authority to determine the eligibility of clients for onboarding, classification, and continued access to services. All eligibility and classification decisions must be documented and reviewed by a designated Compliance Officer. In complex cases involving regulatory ambiguity, high-risk activities, or third-country licenses, a second-level compliance review is triggered and must be resolved prior to onboarding approval.

6.6. While the Operations Department may assist with document intake, technical validation of wallet ownership, and ongoing file maintenance, final approval remains within the purview of the Compliance function.

6.7. In accordance with the principles of fair access and non-discriminatory service provision, the Company applies uniform eligibility and verification standards across all client categories, irrespective of client size, jurisdiction, volume, or commercial relevance. No preferential onboarding terms, fast-track channels, or exemptions are offered, unless expressly required or permitted by law or supervisory guidance (e.g. AML regulatory relief, sanctioned country derogations).

7. THE COMPANY’S RULES OF CONDUCT TOWARDS CLIENTS

7.1. The Company upholds strict non-discriminatory principles across all operational and client service processes. All approved clients are granted uniform access to services, pricing, and infrastructure regardless of their size, nationality, transaction frequency, or commercial profile. The Company’s commitment to equal treatment is embedded in both the design of the platform and its procedural safeguards, in line with applicable regulatory standards.
7.2. The Company guarantees equal access to all approved services for every Client that has successfully completed onboarding. All technical and functional features offered through the platform are identical across the three predefined client categories: Corporate Clients, Financial Institutions, and Crypto Asset Service Providers (CASPs).

7.3. Service pricing is determined solely based on objective market inputs and a pre-defined pricing model comprising fixed fees or transparent spreads. No client-specific discounts, mark-ups, rebates, or preferential pricing terms are applied. The Company does not differentiate access or fees based on nationality, scale of operations, or trading volume.

7.4. These commitments are structured around two operational pillars:

(i) Uniform Service Conditions — All approved clients are subject to the same system access, service features, and functional capabilities;

(ii) Objective and Transparent Pricing Execution — Pricing is governed by pre-set, non-arbitrary conditions with no scope for discretionary adjustments in favour of specific clients.

7.5. The Company at all times adheres to the following guiding principles:

(i) Treat clients fairly, professionally, and consistently with their best interests;

(ii) Ensure strict non-discriminatory access to all services;

(iii) Apply transparent and objective standards to all pricing, execution, and operational workflows.

7.6. To safeguard these principles in practice, the Company implements a multi-tiered framework for monitoring, governance, and enforcement, consisting of:

(i) Standardised Onboarding and Eligibility Procedures – All applicants undergo uniform KYB/KYC, AML/CFT, and risk-based screening processes; Evaluation criteria are standardized across all client categories and do not consider nationality, commercial value, or size; Upon successful onboarding, clients are granted access to the full suite of trading, settlement, and transfer functionalities available through the Company’s platform.

(ii) Functional Parity of Services – The same API, web interface, and transactional workflows are made available to all categories of clients; Key post-trade processes, including transaction routing, settlement cycles, custody management, and liquidity provider access, are executed through shared and identical infrastructure; The Company does not offer special routing paths, faster execution queues, or privileged handling mechanisms to any individual client or class of clients.

(iii) Governance Oversight and Corrective Mechanisms – The Compliance Department conducts periodic reviews of client onboarding results and key service performance indicators, such as execution latency, settlement times, and access logs; Any indication of disparity or preferential treatment is escalated internally and subject to immediate investigation, with corrective action implemented as necessary; All findings are reported to senior management to ensure ongoing accountability and continual improvement of fairness controls.

8. METHOD OF DETERMINING THE PRICE OF CRYPTOASSETS

8.1. The Company determines the price of each crypto-asset using an objective, market-driven methodology that relies on real-time liquidity provider data and predefined calculation formulas. This approach ensures pricing is transparent, auditable, and non-discriminatory, and that it is applied uniformly across all clients regardless of identity, nationality, or transaction volume.
8.2. Prices are derived from executable quotes obtained via secure APIs from multiple regulated or reputable institutional liquidity providers (LPs), including Kraken Institutional (Payward Europe Solutions Limited), B2C2 (B2C2 Ltd), and other Tier-1 exchanges. The system continuously retrieves and refreshes live bid-ask prices and order book depth at frequent intervals.

