
Trust, Security, Privacy & AI Governance
Effective Date: March 25, 2026
1. Trust Center
We build our services with a focus on security, privacy, and responsible AI governance. Our internal policies and governance measures are designed to support appropriate data handling, secure operations, and ongoing oversight as our services, customer use cases, and applicable legal expectations evolve.
We maintain internal governance measures intended to address information security, privacy, access management, service reliability, and the responsible development, deployment, and use of AI-enabled capabilities. These measures are reviewed and refined over time in light of product development, operational needs, customer requirements, and relevant legal and regulatory developments.
For customers, partners, and reviewers seeking additional information, we provide further details on our security practices, privacy approach, and AI governance framework below.
2. Security
We are committed to maintaining a secure and reliable environment for our customers and partners. Our security practices are designed to support the confidentiality, integrity, and availability of the information processed through our services, as well as the resilience of our operational environment.
Our security program is intended to address organizational, technical, and operational safeguards across our systems, personnel, and service providers. These practices continue to evolve in light of product development, operational needs, customer expectations, and applicable legal and contractual requirements.
Data Encryption in Transit and at Rest
We implement measures intended to protect data during transmission and storage. Communications with our services are designed to be protected using industry-standard encryption protocols in transit. Where appropriate to the relevant service environment and data type, data stored within our systems is also protected through encryption at rest and related key-management practices.
We maintain internal practices intended to support the secure handling of sensitive information and to reduce the risk of unauthorized access, disclosure, or alteration during routine operations.
Access Control
Access to systems, environments, and data is intended to be limited based on role, legitimate business need, and formal internal authorization procedures. We seek to apply least-privilege principles to reduce unnecessary access and support accountability for the use of privileged systems.
Internal access management measures may include role-based provisioning, approval workflows, periodic review of access rights, and the removal or adjustment of access when responsibilities change or access is no longer required.
Logging and Monitoring
We maintain internal processes intended to support the logging and monitoring of relevant system activity, access events, and security-related events.
These measures are designed to support visibility into system operations, the investigation of abnormal or unauthorized activity, incident response and forensic analysis, and the ongoing review of our control environment.
Incident Response
We maintain internal procedures intended to support the identification, escalation, management, and review of security incidents. These procedures are designed to support timely investigation, mitigation, internal coordination, and follow-up in the event of a security-related issue.
Where appropriate, we may review incidents to identify lessons learned and improve relevant processes, controls, or operational safeguards over time.
Third-Party Service Provider Management
Where third-party infrastructure providers, service providers, or sub-processors are used to support our services, we maintain internal review procedures intended to assess their relevance to security, confidentiality, and operational suitability.
Our use of third-party providers is intended to be supported by appropriate contractual, technical, and operational measures, taking into account the nature of the services they provide and their role in our service delivery environment.
Infrastructure Security
We maintain technical and operational practices intended to support the security and resilience of our infrastructure environment. These measures may include configuration controls, environment segregation, documented change handling, service continuity and recovery measures, vulnerability management practices, and ongoing operational review.
Where relevant, infrastructure and service design may also incorporate measures intended to support backup, recovery, and the continued availability of key service components.
Personnel Confidentiality and Access Management
Personnel with access to relevant systems, data, or operational functions may be subject to internal confidentiality, acceptable-use, and access-management requirements. We seek to assign access based on job responsibilities and to maintain internal expectations relating to the responsible handling of systems and information.
Our internal personnel measures may include onboarding and offboarding controls, confidentiality commitments, internal policy awareness, and role-based limitations on access to sensitive systems or information.
Continuous Review
Our security practices continue to evolve alongside our services, technical environment, customer requirements, and applicable legal and contractual expectations. We review and refine our security measures over time as part of our broader operational and governance processes.
Security Contact
For security-related inquiries, vulnerability disclosures, or requests for additional information regarding our security practices, please use the contact details made available by the Company from time to time.
