Privacy Policy


eXchange1 ("we", "us", "our", "the Company") is committed to protecting the confidentiality and security of client information in accordance with applicable UAE laws, including Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("PDPL"), the Capital Market Authority's ("CMA") Decision No. 26/RM of 2023 (Virtual Assets Platform Operators Regulation or "VAPO Regulation"), Federal Decree-Law No. 10 of 2025 on Combating Money Laundering, Terrorism Financing, and the Financing of Proliferation ("AML/CFT Law"), and the Central Bank of the UAE ("CBUAE") requirements.

This Policy establishes comprehensive controls for the collection, processing, storage, disclosure, and protection of confidential client information and sets out accountability frameworks for all personnel handling such information in accordance with the Data Governance Policy Framework (DGPF/2/26) Version 2.0 established and maintained by eXchange1.


1. Scope and Application

1.1 Territorial and Material Scope

This Policy applies to:

  • All personal data processing activities conducted by eXchange1 within the United Arab Emirates;
  • All personal data processing activities relating to UAE residents and customers, regardless of the location of data processing, pursuant to the extraterritorial application of the PDPL;
  • All data processed on eXchange1's Primary Processing Server located in Singapore (hosted on Amazon Web Services) and the UAE-Authoritative Server located in Dubai, which operates as a real-time synchronised replica of all regulated data;
  • All employees, officers, directors, contractors, service providers, and third parties engaged by eXchange1;
  • All information systems, platforms, applications, and infrastructure used to collect, store, process, or transmit confidential client information;
  • All customer transaction data subject to real-time information requirements for trading platforms under the VAPO Regulation;
  • All AML/CFT data subject to UAE Federal Decree-Law No. 10 of 2025 and CBUAE requirements;
  • All crypto asset custody data subject to CMA security and safeguarding regulations;
  • All data required for CMA supervisory reporting, market surveillance, and real-time transaction monitoring.


1.2 Cross-Border Data Processing Architecture

This Policy expressly governs the cross-border data flows arising from eXchange1's dual-server architecture:

  • Primary Processing Server (Singapore): Hosted on Amazon Web Services in Singapore, this server performs all primary data processing operations. UAE customer personal data and regulated trading data are processed on this server on the basis of contractual necessity under PDPL Article 23;
  • UAE-Authoritative Server (Dubai): Located in Dubai, this server maintains a real-time synchronised replica of all regulated data processed in Singapore, ensuring immediate availability for UAE regulatory compliance, CMA supervisory access, and operational resilience;
  • Data Processing Agreement: All cross-border data transfers between Singapore and Dubai are governed by a comprehensive Data Processing Agreement mandated by the Data Governance Framework and compliant with PDPL Article 23 requirements;
  • Data Protection Impact Assessment: A Data Protection Impact Assessment (DPIA) has been conducted and is maintained to assess risks associated with this cross-border processing architecture, as required by PDPL Article 10 and the Data Governance Framework.

Both processing locations are within the scope of this Policy and subject to all controls herein. The UAE-Authoritative Server ensures that all regulated data remains accessible within UAE jurisdiction at all times for CMA supervisory purposes and operational resilience.


1.3 Governance Integration

This Policy operates as an integral component of the Data Governance Policy Framework (DGPF/2/26) and is subject to the governance structures, accountability frameworks, and compliance obligations established therein.


2. Definitions of Confidential Client Information

For purposes of this Policy, "Confidential Client Information" encompasses all categories of personal data and sensitive information relating to our clients, whether in electronic or physical form, including but not limited to:


2.1 Personal Data

Personal Data means any information that identifies or can be used to identify a natural person, including:

  • Names, identification numbers, and contact details;
  • Financial information and transaction records;
  • Wallet addresses linked to identified individuals;
  • Location data and IP addresses;
  • Biometric data used for authentication purposes;
  • Behavioral data and browsing patterns on the platform;
  • Any other information that, alone or in combination with other data, can identify a natural person.


