Cybersecurity Policy

1.1. Protection of Information Assets

Ensure the confidentiality, integrity, and availability of all data—customer, issuer, transactional, or administrative.

1.2. Threat Detection & Response

Implement proactive monitoring, detection, and rapid response capabilities to mitigate the impact of cyberattacks or unauthorized access.

1.3. Secure Platform Infrastructure

Maintain security across all layers of Penthian’s infrastructure, including the cloud environment, wallet infrastructure, marketplace, API integrations, and smart contracts.

1.4. Regulatory Compliance

Satisfy cybersecurity-related requirements under applicable VASP laws and frameworks, including auditability and reporting obligations.

1.5. User Trust & Resilience

Uphold Penthian’s reputation as a secure, transparent, and user-first tokenization platform through clear cybersecurity governance and zero-tolerance for negligence.

2.1. Covered Systems and Assets

• Web platform and mobile application (frontend and backend)
• Multi-chain wallet infrastructure (including self-custody and private key security)
• Smart contracts and token modules (e.g. ERC-3643, ERC-1155)
• Cloud-based hosting and storage systems (AWS, Azure, or equivalent)
• Internal IT systems (email, productivity, file sharing, internal communication tools)
• APIs and third-party integrations (e.g. Veriff, blockchain explorers, compliance tools)
• KYC/AML data storage and transmission pipelines
• Databases housing investor, issuer, and transactional data
• Administrative control panels and developer consoles
• Employee devices accessing Penthian systems

2.2. Internal Applicability

• All employees and contractors of Penthian Ltd
• Executive leadership and board members with system access
• Marketplace operators and compliance personnel
• Platform developers and DevOps engineers
• Marketing, sales, and support teams who access internal platforms or user data

2.3. External Applicability

• KYC/AML service providers (e.g. Veriff)
• Cloud service vendors
• Smart contract auditors and security consultants
• Legal and accounting firms with system access
• Joint venture partners and integrators
• Each third-party provider must adhere to this policy or demonstrate equivalent cybersecurity standards.

3.1. Board of Directors

• Approving the Cybersecurity Policy and reviewing it annually
• Ensuring sufficient budget and resources for security initiatives
• Appointing a qualified Chief Information Security Officer (CISO) or equivalent
• Monitoring the overall cybersecurity risk posture

3.2. Chief Executive Officer (CEO)

• Supporting compliance with the FSC and global standards
• Promoting a security-first culture across the company
• Overseeing incident response decisions at the executive level

3.3. Chief Information Security Officer (CISO)

• Implementing and maintaining the cybersecurity program
• Managing threat detection and incident response
• Conducting risk assessments and audits
• Reporting material cybersecurity risks or breaches to the Board and FSC
• Coordinating third-party penetration testing and system hardening

3.4. Compliance Officer

• Aligning cybersecurity policies with FSC regulatory expectations
• Ensuring data protection obligations (e.g., Data Protection Act, GDPR) are met
• Verifying third-party providers meet cybersecurity SLAs and audit requirements

3.5. IT & Engineering Team

• Ensuring secure development practices (DevSecOps)
• Applying updates, security patches, and configurations
• Managing API security and access permissions
• Monitoring infrastructure for intrusion attempts or anomalies

3.6. All Employees

• Comply with this Cybersecurity Policy and related IT policies
• Complete annual cybersecurity training
• Use strong passwords and multi-factor authentication
• Report suspicious activities or phishing attempts immediately

3.7. Third-Party Vendors

• Sign a cybersecurity and confidentiality agreement
• Demonstrate compliance with ISO 27001, SOC 2, or equivalent
• Cooperate in vulnerability assessments and risk reviews
• Notify Penthian of any known or suspected breaches related to their services

4.1. Risk Management Framework

• Identify – Assets, systems, data, and threats
• Protect – Implement controls to safeguard systems
• Detect – Monitor and identify threats or breaches
• Respond – Act on security incidents and limit impact
• Recover – Restore affected services and learn from events

