MASTER TERMS AND CONDITIONS

Date: January 1, 2026
Version: 1.0.6

SECTION 1: LEGAL ARCHITECTURE AND BINDING INDENTURE

1.1. Contractual Parties and Corporate Designation: This Master Terms of Service (hereinafter referred to as the “Agreement” or “Terms”) constitutes a definitive and comprehensive legal indenture executed between the corporate entity identified as Syntra Nexus Pte. Ltd., including its parent companies, subsidiaries, successors, and permitted assigns (collectively referred to as “Banxtack™”, “the Company”, “we”, “us”, or “our”), and any natural person, legal person, or unincorporated association (hereinafter referred to as the “Counterparty”, “Visitor”, “User”, or “you”) who accesses, interacts with, or retrieves data from the digital interfaces and informational portals situated at www.banxtack.com (the “Website”).

1.2. Manifestation of Assent and Point of Ingress: By the act of electronic ingress to the Website, or by the initiation of any technical inquiry, API ping, or pre-contractual correspondence, you hereby interpose an absolute and irrevocable manifestation of assent to be bound by these Terms in their entirety. This Agreement operates as a "Browse-wrap" and, where applicable, a "Click-wrap" contract. If you are acting as an agent or representative of a legal entity, you hereby warrant and covenant that you possess the requisite corporate authority to bind said entity to the obligations, liabilities, and waivers contained herein. If such authority is absent, or if you do not concur with every provision of this indenture, you must immediately cease all interaction with the Website and its underlying metadata.

1.3. Jurisdictional Portability and Global-Neutral Framework: This Agreement is engineered for global application. While the Company may maintain registered offices in specific jurisdictions (currently identified as the United Kingdom), this indenture is drafted to remain enforceable under the prevailing principles of international commercial law. You acknowledge that the Company’s corporate seat may change; consequently, these Terms are designed to survive such transition, with the "Governing Law" being defined as the laws applicable to the Corporate Entity at any given point in time, unless otherwise specified in a subsequent Master Services Agreement (MSA).

1.4. Bipartite Structural Distinction (Informational vs. Operational): A fundamental legal distinction is hereby established between the two tiers of engagement:

• Tier I (Informational Engagement): These Terms govern the public-facing, informational, and pre-contractual layers of the Website. No license to the production environment is granted at this stage.
• Tier II (Operational Infrastructure): The actual deployment of the Banxtack™ composable financial system—including access to production-grade multi-asset ledgers, API keys, and the Back-Office Operational Command Center—is strictly contingent upon the execution of an independent, high-velocity Master Services Agreement (MSA). The execution of an MSA follows a mandatory technical walkthrough and a comprehensive eligibility and regulatory evaluation.

1.5. Unilateral Modification and Survival: The Company reserves the exclusive, unilateral right to revise, amend, or restate these Terms at any time to reflect technological evolution, regulatory shifts, or corporate restructuring. Any such modification shall be deemed effective immediately upon posting to the Website. Your continued engagement with the Website following the publication of such revisions constitutes a renewal of your assent to the amended terms. All provisions regarding Intellectual Property, Indemnification, and Limitation of Liability shall survive the termination of this Agreement in perpetuity.

SECTION 2: THE INFRASTRUCTURE PROVISIONING PRINCIPLE AND REGULATORY INDEPENDENCE

2.1. Technical Nature of the Infrastructure: banxtack™ operates as a sophisticated, composable financial software ecosystem and an "Operating Layer" designed for the orchestration of modern financial products. The Counterparty acknowledges that the technology provided is neither a singular "wallet" nor a "bank," nor is it a discrete, single-purpose API. Rather, it constitutes a modular infrastructure designed to execute the core technical logic of financial operations—including account management, payments, and multi-asset flows—operating invisibly behind the Counterparty’s proprietary brand and user interface.

2.2. White-Label Delivery and Client Branding: All technology is delivered under a "White-Label" framework, enabling the Counterparty to deploy financial services under its own unique identity. The Counterparty maintains absolute sovereignty over the "Experience Layer," including the branding of self-service portals, cardholder dashboards, and conversion hubs. banxtack™ remains a technical facilitator, maintaining no direct legal, contractual, or operational relationship with the Counterparty’s end-users.

2.3. Absolute Regulatory Separation and Client Licensure: * Technological Scope: banxtack™ provides software and financial infrastructure only. The Company does not operate as a credit institution, payment service provider, or money transmitter.

• Mandatory Licensure: The Counterparty represents and warrants that it possesses, and shall maintain in good standing, all requisite regulatory licenses, permissions, and authorizations required by the competent authorities in its jurisdiction to operate the services it provides via the banxtack™ infrastructure.
• Compliance Responsibility: The legal burden of compliance—including but not limited to Anti-Money Laundering (AML), Counter-Terrorist Financing (CTF), and Know Your Customer (KYC/KYB) mandates—rests exclusively with the Counterparty. While the Company provide modules for identity orchestration and transaction monitoring, the Counterparty is the ultimate "Reporting Entity" and legal decision-maker.

2.4. Non-Custodial and Non-Fiduciary Status: * No Custody of Funds: banxtack™ does not hold, possess, or assume custody of customer funds at any stage of the transaction lifecycle. All fiat and virtual assets are domiciled with third-party financial institutions, custodians, or liquidity providers integrated through the software bridge.

• No Financial Advice: The Company does not provide financial, investment, legal, or tax advice. Any data, analytics, or automated workflows generated by the platform are provided for technical execution purposes only and do not constitute professional consultation.