2.2 Client Identity Information

Client identity information includes:

  • Full legal names, aliases, and previous names;
  • Date and place of birth;
  • Nationality and citizenship information;
  • Government-issued identification documents (passport, Emirates ID, national ID);
  • Residential and business addresses;
  • Contact information including telephone numbers and email addresses;
  • Copies of identity verification documents collected during the Know Your Customer (KYC) process pursuant to AML/CFT Law requirements.


2.3 Financial and Transaction Information

Financial and transaction information includes:

  • Bank account details and payment card information;
  • Source of funds and wealth information;
  • Transaction history, including all virtual asset trading activity on the platform;
  • Account balances, holdings, and portfolio information;
  • Trading patterns and investment preferences;
  • Cryptocurrency wallet addresses and blockchain transaction data;
  • Fee structures and pricing information;
  • All transaction data subject to CMA real-time monitoring and market surveillance requirements under the VAPO Regulation;
  • Records of deposits, withdrawals, transfers, and conversions.


2.4 Account and Authentication Information

Account and authentication information includes:

  • Login credentials, usernames, and encrypted passwords;
  • Multi-factor authentication data;
  • Biometric authentication data (fingerprints, facial recognition);
  • Security questions and answers;
  • Device identifiers and authentication tokens;
  • Session information and access logs;
  • IP addresses and geolocation data associated with account access.


2.5 Communication Records

Communication records include:

  • All correspondence with clients via email, chat, telephone, or other channels;
  • Customer service inquiries and complaint records;
  • Internal notes and comments regarding client interactions;
  • Recorded telephone calls and video conferences;
  • Marketing communications and consent records;
  • Notifications and alerts sent to clients.


2.6 Compliance and Risk Management Data

Compliance and risk management data includes:

  • KYC and Customer Due Diligence (CDD) documentation and assessments;
  • Enhanced Due Diligence (EDD) records for high-risk clients;
  • Politically Exposed Person (PEP) screening results;
  • Sanctions screening and adverse media checks;
  • Suspicious Activity Reports (SARs) and related investigation records;
  • Transaction monitoring alerts and disposition records;
  • Risk ratings and risk assessment documentation;
  • All AML/CFT compliance records required under Federal Decree-Law No. 10 of 2025 and CBUAE regulations;
  • Audit trails and regulatory reporting submissions.


2.7 Special Categories of Personal Data

Special Categories of Personal Data (also referred to as "Sensitive Personal Data") require heightened protection and include:

  • Biometric data processed for the purpose of uniquely identifying a natural person;
  • Health data (if collected for any purpose);
  • Genetic data;
  • Data concerning a person's racial or ethnic origin;
  • Religious or philosophical beliefs;
  • Trade union membership;
  • Data concerning sexual orientation or sex life;
  • Political opinions;
  • Criminal conviction records or allegations of criminal conduct.

Processing of Special Categories of Personal Data is permitted only where:

  • The Data Subject has provided explicit consent for the specific processing purpose;
  • Processing is necessary for compliance with legal or regulatory obligations;
  • Processing is necessary for the establishment, exercise, or defense of legal claims;
  • Another lawful basis under PDPL Article 6 applies and additional safeguards are implemented.


2.8 Technical and Usage Data

Technical and usage data includes:

  • Device information (model, operating system, browser type);

  • IP addresses and network identifiers;
  • Cookies and similar tracking technologies;
  • Platform usage data and navigation patterns;
  • Performance metrics and error logs;
  • API access logs and integration data;
  • Mobile application usage data and push notification preferences.


3. Legal Basis for Processing Personal Data

eXchange1 processes personal data only on the basis of lawful grounds established under PDPL Article 5. The legal bases for processing include:

3.1 Contractual Necessity

Processing is necessary for the performance of a contract to which the Data Subject is party, or to take steps at the request of the Data Subject prior to entering into a contract. This includes:

  • Account creation and management;
  • Processing virtual asset transactions;
  • Providing platform services and customer support;
  • Cross-border data transfer to the Singapore Primary Processing Server for the purpose of executing the services contract with the customer;
  • Maintaining custody of client virtual assets.