4.2. Cyber Risk Categories

• External Threats: DDoS, ransomware, phishing, credential stuffing
• Internal Threats: Insider leaks, poor access management, negligent staff
• Third-Party Risk: API exploits, supply chain attacks, vendor data breaches
• Technology Risk: Smart contract bugs, code vulnerabilities, outdated libraries
• Compliance Risk: Violation of FSC rules, data protection laws, or industry standards

4.3. Risk Assessments

• Initial Risk Assessment during onboarding of new technology, smart contracts, or third-party vendors
• Periodic Reviews conducted quarterly to reassess the threat landscape
• Ad-hoc Assessments triggered by incidents, system changes, or regulatory updates
• Includes penetration testing, vulnerability scanning, configuration reviews, and security audits

4.4. Risk Register & Mitigation Plan

• Maintain a centralized Cyber Risk Register updated by the CISO
• Include risk description, probability and impact ratings, assigned owner, mitigation controls, residual risk, and monitoring frequency

4.5. Risk Reporting

• Report material risks or confirmed breaches to the Board of Directors
• Notify the FSC and impacted users where applicable in line with disclosure regulations

5.1. Identity Verification

• a. Internal Users: Company-issued credentials with Multi-Factor Authentication (MFA); access tied to role-based permissions.
• b. External Users (Investors, Issuers, Agents): KYC/KYB via Veriff; wallet addresses tied to verified identities using ERC-3643 whitelisting; session data encrypted and tracked for anomalies.

5.2. Role-Based Access Control (RBAC)

• Admin – Full backend/platform access including user controls
• Compliance – KYC/KYB, risk dashboard, and reporting
• Developer – Codebase, staging, and smart contract deployment
• Issuer – Listing tools, asset dashboards, investor messages
• Investor – View and transact on verified offerings
• Agent – Limited access to referral tools and managed property dashboards
• Access levels are reviewed quarterly and upon role or employment change

5.3. Password Policy

• Minimum 12 characters with symbols and mixed case
• Mandatory MFA for all staff and critical systems
• Password managers required for internal accounts
• Automatic lockout after 5 failed login attempts
• No plaintext storage of passwords

5.4. Session Management

• User sessions expire after 15 minutes of inactivity
• Admin sessions logged and stored for audit
• Anomaly detection flags session hijacking attempts

5.5. Device & Network Controls

• Access limited to company-approved devices with up-to-date endpoint protection
• Remote access requires VPN and device fingerprinting
• IP whitelisting enforced for sensitive admin panels and backend services

5.6. Access Review & De-provisioning

• Quarterly access reviews conducted
• Immediate deactivation upon exit or termination
• Automated tools detect and revoke stale/inactive accounts

6.1. Data Classification

• Confidential – KYC/KYB documents, investor transactions, wallet addresses (Restricted to Compliance & Admin)
• Internal – Employee records, internal communications, financial reports (Role-based staff access)
• Public – Platform FAQs, marketing materials, investor education (Open to all users)

6.2. Data Storage Security

• Data at rest encrypted with AES-256
• Cloud on ISO 27001-compliant providers; keys managed via HSMs
• On-chain data (e.g., ownership records) hashed/obfuscated where feasible
• Daily encrypted backups stored geographically separate with 30-day retention

6.3. Data in Transit

• TLS 1.3 enforced for all web/API communications
• Mutual TLS (mTLS) between internal services
• SFTP used for file-based data exchange

6.4. KYC/KYB Data Handling

• Identity data handled per GDPR and FSC requirements
• PII encrypted at rest and in transit
• Access limited to Compliance; all access logged

6.5. Token & Wallet Data

• Self-custody private keys are never stored by Penthian
• Custodial features protected by multi-signature and air-gapped cold storage
• Smart contract interactions audited and signed by verified roles

6.6. Third-Party Data Handling

• Vendors sign Data Protection Agreements
• Vendor systems meet/exceed Penthian’s encryption and storage standards
• Third-party data access is monitored and logged continuously

7.1. Device Registration & Authorization

• All devices accessing Penthian systems must be registered and approved by IT
• Device IDs and MAC addresses logged and tied to user profiles
• BYOD prohibited for staff accessing sensitive environments