8.3. Internal validation checks are performed against public reference indices to ensure consistency, and aggregated data is used to minimise the impact of any outliers or market distortions. This ensures that all clients receive prices based on fair and current market conditions.

8.4. A standardised transaction fee or mark-up is added to the market price to cover operational, execution, and compliance costs. This fee is determined according to a fixed schedule based on the client’s assigned risk tier:

(i) Fee levels are predefined (e.g., Low = 0.5%, Medium = 0.75%, High = 1%) and strictly linked to the client’s risk classification;

(ii) The fee does not vary based on the client’s volume, jurisdiction, or commercial profile;

(iii) Clients with higher compliance or jurisdictional risks may incur higher fixed fees, proportionate to the objectively assessed cost of risk mitigation;

(iv) These fee tiers are visible in the client profile and disclosed during onboarding to ensure informed consent.

8.5. Execution is performed at the next available market price at the time of the client’s order instruction. All transactional details, including executed price, spread, and timestamp, are logged in the transaction ledger and maintained for full auditability.

8.6. Post-trade analytics are performed to compare execution outcomes against market benchmarks, thereby verifying best execution standards and identifying any anomalies or deviations. This ensures that the pricing model remains effective, fair, and consistent over time.

8.7. The Compliance Department continuously monitors the alignment between fee levels and risk scores. No manual fee override is allowed without documented Compliance approval.

8.8. The entire pricing process is governed by internal controls to safeguard against arbitrary, biased, or preferential pricing, in full compliance with MiCA Article 77(2) requirements.

| Step | Process | Fair Treatment Safeguard |
|---|---|---|
| 1. Risk Profiling | Each client undergoes a formal AML/Compliance risk assessment (jurisdiction, business activity, transaction pattern). | Risk scoring is standardised and recorded in the Client Risk Register. |
| 2. Fee Determination | The system assigns a fee tier (e.g., Low = 0.5%; Medium = 0.75%; High = 1%) based solely on the approved risk score. | Formulaic calculation — no manual override permitted without Compliance approval. |
| 3. Disclosure | The client’s fee tier is communicated in advance during onboarding and included in the service agreement. Fees are also visible in the client profile. | Ensures transparency and informed consent. |
| 4. Periodic Review | Risk scores and fee tiers are re-evaluated at least annually or upon material change. | Allows fee reduction if risk decreases (symmetry principle). |
| 5. Oversight | Compliance monitors correlation between risk levels and fees to ensure consistency and non-discriminatory application. | Prevents arbitrary or biased pricing. |

9. PRICING DISCLOSURE CHANNELS

9.1. The Company ensures that all clients have timely and transparent access to pricing information prior to the execution of any transaction.
9.2. Pricing is displayed within the client dashboard before order confirmation. This includes the applicable exchange rate, transaction fee (or spread), and the total amount the client is expected to receive or pay. The disclosure ensures full visibility into transaction costs at the point of execution, allowing the client to make an informed decision.

9.3. A dedicated “Pricing and Fees” section is available on the Company’s official website. It contains a current version of the Fee Schedule, including standardised transaction fees and mark-ups across different services and risk tiers. Clients are encouraged to consult this page regularly to remain informed of applicable rates.

9.4. The pricing methodology and applicable charges are detailed in the Company’s Terms and Conditions, which are accessible at the time of onboarding and via the Company website. These legal terms serve as a binding framework, outlining how pricing is calculated, applied, and disclosed.

9.5. Clients are encouraged to independently verify indicative exchange rates through publicly available reference sources. All disclosures are designed to ensure full transparency, eliminate ambiguity, and uphold the Company’s commitment to fair and non-discriminatory treatment across all client categories.