3. Privacy
We recognize the importance of handling personal data responsibly, transparently, and in a manner appropriate to the nature of our services. Our privacy practices are designed to support appropriate data governance, proportionate processing, and the ongoing review of how data is handled across our operations.
Our approach to privacy is intended to address the collection, use, retention, protection, and management of data in light of our service model, operational needs, customer expectations, and applicable legal requirements.
Privacy Governance
We maintain internal measures intended to support privacy governance across our services and operations. These measures are designed to support the review of relevant data handling activities, the allocation of internal responsibilities, and the ongoing refinement of privacy-related practices over time.
Where appropriate, privacy-related considerations may be addressed in connection with service design, operational processes, customer support activities, and the use of third-party service providers.
Categories of Data We May Process
Depending on the nature of the relevant service, we may process categories of personal data such as identity and contact data, account and authentication data, transaction and financial data, technical and usage data, communications data, and, where applicable, KYC and identity verification data. The specific categories of data processed may vary depending on the features used, the customer relationship, and the applicable service environment.
Purposes of Processing
We seek to process personal data for defined and legitimate purposes connected to the provision, security, support, maintenance, and improvement of our services, as well as compliance with applicable legal, regulatory, or contractual requirements. Depending on the relevant service context, this may include service administration, transaction processing, fraud prevention, compliance monitoring, customer communications, troubleshooting, and related operational purposes.
Access Limitation and Internal Use
Access to data is intended to be limited based on role, business need, and internal authorization procedures. We seek to apply internal measures designed to reduce unnecessary access, support accountability, and promote the appropriate handling of information within our organization.
Internal access to data may be subject to confidentiality, acceptable-use, and access-management requirements.
Data Retention and Deletion
We maintain internal rules and procedures intended to support the retention and deletion of personal data in light of service requirements, operational needs, customer expectations, and applicable legal, regulatory, and contractual obligations. Retention periods may vary depending on the nature of the information, the context in which it is processed, and the legal or operational basis applicable to the relevant data category.
Privacy Requests and Communications
Requests relating to privacy, including requests concerning access, correction, deletion, restriction, objection, portability, or other data-related matters, may be directed to the Privacy Lead through the contact details made available by the Company. We seek to review and respond to such requests in accordance with our internal processes and applicable legal requirements.
Third-Party Service Providers and Processors
Where third-party service providers, infrastructure providers, processors, or sub-processors are used in connection with our services, we maintain internal review procedures intended to support appropriate confidentiality, data handling, and operational safeguards. Depending on the relevant service model, such providers may include cloud infrastructure providers, AI API providers, KYC/AML service providers, analytics providers, customer support tools, communication service providers, payment service providers, security and compliance vendors, and other relevant third parties engaged in connection with our services and operations.
International Data Transfers
Where our service delivery model involves the processing or access of personal data across jurisdictions, we seek to implement appropriate safeguards to support compliance with applicable legal requirements. Where transfers of personal data from the European Economic Area to third countries are required, we seek to rely on transfer mechanisms recognized under applicable law, which may include Standard Contractual Clauses adopted by the European Commission, adequacy decisions, or other appropriate safeguards permitted under applicable data protection law.
Privacy Contact
We have designated an internal contact responsible for data protection and privacy matters. Privacy-related inquiries may be directed to the Privacy Lead or through the contact details made available by the Company from time to time.
Ongoing Review
Our privacy practices continue to evolve alongside our products, service model, customer requirements, and applicable legal and regulatory developments. We review and refine our privacy measures over time as part of our broader governance and operational processes.
4. AI Governance
We are committed to the responsible development, procurement, deployment, and use of AI-enabled capabilities. Our AI governance framework is designed to support risk-based review, transparency, accountability, and ongoing compliance readiness in light of evolving legal and regulatory expectations, including applicable European AI regulation.
Scope and Role Awareness
We recognize that AI-related obligations may vary depending on the nature of the relevant AI-enabled feature, the way it is developed, procured, integrated, or made available, and the role performed in the relevant service chain. Where appropriate, we seek to consider whether and how our activities may involve responsibilities in relation to the provision, deployment, integration, or downstream use of AI-enabled functionality.