7.2. Endpoint Protection Tools

• Antivirus/anti-malware kept up to date
• Endpoint Detection & Response (EDR) for advanced monitoring
• Firewalls enabled; auto-lock and screen timeouts configured

7.3. Operating System & Patch Management

• OS must be regularly updated with security patches
• Unsupported OS versions prohibited
• Automated tools enforce patch compliance and scan for vulnerabilities

7.4. Disk & File Encryption

• Full-disk encryption required (e.g., BitLocker, FileVault)
• Sensitive local files encrypted individually
• USB and external storage encrypted and approved before use

7.5. Remote Access Controls

• Remote access only via company-approved VPNs
• Devices authenticated with MFA and IP whitelisting
• RDP monitored for unusual activity

7.6. Device Monitoring & Audits

• Endpoint activity (times, IPs, device IDs) logged
• Periodic log reviews to detect anomalous behavior
• Non-compliant devices quarantined and remediated

7.7. Lost or Stolen Devices

• Incidents reported within 1 hour
• IT triggers remote lock or wipe
• Security reviews access logs; incident report filed and escalated if data exposure is suspected

8.1. Incident Definition

• Events that compromise confidentiality, integrity, or availability of systems/data
• Violations of cybersecurity policies or applicable laws
• Unauthorized access, disclosure, alteration, or destruction of data
• Incidents affecting wallets, smart contracts, or token logic
• Triggers from monitoring systems or third-party vendors

8.2. Incident Response Team (IRT)

• CISO – IRP coordinator and lead responder
• Compliance Officer – Regulatory reporting and user disclosure
• Engineering Lead – Technical triage, patching, rollback
• Legal Representative – Liabilities and breach disclosure obligations
• Communications Lead – Internal and external updates

8.3. Incident Response Stages

• 1. Identification – Detect anomaly via alerts or reports
• 2. Containment – Isolate affected systems/services
• 3. Investigation – Gather logs/data and determine scope/origin
• 4. Notification – Inform teams, regulators, and users as required
• 5. Eradication – Remove malware, close vulnerabilities, revoke access
• 6. Recovery – Restore from backup, verify integrity, resume operations
• 7. Postmortem – Analyze root cause, update playbooks, report to Board & FSC

8.4. Incident Classification

• Critical – Major system outage, data breach, smart contract exploit (Immediate)
• High – Unauthorized access, phishing with credentials at risk (≤ 2 hours)
• Medium – Failed intrusion attempt, suspicious logins (≤ 24 hours)
• Low – Policy violations, misconfigured access (≤ 72 hours)

8.5. Reporting & Disclosure

• All incidents logged in the Incident Register
• Material incidents reported to the FSC within 72 hours
• Affected users notified with scope, impact, and remedial actions

8.6. Post-Incident Review

• Conduct lessons learned session
• Review timeline, detection gaps, and response speed
• Recommend policy updates, technical upgrades, or training
• File an Incident Report Summary for Board and regulator records

9.1. Continuous Monitoring

• SIEM and automated tools monitor app logs, smart contracts, logins, APIs, cloud infrastructure, third-party data flows, and on-chain transactions
• Logs centralized, timestamped, and stored immutably for at least 12 months

9.2. Anomaly Detection

• Repeated failed logins (possible brute-force)
• Abnormal wallet transaction sizes/timing
• Access from blacklisted IPs/geolocations
• Atypical code/contract interactions
• Excessive API calls suggesting scraping/abuse
• Alerts triaged by the CISO team with severity ratings

9.3. Smart Contract Monitoring

• Detection for reentrancy, overflows/underflows
• Unauthorized minting or transfers
• Function call abuse (e.g., price manipulation)
• Critical contracts include pause mechanisms to halt trading

9.4. Blockchain & Wallet Watchlists

• Threat intel via Chainalysis, CipherTrace, etc.
• Suspicious wallets reported to Compliance and quarantined pending investigation

9.5. Physical Access Monitoring

• If applicable, access logs and CCTV tracked to review physical security violations for on-prem assets

9.6. External Intelligence Feeds

• Mauritius National CERT alerts
• Cybersecurity ISACs
• Global blockchain exploit trackers
• FSC and FATF guidance updates