2.5. Compliance with Local Edicts: All utilization of the banxtack™ infrastructure is strictly subject to the applicable laws, statutes, and regulations of the Counterparty’s operational jurisdiction. The Counterparty assumes all legal liability for ensuring that its specific deployment of the software is compliant with local financial conduct standards and administrative rules.

SECTION 3: INTELLECTUAL PROPERTY, PROPRIETARY RIGHTS, AND TRADE SECRETS

3.1. Absolute Ownership and Proprietary Vesting: The Counterparty hereby acknowledges and agrees that Banxtack™ (or its licensors, where applicable) retains absolute and exclusive ownership of all right, title, and interest in and to the Website, the software infrastructure, and the composable financial system. This proprietary vesting includes, without limitation, all Application Programming Interfaces (APIs), multi-asset ledger architectures, atomic reconciliation protocols, payment scheme bridges (including Visa and Mastercard integrations), and the "Experience Layer" comprising white-label components such as self-service portals and cardholder dashboards. All algorithms, source code, object code, technical documentation, and the "Back-Office" operational command center—incorporating the AML & Compliance Engine and Business Configuration modules—are protected by international copyright, trademark, patent, and trade secret laws.

3.2. Limited, Revocable License Grant: Subject to the Counterparty’s strict and continuous compliance with these Terms, and where applicable, the execution of a Master Services Agreement, the Company grants the Counterparty a limited, personal, non-exclusive, non-transferable, and revocable license to access the Website and utilize the white-label components for the sole purpose of deploying its proprietary financial product. This license is granted strictly under the "White-Label Principle," permitting the Counterparty to skin the "Experience Layer" with its own brand and identity. This grant does not constitute a sale, and no title or ownership interest in the Banxtack™ infrastructure is transferred to the Counterparty.

3.3. Rigorous Prohibitions and Restrictive Covenants: The Counterparty shall not, and shall not permit any third party to:

• Reverse Engineering: Decompile, disassemble, reverse engineer, or otherwise attempt to derive the source code, underlying ideas, or algorithms of any portion of the Banxtack™ ecosystem.
• Circumvention: Bypass, delete, or obscure any security protocols, rate-limiting mechanisms, or proprietary notices embedded within the APIs or software interfaces.
• Unauthorized Derivative Works: Modify, translate, or create derivative works based upon the infrastructure or its technical pillars (Accounts, Cards, Payments, Crypto).
• Competitive Exploitation: Use the Website or its Content to develop, promote, or distribute any product or service that competes directly or indirectly with the Banxtack™ infrastructure model.

3.4. Client Data and Proprietary Carve-Out: Notwithstanding the foregoing, the Counterparty retains all right, title, and interest in and to the data, information, or material that it or its End Users submit to the platform in the course of using the Services (“Client Data”). The Counterparty grants the Company a limited, worldwide, royalty-free license to host, copy, and process Client Data solely for the purpose of providing the Services, satisfying regulatory audit trails, and generating the reporting templates necessitated by the Counterparty's operational requirements.

3.5. Feedback and Intellectual Accumulation: Any suggestions, enhancement requests, recommendations, or other feedback provided by the Counterparty regarding the functionality or architecture of the Banxtack™ system shall be deemed non-confidential. The Counterparty hereby grants the Company a perpetual, irrevocable, royalty-free, and sublicensable right to utilize such feedback for any purpose, including the continuous improvement and evolution of the global infrastructure, without compensation or attribution to the Counterparty.

SECTION 4: PROHIBITED CONDUCT, SYSTEMIC INTEGRITY, AND RESTRICTIVE USAGE COVENANTS

4.1. Covenants of Lawful Utilization: The Counterparty represents, warrants, and covenants that its engagement with the Website and the broader Banxtack™ infrastructure shall be conducted strictly for lawful purposes and in exhaustive compliance with all applicable international, national, and local statutes. The Counterparty is strictly prohibited from utilizing the infrastructure to facilitate, promote, or participate in any activity that constitutes a criminal offense, gives rise to civil liability, or otherwise violates the public policy of any jurisdiction in which the Services are deployed.

4.2. Prohibition of Systemic Misuse and Infrastructure Interference: The Counterparty shall not, under any circumstances, engage in conduct designed to impair, degrade, or compromise the operational integrity of the Banxtack™ ecosystem. Prohibited actions include, but are not limited to:

• Cyber-Assaults: Initiating or facilitating distributed denial-of-service (DDoS) attacks, flooding, or any effort to overwhelm the network infrastructure.
• Malicious Payloads: Transmitting, uploading, or distributing any software, code, or data containing viruses, Trojan horses, logic bombs, or other technologically deleterious components.
• Unauthorized Penetration: Attempting to circumvent the Company’s security perimeters, perform unauthorized vulnerability assessments, or engage in "packet sniffing" or other forms of network surveillance.
• Data Poisoning: Intentionally injecting fraudulent or erroneous data into the system with the intent to degrade the efficacy of the AML & Compliance Engine or the automated atomic reconciliation protocols.

4.3. Restrictive Covenants on Data Harvesting and Extraction: The use of automated systems, including "bots," "spiders," "crawlers," or "scrapers," to retrieve, index, or data-mine any portion of the Website or its underlying metadata is strictly prohibited. The Counterparty acknowledges that the proprietary arrangement of informational content on the Website is a protected trade secret; any unauthorized extraction constitutes a material breach of this Agreement and an infringement of the Company’s intellectual property rights.