3.2 Legal and Regulatory Compliance

Processing is necessary to comply with a legal obligation to which eXchange1 is subject. This includes:

  • KYC and AML/CFT obligations under Federal Decree-Law No. 10 of 2025;
  • CMA reporting and supervisory obligations under the VAPO Regulation;
  • CBUAE regulatory requirements;
  • Tax reporting obligations;
  • Court orders and lawful requests from competent authorities;
  • Retention of records for the minimum 10-year period mandated by the Data Governance Framework and regulatory requirements;
  • Maintenance of the UAE-Authoritative Server to ensure immediate regulatory access as required by CMA.


3.3 Legitimate Interests

Processing is necessary for the purposes of legitimate interests pursued by eXchange1, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject. Legitimate interests include:

  • Fraud prevention and detection;
  • Network and information security;
  • Internal reporting and business analytics;
  • Improving platform functionality and user experience;
  • Marketing communications where not requiring consent;
  • Operational resilience and business continuity, including maintenance of the dual-server architecture.

A Legitimate Interests Assessment (LIA) is conducted and documented before relying on this legal basis, to ensure that processing is necessary and proportionate.


3.4 Consent

Where processing is based on consent, eXchange1 obtains freely given, specific, informed, and unambiguous consent from the Data Subject through a clear affirmative action. Consent is obtained for:

  • Marketing communications not covered by legitimate interests;
  • Processing of Special Categories of Personal Data where no other legal basis applies;
  • Use of non-essential cookies and tracking technologies;
  • Any processing activity not covered by other legal bases.

Data Subjects have the right to withdraw consent at any time, and such withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.


4. Data Protection Principles

eXchange1 adheres to the following data protection principles mandated by the PDPL and the Data Governance Framework:


4.1 Lawfulness, Fairness, and Transparency

Personal data is processed lawfully, fairly, and in a transparent manner. Data Subjects are provided with clear, accessible information about how their personal data is collected, used, and protected through privacy notices and this Policy.


4.2 Purpose Limitation

Personal data is collected for specified, explicit, and legitimate purposes and is not further processed in a manner incompatible with those purposes. Any new processing purposes require additional legal basis and, where necessary, Data Subject notification or consent.


4.3 Data Minimization

Personal data collected and processed is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. eXchange1 conducts regular reviews to ensure that excessive data is not collected or retained.


4.4 Accuracy

Personal data is kept accurate and, where necessary, up to date. Reasonable steps are taken to ensure that inaccurate personal data is erased or rectified without delay. Clients are provided with mechanisms to update their personal information.


4.5 Storage Limitation

Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected, subject to:

  • A minimum retention period of 10 years for all regulated data, including KYC records, transaction records, AML/CFT compliance data, and customer communications, as mandated by the Data Governance Framework and applicable regulatory requirements;
  • Extended retention periods where required by law, regulation, or for the establishment, exercise, or defense of legal claims;
  • Secure deletion or anonymization of personal data at the end of the applicable retention period, unless ongoing retention is justified.

The Data Retention Schedule established in the Data Governance Framework governs all retention and deletion activities.


4.6 Integrity and Confidentiality

Personal data is processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage, using appropriate technical and organizational measures as detailed in Section 6 of this Policy.


4.7 Accountability

eXchange1 is accountable for demonstrating compliance with the data protection principles. This includes:

  • Maintaining comprehensive records of processing activities;
  • Conducting Data Protection Impact Assessments (DPIAs) for high-risk processing, including the cross-border processing architecture;
  • Implementing data protection by design and by default;
  • Appointing a Data Protection Officer as required;
  • Maintaining documentation evidencing compliance with this Policy and the PDPL;
  • Operating under the governance structure established by the Data Governance Framework, including the Data Governance Committee and designated accountability roles.


5. Collection and Use of Personal Data


5.1 Methods of Collection

Personal data is collected through the following methods:

  • Directly from Data Subjects during account registration and onboarding;
  • Through use of the virtual assets trading platform, mobile application, and web portal;
  • From identity verification service providers and KYC utility platforms;
  • Through customer service interactions (email, chat, telephone);
  • From publicly available sources and blockchain networks;
  • From third-party data providers for PEP screening, sanctions checks, and adverse media monitoring;
  • Through cookies and similar tracking technologies on our website and applications;
  • From regulatory authorities and law enforcement agencies;
  • From payment processors and financial institutions facilitating transactions.


