Cyber Security Policy

Effective Date: 04/11/2026
Last Updated: 04/11/2026
NoBellTrading and TalasAI (“Company,” “we,” “us,” or “our”) are committed to maintaining a cybersecurity program designed to protect the confidentiality, integrity, and availability of our systems, data, and services. This Cybersecurity Policy describes the administrative, technical, and operational safeguards we maintain to manage cybersecurity risk in connection with our websites, software, brokerage-connected tools, communications, and related business operations.
This policy is intended to provide an overview of our security practices and controls. Because security threats evolve continuously, we reserve the right to update, revise, supplement, or enhance our security measures and this policy from time to time as appropriate.

1. Purpose
The purpose of this Cybersecurity Policy is to establish the Company’s approach to identifying, assessing, managing, and reducing cybersecurity and operational risk across our systems, software, infrastructure, integrations, and service providers.
Our cybersecurity program is designed to support the following objectives:
- Protect sensitive data from unauthorized access, use, disclosure, alteration, or destruction
- Limit access to systems and information based on business need
- Secure data in transit and at rest using reasonable safeguards
- Identify, assess, and remediate vulnerabilities in a timely manner
- Respond to security incidents and support business continuity and recovery
- Evaluate material cybersecurity risks presented by third-party service providers
- Maintain security practices appropriate to the nature and scale of our operations
2. Scope
This policy applies to the Company’s systems, software, cloud resources, hosted environments, websites, internal tools, brokerage-connected services, technical infrastructure, business records, and data processed in connection with NoBellTrading and TalasAI.
This policy also applies, as relevant, to employees, contractors, service providers, and other authorized persons who may access Company systems or data.
3. Governance and Security Responsibility
The Company maintains responsibility for the oversight of its cybersecurity practices, including the management of security controls, operational safeguards, vendor dependencies, and incident-response procedures appropriate to the size and complexity of the business.
Security responsibilities may include:
- Managing access to systems and administrative functions
- Overseeing system configuration and credential protection
- Monitoring for material security risks and service issues
- Coordinating remediation, patching, and response efforts
- Reviewing third-party service dependencies and related risk
- Updating internal practices as systems and risk exposure evolve
The Company reviews its security posture periodically and may adjust controls, tools, vendors, and procedures based on operational changes, broker expectations, legal obligations, technical developments, or emerging threats.
4. Data Classification and Handling
The Company recognizes that different types of data require different levels of protection. Information may be classified and handled according to sensitivity, business purpose, operational need, and risk.
Categories of data may include:
- Account and profile information
- Authentication and access-related information
- Support communications
- Business and operational records
- System logs and technical records
- Integration and brokerage-related connection data
- Payment and transaction-related records where applicable
The Company limits the collection, retention, storage, and use of data to what is reasonably necessary for legitimate business, operational, legal, compliance, and security purposes. Data handling practices may include restrictions on access, secure storage, limited transmission, defined retention periods where appropriate, and secure deletion or disposal when data is no longer needed.
Sensitive information is handled with elevated care and access is restricted based on role and legitimate business need.
5. Access Control and Privileged Access Management
The Company maintains access-control practices designed to limit unauthorized access to systems, data, and administrative functions.
These practices may include:
- Unique user accounts where appropriate
- Authentication controls for administrative or sensitive systems
- Role-based or need-based permission assignment
- Restriction of privileged access to authorized personnel only
- Review and removal of unnecessary or outdated access
- Credential protection and secure storage practices
- Logging or monitoring of administrative activity where appropriate
Privileged access is granted only where required for operational, technical, or support purposes. Administrative permissions are limited to those with a legitimate need to manage production environments, infrastructure, integrations, or security-related functions.
Access may be modified, restricted, revoked, or reissued at any time based on business need, personnel changes, suspected misuse, operational changes, or security concerns.
6. Encryption of Data at Rest and in Transit
The Company uses reasonable safeguards designed to protect data during transmission and storage.
Where appropriate, these safeguards may include:
- Encrypted transport protocols for data transmitted over public or shared networks
- Secure authentication and session-management practices
- Encrypted storage layers or protections provided by cloud or hosting vendors
- Use of reputable third-party platforms that maintain encryption and security controls appropriate to their services
Data in transit is protected through secure communication methods where supported and appropriate. Data at rest may be protected through encrypted hosting environments, cloud storage controls, vendor-provided encryption capabilities, or similar safeguards based on the systems and providers in use.
