This document provides an introduction to FundApps' shareholding disclosure service and its platform. FundApps provides shareholding disclosure monitoring services via a hosted web application which is provided via FundApps controlled infrastructure from secure and strictly controlled hosting environments. We maintain the software, continuously updating with the latest software enhancements and legislative content updates.

Workflow

FundApps' web application works on a batch processing model; position data is uploaded to the system and processed in the background. Typically clients implement an automated upload job from their systems to the API endpoints provided by FundApps to receive this data. Documentation of our API and example implementations are publicly available.

Users of the system may choose to receive notification e-mails letting them know when this process has concluded, and results are available inside the system. Users use a browser-based user interface to view the results of running the batch job and follow a workflow inside the software to investigate any results and file disclosures. Historical data from checks is retained within the system to provide a timeline of results and to facilitate the correct calculation of disclosure requirements.

Software

FundApps' web application is kept constantly up to date with the latest enhancements and fixes. We continuously deliver changes from development and content teams to client production environments. To support this activity we employ a best practices-based development approach employing test-driven development, pair programming and code review to reduce risk and improve software quality.

Every change to our software and rule content is run through an ever-growing test suite to ensure a minimal amount of risk in this continuous update process. Security considerations are built into our software lifecycle; we identify work items early on that have security implications. We conduct an annual penetration test and supply our clients with the report and a remediation plan.

Deployment of changes to our software is a fully automated and hands-off process.

Platform

FundApps platform is hosted in Amazon Web Services datacentres located in Dublin, Ireland and Frankfurt, Germany. With control over both software and infrastructure FundApps is able to deliver best in class availability and security. The principle of least privilege is applied throughout; at the network, system and software levels to tightly control the availability of data and reduce the potential for security breaches.

Data Security

All client data sent to or generated inside our platform follows an encrypted data lifecycle and all interactions with the system occur over an encrypted protocol: Secure HTTP (HTTPS). FundApps keeps supported cipher suites for the SSL encryption used for HTTPS in line with industry standards and regularly runs external tests to verify this. The results of these tests are on the internet. Once data enters our platform it remains encrypted in transit throughout our networks.

On our AWS infrastructure, this data is subsequently encrypted at rest and employs a key management system which allows us to rotate the keys used for the encryption of these volumes on a regular basis. Backups are also stored encrypted at rest, meaning data is never available in cleartext.

Access Control

FundApps' web application enforces several layers of access control.

Authentication: Our software allows clients to either use a single-factor authentication mechanism, the native multi-factor authentication mechanism or to integrate the platform with their Single-Sign-On.

Authorisation: Our software implements different authorisations based on roles which are described . These roles allow us to match permissions in our software with different users' job functions.

Network access control: FundApps is able to provide further access control by applying IP restrictions to client environments, preventing access from networks other than those of the client site. These restrictions operate before any authentication to the system and prevent any requests being made to the application at all.‌

Client Segregation: Individual client environments are isolated at the infrastructure level using separate databases, web and engine instances.

Access Control Audit Trail: A complete audit trail is visible inside the application and allows tracking of all operations taken inside the system, along with user access events. This auditing includes any support activities performed by FundApps staff.

Processes & Controls

Our platform is hosted in facilities with top-grade physical security; we host entirely within the EU with Amazon Web Services (AWS). AWS hold industry standard certifications relating to security and availability, including but not limited to ISO 9001, 27001 and SOC I, II certifications. Full details of the certification activities undertaken by our hosting partner are available via .

We ship all log events generated on the platform to a central store for audit, reporting and alerting activity. Direct access to production systems is strictly restricted to key personnel with a direct operational need, and these accesses are reviewed on a monthly basis.

Monitoring

We have automated monitoring of critical conditions for both infrastructure and software in the platform. These conditions create alerts following escalation policies and where necessary alert operators on a 24/7 basis to preserve the integrity and availability of the platform.

Furthermore, FundApps uses a 24/7 Security Operation Centre (SOC) to detect and respond to security alerts.

Application performance and infrastructure metrics are used for capacity planning and platform management; ensuring there is always sufficient capacity available across the platform to satisfy all demands.

Technical Resilience

For our platform's technical resilience please go to .

FundApps' information systems register [] contains any system (internal or external) that holds or permits access to information assets in our . For example, this includes:

• Client instances

• Amazon AWS (production data)

• Google Mail (our own internal communications)

Objective

Define the version control, change approval and review cycle of FundApps policies.

Scope

This plan describes how the Internal Audit will be split over 3 years, so that every 3 year cycle the entirety of FundApps' Information Security Management System has been audited.

Once a cycle of 3 years is completed, a new 3 year cycle will begin.

Year 1

This internal audit shall cover the following elements:

NOTE: At FundApps we're focused on offering the best possible services to the investment management industry. As part of that, we have a firm commitment to ensuring our platform remains highly available and your data remains secure. We have made this resource available to clients and prospective clients in order to learn more about how we achieve this and to assist with any due diligence questions you may have.

Our own staff use this resource to review security policy and educate themselves on our approaches. This is by its nature a "living" document - which will evolve as we continually evaluate how we can deliver a best of breed platform to the industry.

Policy documentation is maintained electronically across GitBook and Notion, depending on its intended audience. Version control is managed through GitHub via GitBook’s Git Sync feature, ensuring all changes are tracked. Pull requests provide visibility into modifications and require approval from the CTO and Head of Security before being merged.

If you require any clarifications or have any questions then don't hesitate to contact us.

Introduction

At FundApps we believe in simplicity, automation and testing in order to deliver high quality software - and that follows through our entire software development process. Testing is a integral part of this - not only through our software development but also our rules team who implement the legal changes made around the world.

Security in project management

Information Security should be addressed for all FundApps projects that have a potential for impacting FundApps Information System or FundApps data as defined in the .

These projects must include information security requirements.

An information security risk assessment must be conducted at an early stage of the project to identify necessary controls.

