Policies

ACCREDEFI INFORMATION SECURITY POLICY & OPERATIONAL PROGRAM OVERVIEW (V1.0)

1. Policy Statement and Scope

AccreDeFi establishes this Information Security Policy (ISP) to ensure the confidentiality, integrity, and availability of all critical assets, data processed, and smart contract logic deployed across the TON and XDC networks. Our mandate is to operate as an institutional enforcement protocol that facilitates secure asset tokenization exclusively for licensed asset managers. The scope of this policy covers all deployed software, infrastructure-as-code (IaC), and administrative functions within the current Minimum Viable Product (MVP) operational footprint.

2. Governance, Risk Management, and Compliance (GRC)

The organization maintains a formalized, operational information security program guided by this documented policy. Risk management is fundamentally driven by Data Minimization and Compliance by Enforcement.

To mitigate third-party risk, all external compliance data is validated by a secure Oracle Bridge using cryptographic signatures (JWT/JWK standard). Our core risk mitigation strategy centers on the Cryptographic Identity Anchor, which is a unique, unforgeable hash linked to the user's verified identity. This anchor is used to enforce all compliance checks.

  • Integrity Control: We operate a Wallet Recovery Protocol implemented within the Reputation Engine to actively penalize score migration, preventing unauthorized attempts to evade the historical compliance record.

  • Data Handling: We adhere to the principle of least privilege. We minimize sensitive data retention; the system relies on external providers (like Plaid) for initial PII and only receives and commits the final, cryptographically validated compliance status to the on-chain Oracle.

3. Operational and Technical Controls

AccreDeFi actively enforces security controls across its infrastructure and personnel environments.

Endpoint Security and Visibility

We maintain continuous and comprehensive visibility into all network assets. The organization utilizes automated tools and Infrastructure-as-Code (IaC) via Terraform and Docker to discover and maintain continuous visibility into all network endpoints, including servers, virtual machines, and databases. We actively perform vulnerability scans against all production assets and address identified vulnerabilities using a strict, defined Service Level Agreement (SLA) for patching. Endpoint security agents are deployed across all production assets to protect against malicious code, viruses, and malware.

Access Control and Authentication

Security controls are uniformly applied across all critical access points. We have deployed strong multi-factor authentication (MFA) for all critical assets, including cloud consoles, code repositories, and secrets management vaults. Furthermore, access to all resources is managed via explicitly defined, documented processes for requesting, granting, reviewing, approving, and revoking access.

Device Policy

AccreDeFi maintains a policy against the use of personal devices for carrying out job responsibilities. We do not operate a Bring Your Own Device (BYOD) policy. All access to critical production assets and data is conducted using company-provided and managed devices, simplifying the security posture and ensuring a consistent level of endpoint protection.

4. Operational Commitment

This documented policy is fully integrated into the development lifecycle and operations of the AccreDeFi MVP. Compliance with these controls ensures that the protocol maintains the highest standards of integrity required to serve licensed asset managers and financial institutions, providing a secure and auditable foundation for compliant tokenization.

ACCREDEFI DATA DELETION AND RETENTION POLICY (DDRP V1.0)

1. Scope and Purpose

This policy establishes the rules for handling all non-chain data collected, processed, and stored by the AccreDeFi protocol's off-chain services. The primary goal is to ensure continuous compliance with global data privacy regulations while maintaining the necessary immutable audit trail required for institutional financial operations.

2. Data Categories and Required Retention

Data is classified into three categories based on sensitivity, function, and regulatory retention requirements.

Category A: Financial Instrument and Compliance Ledger (Minimum 7 Years)

This category includes non-PII records necessary for financial accounting, audit, and GRC functions. Retention is mandated for a minimum of seven (7) years to align with global financial record-keeping laws.

• Data Included: Transaction records, final TokenBook metadata, GTRN hashes, Liquidation Logs, Fee Distribution Records, and all data committed to the XDC Ordinal Inscription (e.g., Signed Document Hash, Legal Counsel Name, transaction amounts).

Category B: Sensitive PII and Operational Data (Strict Data Minimization)

This category includes personally identifiable information obtained during the verification process. Retention of this data is subject to rapid hard deletion.

