Origin Ledgers

Technical & Organizational Security Measures

Document Version: 1.0  |  Effective starting: June 10, 2020

Security is a core component of Origin Ledgers’ platform, products, and operations. This document outlines Origin Ledgers’ comprehensive security program, including our certifications, policies, and physical, technical, organizational, and administrative controls (collectively, the “Security Measures”). These measures are designed to protect Customer Data from unauthorized access, destruction, use, modification, or disclosure, and to ensure the confidentiality, integrity, and availability of our services.

Origin Ledgers implements and maintains these Security Measures in accordance with industry standards for leading software-as-a-service (SaaS) providers, including controls and frameworks based on NIST 800-53, ISO/IEC 27001, and related best practices for cloud security and data protection.

The Security Measures described here reflect Origin Ledgers’ ongoing commitment to safeguarding customer information, maintaining trust, and ensuring compliance with applicable data protection laws and contractual obligations.

Any capitalized terms used but not otherwise defined in this document shall have the meanings assigned to them in the Agreement or the Data Processing Addendum (DPA).

1. Access Control

Origin Ledgers has implemented and maintains a comprehensive set of formal policies, technical controls, and organizational practices to ensure appropriate access control and the protection of Customer Data.

These measures are designed to prevent unauthorized access, ensure accountability, and align with industry standards for identity and access management, including Zero Trust principles.

The Access Control framework includes the following key components:

  • Access Management Policy — A documented policy defining standards, procedures, and responsibilities for access control, user provisioning, and authentication across all systems, applications, and infrastructure.
  • Zero Trust Architecture — A multi-layered security model that classifies systems and data into criticality tiers, enforcing multi-factor authentication (MFA) and additional security measures on higher-tier and sensitive systems.
  • Role-Based Access Control (RBAC) — User access is granted based on job function and the principle of least privilege, ensuring individuals receive only the minimum level of access required to perform their duties.
  • Need-to-Know Restriction — Origin Ledgers personnel are permitted to access Customer Data strictly on a need-to-know basis, and only when access is necessary for legitimate operational purposes.
  • Segregation of Duties — Functional and technical segregation is enforced to prevent conflicts of interest, including but not limited to:
    • Regular access control reviews,
    • Security group management through HR applications, and
    • Workflow and approval mechanisms for sensitive operations.
  • Access Authorization and Review — All user accounts require management approval prior to granting access to data, applications, or network resources. Access privileges are regularly reviewed and adjusted based on role changes or employment status.
  • Technical Access Controls — The use of VPNs, MFA, and device posture verification is mandated for access to classified systems and environments, consistent with Origin Ledgers’ Zero Trust Model.
  • Endpoint and Mobile Device Security — A centrally managed Mobile Device Management (MDM) solution enforces security configurations, lockout periods, encryption, and compliance checks for all authorized endpoints and mobile devices.

2. Awareness and Training

Origin Ledgers has established and maintains a comprehensive Security Awareness and Training Program designed to ensure that all personnel understand their responsibilities for protecting Customer Data and maintaining the security and integrity of Origin Ledgers systems.

The program combines general awareness, role-specific education, and continuous engagement to promote a strong and enduring security culture across the organization.

Key components include:

  • Mandatory Security and Privacy Training — All new employees, contractors, and partners complete extensive onboarding training covering security, privacy, compliance, and acceptable use. Annual refresher courses reinforce these principles.
  • Varied Learning Formats — Training is delivered through diverse channels including online modules, in-person sessions, recorded webinars, and interactive phishing simulations to maximize engagement and retention.
  • Role-Specific Training — Personnel with elevated access privileges or specialized responsibilities (e.g., engineers, administrators, and security staff) receive targeted training addressing advanced risks, secure system management, and incident prevention practices.
  • Training Records and Tracking — All training completions and certifications are centrally recorded in a Learning Management System (LMS) to ensure traceability and auditability.
  • Automated Reminders and Escalation — The LMS issues automated reminders for training deadlines and includes an escalation workflow to notify the relevant manager if completion is delayed.
  • Ongoing Security Awareness — Origin Ledgers provides continuous awareness activities for all personnel, including contractors and third-party partners, focused on emerging threats, changing compliance requirements, and evolving best practices.
  • Secure Development Education — Security champions within engineering teams deliver secure coding and application security training sessions, ensuring that security-by-design principles are embedded in the software development lifecycle.
  • Annual Security Events and Campaigns — Mandatory yearly security awareness events, workshops, and campaigns reinforce key security values, emphasizing the shared responsibility of every employee in maintaining a secure environment.

