🔐Cybersecurity Policy

Date Approved	August 14th, 2020
Next review	TBA
Approved by	Chief Technology Officer
Custodian title	Chief Technology Officer
Author	Kotani Pay Limited
Responsible faculty	Technology Department
Supporting documents, procedures & forms of this policy	Kotani Pay Terms and Conditions
Audience	Public - accessible to anyone
Policy expiry date	TBA

Purpose of the Policy

The purpose of this Information Security Policy (“Policy”) expresses Kotani Pay Limited’s commitment to managing information security risks effectively and efficiently, coordinated globally and in compliance with applicable regulations wherever it conducts business. This Policy is the foundation for all information security activities. It focuses not only on the technology for the storage, processing, and transmission of information, but also on administrative and operational practices for the protection of all information, data, files, and processing resources owned by. It is the intent of this Policy to facilitate the exchange of information and computing resources while balancing the need for protecting information with the cost of implementation.

This Policy is the property of Kotani Pay Limited ("Kotani Pay”, “us", "we", or "our"). It is intended for distribution to all employees, partners and users associated with the business activities of Kotani Pay.

Scope of the Policy

This Policy applies to all employees, contractors, consultants, volunteers, and anyone who creates, distributes, access or manages information by means of Kotani Pay’s information technology systems including personal or corporate computers, networks, and communication services by which they are connected. It equally applies to individuals and enterprises, who by nature of their relationship to Kotani Pay, are entrusted with confidential or sensitive information. This Policy addresses all aspects of information security and continuity from the initial design of a system through implementation and operation. It also addresses any device used to store, process, or communicate proprietary or other protected information.

Definitions

Infrastructure and Services	Infrastructure and services operated by or on behalf of Kotani Pay. This includes services and systems and associated computing hardware and software used for the communication, processing and storage of information
Cyber security	The practice of defending computing devices, networks and stored data from unauthorized access, use, disclosure, disruption, modification or destruction
Cyber Security Team	Capability appointed by the CTO with knowledge of the Kotani Pay core team. Their responsibilities are outlined in the Cyber Security Policy
CEO	Chief Executive Officer
CFO	Chief Financial Officer
CTO	Chief Technology Officer
COO	Chief Operating Officer
HR	Human Resource
IT	Information Technology
KYC	Know Your Customer
multi-sig	multi signature
TBA	To be advised
SHA256	256 bit Secure Hash Algorithm
User	Any person using or accessing Kotani Pay’s services including end-users, clients and partners

Policy elements

Confidential data

Confidential data is secret and valuable. Confidential data handled by Kotani Pay includes

• KYC data such as official names, date of birth, government identification data

• Data of customers/partners/vendors

• Internal innovations including code base and APIs

• Customer lists (existing and prospective)

All employees are obliged to protect this data. In this policy, we will give our employees instructions on how to avoid security breaches.

Protect personal and company devices

When employees use their digital devices to access company emails or accounts, they introduce security risks to our data. We advise our employees to keep their personal and company-issued computers, tablets and cell phones secure. They do this by

• Keeping all devices and passwords protected.

• Choosing and upgrading antivirus software.

• Ensure they do not leave their devices exposed or unattended.

• Install security updates of browsers and systems monthly or as soon as updates are available.

• Log into company accounts and systems through secure and private networks only.

We also advise our employees to avoid accessing internal systems and accounts from other people’s devices or lending their own devices to others. When new hires receive company-issued equipment they will receive instructions for

• Disk encryption setup

• Password management tool setup

• Installation of antivirus/ anti-malware software

They should follow instructions to protect their devices and refer to our technology department if they have any questions.

Keep emails safe

Emails often host scams and malicious software (e.g. worms.) To avoid virus infection or data theft, we instruct employees to

• Avoid opening attachments and clicking on links when the content is not adequately explained

• Be suspicious of clickbait titles

• Check email and names of people they received a message from to ensure they are legitimate.

• Look for inconsistencies or give-aways (e.g. grammar mistakes, capital letters, an excessive number of exclamation marks.)

If an employee isn’t sure that an email they received is safe, they can refer to our technical department for advice.

Kotani Pay’s General Good Practice to prevent computer virus, Trojan, spyware or other malware infection

While using computers and other devices, it is important to safeguard from the likelihood of malicious software infections. The following list outlines good practices to prevent such attacks:

• Do not open emails from unknown senders.

• Don’t click on any links within emails that seem suspicious or from unknown senders.

• Don’t install any software on company-issued computers without prior approval from IT Dept.

• Only open websites that you know. Never randomly click a link as it may direct you to a malicious website or trick you to download an infected file or program.

• When using USB flash drives, thumb drives or any other removable drives, make sure you scan them using your security software. The best practice is to ask the IT dept. to scan if you’re not too sure.

• Limit the amount of information that is published on the internet about yourself or about Kotani Pay. This can be used for social engineering.

• Report any suspicious computer activity to the IT Department. right away.

• Educate yourself on the protection systems that are installed on your computer and check if it is up to date or has any alerts.

