POLICIES AND CONDITIONS
(FUTSWAP)

PRIVACY AND DATA PROTECTION POLICY

GENERAL INFORMATION

INFORMATION

FUTSWAP MARKETS LIMITED with company number 14510288, is a limited liability company organized and existing under the laws of the UK, which for the purposes of these terms shall be referred to as FUTSWAP.

INTERPRETATION

The following definitions and rules of interpretation shall apply to customers or users who have a contractual relationship with FUTSWAP:

Data Protection Legislation: means the data protection regulations enacted in English law (GDPR) as revised and replaced from time to time, Directive 2002/58/EC as updated by Directive 2009/136/EC and any other laws and regulations relating to the processing of personal data and privacy that apply to a party and, if applicable, guidance and codes of practice issued by the relevant supervisory or data protection authority.
Personal Data Breach: Means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to the Shared Personal Data.
Shared Personal Data: Means the Personal Data to be shared between the parties by virtue of this contractual relationship.
Access Request: Means the right by a Customer or User to access or request a copy of the Data provided pursuant to Article 15 of the GDPR.
Supervisory Authority: means the relevant supervisory authority in the territories where the parties to this Agreement are established.

PURPOSE

The present privacy and data protection policies, constitute the regulatory framework for the provision of Personal Data made by the Customer or the User. Likewise, these policies define the principles and procedures to which users must adhere and the responsibilities to be assumed during the commercial relationship.

FUTSWAP requires the personal data of clients and users for the fulfillment of its obligations and diligences pertinent to the registration and knowledge of the client and to comply with the legal obligations of prevention of Money Laundering, Financing of Terrorism and Transfer of Funds (Information on the Payer) Regulation 2017 and other related legislation.

FUTSWAP undertakes to process the customer's and user's personal data only for the following purposes:

FUTSWAP's performance of its obligations under this business relationship.
Complying with all of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 and any other applicable legislation.

FUTSWAP will not process Users' personal data without the User's prior permission for purposes other than those previously stated.

Compliance with Data Protection Laws

FUTSWAP will ensure users' compliance with applicable national data protection laws at all times during the term of the business relationship. It is noted and should be noted that in the event of a conflict between the data protection law of the United Kingdom and the data protection law of the customer's country of domicile, the law of the country that provides greater protection for the privacy and personal data of users will be preferred.

Shared Personal Data

The following types of Personal Data will be shared by users during the Term of the business relationship: name, address, date of birth, identification document numbers (such as driver's license or passport), photograph of the Customers (if natural persons) and of the directors and beneficial owners of the customer (if legal entities). Personal Data shared by customers and users will not be used for purposes other than those already agreed.

Data Processing

FUTSWAP will ensure that it processes the personal data of shared customers and users in a fair and lawful manner. To the same extent it will ensure that it has the respective powers in accordance with the Data Protection legislation for the processing of the Shared Personal Data.

The user is obliged to provide clear, truthful, real and sufficient information to FUTSWAP for the fulfillment of the purposes already established, in the same way, expressly authorizes FUTSWAP to process his or her personal data directly or through a third party.

FUTSWAP may share or transfer the personal data provided to a third party. If the Personal Data is transferred outside of the EEA, FUTSWAP will fully inform the user of such transfer, the purpose of such transfer, and the security measures implemented by FUTSWAP to enable the transfer to take place.

FUTSWAP to enable the customer to be fully aware of and understand the purpose and risks of such transfer.

FUTSWAP undertakes to inform its users, in accordance with the Data Protection Legislation, of the purposes for which it will process their personal data, the legal basis for such purposes, and any other information that may be required. This includes:

Whether the Personal Data shared will be transferred to a third party, and providing sufficient information about such transfer and the purpose of such transfer to enable the data subject to understand the purpose of such transfer.
If the Personal Data will be transferred outside the EEA, providing sufficient information about such transfer, the purpose of such transfer, and the security measures implemented by FUTSWAP to enable the user to understand the purpose and risks of such transfer.

Information about such transfer and the purpose of such transfer to enable the data subject to understand the purpose and risks of such transfer.

The purpose and risks of such transfer. (b) If the Shared Personal Data will be transferred outside of the EEA, this fact and sufficient information about such transfer, the purpose of such transfer, and the security measures implemented by FUTSWAP to enable the user to understand the purpose and risks of such transfer. said transfer.

