Summary of Policy on Safeguarding Client Assets

1. Policy Statement

• Gate Technology FZE (“Company”, “we”, “us”, “our” or “ours”) is committed to ensuring the safe custody of Client Virtual Assets (as defined hereinafter). As such, we have established a safeguarding client assets policy (“Policy”) to detail how the Company stores and manages keys pertaining to virtual assets storage wallets and out the methods, thresholds, internal controls and auditing processes for transfer of virtual assets between the hot and cold wallets maintained by the Company.

• In this Summary, “Client Virtual Assets” shall mean all virtual assets held or controlled by the Company on behalf of a client in the course of, or in connection with, the carrying on of the regulated activity of Exchange Services, except for:

  (a) virtual assets immediately due and payable to the Company for any fees or other charges that are leviable from the client under the User Agreement, whether for services provided to the client or otherwise; or

  (b) amounts payable by the Company for expenses incurred on behalf of the client.

2. Protection of Client Virtual Assets

• The Company is authorized to collect virtual assets only in the course of its provision of exchange services only. The Company acknowledges that the Client Virtual Assets are held in trust for the clients. Client Virtual Assets must be identifiable and secure at all times. There will be no intermingling or co-mingling of Client Virtual Assets with the Company’s own virtual assets. The Company shall not collect or accept any deposits or offer itself out as a custodian of virtual assets, by way of business. The Company shall hold the Client Virtual Assets in separate virtual asset wallets from all virtual assets of the Company. The Company has submitted to VARA a list of the public keys and wallet addresses (hot/cold) that are currently managed by the Company.

• Client Virtual Assets are not held for depository liabilities or assets of the Company. All Client Virtual Assets shall be held on a one-to-one basis. The Company shall not authorize the creation of any encumbrance over the Client Virtual Assets. All proceeds related to Client Virtual Assets shall accrue to the Client’s benefit.

• The Company shall maintain reserves for the value of the Client Virtual Assets held in the safe custody of the Company. The Company shall engage a qualified and independent third-party auditor to conduct vulnerability assessments and penetration testing [including, to the extent relevant to the Company’s business and activities, comprehensive audits of the effectiveness, enforceability and robustness of all smart contracts] at least on an annual basis. Prior to the introduction of any new systems applications and products, the Company must provide the results of any such assessments and tests to VARA upon VARA’s request.

• The Company shall maintain effective internal functions and measures for continuous monitoring of its operation and processes. In particular, the Company shall, on a regular basis or otherwise on request received from VARA, perform:

  (i) security testing on both infrastructure and applications; and

  (ii) internal system and external system vulnerability audits.

• Evidence of tests and audits must be documented by the Company.

• The Company will transfer at least 95% of the Client Virtual Assets to be kept at the cold wallet and under 5% of Client Virtual Assets may be kept at the hot wallet. Also, the Company has obtained insurance against the value of Client Virtual Assets in hot wallets.

• Additionally, the Company has adopted various measures in aspects such as infrastructure, key holders arrangements, daily reconciliation, signature arrangements, wallet and key generation, backup keys, and wallet access for the safe custody of Client Virtual Assets.

3. Deposits, Withdrawals, Transactions and Restrictions

• (1) Deposits

  A deposit is initiated by the client (or an originator) from an outside address. Unless certain information is required from the client, the client generally is not required to take any actions.

  Upon detection by the Company, it will initiate the necessary steps including address screening and request information (if necessary) for Travel Rule compliance purposes. Where client is unable to provide certain information for Travel Rule purposes, the transaction would be reversed and the asset would be returned to the originating address (gas fees do apply), given that there are no money-laundering risks involved.

  After the assessments have been passed, the account balance of the client’s account will be updated accordingly.

• (2) Withdrawals

  To effect a withdrawal transaction, a client would need to input the particulars of the transaction including the network (i.e. chain), recipient address, and quantity, and confirm on the transaction details by entering the funding password, the real-time generated code from Google Authenticator and the two distinct OTPs sent to the client via text message and email.

  A real-time risk management tool would be used to check the status of the account of the client, and after passing the assessment, the relevant quantity will be deducted from the account of the client. The transaction will then be sent to the blockchain for processing.

  The withdrawals are also subject to the transaction limits set up by the client or the Company.

• (3) Transactions

  To effect an on-exchange transaction, a client would need to input the particulars of the transaction such as the price, conditions, and quantity, and confirm the transaction details by entering the funding password. The requirement of entering the funding password can be waived for the upcoming transactions for a one-hour period after the funding password is inserted, and the waiver shall lapse after one hour.

  Upon the completion of the on-exchange transaction, the account balances of the accounts of the two clients will be updated.

• (4) Transaction Limits

  The Company provides the option for clients to set transaction limits for their outgoing transactions.

  To set a transaction limit, the client would need to enter the parameters into the system and confirm so by entering the funding password, an OTP from Google Authenticator, and the two distinct OTPs sent to the client via text message and email. Any transaction over the limit would require to undergo the same procedures. A notification will be sent to the client after the transaction limit has been changed.

  In certain circumstances, the Company may also set transaction limits or restrictions due to various reasons such as for legal, compliance and/or regulatory purposes.