Cybersecurity Policy

Company: TraderFyles Inc.

Effective Date: 12/18/2025

Approved By: Management

1. Purpose

The purpose of this Cybersecurity Policy is to establish standards and responsibilities for protecting TraderFyles Inc.’s information systems, data, and technology assets from unauthorized access, misuse, loss, or compromise. As a software and financial data platform, TraderFyles Inc. is committed to safeguarding client data, proprietary information, and operational systems.

2. Scope

This policy applies to:

• All employees, contractors, officers, and temporary workers
• All information systems, applications, databases, networks, and devices owned, leased, or managed by TraderFyles Inc.
• All data, including customer data, financial data, trading data, and internal company information

3. Information Security Objectives

TraderFyles Inc.’s cybersecurity program is designed to:

• Ensure confidentiality, integrity, and availability of information
• Protect customer and company data from cyber threats
• Comply with applicable laws, regulations, and contractual obligations
• Reduce operational, financial, legal, and reputational risk

4. Data Classification

TraderFyles Inc. classifies data into the following categories:

4.1 Confidential Data

Includes, but is not limited to:

• Customer personal information
• Financial and tax-related data
• Trading data and brokerage integrations
• Authentication credentials and API keys

4.2 Internal Data

• Internal reports
• Business processes
• Non-public operational data

4.3 Public Data

• Marketing materials
• Public website content

Confidential data must be encrypted in transit and at rest where feasible.

5. Access Control

• Access to systems and data is granted on a least-privilege basis
• Role-based access controls (RBAC) are implemented where possible
• Multi-factor authentication (MFA) is required for:
  • Administrative access
  • Cloud platforms
  • Financial and production systems
• User access is reviewed periodically and revoked promptly upon termination

6. Password and Authentication Policy

• Passwords must meet minimum complexity standards
• Passwords may not be shared
• Password managers are recommended
• MFA is required for all cloud services and critical systems

7. Acceptable Use

Users must:

• Use company systems for authorized business purposes only
• Not install unauthorized software
• Not bypass security controls
• Immediately report suspicious activity

Prohibited activities include:

• Unauthorized data access
• Sharing credentials
• Downloading or transmitting data to unapproved systems

8. Endpoint and Device Security

• Company and personal devices accessing TraderFyles systems must:
  • Use up-to-date operating systems
  • Enable device-level encryption where available
  • Use antivirus or endpoint protection
• Lost or stolen devices must be reported immediately

9. Network and Infrastructure Security

• Firewalls and security groups are used to restrict network access
• Production systems are logically separated from development and testing
• Security patches are applied regularly
• Cloud infrastructure follows vendor security best practices

10. Application Security

• Secure coding practices are followed
• Code reviews are performed for material changes
• Third-party dependencies are monitored for vulnerabilities
• APIs and integrations (including brokerage integrations) are secured with authentication and rate limiting

11. Third-Party and Vendor Risk Management

• Vendors with access to TraderFyles data must meet reasonable security standards
• Data sharing with third parties is limited to business necessity
• Contracts may include confidentiality and data protection obligations

12. Incident Response

TraderFyles Inc. maintains an incident response process that includes:

1. Identification of potential security incidents
2. Containment and mitigation
3. Investigation and root cause analysis
4. Notification to management and affected parties, as required
5. Remediation and documentation

All suspected security incidents must be reported immediately to management.

13. Data Backup and Recovery

• Critical systems and data are backed up regularly
• Backups are stored securely
• Restoration procedures are tested periodically

14. Logging and Monitoring

• System activity is logged where appropriate
• Logs are reviewed for suspicious activity
• Access to logs is restricted

15. Training and Awareness

• Employees and contractors receive security awareness guidance
• Phishing and social engineering risks are emphasized
• Security responsibilities are part of onboarding

16. Compliance and Enforcement

Violations of this policy may result in:

• Revocation of system access
• Disciplinary action
• Termination of employment or contract
• Legal action where applicable

17. Policy Review

This policy is reviewed at least annually and updated as needed to reflect changes in technology, threats, or regulatory requirements.

18. Acknowledgment

All personnel may be required to acknowledge that they have read, understand, and agree to comply with this Cybersecurity Policy.

TraderFyles Inc.