10. MARKET DATA SOURCES AND EMERGENCY PROCEDURES FOR PRICING FAILURES

10.1. The Company obtains real-time market data from trusted institutional LPs via secure APIs. These sources supply live executable prices (bid/ask) and order book depth. The system continuously fetches and updates prices based on current market conditions to ensure accurate and timely execution.
10.2. In the event of a data feed interruption or abnormal market behavior, the system automatically suspends price updates and halts trade execution to prevent erroneous pricing.

10.3. The incident is immediately escalated to the Head of Operations, who verifies data integrity and determines whether to resume trading or apply fallback pricing using verified manual inputs.

10.4. All such events are logged, and Compliance is informed without delay to ensure transparency and client protection. Clients are notified of any temporary suspension or change via the platform interface and email communication.

10.5. These procedures safeguard the reliability of pricing and uphold the principles of fairness, transparency, and non-discrimination.

11. DATA PROTECTION

11.1. The Company maintains a structured and secure system for the recording, storage, and long-term retention of all information collected and generated during the client onboarding process. This includes, but is not limited to, Know-Your-Business (KYB) assessments, client classification decisions, internal approvals, risk scores, and supporting corporate documentation. These records are vital for demonstrating regulatory compliance, supporting audit trails, and enabling supervisory inspections under applicable anti-money laundering and counter-terrorist financing (AML/CFT) legislation.

11.2. All onboarding data is stored within the Company’s internal infrastructure, which includes an integrated Admin Web Application environment, secure internal servers, and dedicated compliance repositories. Each entry is timestamped, linked to the responsible Compliance or Operations staff member, and cross-referenced with underlying documents, ensuring full accountability and traceability.

11.3. The Company retains all such records throughout the duration of the client relationship and for a minimum of five (5) years following the termination of the relationship or the execution of the last transaction, unless a longer retention period is required by applicable law or regulatory instruction.

11.4. Information is stored across a defined suite of secured repositories, each governed by strict access control protocols and designated data ownership. The core repositories include:

(i) Compliance Management System (CMS): This system functions as the primary compliance repository. It stores full onboarding profiles, KYB documentation (including corporate filings, licensing documents, shareholder declarations), client classification reports, internal approval logs, and notes of Compliance Officer review. The CMS is designed to ensure immutability of records and enforce version control. Access is strictly restricted to personnel within the Compliance, AML, and Risk Management departments, each operating under role-based permission levels;

(ii) Customer Risk Register (CRM Extension): A specialised extension within the CRM framework that tracks the risk profile, assigned client category (Corporate Client, Financial Institution, or Virtual Asset Service Provider (VASP)), and any subsequent reclassification events. This module also records triggers for enhanced due diligence (EDD), changes in transactional behaviour, or regulatory alerts. Access is limited to authorised Compliance and AML officers responsible for client monitoring and periodic reviews;

(iii) Document Management System (DMS): Serves as the central digital archive for evidentiary documents, including original and updated versions of corporate certificates, licences, board resolutions, signed declarations, and client correspondence. Files are stored in tamper-evident formats (PDF/A), with embedded metadata for audit verification. Access is granted solely to personnel in Compliance and Internal Audit departments;

(iv) Fireblocks and Core Platform Transaction Logs: These logs maintain an immutable and timestamped ledger of client transactions, wallet activity, account-level changes, and related cryptographic proofs. Logs are linked to the client’s internal ID and are periodically reviewed as part of ongoing transaction monitoring. Data is stored within the Company’s blockchain infrastructure and core financial platform. Access is limited to designated members of the Operations and IT Security teams;

(v) Backup Servers (EU-Based Cloud Infrastructure): All client data, including onboarding files, system logs, and compliance reports, are redundantly stored in geographically distributed, ISO 27001-certified, EU-hosted cloud environments. These servers are configured to meet Digital Operational Resilience Act (DORA) standards, ensuring resilience against system failures, cyber incidents, and natural disasters. Backup data is encrypted at rest and in transit, with decryption keys managed by a hardened Key Management System (KMS). Only IT and Security Administrators with elevated clearance may access or restore this data.

