Cifra X Platform AML / KYC Policy

Compliance Policies
Last updated on 4 DEC 2025

1. Policy Statement

This Anti-Money Laundering and Know-Your-Customer Policy (“AML/KYC Policy” or “Policy”) sets out the principles and measures adopted by:

IDY BILGISAYAR BILISIM SISTEMLERI LIMITED COMPANY, a corporation incorporated under the laws of Turkey, with its head office located at Ataturk Neighborhood, Ertugrul Gazi Street, Metropol Istanbul Kozyatagi, Tax Office 470, Tax Number 150 7911 (hereinafter referred to as “IDY BILGISAYAR BILISIM SISTEMLERI LIMITED COMPANY”),

in connection with the operation of the Cifra X Platform (hereinafter referred to as the “Platform”, “we” or “us”).

The Platform allows its users (hereinafter referred to as the “Users” or “you”) to trade in Digital Assets and to access other services related to Digital Assets (the “Services”). For convenience, you and us are collectively referred to as “both Parties” and individually as “each Party”.

We are committed to:

preventing the Platform from being used for money laundering, terrorist financing, sanctions evasion or other illegal activities;
complying with applicable anti-money laundering and counter-terrorism financing (“AML/CTF”) laws, rules and regulations;
applying appropriate know-your-customer (“KYC”) measures and ongoing monitoring.

This Policy is an integral part of the Cifra X Platform User Agreement and applies to all Users and all Services on the Platform.

If you do not agree with this Policy, you must not use the Services. By creating an Account or using the Services, you acknowledge that you have read, understood and agreed to this Policy.

2. Definitions

Unless otherwise stated, capitalised terms in this Policy have the meanings given in the Cifra X Platform User Agreement and Cifra X Platform Privacy Policy. In addition:

“AML/CTF” means anti-money laundering and counter-terrorism financing.
“Customer Due Diligence” or “CDD” means the procedures for identification, verification and risk assessment of Users.
“Enhanced Due Diligence” or “EDD” means additional measures applied to higher-risk Users, transactions or business relationships.
“Identification Information” means Personal Identification Information and Corporate Identification Information as defined in the Privacy Policy.
“Restricted Jurisdictions” has the meaning given in the Cifra X Platform User Agreement and currently includes: the United States of America, Cuba, Syria, Iran, Bangladesh, Myanmar and North Korea.
“Sanctions” means any economic or trade sanctions laws, regulations, embargoes or restrictive measures administered or enforced by applicable authorities.
“Suspicious Activity” means any activity that may be related to money laundering, terrorist financing, sanctions evasion, fraud or other financial crime.

3. AML / KYC Principles

We adopt the following core principles:

Risk-based approach – we assess and manage money laundering and terrorist financing risk on a risk-sensitive basis.
Customer Due Diligence – we identify and verify the identity of Users before establishing a business relationship and on an ongoing basis.
Ongoing monitoring – we monitor User activity and transactions on the Platform to detect unusual or suspicious patterns.
Sanctions & Restricted Jurisdictions – we do not knowingly provide Services to sanctioned persons or Users from Restricted Jurisdictions.
Record keeping – we maintain records of Identification Information, transactions and internal decisions for at least the minimum periods required by applicable laws.
Training & controls – we provide AML/CTF training to relevant staff and maintain internal controls to ensure effective implementation of this Policy.
Cooperation with authorities – we cooperate with competent authorities, including by freezing accounts and providing information where lawfully required.

4. Customer Due Diligence (CDD)

4.1 When CDD is performed

We carry out CDD in the following situations, including but not limited to:

when a User creates an Account;
before providing access to certain Services (e.g. higher limits, fiat on/off ramps, derivatives or margin products, where applicable);
when there is a suspicion of money laundering or terrorist financing;
when we have doubts about previously obtained Identification Information;
when required by applicable laws, rules or regulations.

We may refuse to open an Account or provide Services, or may suspend or terminate an existing Account, if you fail or refuse to provide the information we require.

4.2 Individual Users

For individual Users, we may collect the following Personal Identification Information (in line with the Privacy Policy), including but not limited to:

full name;
residential address and/or permanent address;
proof of address documents;
date of birth;
nationality;
email address and phone number;
government-issued identification documents (e.g. passport, national ID, residence permit, driver’s license);
photographs or video (“selfie”) for facial verification;
biometric and electronic identification information where permitted by law;
any other information we may request to comply with applicable AML/CTF requirements.