3. Audit and Accountability

Origin Ledgers maintains a comprehensive set of formal policies, controls, and practices to ensure proper auditing, monitoring, and accountability across its systems, services, and cloud environments.

These measures enable the timely detection of anomalies, facilitate forensic analysis, and ensure compliance with internal policies and regulatory requirements.

Key components of the Audit and Accountability Program include:

  • Comprehensive Logging Standards — Detailed logging standards are defined as part of Origin Ledgers’ Policy Management Framework. These standards undergo annual reviews and senior management approval to ensure continued effectiveness and alignment with industry best practices.
  • Centralized Log Management — All relevant system and security logs are securely forwarded and stored within a centralized log management platform in Origin Ledgers’ cloud infrastructure. Access to logs is restricted to read-only permissions and limited to authorized personnel.
  • Continuous Monitoring and Review — Security audit logs are actively monitored to identify unusual or suspicious activity. Defined procedures ensure timely review, investigation, and remediation of detected anomalies.
  • Dynamic Log Scope and Updates — The scope of logged information and system events is periodically reviewed and updated to reflect new features, technologies, and infrastructure changes within Origin Ledgers’ Cloud Products.
  • Reliable Time Synchronization — All system clocks and timestamps are synchronized using time synchronization services from trusted cloud providers (e.g., AWS, Microsoft Azure) to maintain accurate and consistent logging across all deployed instances.

Through these measures, Origin Ledgers ensures traceability, accountability, and operational transparency in line with industry standards such as ISO/IEC 27001:2022, NIST SP 800-53 (AU controls), and SOC 2.

4. Assessment, Authorization, and Monitoring

Origin Ledgers has established and maintains a robust set of formal policies, controls, and operational practices to ensure continuous system monitoring, independent verification, and effective security assessment throughout its infrastructure and product lifecycle.

These measures ensure the integrity, compliance, and ongoing improvement of Origin Ledgers’ information security management system.

Key elements include:

  • Comprehensive Audit and Assurance Policies — A detailed set of audit and assurance policies is maintained under Origin Ledgers’ compliance framework, subject to annual reviews, updates, and management approval to ensure alignment with evolving regulatory and contractual requirements.
  • Centralized Policy Governance — A centralized internal policy program organizes global security and compliance policies into clearly defined domains, with each domain reviewed annually and approved by senior management.
  • Audit Management Lifecycle — Origin Ledgers’ audit management process encompasses the planning, risk analysis, security control assessments, audit conclusions, remediation scheduling, and thorough review of historical audit findings to ensure continuous improvement.
  • Internal and External Audits — Both internal assessments and independent external audits are conducted annually to evaluate adherence to legal, regulatory, and contractual obligations, as well as to validate the effectiveness of security controls and operational processes.
  • Ongoing Compliance Verification — Regular reviews confirm alignment with globally recognized standards such as ISO/IEC 27001, SOC 2, and other applicable frameworks.
  • Nonconformity Management and Corrective Actions — Identified nonconformities are documented, analyzed, and remediated based on root-cause analysis and severity rating. Corrective actions are tracked to completion to ensure accountability and continuous improvement.
  • Penetration Testing and Bug Bounty Programs — Origin Ledgers conducts annual penetration tests on its products and platforms, supplemented by proactive bug bounty programs to identify and mitigate potential vulnerabilities before they can be exploited.
  • Continuous Vulnerability Scanning — Automated and continuous vulnerability assessments are performed across systems and infrastructure. Identified vulnerabilities are prioritized and remediated according to Origin Ledgers’ internal security policy and defined risk severity levels.

Through these practices, Origin Ledgers ensures a rigorous, transparent, and proactive approach to risk management, control validation, and compliance assurance across its entire operational environment.

5. Configuration Management

Origin Ledgers maintains a comprehensive and formally documented Configuration Management Program that ensures all systems, infrastructure, and applications are securely configured, consistently maintained, and continuously monitored throughout their lifecycle. These practices support system stability, minimize risk, and ensure all changes are implemented in a controlled and auditable manner.

