Record-Keeping Policy

Framework for retention, accessibility, and secure management of records in compliance with FSC and VAITOS Act 2021.

This Record-Keeping Policy outlines Penthian Ltd’s standards for creating, storing, maintaining, and disposing of records to meet the requirements of the Financial Services Commission (FSC) of Mauritius, the VAITOS Act 2021, and related AML/CFT obligations.

Proper record-keeping is essential for regulatory compliance, auditing, dispute resolution, and operational continuity.

1. Introduction & Objective

Defines the purpose and regulatory basis for record-keeping across all Penthian Ltd operations.

Aligns with FSC of Mauritius, VAITOS Act 2021, and international AML/CFT frameworks.

2. Scope & Applicability

Applies to all departments, staff, contractors, and technology systems involved in Penthian Ltd’s regulated Virtual Asset Marketplace.

2.1. Covered Records

Client Identification & Onboarding

  • KYC files verified through Veriff
  • Proof of identity (passport, ID, license)
  • Proof of address (utility bill, bank statement)
  • Risk assessments and source-of-funds declarations

Transaction & Wallet Records

  • Token purchases and sales
  • Token allocations under ERC-721, ERC-1155, ERC-3643
  • Wallet addresses, transaction hashes, timestamps
  • Smart contract logs and dividend distributions

Compliance & AML/CFT Records

  • Suspicious Transaction Reports (STRs)
  • Ongoing monitoring logs and investigation reports
  • Correspondence with FSC and FIU

Legal & Governance Records

  • Board resolutions and minutes
  • Contracts and partnership agreements
  • Incident and breach reports

Financial & Accounting Records

  • Annual financial statements and tax returns
  • Invoices, bank reconciliations, audit trails

2.2. Policy Applicability

  • Applies to all internal teams, external vendors managing data (e.g., Veriff, legal counsel), and cloud providers (AWS, Google Cloud).

3. Regulatory Requirements

3.1. Minimum Retention Periods

Retention Table

  • KYC records — 7 years after client relationship ends
  • Transaction and blockchain logs — 7 years from date of transaction
  • STRs — 7 years from filing date
  • Legal contracts — 7 years post-termination
  • Financial records — 7 years after fiscal year end
  • System logs — 5–7 years depending on risk profile

3.2. Accessibility & Auditability

3.3. Cross-Border Data Compliance

4. Record Storage & Security

4.1. Digital Record Storage

  • All electronic records stored in encrypted, access-controlled cloud systems (AWS, Google Cloud).
  • Blockchain records (ERC-3643, ERC-721, ERC-1155) are immutable and permanently stored on-chain.
  • Access managed via RBAC, MFA, and continuous audit logging.

4.2. Physical Record Storage

  • Hardcopy documents stored in secure, fireproof locations with logged physical access.

4.3. Security Measures

Encryption

  • AES-256 at rest
  • TLS 1.2+ in transit

Authentication

  • Multi-factor authentication
  • Quarterly access reviews

Monitoring & Alerts

  • Automated breach detection
  • Incident escalation to CTO and Compliance

5. Record Access & Retrieval

5.1. Internal Access Controls

Access Matrix

  • Compliance Team — full access to compliance records
  • Executive Management — financial and governance records
  • Tech Teams — system and blockchain logs
  • Customer Service — view-only client onboarding data

5.2. External Access

  • FSC, FIU, and external auditors must receive data access within 48 hours of written request.

5.3. Retrieval Standards

  • Records retrievable in human-readable form, indexed by client ID, hash, or metadata.

5.4. Emergency Retrieval

  • Essential records recoverable from backups within 6 hours; full restoration within 24 hours (RTO).

6. Record Retention & Disposal

6.1. Retention Schedule

  • Records retained per regulatory timelines (7 years minimum).

6.2. Conditions for Early Deletion

  • Permitted only via regulator/court order or legal approval by Compliance.

6.3. Disposal Methods

Digital Records

  • Wiped using DoD 5220.22-M or equivalent
  • Encryption key destruction
  • Deletion logs retained 2 years

Physical Records

  • Shredding by authorized staff/vendor
  • Certificate of destruction stored in disposal register

6.4. Disposal Register

  • Centralized log with record description, disposal date/method, and authorization signature.

7. Monitoring & Policy Review

7.1. Monitoring of Compliance

  • Compliance Officer audits record management and vendor practices.
  • Breaches or deviations trigger immediate corrective actions.

7.2. Review Cycle

  • Policy reviewed annually or sooner upon regulatory changes, new products, or incidents.
  • Approved by Board after consultation with Compliance, Legal, and IT.

7.3. Training & Awareness

  • All staff with access to records trained on creation, retention, and secure disposal procedures.