GLOBAL DATA PRIVACY & PROTECTION POLICY

Date: January 1, 2026

Version: 1.0.6

SECTION 1: GOVERNANCE FRAMEWORK, SCOPE, AND LEGAL TAXONOMY

1.1. Statement of Privacy Mandate: This Global Data Privacy & Protection Policy (hereinafter the “Policy”) constitutes a definitive and rigorous framework governing the acquisition, processing, archival, and transmission of Personal Data and Meta-Data within the banxtack™ infrastructure. This Policy is engineered to satisfy the high-velocity requirements of global financial technology standards and ensures compliance with a plurality of international data protection regimes, including but not limited to the General Data Protection Regulation (EU 2016/679) (“GDPR”), the UK Data Protection Act 2018, the California Consumer Privacy Act (“CCPA”), and other equivalent statutory mandates in jurisdictions where the Company’s technology is deployed.

1.2. Bipartite Legal Designation (Controller vs. Processor): A fundamental legal distinction is hereby established regarding the Company’s role in the data lifecycle:

  • (a) banxtack™ as a Data Controller: The Company acts as a Data Controller regarding the Personal Data of its direct corporate Clients, Prospective Clients, and Visitors to the Website. This encompasses data processed for the purposes of sales, technical walkthroughs, eligibility evaluations, and corporate account management.
  • (b) banxtack™ as a Data Processor: In the context of the operational "White-Label" infrastructure—including the utilization of multi-asset ledgers, card issuance bridges, and compliance engines—the Client (the licensed financial entity) acts as the Data Controller, and banxtack™ acts strictly as the Data Processor. In this capacity, the Company processes End-User data solely under the documented instructions of the Client to facilitate the technical execution of the Client’s financial products.

1.3. Jurisdictional Neutrality and Portability: This Policy is designed to remain effective regardless of the specific corporate seat of Syntra Nexus Pte. Ltd. It acknowledges that data sovereignty laws vary by region; consequently, the Company implements a "Highest Common Denominator" approach to privacy, ensuring that the most stringent global standards are applied to the "Atomic Reconciliation" and ledger-based data processing across the entire ecosystem.

1.4. Incorporation by Reference: This Policy is inextricably linked to, and forms an integral part of, the Master Terms and Conditions. By engaging with the Website or the Infrastructure, you hereby acknowledge the data processing modalities outlined herein as being necessary for the functional integrity of the composable financial system.

1.5. Definition of Terms: For the purposes of this Policy, “Personal Data” refers to any information relating to an identified or identifiable natural person; “Processing” refers to any operation or set of operations performed upon Personal Data, whether or not by automated means; and “Infrastructure Data” refers to the technical metadata generated through the orchestration of fiat and virtual asset flows.

SECTION 2: DATA TAXONOMY—CATEGORIES OF INFORMATION SUBJECT TO PROCESSING

2.1. Categorization by Engagement Tier: The Company classifies the data subject to its processing activities into discrete taxonomies based on the nature of the engagement and the functional pillar of the infrastructure being utilized. This classification is essential for the maintenance of "Atomic Reconciliation" and the rigorous audit trails required for global financial compliance.

2.2. Tier I: Corporate and Client-Level Personal Data: In its capacity as a Data Controller, the Company collects and processes information necessary for the establishment and maintenance of the commercial relationship with its Clients. This includes:

  • Administrative Identifiers: Full legal name, professional title, corporate affiliation, and verified business contact credentials of Client personnel.
  • Due Diligence & Eligibility Data: Documentation required for the formal "Eligibility Evaluation," including corporate charters, regulatory licenses, and identification data of Ultimate Beneficial Owners (UBOs) as part of the Company’s internal KYB (Know Your Business) protocols.
  • Commensurate Communications: Detailed records of pre-contractual engagements, technical product walkthroughs, and support ticket metadata within the Back-Office Operational Command Center.