We may verify such information using independent and reliable sources, including electronic identity verification solutions, public databases, or other appropriate methods.

4.3 Corporate Users

For Users that are legal entities, we may collect Corporate Identification Information, including but not limited to:

legal name, registration number and legal form;
registration and incorporation documents;
articles of association or memorandum;
registered office and principal place of business;
ownership structure and description of such ownership;
identification of directors and persons with management control;
identification of beneficial owners (generally persons holding 10% or more of voting power, or otherwise exercising control);
board resolution or other authorisation designating the authorised representative(s);
contact information of authorised representative(s);
any other information we may require under applicable laws, rules or regulations.

4.4 Verification and refusal

We may:

take reasonable steps to verify Identification Information using reliable and independent sources;
request notarised or certified copies and/or translations of documents, where necessary;
decline, suspend or terminate any Account where Identification Information is incomplete, inconsistent, unverifiable or suspected to be fraudulent.

You are responsible for ensuring that all Identification Information you provide is true, accurate, complete and kept up to date.

5. Risk-Based Approach and Risk Categorisation

We assess the risk level of Users and transactions using a risk-based approach, taking into account factors such as:

country of residence or incorporation;
use of intermediaries or complex structures;
nature and purpose of the relationship with the Platform;
anticipated volume and pattern of transactions;
type of products and Services requested (e.g. margin, derivatives, lending, staking, copy trading, trading bots);
source of funds and source of wealth;
negative media or adverse information;
status as politically exposed persons (“PEPs”);
any other relevant risk indicators.

Based on this assessment, Users may be categorised into different risk levels (e.g. low, medium, high). We may apply stricter measures (EDD) to higher-risk Users or transactions.

6. Enhanced Due Diligence (EDD)

We may apply Enhanced Due Diligence in, including but not limited to, the following situations:

Users from higher-risk countries or regions (other than Restricted Jurisdictions, where Services are not provided);
Users with complex ownership or control structures;
PEPs and their close associates or family members;
unusually large, complex or frequent transactions that appear to have no clear economic or lawful purpose;
transactions involving higher-risk products (e.g. leveraged trading, perpetual contracts, derivatives, staking products, lending/borrowing, copy trading or trading bots), where applicable;
any situation where there is a higher risk of money laundering or terrorist financing.

EDD measures may include, without limitation:

obtaining additional Identification Information or documentation;
requesting evidence of source of funds and/or source of wealth;
conducting more frequent and detailed monitoring of transactions and behaviour;
requesting additional explanations about the purpose of the relationship or specific transactions;
seeking senior management approval before entering into or continuing a business relationship.

7. Ongoing Monitoring

We perform ongoing monitoring of User activity to ensure that transactions are consistent with our knowledge of the User, their business and risk profile, and to detect unusual or suspicious patterns.

Monitoring may include, without limitation:

reviewing transaction size, frequency, destination and counterparties;
monitoring changes in device fingerprints, IP addresses, login patterns or geolocation;
reviewing the use of multiple accounts, sudden spikes in activity, or use of high-risk products;
checking against sanctions lists, law enforcement notices and other relevant databases;
conducting periodic reviews and refreshes of Identification Information.

Where necessary, we may:

request updated or additional information from you;
temporarily restrict certain features or Services;
suspend deposits, withdrawals, trading, copy trading, bot usage, staking, margin or derivatives features;
freeze or close your Account.

8. Sanctions, Restricted Jurisdictions and Prohibited Users

8.1 Restricted Jurisdictions

In line with the Cifra X Platform User Agreement, Users from the following jurisdictions are prohibited from using the Services:

United States of America, Cuba, Syria, Iran, Bangladesh, Myanmar and North Korea.

We reserve the right to update the list of Restricted Jurisdictions at any time, in our sole discretion, in light of legal, regulatory or risk considerations.

8.2 Sanctioned Persons and Prohibited Users

You may not use the Services if you:

are subject to any sanctions administered or enforced by relevant authorities;
are located in, or a resident or national of, any Restricted Jurisdiction;
act on behalf of, or for the benefit of, any sanctioned person or person located in a Restricted Jurisdiction;
intend to use the Services for any illegal, fraudulent or prohibited activities.

We may use screening tools and other methods to identify potential matches with sanctions lists or other high-risk categories and may request additional information where necessary.