Risk-Based Assessment
We seek to apply a risk-based approach to AI-enabled functionality, taking into account the nature of the relevant feature, the categories of users or affected persons involved, the context in which it is used, and the potential operational, security, privacy, and user-facing implications associated with its implementation. Where appropriate, our internal review may consider whether a given use case should be restricted, subject to enhanced governance, further legal and compliance assessment, or additional safeguards, including in light of prohibited uses, high-risk use cases, transparency-related obligations, or lower-risk deployment contexts.
Prohibited and Sensitive Use Screening
We seek to assess proposed AI-enabled features and use cases in light of applicable legal and regulatory restrictions, including whether a workflow, deployment scenario, or user-facing functionality may raise concerns relating to manipulation or deception, exploitation of vulnerabilities, inappropriate profiling or social scoring, sensitive inference, unlawful biometric use, emotion recognition in restricted contexts, or other prohibited or high-concern applications.
High-Risk Use Case Governance
Where a use case may involve heightened impact on health, safety, or fundamental rights, we seek to apply enhanced governance measures appropriate to the relevant context. Depending on the circumstances, this may include additional review of data handling, documentation, logging or traceability, user-facing information, human oversight, internal approval, operational safeguards, and oversight arrangements. We also seek to consider whether higher-risk deployment scenarios call for strengthened controls relating to accuracy, robustness, cybersecurity, monitoring, or incident escalation.
Transparency and User Information
Where appropriate to the relevant service context, we seek to consider whether and how users, customers, or other stakeholders should be informed that they are interacting with AI-enabled functionality. Where relevant, we may also consider whether AI-generated content, synthetic media, or other AI-assisted outputs should be described, labelled, or otherwise communicated in light of product design, user expectations, and applicable legal requirements.
Human Oversight and Escalation
Where appropriate to the relevant use case, we may implement internal review, escalation, approval, or other oversight measures intended to support the responsible deployment and operation of AI-enabled functionality. Depending on the relevant context, such measures may be intended to support informed human review, operational intervention, suspension of use where necessary, and escalation of concerns through designated internal channels.
Documentation, Traceability, and Internal Review Records
Where appropriate to the relevant service context, we seek to maintain or develop documentation, assessments, risk classification records, and internal review materials intended to support governance, accountability, and the ongoing refinement of AI-related practices.
Third-Party Models, Tools, and Downstream Integration
Where third-party models, APIs, datasets, infrastructure providers, or other external tools are used in connection with our services, we seek to assess their relevance to security, privacy, operational suitability, and service-related risk. Where appropriate, we also consider the availability of information needed to support compliance assessment, including in relation to documentation, data handling, security, and contractual allocation of responsibilities across upstream providers, downstream deployment contexts, and customer-facing implementations.
AI Literacy and Internal Enablement
We seek to promote an appropriate level of internal awareness regarding the use, operation, and governance of AI-enabled functionality, taking into account the roles of relevant personnel and the context in which AI-enabled features are used. Where appropriate, this may include internal guidance, training, operational support, or other enablement measures intended to support the responsible design, deployment, oversight, and use of AI-enabled functionality.
Monitoring, Incident Awareness, and Continuous Improvement
We continue to review and refine our AI governance practices in light of product updates, implementation experience, customer feedback, incident learnings, and evolving legal and regulatory developments.
Our governance measures are intended to develop over time alongside our services, the broader AI ecosystem, and applicable regulatory expectations.
General-Purpose AI and Regulatory Developments
Where relevant to our services, we continue to monitor legal and regulatory developments relating to general-purpose AI models, transparency expectations, copyright-related considerations, and safety and security issues associated with advanced AI capabilities.
We seek to adapt our internal governance approach over time in light of the evolving regulatory landscape and the role AI-enabled functionality plays within our products and services.