Key components include:

  • Change Management Policy — Origin Ledgers enforces formal change management policies covering the full lifecycle of system, application, and infrastructure changes. All changes are assessed for security risk and business impact, and the policies are reviewed annually by senior management.
  • Secure Encryption and Cryptographic Controls — Defined procedures govern all changes involving encryption, key management, and cryptography, ensuring secure handling of data and cryptographic materials according to their security classification.
  • Centralized Policy Governance — A centralized internal policy framework organizes Origin Ledgers’ global policies into multiple control domains, each subject to annual review and executive approval to maintain compliance and operational integrity.
  • Technical and Security Configuration Standards — Origin Ledgers maintains stringent policies and standards covering:
    • Encryption and key management
    • Cryptography controls
    • Endpoint configuration management
    • Asset tracking and lifecycle governance
    These are implemented in accordance with industry best practices and recognized international standards.
  • Configuration Baselines and Change Controls — All system and application configurations follow established baseline standards, requiring testing documentation and authorized approval prior to deployment or modification.
  • Peer Review and Green Build Process — All production code and infrastructure changes undergo peer review and a green build process, ensuring multiple levels of validation, successful testing, and approval prior to release.
  • Emergency Change Procedures — Emergency changes are subject to post-implementation review and approval, verifying that the change was necessary, effective, and securely implemented.
  • Automated Monitoring and Intrusion Detection — Origin Ledgers utilizes automated configuration management systems integrated with Intrusion Detection Systems (IDS) to identify, log, and prevent unauthorized changes in real time.
  • Asset Inventory and Tracking — All physical and logical assets are catalogued, tracked, and reviewed annually to ensure an accurate and up-to-date inventory aligned with Origin Ledgers’ asset management policy.

Through these measures, Origin Ledgers ensures that configuration changes are secure, traceable, and controlled, maintaining the confidentiality, integrity, and availability of its systems and Customer Data.

6. Contingency Planning

Origin Ledgers has implemented and maintains a comprehensive set of formal policies, controls, and operational procedures to ensure effective business continuity and disaster recovery (BCDR) across all global operations and cloud-based environments.

These measures are designed to preserve the availability of Origin Ledgers’ products and services, protect Customer Data, and enable rapid recovery from disruptions, ensuring operational resilience under all conditions.

Key components of Origin Ledgers’ Contingency Planning framework include:

  • Skilled Workforce and Infrastructure Readiness — A highly trained workforce and resilient IT infrastructure, including critical telecommunications and cloud technologies, ensure uninterrupted delivery of Origin Ledgers Products and Services.
  • Business Continuity and Disaster Recovery Plans (BCDR Plans) — Documented and tested BCDR Plans define clear Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) for essential systems, services, and data.
  • Data Continuity and Availability — Business continuity strategies encompass secure data storage, redundancy, and continuity-of-use mechanisms designed to prevent interruptions to Customer Data access and utilization.
  • Geographic and Cloud Resilience — Origin Ledgers leverages geographically distributed infrastructure and a global workforce to minimize localized risk and maintain service continuity in the event of regional disruptions.
  • Operational Resilience Controls — Daily backups, annual restoration testing, and the use of alternative cloud storage and failover sites strengthen resilience and enable swift recovery following potential data loss events.
  • Cyber Event Response and Resilience Framework — Origin Ledgers maintains an integrated incident response and resilience framework with defined procedures for cyber event detection, mitigation, and recovery to preserve business continuity.
  • Regular Testing and Continuous Improvement — Quarterly disaster recovery tests and scenario-based exercises are conducted to evaluate response readiness. Post-test analyses identify areas for enhancement, driving continuous improvement of BCDR capabilities.
  • Capacity and Availability Management — Continuous monitoring and capacity planning ensure optimal service performance and uptime, including DDoS mitigation and scaling mechanisms for Origin Ledgers Cloud Products and infrastructure.
  • Centralized Policy Oversight — A centralized internal policy program governs all global business continuity policies, with annual reviews and updates approved by senior management.
  • Robust Data Backup Protocols — Comprehensive backup procedures include:
    • End-to-end data encryption during transfer and storage,
    • Redundancy across multiple data centers, and
    • Periodic backup testing to validate data integrity and ensure recoverability.