9. Suspicious Activity and Reporting

We may treat any activity or transaction as Suspicious Activity where, for example:

there is inconsistency between transactions and the User’s known profile;
the User provides false, misleading or forged documents;
funds appear to be derived from illegal or unexplained sources;
there is structuring or splitting transactions to avoid thresholds or controls;
there are signs of account takeover or identity theft;
there are indications of market manipulation, wash trading, spoofing or other abusive trading behaviour;
other red flags under applicable AML/CTF standards are present.

Where we identify Suspicious Activity, we may, without notice to you:

suspend, restrict, freeze or terminate your Account (including all balances and open positions);
cancel, reverse or block transactions (where possible);
request additional information or documentation;
file or submit reports to relevant authorities, in accordance with applicable laws, rules and regulations;
take any other action we deem appropriate to protect the Platform and comply with our obligations.

To the maximum extent permitted by law, we are not obliged to inform you about the existence or content of any report made to authorities.

10. Record Keeping

We will retain, for at least the minimum period required by applicable laws, rules and regulations (and longer where legally permitted or necessary for our legitimate interests):

Identification Information and related documents;
records of CDD and EDD checks and any internal analysis;
transaction records, including deposits, withdrawals, orders, trade history, staking, lending/borrowing, copy-trading or trading-bot activity (where applicable);
correspondence with Users and authorities;
internal decisions, approvals and risk assessments.

Such records may be kept in electronic or other form and may be stored in any jurisdiction we deem appropriate, in accordance with the Cifra X Platform Privacy Policy.

11. Internal Controls, Governance and Training

We maintain internal controls and procedures designed to ensure compliance with applicable AML/CTF obligations, including:

appointment (where required by law) of a compliance function with responsibility for AML/CTF matters;
implementation of written policies, procedures and controls, including this AML/KYC Policy;
risk assessment and periodic review of the effectiveness of our AML/CTF programme;
staff training appropriate to their roles, including training on AML/CTF risks, red flags and reporting obligations;
internal reporting and escalation mechanisms for suspicious activities;
periodic updates to this Policy and related procedures in response to changes in law, regulation or risk profile.

12. Data Protection

Processing of Personal Information for AML/KYC purposes is carried out in accordance with the Cifra X Platform Privacy Policy. In particular:

only authorised personnel and service providers have access to Identification Information on a need-to-know basis;
Personal Information is collected and processed for specified, lawful purposes, including compliance with AML/CTF requirements;
appropriate technical and organisational measures are used to protect Personal Information;
Personal Information is retained only for as long as necessary for AML/CTF, regulatory or legal purposes.

In case of conflict between this Policy and the Privacy Policy in relation to data protection, the Privacy Policy shall prevail to the extent of such conflict, unless applicable AML/CTF laws require otherwise.

13. User Obligations

By using the Services, you agree that you:

will provide true, accurate, complete and up-to-date information and documents when requested;
will promptly update your information when changes occur;
will not use the Services for any unlawful, fraudulent, money laundering, terrorist financing or other prohibited activities;
will cooperate with any request for information or documents made by us in connection with this Policy;
will immediately inform us if you become aware of any unauthorised use of your Account or any security breach;
understand that failure to comply with this Policy may result in suspension, freezing or termination of your Account and reporting to authorities.

14. No Limitation of Other Rights

This Policy does not limit any other rights we may have under the Cifra X Platform User Agreement, the Privacy Policy or applicable laws, rules and regulations, including our rights to:

suspend, restrict, freeze or terminate any Account;
refuse or cancel any transaction;
apply other risk controls or limits.

In case of any inconsistency between this Policy and the Cifra X Platform User Agreement, the User Agreement shall prevail to the extent of such inconsistency, unless otherwise required by applicable laws.

15. Amendments to this Policy

We reserve the right to determine, amend or modify any content of this Policy at any time at our sole discretion. The date and time displayed at the “Last updated on” section of this Policy refers to the timing of any changes to the provisions contained herein.

The amended Policy will take effect immediately upon publication on the Platform. You are responsible for reviewing this Policy regularly. If you do not agree with the amended Policy, you must immediately cease using the Services. Any continued use of the Services shall be deemed as your agreement to the amended Policy.

16. How to Contact Us

If you have any questions about this Policy or our AML/KYC measures, you may contact us at:

Email: [email protected]