Information security must be applied to all the phases of the applied project methodology.

Change Management Controls

Authorising Changes

Significant changes to the production environment are captured in Shortcut and are based on requirements made by FundApps stakeholders (Product Team, CTO, Head of Information Security, etc.) as illustrated in Figure 2. This process is described in a dedicated procedure available in .

Testing changes

All changes are tested with a multi-level test suite (Front End tests, integration tests, unit tests, rule tests, static application security testing as well as Open Source Software License scans) as can be seen in figures 4, 5, 6 and 7. Changes cannot be applied to production if tests fail. Finally, a dynamic application security testing tool scans a client-like environment on a weekly basis.

Approving changes and Segregation of Duties

All changes to production can only be submitted by members of the Engineering team, Content and CS teams. Furthermore they need to be peer reviewed (Figure 3) and approved by a different staff member (based on the repository) than the one submitting the changes, before they can be merged into the main code branch, as described .

Emergency changes

All builds are stored allowing to rollback to the last known good build in case of an emergency.

Change Management Steps

1. Work item specified Work items are scoped and defined as development tasks in Shortcut. Potential security issues flagged and discussed at this stage. Items prioritised and tackled by the team (Figure 2)

2. Development work Development or configuration work is performed as scoped and defined in the work item.

3. Pull Request created Once the work is complete, or at intermediate stages for larger work items ‘pull requests’ are created (Figure 3). Pull requests specify the desired changes across files and act as proposals for specific change.

Internal communication regarding this ISMS will be conducted as described below:

Our information asset register [Restricted to FundApps staff] contains every information asset of value to FundApps. For example, this includes:

• Client support queries

• Internal communications

• Server logs

• Development source code

Identification

Information assets are identified as part of:

• Monthly company-wide security awareness sessions

• Monthly security review meetings

• Our software development lifecycle

• Everyday working practice

Assessment

For each information asset identified, we

• Assign an owner for the information

• Identify if it falls under any specific regulation (primarily General Data Protection Regulation)

• Assess CIA ratings in accordance with our process

• Identify an appropriate data classification from these ratings

Any changes to the register results in:

• updates to our with regards the classification of information they hold

• updates to our data classification policy with regards the information systems and asset information falling under each classification

• updates to our requiring us to record privileges granted to this systems and ensuring revokation during the offboarding process

Review

Information systems are reviewed as part of our monthly security review meetings.

Logging

FundApps logs system and network events in order to detect and respond to information security threats.

The following events are logged:

• Application events:

  • Login attempts,

  • Changes to users and privileges,

• System events:

  • System accesses,

  • File system accesses,

  • Host-based IPS (Intrusion Prevention System) alerts.

• Network events:

  • Network traffic.

All events are aggregated, stored centrally and protected against alteration.

Monitoring and Alerting

FundApps has processes in place to monitor logs. Automated alerting of certain events or event thresholds allows FundApps staff to detect and respond to a potential security incident 24/7.

Security alerts are reviewed by the Security team and tracked in the Security Incident and Event Management tool, and a summary is provided during the monthly security meeting.

FundApps backups production data to local storage at the following frequency:

• FundApps continuously backups production data to a hot standby instance in the same region but a different availability zone (generally <100ms RPO, <5 minutes RTO).

• Backups are continuously replicated to a cold standby instance in a secondary region (generally <500ms RPO, <1 hour RTO).

Seven days of full snapshot history are stored in RDS snapshots in the primary and secondary regions. Each backup contains the entire history of the client instance. Backup integrity is checked automatically at the end of each backup. Backups are fully encrypted.

FundApps has implemented a tiered network architecture to host its services. This tiered architecture allows the restriction of communications between networks in order to reduce the probability and impact of a security incident.

Operational and security logs are monitored 24/7 by the Security team to detect and respond to security incidents.

Access to the administration of the network is limited to a small number of FundApps staff.

Objective

The purpose of this policy is to define the way in which FundApps manages patching of its Information System.

Scope

The policy applies to all FundApps managed Information Systems.

Policy

End user computers

End user computers must receive system patches automatically. Users must not be able to defer patching for more than 30 days.

Servers

Proxy servers

Proxy servers must be cycled at least on a monthly basis, and must be built using an image including the latest system patches.

Web servers

Web servers must receive system patches automatically every month.

Other servers

Other servers must receive system patches at least every 3 months.

FundApps has performed a business impact analysis and maintains a risk register as part of our information security management system. The full risk register is maintained here [Restricted to FundApps staff].

Information Security Management System > Information Security Management Policy

Added an entry to External Issues > Legal Factors: Regulations affecting FundApps’ relations with its clients and providers (e.g. DORA)

Additional Information

Added information about our insurance.

General Terms > Third Party Data Provider Terms

Adding BIGTXN third party terms for Sanctions data.

Information Security Management System > Access Control Policy

Added information regarding Just In Time access.

AWS has established formal policies and procedures to delineate the minimum standards for logical access to AWS platform and infrastructure hosts. AWS conducts criminal background checks, as permitted by law, as part of preemployment screening practices for employees and commensurate with the employee’s position and level of access. The policies also identify functional responsibilities for the administration of logical access and security.

Personnel & Safety > The FundApps Code for Third Parties

Uploaded the first version of our supplier code of conduct.

The following table describes the plan for 2025 to achieve FundApps' objectives.

Objective

This policy defines the internal audit process of FundApps' Information Security Management System (ISMS).

Scope

The scope of the internal audit is FundApps' Information Security Management System (ISMS), which is described in .

Frequency and Coverage

Internal audits shall be performed against FundApps' ISMS at planned intervals at least once per year.

Over a three year period there will be three internal audits:

• one audit will cover the entire scope of the ISMS

• two audits will cover at least one third of the ISMS.