7. Identification and Authentication

Origin Ledgers has implemented and maintains a comprehensive framework of formal policies, technical controls, and operational practices to ensure robust identification and authentication of users accessing systems, applications, and Customer Data.

These measures enforce accountability, minimize the risk of unauthorized access, and align with Zero Trust and defense-in-depth security principles.

Key components include:

  • Unique Employee Identification — Each Origin Ledgers employee is uniquely identified through a centrally managed Active Directory service, ensuring traceable and auditable account management across all systems.
  • Single Sign-On (SSO) — Access to corporate applications and services is facilitated through Single Sign-On (SSO), streamlining authentication while maintaining centralized visibility and control.
  • Multi-Factor Authentication (MFA) — MFA is mandatory for all secure access points, including VPN connections and application launches via SSO, as defined by Origin Ledgers’ Zero Trust Model. This ensures that access requires both user credentials and an additional verification factor.
  • Password Security and Policy — Password creation and management follow the NIST SP 800-63B Digital Identity Guidelines, emphasizing password strength, protection against common passwords, and secure reset mechanisms.
  • Credential Storage and Protection — All stored credentials, including passwords, secrets, and tokens, are safeguarded using strong encryption algorithms and secure password and secret management systems, ensuring confidentiality and integrity.
  • Account Governance and Review — Access and identity data are subject to documented approvals, regular access reviews, and automated synchronization between HR systems and identity management platforms to maintain accuracy, integrity, and lifecycle consistency.

8. Security Incident Response

Origin Ledgers maintains a comprehensive and formally documented Security Incident Response Program designed to ensure timely detection, analysis, containment, remediation, and communication of all Security Incidents.

This program aligns with globally recognized frameworks and emphasizes preparedness, regulatory compliance, and continuous improvement.

Key elements include:

  • Security Incident Response Plans — Documented and regularly updated plans define the full incident lifecycle, including preparation, detection, containment, eradication, recovery, and post-incident review. These plans integrate data protection and regulatory reporting requirements to ensure full compliance.
  • Dedicated Cross-Functional Teams — A Security Incident Response Team (SIRT), consisting of specialists from security, engineering, legal, compliance, and communications, manages incidents collaboratively to ensure rapid, coordinated responses.
  • Event Triage and Escalation — Clearly defined processes govern the identification, categorization, and escalation of potential security events, ensuring that threats are quickly validated and prioritized based on impact and severity.
  • Testing and Continuous Improvement — Incident response plans are regularly tested through simulated exercises and tabletop drills. Performance metrics and lessons learned are tracked to continuously improve detection and response capabilities.
  • Annual Reviews and Updates — Company-wide incident response policies are reviewed and updated annually to reflect emerging threats, new technologies, and best practices shared across the organization.
  • Post-Incident Reviews (PIRs) — For all high-severity incidents, a root cause analysis is performed as part of a PIR process, identifying systemic improvements and implementing corrective actions to prevent recurrence.
  • Integration with Business Processes — Incident response procedures are embedded in critical operational and business workflows, minimizing service disruption and security exposure during potential incidents.
  • Customer Reporting Channels — Customers can report security incidents, vulnerabilities, or system defects through established reporting channels. All reports receive prompt investigation and follow-up by the Origin Ledgers Security Team.
  • Customer Notification and Support — In accordance with the Origin Ledgers Data Processing Addendum (DPA), Customers are notified without undue delay in the event of a confirmed Security Incident affecting their data. Origin Ledgers also provides timely assistance and relevant information necessary for compliance with Applicable Data Protection Laws.

9. Maintenance

Origin Ledgers maintains a comprehensive set of formal policies, operational controls, and monitoring practices to ensure the continued effectiveness, reliability, and availability of its Cloud Products and supporting infrastructure.

These measures ensure that systems remain secure, resilient, and performant throughout their lifecycle.

