Vertalo
Security Protocols
Security is the non-negotiable foundation of everything Vertalo builds. As an SEC-registered Transfer Agent managing investor records and tokenized securities, the integrity of our infrastructure is not just a technical priority — it is a regulatory and fiduciary responsibility.
  • 0 security breaches in 8+ years of production operations
  • 100% of data encrypted at rest and in transit
  • 24/7 continuous infrastructure monitoring and alerting

Infrastructure Security

Vertalo's platform is built on a cloud-native architecture designed for resilience, scalability, and security. Our infrastructure incorporates:

  • Encryption at Rest: All stored data — including investor records, transaction history, and sensitive documents — is encrypted using AES-256 or equivalent standards.
  • Encryption in Transit: All data in transit is protected with TLS 1.2+ across every network boundary, including external APIs, internal service communication, and user sessions.
  • HSM Key Management: Cryptographic keys are managed within Hardware Security Modules (HSMs), so that private keys never exist in plaintext outside the HSM's hardware boundary.
  • Network Segmentation: Production environments are isolated from development and staging systems. Network access is restricted by firewall rules, VPC boundaries, and explicit allow-lists.
  • DDoS Protection: Distributed denial-of-service mitigation is implemented at the network and application layers.
  • Redundancy & Availability: Critical systems are deployed with multi-region redundancy and automated failover to maintain availability for regulated recordkeeping operations.

Access Controls

Access to Vertalo systems and data is governed by the principle of least privilege. Controls include:

  • Multi-Factor Authentication (MFA): Required for all user accounts and all administrative access to production systems.
  • Role-Based Access Control (RBAC): Permissions are assigned based on defined roles, ensuring users access only the data and functions required for their responsibilities.
  • Privileged Access Management: Administrative and privileged access is subject to additional authentication requirements, session recording, and time-limited credentials.
  • Audit Logs: All access events, authentication attempts, and administrative actions are logged to immutable audit trails, retained in accordance with SEC recordkeeping requirements.
  • Separation of Duties: Critical operations require multiple authorized personnel — no single individual can unilaterally execute sensitive actions.
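The "immutable audit trail" in the Audit Logs item above is, in practice, usually built as a hash-chained, append-only log: each record carries the hash of the record before it, so any later edit or deletion breaks the chain. The following is an added example written for this page, not Vertalo's own code. The record fields, event names and the genesis value are illustrative; the sample events are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Entry is one audit record. PrevHash chains it to the record before it, so
// editing or deleting any earlier record invalidates every later hash.
type Entry struct {
	Seq      int
	Actor    string
	Action   string
	Target   string
	PrevHash string
	Hash     string
}

// genesisHash anchors the chain. Hypothetical constant; in practice it would be
// a published, externally witnessed value.
const genesisHash = "0000000000000000000000000000000000000000000000000000000000000000"

// hashEntry binds every field and the previous hash into one digest. Fields are
// length-prefixed so that moving bytes between fields changes the hash.
func hashEntry(seq int, actor, action, target, prev string) string {
	h := sha256.New()
	fmt.Fprintf(h, "%d\n", seq)
	for _, f := range []string{actor, action, target, prev} {
		fmt.Fprintf(h, "%d:%s", len(f), f)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Append adds a record, chaining it to the current tail.
func Append(trail []Entry, actor, action, target string) []Entry {
	prev := genesisHash
	if n := len(trail); n > 0 {
		prev = trail[n-1].Hash
	}
	e := Entry{Seq: len(trail) + 1, Actor: actor, Action: action, Target: target, PrevHash: prev}
	e.Hash = hashEntry(e.Seq, actor, action, target, prev)
	return append(trail, e)
}

// Verify recomputes the chain from genesis and returns the zero-based index
// of the first record that fails, or -1 when the whole trail is intact.
func Verify(trail []Entry) (int, error) {
	prev := genesisHash
	for i, e := range trail {
		switch {
		case e.Seq != i+1:
			return i, errors.New("sequence gap: record removed or reordered")
		case e.PrevHash != prev:
			return i, errors.New("prev-hash mismatch: chain link broken")
		case hashEntry(e.Seq, e.Actor, e.Action, e.Target, e.PrevHash) != e.Hash:
			return i, errors.New("hash mismatch: record contents altered")
		}
		prev = e.Hash
	}
	return -1, nil
}

func main() {
	// Constructed sample events, not real Vertalo log data.
	var trail []Entry
	trail = Append(trail, "alice", "login.success", "console")
	trail = Append(trail, "alice", "role.grant", "bob:transfer-approver")
	trail = Append(trail, "bob", "login.failed", "console")
	idx, err := Verify(trail)
	fmt.Println("original:", idx, err)

	// An insider rewrites who received the role; the stored hash no longer matches.
	tampered := make([]Entry, len(trail))
	copy(tampered, trail)
	tampered[1].Target = "mallory:transfer-approver"
	idx, err = Verify(tampered)
	fmt.Println("edited record:", idx, err)

	// Deleting the middle record leaves a sequence gap and a broken link.
	idx, err = Verify([]Entry{trail[0], trail[2]})
	fmt.Println("deleted record:", idx, err)
}
```

One caveat a practitioner will want: chaining alone detects edits, reordering and deletions inside the chain, but not truncation of the tail or replacement of the whole log by whoever controls the storage. What makes such a trail immutable in practice is anchoring the latest hash somewhere the log writer cannot alter, for example WORM storage, a periodically signed checkpoint, or a separate system under different administrators.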

Multi-Signature Wallet Security

For blockchain operations, Vertalo implements multi-signature (multisig) wallet architectures that require approval from multiple independent keyholders before any on-chain transaction is executed. This design ensures:

  • No single compromised key, keyholder, or system can move assets on its own.
  • Private keys are distributed across geographically and organizationally separate custody arrangements.
  • On-chain transfer actions are subject to the same segregated authorization controls as traditional securities transfers.
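The rule behind both the Separation of Duties control in the Access Controls section and the multisig design described here is the same: an m-of-n quorum of distinct, pre-authorised keyholders, each signing exactly one transaction. The following is an added example written for this page, not Vertalo's code. It uses Go's standard-library Ed25519 as a stand-in for whatever signature scheme the chain uses, the type and field names are illustrative, and the keys and transfer are constructed. In a real multisig wallet this quorum check is enforced by the wallet contract on-chain; the example shows the same check as an off-chain policy engine would apply it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Transfer is the action being authorised. Every field is part of the signed
// digest, so approvals for one transfer cannot be replayed against another.
type Transfer struct {
	Nonce  uint64 // unique per proposal; stops an old quorum being re-submitted
	From   string
	To     string
	Amount uint64
	Asset  string
}

// Digest serialises the transfer with length prefixes so two different
// transfers can never hash to the same value.
func (t Transfer) Digest() []byte {
	h := sha256.New()
	var n [8]byte
	for _, u := range []uint64{t.Nonce, t.Amount} {
		binary.BigEndian.PutUint64(n[:], u)
		h.Write(n[:])
	}
	for _, s := range []string{t.From, t.To, t.Asset} {
		binary.BigEndian.PutUint64(n[:], uint64(len(s)))
		h.Write(n[:])
		h.Write([]byte(s))
	}
	return h.Sum(nil)
}

// Policy is an m-of-n rule: Threshold distinct keyholders drawn from Signers.
type Policy struct {
	Threshold int
	Signers   []ed25519.PublicKey
}

// Approval is one keyholder's signature over the transfer digest.
type Approval struct {
	Signer    ed25519.PublicKey
	Signature []byte
}

// Authorize returns nil only when at least Threshold distinct authorised
// keyholders have validly signed exactly this transfer.
func (p Policy) Authorize(t Transfer, approvals []Approval) error {
	if p.Threshold < 1 || p.Threshold > len(p.Signers) {
		return errors.New("invalid policy")
	}
	allowed := make(map[string]bool, len(p.Signers))
	for _, s := range p.Signers {
		allowed[string(s)] = true
	}
	digest := t.Digest()
	valid := 0
	for _, a := range approvals {
		// Unknown signer, duplicate signer, or a signature over some other
		// transfer: none of these count toward the quorum.
		if !allowed[string(a.Signer)] || !ed25519.Verify(a.Signer, digest, a.Signature) {
			continue
		}
		delete(allowed, string(a.Signer)) // each keyholder counts once
		valid++
	}
	if valid < p.Threshold {
		return fmt.Errorf("quorum not met: %d of %d approvals", valid, p.Threshold)
	}
	return nil
}

// Approve is what a keyholder's signing device does; in production the private
// key would live in an HSM or hardware wallet rather than in process memory.
func Approve(priv ed25519.PrivateKey, t Transfer) Approval {
	return Approval{Signer: priv.Public().(ed25519.PublicKey), Signature: ed25519.Sign(priv, t.Digest())}
}

func main() {
	// Three constructed keyholders (hypothetical); a 2-of-3 quorum moves assets.
	var pubs []ed25519.PublicKey
	var privs []ed25519.PrivateKey
	for i := 0; i < 3; i++ {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		pubs, privs = append(pubs, pub), append(privs, priv)
	}
	policy := Policy{Threshold: 2, Signers: pubs}
	tx := Transfer{Nonce: 1, From: "issuer-treasury", To: "investor-0042", Amount: 1000, Asset: "EXAMPLE-TOKEN"}
	a0, a1 := Approve(privs[0], tx), Approve(privs[1], tx)

	fmt.Println("one keyholder:", policy.Authorize(tx, []Approval{a0}))
	fmt.Println("same keyholder twice:", policy.Authorize(tx, []Approval{a0, a0}))
	fmt.Println("two keyholders:", policy.Authorize(tx, []Approval{a0, a1}))
	other := tx
	other.To = "attacker-wallet"
	fmt.Println("replayed on a different transfer:", policy.Authorize(other, []Approval{a0, a1}))
}
```

The points worth checking in any quorum implementation are the ones the example exercises: the same key presented twice counts once, a key that is not on the keyholder list counts for nothing, and signatures are bound to the full transaction (including a nonce) so that approvals gathered for one transfer cannot be re-used to move assets elsewhere.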

Smart Contract Audit Practices

All smart contracts deployed by or on behalf of Vertalo clients undergo a structured review process:

  • Internal Review: Smart contracts are reviewed by Vertalo's engineering team against established security checklists prior to deployment.
  • Third-Party Audits: Material smart contract deployments are subject to independent security audits by qualified external auditors.
  • Version Control & Immutability: Deployed contract addresses and their audit reports are documented and linked to the corresponding issuance records.
  • Upgrade Governance: Contract upgrades (where applicable) require formal change control approval and re-audit of modified components.

Data Privacy Compliance

Vertalo's security practices are aligned with applicable data protection regulations:

  • GDPR: Data protection by design and by default is embedded in our engineering practices. Data processing activities are inventoried, and Privacy Impact Assessments are conducted for high-risk processing.
  • CCPA: California resident data is handled in accordance with the California Consumer Privacy Act, including appropriate access, deletion, and portability controls.
  • SEC Recordkeeping: Data handling practices account for SEC mandatory retention obligations, ensuring regulated records are preserved and protected for required periods.

See our Privacy Policy for a full description of how personal data is collected, used, and protected.

Incident Response

Vertalo maintains a documented Incident Response Plan (IRP) that defines procedures for identifying, containing, eradicating, and recovering from security incidents. Key elements include:

  • Detection & Alerting: Automated monitoring systems generate real-time alerts for anomalous activity, failed authentication attempts, and infrastructure health events.
  • Response Team: A designated incident response team is on-call with defined escalation procedures and communication protocols.
  • Regulatory Notification: In the event of a breach affecting regulated data, Vertalo will notify affected parties and relevant regulatory authorities within the timeframes required by applicable law.
  • Post-Incident Review: All incidents are subject to a documented post-mortem, with findings used to improve preventive controls.
  • Business Continuity: Recovery time and recovery point objectives are defined for critical systems, with regular testing of backup and failover procedures.

Vendor & Third-Party Risk

Third-party service providers with access to Vertalo systems or data are subject to security review and contractual obligations, including data processing agreements, confidentiality requirements, and the right to audit. Critical vendors are assessed on an ongoing basis.

Security Contact
For security inquiries, vulnerability reports, or incident notifications:
Email: security@vertalo.com

Vertalo, Inc.  |  1515 East Cesar Chavez St, Austin, TX 78702