2.3. Tier II: Infrastructure-Derived End-User Data: In its capacity as a Data Processor, the Company processes data on behalf of the Client through the "Identity Orchestration" and "AML Engine" modules. This data taxonomy includes:

  • Identity & Onboarding Metadata: Comprehensive identification dossiers including national identification numbers, passport scans, proof of residency, and socio-economic profiling (e.g., source of wealth/funds) as dictated by the Client’s specific risk appetite.
  • Biometric & Liveness Metadata: High-fidelity biometric templates and liveness verification data processed to facilitate secure end-user onboarding and prevent synthetic identity fraud.
  • Ledger-Based Transactional Data: Immutable records of value storage and movement, encompassing fiat currency identifiers (IBAN, SWIFT, Sort Codes), virtual asset wallet addresses, and cryptographic transaction hashes.
  • Card Ecosystem Data: Information derived from the "Payment Cards & Issuance" pillar, including Primary Account Numbers (PANs) in masked or tokenized form, expiration dates, and Merchant Category Code (MCC) data utilized for custom spending logic and authorization protocols.

2.4. Tier III: Technical, Telemetric, and Security Metadata: To ensure the systemic integrity and cyber-resilience of the composable system, the Company processes technical data points, which may include:

  • Network Identifiers: Internet Protocol (IP) addresses, device fingerprinting, and browser characteristics utilized to detect and mitigate "Data Poisoning" or unauthorized API ingress.
  • Cryptographic Signatures: Security tokens, API keys, and session-based identifiers required for the authentication of requests within the Experience Layer and the Back-Office interfaces.
  • Operational Logs: Real-time telemetric logs of system performance, atomic reconciliation events, and automated workflow triggers.

2.5. Anonymized and Aggregated Data Protocols: The Company reserves the right to process anonymized, de-identified, or aggregated data derived from the infrastructure for the purposes of benchmarking, systemic performance optimization, and the training of fraud detection algorithms. Such data, being stripped of all personal identifiers, does not constitute "Personal Data" under this Policy and remains the proprietary intellectual property of the Company.

SECTION 3: LEGAL BASIS FOR PROCESSING AND REGULATORY NECESSITY

3.1. Plurality of Legal Grounds: The Company processes Personal Data only where a valid legal basis exists under applicable international data protection statutes. Given the sophisticated nature of the banxtack™ infrastructure, which operates at the intersection of technology and regulated finance, the Company relies on a plurality of legal justifications to ensure the continuity and legality of its operations.

3.2. Performance of Contractual Obligations: The primary basis for the processing of Client-level data and the technical orchestration of End-User data is the necessity to perform the contractual obligations set forth in the Master Terms and Conditions and subsequent Master Services Agreements (MSAs). This includes:

  • Infrastructure Provisioning: Facilitating the "Atomic Reconciliation" of multi-asset ledgers and ensuring the functional integrity of the payment card issuance bridge.
  • Systemic Communication: Providing critical system updates, technical support, and operational notifications via the Back-Office Operational Command Center.
  • Workflow Execution: Executing automated settlement logic, fiat-to-crypto conversion protocols, and global payment rail routing as directed by the Client.

3.3. Compliance with Global Regulatory Mandates: As a provider of financial software infrastructure, the Company is architected to facilitate the Client's compliance with rigorous legal edicts. Processing is deemed necessary for:

  • Anti-Money Laundering (AML) & CTF: Facilitating real-time transaction screening, sanctions monitoring (OFAC, UN, HM Treasury), and the identification of Politically Exposed Persons (PEPs) via the AML & Compliance Engine.
  • Reporting Obligations: Generating the "Investigations & Reporting" templates and audit trails required by financial conduct authorities and central banks in the Client’s operational jurisdictions.
  • Auditability: Maintaining a historical record of asset movements to satisfy the record-keeping requirements inherent in the provision of financial-grade software.

3.4. The Doctrine of Legitimate Interests: The Company processes certain data based on its "Legitimate Interests" in maintaining a secure and high-performance ecosystem. These interests are carefully balanced against the privacy rights of the data subjects and include:

  • Cyber-Resilience and Fraud Mitigation: Implementing "Identity Orchestration" checkpoints and "Dynamic Risk Scoring" to detect and neutralize synthetic identity fraud, "Data Poisoning" attempts, and unauthorized API ingress.
  • Infrastructure Optimization: Analyzing anonymized telemetric data to improve the latency of the "Experience Layer" and the efficacy of the "Pricing & Fee Engine."
  • Legal Defense and Risk Management: Establishing, exercising, or defending legal claims arising from the use or misuse of the banxtack™ infrastructure.

