🔐 Cybersecurity Policy

Purpose of the Policy
This Information Security Policy (“Policy”) expresses Kotani Pay Limited’s commitment to managing information security risks effectively and efficiently, coordinated globally and in compliance with applicable regulations wherever it conducts business. This Policy is the foundation for all information security activities. It focuses not only on the technology for the storage, processing, and transmission of information, but also on administrative and operational practices for the protection of all information, data, files, and processing resources owned by. The intent of this Policy is to facilitate the exchange of information and computing resources while balancing the need to protect information against the cost of implementation.

This Policy is the property of Kotani Pay Limited (“Kotani Pay”, “us”, “we”, or “our”). It is intended for distribution to all employees, partners and users associated with the business activities of Kotani Pay.

Scope of the Policy
This Policy applies to all employees, contractors, consultants, volunteers, and anyone who creates, distributes, accesses or manages information by means of Kotani Pay’s information technology systems, including personal or corporate computers, networks, and the communication services by which they are connected. It equally applies to individuals and enterprises who, by nature of their relationship to Kotani Pay, are entrusted with confidential or sensitive information. This Policy addresses all aspects of information security and continuity from the initial design of a system through implementation and operation. It also addresses any device used to store, process, or communicate proprietary or other protected information.
Definitions

Policy elements
Confidential data
Confidential data is secret and valuable. Confidential data handled by Kotani Pay includes:
KYC data such as official names, date of birth, government identification data
Data of customers/partners/vendors
Internal innovations including code base and APIs
Customer lists (existing and prospective)
All employees are obliged to protect this data. In this policy, we will give our employees instructions on how to avoid security breaches.
Protect personal and company devices
When employees use their digital devices to access company emails or accounts, they introduce security risks to our data. We advise our employees to keep their personal and company-issued computers, tablets and cell phones secure. They do this by:
Keeping all devices and passwords protected.
Choosing and upgrading antivirus software.
Ensuring they do not leave their devices exposed or unattended.
Installing security updates of browsers and systems monthly or as soon as updates are available.
Logging into company accounts and systems through secure and private networks only.
We also advise our employees to avoid accessing internal systems and accounts from other people’s devices or lending their own devices to others. When new hires receive company-issued equipment, they will receive instructions for:
Disk encryption setup
Password management tool setup
Installation of antivirus/anti-malware software
They should follow instructions to protect their devices and refer to our technology department if they have any questions.
Keep emails safe
Emails often host scams and malicious software (e.g. worms). To avoid virus infection or data theft, we instruct employees to:
Avoid opening attachments and clicking on links when the content is not adequately explained
Be suspicious of clickbait titles
Check the email and names of the people they received a message from to ensure they are legitimate.
Look for inconsistencies or giveaways (e.g. grammar mistakes, capital letters, an excessive number of exclamation marks).
If an employee isn’t sure that an email they received is safe, they can refer to our technical department for advice.
Kotani Pay’s General Good Practice to prevent computer virus, Trojan, spyware or other malware infection
While using computers and other devices, it is important to guard against malicious software infections. The following list outlines good practices to prevent such attacks:
Do not open emails from unknown senders.
Don’t click on any links within emails that seem suspicious or from unknown senders.
Don’t install any software on company-issued computers without prior approval from IT Dept.
Only open websites that you know. Never randomly click a link, as it may direct you to a malicious website or trick you into downloading an infected file or program.
When using USB flash drives, thumb drives or any other removable drives, make sure you scan them using your security software. The best practice is to ask the IT dept. to scan if you’re not too sure.
Limit the amount of information that is published on the internet about yourself or about Kotani Pay. This can be used for social engineering.
Report any suspicious computer activity to the IT Department right away.
Educate yourself on the protection systems that are installed on your computer and check whether they are up to date or have any alerts.
Never leave your computer unattended while outside the company offices where anyone could plug in a USB device. As a best practice always lock your computer session before leaving your computer unattended.
Manage passwords properly
Password leaks are dangerous since they can compromise our entire infrastructure. Not only should passwords be secure so they won’t be easily hacked, but they should also remain secret. For this reason, we advise our employees to:
Choose passwords with at least eight characters (including capital and lower-case letters, numbers and symbols) and avoid information that can be easily guessed (e.g. birthdays).