Internal Auditor

The internal auditor shall be appointed by the ISMS Manager. The auditor and may be a member of FundApps or an external trusted third party auditor. Auditor selection shall be done to ensure objectivity and the impartiality of the audit process.

Internal Audit Process

Audit Planning

Audits shall be planned in advance and the ISMS Manager shall be notified no less than 5 business days ahead of time.

The internal auditor shall prepare the audit plan which shall define the scope of the ISMS, including the scope of the controls, which shall be audited.

Amongst others, the audit plan must take as an input the following items:

• Security related incidents that have occurred since last audit;

• Changes made to the Information Security Policy;

• Changes made to Information Security controls;

• Improvements made to the ISMS.

The resulting audit plan must be validated by the ISMS Manager.

Upon validation the ISMS auditor must communicate the plan to the interested parties.

Audit Preparation

The internal auditor shall collect and study the previous audit findings and outstanding issues. They shall also prepare relevant documents required for the audit (e.g. ISMS Audit checklist).

Conduct Audit

During the audit, the internal auditor shall find relevant evidence to ascertain that:

• The information security policy reflects the current business requirements;

• An appropriate risk assessment methodology is being used;

• Documented procedures (within the scope of the ISMS) are being followed and are meeting their objectives;

• Controls are in place and working as intended;

Audit Reporting

The internal auditor shall prepare an audit report based on the audit findings. Findings shall be labelled according to their severity and priority level:

• Major Non-Conformity - This pertains to a major deficiency in the ISMS and exists if one or more elements of the ISO/IEC 27001: 2022 Information Security standard is not implemented and this finding shall have a direct effect on information security, specifically on the preservation of confidentiality, integrity and availability of information assets.

• Minor Non-Conformity - A minor deficiency. One or more elements of the ISMS is/are only partially complied with. Minor non-conformities have an indirect effect on information security.

• Observations/Potential Improvements – An audit recommendation for improvement for consideration by FundApps.

The internal auditor shall send the audit report to the ISMS Manager and the ISMS Implementer.

Audit Remediation

According to the audit findings and the non-conformity levels, an action plan and potential follow-up audit shall be defined by the ISMS Implementer and validated by the ISMS Manager. The scope of a follow-up audit is limited to the non conformity and the same mechanisms that produced the finding are used.

Appendix

Internal Audit Template

Overview

FundApps approaches both information security and business continuity from risk based principles. Each identified information security or business continuity risk is reviewed with regard to Likelihood (the possibility of a risk happening), and Impact (the consequence of a risk happening).

Risks can be identified by any member of staff, and, staff members are encouraged to contribute. Once risks are identified and reviewed for Likelihood and Impact, an appropriate remediation plan can be formulated.

The key is that risk management drives activity to resolve identified risks, and is the responsibility is that of each employee of FundApps.

Risk Appetite

FundApps has no appetite for safety risks that could result in the injury or loss of life of FundApps staff, clients or partners.

FundApps has no appetite for information security risks that could result in unauthorised or accidental disclosure of, client or other sensitive information.

FundApps has a low appetite for business continuity risks which prevent the ability to provide service to clients.

Risk Tolerance

It is important to note that following the risk management framework, any risk that equals or exceeds a risk rating of twelve (12) will exceed the FundApps Risk Tolerance level and therefore will require a risk treatment plan to lower the risk profile. See the FundApps Risk Management Matrix at the bottom of the page for further information.

Risk Management Process

A- Risk Identification

Potential information security risks and business continuity risks are identified through both formal and informal channels:

1. Monthly security review meetings

2. Incident response and reviews

3. As part of the Software Development Lifecycle

4. As part of the continuous release management

B- Risk Assessment

Likelihood and impact

Potential risks are recorded in the risk register and assigned an owner. Risks are assessed on two criteria with regards to any current controls that may already be in place:

• Likelihood, according to the FundApps Risk Management Matrix (cf. bottom of the page). Likelihood should consider the specific vulnerability or threats that may exploit this vulnerability.

• Impact, according to the FundApps Risk Management Matrix (cf. bottom of the page). Further guidance must be taken from the FundApps Data Classification and Handling when referring to impact. This will take into account the Confidentiality, Integrity and Availability requirements of any data asset.

Residual risk

The assessment of likelihood and impact places the risk within risk tolerance levels defined in the Risk Management Matrix (cf. bottom of the page).

Each risk level consists of

• the likelihood and impact levels

• a timeframe for review while the risk is open

• a timeframe for review once the risk is closed

C- Risk Response

Based on this categorization we can then design a risk response in order to reduce our residual risk.

Strategies for responding to the risk can include:

• Avoid risk – activities with a high likelihood of loss and large business impact. The best response is to avoid the activity.

• Mitigate risk – activities with a high likelihood of occurring, but business impact is small. The best response is to use management control systems to reduce the risk of potential loss.

• Transfer risk – activities with low probability of occurring, but with a large business impact. The best response is to transfer a portion or all of the risk to a third party by purchasing insurance, hedging, outsourcing, or entering into partnerships.

Our risk response may generate information security or business continuity controls which could be technical, procedural or policy based.

D- Risk and Control Monitoring

Identified risks and their mitigating controls are monitored and reviewed at least annually in order to ensure the residual risk is within the risk appetite. Should the residual risk change, either due to a change in the intrinsic risk, or due to the control effectiveness, the risk response will be reviewed.

Risk Management Matrix

Use of definitions based upon ISACA’s

Roles and Responsibilities

ISMS Manager

The CTO shall ensure FundApps allocates the appropriate resources to ensure the ISMS' conformity with the ISO 27001 standard and shall report the performance of the ISMS to the Leadership team.

Objective

This process aims to allow FundApps to continually improve the suitability, adequacy and effectiveness of the information security management system.

Scope

Data Center Physical Security Overview

All data hosted in FundApps’ platform is hosted in facilities with top grade physical security. These facilities are located within the EU with Amazon Web Services (AWS). AWS hold industry standard certifications relating to security and availability, including but not limited to ISO 9001, 27001 and SOC I, II certifications. Full details of the certification activities undertaken by our hosting partner are available via AWS compliance.