• Data Included: Full Name, Email, Date of Birth, Raw ID Verification IDs (Plaid-generated), IP Address logs, and the original raw Webhook Payloads.

• Retention Mandate: This data is Permanent and cannot be deleted or altered.

3. Deletion and Erasure Procedures

The organization enforces distinct protocols for the erasure of data:

1. Hard Deletion of PII (Category B): All data in Category B is subject to permanent erasure (hard deletion) from all active databases and log archives six months after the successful verification or immediately upon a valid regulatory request, provided this deletion does not conflict with Category A mandatory retention. Automated lifecycle management tools are used to enforce this schedule.

2. Financial Archival (Category A): After the initial three years of active use, financial records are transitioned to a restricted, encrypted archival storage to maintain the seven-year retention mandate.

3. Right to Erasure: While on-chain data (Category C) cannot be erased, all PII (Category B) is erased upon request, adhering to global privacy laws, provided the erasure does not compromise mandatory financial reporting obligations.

4. Technical and Enforcement Controls

This policy is operationalized through continuous technical controls:

• Data Encryption: All data subject to retention is protected by AES-256 encryption at rest and communicated only via TLS 1.2+ connections.

• Access Control: Access to sensitive data is governed by multi-factor authentication (MFA) and strict role-based access controls (RBAC).

• Audit Trail: All data retention, deletion, and archival events are recorded in a separate, tamperproof audit log to demonstrate compliance with the

AccreDeFi REPUTATION SYSTEM DISCLAIMER

IMPORTANT NOTICE REGARDING REPUTATION METHODOLOGY

The reputation scoring systems implemented on the AccreDeFi platform (TIRN and GTRN) were developed using an independent, multi-artificial intelligence consensus methodology. This disclaimer clarifies the source, nature, and limitations of the methodology used.

1. ARTIFICIAL INTELLIGENCE METHODOLOGY ATTRIBUTION

1.1 Independent AI Analysis

The factor selection, weighting scheme, and scoring criteria for AccreDeFi's reputation systems were determined entirely by three independent artificial intelligence systems from separate technology providers:

1. Claude (Anthropic, Inc.) - Model: Claude Sonnet 4.5

2. Gemini (Google LLC) - Model: Gemini Pro 3.5

3. Grok (xAI Corp.) - Model: Grok

AccreDeFi did not:

- Direct or influence the AI systems' analyses

- Modify the AI-generated recommendations

- Cherry-pick favorable outcomes

- Reject unfavorable AI conclusions

- Provide leading questions designed to produce specific results

1.2 AI Systems as Decentralized Voices

These artificial intelligence systems represent the closest technological approximation currently available to simulate a truly decentralized, global consensus mechanism.

The reasoning behind this approach:

a) Mass Training Data

Modern large language models (LLMs) are trained on datasets representing billions of human interactions, documents, conversations, and knowledge bases spanning:

- Multiple languages and cultures

- Diverse geographic regions and jurisdictions

- Varied socioeconomic backgrounds

- Different educational levels and professional expertise

- Broad political and philosophical perspectives

- Multiple religious and secular viewpoints

- Diverse gender identities and sexual orientations

- Various racial and ethnic backgrounds

- Different age groups and generational perspectives

- Wide range of financial literacy and experience levels

b) Collective Human Intelligence

When artificial intelligence systems generate responses, they synthesize patterns, logic, and reasoning derived from this massive, diverse training corpus. The AI responses do not represent any single individual's opinion, but rather an aggregated synthesis of human knowledge and reasoning across populations.

c) Elimination of Single-Party Bias

By using three independent AI systems from different organizations (Anthropic, Google, and xAI), each with different:

- Training datasets

- Algorithmic approaches

- Corporate philosophies

- Development teams

...AccreDeFi ensured that no single company, individual, or ideology could dominate the methodology.

d) Democratic Representation

This multi-AI consensus approach simulates what would theoretically result from surveying millions of diverse stakeholders globally—a feat that would be:

- Prohibitively expensive

- Logistically impossible

- Subject to sampling bias

- Vulnerable to manipulation

AI systems provide the most practical, scalable, and unbiased method currently available for synthesizing global consensus on complex evaluation criteria.