5.2 Purposes of Processing

Personal data is processed for the following purposes:

  • To provide virtual asset trading and custody services;
  • To create, verify, and maintain client accounts;
  • To process transactions, deposits, withdrawals, and transfers;
  • To comply with KYC, AML/CFT, and other regulatory obligations;
  • To conduct customer due diligence, enhanced due diligence, and ongoing monitoring;
  • To provide customer support and respond to inquiries;
  • To detect, prevent, and investigate fraud, money laundering, and other financial crimes;
  • To ensure platform security and protect against cyber threats;
  • To comply with CMA reporting obligations, including real-time transaction monitoring and market surveillance;
  • To maintain operational resilience through dual-server architecture in Singapore and Dubai;
  • To improve platform functionality and user experience;
  • To send transactional notifications and service updates;
  • To conduct internal analytics and business reporting;
  • To comply with legal obligations and respond to lawful requests from authorities;
  • To establish, exercise, or defend legal claims;
  • To send marketing communications where lawful basis exists.


5.3 Transparency and Notice

At the point of collection, or as soon as practicable thereafter, Data Subjects are provided with a privacy notice containing:

  • The identity and contact details of eXchange1 as the Data Controller;
  • The contact details of the Data Protection Officer;
  • The purposes of processing and the legal basis for each purpose;
  • The categories of personal data collected;
  • The recipients or categories of recipients of the personal data, including disclosure to Amazon Web Services in Singapore and regulatory authorities;
  • Details of cross-border data transfers to Singapore and the safeguards applied;
  • The retention period or criteria used to determine the retention period;
  • The rights of Data Subjects under the PDPL;
  • The right to lodge a complaint with the UAE Data Office;
  • Whether provision of personal data is a statutory or contractual requirement and the consequences of failure to provide such data.


6. Data Security Measures

eXchange1 implements comprehensive technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing.


6.1 Technical Security Controls

Technical security measures include:

  • Encryption: All personal data is encrypted both in transit (using TLS 1.3 or higher) and at rest (using AES-256 or equivalent). This applies to data stored on both the Singapore Primary Processing Server and the Dubai UAE-Authoritative Server;
  • Access Controls: Role-based access controls (RBAC) ensure that personnel access only the personal data necessary for their job functions. Multi-factor authentication is mandatory for all system access;
  • Network Security: Firewalls, intrusion detection systems, and intrusion prevention systems protect against unauthorized access;
  • Audit Logging: Comprehensive audit logs track all access to and processing of personal data, with logs retained for the minimum 10-year period;
  • Pseudonymization and Anonymization: Where appropriate, personal data is pseudonymized or anonymized to reduce risk;
  • Data Loss Prevention (DLP): DLP tools prevent unauthorized exfiltration of personal data;
  • Secure Development: Secure coding practices and regular security testing are applied to all systems;
  • Real-Time Synchronization Security: The real-time synchronization mechanism between Singapore and Dubai servers employs encrypted channels and integrity verification to ensure data consistency and security during cross-border transfer;
  • Backup and Recovery: Regular encrypted backups are maintained to ensure data availability and resilience.


6.2 Organizational Security Controls

Organizational security measures include:

  • Data Governance Framework: Implementation of and adherence to the Data Governance Policy Framework (DGPF/2/26), including establishment of the Data Governance Committee and clear accountability roles;
  • Personnel Training: Mandatory data protection and information security training for all employees, contractors, and third parties with access to personal data, conducted at onboarding and annually thereafter;
  • Background Checks: Pre-employment screening for all personnel with access to confidential client information;
  • Confidentiality Obligations: All personnel sign confidentiality and non-disclosure agreements;
  • Clean Desk and Clear Screen Policy: Policies requiring secure storage of physical documents and locking of workstations when unattended;
  • Physical Security: Controlled access to offices and data centers, visitor management, and surveillance systems;
  • Incident Response Plan: Documented incident response procedures as set forth in Section 8 of this Policy and the Data Governance Framework;
  • Business Continuity and Disaster Recovery: Plans and procedures to ensure operational resilience, including the dual-server architecture in Singapore and Dubai to ensure continuous availability;
  • Vendor Management: Due diligence and contractual safeguards for all third-party service providers processing personal data, including Amazon Web Services;
  • Regular Audits and Assessments: Internal audits, external penetration testing, and vulnerability assessments conducted regularly.


