Legal

Data Handling Policy

Version 1.0. Last updated: May 2026. Onbridge (operating under [Registered Company Name], Dubai, UAE)

This policy sets out how Onbridge collects, handles, stores, transmits and deletes client documentation and associated data. It applies to all data received from clients in connection with our onboarding facilitation service. We collect only what is necessary and retain it only for as long as required.

1. Introduction

Onbridge provides institutional exchange onboarding facilitation services. Our service enables institutional clients to complete the KYB onboarding process across multiple cryptocurrency exchanges by submitting a single consolidated document package to us.

Onbridge acts solely as a document management and submission service. We do not provide financial, investment, or legal advice. We do not hold, custody, or transact virtual assets on behalf of clients.

2. What we collect

Corporate documents

Certificate of Incorporation and corporate registration documents
Memorandum and Articles of Association
Corporate structure charts and ownership diagrams
Business registration certificates and licences
Proof of registered and operational address
Authorised signatory lists and board resolutions

UBO and director information

Passport copies and national identity documents
Proof of residential address
PEP and sanctions declarations
Details of all individuals holding 10% or greater ownership interest

Compliance and financial documents

AML and KYC policy documents
Source of funds and source of wealth documentation
Audited financial statements or management accounts where required
Regulatory licences and authorisations

✓

Data minimisation principle: we collect only the documentation explicitly required by your selected exchanges. We do not request supplementary information beyond what is operationally necessary to complete your onboarding submission.

3. How we use your data

Client data is used exclusively for the following purposes:

Preparing and formatting documentation packages for submission to client-selected exchanges
Transmitting documentation to exchanges on the client's behalf
Communicating with exchanges regarding the status of an application
Maintaining records for audit and compliance purposes
Complying with applicable legal or regulatory obligations

We do not use client data for marketing, analytics, or any secondary commercial purpose. We do not sell or license client data to any third party.

4. Storage and security infrastructure

Powered by Tresorit

All client documents are stored exclusively on Tresorit, a Swiss-based, enterprise-grade document management platform. Tresorit's zero-knowledge architecture means files are encrypted on your device before upload. Not even Tresorit can access your documents.

We are transparent that it is Tresorit as our infrastructure provider, not Onbridge as an organisation, that holds these certifications. We are happy to provide Tresorit's full certification documentation to your compliance team on request.

ISO 27001 Certified

SOC 2 Type II Compliant

Zero-knowledge encryption

AES-256 encryption at rest

TLS 1.2+ in transit

Swiss-based infrastructure

Access controls

Role-based access permissions: only personnel assigned to your case may access your documents
Each client is assigned a dedicated, isolated folder with unique access credentials
Multi-factor authentication is required for all platform access
No individual has blanket access to all client files
Access permissions are reviewed and revoked immediately upon any change in personnel

Audit trail

All document activity is logged and retained, including the date and time of every upload, access, download and deletion event, the identity of the team member who performed each action, and the IP address associated with each access. Audit logs are retained for a minimum of five years and are available to clients upon request.

5. Transmission to exchanges

Documents are transmitted only to exchanges explicitly selected and authorised by you
Transmission is carried out via each exchange's official secure portal, API, or designated compliance contact
Where email transmission is necessary, we use encrypted email or password-protected archives with credentials shared separately
A record of each transmission including the exchange, date and documents submitted is maintained in our audit log
We never transmit documents to any exchange not explicitly authorised by you in writing

6. Data retention and deletion

Document type	Retention period
Active engagement documents	Duration of engagement plus 12 months
Submitted onboarding packages	5 years from date of submission
Audit logs and access records	5 years from date of record creation
Unsuccessful onboarding documents	12 months from final determination
Documents subject to legal hold	Until hold is lifted, then standard period applies

You may request deletion of your documents at any time. Deletion requests are fulfilled within 30 calendar days, subject to any legal retention obligations. Deletion is logged in our audit trail.

7. Third-party service providers

We engage the following categories of third-party service providers who may process client data on our behalf:

Tresorit: secure document storage and access control
Target exchanges: document submission as directed by you
Legal advisors: where required for compliance purposes, using anonymised data where possible

All service providers are subject to appropriate data processing agreements and are required to maintain security standards no less stringent than those set out in this policy.

8. Your rights

Right of access: request a summary of all documents and data we hold relating to you
Right to rectification: request correction of inaccurate data
Right to deletion: request deletion of your documents
Right to data portability: receive a copy of your documents in a standard electronic format
Right to restrict processing: request that we limit use of your data to storage only

Requests should be submitted to hello@onbridge.io. We will acknowledge receipt within 5 business days and fulfil requests within 30 calendar days.

9. Security incident response

In the event of an actual or suspected security incident affecting client data, we will investigate and contain the incident within 24 hours of detection. Affected clients will be notified within 72 hours of confirming that their data has been or may have been compromised. A post-incident report will be prepared within 14 days and made available to affected clients upon request.

To report a suspected security incident, contact us immediately at hello@onbridge.io.

10. Policy review

This policy is reviewed annually or upon any material change to our operations, technology infrastructure, or regulatory environment. Clients will be notified of any material changes with a minimum of 30 days notice. The current version is always available at onbridge.io/data-policy.html.

11. Contact

All data handling queries, access requests, or concerns should be directed to hello@onbridge.io or in writing to [Registered Address], Dubai, UAE. We respond to all queries within 5 business days.