Version #1
Effective Date: 14/10/2025
Last Revised Date: 14/10/2025
Gate Technology FZE ("Company", "we", "us", "our" or "ours") is committed to ensuring the safe custody of Client Virtual Assets (as defined hereinafter). Accordingly, we have established this Safeguarding Client Assets Policy ("Policy") to specify how the Company stores and manages the keys for virtual asset wallets, as well as the methods, thresholds, internal controls, and auditing procedures governing transfers between the Company's hot and cold wallets.
For the purposes of this Policy, "Client Virtual Assets" refers to all virtual assets held or controlled by the Company on behalf of clients in the course of, or in connection with, the regulated activity of Exchange Services, excluding:
A. Virtual assets that are immediately due and payable to the Company for any fees or other charges levied under the User Agreement, whether for services provided to the client or otherwise; and
B. Amounts payable by the Company for expenses incurred on behalf of the client.
The Company is authorized to collect virtual assets solely in the course of providing Exchange Services. The Company acknowledges that Client Virtual Assets are held in trust for clients. These assets must be identifiable and secure at all times. There shall be no intermingling of Client Virtual Assets with the Company's own virtual assets. The Company will not collect or accept deposits or offer itself as a custodian of virtual assets by way of business. Client Virtual Assets will be held in wallets that are separate from all Company-owned virtual assets. The Company has submitted to VARA a list of all public keys and wallet addresses (hot and cold) currently managed by the Company.
Client Virtual Assets are not held to cover any depository liabilities or Company-owned assets. All Client Virtual Assets shall be maintained on a one-to-one basis, and the Company shall not authorize any encumbrance over them. All proceeds arising from Client Virtual Assets shall accrue solely for the benefit of the client.
The Company shall maintain reserves equivalent to the value of Client Virtual Assets held in its custody. Additionally, the Company shall engage a qualified and independent third-party auditor to conduct vulnerability assessments and penetration testing at least annually. Prior to launching any new applications or products, the Company must provide the results of such assessments and tests to VARA upon request.
The Company shall maintain effective internal controls and measures to continuously monitor its operations and processes. In particular, the Company shall, on a regular basis or upon request from VARA, perform:
A. security testing on both infrastructure and applications; and
B. internal and external vulnerability audits.
Evidence of tests and audits must be documented by the Company.
The Company shall transfer at least 95% of Client Virtual Assets to cold wallets, while no more than 5% may be held in hot wallets. Additionally, the Company has obtained insurance coverage for the value of Client Virtual Assets stored in hot wallets.
Additionally, the Company has implemented various measures to ensure the safe custody of Client Virtual Assets, covering areas such as infrastructure, key holder arrangements, daily reconciliations, signature protocols, wallet and key generation, backup keys, and wallet access.
A. Deposits
A deposit is initiated by the client (or an originator) from an external address. Generally, the client is not required to take any action unless additional information is requested.
Upon detection, the Company will take the necessary steps, including address screening and requesting information, if required, to comply with the Travel Rule. If the client is unable to provide the required information for Travel Rule purposes, the transaction will be reversed and the assets returned to the originating address (gas fees may apply), provided that no money-laundering risks are identified.
Once the assessments have been successfully completed, the client's account balance will be updated accordingly.
B. Withdrawals
To initiate a withdrawal, the client must provide the transaction details, including the network (i.e., blockchain), recipient address, and amount. The client must then confirm the transaction by entering their funding password, the real-time code from Google Authenticator, and two separate OTPs sent via text message and email.
A real-time risk management system will assess the client's account status. Once the assessment is passed, the specified amount will be deducted from the client's account, and the transaction will be submitted to the blockchain for processing.
Withdrawals are also subject to any transaction limits set by the client or the Company.
C. Transactions
To execute an on-exchange transaction, the client must enter the transaction details, including the price, conditions, and amount, and confirm the transaction by entering the funding password. The requirement to enter the funding password may be temporarily waived for subsequent transactions for a one-hour period after it has been entered; this waiver will expire automatically after one hour.
Upon completion of the on-exchange transaction, the account balances of both clients involved will be updated accordingly.
D. Transaction Limits
The Company allows clients to set transaction limits for their outgoing transactions.
To set a transaction limit, the client must enter the parameters into the system and confirm by providing the funding password, a Google Authenticator OTP, and two separate OTPs sent via text message and email. Any transaction exceeding the limit will be required to follow the same verification procedures. A notification will be sent to the client whenever the transaction limit is changed.
In certain circumstances, the Company may also impose transaction limits or restrictions due to legal, compliance, or regulatory requirements.