2. ACCREDEFI'S ROLE AND LIMITATIONS

2.1 Platform Implementation Only

AccreDeFi's role in the reputation system development was strictly limited to:

✓ Permitted Activities:

- Identifying the business problem (need for reputation scoring)

- Selecting which AI systems to consult (choosing multiple vendors)

- Providing neutral, standardized prompts to AI systems

- Implementing the AI-recommended methodology in code

- Operating the scoring infrastructure

- Maintaining transparency through documentation

✗ Prohibited Activities (Not Performed):

- Overriding AI recommendations

- Adjusting weights to favor specific outcomes

- Modifying factor selections for business advantage

- Introducing subjective human bias into the formula

- Selectively implementing only favorable AI suggestions

2.2 No Editorial Control

AccreDeFi exercised zero editorial control over the AI analyses. The AI systems were:

- Provided with identical prompts

- Given the same background research

- Allowed to reach independent conclusions

- Not shown each other's responses during analysis

- Free to propose any factors and weights without restriction

The final methodology represents a mathematical synthesis of consensus findings across all three AI systems, with higher weights assigned to factors that all AI systems independently identified as critical.

2.3 Opinion Divergence Acknowledgment

ACCREDEFI DOES NOT NECESSARILY AGREE WITH, ENDORSE, OR SHARE THE OPINIONS, PRIORITIES, OR JUDGMENTS REFLECTED IN THE AI-GENERATED METHODOLOGY.

The reputation system factors and weights reflect:

- What the AI systems determined based on their training

- Patterns identified across massive datasets

- Aggregated human reasoning synthesized by the models

- Industry best practices as understood by collective intelligence

AccreDeFi's agreement or disagreement with these determinations is irrelevant. The platform has committed to implementing an objective, AI-derived methodology precisely to avoid any appearance of self-interest or manipulation.

3. AI SYSTEMS AS PROXY FOR GLOBAL CONSENSUS

3.1 Why AI Represents the Masses

Claim: AI systems trained on global datasets are the best available proxy for "the voice of the people" on complex technical and ethical questions.

Rationale:

a) Scale of Representation

AI training datasets include:

- Trillions of words of text

- Millions of documents across languages

- Diverse sources (academic, professional, casual)

- Multiple perspectives and viewpoints

- Historical and contemporary knowledge

No human survey or expert panel could possibly capture this breadth.

b) Lack of Institutional Bias

Unlike:

- Regulatory bodies (government bias)

- Industry associations (self-interest)

- Academic committees (ivory tower perspectives)

- Focus groups (selection bias)

...AI systems synthesize information across all these sources without allegiance to any single institution.

c) Resistance to Lobbying

AI systems cannot be:

- Bribed or influenced financially

- Politically pressured

- Socially manipulated

- Emotionally swayed

Their outputs are deterministic based on their training—representing the aggregate wisdom embedded in their datasets.

d) Inclusivity by Design

Modern AI systems are trained to:

- Avoid discriminatory reasoning

- Consider multiple cultural contexts

- Respect diverse perspectives

- Balance competing viewpoints

This results in methodologies that are inherently more inclusive than those designed by any homogeneous human group.

4. ACCREDEFI'S POSITION AND COMMITMENT

4.1 Neutrality Commitment

AccreDeFi commits to operating as a neutral platform that:

- Implements AI-derived methodologies faithfully

- Does not override scores for business advantage

- Maintains transparency in all calculations

- Documents any future methodology changes publicly

- Subjects all updates to the same multi-AI validation process

4.2 Non-Endorsement

AccreDeFi does not:

- Claim the AI methodology is perfect or infallible

- Endorse every factor or weight as "correct" by AccreDeFi's own judgement

- Represent that the system reflects AccreDeFi's personal values or preferences

- Guarantee that the methodology will never require updates or corrections

The methodology is adopted because it represents the best available objective, decentralized approach—not because AccreDeFi necessarily agrees with every detail.

