Abra Digital Information Security Policy
Last updated: June 11, 2025

This Information Security Policy (“Policy”) sets out the obligations, responsibilities, and controls that govern Abra Digital’s protection of information assets. All employees, contractors, and third-party service providers (“Users”) must comply with this Policy in full.

  1. Purpose

Abra Digital (“we,” “us,” “our”) is committed to safeguarding the confidentiality, integrity, and availability of all information used in our institutional OTC, arbitrage, and liquidity-management services. This Policy formalizes our approach to identifying risks, applying controls, and responding to security events.

  2. Scope

This Policy applies to all information assets, systems, networks, applications, and data—whether electronic or physical—owned, leased, or processed by Abra Digital, including data, trading records, proprietary algorithms, and supporting infrastructure.

  3. Definitions
  4. Policy Statements
     1. Risk Management: We maintain an ongoing risk-assessment program to identify threats to our information assets. Controls are selected based on risk severity, cost-effectiveness, and alignment with industry standards (e.g., ISO 27001).
     2. Data Classification & Handling: All data is classified as Public, Internal, Confidential, or Restricted. Users must handle, store, and transmit data in accordance with its classification level, applying encryption and access controls where mandated.
     3. Access Control: Access to systems and data is granted on a least-privilege basis. All Users must authenticate via unique credentials and multi-factor authentication for privileged functions. Shared or generic accounts are prohibited.
     4. Encryption & Transmission: Confidential and Restricted data must be encrypted at rest (AES-256) and in transit (TLS 1.2+). Hard-copy data containing sensitive information must be physically secured.
     5. Incident Response & Reporting: All Security Incidents must be reported immediately to the Information Security Officer. We follow our Incident Response Protocol to contain, investigate, remediate, and notify affected parties in accordance with applicable laws and contractual requirements.
     6. Third-Party Security: Vendors with access to our systems undergo security due diligence and are contractually bound to maintain controls at least as stringent as this Policy. Periodic audits verify their ongoing compliance.
     7. Audit & Compliance: We conduct internal reviews and engage independent auditors at least annually to validate adherence to this Policy. Non-compliance may result in disciplinary action, contract termination, or legal penalties.
     8. Training & Awareness: All Users receive annual security awareness training. Additional, role-specific training is provided to personnel in sensitive positions (e.g., developers, operations, compliance).
  5. Roles & Responsibilities
  6. Breach Notification

In the event of a confirmed or suspected breach of Confidential or Restricted data, we will notify affected stakeholders without undue delay, as required by law and contract.

  7. Policy Review

This Policy is reviewed at least annually or following any major security incident, significant organizational change, or amendment of relevant laws and regulations. Approved revisions are published on our website under “General Terms.”

Legal Notice: Non-compliance with this Policy may lead to disciplinary measures, contractual liabilities, and regulatory sanctions. For questions or to report concerns, contact security@abradigital.com.