Objective

The purpose of this policy is to define the way in which FundApps raises, approves, records and reviews exceptions to its information security policies.

Scope

Objective

The purpose of this policy is to define the way in which FundApps addresses information security in project management.

Scope

General Terms > Third Party Data Provider Terms

Uploading v2 of Refinitiv and new FactSet third party terms for Poison Pills data and LSEG Redist.

Insurance

FundApps has prepared this Statement on Operational Resilience to describe how FundApps addresses measures that financial entities themselves need to meet under DORA. This Statement is not an operational document – FundApps has in place its own policies and procedures and the means to implement them. However, this Statement does offer a fair description of the measures that FundApps has in place which are aligned to financial entity requirements under DORA.

Legal Information > DORA

Creation of page and subpages for information related to DORA

Legal Information > General Terms

At FundApps, we are committed to providing a secure, reliable, and high-performing service for all our users. To uphold this commitment and foster a positive environment, this Acceptable Use Policy (“AUP”) outlines acceptable and unacceptable conduct for our Services. Violations, especially deliberate, repeated, or harmful ones, may lead to suspension or termination of access. By accessing or using the Service, you (the Client and any user) agree to comply with this AUP.

ISMS > Information Security Management Policy

Added a section on Data Protection Act

ISMS > Statement of Applicability

FundApps' privacy policy is available on .

This policy outlines FundApps' approach to TLPT testing by external testers and our clients.

Software Development

Updated screenshots for SAST and OSS license checks to reflect the current current tools used.

Business Continuity > Business Continuity Documents

Legal Information > Insurance

Adding updated insurance cert for US.

Legal Information > SEC Regulation S-P

Information Security Policies > Data Retention Policy

Update language on Client Data retention to align with FundApps' general terms.

Information Security Policies > Physical Security

Updated our Physical Security Policy to reflect that the Singapore office door now locks automatically.

Legal Information > Insurance

Updated the dates the insurance applies including the insurance confirmation letter

Additional Information > Legal Information

Information Security Policies > Employee Guide

Update our Employee Guide to remove the social media paragraph.

Additional Information > Frequently Asked Questions

• FundApps' latest penetration test report and,

Risk Management > Information Systems Register

Minor change to reflect that system owners are also called Supplier Relationship Managers.

Risk Management > Data Classification and Protection Standard

ISMS > Statement of Applicability

Added document version to the Statement of Applicability.

Business Continuity > Business Continuity Documents

Information Security Policies > Client Services Access to Client Environments

Updated policy on how our client services team interacts with client environments based on our latest practices.

Legal Information > DORA > Subcontractors and Service Location

Including LEI codes and updating SG address

Personnel & Safety > The FundApps Code for Third Parties

Linked the relevant section of the employee guide.

ISMS > Statement of Applicability

Corrected the Statement of Applicability to align rows

ISMS > Information Security Management Policy

Added a note that changes to ISMS are carried out in a planned manner. Updated the Interested Parties section to address clause 4.2 (which of the requirements will be addressed through the information security management system).

ISMS > Scope

Improved the software and application section and updated our list of services and addresses.

Information Security Management System > Statement of Applicability

Aligned the controls with the requirements of ISO 27001:2022.

FundApps management believes that embedding security into the culture of FundApps is critical to the success of our information security program, and as such this is a management priority.

FundApps implements the following practices to achieve this objective:

• New joiners go through an Information Security training when they start at FundApps. This training covers what is Information Security, why it’s important to FundApps and what is expected of FundApps staff and contractors;

• FundApps staff undergo an annual Information Security Training refresher;

• Security-themed presentations to all of FundApps’ staff;

• Technical Security presentations to engineers on most common vulnerabilities;

• Channels in company communication tool with security news;

• Monthly security review session for key stakeholders where we actively review security access lists, audit logs and risk register;

• Culture of continuous improvement across all areas of the business.

Personnel & Safety > Code of Conduct and FundApps Code for Third Parties

Updated both Codes.

Legal Information > DORA > TLPT Policy

Creation of TLPT policy for DORA.

Business Continuity > Technical Resilience

Updated FundApps' technical resilience documentation to reflect changes in the resilience objectives, scenarios, and capabilities.

FundApps Policies > Acceptable Use

Adding an updated version of the Acceptable Use Policy to this portal.

Information Security Management System > Objective Plan

Updated the ISMS objective plan with 2023 objectives set out during the December ISMS Performance review.

Information Security Management System > Performance Evaluation

Updated the ISMS performance evaluation following the December ISMS Performance review.

Legal Information > Governance

Creating a new section that outlines FundApps governance structure.

This DORA Statement on Contractual Compliance is designed to assist financial entities track DORA requirements to the FundApps DORA Addendum (the "Addendum"). It aligns clauses from the Addendum and explains how the Addendum is designed to meet financial entity requirements.

The ISMS applies to the shareholding disclosure, position limits, sensitive industries, annex IV reporting and Filing Manager services, which FundApps delivers to its clients. It also applies to the information assets, processes, teams and external service providers which FundApps relies on to provide these services.

Services provided

FundApps’ five main services provided are:

Shareholding Disclosure

FundApps’ Shareholding Disclosure service monitors disclosure requirements for major shareholding, short selling and takeover panels. Position data is uploaded daily and users are alerted to new disclosures. Disclosures are made on time without mistakes.

Position Limits

FundApps' Position Limits service simplifies the process of monitoring position limits on derivative contracts which are imposed by exchanges across the globe as well as regulators (e.g. CFTC, ESMA via MiFID II). Our service informs our clients on where their positions are versus applicable limits and acts as an early warning system.