6.3 Data Protection Impact Assessments (DPIAs)

A Data Protection Impact Assessment (DPIA) is conducted prior to commencing any processing activity that is likely to result in high risk to the rights and freedoms of Data Subjects. This includes:

  • Cross-border transfers of personal data to Singapore for processing on the Primary Processing Server;
  • Large-scale processing of Special Categories of Personal Data;
  • Systematic monitoring of publicly accessible areas;
  • Automated decision-making with legal or similarly significant effects;
  • Processing of personal data on a large scale;
  • Innovative use of new technologies.

The DPIA process involves:

  • Systematic description of the processing operations and purposes;
  • Assessment of the necessity and proportionality of the processing;
  • Identification and assessment of risks to Data Subjects;
  • Identification of measures to mitigate those risks;
  • Documentation of findings and decisions;
  • Review and approval by the Data Protection Officer and Data Governance Committee.

A DPIA has been conducted and is maintained for the cross-border processing architecture involving the Singapore and Dubai servers, and is reviewed annually or upon any material change to the processing.


7. Cross-Border Data Transfers and International Disclosure


7.1 Cross-Border Transfer Framework

eXchange1's operational architecture involves cross-border transfers of personal data between the United Arab Emirates and Singapore. Such transfers are conducted in accordance with PDPL Article 23 and the safeguards mandated by the Data Governance Framework.


7.2 Singapore Processing Operations

Personal data collected from UAE residents and customers is transferred to and processed on the Primary Processing Server located in Singapore and hosted on Amazon Web Services (AWS) infrastructure. The legal basis for this transfer is contractual necessity under PDPL Article 23, as the processing in Singapore is essential for the performance of the services contract with the customer.


7.3 UAE-Authoritative Server and Regulatory Access

To ensure compliance with CMA supervisory requirements and operational resilience standards, eXchange1 maintains a UAE-Authoritative Server located in Dubai. This server operates as a real-time synchronised replica of all regulated data processed in Singapore, ensuring:

  • Immediate availability of all regulated data within UAE jurisdiction;
  • Direct access for the CMA and other UAE regulatory authorities without reliance on foreign jurisdictions;
  • Operational resilience and business continuity in the event of disruption to the Singapore server;
  • Compliance with data localization requirements for regulatory data.


7.4 Data Processing Agreement

The Data Processing Agreement (DPA) governing cross-border processing by Amazon Web Services in Singapore includes:

  • Specification of the subject matter, duration, nature, and purpose of processing;

  • Types of personal data transferred and categories of Data Subjects;
  • Obligations and rights of eXchange1 as Data Controller;
  • Instructions for processing personal data;
  • Security measures to be implemented by AWS;
  • Sub-processor approval and management procedures;
  • Data Subject rights assistance obligations;
  • Audit rights and inspection procedures;
  • Data breach notification requirements;
  • Data return or deletion obligations upon termination;
  • Liability and indemnification provisions;
  • Compliance with PDPL Article 23 requirements.

The DPA is reviewed annually and updated as necessary to ensure ongoing compliance with PDPL and regulatory requirements.


7.5 Safeguards for Cross-Border Transfers

In addition to the DPA, the following safeguards are applied to cross-border transfers:

  • Encryption of all data in transit and at rest;
  • Access controls limiting AWS personnel access to personal data;
  • Comprehensive audit logging of all data access and processing activities;
  • Regular security assessments and certifications (ISO 27001, SOC 2, etc.);
  • Contractual prohibitions on further transfer without eXchange1's authorization;
  • Mechanisms for Data Subjects to enforce their rights;
  • Notification to Data Subjects of the cross-border transfer through privacy notices;
  • Maintenance of the UAE-Authoritative Server as a safeguard ensuring data availability within UAE jurisdiction.