4.4. Global Sanctions and AML Compliance: The Counterparty warrants that it—including its ultimate beneficial owners (UBOs), directors, and officers—is not currently designated on any international sanctions list, including those maintained by the United Nations Security Council, the Office of Foreign Assets Control (OFAC) of the U.S. Department of the Treasury, HM Treasury (UK), or the European Union. Furthermore, the Counterparty shall not utilize the infrastructure to facilitate transactions involving sanctioned territories or persons, nor shall it use the Services in any manner that facilitates money laundering or the financing of terrorism.

4.5. Responsibility for Subordinate Conduct: Notwithstanding the white-label nature of the delivery, the Counterparty assumes absolute and non-delegable responsibility for the conduct of its Authorized Users and, by extension, the activity occurring within its branded deployment of the software. Any breach of these restrictive covenants by an employee, agent, or contractor of the Counterparty shall be deemed a breach by the Counterparty itself, entitling the Company to immediate equitable relief and the summary suspension of access.

SECTION 5: SYSTEMIC INFRASTRUCTURE ARCHITECTURE, OPERATIONAL PILLARS, AND SERVICE EVOLUTION

5.1. The Composable Infrastructure Model: The Counterparty acknowledges that the banxtack™ ecosystem is architected as a modular, composable financial infrastructure. This system is comprised of distinct technical pillars and an operational command center designed to function as an integrated "Operating Layer" for modern financial products. Each pillar represents a discrete suite of functionalities that the Counterparty may orchestrate to meet its specific commercial requirements.

5.2. Functional Infrastructure Pillars: The core technical deliverables of the infrastructure include, but are not limited to:

• Accounts & Value Storage (Pillar I): Provision of multi-asset ledgers supporting fiat and virtual assets through unified account structures. This pillar incorporates "Atomic Reconciliation" protocols, ensuring real-time ledger tracking and 100% balance accuracy across global currency pairs.
• Payment Cards & Issuance (Pillar II): Technical facilitation of digital and physical card programs hard-wired to multi-currency ledgers for instant, real-time authorization. This pillar enables the Counterparty to deploy "Custom Spending Logic," incorporating complex authorization rules and dynamic spending limits.
• Payments & Money Movement (Pillar III): Consolidated access to global payment rails, including but not limited to SEPA, SEPA Instant, Faster Payments, and SWIFT. This infrastructure facilitates "Automated Workflows" for high-velocity bulk payouts, scheduled transfers, and Variable Recurring Payments (VRPs).
• Crypto & Hybrid Finance (Pillar IV): Provision of bi-directional flows for high-speed crypto-to-fiat and fiat-to-crypto conversion. This includes the "Secure Custody Bridge," providing direct software integration with institutional-grade custody providers.

5.3. Operational Command Center (The "Back-Office"): The infrastructure incorporates a production-grade administrative environment known as the "Back-Office". This command center provides the following sub-modules:

• The AML & Compliance Engine: A suite of technical tools for identity orchestration (KYC/KYB), transaction screening, and dynamic risk scoring.
• Business Configuration & Treasury Oversight: A master module allowing the Counterparty to configure the "Pricing & Fee Engine" (including custom FX margins) and maintain real-time treasury visibility across integrated provider accounts.

5.4. Unilateral Service Evolution and Technical Updates: The Company reserves the absolute right to modify, update, or evolve the technical specifications of the infrastructure at any time. Such modifications may include the introduction of new "Experience Layer" components, the deployment of upgraded ledger units, or the integration of additional global financial providers. The Company shall employ commercially reasonable efforts to ensure that such updates do not materially degrade the core functionality of the infrastructure.

5.5. Deprecation and Maintenance Protocols: The Company may periodically deprecate certain legacy API endpoints or legacy pillars to maintain the security and efficiency of the global ecosystem. Notice of significant technical deprecations or scheduled maintenance windows that may impact service availability will be communicated to the Counterparty via the designated channels. The Counterparty acknowledges that temporary service suspensions may be required to preserve the systemic integrity and "Atomic Reconciliation" of the platform.

5.6. Technical Documentation and Integration Standards: All use of the infrastructure must adhere to the technical documentation and integration standards provided by the Company. Failure to comply with these standards, or the implementation of non-standard integration logic that threatens the stability of the banxtack™ ecosystem, shall be deemed a material breach of this Agreement.

SECTION 6: FEES, FISCAL OBLIGATIONS, AND REVENUE RECOVERY

6.1. Consideration and Pricing Engine Governance: The Counterparty shall pay the Company the fees as set forth in the applicable Order Form or as configured within the "Business Configuration & Treasury" module of the Back-Office. The infrastructure provides a sophisticated "Pricing & Fee Engine" allowing the Counterparty to establish custom fee structures, define foreign exchange (FX) margins, and implement tiered pricing across various client segments. The Counterparty acknowledges that it is solely responsible for the configuration of these parameters and the resulting fiscal impact on its End Users.

6.2. Invoicing, Settlement, and Payment Modalities: Unless otherwise stipulated in a Master Services Agreement, all subscription and infrastructure maintenance fees are non-refundable and payable in advance. Usage-based fees, including those derived from API call volumes or transaction throughput, shall be calculated via the internal ledger units and billed in arrears. All payments shall be remitted in the currency designated by the Company, free and clear of any set-off, counterclaim, or withholding.

6.3. Fiscal Responsibilities and Taxation: All fees quoted by the Company are exclusive of Value Added Tax (VAT), Sales Tax, Goods and Services Tax (GST), and any other governmental levies or digital services taxes imposed by any jurisdiction. The Counterparty assumes absolute responsibility for the identification, calculation, and remittance of all taxes arising from its use of the infrastructure to provide services to End Users. If the Company is legally obligated to collect or pay such taxes, the Counterparty shall be invoiced for the same unless a valid tax exemption certificate is provided.