11.5. All repositories are protected using advanced security mechanisms, including multi-factor authentication (MFA), encryption, audit logging, and access recertification controls. Periodic reviews and reconciliations of the stored data are conducted at least annually by the Compliance and Internal Audit teams to ensure currency, completeness, and compliance with regulatory expectations. Any anomalies, outdated documentation, or inconsistencies identified during these reviews are escalated for remedial action, including potential client reclassification or offboarding.

11.6. This multilayered storage and retention framework ensures full alignment with international best practices for financial integrity, data protection, and supervisory readiness, and supports the Company’s broader risk governance model.

12. CONTROL AND COMPLIANCE MECHANISMS

12.1. This Policy is owned by the Compliance Department and is subject to a formal governance process to ensure its continued relevance, accuracy, and effectiveness. The Policy is reviewed at least annually, or sooner if triggered by regulatory developments, supervisory feedback, or material changes in the business model. Proposed updates are initially drafted by the Compliance Department, reviewed collaboratively with the Operations Team and the Chief Financial Officer (CFO), and approved by Senior Management.

12.2. To uphold the Company’s commitment to the principles of non-discrimination, fairness, and transparency, a structured internal monitoring and assurance framework is implemented.

12.3. This framework ensures equal treatment across all Clients and includes four core pillars: compliance monitoring, audit and transparency, complaints and redress mechanisms, and outcome-based supervisory assurance.

12.4. The design of this framework ensures both preventative and detective controls are applied to detect, correct, and prevent any unequal access or discriminatory pricing practices.

12.5. Clients benefit from full transparency over their service conditions and have the ability to review pricing, access rights, and execution quality at any time.

12.6. Compliance-led monthly checks are conducted to identify and evaluate whether there are discrepancies in service access, pricing models, or execution quality across different client categories or segments.

12.7. The Company leverages data analytics to detect anomalies, such as irregular fee spreads, unexplained latency differences, or unusual rejection rates by client type. All flagged items are subject to investigation and remediation.

12.8. Internal audits are performed quarterly to verify that actual practices align with the Company’s published fee schedules, trading conditions, and order-handling protocols.

12.9. Clients are afforded clear and accessible insight into their pricing and execution treatment through disclosure dashboards and periodic statements, enabling them to verify service fairness and adherence to agreed terms.

12.10. The Company maintains a formal, documented complaints-handling procedure that ensures any client alleging unfair treatment is given an impartial and timely response under clearly defined timelines and standardized processing rules.

12.11. Complaints are centrally logged, categorized, and reviewed by the Compliance function. Complaint data are also integrated into the conduct-risk dashboard to identify recurring issues or systemic discrepancies across the client base.

12.12. The effectiveness of the Company’s fairness obligations is evaluated using objective outcome-based indicators: Access equality (demonstrated through standardized onboarding protocols and uniform platform functionality), Pricing equality (validated through automated fee computation models tied to objective market inputs and verified through public disclosures) and Execution equality (evidenced via real-time best-execution monitoring, timestamp audits, and control sample testing).

13. FINAL PROVISIONS

13.1. This Policy is reviewed at least once per year by the Compliance Department or earlier in case of regulatory updates, supervisory feedback, or internal risk triggers.

13.2. Draft updates are prepared by the Compliance Department and approved by Senior Management. All approved versions are archived and version-controlled.

13.3. The latest approved version is published on the Company’s official website. Clients are expected to regularly monitor the website for updates. The Company may also notify clients of material changes via email or system notification.

13.4. In case of conflicting provisions, the version ensuring the highest level of client protection and regulatory compliance shall prevail.

13.5. Invalid or unenforceable clauses do not affect the rest of the Policy and will be replaced promptly.

13.6. Clients may contact the Compliance Department for clarifications using the contact details on the official website.

END OF POLICY