Remember passwords instead of writing them down. If employees need to write their passwords, they are obliged to keep the paper or digital document confidential and destroy it when their work is done.
Exchange credentials only when absolutely necessary with the approval of the technology department.
Change their passwords every two months.
Remembering a large number of passwords can be daunting. We will purchase the services of a password management tool that generates and stores passwords. Employees are obliged to create a secure password for the tool itself, following the above-mentioned advice.
Transfer data securely
Transferring data introduces a security risk. Employees must observe the following:
Transferring sensitive data (e.g. customer information, employee records) to personal devices or personal accounts is strictly prohibited.
Share confidential data using company emails and workspaces and not over personal channels.
Ensure that the recipients of the data are properly authorized people or organizations and have adequate security policies.
Report scams, privacy breaches and hacking attempts immediately
Our technology department needs to know about scams, breaches and malware so they can better protect our infrastructure. For this reason, we advise our employees to report perceived attacks, suspicious emails or phishing attempts as soon as possible to our specialists.
Our technology department must investigate promptly, resolve the issue and send out an alert when necessary. Our technology department is responsible for advising employees on how to detect scam emails. We encourage our employees to reach out to them with any questions or concerns.
Additional measures
To reduce the likelihood of security breaches, we also instruct our employees to:
Turn off their screens and lock their devices when leaving their desks.
Report stolen or damaged equipment as soon as possible.
Change all account passwords at once when a device is stolen.
Report a perceived threat or possible security weakness in company systems.
Refrain from downloading suspicious, unauthorized or illegal software on their company equipment.
Avoid accessing suspicious websites.
We also expect our employees to comply with our social media and internet usage policy.
Our technology department should:
Install firewalls, anti-malware software and access authentication systems.
Arrange for security training of all employees.
Inform employees regularly about new scam emails or viruses and ways to combat them.
Investigate security breaches thoroughly.
Follow this policy’s provisions as other employees do.
Our company will undertake all necessary physical and digital measures to protect information.
Safeguarding Wallet Keys and Passwords
In addition to the above policies, this section addresses the safeguarding of wallet keys and passwords. Kotani Pay uses a multi-sig wallet to secure funds with 2/3 authorisers (i.e. the 3 main controllers of the company) for approving transactions. The custody of the multi-sig wallet shall be under the CEO and CTO of Kotani Pay with the authorization of the CFO.
Each signing address is secured by a private key provided by a hardware wallet.
The primary custodian of the hardware wallet is the CTO, and the next authorized personnel is the CFO. Our data is encrypted using the SHA256 hashing algorithm and stored on Google Cloud servers that provide military-grade hardware and software security and redundancy. Access credentials are held by the COO and the CTO of Kotani Pay.
Any breach or security risks identified must be immediately reported to the technology department with reporting to the core team and Board of Directors. Where necessary, Kotani Pay users or partners shall be informed of such breaches and risks in order to make necessary changes.
Policy Responsibilities
The following responsibilities apply:
CTO
The CTO has the following responsibilities:
carriage of the company Cyber Security Policy and supporting framework;
ensuring the effectiveness of Cyber security measures through monitoring programs;
ensuring the effectiveness of disaster recovery plans with a program of testing;
leading the Cyber Security team;
authorizing complementary operational procedures to support this policy;
authorizing the isolation or disconnection of any services or equipment from the company infrastructure which poses a severe and unacceptable risk; and
reporting to appropriate governance bodies, or the Board of Directors, where necessary.
Risk, Audit and Compliance Committee
The Risk, Audit and Compliance Committee has the following responsibilities: a) monitor cyber security risks and controls by reviewing the outcomes of cyber risk management processes and monitor emerging risks; and b) oversee the adequacy of cyber security capability and controls.
Kotani Pay Users
Individual Users have a responsibility to:
Use Kotani Pay Services according to terms and conditions and cybersecurity policies at all times;
Be aware of the security requirements of the services they use, and take every precaution to safeguard their access to these systems against unauthorized use.
Immediately report any known or suspected security incidents and breaches to Kotani Pay.
Disciplinary Action
We expect all our employees to always follow this policy, and those who cause security breaches may face disciplinary action:
First-time, unintentional, small-scale security breach: We may issue a verbal warning and train the employee on security.
Intentional, repeated or large-scale breaches (which cause severe financial or other damage): We will invoke severe disciplinary action up to and including legal action and/or termination.
We will examine each incident on a case-by-case basis. Additionally, employees who are observed to disregard our security instructions will face progressive discipline, even if their behavior hasn’t resulted in a security breach.
Kotani Pay Limited may make changes to this policy in the future.