Key elements include:

  • Regular Testing of BCDR Plans — Business Continuity and Disaster Recovery (BCDR) Plans are tested and validated quarterly, ensuring their effectiveness in maintaining service availability during disruptive events. Independent external audits verify adherence to defined recovery objectives and overall operational readiness.
  • Real-Time Availability and Reliability Monitoring — Continuous, real-time monitoring is conducted across multiple geographic regions to ensure high availability and rapid detection of anomalies. Routine infrastructure reliability testing validates uptime commitments and performance consistency across all production environments.
  • Integrated Oversight and Coordination — Maintenance activities are coordinated in alignment with the relevant Origin Ledgers security and compliance programs, including:
    • Section 4 – Assessment, Authorization, and Monitoring,
    • Section 6 – Contingency Planning, and
    • Section 18 – System and Communications Protection.
    Together, these frameworks ensure a holistic approach to ongoing security, system health, and operational resilience.

10. Media Protection

Origin Ledgers has implemented and maintains a comprehensive framework of formal policies, controls, and operational practices to ensure the secure handling, storage, and disposal of all physical and digital media containing Customer Data.

These measures protect the confidentiality, integrity, and availability of information throughout its lifecycle — from creation and processing to transfer and destruction.

Key components include:

  • Trusted Infrastructure Providers — Origin Ledgers leverages secure and reputable third-party cloud service providers (e.g., Microsoft Azure, AWS) as Sub-processors responsible for operating the physical infrastructure used to process and store Customer Data. These providers maintain rigorous security certifications and undergo regular third-party audits.
  • Secure Media Sanitization and Disposal — All equipment and media used by Origin Ledgers’ infrastructure providers are subject to secure sanitization or degaussing before reuse or disposal, following recognized industry standards such as ISO/IEC 27001, NIST SP 800-88, and the providers’ internal data destruction policies.
  • Encryption of Data at Rest — Full-disk encryption using strong cryptographic standards (e.g., AES-256) is enforced for data drives on servers, databases, and storage systems containing Customer Data. All endpoint devices accessing Customer Data are also required to use encryption.
  • Bring Your Own Device (BYOD) Security — Origin Ledgers enforces a strict BYOD policy, ensuring that access to Customer Data is permitted only from secure, compliant, and managed devices. Access is controlled via VPN, Multi-Factor Authentication (MFA), and other technical safeguards within Origin Ledgers’ Zero Trust Model architecture.
  • Secure Workspace Practices — Employees are required to maintain clean and secure workspaces, ensuring that no confidential information is visible or accessible when unattended, in accordance with Origin Ledgers’ secure workplace guidelines.

11. Physical and Environmental Protection

Origin Ledgers has implemented and maintains a comprehensive framework of formal policies, physical safeguards, and operational controls to ensure the physical and environmental protection of facilities, systems, and infrastructure where Customer Data is processed or stored. These measures are designed to prevent unauthorized physical access, environmental damage, or service disruption across all Origin Ledgers offices and data center environments.

Key components include:

  • Secure Office Environment — Origin Ledgers provides a safe and secure working environment across all global offices, with access controls and protective measures implemented consistently to safeguard personnel, assets, and Customer Data.
  • Access Control and Monitoring — Employee access is managed through electronic badge systems, camera surveillance, and time-based access restrictions, ensuring only authorized personnel may enter secure areas.
  • Access Logging and Investigations — Office entry and exit activities are recorded in secure access logs, periodically reviewed and available for investigative or forensic purposes when necessary.
  • Data Center Security by Trusted Providers — Origin Ledgers’ cloud infrastructure is hosted by third-party providers (e.g., Microsoft Azure, AWS) with multiple compliance certifications (ISO 27001, SOC 2, PCI DSS) and robust physical controls, including:
    • Biometric identity verification for restricted zones,
    • On-site security personnel, and
    • 24/7 monitoring and incident response coverage.
  • Environmental and Infrastructure Safeguards — Providers implement controlled access points, advanced surveillance, and protection of power/telecom cables to prevent tampering or interruptions. Fire suppression, temperature regulation, and redundant power mitigate natural or technical risks.
  • Low-Risk Equipment Placement — Critical hardware is stored in low-risk environmental zones to reduce exposure to flooding, fire, or other hazards.

12. Planning

Origin Ledgers maintains a comprehensive set of formal policies, governance frameworks, and operational practices to ensure the effective planning, coordination, and continuous improvement of its business and security operations. These measures ensure that strategic decisions, system enhancements, and regulatory obligations remain aligned with Origin Ledgers’ commitment to security, compliance, and customer trust.

