GMTX.EXCHANGE
Data Security Policy
Effective Date: September 13, 2025
MANDATORY NOTICE: Security is a non-negotiable requirement for participation in GMTX.EXCHANGE. Any attempt to probe, disclose, undermine, or bypass our controls is strictly prohibited and will result in immediate expulsion, preservation of evidence, and referral to appropriate authorities.
1. Purpose & Scope
This Policy describes the technical, organizational, and administrative measures GMTX.EXCHANGE (“GMTX,” “we,” “us”) applies to protect information assets, including personal data, trade data, compliance records, and system telemetry. This Policy applies to all Members, visitors, employees, contractors, and service providers who access or process GMTX data.
2. Governance & Accountability
- Security program overseen by designated security and compliance officers and subject to executive review.
- Policies and standards reviewed at least annually, or upon material change to risk/regulatory posture.
- Mandatory security awareness and confidentiality obligations for staff and vendors with access.
3. Data Classification & Handling
- Data classified at minimum as: Public, Internal, Confidential, and Restricted.
- Confidential and Restricted data require strict access controls, encryption, monitoring, and documented handling procedures.
- Member-submitted KYC/KYB/AML/GDPR materials are treated as Confidential Information under the Terms of Service & Non-Disclosure Agreement.
4. Encryption
- In Transit: Enforced TLS for all external and internal communications; modern cipher suites; HSTS where applicable.
- At Rest: Strong encryption for databases, backups, and secrets stores. Keys are segregated, access-controlled, and rotated.
- Key Management: Principle of least privilege, role separation, rotation on schedule and upon personnel or risk changes.
5. Access Control & Authentication
- Role-Based Access Control (RBAC) with least privilege and need-to-know enforcement.
- Multi-factor authentication (MFA) required for privileged access; session management and timeout controls.
- Joiner/mover/leaver processes with prompt de-provisioning and periodic access reviews.
6. Network & Infrastructure Security
- Segmentation of public, application, and data tiers; deny-by-default firewall rules; restricted administrative interfaces.
- Hardened configurations, baseline benchmarks, and continuous configuration monitoring.
- DDoS and abuse detection/mitigation; integrity checks for critical system components.
7. Application Security
- Secure development lifecycle with threat modeling, code review, and automated security testing.
- Dependency and supply-chain controls; rapid patching of critical vulnerabilities.
- Secrets never committed to code repositories; parameterized queries; strict input validation and output encoding.
8. Logging, Monitoring & Detection
- Centralized logging for authentication, authorization, administrative actions, and security-relevant events.
- Alerting for anomaly detection and indicators of compromise; time-synchronized logs; protected log retention.
- Regular review of security telemetry by authorized personnel; tamper-evident storage where feasible.
9. Incident Response
- Documented incident response plan (IRP) with defined roles, escalation paths, and evidence preservation procedures.
- Containment, eradication, recovery, and post-incident review with corrective actions.
- Where legally required, timely notifications to regulators and affected parties; no “tipping off” contrary to AML laws.
10. Business Continuity & Disaster Recovery
- Backups of critical data with periodic restoration tests; geographically separated replicas where appropriate.
- Documented RTO/RPO targets for critical services; DR exercises conducted at defined intervals.
11. Vendor & Third-Party Risk
- Security and compliance due diligence prior to onboarding; contractual security, confidentiality, and audit clauses.
- Continuous oversight appropriate to vendor risk tier; prompt remediation or termination upon material control failure.
12. Data Retention & Disposal
- Retention aligned to legal, regulatory, and operational requirements (e.g., AML recordkeeping generally ≥ 5 years).
- Secure disposal of data and media using methods commensurate with classification and legal obligations.
13. Privacy & Data Protection
- Processing governed by applicable privacy laws, including GDPR where applicable (see separate GDPR Statement).
- Data minimization, purpose limitation, and access limitation principles applied.
14. Member Responsibilities
- Maintain strong, unique credentials and MFA; keep contact and verification data current.
- Do not share accounts or disclose Confidential Information; promptly report suspected compromise or misuse.
- Strictly follow all KYC/KYB/AML obligations and platform rules.
15. Prohibited Activities
- Unauthorized scanning, probing, scraping, load testing, or security research without prior written permission.
- Introduction of malware, exploits, automated attack tools, or attempts to bypass controls.
16. Responsible Disclosure
If you believe you have identified a security vulnerability, contact us through the designated secure channel with enough detail to reproduce the issue. Do not access, modify, or exfiltrate data. We may authorize coordinated disclosure; unauthorized disclosure violates the NDA and will be treated as a security incident.
17. Confidentiality & Enforcement
All security architecture, procedures, communications, and telemetry are Confidential Information. Any disclosure or misuse constitutes a material breach of the Terms of Service & Non-Disclosure Agreement and may result in immediate, permanent expulsion, legal action, and referral to regulators or law enforcement.
18. Updates
We may update this Policy to address evolving threats, technology, or legal requirements. Material changes will be posted; continued use constitutes acceptance of updates.
19. Governing Law
This Policy is governed by the laws of the State of Wyoming, United States of America, without regard to conflict-of-law principles. The courts of Wyoming shall have exclusive jurisdiction over disputes arising from or relating to this Policy.
FINAL NOTICE: GMTX.EXCHANGE will act swiftly and decisively to defend the confidentiality, integrity, and availability of its systems and data. If you are unwilling to comply with these security obligations, do not use the platform.