• Never leave your computer unattended while outside the company offices where anyone could plug in a USB device. As a best practice always lock your computer session before leaving your computer unattended.

Manage passwords properly

Password leaks are dangerous since they can compromise our entire infrastructure. Not only should passwords be secure so they won’t be easily hacked, but they should also remain secret. For this reason, we advise our employees to

• Choose passwords with at least eight characters (including capital and lower-case letters, numbers and symbols) and avoid information that can be easily guessed (e.g. birthdays.)

• Remember passwords instead of writing them down. If employees need to write their passwords, they are obliged to keep the paper or digital document confidential and destroy it when their work is done.

• Exchange credentials only when absolutely necessary with the approval of the technology department.

• Change their passwords every two months.

Remembering a large number of passwords can be daunting. We will purchase the services of a password management tool that generates and stores passwords. Employees are obliged to create a secure password for the tool itself, following the above-mentioned advice.

Transfer data securely

Transferring data introduces a security risk. Employees must observe the following: Transferring sensitive data (e.g. customer information, employee records) to personal devices or personal accounts is strictly prohibited. Share confidential data using company emails and workspaces and not over personal channels. Ensure that the recipients of the data are properly authorized people or organizations and have adequate security policies. Report scams, privacy breaches and hacking attempts immediately

Our technology department needs to know about scams, breaches and malware so they can better protect our infrastructure. For this reason, we advise our employees to report perceived attacks, suspicious emails or phishing attempts as soon as possible to our specialists.

Our technology department must investigate promptly, resolve the issue and send out an alert when necessary. Our technology department is responsible for advising employees on how to detect scam emails. We encourage our employees to reach out to them with any questions or concerns.

Additional measures

To reduce the likelihood of security breaches, we also instruct our employees to

• Turn off their screens and lock their devices when leaving their desks.

• Report stolen or damaged equipment as soon as possible.

• Change all account passwords at once when a device is stolen.

• Report a perceived threat or possible security weakness in company systems.

• Refrain from downloading suspicious, unauthorized or illegal software on their company equipment.

• Avoid accessing suspicious websites.

We also expect our employees to comply with our social media and internet usage policy. Our technology department should:

• Install firewalls, anti-malware software and access authentication systems.

• Arrange for security training of all employees.

• Inform employees regularly about new scam emails or viruses and ways to combat them.

• Investigate security breaches thoroughly.

• Follow these policies provisions as other employees do.

Our company will undertake all necessary physical and digital measures to protect information.

Safeguarding Wallet Keys and Passwords

In addition to the above policies, this section addresses the safeguard of wallet keys and passwords. Kotani Pay uses a multi-sig wallet to secure funds with 2/3 authorisers (i.e the 3 main controllers of the company) for approving transactions. The custody of the multi-sig wallet shall be under the CEO and CTO of Kotani Pay with the authorization of the CFO. Each signing address is secured by a Private key provided by a hardware wallet.

The primary custodian of the hardware wallet is the CTO, and the next authorized personnel is the CFO. Our data is encrypted using the SHA256 hashing algorithm and stored on Google Cloud Server's that provide military-grade hardware and software security and redundancy. Access credentials are held by the COO and the CTO of Kotani Pay.

Any breach or security risks identified must be immediately reported to the technology department with reporting to the core team and Board of Directors. Where necessary, Kotani Pay users or partners shall be informed of such breaches and risks in order to make necessary changes.

Policy Responsibilities

The following responsibilities apply:

CTO

The CTO has the following responsibilities:

1. carriage of the company Cyber Security Policy and supporting framework;

2. ensuring the effectiveness of Cyber security measures through monitoring programs;

3. ensuring the effectiveness of disaster recovery plans with a program of testing;

4. lead the Cyber Security team;

5. authorize complementary operational procedures to support this policy;

6. authorizing the isolation or disconnection of any services or equipment from the company infrastructure which poses a severe and unacceptable risk; and

7. reporting to appropriate governance bodies, or the Board of Directors, where necessary.

Risk, Audit and Compliance Committee

The Risk, Audit and Compliance Committee has the following responsibilities: a) monitor cyber security risks and controls by reviewing the outcomes of cyber risk management processes and monitor emerging risks; and b) oversee the adequacy of cyber security capability and controls.

Kotani Pay Users

Individual Users have a responsibility to

1. Use Kotani Pay Services according to terms and conditions and cybersecurity policies at all times;

2. Be aware of the security requirements of the services they use, and take every precaution to safeguard their access to these systems against unauthorized use.

3. Immediately report any known or suspected security incidents and breaches to Kotani Pay.

Disciplinary Action

We expect all our employees to always follow this policy and those who cause security breaches may face disciplinary action:

• First-time, unintentional, small-scale security breach: We may issue a verbal warning and train the employee on security.

• Intentional, repeated or large scale breaches (which cause severe financial or other damage): We will invoke severe disciplinary action up to and including legal action and/or termination.

We will examine each incident on a case-by-case basis. Additionally, employees who are observed to disregard our security instructions will face progressive discipline, even if their behavior hasn’t resulted in a security breach.

Kotani Pay Limited may make changes to this policy in the future.