3.5. Affirmative Consent and Authorization: Where processing is not covered by contractual necessity or legal obligation—specifically in relation to certain biometric liveness checks or discretionary marketing communications—the Company (or the Client, acting as the Data Controller) shall obtain the affirmative, informed, and unambiguous consent of the data subject. Such consent may be withdrawn at any time through the designated administrative channels, subject to the retention requirements necessitated by the legal bases described in Sections 3.2 and 3.3.

3.6. Vital Interests and Public Interest: In exceptional circumstances, the Company may process data where it is necessary to protect the vital interests of an individual or where processing is required for tasks conducted in the public interest, such as the prevention of systemic financial crime or cooperation with law enforcement agencies during emergency forensic investigations.

SECTION 4: DATA DISSEMINATION, SUB-PROCESSING, AND ECOSYSTEM INTEGRATION

4.1. The Interconnected Infrastructure Principle: The Counterparty acknowledges that the banxtack™ infrastructure operates as a consolidated gateway to a global ecosystem of financial institutions, payment networks, and compliance providers. To facilitate the "Atomic Reconciliation" and the "Payments & Money Movement" pillars, the Company must disseminate certain data to authorized third-party entities (collectively, “Integrated Partners” or “Sub-Processors”).

4.2. Categories of Authorized Recipients: Personal and Transactional Data may be disclosed to the following categories of recipients, strictly as necessitated by the functional requirements of the Services:

  • Regulated Financial Institutions: Tier-1 and Tier-2 banks (e.g., Banking Circle, Currencycloud) for the purpose of fund safeguarding, clearing, and global rail settlement.
  • Card Scheme Networks: Global payment networks (Visa, Mastercard) for the authorization, tokenization, and clearing of transactions initiated via the "Card Issuance" pillar.
  • Identity & Forensic Partners: Specialized providers (e.g., Sumsub, Chainalysis) integrated into the AML & Compliance Engine to perform liveness checks, blockchain forensic analysis, and sanctions screening.
  • Institutional Custodians: Regulated digital asset custodians (e.g., Fireblocks, BitGo) for the secure storage and movement of virtual assets via the "Secure Custody Bridge."
  • Regulatory & Law Enforcement Authorities: Competent judicial or administrative bodies where disclosure is mandated by statute, court order, or the "Investigations & Reporting" requirements of the Client's jurisdiction.

4.3. Sub-Processor Governance and Due Diligence: The Company maintains a rigorous Sub-Processor Selection Policy. Before integrating any third-party provider into the infrastructure, the Company performs an ICT Risk Assessment to ensure the provider employs technical and organizational measures (TOMs) commensurate with the sensitivity of the data being processed.

4.4. Contractual Safeguards (DPAs): In accordance with global data protection standards, the Company enters into formal Data Processing Agreements (DPAs) with all Sub-Processors. These agreements stipulate that the Sub-Processor may only process data under the explicit instruction of the Company, maintain strict confidentiality, and notify the Company of any security incidents within accelerated timeframes.

4.5. Zero-Sale Policy: banxtack™ explicitly represents and warrants that it does not, and will not, "sell" Personal Data (as defined by the CCPA or similar statutes) to third parties for marketing, advertising, or data-brokering purposes. Data dissemination is restricted solely to the operational requirements of the financial software infrastructure.

4.6. Internal Dissemination: Within the Company, access to Client and End-User data is restricted to authorized personnel (e.g., DevOps, FinOps, and Compliance Engineers) on a "Need-to-Know" basis. All internal access is governed by Role-Based Access Control (RBAC) and is monitored through immutable audit logs within the Back-Office command center.

SECTION 5: GLOBAL DATA SOVEREIGNTY AND INTERNATIONAL TRANSFER PROTOCOLS

5.1. Transborder Data Flow Mandate: The Counterparty acknowledges that the banxtack™ infrastructure is a globally distributed system designed for high-velocity cross-border asset movement. Consequently, the processing of Personal Data and Transactional Metadata may necessitate the transfer of information across international borders to jurisdictions that may have data protection standards different from those of the Counterparty’s country of origin.