7.6 Other International Disclosures

Personal data may be disclosed to recipients outside the UAE in the following circumstances:

  • To comply with legal obligations or lawful requests from foreign authorities;
  • To third-party service providers, including KYC utilities, sanctions screening providers, and payment processors, subject to appropriate contractual safeguards;
  • To professional advisors, including lawyers, auditors, and consultants, bound by confidentiality obligations;
  • In connection with a merger, acquisition, corporate restructuring, or sale of assets, subject to confidentiality and data protection commitments.

    8. Data Breach and Incident Response

    8.1 Data Breach Definition

    A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.


    8.2 Incident Response Framework

    eXchange1 maintains a comprehensive Data Breach and Incident Response Plan in accordance with the Data Governance Policy Framework. The incident response process includes:

    • Detection and Reporting: All personnel are trained to identify and immediately report suspected data breaches or security incidents to the Data Protection Officer and the Incident Response Team through designated reporting channels available on a 24/7 basis.
    • Containment and Assessment: The Incident Response Team promptly contains the incident to prevent further unauthorized access or loss and conducts an initial assessment of the scope, nature, and severity of the breach.
    • Investigation: A detailed investigation is undertaken to determine the cause of the breach, the categories and approximate number of affected Data Subjects, the categories and volume of personal data impacted, and the likely consequences.
    • Notification to the UAE Data Office: Where a breach is likely to result in a risk to the rights and freedoms of Data Subjects, eXchange1 notifies the UAE Data Office within 72 hours of becoming aware of the breach, in accordance with PDPL requirements.
    • Notification to Regulators: Material data breaches affecting regulated data or platform operations are reported to the Capital Market Authority and other relevant regulators in line with applicable regulatory timelines.
    • Notification to Data Subjects: Where the breach is likely to result in a high risk to Data Subjects, affected individuals are notified without undue delay using clear and plain language describing the breach and mitigation measures.
    • Remediation: Immediate and long-term corrective actions are implemented to address the incident and prevent recurrence.
    • Documentation: All breaches are fully documented, including facts, effects, and remedial actions taken, and records are retained for regulatory inspection.
    • Post-Incident Review: A formal post-incident review is conducted to identify lessons learned and enhance security and response controls.

    8.3 Incident Response Team

    The Incident Response Team is a cross-functional group responsible for managing and coordinating responses to data breaches and security incidents and includes:

    • Data Protection Officer (Team Lead);
    • Chief Information Security Officer;
    • Chief Compliance Officer;
    • Chief Technology Officer;
    • Legal Counsel;
    • Representatives of the Data Governance Committee, as required.

    8.4 Breach Notification Involving Cloud and Cross-Border Processing

    In the event of a data breach involving the Singapore Primary Processing Server, Amazon Web Services is contractually required under the Data Processing Agreement to notify eXchange1 without undue delay. eXchange1 applies the incident response procedures described in this chapter, including assessment of whether the breach also impacts data replicated on the UAE‑Authoritative Server.


    9. Data Subject Rights

    eXchange1 respects and facilitates the exercise of Data Subject rights in accordance with the UAE Personal Data Protection Law (PDPL). Appropriate technical and organisational measures are implemented to ensure that Data Subjects can effectively exercise their rights.


    9.1 Right of Access

    Data Subjects have the right to obtain confirmation as to whether their personal data is being processed and, where that is the case, to access the personal data and related information, including:

    • The purposes of the processing;
    • The categories of personal data concerned;
    • The recipients or categories of recipients of the personal data;
    • The envisaged data retention period;
    • The existence of Data Subject rights;
    • The source of the personal data where it was not collected directly.

    Access requests are responded to within 30 days and are provided free of charge for the first request. A copy of the personal data is supplied in a commonly used electronic format.


    9.2 Right to Rectification

    Data Subjects have the right to obtain the rectification of inaccurate personal data and to have incomplete personal data completed. Rectification requests are addressed without undue delay and no later than 30 days from receipt.


    9.3 Right to Erasure

    Data Subjects may request erasure of their personal data where:

    • The data is no longer necessary for the purposes for which it was collected;
    • Consent is withdrawn and no other legal basis applies;
    • The Data Subject successfully objects to processing;
    • The personal data has been unlawfully processed;
    • Erasure is required by law.