10.1. Vendor Selection & Due Diligence

• Review ISO 27001/SOC 2 certifications and security history
• Assess security policies, IR procedures, and breaches
• Legal review of DPAs and SLAs
• Technical integration and API vulnerability assessment
• Vendors must meet or exceed policy standards

10.2. Approved Vendor List

• Only vendors in the Approved Vendor Register may be used (KYC/KYB, cloud hosting, email, auditing, analytics)
• Register reviewed quarterly by Compliance and the CISO

10.3. Contractual Obligations

• GDPR and local law-compliant data processing terms
• Breach notification within 48 hours
• Right to audit by Penthian or regulators
• Termination for failure to meet cybersecurity requirements

10.4. Ongoing Monitoring

• Annual/bi-annual security reviews
• Penetration testing of exposed APIs/SDKs
• Uptime and service delivery audits
• Incident reporting drills and tabletop exercises

10.5. Third-Party Wallet & Token Risks

• All contracts audited before deployment
• Least-privilege permissions enforced
• Real-time whitelist/blacklist updates
• ERC-20/1155 tokens scanned for malicious patterns

10.6. Termination & Offboarding

• Immediate revocation of access
• Vendor-held data destroyed or returned per DPA
• Replacement vendors complete full due diligence prior to handover

11.1. Onboarding Security Training

• Mandatory within first 7 days for all hires
• Covers phishing, password hygiene, data protection, secure device use, and reporting procedures
• Developers receive training on secure coding and smart contract risks

11.2. Annual Refresher Training

• All employees must pass an annual cybersecurity exam and simulation
• Content updated for new threats (e.g., deepfakes, wallet scams, AI risks)
• Passing score required for continued access to sensitive systems

11.3. Phishing Simulations

• Periodic simulated phishing campaigns
• Employees who fail must retake targeted training
• Results anonymized and used for organizational learning

11.4. Developer & Technical Training

• Smart contract security (reentrancy, overflows, gas attacks)
• Safe deployment pipelines and staging procedures
• Key management and signature verification
• Common Web3 vulnerabilities (front-running, flash loans)

11.5. Vendor Awareness

• Vendors receive a Security Handbook
• Contractual requirement to follow platform-specific security guidelines, SDK/API best practices, and data access policies

11.6. Culture of Reporting

• Immediate reporting encouraged without fear of reprisal
• Anonymous whistleblower mechanisms available
• Security wins are celebrated and communicated internally

11.7. Leadership & Tone from the Top

• Executives champion security by joining training, reviewing reports, and allocating resources
• Leadership style infused with Love, Joy, Peace, Patience, Kindness, Goodness, Faithfulness, Gentleness, and Self-Control to foster ethical technology use

12.1. Ownership & Accountability

• CISO is the primary owner of this policy
• Board provides oversight and prioritizes cybersecurity as a business imperative
• Department heads enforce controls within their functions

12.2. Governance Committee

• Cybersecurity & Risk Committee meets quarterly
• Members: CISO (Chair), Compliance Officer, Legal Counsel, CTO/Engineering Lead, and (if applicable) an independent advisor/auditor
• Reviews incidents, threat reports, audit outcomes, and policy updates

12.3. Policy Review Cycle

• Reviewed and updated at least annually
• Earlier reviews triggered by significant incidents, new FSC/FATF guidance, material business/architecture changes, or new risks

12.4. Change Management

• All updates documented, versioned, and approved by the Cybersecurity & Risk Committee
• Material updates communicated to staff and posted on the internal policy portal
• Critical system users must acknowledge policy changes

12.5. External Audits & Certification

• Annual penetration tests and third-party audits conducted
• As the business scales, pursue ISO/IEC 27001, SOC 2 Type II, and FSC-accepted assurance reports
• Audit results and remediation shared with the Board and regulators as needed

12.6. Breach Reporting to Regulators

• Confirmed cyber breaches affecting funds, tokens, wallets, or PII reported to FSC Mauritius within 72 hours, including mitigation and recovery plans
• Affected users notified transparently in line with local laws and platform commitments