5.2. Data Residency vs. Data Portability: While the Company utilizes geo-redundant data centers to ensure "Atomic Reconciliation" and operational resilience, the functional execution of "Payments & Money Movement" (e.g., SWIFT or SEPA Instant transfers) requires data to follow the financial rails. The Company implements a "Strategic Data Placement" policy, aiming to store data within the region of the Client’s primary operations (e.g., EEA, UK, or North America) unless the technical nature of the transaction dictates otherwise.

5.3. Legal Mechanisms for International Transfers: To ensure the "Fintech Shield" of privacy remains intact during transborder movements, the Company employs the following legal safeguards:

  • (a) Adequacy Decisions: Transfers to jurisdictions officially recognized by the European Commission or the UK Information Commissioner's Office (ICO) as providing an "adequate" level of data protection.
  • (b) Standard Contractual Clauses (SCCs): In the absence of an adequacy decision, the Company utilizes the latest version of the Standard Contractual Clauses (or the International Data Transfer Addendum in the UK) to provide enforceable rights and effective legal remedies for data subjects.
  • (c) Supplementary Measures: The Company applies technical supplementary measures, including end-to-end encryption (E2EE) and pseudonymization, to protect data against unauthorized access by foreign governmental authorities during transit.

5.4. Compliance with Local Sovereignty Edicts: The Counterparty is responsible for notifying the Company of any specific local data residency requirements (e.g., the Russian Data Localization Law or the Chinese PIPL) that may impact their specific deployment. The Company will employ commercially reasonable efforts to accommodate such localized requirements through its composable infrastructure modules.

5.5. Impact Assessments: The Company periodically conducts Transfer Impact Assessments (TIAs) to evaluate the legal environment of the third countries to which data is transferred. These assessments ensure that the protections afforded by the banxtack™ infrastructure are not undermined by the domestic laws of the recipient jurisdiction.

SECTION 6: TEMPORAL DATA GOVERNANCE, RETENTION, AND FORENSIC ARCHIVAL

6.1. The Principle of Storage Limitation: In accordance with the principle of "Data Minimization," the Company implements a rigorous Temporal Data Governance framework. Personal Data and Infrastructure Metadata shall be retained only for the duration necessary to fulfill the specific purposes for which they were collected, as outlined in Section 3 of this Policy, or as mandated by the statutory limitations of the jurisdictions in which the banxtack™ ecosystem operates.

6.2. Categorized Retention Schedules: The Company maintains a "Multi-Tiered Retention Schedule" to balance operational efficiency with legal compliance:

  • (a) Pre-Contractual Engagement Data: Data collected during technical walkthroughs or eligibility evaluations for Prospective Clients who do not proceed to a formal Master Services Agreement (MSA) shall be purged within twelve (12) months of the last active communication, unless a longer period is required for the prevention of fraudulent "re-entry" attempts.
  • (b) Operational Transactional Data: Records of asset movements, atomic reconciliation logs, and ledger entries shall be retained for a period of seven (7) to ten (10) years following the date of the transaction. This duration is mandated by global Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) statutes to ensure "Forensic Archival" capability for regulatory audits.
  • (c) Identity & Onboarding Records: End-User identification dossiers, including biometric liveness metadata and UBO mapping, shall be maintained for the duration of the Client’s active subscription and for a period of five (5) to seven (7) years post-termination, as necessitated by financial conduct authority (FCA, SEC, or equivalent) record-keeping edicts.
  • (d) Technical Telemetry & Logs: System security logs, IP ingress data, and API heartbeat metadata are typically rotated or purged after ninety (90) days, unless flagged for an active security investigation or forensic post-mortem.

6.3. Forensic Archival and Legal Hold: Notwithstanding the standard retention schedules, the Company reserves the unilateral right to impose a "Legal Hold" on any data taxonomy. This occurs when data is deemed relevant to an active or anticipated judicial proceeding, regulatory inquiry, or internal investigation within the "Investigations & Reporting" module. Data under Legal Hold is sequestered from the standard purging cycles until the legal necessity has been formally resolved.

6.4. Secure Decommissioning and Irreversible Deletion: Upon the expiration of the mandated retention period, the Company utilizes industry-standard "Secure Decommissioning" protocols. This involves the use of cryptographic erasure (crypto-shredding) or multi-pass digital overwriting to ensure that Personal Data is rendered permanently irrecoverable. The Company provides a "Certificate of Deletion" to Clients upon request following the decommissioning of a branded white-label instance.

