CLIENT VIRTUAL ASSETS POLICY

1. POLICY STATEMENT

XchangeOn FZCO (“XchangeOn,” “we,” “us,” or “our”) is committed to the highest standards of asset segregation, security, and transparency when holding and managing Client Virtual Assets. This policy outlines how XchangeOn, in partnership with Fireblocks, safeguards all client assets—ensuring clear demarcation from company-owned funds, robust key management, and stringent controls around transfers between hot and cold wallets.

2. DEFINITIONS

  • a) Client Virtual Assets: All virtual assets held or controlled by XchangeOn on behalf of a client in connection with XchangeOn’s Exchange Services. Excluded are balances representing fees or costs immediately due to XchangeOn.
  • b) Hot Wallets: Online, readily accessible wallets managed via Fireblocks for day-to-day transaction processing (e.g., client withdrawals, on-chain settlement).
  • c) Cold Wallets: Offline, air-gapped wallets managed via Fireblocks MPC that store the vast majority of Client Virtual Assets (≥ 95%) for long-term security.
  • d) Custody Service Provider: Fireblocks, a third-party provider that handles key management, transaction signing, and secure wallet infrastructure under XchangeOn’s direction.

3. CUSTODY & SEGREGATION OF CLIENT ASSETS

  • 1. Trust Basis & Segregation:
    • Client Virtual Assets are held in trust. They are never commingled with XchangeOn’s own holdings.
    • All client deposits route into distinct omnibus wallets controlled by Fireblocks. XchangeOn’s ledger system tracks each client’s entitlement on a one-to-one basis.
    • XchangeOn will provide (has provided) VARA with the full list of public keys and wallet addresses (hot and cold) currently in use for client custody.
  • 2. Fireblocks Integration:
    • Fireblocks provides MPC-based key storage and transaction signing.
    • Fireblocks’s Multi‐Party Computation (MPC) ensures that private keys never exist in a single location; at least 2-of-3 MPC signatures are required to authorize any hot‐wallet transaction.
    • Cold wallet private keys likewise remain protected within Fireblocks’s air‐gapped HSM architecture.
  • 3. Hot vs. Cold Wallet Ratios:
    • At least 95% of all Client Virtual Assets (by USD value) are maintained in Fireblocks cold wallets.
    • No more than 5% of aggregate client holdings reside in hot wallets for transaction liquidity.
    • XchangeOn maintains insurance coverage that specifically protects assets stored in hot wallets up to the insured amount.

4. BANKRUPTCY-REMOTE SAFEGUARDS

  • 1. Legal Title & Off-Balance-Sheet Treatment:
    • All virtual assets held in XchangeOn’s Fireblocks workspace remain at all times the sole, beneficial property of the relevant client.
    • Such assets do not form part of XchangeOn’s assets in the event of liquidation, administration, restructuring or any similar proceeding.
  • 2. No Lien, Charge or Set-Off:
    • Neither XchangeOn nor Fireblocks holds, nor may assert, any lien, pledge, encumbrance or right of set-off over client virtual assets.
    • This includes securing XchangeOn’s own obligations or those of any third party.
  • 3. Contingency Transfer Plan:
    • Should XchangeOn become subject to an insolvency filing or material resolution event, the Audit & Risk Committee will instruct Fireblocks to act.
    • This is done under the standing “Change of Control / Insolvency Instruction Letter” lodged with the custodian.
    • Fireblocks will (i) freeze all omnibus client wallets and (ii) transfer the full balances to bankruptcy-remote successor wallets controlled by an independent trustee or court-appointed administrator within 48 hours of receiving such instruction.

5. NO RE-HYPOTHECATION OR USE OF CLIENT ASSETS

  • 1. Absolute Prohibition:
    • XchangeOn shall not re-pledge, lend, stake, rehypothecate or otherwise encumber any client virtual assets without the client’s express, prior, written consent in a transaction-specific agreement.
  • 2. Operational Segregation:
    • Client wallets: labelled “XchangeOn-Clients” on-chain and in Fireblocks.
    • Corporate wallets: labelled “XchangeOn-Corp”.
    • Automated controls within the custody policy engine prevent any transfer between these wallet groups except for expressly authorised fee deductions disclosed in the Terms of Service.
  • 3. Disclosure Statement:
    • Clients are informed of the above prohibition at onboarding and via this public policy.
    • Any future proposal to use client assets (e.g., staking services) will require an opt-in process at the individual-client level and pre-approval by VARA.

6. SECURITY CONTROLS & KEY MANAGEMENT

  • 1. Key Generation & Storage:
    • Fireblocks’s MPC cluster generates, stores, and rotates private key shares across geographically separated zones.
    • XchangeOn personnel with “Signer” privileges are limited to designated Crypto Operations staff, subject to strict IAM policies and multi‐factor authentication.
  • 2. Daily Reconciliation & Monitoring:
    • A real‐time automated reconciliation process compares Fireblocks’s reported wallet balances (hot + cold) with XchangeOn’s internal ledger snapshots before opening each trading day.
    • Any discrepancies trigger an immediate investigation by the Crypto Operations team and must be resolved within 24 hours.
  • 3. Transfer Thresholds & Multi‐Sig Approvals:
    • Any transfer from a cold wallet requires:
      • Two independent MPC signatures (2-of-3 threshold)
      • Approval by the Head of Crypto Operations (secondary sign‐off)
      • Recording of the transaction request, with full audit metadata (timestamp, requester ID, amount, destination)
    • Transfers above a predefined USD threshold (e.g., ≥ $200,000) require an additional Senior Management sign-off and compliance review.
  • 4. Backups & Redundancy:
    • Fireblocks performs encrypted backups of all key shares to a geographically separate, off‐site vault.
    • XchangeOn retains daily snapshots of wallet addresses and audit logs in immutable, write-once storage for eight (8) years.
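
The two controls in 6.2 and 6.3 (and the wallet-group rule in 5.2) can be expressed as simple policy checks. The block below is an added illustration, not XchangeOn's or Fireblocks' software: the balances, requester ids, wallet names and the $200,000 threshold are constructed from the figures the policy quotes, and the group labels come from section 5.2.

```python
"""Added example of the section 6 reconciliation and cold-wallet transfer gates.
Not XchangeOn's or Fireblocks' code; names, balances and thresholds are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from decimal import Decimal

MPC_THRESHOLD = 2                       # 2-of-3 key shares must sign (6.3)
HIGH_VALUE_USD = Decimal("200000")      # illustrative threshold quoted in 6.3
CLIENT_GROUP, CORP_GROUP = "XchangeOn-Clients", "XchangeOn-Corp"  # labels from 5.2


def _d(x) -> Decimal:
    """Coerce ints, floats or strings to Decimal so sample inputs stay exact."""
    return Decimal(str(x))


def reconcile(custodian: dict, ledger: dict) -> list:
    """Compare custodian-reported balances (hot + cold, summed per asset) with
    the internal ledger's client entitlements. Returns the discrepancies;
    an empty list means the books match and the trading day may open."""
    out = []
    for asset in sorted(set(custodian) | set(ledger)):
        held = _d(custodian.get(asset, 0))
        owed = _d(ledger.get(asset, 0))
        if held != owed:
            out.append({"asset": asset, "custodian": held, "ledger": owed,
                        "delta": held - owed})
    return out


@dataclass
class TransferRequest:
    requester_id: str
    amount_usd: Decimal
    source_group: str
    destination_group: str
    destination: str
    mpc_signatures: int = 0            # key shares that have signed so far
    head_of_ops_signoff: bool = False  # secondary sign-off (6.3)
    senior_mgmt_signoff: bool = False  # required at/above HIGH_VALUE_USD
    compliance_reviewed: bool = False  # required at/above HIGH_VALUE_USD
    fee_deduction: bool = False        # the only permitted client->corp flow (5.2)
    requested_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))

    def __post_init__(self):
        self.amount_usd = _d(self.amount_usd)


def authorize_cold_transfer(req: TransferRequest) -> dict:
    """Apply the 6.3 gates (plus the 5.2 wallet-group rule) and return the
    decision together with the audit metadata the policy says must be recorded."""
    missing = []
    if req.source_group != req.destination_group and not req.fee_deduction:
        missing.append("wallet_group_segregation")
    if req.mpc_signatures < MPC_THRESHOLD:
        missing.append("mpc_threshold")
    if not req.head_of_ops_signoff:
        missing.append("head_of_crypto_ops")
    if req.amount_usd >= HIGH_VALUE_USD:
        if not req.senior_mgmt_signoff:
            missing.append("senior_management")
        if not req.compliance_reviewed:
            missing.append("compliance_review")
    return {
        "approved": not missing,
        "missing": missing,
        "audit": {"timestamp": req.requested_at.isoformat(),
                  "requester_id": req.requester_id,
                  "amount_usd": str(req.amount_usd),
                  "destination": req.destination},
    }


if __name__ == "__main__":
    # constructed balances: the custodian reports 0.5 ETH more than clients are owed
    print(reconcile({"BTC": "10", "ETH": "100.5"}, {"BTC": "10", "ETH": "100"}))
    req = TransferRequest("ops-17", "50000", CLIENT_GROUP, CLIENT_GROUP,
                          "hot-wallet-1", mpc_signatures=2, head_of_ops_signoff=True)
    print(authorize_cold_transfer(req))
```

The decision object carries the list of unmet gates rather than a bare boolean, so the same output can feed both the policy engine's block and the audit log that 6.3 requires.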

7. INDEPENDENT AUDITS & TESTING

  • 1. Annual Penetration Testing & Smart-Contract Audits:
    • XchangeOn engages a qualified third‐party auditor (e.g., Hacken OÜ) to perform annual vulnerability assessments, penetration testing, and, when relevant, smart‐contract code reviews.
    • Audit reports are submitted to VARA upon request and retained for regulatory inspection.
  • 2. Ongoing Security & Vulnerability Scanning:
    • Regular (monthly) automated scans of infrastructure and application layers for vulnerabilities.
    • Quarterly external system vulnerability audits, with findings reviewed by the Security Committee.
  • 3. Fireblocks Attestation:
    • XchangeOn obtains and verifies Fireblocks’s SOC 2 compliance attestation and NIST‐aligned security reports annually.
    • Any critical issues flagged by Fireblocks’s own auditors must be remediated within 30 days, with evidence provided to XchangeOn’s Compliance team.

8. DEPOSITS, TRAVEL RULE & COMPLIANCE

  • 1. Deposit Process:
    • Upon client initiation of a deposit from an external wallet, XchangeOn automatically screens the origin address (sanctions, AML/CFT).
    • If additional Travel-Rule information is required, the system requests beneficiary details (name, address, account number).
    • Failure to provide valid Travel Rule data prompts a transaction reversal to the originator address (minus network fees).
    • Successful deposits update the client’s XchangeOn ledger balance in real time; transaction details are recorded in an immutable, timestamped log.
  • 2. Client Liability & Irreversibility:
    • All on-chain deposits are final and irreversible once confirmed by the blockchain.
    • Clients are responsible for using the correct deposit address; misrouted or unsupported token deposits may be unrecoverable.
  • 3. Deposit Limits:
    • XchangeOn imposes dynamic daily deposit limits per client, based on KYC tier.
    • Exceeding a deposit limit requires manual review and approval by the Compliance team.

9. WITHDRAWALS & RISK MANAGEMENT

  • 1. Withdrawal Authorization:
    • Clients initiate withdrawals by specifying: network, token, destination address, and amount.
    • Each request must be confirmed via:
      • Funding password
      • Real-time 6-digit code from Google Authenticator (2FA)
      • Separate one-time passcodes (OTPs) sent via SMS and email
  • 2. Real-Time Risk Scoring:
    • An automated risk-management engine evaluates:
      • Account activity (recent login, password/2FA changes)
      • Withdrawal size vs. historical volume
      • Destination address reputation (sanctions, blacklists)
    • High-risk withdrawals (e.g., new device, large value, flagged destination) trigger a “pending” status for manual compliance review (within 2 business hours).
  • 3. Cold-to-Hot Replenishment:
    • When a hot-wallet balance falls below a pre-defined buffer (e.g., $200,000 USD equivalent), Crypto Operations triggers a cold-wallet transfer.
    • That transfer requires full MPC signature threshold and Senior Management approval if exceeding the high-value threshold.
  • 4. Withdrawal Limits & Controls:
    • Clients may voluntarily assign a personal withdrawal cap lower than the default platform ceiling.
    • Any request to raise a cap:
      • Undergoes 24-hour cooling-off and fresh MFA
      • Requires Compliance approval if the new cap exceeds USD 250,000 / 24 h or lifts a previously set cap
      • Is refused where inconsistent with AML/CFT risk or regulatory instructions
    • XchangeOn retains the right to impose, reduce, or freeze withdrawal limits at its sole discretion to comply with liquidity safeguards, AML/CFT duties, or VARA instructions.
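
The risk engine described in 9.2 weighs three kinds of signal and holds the withdrawal for review when the combined picture is high-risk. The following block is an added example, not XchangeOn's engine: the point weights, the 30-day average baseline, the 24-hour credential-change window and the $50,000 "large value" cut-off are all constructed assumptions chosen to make the three inputs the policy lists (account activity, size versus history, destination reputation) visible in the result.

```python
"""Added example of the 9.2 real-time risk scoring for withdrawals. Example code,
not XchangeOn's engine; weights, thresholds and inputs are constructed."""
from dataclasses import dataclass
from decimal import Decimal

REVIEW_THRESHOLD = 50                 # score at/above which the request goes "pending"
LARGE_VALUE_USD = Decimal("50000")    # constructed "large value" cut-off


@dataclass
class WithdrawalContext:
    amount_usd: Decimal
    avg_withdrawal_usd_30d: Decimal       # client's historical volume baseline
    new_device: bool                      # login from a device not seen before
    hours_since_credential_change: float  # password / 2FA change recency
    destination_flagged: bool             # sanctions or blacklist screening hit
    destination_seen_before: bool         # address previously used by this client

    def __post_init__(self):
        self.amount_usd = Decimal(str(self.amount_usd))
        self.avg_withdrawal_usd_30d = Decimal(str(self.avg_withdrawal_usd_30d))


def score_withdrawal(ctx: WithdrawalContext) -> dict:
    """Return the score, the reasons that produced it, and the resulting status."""
    score, reasons = 0, []

    def hit(points: int, reason: str):
        nonlocal score
        score += points
        reasons.append(reason)

    # destination reputation: a screening hit alone is enough to hold the request
    if ctx.destination_flagged:
        hit(100, "destination_flagged")
    elif not ctx.destination_seen_before:
        hit(10, "destination_first_use")

    # account activity: recent login context and credential changes
    if ctx.new_device:
        hit(30, "new_device")
    if ctx.hours_since_credential_change < 24:
        hit(30, "recent_credential_change")

    # withdrawal size vs. the client's own history, plus an absolute size band
    base = ctx.avg_withdrawal_usd_30d
    if base > 0 and ctx.amount_usd > 5 * base:
        hit(30, "amount_5x_history")
    elif base > 0 and ctx.amount_usd > 2 * base:
        hit(15, "amount_2x_history")
    if ctx.amount_usd >= LARGE_VALUE_USD:
        hit(20, "large_value")

    status = "pending_compliance_review" if score >= REVIEW_THRESHOLD else "approved"
    return {"score": score, "reasons": reasons, "status": status}


if __name__ == "__main__":
    # constructed case: new device, 2FA reset an hour ago, never-seen destination
    ctx = WithdrawalContext("1000", "1500", True, 1.0, False, False)
    print(score_withdrawal(ctx))
```

Keeping the reasons alongside the score lets the compliance reviewer see why a request was held, which matters for the two-business-hour review window the policy sets.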

10. ON-EXCHANGE TRANSACTIONS

  • 1. Order Placement & Execution:
    • Clients place market or limit orders by specifying price, quantity, and trading pair.
    • To confirm a new order, the client enters the funding password.
    • Once authenticated, the order is routed to the matching engine; maker orders rest on the order book; taker orders match immediately.
    • A temporary “password waiver” session (1 hour) is granted after entering the funding password, during which new orders in the same session do not require re-entry of the password.
  • 2. Ledger Updates:
    • Upon trade execution, both the buyer’s and the seller’s internal ledger balances are updated in real time.
    • Trade records—including execution price, quantity, timestamp, and order IDs—are stored in an immutable transaction log.
  • 3. Zero-Balance Protection:
    • Clients cannot place orders that would overdraw their available balance.
    • Sufficient-funds checks occur before matching; if an order partially fills and the client’s balance is insufficient for the remainder, the residual order is automatically canceled.
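
Section 10.3 describes two distinct checks: a pre-match test that a limit order is fully covered, and a rule that an order which can no longer be paid for once it starts filling has its residual cancelled rather than overdrawing the account. The block below is an added example, not XchangeOn's matching engine; the order book levels, pair names and balances are constructed, and the choice to cancel the residual as soon as the next fill cannot be paid in full is an assumption about how the policy sentence is implemented.

```python
"""Added example of the 10.3 zero-balance protection. Example code, not
XchangeOn's matching engine; order book, pair and balances are constructed."""
from decimal import Decimal


class InsufficientFunds(Exception):
    """Raised when an order would overdraw the available balance."""


def _d(x) -> Decimal:
    return Decimal(str(x))


def check_funds(balances: dict, side: str, pair: str, price, qty) -> tuple:
    """Pre-match check for a limit order: a buy must be fully covered in the
    quote asset, a sell in the base asset. Returns (asset, required) or raises."""
    base, quote = pair.split("/")
    if side == "buy":
        asset, required = quote, _d(price) * _d(qty)
    else:
        asset, required = base, _d(qty)
    available = _d(balances.get(asset, 0))
    if available < required:
        raise InsufficientFunds(f"{asset}: need {required}, have {available}")
    return asset, required


def fill_market_buy(balances: dict, pair: str, qty, asks: list) -> dict:
    """Walk the ask side of the book for a market buy. Each fill is debited
    immediately; when the next fill cannot be paid for in full, the residual is
    cancelled instead of overdrawing the account (the 10.3 rule, as assumed here)."""
    base, quote = pair.split("/")
    remaining = _d(qty)
    fills = []
    for price, level_qty in asks:            # asks must be sorted best price first
        if remaining <= 0:
            break
        take = min(_d(level_qty), remaining)
        cost = _d(price) * take
        available = _d(balances.get(quote, 0))
        if cost > available:
            break                            # residual cannot be funded: cancel it
        balances[quote] = available - cost
        balances[base] = _d(balances.get(base, 0)) + take
        fills.append((str(price), str(take)))
        remaining -= take
    if remaining == 0:
        status = "filled"
    elif fills:
        status = "partially_filled_residual_cancelled"
    else:
        status = "cancelled"
    return {"status": status, "fills": fills, "residual": str(remaining)}


if __name__ == "__main__":
    # constructed book: three 0.001 BTC levels; 150 USDT only covers two of them
    book = [("50000", "0.001"), ("51000", "0.001"), ("52000", "0.001")]
    bal = {"USDT": "150"}
    print(fill_market_buy(bal, "BTC/USDT", "0.003", book), bal)
```

Balances are mutated in place as each fill is recorded, so the quote balance can never go negative even if the book is deeper than the client's funds.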

11. TRANSACTION LIMITS & RESTRICTIONS

  • 1. Self-Imposed Limits:
    • Clients can configure daily/weekly/monthly spending or withdrawal caps via their security settings.
    • To modify these caps, clients must re-enter their funding password, 2FA code, SMS OTP, and email OTP.
  • 2. Company-Imposed Limits:
    • XchangeOn may, at its discretion, impose or adjust transaction limits (deposits, withdrawals, trades) on individual accounts for:
      • AML/CFT compliance
      • Sanctions screening
      • High-risk jurisdictions
      • VARA directives
    • Affected clients receive notice via email and must comply with any additional documentation or verification steps.

12. GOVERNANCE, MONITORING & REVIEW

  • 1. Risk Oversight & Reporting:
    • The Head of Crypto Operations and Chief Compliance Officer jointly oversee the Client Virtual Assets Policy.
    • Monthly reporting to the Risk Committee (including balance reconciliation, MPC sign-off logs, and any security incidents).
    • Quarterly executive review of:
      • Cold/hot wallet ratio
      • Insurance coverage status
      • Audit findings and remediation progress
      • Regulatory feedback from VARA inspections
  • 2. Policy Review & Amendments:
    • This policy is reviewed at least annually or whenever:
      • XchangeOn introduces new products or chains
      • Fireblocks updates its custody architecture
      • VARA issues new guidance on asset custody
      • Security incidents reveal gaps in existing controls
    • Any material changes require approval by the Board of Directors and publication to all staff within five (5) business days.

Approval & Acknowledgment:

This Client Virtual Assets Policy was approved by the Board of Directors on June 5, 2025.

CCO CEO