    The right to erasure does not apply where processing is necessary for:

    • Compliance with legal or regulatory obligations, including the mandatory ten‑year retention of regulated data;
    • The establishment, exercise, or defence of legal claims;
    • Archiving in the public interest or statistical purposes.

    9.4 Right to Restriction of Processing

    Data Subjects have the right to obtain restriction of processing where:

    • The accuracy of the personal data is contested;
    • The processing is unlawful and erasure is opposed;
    • The personal data is no longer required but is needed for legal claims;
    • An objection to processing is pending verification.

    During restriction, personal data is stored and not actively processed except with consent or for legal purposes.


    9.5 Right to Data Portability

    Data Subjects have the right to receive their personal data in a structured, commonly used, and machine‑readable format and to transmit that data to another controller where processing is based on consent or contractual necessity and is carried out by automated means.


    9.6 Right to Object

    Data Subjects have the right to object to processing based on legitimate interests or for direct marketing purposes. Upon receipt of an objection, processing is ceased unless compelling legitimate grounds override the interests or rights of the Data Subject.


    9.7 Right to Withdraw Consent

    Where processing is based on consent, Data Subjects may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing based on consent prior to its withdrawal.


    9.8 Right to Lodge a Complaint

    Data Subjects have the right to lodge a complaint with the UAE Data Office if they believe their rights under the PDPL have been infringed.


    9.9 Procedures for Exercising Rights

    Data Subjects may exercise their rights by:

    • Submitting a request through the designated portal on the eXchange1 website;
    • Contacting the Data Protection Officer via the published email address;
    • Submitting written correspondence to eXchange1’s registered address.

    Identity verification is required prior to processing requests. Responses are provided within 30 days; for complex requests this period may be extended by up to an additional 60 days, and the Data Subject is notified of any extension.


    10. Third-Party Disclosure and Service Providers

    10.1 Disclosure to Third Parties

    eXchange1 may disclose personal data to third parties only where such disclosure is lawful, necessary, and subject to appropriate safeguards. Personal data may be disclosed to the following categories of recipients:

    • Regulatory Authorities: The Capital Market Authority (CMA), Central Bank of the UAE (CBUAE), UAE Data Office, Financial Intelligence Unit, and other competent authorities, in accordance with applicable legal and regulatory obligations.
    • Cloud Service Providers: Amazon Web Services, for hosting the Primary Processing Server in Singapore, subject to a written Data Processing Agreement.
    • KYC and Compliance Service Providers: Identity verification platforms, sanctions screening providers, and Politically Exposed Person (PEP) databases.
    • Payment Processors and Financial Institutions: For the processing of fiat currency transactions and related settlement services.
    • Professional Advisors: Lawyers, auditors, accountants, and consultants bound by professional confidentiality obligations.
    • IT and Technology Service Providers: Vendors providing infrastructure, security, software, and technical support services.
    • Business Partners: Liquidity providers, market makers, and other counterparties necessary for platform operations.
    • Successors in Interest: Entities involved in mergers, acquisitions, reorganizations, or asset sales, subject to confidentiality and data protection commitments.

    10.2 Data Processing Agreements with Service Providers

    All third-party service providers that process personal data on behalf of eXchange1 are required to enter into written Data Processing Agreements that include:

    • Processing of personal data only on documented instructions from eXchange1;
    • Confidentiality obligations binding all personnel with access to personal data;
    • Implementation of appropriate technical and organisational security measures;
    • Restrictions on sub-processing without prior authorisation;
    • Assistance with Data Subject rights requests;
    • Assistance with security incidents and breach notifications;
    • Deletion or return of personal data upon termination of services;
    • Audit and inspection rights for eXchange1;
    • Compliance with applicable PDPL requirements.

    10.3 Vendor Due Diligence and Oversight

    Prior to engaging any third-party service provider that will process personal data, eXchange1 conducts due diligence to assess:

    • The provider’s data protection and information security practices;
    • Compliance with applicable data protection and regulatory requirements;
    • Financial stability and business continuity arrangements;
    • Relevant industry certifications, including ISO 27001 and SOC 2;
    • Reputation and historical performance;
    • Data processing locations and cross-border transfer implications.