6.5. Regulatory Deviation: The Counterparty acknowledges that certain jurisdictions may impose "Sovereign Retention Mandates" that conflict with the Company's standard schedules. In such instances, the "Business Configuration" module allows for the adjustment of retention parameters to ensure the Client remains in compliance with their local administrative edicts.

SECTION 7: TECHNICAL SAFEGUARDS, ICT RISK MANAGEMENT, AND CYBERSECURITY RESILIENCE

7.1. Infrastructure Security Posture: The Company maintains an enterprise-grade cybersecurity architecture designed to protect the "Atomic Reconciliation" and data integrity of the banxtack™ infrastructure. In alignment with global operational resilience standards—including the Digital Operational Resilience Act (DORA) and ISO/IEC 27001/27002—the Company implements a "Defense-in-Depth" strategy, ensuring that multiple layers of security controls protect Personal Data and Infrastructure Metadata from unauthorized access, alteration, or exfiltration.

7.2. Cryptographic Protocols and Data Sanitization: To maintain the "Fintech Shield" of privacy, the Company utilizes high-velocity cryptographic standards:

  • Data at Rest: All Personal Data, ledger entries, and Identity Orchestration dossiers are encrypted utilizing AES-256 (Advanced Encryption Standard) with robust key management protocols.
  • Data in Transit: All communications between the Experience Layer, the API interfaces, and the Back-Office Command Center are secured via TLS 1.3 (Transport Layer Security) or higher, utilizing modern cipher suites to prevent interception or "Man-in-the-Middle" (MITM) assaults.
  • Pseudonymization: Transactional metadata is pseudonymized wherever possible to reduce the risk of re-identification in the event of a perimeter breach.

7.3. Network Integrity and Perimeter Defense: The Company utilizes a multi-layered network security framework:

  • Micro-Segmentation: The infrastructure pillars (Accounts, Cards, Payments, Crypto) are isolated within discrete network segments to prevent lateral movement by unauthorized actors.
  • WAF & DDoS Mitigation: A sophisticated Web Application Firewall (WAF) and automated DDoS mitigation layers protect the Website and API endpoints from high-velocity cyber-assaults and "Data Poisoning" attempts.
  • Zero-Trust Architecture: Access to the Back-Office Operational Command Center is governed by "Zero-Trust" principles, requiring multi-factor authentication (MFA) and device-level verification for every administrative session.

7.4. ICT Risk Management and Continuous Monitoring: The Company operates a proactive ICT Risk Management Framework, which includes:

  • Automated Threat Detection: Real-time monitoring of system logs and API heartbeat data to identify anomalous patterns indicative of a security incident or unauthorized ingress.
  • Vulnerability Management: Regular automated scanning and periodic third-party penetration testing of the "composable system" to identify and remediate zero-day vulnerabilities.
  • Security Awareness: Continuous training for all banxtack™ engineers and administrative staff on data protection hygiene and social engineering defense.

7.5. Disaster Recovery and Operational Continuity: To ensure the permanence of the multi-asset ledgers, the Company maintains:

  • Geo-Redundant Archival: Real-time data mirroring across geographically disparate, Tier-III data centers to ensure instantaneous failover and zero-loss of ledger state in the event of a regional infrastructure failure.
  • Atomic Backup Protocols: Immutable backups of all infrastructure metadata, stored in a sequestered environment to protect against ransomware or systemic data corruption.

7.6. Incident Response and Regulatory Notification: In the event of a material data breach or systemic security failure, the Company maintains a formal Incident Response Plan (IRP). Consistent with global regulatory windows (e.g., GDPR Article 33), the Company shall notify the affected Data Controller (the Client) without undue delay, typically within 24 to 48 hours of confirming the breach, to allow for timely notification to relevant supervisory authorities and affected data subjects.

SECTION 8: DATA SUBJECT RIGHTS AND THE MECHANIZATION OF PRIVACY AGENCY

8.1. Empowerment of the Data Subject: In accordance with global data protection frameworks, including the GDPR and CCPA, banxtack™ acknowledges a comprehensive suite of rights afforded to individuals (the “Data Subjects”) whose information is processed via the infrastructure. The Company is committed to the "Mechanization of Privacy Agency"—the provision of technical and administrative pathways that allow individuals to exercise control over their digital footprint within the composable system.