6.4. Delinquency and Revenue Recovery Protocols: Any failure to remit payment by the designated due date shall constitute a material breach of this Agreement. Delinquent accounts shall accrue interest at a rate of 1.5% per month, or the maximum rate permitted by law, whichever is lower, from the date such payment was due until the date paid in full. In the event of continued delinquency exceeding thirty (30) days, the Company reserves the unilateral right to:

• Suspend Ledger Connectivity: Temporary cessation of "Atomic Reconciliation" and payment rail access.
• API Throttling: Immediate degradation of API response times or complete deactivation of API keys.
• Service Termination: Permanent cessation of the license to the "Experience Layer" and the Back-Office command center.

6.5. Treasury Oversight and Discrepancy Resolution: While the infrastructure provides "Treasury Oversight" and global liquidity visibility across all provider accounts, the Counterparty is responsible for real-time reconciliation against its internal ledger. Any disputes regarding usage-based billing must be submitted to business@banxtack.com within fourteen (14) days of the invoice date; otherwise, the recorded ledger data shall be deemed final and conclusive for the purposes of billing.

SECTION 7: DATA SOVEREIGNTY, PRIVACY, AND GLOBAL REGULATORY COMPLIANCE

7.1. Proprietary Data Sovereignty: The Counterparty shall retain all right, title, and interest in and to all "Client Data," defined as any electronic data, information, or material—including Personal Data and Transactional Data—submitted to the banxtack™ infrastructure by the Counterparty or its End Users. The Company acknowledges that Client Data is the exclusive property of the Counterparty. The Company is hereby granted a limited, non-exclusive, royalty-free license to host, copy, transmit, and display Client Data solely for the purpose of maintaining the "Operating Layer," facilitating "Atomic Reconciliation," and ensuring the functional integrity of the multi-asset ledgers.

7.2. Designation of Data Roles: For the purposes of the General Data Protection Regulation (GDPR), the UK Data Protection Act, and other global data privacy frameworks (including CCPA and APPI), the Counterparty is designated as the Data Controller and banxtack™ is designated as the Data Processor. The Company shall process Personal Data strictly in accordance with the Counterparty’s documented instructions and the specific parameters of the "Identity Orchestration" and "AML & Compliance Engine" modules.

7.3. Identity Orchestration and Compliance Data: The infrastructure facilitates "Identity Orchestration" through integrated KYC/KYB checkpoints and streamlined end-user onboarding flows. The Counterparty acknowledges that while the Company provides the technical suite for identity verification, UBO mapping, and manual corporate reviews, the Counterparty remains the legally responsible entity for the accuracy and retention of this data for regulatory audit trails.

7.4. Systematic Transaction Monitoring and Screening: The "AML & Compliance Engine" performs real-time, continuous screening across fiat and digital flows against sanctions, PEPs, and adverse media. This data processing is conducted to satisfy stringent global regulatory requirements and to provide "Investigations & Reporting" workflows with regulator-ready templates. The Counterparty is responsible for the final adjudication of any "Red Flags" generated by the "Dynamic Risk Scoring" algorithms.

7.5. Technical and Organizational Safeguards: The Company maintains a robust ICT Risk Management Framework, incorporating enterprise-grade technical safeguards:

• Data Encryption: All Client Data is encrypted utilizing AES-256 protocols at rest and TLS 1.3 for data in transit.
• Resilience and Redundancy: In alignment with global operational resilience standards (such as DORA), the Company maintains geo-redundant data centers and automated failover protocols to preserve the ledger's "Atomic Reconciliation".
• Access Control: Access to the "Back-Office" operational command center is governed by multi-factor authentication and strict "least privilege" internal protocols.

7.6. Cross-Border Data Transfers: As a global infrastructure provider, the Company may process data in various jurisdictions. The Company warrants that any cross-border transfer of Client Data shall be conducted via recognized legal mechanisms, such as Standard Contractual Clauses (SCCs), ensuring a level of protection equivalent to the data's origin jurisdiction.

7.7. Audit Rights and Regulatory Cooperation: The Company agrees to provide the Counterparty with the documentation necessary to demonstrate compliance with its data processing obligations. Subject to reasonable notice and strict confidentiality, the Company shall cooperate with the Counterparty’s regulatory audits to verify the ICT security measures protecting the financial movements orchestrated via the platform.

SECTION 8: REPRESENTATIONS, WARRANTIES, AND THE SCOPE OF TECHNOLOGICAL ASSURANCE

8.1. Mutual Representations and Warranties: Each party represents and warrants to the other that:

• (a) Corporate Standing: It is a legal entity duly organized, validly existing, and in good standing under the laws of its jurisdiction of incorporation or formation.
• (b) Authority and Binding Indenture: It possesses the full corporate power and authority to execute this Agreement and perform its obligations hereunder; the execution of this Agreement has been duly authorized by all necessary corporate action and constitutes a valid and binding obligation.
• (c) Non-Contravention: The execution and performance of this Agreement do not and will not violate any provision of its charter, bylaws, or any existing contractual commitment to a third party.