Key components include:

  • Regulatory Monitoring and Documentation — Legal and Compliance Teams monitor applicable laws, regulations, and industry standards to ensure Origin Ledgers remains compliant. Obligations are documented and periodically reviewed.
  • System Security Planning — A formal System Security Plan (SSP) defines security boundaries, architecture, dependencies, and responsibilities for Origin Ledgers systems and products.
  • Change Communication — Origin Ledgers ensures transparent communication regarding significant changes to systems, security features, processes, or infrastructure that could impact data handling.
  • Program Review and Continuous Improvement — The Security Management Program undergoes periodic reviews to address emerging risks, audit findings, technology evolution, and lessons learned.

Through structured planning activities, Origin Ledgers ensures that operational decisions and security initiatives are coordinated, risk-informed, and forward-looking, supporting long-term resilience and compliance.

13. Program Management

Origin Ledgers has implemented a comprehensive Information Security and Risk Management Program supported at the executive leadership level. This program ensures governance, accountability, and continual improvement necessary to safeguard Customer Data and Origin Ledgers systems.

Key components include:

  • Executive-Level Governance — Security and privacy initiatives receive appropriate oversight and resourcing.
  • Documented Information Security Policies — Policies define roles, risk mitigation procedures, and a service provider security management framework.
  • Risk Assessment and Response — Regular risk assessments identify, analyze, and mitigate threats. Security Incidents are reviewed and corrective actions implemented promptly.
  • Formal Security Controls Framework — Aligned with SOC 2, ISO/IEC 27001, and NIST 800-53.
  • Risk Identification and Mitigation — Risks are documented within the Enterprise Risk Management (ERM) process, with mitigation tracked through completion.
  • Comprehensive Security Testing — Including penetration testing, vulnerability assessments, and application security reviews.
  • Continuous Program Review — Annual updates reflect emerging threats and business priorities.
  • Security Talent Development — Continuous training and development for security personnel.
  • Strategic Oversight and Performance Review — Executive management reviews operational alignment.
  • Enterprise Risk Management Review — Annual ERM framework review including enterprise-wide risk assessments.

14. Personnel Security

Origin Ledgers has implemented comprehensive personnel security measures to ensure the integrity, trustworthiness, and accountability of all personnel with access to Customer Data. These measures mitigate insider threats and promote a culture of security awareness.

Key components include:

  • Pre-Employment Screening — Background checks, criminal record inquiries, and employment history verification in accordance with local laws.
  • Secure Onboarding Process — Includes execution of confidentiality agreements, policy acknowledgment, and training on ethical, privacy, and compliance obligations.
  • Employment Policies and Reviews — Policies are reviewed and updated annually for compliance.
  • Access Lifecycle Management — Role changes, transfers, and terminations follow strict access de-provisioning procedures.
  • Ongoing Security and Compliance Training — Continuous education for all employees, with role-specific training for elevated-privilege positions.
  • Security Awareness Initiatives — Including Security Awareness Month with workshops and recognition programs.
  • Disciplinary Measures — Formal procedures for handling violations of security policies.

15. Personal Data Processing and Transparency

Origin Ledgers maintains comprehensive policies, controls, and governance practices to ensure all personal data processing complies with Applicable Data Protection Laws. These measures support principles of lawfulness, fairness, transparency, and accountability.

Key components include:

  • Global Privacy Compliance Program — Continuous monitoring of evolving data protection laws.
  • Internal Data Processing Policy — Defines categories of data, purposes, and processing principles.
  • Detailed Processing Standards — Including lawful bases, minimization, purpose limitation, retention, and security requirements.
  • Pseudonymization and Data Minimization — Established methodologies ensuring protection against re-identification.
  • Transparency and Privacy Communication — Clear privacy policies for users, customers, and partners.
  • Comprehensive Compliance Documentation — Including RoPA, PIAs, TIAs, user preferences, and DPAs.
  • Privacy by Design and Secure Development — Embedded throughout the SDLC.
  • Respect for Data Subject Rights — Ensures users can exercise rights including access, correction, deletion, restriction, portability, and objection.

16. Risk Assessment

Origin Ledgers maintains a comprehensive Information Security Management System supported by a formal Risk Management Program designed to identify, assess, and mitigate security and operational risks affecting Customer Data and Origin Ledgers systems.