Rights of the Data Holder

FUTSWAP undertakes to provide the necessary assistance and to allow users who own the data exercise their protection rights under the legal regulations, this within the time limits imposed by the Data Protection Legislation.

FUTSWAP will be responsible for keeping a record of individual requests for information, decisions taken and any information that has been exchanged with users. The records will include copies of the request for information, details of the data accessed and shared and, where appropriate, notes of any meeting, correspondence or phone calls related to the application.

Data Retention and Deletion

FUTSWAP will not retain or process Personal Data shared before or after the user's business relationship. However, FUTSWAP will continue to retain Personal Data shared in accordance with applicable regulatory, professional and/or industry retention periods.

FUTSWAP will ensure that all shared Personal Data is returned to the user or destroyed once the processing of the Personal Data is no longer necessary for the fulfillment of the purposes for those that were initially shared. Following deletion of Shared Personal Data in accordance with FUTSWAP, will notify the user that the Shared Personal Data in question has been deleted.

Data Transfers

The transfer of personal data means any exchange of personal data by FUTSWAP with a third party, and will include, among others, the following items:

Subcontract the processing of Personal Data shared.
Grant a third party controller access to Shared Personal Data.

FUTSWAP will designate a third-party processor to process the Shared Personal Data, for which they will comply with Article 28 and Article 30 of the GDPR.

FUTSWAP may not transfer the Customer's Shared Personal Data to a third party located outside the EEA, with exception of the following requirements:

The third party complies with the provisions of articles 26 of the RGPD (in case the third party is a joint controller).
Ensures that: (i) The transfer is to an approved country by the European Commission as a provider of adequate protection in accordance with article 45 of the RGPD; (iii) there are appropriate safeguards in accordance with article 46 of the GDPR; or (iii) one of the exceptions for specific situations in the article 49 of the GDPR applies to the transfer.

SECURITY AND DATA PROTECTION

User will only provide Shared Personal Data to FUTSWAP using secure methods.

For its part, FUTSWAP undertakes to take all appropriate technical and organizational security measures.

DATA RETENTION POLICY

GENERAL ASPECTS

INFORMATION

OBJECT

This policy sets forth the retention periods required for specific categories of data and establishes the minimum standards that will apply when certain information is destroyed within FUTSWAP. This Policy applies to all business units, processes and systems in all countries in which FUTSWAP conducts business and enters into transactions or other business relationships with third parties. This Policy applies to all officers, directors, employees, agents, affiliates, contractors, consultants, advisors or service providers of FUTSWAP who may collect, process or have access to data (including personal data and/or sensitive personal data). It is the responsibility of all of the above to familiarize themselves with this policy and to ensure proper compliance with this policy. This policy applies to all information used in the Company, Example: Emails, Paper documents, Electronic documents, Video and audio, Data generated by physical access control systems.

SCOPE

This procedure is applicable to all FUTSWAP personnel.

RETENTION RULES

General Retention Principle: In the event, for any category of documents not specifically defined elsewhere in this policy (and in particular within the Data Retention Schedule) and unless otherwise provided by applicable law, the required retention period for such document shall be deemed to be 6 years for business documents from the date of creation of the document.

General retention schedule: The data protection officer determines the period of time for which electronic documents and records are to be retained through the data retention schedule. As an exception, retention periods within the data retention schedule may be extended in cases such as:

Ongoing investigations by the authorities of the member states, if there is the possibility of personal data records necessary for the Company to demonstrate compliance with legal requirements;

In the exercise of legal rights in cases of lawsuits or similar legal proceedings recognized by local legislation.

POLICIES AND CONDITIONS (FUTSWAP)

Safeguarding data during the retention period: Consideration shall be given to the possibility that the media used for data archiving may wear out. If electronic storage media are chosen, procedures and systems shall also be stored to ensure that the information can be accessed during the retention period (both with respect to information carrier and format readability) to protect the information against loss as a result of future technological changes. Responsibility for storage rests with the Security Officer.

