Compliance, Legal & Corporate Governance

Privacy Policy

At Attrus, we take our responsibility to protect the privacy, confidentiality, integrity, and availability of personal information extremely seriously. We implement a comprehensive, risk-based data privacy and information security framework aligned with applicable laws, regulatory expectations, and industry best practices.

 

1. Data Privacy and Information Security Program

Without limiting Attrus’ obligation of confidentiality, Attrus shall establish and maintain a data privacy and information security program, including physical, technical, administrative, and organizational safeguards, designed to:

(a) ensure the security and confidentiality of User data;
(b) protect against any anticipated threats or hazards to the security or integrity of User data;
(c) protect against unauthorized disclosure, access to, or use of User data;
(d) ensure the proper disposal of User data; and
(e) ensure that all employees, agents, and subcontractors of Attrus comply with all of the foregoing.

In no case shall the safeguards of Attrus’ data privacy and information security program be less stringent than applicable legal, regulatory, or industry standards.

 

2. Security Governance, Audits and Oversight

Attrus maintains a strong governance structure to ensure continuous monitoring, accountability, and improvement of its security framework:

  • Attrus shall conduct, no less than annually, a comprehensive independent third-party audit of its data privacy and information security program related to its platform and services;
  • Attrus may provide audit findings to clients where required by contractual or regulatory obligations;
  • Clients shall have the right to review Attrus’ data privacy and information security program prior to onboarding and from time to time during the relationship;
  • Clients may, at their own expense, conduct or request on-site audits or, alternatively, require Attrus to complete audit questionnaires within forty-five (45) days;
  • Attrus shall implement mutually agreed safeguards and remediation measures arising from audits or reviews.

 

3. Financial Crime Compliance and Risk Controls

Attrus implements risk-based controls to prevent fraud, financial crime, and misuse of its platform, including:

  1. Verification of publicly available information indicating potential illegal activity (including, where applicable, beneficial owners);
  2. Screening against sanctions and restricted party databases (including OFAC and equivalent lists);
  3. Verification of potential involvement in tax evasion within relevant jurisdictions;
  4. Verification of potential involvement in money laundering activities;
  5. Assessment of whether the financial capacity of a client is compatible with transaction volumes;
  6. Monitoring and tracking of transactions, including maintaining records of wallets and bank accounts used in digital asset-related transactions where applicable.

These controls are aligned with AML/CFT regulatory expectations and internal compliance policies.

 

4. Technical and Organizational Security Measures

Attrus adopts industry-standard technical safeguards to ensure system integrity, confidentiality, and availability, including:

  • Secure API authentication (e.g., JWT tokens);
  • IP access restrictions;
  • Signed requests and responses;
  • Multi-factor authentication (2FA);
  • Strong password requirements aligned with industry standards;
  • Encryption of sensitive data in transit and at rest (including SSL/TLS);
  • Secure infrastructure hosted with trusted providers;
  • Continuous monitoring, logging, and anomaly detection systems.

 

5. Data Collection, Use and Processing for Security Purposes

Attrus processes personal information to:

  • Provide and operate its digital platforms and services;
  • Verify identity and authenticate users;
  • Detect, prevent, and investigate fraud and unauthorized activity;
  • Perform analytics, monitoring, and system optimization;
  • Improve services, develop new functionalities, and enhance user experience;
  • Comply with legal, regulatory, and contractual obligations.

Attrus ensures that personal data is limited to what is necessary, kept accurate and up to date, and retained only as long as required for legitimate business or legal purposes.

 

6. Requests for Information and Source of Funds Verification

Attrus may, at its discretion, request personal and/or corporate documentation from Users.

Clients expressly authorize Attrus to request from their Users any documents necessary to verify:

  • the origin of funds;
  • whether such funds relate to liquidity, outward transfers, or outward payments; and
  • whether such funds were legitimately obtained.

This is part of Attrus’ regulatory obligations and financial crime compliance framework.

 

7. Data Security Practices and Legal Compliance

Attrus shall comply with all applicable laws and regulations in connection with the collection, storage, use, processing, and transfer of User data.

Attrus shall also comply with any additional privacy or data security requirements formally communicated by clients, to the extent applicable and legally permissible.

 

8. Access Credentials and User Responsibilities

Users are responsible for selecting, maintaining, and safeguarding their access credentials, including usernames, emails, and passwords.

Users must employ diligent efforts to ensure credentials remain secure and that no unauthorized third-party access occurs.

Attrus shall not be responsible for damages resulting from:

  • unauthorized disclosure of credentials due to user negligence; or
  • failure to comply with required security standards.

 

9. Data Breach and Incident Response

In the event of any act, error, omission, negligence, misconduct, or breach that compromises or is suspected to compromise the security, confidentiality, or integrity of personal data, Attrus shall:

(a) notify affected parties without undue delay and no later than 48 hours after becoming aware of the occurrence;

(b) cooperate fully in investigating the incident, including providing access to relevant logs, records, files, and data;

(c) in the case of personally identifiable information (PII), at the election of the client:
(i) notify affected individuals within the legally required timeframe, or, if none applies, within ten (10) business days; or
(ii) reimburse the client for costs associated with such notifications;

(d) provide credit and identity monitoring services to affected individuals where required by law, or for no less than twelve (12) months if no legal requirement exists;

(e) take all necessary actions to comply with applicable laws and regulatory obligations;

(f) indemnify, defend, and hold harmless clients and their representatives against any claims, including reasonable legal fees and expenses; and

(g) provide a detailed remediation and prevention plan within ten (10) business days.

Notifications shall be written in clear and plain language and include:

  • description of the incident;
  • types of data involved;
  • date or estimated date of occurrence;
  • potential impact;
  • mitigation measures taken;
  • recommended protective actions;
  • contact details;
  • information on monitoring services provided.

These obligations shall survive termination of the relationship.

 

10. Data Sharing and International Transfers

Attrus may transfer and process personal data across jurisdictions to support its global operations.

Such transfers are conducted in accordance with applicable data protection laws and appropriate safeguards, including contractual and regulatory mechanisms.

 

11. Third-Party Service Providers

Attrus may engage trusted third-party providers to support its operations.

All such providers are subject to appropriate contractual, technical, and organizational safeguards to ensure the protection of personal data.

 

12. Continuous Improvement and Policy Updates

Attrus continuously reviews and enhances its data security and privacy framework to reflect:

  • evolving regulatory requirements;
  • technological advancements;
  • emerging risks;
  • business developments.

Users are encouraged to review this policy periodically.

If you have any comments, questions or concerns about any of the information in this Online Privacy Policy, or any other issues relating to the processing of your personal information by Attrus under this Policy, please contact your regular Attrus client service contact.