8.2. Taxonomy of Statutory Rights: Every Data Subject whose information resides within the banxtack™ ecosystem possesses the following non-alienable rights:

  • (a) Right of Access (Data Portability): The right to receive a machine-readable, structured dossier of their Personal Data and Transactional Metadata.
  • (b) Right to Rectification: The right to demand the immediate correction of inaccurate or incomplete ledger-associated data or identity dossiers.
  • (c) Right to Erasure (“The Right to be Forgotten”): The right to request the permanent deletion of their Personal Data, subject to the "Forensic Archival" mandates outlined in Section 6.
  • (d) Right to Restriction of Processing: The right to "freeze" the processing of their data during a legal dispute or verification period.
  • (e) Right to Object: The right to object to processing based on "Legitimate Interests" or for the purposes of automated profiling within the "Dynamic Risk Scoring" module.
  • (f) Rights Related to Automated Decision-Making: The right to contest decisions made solely by automated logic (e.g., automated AML rejection) and to request human intervention from the Client’s compliance team.

8.3. Implementation Protocol in the White-Label Context: The Counterparty acknowledges that because banxtack™ operates as a Data Processor for end-user data, the primary responsibility for responding to "Subject Access Requests" (SARs) rests with the Client (the Data Controller).

  • Client Autonomy: The "Back-Office Operational Command Center" provides the Client with native tools to independently retrieve, export, or redact end-user data to satisfy SARs without direct Company intervention.
  • Company Assistance: In circumstances where the Client cannot fulfill a request through the administrative interface, the Company shall provide reasonable technical assistance to facilitate compliance, provided such assistance does not compromise the "Atomic Reconciliation" or security of other platform participants.

8.4. Identity Verification and Request Integrity: To prevent "Privacy-Based Social Engineering" or unauthorized data exfiltration, any request to exercise a statutory right must undergo a rigorous identity verification process. The Company (or the Client) reserves the right to request "Identity Orchestration" proofing before releasing or modifying any data taxonomy.

8.5. Temporal Response Covenants: The Company warrants that it shall act upon instructions from the Data Controller regarding subject rights without undue delay. In its capacity as a Data Controller for its own direct Clients, the Company commits to responding to verified requests within thirty (30) calendar days, unless the complexity of the "Forensic Archival" retrieval necessitates a lawful extension of up to two additional months.

8.6. Non-Discrimination and Financial Incentive: Consistent with the CCPA and global fairness standards, the Company represents that no user shall be discriminated against (e.g., through degraded API performance or increased fees) for exercising their privacy rights.

SECTION 9: REGULATORY COOPERATION, INVESTIGATIVE DISCLOSURE, AND LEGAL COMPULSION

9.1. The Doctrine of Regulatory Transparency: banxtack™ acknowledges that the operation of financial infrastructure is subject to the rigorous oversight of global administrative, judicial, and financial regulatory authorities. The Company is committed to a policy of "Constructive Cooperation" with such entities to maintain the security and legality of the global financial system, while simultaneously protecting the "Fintech Shield" and the data sovereignty of its Clients.

9.2. Jurisdictional Compulsion and Law Enforcement Access: The Company may be legally compelled to disclose Personal Data, Transactional Metadata, or Infrastructure Logs to competent governmental authorities, including law enforcement agencies, financial intelligence units (FIUs), and tax authorities. Such disclosure shall only occur under the following conditions:

  • (a) Legal Validity: The request is supported by a valid, enforceable judicial order, warrant, subpoena, or a formal administrative mandate that carries the force of law in the Company’s jurisdiction of operation or the jurisdiction of the relevant data residency.
  • (b) Specificity and Proportionality: The Company shall employ commercially reasonable efforts to narrow the scope of any disclosure to the specific data points necessitated by the legal request, resisting "Bulk Data Collection" or overbroad investigative inquiries.
  • (c) Verification of Authority: The Company’s legal department shall verify the authenticity and jurisdictional authority of the requesting agency prior to the release of any information from the multi-asset ledgers or identity dossiers.