8.2. Counterparty (Client) Specific Warranties: The Counterparty expressly represents and warrants to the Company that:

• (a) Regulatory Licensure: It holds, and shall maintain throughout the duration of its engagement with the infrastructure, all requisite regulatory licenses, permits, and authorizations necessary to conduct its business operations and provide financial services to End Users.
• (b) Legal and Jurisdictional Compliance: Its use of the banxtack™ ecosystem, including its custom configuration of the "Pricing & Fee Engine" and "Custom Spending Logic," complies with all applicable statutes, administrative edicts, and consumer protection laws in every jurisdiction where it operates.
• (c) Non-Sanctioned Status: Neither the Counterparty nor any of its ultimate beneficial owners (UBOs) appear on any global sanctions lists (e.g., OFAC, UN, HM Treasury) or are located in a prohibited territory.
• (d) Accuracy of Data: All information provided during the Technical Product Walkthrough and the Eligibility Evaluation is accurate, current, and devoid of material omissions.

8.3. The "Fintech Infrastructure" Limited Warranty: The Company warrants that the banxtack™ infrastructure will perform substantially in accordance with the technical documentation provided in the "Experience Layer" and "Back-Office" specifications. This warranty is provided strictly for the benefit of the Counterparty and does not extend to any End Users or third parties.

8.4. Affirmative Warranty Disclaimers: EXCEPT AS EXPRESSLY PROVIDED IN SECTION 8.3, THE WEBSITE, THE SOFTWARE INFRASTRUCTURE, THE API INTERFACES, AND ALL ASSOCIATED PILLARS ARE PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS. THE COMPANY HEREBY DISCLAIMS ALL OTHER WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING BUT NOT LIMITED TO:

• (a) Non-Interruption: That access to the infrastructure or the atomic reconciliation protocols will be uninterrupted, error-free, or compatible with any third-party software not expressly authorized by the Company.
• (b) Accuracy of Third-Party Data: That data retrieved from external financial providers (e.g., Banking Circle, Fireblocks) is accurate or provided in real-time.
• (c) Fitness for Purpose: That the technology will meet the specific commercial, regulatory, or operational requirements of the Counterparty's business model.

8.5. Explicit Exclusion of Professional Advice: The Counterparty acknowledges that the Company is a technology vendor and not a financial advisor, legal counsel, or tax consultant. No information, analytics, or dynamic risk scoring provided via the AML & Compliance Engine shall be construed as professional advice. All business decisions, including the onboarding of End Users and the execution of conversion logic, are made solely at the Counterparty’s discretion and risk.

8.6. Security and Systemic Integrity Warranty: While the Company employs enterprise-grade technical and organizational measures to protect the systemic integrity of the ledgers, it does not warrant that the infrastructure is immune to sophisticated cyber-assaults, zero-day vulnerabilities, or failures in the global telecommunications matrix. The Counterparty acknowledges that financial technology involves inherent risks and that it has performed its own technical due diligence prior to engagement.

SECTION 9: LIMITATION OF LIABILITY, RISK ALLOCATION, AND THE "FINTECH SHIELD"

9.1. Comprehensive Exclusion of Consequential and Indirect Damages: To the maximum extent permitted by the governing law of this Agreement, the Company, its Affiliates, and its respective directors, officers, employees, and agents shall in no event be liable to the Counterparty or any third party for any indirect, incidental, special, consequential, exemplary, or punitive damages. This exclusion includes, without limitation, damages for loss of profits, loss of revenue, loss of business opportunity, loss of anticipated savings, loss of goodwill, or the corruption or loss of data, regardless of whether such damages were foreseeable or whether the Company had been advised of the possibility of such losses. This "Fintech Shield" is a fundamental element of the risk allocation between the parties, reflecting the technical-only nature of the infrastructure provision.

9.2. Monetary Cap on Aggregate Liability: Notwithstanding any provision to the contrary, the maximum aggregate liability of the Company—whether arising in contract, tort (including negligence), strict liability, or any other legal or equitable theory—shall not exceed the total amount of fees actually paid by the Counterparty to the Company during the twelve (12) month period immediately preceding the event or circumstance giving rise to the claim. The Counterparty acknowledges that the fee structure for the banxtack™ infrastructure is predicated upon this limitation of liability, and that absent this cap, the economic terms of this Agreement would be substantially different.

9.3. The "Fintech Infrastructure" Shield and Excluded Risks: As a provider of composable financial software, banxtack™ provides the "operating layer" behind the Counterparty’s brand. Consequently, the Company shall have zero liability for losses, claims, or regulatory penalties arising from:

• (a) Regulatory and Licensing Failures: Any action, fine, or sanction imposed by a financial regulator due to the Counterparty's failure to maintain valid licenses or adhere to jurisdictional compliance mandates .
• (b) Operational Configuration Errors: Any financial loss resulting from the Counterparty’s internal configuration of the "Pricing & Fee Engine," "Custom Spending Logic," or "Dynamic Risk Scoring" parameters.
• (c) Customer Decisions and Defaults: Any losses incurred due to the business decisions, credit defaults, or fraudulent activities of the Counterparty’s End Users.
• (d) Professional Advice Reliance: Any loss resulting from the Counterparty’s reliance on automated analytics or reporting templates as a substitute for professional financial or legal counsel.

9.4. Allocation of Risk for Third-Party Ecosystem Failures: The banxtack™ ecosystem consolidates connectivity to global financial providers (e.g., Banking Circle, Visa, Mastercard, Fireblocks) . The Counterparty acknowledges that these are independent third-party entities. The Company shall not be liable for the insolvency, service interruption, or technical failure of any third-party bank, card scheme, or custody provider integrated via the infrastructure. All claims regarding the loss of funds or failure of settlement must be directed to the respective regulated provider, as banxtack™ does not hold customer funds.