Sensitive Industries

FundApps simplifies the process of monitoring sensitive industries investment and foreign ownership. Position data is uploaded daily and users are alerted to pre-approval warnings, notifications for disclosure obligations and hard stop breaches.

Filing Manager

Filing Manager automates the disclosure process for short selling reporting. It uses the client-provided data and provides a fully audited service to file for the client. It identifies disclosures for short positions once the position file runs and prepares them to be submitted to the relevant regulator.

Annex IV reporting

AIFMD Annex IV reporting requires detailed disclosures on investor data, risk exposures, liquidity, and financing to enhance transparency in the alternative investment space. We automate data aggregation, centralise workflows, and provide full calculation visibility at every stage.

People

The FundApps departments within the scope of the ISMS are:

• Client Services – On-board clients and assist them throughout their experience with our software.

• Regulatory team– Help to ensure rules correctly mirror current regulation.

• Finance – Manage FundApps’ budget, cash flow, tax planning and record keeping.

At a high level, the following executives and teams support FundApps’ processes and services:

• CEO – Assigns authority and responsibility for operating activities and reporting relationships. FundApps’ CEO defines and communicates the company’s objectives.

• Global Head of Client Services – Takes the lead in owning FundApps client portfolio and drive cross-team collaboration to support FundApps’ objectives.

• Chief Product Officer – Accountable for all product management and content team activities globally.

Offices

FundApps operates out of three offices:

• 18th Floor, HYLO, 105 Bunhill Row, London, EC1Y 8LZ, United Kingdom

• 276 5th Ave, Suite 808, New York, NY 10001

• #13-135, 71 Robinson Road, 068895, Singapore

Infrastructure

FundApps services make use of a resilient infrastructure, which is hosted within multiple data centres (availability zones) and regions operated by Amazon Web Services. There are two environments with a primary environment made up of three data centres within a single geographic region, from which the service is provided in normal operation. There is also a secondary environment in an alternate geographic region, which is used in case the primary environment is unavailable. Each of the three data centres within the primary environment have discrete power and Internet connectivity. FundApps’ primary environment is designed to continue to provide its service should two of the three centres suffer concomitant failures. Should the whole primary environment fail, FundApps has procedures to recover its service in the secondary environment. The critical components of this highly available infrastructure include:

• Proxy servers, which filter inbound traffic and route them to the correct service;

• Serverless computing elements and containers which perform apply rule sets analysis of FundApps clients’ financial positions and provide clients with a web user interface and an application programming interface (API); and

• Databases, which store the results of this analysis, as well as objects and events related to client environments.

Software and Tools

FundApps relies on various applications, tools, and infrastructure components to support its information security management system.

FundApps' platform consists of software that supports its applications, including software for our build pipeline, deployment tools used to deploy to AWS environments, and automation software for managing cloud infrastructure changes.

In addition, FundApps utilises systems for:

• Identity and Access Management to control authentication and authorisation.

• Development and Change Management to track and manage software changes securely.

• Security Monitoring and Threat Detection to protect against, detect, and respond to security threats.

• Communication and Collaboration to facilitate internal and external information sharing.

FundApps ensures that all business-critical applications and tools within the ISMS scope are assessed for security risks, aligned with industry best practices, and regularly reviewed to maintain compliance with ISO 27001. A current list of subprocessors is maintained in our .

Objective

The purpose of this policy is to define the way in which FundApps maintains the security of information transferred within FundApps and with any external entity.

Scope

This policy applies to all FundApps Information Systems.

Policy

Information transferred within FundApps as well as with external entities must comply with the rules set out in the Transmission section of the , as well as the .

Information must be transmitted through FundApps Information Systems (which include the FundApps managed email system). Exceptions to this requirement must be validated by the Head of Information Security, the CTO or the CEO.

Information transmitted to FundApps through email must be scanned for malware before being downloaded by end users.

Endpoint Detection and Response tools must be deployed to all FundApps devices in order to detect and respond to any malware which may have been transferred to FundApps devices.

Information transferred must be cryptographically encrypted in line with the .

Information protected by a strict ACL (Access Control List) must be transferred in a way which continues to guarantee the ACL is maintained. For example, one should share the link to the information system the information is maintained in, rather than the information itself.

Sensitive information must not be shared over the phone in public places.

Transferring information with clients

When transferring sensitive information with clients, usage of FundApps' platform API or User Interface should be privileged. Sending the information through email as an encrypted password protected attachment is an acceptable alternative.

Upon contract termination, the client may require for FundApps to send information stored in the FundApps platform. The transfer of this information must be made in adherence with any relevant clause in the client contract and the requirements set out in this policy.

Subcontractors

Pursuant to Part 1 Clause of the DORA Addendum, the following aspects of our Services have been subcontracted:

Service Location

Pursuant to Part 1 Clause 5 of the DORA Addendum, the locations from where the Services are to be provided and where Client Data is to be processed, including the storage location, are set out at as follows:

FundApps Group

Subcontractors

Sub-processors

Client Personal Data is processed in accordance with applicable Data Protection Laws and Schedule C of our . For a full list of sub-processors, including locations and transfer mechanisms, please see our .

Objective

The purpose of this policy is to define the way in which FundApps manages third party risks.

Scope

This policy applies to all FundApps third parties which impact FundApps' Information System.

Policy

Initial Assessment

FundApps assess the risk posed by all third party providers which interact with FundApps' Information System.

This assessment is based on the review of security accreditations the third party might hold (e.g. ISO 27001 certificate, SOC 2 report) as well as specific questions tailored to the Third Party provider.

Risks identified through this process will be managed in accordance to FundApps' .

Regular Review

FundApps reviews the risks posed by critical Third Party providers on an annual basis.

This review is logged in FundApps' monthly security meeting.

Roles and Responsibilities

Objective

This policy aims to define how FundApps retains data throughout its systems.

Scope

The policy applies to all data processed or stored by FundApps.

Policy

Personal Data Retention

Retention of personal data is described in .