9.3. Notification Protocols and "Gag Orders":

  • (a) General Rule of Notification: Unless prohibited by law or the specific terms of a court order, the Company shall utilize its best efforts to notify the Client (the Data Controller) of any third-party request for their data. This notification is intended to allow the Client to seek protective orders or contest the disclosure through their own legal counsel.
  • (b) Sovereign Secrecy (Gag Orders): The Counterparty acknowledges that in certain "National Security" or "Anti-Money Laundering" investigations, the Company may be served with a "Nondisclosure Order" (Gag Order). In such instances, the Company is legally prohibited from informing the Client of the existence of the inquiry or the fact that data has been disclosed.

9.4. Mechanization of Investigative Support: The infrastructure provides the Client with autonomous tools within the "Investigations & Reporting" module to fulfill their own regulatory reporting obligations.

  • Automated SAR/STR Generation: The system facilitates the generation of Suspicious Activity Reports (SARs) and Suspicious Transaction Reports (STRs) based on "Dynamic Risk Scoring" and "AML Engine" alerts.
  • Regulator-Ready Audit Trails: The Client can export regulator-ready, immutable audit trails that demonstrate the "Atomic Reconciliation" and compliance history of their branded instance.

9.5. Non-Interference with Systemic Integrity: Under no circumstances shall the Company grant any regulatory body or law enforcement agency direct, unmonitored "Backdoor Access" to the core infrastructure, source code, or cryptographic keys. All investigative disclosures are performed through controlled, documented, and audited administrative pathways to ensure the continued security of the broader banxtack™ ecosystem.

9.6. Indemnification for Compelled Disclosure: The Counterparty agrees to indemnify and hold the Company harmless from any claims, losses, or liabilities arising from the Company’s good-faith compliance with a seemingly valid legal request from a sovereign authority. The Company shall not be liable for the consequences of any data disclosure performed under the color of legal authority.

SECTION 10: POLICY EVOLUTION, GOVERNANCE UPDATES, AND CONTACT PROTOCOLS

10.1. Iterative Policy Evolution: The Counterparty acknowledges that the financial technology landscape, regulatory environment, and the banxtack™ infrastructure itself are subject to continuous evolution. Consequently, the Company reserves the unilateral and absolute right to modify, amend, or restate this Global Data Privacy & Protection Policy at any time. Such revisions are conducted to ensure the "Fintech Shield" remains resilient against emerging cyber-threats and compliant with shifting international data sovereignty edicts.

10.2. Manifestation of Continued Assent: Any amendments to this Policy shall be deemed effective immediately upon their publication on the Website or within the Back-Office Operational Command Center. The "Effective Date" at the commencement of this document shall serve as the primary indicator of the policy’s current version. Your continued utilization of the Website, APIs, or any infrastructure pillar following the posting of an updated version constitutes your irrevocable manifestation of assent to the revised terms of processing.

10.3. Communication of Material Changes: In the event of a "Material Change"—defined as a significant alteration to the legal basis for processing, a change in the primary data residency, or the integration of a Tier-1 Sub-Processor that substantially impacts the data flow—the Company shall employ commercially reasonable efforts to provide direct notification to its Clients via the designated administrative contact channels.

10.4. Hierarchy of Governance: In the event of any irreconcilable conflict between the provisions of this Policy and the data processing stipulations contained within a bespoke Master Services Agreement (MSA), the terms of the MSA shall take precedence, provided that such terms do not violate the mandatory requirements of the prevailing data protection statutes.

10.5. Mechanization of Feedback and Privacy Inquiries: The Company maintains a dedicated Privacy Office to oversee the governance of the infrastructure’s data lifecycle. All inquiries regarding this Policy, requests for Data Processing Addendums (DPAs), or the exercise of statutory rights should be directed to the following verified channels:

  • Data Protection Officer: dpo@banxtack.com
  • General Legal & Business Affairs: business@banxtack.com

10.6. Formal Service of Process and Corporate Ingress: For formal legal notices or communications regarding data sovereignty that require physical service, such correspondence must be directed to the Company’s registered office:

Syntra Nexus Pte. Ltd.

68 Circular Road, #02-01, 049422, Singapore

10.7. Severability and Survival: If any provision of this Policy is held by a court of competent jurisdiction to be invalid, illegal, or unenforceable, the remaining provisions shall remain in full force and effect. All obligations regarding data confidentiality, forensic archival, and indemnification shall survive the termination of the Counterparty’s relationship with the Company in perpetuity.