9.5. Cyber-Resilience, Systemic Failure, and Force Majeure: While the Company maintains enterprise-grade ICT security and atomic reconciliation protocols, it shall not be liable for any failure or delay in performance caused by a Force Majeure event. This includes, but is not limited to:

• (a) Global Technical Instability: System-wide internet outages, global submarine cable failures, or failures in the telecommunications matrix.
• (b) Sophisticated Cyber-Warfare: State-sponsored cyber-assaults, zero-day vulnerabilities, or distributed denial-of-service (DDoS) attacks that exceed the industry-standard mitigation capacity.
• (c) External Acts: Acts of God, war, civil unrest, government-mandated internet shutdowns, or changes in law that render the provision of the infrastructure illegal or technically impossible.

SECTION 10: TERM, SUSPENSION, TERMINATION, AND POST-CONTRACTUAL EXIT MANAGEMENT

10.1. Duration and Effectiveness of Agreement: This Agreement shall commence upon your initial point of ingress to the Website or the initiation of any pre-contractual technical inquiry and shall remain in full force and effect for the duration of your interaction with the banxtack™ digital ecosystem. For Prospective Clients, the "Term" of this specific Website Agreement concludes upon either (a) the cessation of all access to the Website or (b) the execution of a definitive Master Services Agreement (MSA), which shall thereafter govern the operational relationship.

10.2. Extraordinary Suspension and Protective Measures: The Company reserves the unilateral and absolute right to suspend, throttle, or terminate your access to the Website, any pre-production demo environments, or the "Experience Layer" components immediately and without prior notice, if the Company, in its sole and unfettered discretion, determines that:

• (a) Systemic Risk: Your usage patterns pose a threat to the technical stability, security, or "Atomic Reconciliation" protocols of the global infrastructure.
• (b) Regulatory Contamination: Your activities create an unacceptable risk of regulatory non-compliance or reputational damage to the banxtack™ ecosystem.
• (c) Breach of Covenants: You have violated any restrictive covenant or prohibited use policy outlined in Section 4 of this Agreement.
• (d) Force Majeure/Legal Mandate: Suspension is necessitated by a Force Majeure event or a direct administrative edict from a competent judicial or regulatory authority.

10.3. Termination for Cause and Convenience:

• (a) Termination for Convenience: Either party may terminate the pre-contractual relationship governed by these Website Terms at any time by ceasing all interaction with the platform. For formal engagements, a notice period of ninety (90) days is standard unless otherwise specified in an Order Form.
• (b) Termination for Material Breach: The Company may terminate this Agreement and any associated "Back-Office" access if you fail to cure a material breach (including non-payment or licensing failure) within thirty (30) days of receipt of a formal notice of default.

10.4. Post-Termination Exit Management and Data Retrieval: 

Upon the effective date of termination or the decommissioning of an account, the "Lifecycle Management" protocols of the infrastructure are triggered:

• (a) Data Export Window: The Counterparty shall have a period of thirty (30) calendar days to retrieve and export all Client Data, ledger histories, and audit trails from the Operational Command Center.
• (b) Secure Disposal: Following the expiration of the 30-day retrieval window, the Company shall have no further obligation to maintain Client Data and shall proceed with the secure, permanent purging of such data from production servers, subject to mandatory legal retention requirements for AML/KYC audit purposes.
• (c) De-integration: The Counterparty must immediately remove all banxtack™ white-label components, "Experience Layer" scripts, and API calls from its proprietary applications.

10.5. Survival of Provisions: The termination of this Agreement, howsoever caused, shall not affect the survival and continued enforceability of those provisions which, by their nature, are intended to survive termination. This includes, without limitation, Section 3 (Intellectual Property), Section 7 (Data Sovereignty and Privacy), Section 8 (Warranties), Section 9 (Limitation of Liability), and Section 10.6 (Governing Law).

10.6. Governing Law and Final Jurisdictional Clause: This Agreement, and any non-contractual obligations arising out of or in connection with it, shall be governed by and construed in accordance with the laws of the jurisdiction in which the banxtack™ contracting entity is incorporated at the time of the dispute. The parties irrevocably submit to the exclusive jurisdiction of the competent courts of said jurisdiction for the resolution of any disputes.

‍

GLOBAL COOKIE & TELEMETRIC GOVERNANCE POLICY

Date: January 1, 2026

Version: 1.0.6

SECTION 1: ARCHITECTURAL NECESSITY AND SCOPE OF TELEMETRY

1.1. Technical Rationale for Telemetric Deployment: The banxtack™ digital ecosystem and its underlying "Experience Layer" utilize "Cookies," "Web Beacons," "Local Storage Objects," and "Pixel Tags" (collectively referred to as “Telemetric Tools”). Unlike standard consumer-facing applications, these tools are architecturally indispensable for the maintenance of Session Persistence, Multi-Asset Ledger Security, and the prevention of unauthorized API ingress. The deployment of these tools is a fundamental requirement for the functional stability of the global financial infrastructure.

1.2. Scope of Governance: This Policy governs all telemetric data acquisition across the Company’s digital real estate, including:

• (a) Public Portals: The informational interfaces situated at www.banxtack.com.
• (b) Operational Interfaces: The "Back-Office" Operational Command Center and the administrative dashboards utilized for "Eligibility Evaluation" and "Investigations & Reporting."
• (c) White-Label Gateways: Any "Experience Layer" components deployed as part of a branded infrastructure instance.

1.3. Definition of Telemetry in the Fintech Context: For the purposes of this Policy, "Telemetry" refers to the automated collection of real-time operational data regarding user interaction, system performance, and network behavior. This data is essential for the "Atomic Reconciliation" protocols and serves as a first line of defense against sophisticated cyber-assaults and "Data Poisoning" attempts.