Data Destruction: Therefore, the Company and its employees must periodically review all data, whether in electronic format on their device or on paper, to decide whether to destroy or delete any data once the purpose for which those documents were created is no longer relevant. The overall responsibility for data destruction rests with the Security Officer. Once a decision has been made to carry out disposal in accordance with the Retention Schedule, the data must be disposed of, shredded or destroyed to a degree equivalent to the value given by others and its level of confidentiality. The method of disposal varies and depends on the nature of the document. For example, any document containing sensitive or confidential information (and, in particular, sensitive personal data) must be disposed of as confidential waste and be subject to secure electronic disposal, some contracts that have expired or have been superseded may only warrant internal shredding. The Document Disposal Schedule section below defines the mode of disposal. In this context, the employee must perform the tasks and assume the relevant responsibilities for the proper destruction of the information. The specific disposal or destruction process can be carried out either by an employee or by an internal or external service provider that the Security Officer outsources for this purpose. All applicable general provisions under the relevant data protection laws and the Company's personal data protection policy shall be complied with.

Adequate controls must be in place to prevent the permanent loss of essential company information as a result of the intentional or unintentional destruction of information, these controls are defined in Information Security Policies. The Security Officer shall fully document and approve the destruction process. Applicable legal requirements for the destruction of information, in particular the requirements of applicable data protection laws, shall be fully observed.

Violation, Enforcement and Compliance: The person designated with responsibility for Data Protection (the Security Officer) is responsible for ensuring that each of the Company's offices complies with this Policy. It is also the responsibility of the Security Officer to assist any local office with inquiries from any local or governmental data protection authority. Any suspected breach of this Policy should be reported immediately to the Security Officer. All instances of suspected breaches of the Policy will be investigated and action will be taken as appropriate. Failure to comply with this Policy may result in adverse consequences, including, but not limited to, loss of customer confidence, litigation and loss of competitive advantage, financial loss and reputational damage, personal injury, damage or loss to the Company. Failure to comply with this policy by permanent, temporary or contract employees, or third parties, who have been granted access to FUTSWAP facilities or information, may result in disciplinary proceedings or termination of their contract. Such non-compliance may also lead to legal action against the parties involved in such activities.

DOCUMENT DELETION

Routine Disposal Schedule:

Records that may be routinely destroyed unless subject to an ongoing legal or regulatory investigation are as follows:

Announcements and notices of daily meetings and other events including acceptances and apologies;
Ordinary request for information;
Communication documents such as letters, fax cover sheets, e-mail messages, routing sheets, congratulatory sheets, and similar items that accompany documents but add no value;
Message sheets;
Replaced address list, distribution lists, etc.
Duplicate documents, drafts; snapshot printouts or extracts from databases and daily files;
Stored internal publications that are obsolete or superseded; and catalogs from suppliers, brochures, and newsletters or other external organizations.

In all cases, disposal is subject to any communication requirements that may exist in the context of litigation.

METHOD OF DESTRUCTION

Level I documents are those that contain information that is of the highest security and confidentiality and those that include any personal data. These documents will be disposed of as confidential waste (cross-cut shredding and incineration) and will be subject to secure electronic disposal. Disposal of documents must include proof of destruction.

Level II documents are private documents that contain confidential information, such as names, signatures and addresses of parties, or that could be used by third parties to commit fraud, but do not contain any personal data. Documents must be cross-cut and then placed in closed trash containers for collection by an approved disposal company, and electronic documents will be subject to secure electronic disposal.

Level III documents are those that do not contain confidential information or personal data and are published FUTSWAP documents. These must be shredded into shreds or disposed of through a recycling company and include, but are not limited to, advertisements, catalogs, brochures, and newsletters. These may be disposed of without audit.

DATA SECURITY POLICY

GENERAL ASPECTS

INFORMATION

INTRODUCTION

FUTSWAP absolutely restricts access to confidential and sensitive data to prevent its loss or compromise, in order to avoid adverse impact on our customers, incurring penalties for non-compliance and/or suffering damage to our reputation. At the same time, FUTSWAP takes the utmost care in ensuring that its users can access data as necessary for effective operation. The main objective of this security policy is to increase user awareness and avoid accidental data loss scenarios, and therefore the requirements for data breach prevention are described.

SCOPE

This data security policy applies to all customer data, personal data or other FUTSWAP data defined as confidential by the company's data classification policy. Therefore, this policy applies to all servers, databases and IT systems that handle such data, including any devices that are regularly used for email, web access or other work-related tasks. Any user interacting with FUTSWAP IT services will also be subject to this policy. Information that is classified as Public is not subject to this policy.