    Ongoing oversight includes periodic performance reviews, security assessments, and continuous monitoring of compliance with contractual and regulatory obligations.


    11. Data Retention and Deletion

    11.1 General Retention Principles

    Personal data is retained only for as long as necessary to fulfil the purposes for which it was collected, subject to legal and regulatory retention requirements. The Data Retention Schedule established under the Data Governance Policy Framework governs all retention and deletion activities.


    11.2 Minimum Ten-Year Retention Requirement

    The following categories of data are retained for a minimum period of ten (10) years from the date of the last transaction or account closure:

    • KYC and identity verification records;
    • Transaction history and trading records;
    • AML/CFT compliance data, including SARs;
    • Customer communications and correspondence;
    • Account opening and closure documentation;
    • Audit trails and access logs;
    • Regulatory reports and submissions;
    • All data required for CMA supervisory purposes.

    11.3 Extended Retention

    Personal data may be retained beyond standard retention periods where required by law, regulatory obligation, ongoing investigations, litigation, or where consent has been provided.


    11.4 Secure Deletion and Anonymization

    Upon expiry of retention periods, personal data is securely deleted or anonymized using approved methods ensuring irrecoverability, across both the Singapore Primary Processing Server and the UAE‑Authoritative Server.

    11.5 Review of Retention Schedule

    The Data Retention Schedule is reviewed annually by the Data Governance Committee to ensure continued legal and regulatory alignment.


    12. Roles and Responsibilities

    12.1 Data Governance Committee

    • Oversight of data protection governance;
    • Approval of policy changes;
    • Review of DPIAs and incidents;
    • Escalation of material risks.

    12.2 Data Protection Officer

    • Monitoring PDPL compliance;
    • Advising on DPIAs;
    • Regulatory liaison;
    • Handling Data Subject requests;
    • Leading breach response.

    12.3 Chief Information Security Officer

    • Implementation of security controls;
    • Security testing and monitoring;
    • Cyber‑incident management.

    12.4 Chief Compliance Officer

    • AML/CFT oversight;
    • Regulatory reporting;
    • Chairing the Data Governance Committee.

    12.5 Chief Technology Officer

    • Infrastructure management;
    • Data replication and resilience;
    • Technology vendor oversight.

    12.6 All Personnel

    • Compliance with policy requirements;
    • Confidential handling of data;
    • Immediate incident reporting.

    13. Employee Training and Awareness

    13.1 Mandatory Training

    • Onboarding data protection training;
    • Annual refresher training;
    • Role‑specific training for high‑risk roles;
    • Incident response simulations.

    13.2 Awareness Initiatives

    • Internal communications and reminders;
    • Simulated phishing exercises;
    • Security briefings and workshops.

    13.3 Training Records

    Training completion records are maintained and made available for regulatory inspection.


    14. Accountability and Enforcement

    14.1 Disciplinary Measures

    Violations of this Policy may result in disciplinary action up to and including termination of employment or contract, and referral to authorities where applicable.


    14.2 Investigation Process

    Suspected violations are investigated confidentially by Compliance in coordination with the DPO, Legal, and Human Resources, with documented findings and outcomes.


    14.3 Whistleblower Protections

    eXchange1 maintains confidential reporting channels and prohibits retaliation against individuals reporting concerns in good faith.


    15. Monitoring and Auditing

    15.1 Compliance Monitoring

    • Review of access and audit logs;
    • Data Subject request tracking;
    • Vendor compliance monitoring;
    • Training adherence.

    15.2 Internal Audits

    Internal audits assess policy compliance, security effectiveness, data retention, and cross‑border processing safeguards.


    15.3 External Assessments

    • Penetration testing;
    • SOC 2 and ISO audits;
    • PDPL compliance reviews.

    16. Records of Processing Activities

    eXchange1 maintains written Records of Processing Activities as required under PDPL Article 19. These records document:

    • Controller and DPO contact details;
    • Processing purposes;
    • Categories of Data Subjects and data;
    • Data recipients and transfers;
    • Retention periods;
    • Security measures;
    • Associated DPIAs.

    These records are reviewed annually, updated as required, and made available to the UAE Data Office upon request.