Key components include:

  • Comprehensive Risk Management Program — Governs identification, analysis, evaluation, and mitigation of risks across compliance, operations, and technology.
  • Policy Alignment with Global Standards — Including ISO/IEC 27001, NIST 800-53, and other standards.
  • Continuous Security Testing — Ongoing penetration testing, vulnerability scanning, bug bounty programs, and threat modeling.
  • Vulnerability Management and Reporting — Defined processes for remediation, prioritization, and reporting.
  • Independent and Internal Evaluations — Regular internal assessments and external audits to verify controls and corrective actions.

17. System and Services Acquisition

Origin Ledgers has implemented and maintains a structured, security-centric methodology for the development, maintenance, and change management of all systems, applications, and infrastructure.

This framework ensures that all technology acquisitions and software changes are conducted in a secure, controlled, and auditable manner throughout their lifecycle.

Key components include:

  • Secure Software Development Lifecycle (SDLC) — Origin Ledgers follows an agile and secure SDLC that promotes adaptability, efficiency, and security by design. All system and infrastructure changes are thoroughly reviewed, documented, and tested prior to release.
  • Automated and Standardized Deployment — Application deployment and configuration management are executed through secure, automated pipelines that enforce standardized configurations, reduce human error, and maintain audit traceability for every system change.
  • Code Review and Testing Requirements — A formal development process mandates peer-reviewed pull requests, automated code analysis, and unit and integration testing before any code is merged into production. This ensures code quality, security, and functional integrity.
  • Segregation of Duties — Clear segregation of responsibilities exists among developers, reviewers, and release managers to maintain independence and reduce the risk of unauthorized or unverified changes.
  • Emergency Change Procedures — Documented “break glass” procedures allow for emergency modifications during critical incidents. Such changes are logged, reviewed, and validated post-implementation to ensure compliance and traceability.
  • Source Code and Deployment Security — Robust security and compliance controls are embedded within Origin Ledgers’ source code management systems (e.g., Bitbucket Cloud), including strict permission settings and automated mechanisms preventing unauthorized modifications.
  • Change Documentation and Monitoring — All configuration and code changes are documented and continuously monitored. Automated alerts are generated for deviations from compliance baselines or peer-review enforcement policies.
  • Vendor and Third-Party Software Controls — Any modifications to vendor-provided software are strictly controlled and logged. Third-party and open-source libraries undergo regular scanning and updates, supported by continuous codebase scanning for vulnerabilities and license compliance.

18. System and Communications Protection

Origin Ledgers has implemented and maintains a comprehensive framework of formal policies, technical controls, and operational practices to ensure the security of systems, communications, and Customer Data throughout its lifecycle.

These measures protect data confidentiality, integrity, and availability across networks, devices, and hosted environments.

Key components include:

  • Cryptographic Safeguards — Strong cryptographic mechanisms are employed to protect sensitive information both in storage and during transmission across internal and external networks, including the public internet. All encryption technologies used adhere to current industry standards and recognized security best practices.
  • Encryption of Data at Rest and in Transit — Customer Data is encrypted at rest and in transit using robust cryptographic protocols, including TLS 1.2 or higher with Perfect Forward Secrecy (PFS). These protocols protect data integrity and confidentiality during transmission over public and private networks.
  • Network Segmentation and Environment Separation — Origin Ledgers enforces zone restrictions and strict separation between production and non-production environments, ensuring that development, testing, and operational systems are securely isolated and independently managed.
  • Workstation and Asset Management — Workstation assets are continuously managed and secured through an enterprise-grade asset management platform, enforcing:
    • Timely security patch deployment,
    • Mandatory password protection and screen locks, and
    • Full-disk encryption on all storage devices.
  • Device Compliance and Zero Trust Access — Access to internal systems is restricted to known, compliant devices that are enrolled in Origin Ledgers’ Mobile Device Management (MDM) solution. This enforces posture verification, encryption compliance, and access control consistent with a Zero Trust architecture.
  • Firewall and Perimeter Security — Firewalls are maintained at corporate and platform edges to filter inbound and outbound traffic, protecting both hosted and non-hosted devices through layered network defense mechanisms.
  • Network and Host Defense — Origin Ledgers employs multiple layers of protection, including operating system hardening, network segmentation, intrusion prevention and detection systems (IDS/IPS), and Data Loss Prevention (DLP) technologies to detect and mitigate malicious activities.
  • Logical Data Segregation — Customer Data is logically segregated within Origin Ledgers’ cloud infrastructure to prevent unauthorized access or cross-tenant data exposure, ensuring each customer’s environment remains isolated and secure.