1.4. Manifestation of Assent: By accessing the Website or interacting with the infrastructure’s API interfaces, the Counterparty acknowledges and agrees to the deployment of these Telemetric Tools as being necessary for the delivery of a secure and compliant financial environment.

SECTION 2: TAXONOMY OF TELEMETRIC TOOLS AND FUNCTIONAL HIERARCHY

2.1. Categorization by Criticality: The Company classifies its Telemetric Tools into a discrete hierarchy based on their necessity for systemic integrity, operational stability, and regulatory compliance. Each category serves a specific role within the multi-asset ledger environment.

2.2. Tier I: Strictly Necessary (Security and Session Integrity): These tools are mandatory for the technical execution of the platform's core logic and cannot be deactivated without compromising the security architecture of the infrastructure.

• Purpose: Orchestration of multi-factor authentication (MFA) states, CSRF (Cross-Site Request Forgery) protection, and the maintenance of authenticated "Back-Office" sessions.
• Forensic Utility: Ensuring that a single user session is tethered to a verified device/IP combination to prevent "Session Hijacking" and unauthorized ledger manipulation.
• Duration: Typically session-based (expiring upon the termination of the administrative session) or short-term persistent.

2.3. Tier II: Functional and Performance Telemetry (Infrastructure Optimization): These tools monitor the health, throughput, and latency of the global financial rails and API response times.

• Purpose: Load balancing optimization across geo-redundant data centers and the identification of "Experience Layer" latency that may impact "Atomic Reconciliation" speeds.
• Data Points: Anonymized telemetrics, including geographic point of ingress, browser versioning, and system heartbeat data.
• Utility: Improving the efficacy of the "Pricing & Fee Engine" by analyzing traffic patterns during peak transaction windows to ensure high-velocity settlement.

2.4. Tier III: Compliance and Forensic Telemetry (AML & Fraud Mitigation): Specialized tools designed to detect anomalous behavior indicative of "Data Poisoning" or high-frequency automated script ingress.

• Purpose: Advanced device fingerprinting and distinguishing legitimate human interaction from sophisticated bot-based attempts to scrape the infrastructure’s conversion logic or test card vulnerabilities.
• Integration: These telemetric signals are fed directly into the "AML & Compliance Engine" to contribute to the "Dynamic Risk Scoring" of a specific connection.

SECTION 3: THE MECHANIZATION OF CONSENT AND GOVERNANCE MANAGEMENT

3.1. Provision of Granular Control: In accordance with the "Privacy by Design" principles inherent in the banxtack™ architecture, the Company provides the Counterparty and its Users with a specialized Governance Consent Manager. This interface, accessible upon initial ingress to the Website or the "Back-Office," enables the granular selection or rejection of Telemetric Tools that are not classified as "Strictly Necessary" under Section 2.2.

3.2. Mandatory Nature of Tier I Infrastructure Tools: The Counterparty acknowledges that Tier I (Strictly Necessary) tools are a technical prerequisite for the secure orchestration of the multi-asset ledgers and the maintenance of systemic integrity. These tools cannot be deactivated through the Governance Consent Manager. Any attempt to bypass or block these specific scripts via third-party browser extensions or firewall configurations may result in a "Systemic Lockout," rendering the "Experience Layer" and its associated financial modules non-functional.

3.3. Affirmative Assent for Optimization and Compliance Tiers: For Tier II (Functional) and Tier III (Forensic) telemetry, the Company employs an "Opt-In" framework for Users residing in jurisdictions with stringent privacy mandates (such as the EEA or UK). By toggling these options to "Active," the User provides their explicit, informed consent for the Company to utilize these tools for infrastructure optimization and fraud mitigation.

3.4. Administrative Revocation and Temporal Expiration: Consent granted via the Governance Consent Manager is not perpetual. Users retain the right to modify their telemetric preferences at any time through the "Settings" menu of the Operational Command Center. Furthermore, to ensure compliance with the "Right to be Forgotten," the system is programmed to trigger a "Consent Re-validation" prompt every twelve (12) months, ensuring that the user’s preferences remain current and documented for regulatory audit trails.

3.5. Impact of Consent Withdrawal: While the Company respects the withdrawal of consent for Tier II and Tier III tools, the Counterparty acknowledges that such withdrawal may degrade the "Dynamic Risk Scoring" efficacy for that specific user session. In cases where forensic telemetry is unavailable, the "AML & Compliance Engine" may default to a more restrictive security posture to protect the broader infrastructure.

SECTION 4: THIRD-PARTY ECOSYSTEM TELEMETRY AND INTEGRATED PARTNER SCRIPTS

4.1. The Consolidated Infrastructure Principle: The Counterparty acknowledges that the banxtack™ ecosystem functions as a high-velocity gateway, orchestrating connectivity to a global network of regulated financial institutions, card schemes, and compliance providers. To facilitate the "Atomic Reconciliation" and "Payments & Money Movement" pillars, the infrastructure may load technical scripts or Telemetric Tools originating from authorized Integrated Partners (collectively, “Third-Party Telemetry”).

4.2. Nature and Utility of Integrated Scripts: These third-party tools are strictly functional and are deployed only within the specific operational context of a transaction or compliance event. Their utility includes:

• Payment Authorization & Tokenization: Scripts from card networks (e.g., Visa, Mastercard) or banking partners (e.g., Banking Circle) utilized to secure the "Card Issuance" bridge and ensure transaction validity.
• Identity Orchestration & Liveness: Telemetric signals from specialized forensic partners (e.g., Sumsub, Chainalysis) integrated into the AML & Compliance Engine to perform biometric liveness verification and real-time blockchain forensic analysis.
• Secure Custody Handshakes: Cryptographic heartbeat signals from institutional-grade custody providers (e.g., Fireblocks) to maintain the integrity of the "Secure Custody Bridge" during the movement of virtual assets.