DATA LAYOUT

FUTSWAP will provide all employees and contracted third parties with access to the information they need to carry out their responsibilities as effectively and efficiently as possible, subject to this policy.

GENERAL

Each user will be identified by a unique user ID so that individuals can be held accountable for the actions they take. FUTSWAP allows the use of shared identities and each user will be required to read this data security policy and the login and logout guidelines, and sign a statement that they understand the terms of access. User access logs may be used to provide evidence for security incident investigations. Access will be granted on the principle of least privilege, meaning that each program and user will be granted the minimum privileges necessary to complete their tasks.

ACCESS CONTROL AUTHORIZATION

POLICES AND CONDITIONS

(FUTSWAP)

Access to the company's IT resources and services will be granted through the provision of a unique user account and a complex password. Accounts are provided by the IT department based on records from the human resources department. Passwords are managed by the IT service desk. Password length, complexity and expiration requirements are set in the company's password policy.

NETWORK ACCESS

All FUTSWAP employees and contractors will have access to the network in accordance with commercial access control procedures and the principle of least privilege. All personnel and contractors with remote access to company networks will be authenticated using only the VPN authentication mechanism. Network segregation will be implemented as recommended by the company's network security research. Network administrators will group information services, users and information systems as appropriate to achieve the required segregation. Network routing controls shall be implemented to support the access control policy.

USER RESPONSIBILITIES

All users should lock their screens whenever they leave their desks to reduce the risk of unauthorized access. All users should keep their workplace free of any sensitive or confidential information when they leave. All users should keep their passwords confidential and not share them.

APPLICATION AND ACCESS TO INFORMATION

All FUTSWAP personnel and contractors shall have access to data and applications necessary for their job functions. All company personnel and contractors shall access confidential data and systems only if there is a business need to do so and they have senior management approval. Sensitive systems shall be physically or logically isolated to restrict access to authorized personnel only.

ACCESS TO CONFIDENTIAL AND RESTRICTED INFORMATION

Access to data classified as 'Confidential' or 'Restricted' will be limited to authorized individuals whose job responsibilities require it, as determined by the Data Security Policy or senior management. Responsibility for implementing access restrictions rests with the IT Security department. Technical guidelines specify all requirements for technical controls used to grant access to data. Access control applies to all networks, servers, workstations, laptops, mobile devices, web applications and websites, cloud storage and services.

REPORTING REQUIREMENTS

Daily incident reports shall be produced and managed within the IT Security department or the FUTSWAP incident response team. Weekly reports detailing all incidents shall be produced by the IT Security department and forwarded to the IT manager or director. High priority incidents discovered by the IT Security department shall be immediately escalated to FUTSWAP policies. The IT Security department will also produce a monthly report showing the number of IT security incidents and the percentage that were resolved.

POLICES AND CONDITIONS

(FUTSWAP)

PROPIEDAD Y RESPONSABILIDADES

Data owners are employees who have primary responsibility for maintaining proprietary information, such as an executive, department manager, or team leader. The information security administrator is an employee designated by IT management who provides administrative support for the implementation, oversight, and coordination of security procedures and systems with respect to specific information assets. Users include all those who have access to information resources, such as employees, contractors, consultants, temporary employees, and volunteers.

COMPLIANCE

Any user who violates this policy is subject to disciplinary action, up to and including termination. Any partner or outside contractor found in violation may have their network connection terminated.

DEFINITIONS

Access Control List (ACL): a list of Access Control Entries (ACE) or rules.
Each ACE in an ACL identifies an administrator and specifies the access rights allowed, denied or audited for that administrator
Database: an organized collection of data, usually stored and accessed electronically from a computer system
Encryption: the process of scrambling a message or other information so that only authorized parties can access it.
Network segregation: the separation of the network into logical or functional units called zones. For example, a sales zone, a technical support zone and a research zone, each of which has different technical requirements.
Role-based access control (RBAC): a policy-independent access control mechanism defined around roles and privileges.
Server: a computer program or device that provides functionality to other programs or devices, called clients.
Virtual private network (VPN) : a secure private network connection over a public network.
VLAN (virtual LAN) : a logical grouping of devices in the same transmission domain.