Client Data

FundApps retains the following sets of data within its production platform during the lifetime of the contract with its clients:

• Data uploaded to the platform;

• Application audit trail (i.e. actions performed by users in application).

Upon contract termination FundApps will securely delete all client data from its infrastructure within 20 working days, insofar as technically feasible. A copy of this data can be provided to the client prior to deletion based on contractual agreements.

Technical Data

FundApps stores technical logs and events related to its production infrastructure within a centralised log management platform. Data is retained for at least one year.

FundApps data

All other data which do not fall in the previous categories is retained by FundApps within its systems for the length of time deemed adequate by FundApps to provide its service efficiently.

At FundApps, we are dedicated to providing the highest support quality while ensuring consistent data confidentiality, integrity, and availability.

As such, there are certain actions we can (and cannot) take on your behalf. The following is a list of some of the work practices you can expect from us:

What we do

• We use secure virtual desktops to access client platforms.

• We provide a valid and unambiguous reason every time we log into a client environment (reviewable at any time in the audit trail).

• We may click the "Validate File" button to troubleshoot failed file validations

• We may download/export relevant files to conduct necessary analysis to troubleshoot unexpected behaviour (i.e. disclosure documents, positions and portfolio files). These files will only be downloaded to secure virtual desktops and destroyed when no longer required.

• We may create or edit Companies as part of the environment setup. Subsequent changes must be based on a written request from a client with administrator privileges.

• We verify all calls made to our support line are from legitimate users of our platform.

What we are unable to do

• We cannot create or edit any users (except the initial admin users when setting up the environment)

• We cannot create or edit any data overrides

• We cannot upload any files to client environments (except disaggregations & imported disclosures as part of the initial setup)

• We cannot interact with results, except when downloading already generated documents to support

FundApps' platform's technical resilience is built to address multiple adverse scenarios and relies on high availability and disaster recovery capabilities.

Adverse Scenarios

These scenarios are:

• Single or multiple data centres (but not all data centres) fail within an AWS region;

Effective Date: October 2025

Summary

In May 2024, the U.S. Securities and Exchange Commission (SEC) adopted amendments to Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information. These changes enhance data protection obligations for certain regulated financial institutions and their service providers.

FundApps position: The amendments do not impact FundApps obligations under Regulation S-P, as FundApps does not process or store any “Customer Information” as defined by the rule and therefore no change to FundApps regulatory obligations or customer data handling practices is required.

FundApps maintains insurance coverage, which is adequate and proportionate to our type of business from reputable providers throughout the term of our agreements with our clients.

A summary of our coverage is as follows:

From 16th July 2025 to 15 July 2026:

FundApps Limited

• Employers Liability

  • Indemnity Limit: £10,000,000 any one claim

Onboarding

We follow a task based process in our HR system that ensures correct checks are carried out and crucial training delivered when onboarding new staff.

Background checks

FundApps recognise our responsibility to the planet. By 2027 we will achieve and maintain Carbon Neutral status.

How FundApps Will Achieve Carbon Neutrality

FundApps will seek to reduce emissions as far as is practical by living our values of "Do more with less", "have courage" and "raise the bar"

1. Ensuring the energy efficiency and sustainability of the FundApps platform. Globally, cloud computing consumes vast amounts of energy. More energy efficient architectures naturally consume less energy and often offer greater performance. Cloud computing emissions comprised approximately 1/3 of FundApps total emissions in 2021. By adopting a "cloud native" approach to providing compute infrastructure and storing data FundApps will reduce carbon emissions and improve performance for clients.

FundApps Code for Third Parties

Updated the environmental and social responsibility parts to reflect the latest requirements in this areas that we have of our suppliers.

In order to preserve the appropriate confidentiality, integrity and availability of FundApps information assets, we must make sure they are protected against unauthorized access, disclosure or modification. This is critical for all personal data, client data and FundApps proprietary data we deal with across the FundApps business.

This standard applies to all FundApps information, irrespective of the data location or the type of device it resides on.

Approach

We maintain an information asset register detailing all key information assets at FundApps, who owns them, the business processes they are used in, and any external service providers that may utilise or store the information.

As a result, we can see at a glance

• What information assets fall under which data classification

• What information systems hold data falling under those classifications

• The controls that we expect each system to have in place

Responsibilities

FundApps & third parties

All FundApps employees, contractors and third parties who interact with information held by and on behalf of the FundApps are responsible for assessing and classifying the information they work with and applying the appropriate controls. Individuals must respect the security classification of any information as defined and must report the inappropriate situation of information to the Information Security Manager or Head of Security as quickly as possible.

System Owners

Each System has an owner (Supplier Relationship Manager) responsible for assessing the information it contains and classifying its sensitivity. Systems owners are then responsible for ensuring the appropriate controls are in place in conjunction with the Head of Security.

Security Team

Responsible for advising on and recommending information security standards on data classification and ensuring these are regularly reviewed.

Classification and Protection Guidance

The latest classification guidance can be found below.

Reporting Violations

Report suspected violations of this policy to the Head of Information Security, the CTO or the CEO. Reports of violations are considered Restricted data until otherwise classified.

Objective

The purpose of this policy is to define the way in which FundApps manages cryptographic controls to protect the confidentiality, authenticity and/or the integrity of information.

Scope

The policy applies to all FundApps Information Systems.

Policy

FundApps will implement cryptographic controls to protect information as defined in the Data Classification and Protection Standard.

Information which requires encryption

The following tables summarises when cryptography must be used:

Encryption of data in transit

All client data sent to or generated inside our platform follows an encrypted data lifecycle and all interactions with the system occur over an encrypted protocol: Secure HTTP (HTTPS). We keep supported cipher suites for the SSL encryption used for HTTPS in line with industry standards and regularly run external tests to verify this, the results of these tests are .