4.3 Right to Update

AccreDeFi reserves the right to update the reputation methodology in response to:

- Demonstrated flaws or unintended consequences

- Industry evolution and regulatory changes

- Technological improvements in AI systems

- Community feedback and stakeholder input

All updates will:

- Follow the same multi-AI consensus validation process

- Be publicly announced with 90 days' notice

- Include full documentation of rationale

- Respect grandfather clauses for existing participants

5. LIMITATIONS AND DISCLAIMERS

5.1 No Guarantees

AccreDeFi makes no representations or warranties that:

- The reputation scores are 100% accurate predictors of future behavior

- The methodology eliminates all risk of fraud or bad actors

- Scores will remain stable over time

- Higher scores guarantee better outcomes for investors

Reputation scores are informational tools only. They do not constitute:

- Investment advice

- Legal opinions

- Regulatory compliance certifications

- Guarantees of asset quality or safety

5.2 User Responsibility

Users are responsible for:

- Conducting their own due diligence

- Verifying all material facts independently

- Consulting professional advisors (legal, financial, tax)

- Understanding that past performance (high scores) does not guarantee future results

- Recognizing that scores can change based on behavior

5.3 AI System Limitations

AI systems have known limitations:

- They can reflect biases present in training data

- They cannot predict unprecedented future events

- They synthesize existing knowledge, not create new insights

- Their reasoning is probabilistic, not deterministic

- They may occasionally produce inconsistent outputs

These limitations are inherent to current AI technology and are not specific to AccreDeFi's implementation.

5.4 No Liability for AI Outputs

AccreDeFi is not liable for:

- Perceived unfairness in AI-generated factors or weights

- Disagreement with specific scoring criteria

- Economic impact of scores on participants

- Outcomes resulting from reliance on reputation scores

By using the AccreDeFi platform, participants acknowledge that:

- Scores are AI-generated using a transparent process

- AccreDeFi implemented, but did not design, the methodology

- No human can perfectly predict trustworthiness or quality

- This system represents a good-faith effort at objective evaluation

6. PHILOSOPHICAL FOUNDATION

6.1 Why Decentralization Matters

Traditional financial reputation systems suffer from:

- Regulatory Capture: Authorities influenced by powerful interests

- Insider Bias: Industry self-regulation favoring incumbents

- Geographic Limitations: Local rules that don't translate globally

- Institutional Conflicts: Credit rating agencies paid by issuers

- Subjective Judgment: Human biases in evaluation

Blockchain technology promises to eliminate these problems through:

- Transparent, immutable records

- Decentralized consensus mechanisms

- No single point of control

- Global accessibility

However, blockchain alone cannot determine WHAT should be measured or HOW to weight factors. That requires human judgement—which reintroduces bias.

The multi-AI consensus approach solves this by:

- Using AI systems as "synthetic participants" in a decentralized vote

- Eliminating any single human's or organization's control

- Synthesizing the collective wisdom of billions of human inputs

- Providing a transparent, auditable, and repeatable process

This represents the closest approximation currently possible to "asking everyone in the world what matters" without actually conducting an impossible global referendum.

6.2 The Legitimacy Question

"Who gives AccreDeFi the right to judge others?"

Answer: AccreDeFi doesn't.

The AI systems, trained on humanity's collective knowledge and reasoning, provide the evaluative framework. AccreDeFi merely:

- Operates the infrastructure

- Implements the AI recommendations

- Collects the data

- Performs the calculations

The legitimacy comes from:

1. Democratic Training: AI trained on billions of human inputs

2. Multi-Vendor Validation: Three independent systems reached consensus

3. Transparent Process: Full documentation of methodology

4. Opt-In Participation: Users choose to use AccreDeFi

5. Market Competition: Alternative platforms exist

If participants believe the methodology is unfair, they can:

- Use competing platforms

- Propose alternative methodologies (subject to same AI validation)

- Vote with their feet (exit the platform)

This market-based accountability, combined with AI-derived objectivity, provides legitimacy without requiring centralized authority.