19. System and Information Integrity

Origin Ledgers has implemented and maintains a comprehensive set of formally established policies, controls, and operational safeguards to ensure the integrity, reliability, and security of systems and information.

These measures enable the timely identification and remediation of vulnerabilities, protect against unauthorized modification or corruption of data, and maintain continuous system trustworthiness.

Key components include:

  • Vulnerability Management and Remediation — Continuous vulnerability scanning is performed across systems, infrastructure, and applications to promptly identify and remediate security weaknesses. Detected vulnerabilities are triaged and addressed based on risk severity in accordance with Origin Ledgers’ Vulnerability Management Policy.
  • Secure Data Disposal — Origin Ledgers adheres to stringent data disposal and sanitization protocols aligned with applicable laws and standards (e.g., NIST SP 800-88, ISO/IEC 27001). Data on storage media is rendered irrecoverable post-sanitization, ensuring secure disposal of obsolete or decommissioned assets.
  • Data Integrity and Environment Segregation — Strict policies prohibit the use of production data in non-production environments. Logical segregation and sanitization procedures protect the integrity and confidentiality of Customer Data throughout development and testing processes.
  • Centralized Logging and Monitoring — System logs are centrally managed in read-only mode, ensuring auditability and protection from tampering. Logs are continuously monitored for indicators of Security Incidents, and retention periods are defined in alignment with security and compliance best practices.
  • Endpoint Security and Compatibility — Endpoint devices are continuously monitored and maintained to ensure compatibility with enterprise systems and applications, reducing operational risk and enhancing network security.
  • Anti-Malware and Threat Detection — Comprehensive anti-malware solutions are deployed across relevant infrastructure and Origin Ledgers-managed devices. These solutions are continuously updated to detect and neutralize malware threats. Regular reviews of malware protection policies ensure their ongoing effectiveness and relevance.
  • Logical Access and Token-Based Controls — Access to Customer Data is secured through unique user identifiers and token-based authentication mechanisms, ensuring logical isolation and enforcing least-privilege principles.

20. Supply Chain Risk Management

Origin Ledgers has implemented and maintains a comprehensive set of formally established policies, procedures, and governance practices to manage risks arising from its supply chain and third-party relationships.

These measures ensure that all suppliers, partners, and service providers meet Origin Ledgers’ high standards for security, confidentiality, availability, and compliance throughout the supplier lifecycle.

Key components include:

  • Formal Supplier Management Framework — Origin Ledgers maintains a structured vendor management framework that governs the onboarding, assessment, and continuous oversight of third parties. The framework ensures alignment between supplier practices and Origin Ledgers’ security, availability, and confidentiality standards.
  • Third-Party Risk Management (TPRM) Program — A robust TPRM process is in place, encompassing risk assessments, due diligence, contract management, and ongoing monitoring. Each third party is evaluated based on the criticality of services provided and the sensitivity of data handled.
  • Cross-Functional Oversight — Dedicated teams from Legal, Procurement, Security, and Risk Management collaborate in the review of supplier contracts, Service Level Agreements (SLAs), and security measures to identify and mitigate risks related to data protection, confidentiality, and regulatory compliance.
  • Supplier Risk Assessments — Functional and security risk assessments are conducted prior to onboarding and periodically thereafter based on supplier risk levels. Assessments are updated during policy renewals or whenever significant changes occur in the supplier relationship or service scope.
  • Supplier Inventory and Classification — A centralized supplier inventory is maintained, detailing ownership, services provided, data access levels, and corresponding risk ratings. This inventory enables traceability, accountability, and prioritized oversight.
  • Audit and Compliance Reviews — Origin Ledgers conducts an annual review of supplier audit reports (e.g., SOC 2 Type II, ISO 27001 certifications) and performs regular governance reviews to confirm that third-party controls remain effective and compliant with industry standards.
  • Endpoint and Access Security Controls — Measures are enforced to secure third-party devices and endpoints connecting to Origin Ledgers systems. Compliance monitoring, conditional access policies, and selective restrictions are applied in accordance with Origin Ledgers’ Mobile and BYOD Policy.