Encryption of data at rest

All client data is encrypted at rest. FundApps employs a key management system which allows us to rotate the keys used for the encryption of these volumes on a regular basis. Backups are also stored encrypted at rest, meaning your data is never available in cleartext. Data is encrypted using AES-256-GCM, a symmetric algorithm based on Advanced Encryption Standard (AES) in Galois Counter Mode (GCM) with 256-bit keys.

Encryption ciphers and key lengths

FundApps supports TLS v1.2 and TLS v1.3. The full list of supported ciphers are available on

Encryption ciphers and key lengths used to protect information must comply with requirements set out in .

The minimum length of a symmetric key to encrypt restricted client data at rest is 256 bits.

Cryptographic Key Management

Cryptographic keys must be generated, transmitted, stored and managed in a secure manner that prevents loss, unauthorised access, or compromise.

Access: Access to cryptographic keys must be restricted to authorised staff only.

Distribution: Private and symmetric keys must be distributed securely such as through the use secure email or out of band techniques like phone conversations with known individuals. Physical transportation of private and symmetric keys will require that they will be encrypted

Physical security: Equipment used to generate, store and archive keys must be physically protected using appropriate, secure access controls.

Key rotation: Cryptographic keys must be rotated at a minimum every 3 years.

Compromised keys: In the event of a cryptographic key being compromised, a new key (or key pair) must be generated and the existing key must be revoked.

Backup: Backup of cryptographic keys must be maintained to recover them should they be lost.

Logging and auditing: All accesses to cryptographic keys as well as modifications to these keys must be logged. Logs must be audited for anomalous activity.

Roles and responsibilities

The system owner (Supplier Relationship Manager), as defined in , is responsible for ensuring information to protected by cryptographic controls as set out in this policy.

The Head of Information Security is responsible for ensuring the policy is aligned to FundApps' business objectives.

Objective

The purpose of this policy is to define the way in which FundApps detects, classifies, mitigates and corrects vulnerabilities on its Information System. Effective implementation of this policy will allow to reduce the probability and/or impact of vulnerabilities affecting the FundApps Information System

Scope

This policy applies to applications and infrastructure which makes up FundApps’ production environment. Physical vulnerability management is out of scope of this policy and managed by our hosting provider (AWS).

Vulnerability Detection

FundApps uses several layers of security controls to detect and remediate vulnerabilities:

• A human-led penetration test performed by a CREST-accredited company is performed annually.

• Static Application Security Testing (SAST) is performed against any change before being deployed to production.

• Dynamic Application Security Testing (DAST) is performed against our platform weekly.

• Infrastructure vulnerability scanning is performed against our infrastructure weekly.

FundApps' latest penetration test report and response to this report can be found in

Vulnerability Severity Ratings

• Applications

  Application vulnerabilities are rated based on their impact and likelihood. Possible vulnerability ratings are Low, Medium, High and Critical. The rating system is based on the OWASP Risk Rating Methodology ().

• Infrastructure

  Infrastructure vulnerabilities are rated using the Common Vulnerability Scoring System (). Possible vulnerability ratings are None (0.0), Low (0.1 - 3.9), Medium (4.0 - 6.9), High (7.0 - 8.9) and Critical (9.0 - 10.0).

Vulnerability Acceptance, Mitigation and Correction

• Process

  Once vulnerabilities have been identified, rated and formalised, FundApps will manage risk treatment based on the following diagram:

By default, and as a maximum, the vulnerability acceptance period will be one year.

• Applications

  FundApps will endeavour to address vulnerabilities based on their severity as defined in the following table:

(*) number of working days after application vulnerability report is formalised. (**) Critical or High vulnerabilities will not be accepted. In the worst case scenario FundApps will mitigate these to reduce the risk to Medium.

• Infrastructure

  FundApps will endeavour to address infrastructure vulnerabilities based on their severity as defined in the following table:

(*) number of working days after vulnerability has been identified.

1. What is FundApps Assistant?

FundApps Assistant is an AI agent which is provided by Intercom, FundApps’ client support ticketing platform. FundApps Assistant acts as an intelligent virtual assistant which can provide immediate, automated assistance with:

• Answering Frequently Asked Questions (FAQs): Get answers to common queries about FundApps products, features, and platform functionality.

• Providing Troubleshooting Assistance: FundApps Assistant can guide you through self-service troubleshooting steps for issues you may encounter.

• Help with Account Management: Learn more about your account settings, features, and how to use the platform effectively.

• Recommending Resources: It can direct you to relevant articles, guides, and support materials within the FundApps Help Centre.

FundApps Assistant provides an automated service, available 24/7, for faster responses and general assistance.

2. How Does FundApps Assistant Work?

FundApps Assistant works by leveraging large language models (LLMs) to aggregate information from the FundApps Help Centre, analyse your request, and respond with relevant information, suggested actions, or links to further resources.

While FundApps Assistant can assist with basic queries, it is not a replacement for human expert support. If your issue is complex or requires a more in-depth response, you will be directed to a human FundApps representative.

3. Data Privacy

We take your privacy seriously. When using FundApps Assistant, you should know the following:

• Data Collection: Basic interaction data is collected, such as the questions you ask and the responses it provides. This helps improve the accuracy of the support provided.

• Data Sources: FundApps Assistant leverages FundApps Help Centre articles and your Intercom support ticket information to answer your questions. It does not have access to your or that of other clients, or the Intercom support ticket information of other clients, and cannot provide you with answers relating to this.

• Sensitive Data: Do not share sensitive personal or financial information (e.g., position files, portfolio files, account passwords, financial details) by typing or uploading it into your conversation with FundApps Assistant. If your issue is complex or requires the sharing of these types of information, please reach out to a human FundApps representative.

For more information, please read our .

4. Limitations of FundApps Assistant

While FundApps Assistant can provide immediate assistance, please note:

• Not a Replacement for Expert Support: FundApps Assistant is designed to handle general inquiries and basic troubleshooting. It cannot replace a human representative for complex or personalised assistance.