7. INTELLECTUAL HONESTY

7.1 Acknowledging Imperfection

AccreDeFi acknowledges that this methodology is not perfect.

No system can:

- Perfectly predict human behavior

- Eliminate all bad actors

- Satisfy every stakeholder's preferences

- Remain permanently optimal as markets evolve

However, this methodology is demonstrably:

- More objective than human committee decisions

- More inclusive than single-vendor approaches

- More transparent than proprietary algorithms

- More defensible than subjective judgment

7.2 Commitment to Evolution

As AI technology improves and new models emerge, AccreDeFi commits to:

- Periodic re-validation (annually minimum)

- Incorporation of better AI systems as they become available

- Community feedback integration

- Continuous improvement while maintaining core principles

The goal is not to achieve a perfect, static system—but to maintain the most objective, fair, and representative system possible given current technology.

8. DISPUTE RESOLUTION

8.1 Challenging Scores

Participants who believe their scores are inaccurate may:

1. Request a manual audit of data inputs

2. Provide correcting documentation

3. Appeal obvious errors or bugs

4. Propose methodology improvements (subject to AI validation)

8.2 What Cannot Be Appealed

Participants cannot appeal:

- The choice of factors (AI-determined)

- The weighting scheme (AI consensus)

- Subjective disagreement with factor importance

- Scores that accurately reflect verified data

AccreDeFi will not override AI-derived methodology based on individual complaints. To do so would undermine the entire purpose of using an objective, AI-consensus approach.

9. REGULATORY COMPLIANCE

9.1 Disclosure to Regulators

This disclaimer and the full methodology report are provided to satisfy:

- Securities law disclosure requirements

- Consumer protection regulations

- Fair lending / non-discrimination laws

- Platform transparency obligations

9.2 Regulatory Interpretation

AccreDeFi cannot control how regulators interpret or judge this methodology. However, AccreDeFi believes that:

- Using AI consensus is more defensible than human judgment

- Full transparency demonstrates good faith

- Multi-vendor approach shows absence of manipulation

- Methodology is grounded in established financial best practices

If regulators require changes, AccreDeFi will:

- Work cooperatively to address legitimate concerns

- Maintain the AI-consensus validation principle

- Document all changes transparently

- Seek to minimize disruption to existing participants

10. FINAL STATEMENT

IN SUMMARY:

  • The AccreDeFi reputation system was designed by artificial intelligence systems representing the aggregated knowledge, reasoning, and values of billions of human inputs across all demographics, geographies, and perspectives.

  • AccreDeFi did not design this system.

  • AccreDeFi does not necessarily agree with this system.

  • AccreDeFi simply implements what the AI consensus determined.

This approach ensures:

  • Objectivity: No single party controls the methodology

  • Inclusivity: AI training spans all demographics

  • Transparency: Full documentation provided

  • Defensibility: Grounded in collective human wisdom

  • Fairness: Same rules apply to everyone

Users who disagree with this methodology are free to:

  • Not use the AccreDeFi platform

  • Advocate for changes (subject to AI re-validation)

  • Use competing platforms with different methodologies

  • Develop their own AI-validated alternatives

AccreDeFi's commitment is to neutrality, transparency, and continuous improvement—not to defending every detail of a methodology that was deliberately designed by independent AI systems rather than by AccreDeFi itself.

ACKNOWLEDGEMENT OF RECEIPT

By using the AccreDeFi platform, you acknowledge that you have read, understood, and agree to the terms of this disclaimer, including:

✓ Reputation scores are AI-generated, not AccreDeFi-designed

✓ AI systems represent aggregated human knowledge and reasoning

✓ AccreDeFi does not endorse or necessarily agree with AI conclusions

✓ Scores are informational only and do not guarantee outcomes

✓ You are responsible for your own due diligence and decisions

✓ This methodology may evolve over time with proper notice

AccreDeFi Platform

Methodology Version: 1.0

Disclaimer Version: 1.0

Last Updated: October 20, 2025

Questions or Concerns:

Email: legal@accredefi.com

Documentation: https://docs.accredefi.com/reputation-disclaimer

For Regulatory Inquiries:

Email: compliance@accredefi.com