4.3. Governance of Third-Party Domains: While these tools are loaded via the banxtack™ infrastructure, the data processing activities of Integrated Partners are governed by their respective privacy and cookie policies. The Company ensures that these scripts are only active during authenticated sessions and are restricted from accessing any Personal Data not explicitly required for the technical execution of the specific service pillar being utilized.

4.4. Proliferation of "Fintech Shield" Standards: The Company conducts rigorous technical due diligence on all Integrated Partners to ensure their Telemetric Tools adhere to cybersecurity standards commensurate with the global financial industry. This includes the requirement for encrypted data transmission and the prohibition of "Cross-Site Tracking" for non-functional purposes.

4.5. Disclosure of Integrated Partners: A comprehensive and periodically updated list of the technical domains associated with our Integrated Partners is available to Clients upon formal request via the administrative channels. The Counterparty is responsible for informing its End Users that such third-party scripts may be active within their branded white-label instance to facilitate the underlying financial logic.

SECTION 5: TEMPORAL GOVERNANCE, STORAGE MANAGEMENT, AND TELEMETRIC PURGING

5.1. The Principle of Telemetric Minimization: In alignment with the "Data Minimization" requirements of global data protection frameworks, the Company implements a rigorous Temporal Governance Framework for all data acquired via Telemetric Tools. The Company does not store telemetric metadata indefinitely; instead, it adheres to a lifecycle management protocol designed to balance operational forensic requirements with the right to privacy.

5.2. Classification of Retention Durations: The retention period for telemetric data is dictated by its functional category within the infrastructure:

• (a) Session-Based Telemetry (Volatile): Metadata associated with Tier I (Strictly Necessary) tools is typically purged immediately upon the termination of the browser session or the expiration of the authenticated "Back-Office" handshake.
• (b) Optimization & Performance Logs (Short-Term): Telemetrics utilized for Tier II (Infrastructure Optimization) are retained for a period not exceeding ninety (90) days. This window allows for the analysis of monthly performance cycles and the identification of systemic latency trends.
• (c) Forensic & Security Metadata (Long-Term): Telemetry linked to Tier III (AML & Fraud Mitigation) may be retained for a duration of twelve (12) to twenty-four (24) months. This extended window is required to facilitate forensic post-mortems following a security incident and to support the "Investigations & Reporting" module in identifying long-term patterns of "Data Poisoning" or synthetic identity fraud.

5.3. Secure Archival and Ledger De-linking: During the retention period, telemetric logs are stored in an encrypted, sequestered environment. Once the operational utility of the telemetry has concluded, the Company performs "Ledger De-linking," ensuring that the technical logs are stripped of any identifiers that could link them back to a specific Counterparty or End-User, effectively rendering the data anonymous.

5.4. Automated Purging Protocols: The banxtack™ infrastructure employs automated purging scripts that execute daily "Clean-Sweep" operations. These scripts identify and permanently delete data taxonomies that have reached their "End-of-Life" (EOL) as defined by this Policy, utilizing cryptographic erasure to ensure the data is irrecoverable.

5.5. Legal Hold Exception: Notwithstanding the standard retention windows, the Company reserves the unilateral right to place a "Legal Hold" on specific telemetric logs. This occurs if the telemetry is deemed critical evidence for an active judicial proceeding, regulatory inquiry, or an internal investigation into systemic infrastructure misuse. Once the Legal Hold is formally lifted, the data is prioritized for immediate purging.

SECTION 6: ADMINISTRATIVE OVERSIGHT AND PROFESSIONAL INQUIRY PROTOCOLS

6.1. Dedicated Governance Oversight: The governance of Telemetric Tools and the broader infrastructure telemetry is managed by the banxtack™ Global Compliance & Information Security Office. This office is responsible for the continuous monitoring of the "Fintech Shield" and ensures that the deployment of any new "Experience Layer" scripts aligns with the rigorous standards set forth in this Policy and international data protection edicts.

6.2. Mechanization of Technical Audit: The Company recognizes that institutional Clients may require transparency regarding the specific Telemetric Tools active within their branded white-label instances. Upon formal written request, and subject to non-disclosure obligations, the Company can provide a Technical Telemetry Audit, detailing the current taxonomy of active cookies and the specific sub-processors integrated via the API interfaces.

6.3. Professional Inquiry Channels: All technical inquiries, notifications of suspected telemetric irregularities, or requests for detailed cookie manifests must be directed exclusively through the Company’s verified professional business channels. To ensure priority handling and forensic traceability, please use the following coordinate:

• Global Business & Compliance Affairs: business@banxtack.com

6.4. Limitation of Informal Communication: For the avoidance of doubt, and to preserve the security of the infrastructure, the Company does not provide telemetric support or governance updates via social media, informal messaging platforms, or unsecured communication rails. All formal governance correspondence must originate from the Counterparty’s registered corporate domain.

6.5. Severability and Policy Primacy: Should any provision of this Global Cookie & Telemetric Governance Policy be deemed invalid or unenforceable by a competent judicial authority, the remainder of the Policy shall continue in full force and effect. In the event of a conflict between this Policy and the Master Terms and Conditions, the Master Terms shall prevail as the primary governance indenture.