• Response Accuracy: FundApps Assistant provides answers based on available data from the FundApps Help Centre and may not always have the most up-to-date or comprehensive answers for every situation. If you need more precise or specific information, a representative will be happy to assist.

• Availability: FundApps Assistant may be unavailable during technical maintenance or system updates.

5. How to Access FundApps Assistant

FundApps Assistant will be available to users from 15 July 2025, unless an admin user has contacted requesting to opt out their organisation. Admin users can opt out, and may opt back in, at any time.

Individual users will need to acknowledge that they are aware they will be interacting with an AI agent, that they have read and understand this Policy Portal page on the FundApps Assistant, and consent to using FundApps Assistant when starting each conversation.

If you ever feel that FundApps Assistant cannot fully resolve your issue, you can always escalate to a live support representative.

6. Consent to Use FundApps Assistant

If you consent to use FundApps Assistant, you acknowledge and agree to the following:

• You are aware of how FundApps Assistant works and how your data will be used.

• You understand the limitations of FundApps Assistant and acknowledge that it cannot replace human support for more complex issues.

• You understand that you should not upload sensitive data, including position files and portfolio files, to FundApps Assistant or Intercom.

• You can choose to stop using FundApps Assistant at any time by simply exiting the conversation or reaching out to our support team for assistance.

Access Control

FundApps implements physical and logical access controls across its IT systems and services in order to provide authorised, granular, audit-able and appropriate user access, and to ensure appropriate preservation of data confidentiality, integrity and availability in accordance with our Information Security Policy.

This policy covers all FundApps IT systems and information not classified as 'Public' in our .

Each information system is recorded in FundApps' which includes:

Introduction

Whatever part of FundApps we work in we are ambassadors for our company.

Lots of us are having conversations and sharing through social media or online communities. We approach the online world in the same way we do the physical one – by using sound judgement, respect and common sense.

Effective Date: November 2025

Summary

In 2023, the Canadian Office of the Superintendent of Financial Institutions (OSFI) adopted amendments to Guideline B-10: Third-Party Risk Management. These changes are applicable to vendors who provide services to regulated financial institutions, specifically concerning the vendors' use of subcontractors.

FundApps position: Taken together, FundApps’ subcontractor management, Sub-processor oversight, Change of Control provisions, and ISO/SOC 2-aligned security practices fully satisfy the subcontractor governance obligations set out in Annex 2 of OSFI Guideline B-10. No additional contractual terms are required to meet OSFI expectations.

Analysis of performance

Based on these indicators, FundApps will assess whether its ISMS is performing efficiently and whether root causes of underperformance are being identified and managed appropriately.

Management Review

At least once per calendar year, a review of the ISMS will be done to ensure its continuing suitability, adequacy and effectiveness.

Attendees

The annual management review meeting will have the following attendees:

• the ISMS Implementer,

• the ISMS Manager, and

• at least one member from the Leadership Team, which can be the ISMS Manager.

Agenda

The agenda will include the following topics:

1. Status of actions from previous management reviews

2. Relevant changes in external and internal issues

3. Performance of the ISMS

   1. Audit results, non-conformities and corrective actions

Overview

• Please read this information with regards Health and Safety

• Please assess your own workstation [Restricted to FundApps staff]

Risk assessement

We maintain a

Location of critical items

Health and Safety Policy

Andrew White has overall and final responsibility for Health and Safety

Hana Sekerez has day-to-day responsibility for ensuring this policy is practiced

Accidents and ill health at work reported under (Reporting of Injuries, Diseases and Dangerous Occurrences Regulations).

📝This page gives a clear overview of the FundApps Group structure and ownership chain as of Dec 2025.

At a glance

• The ultimate controlling investors sit above the Rio Group entities. There are no external minority investors at the operating‑company level.

Overview

Our clients include high profile companies with high availability and service expectations. It is therefore vital that FundApps maintain service and in the event of disruption, are able to effectively manage the incident and communicate with all key interested parties.

Any loss of service from the data centres or our key services will impact the reputation of FundApps, result in loss of revenue through service credits and other compensations, and potentially damage FundApps irreparably in the marketplace.

NOTE: This document describes the management systems framework intended for compliance with ISO 22301. It is designed to provide some documentation that is needed by ISO 22301, with pointers to the other key documents, and is aligned in structure to ISO 22301 for ease of assessing compliance.

As a business, we set ourselves high standards both in what we aspire to achieve and how we behave. The FundApps Code (“Code”) acts as a guide for our economic, social and environmental responsibility and business ethics. Our company follows the Code in spirit and letter and endeavours to always act in ways that supports and promotes and our culture of care.

As a supplier, you are an extension of our organisation, and as such are expected to not only follow your contractual obligations, but also the principles of the Code or your own equivalent standards, whether in your daily business activities or in the provision of goods and services to us/our clients. By working together, we aim to uphold the highest standards of integrity and fairness, ensuring that every partnership contributes to a sustainable and equitable future.

WE BUILD TRUST IN HOW WE DO BUSINESS

CONFLICT OF INTEREST

FundApps is committed to a robust implementation of Information Security Management. All our hosting environments are certified to ISO 27001. As an organisation we are endeavour to align our processes to ISO 27001 and the NIST Cyber Security Framework.

We are specifically committed to preserving the confidentiality, integrity and availability of data and documentation supplied by, generated by and held on behalf of our clients. The principles defined in this policy will be applied to all of the physical and electronic information assets for which the FundApps is responsible.

Our senior management team are directly responsible for ensuring that all FundApps staff have been made aware of these procedures and their contents.

All employees have access to this information, are required to abide by them, and are encouraged to regularly review and update these in their relevant areas.

The Business Continuity Policy is maintained by the security team and is endorsed by:

• Andrew White, CEO,

• Toby O'Rourke, CTO.

It is an open document and available to all employees through our internal portal and on request to any interested party.