Because some services depend on third-party platforms and infrastructure, certain encryption controls may be implemented directly by those providers.
7. Vulnerability Management and Patch Management
The Company maintains processes intended to identify, assess, prioritize, and address vulnerabilities that may affect its software, systems, infrastructure, dependencies, or service environment.
These processes may include:
- Monitoring vendor notices, security alerts, and dependency issues
- Applying software updates, patches, hotfixes, and security releases
- Replacing or disabling outdated or unsupported components where appropriate
- Updating configurations to reduce exposure
- Restricting access or functionality where an identified risk warrants action
- Reviewing service providers for material security-related changes or incidents
Patches and updates are applied according to risk, system importance, operational feasibility, and vendor availability. Critical issues may be addressed on an expedited basis where reasonably practical.
The Company does not guarantee that every vulnerability will be identified before impact occurs, but it seeks to address known issues in a commercially reasonable manner.
8. Incident Response
The Company maintains an incident-response approach intended to support detection, containment, assessment, remediation, and recovery in the event of a cybersecurity or systems-related incident.
Response measures may include:
- Identifying and assessing the nature and scope of the issue
- Containing affected systems, sessions, accounts, or integrations
- Restricting access or disabling impacted functionality
- Resetting or rotating credentials where appropriate
- Coordinating with relevant vendors, hosts, brokers, or service providers
- Reviewing logs and technical evidence where available
- Restoring systems or services after reasonable validation
- Taking corrective actions to reduce the likelihood of recurrence
Security incidents are evaluated based on severity, operational impact, data sensitivity, business risk, and third-party involvement.
9. Disaster Recovery and Business Continuity
The Company maintains business-continuity and recovery measures appropriate to the nature and scale of its operations.
These measures may include:
- Backup practices for critical systems or records where appropriate
- Redundant cloud or vendor-supported infrastructure where applicable
- Restoration procedures for key services
- Temporary suspension of affected systems or integrations to preserve integrity
- Use of third-party provider continuity capabilities where relevant
While the Company seeks to maintain resilience and recoverability, not all services are guaranteed to be uninterrupted, instantly recoverable, or immune from outage, corruption, or vendor disruption.
10. Physical Security
Where the Company directly controls physical devices, workspaces, or hardware used in connection with operations, reasonable physical-security measures may be used to reduce the risk of unauthorized access, theft, tampering, or loss.
Such measures may include:
- Controlled access to physical devices
- Device handling and storage practices
- Protection of workstations and administrative devices
- Restriction of unauthorized physical access where applicable
To the extent the Company relies on cloud providers, data centers, hosting vendors, brokers, or other third-party infrastructure providers, physical security for those environments is generally managed by the applicable third party.
11. Vendor Risk Management
The Company relies on third-party providers for certain services, which may include cloud hosting, infrastructure, authentication, communications, payments, analytics, broker connectivity, development tools, software components, and other operational functions.
The Company seeks to manage vendor-related cybersecurity risk by:
- Selecting vendors based on business, technical, operational, and security considerations
- Relying on established third-party platforms where appropriate
- Monitoring material vendor issues that may affect service security or availability
- Limiting vendor access to the extent reasonably practical
- Replacing, restricting, or discontinuing vendors where risk becomes unacceptable or operationally impractical
Despite these efforts, third-party providers may experience outages, breaches, vulnerabilities, or service failures outside the Company’s control. Vendor reliance is an inherent part of modern cloud and software operations, including brokerage-connected environments.
12. User Security Responsibilities
Users also play an important role in protecting their accounts and connected systems. Users are expected to:
- Maintain strong, unique passwords
- Protect devices, email accounts, and login credentials
- Use multi-factor authentication where available
- Monitor accounts for suspicious or unauthorized activity
- Promptly report suspected security issues or account compromise
- Carefully manage linked-account permissions and authorizations
The security of user-controlled devices, credentials, and third-party accounts remains an important shared-responsibility component of overall platform security.
13. Security Awareness and Operational Practice
The Company seeks to maintain reasonable operational security practices appropriate to its size and technical environment. Such practices may include secure credential handling, limitation of unnecessary access, review of system changes, service monitoring, and vendor-supported security controls.
As the Company grows or its systems evolve, it may formalize or expand security procedures, tooling, documentation, and review practices.
14. Policy Maintenance and Updates
This Cybersecurity Policy may be reviewed and updated periodically to reflect changes in systems, vendors, operational structure, legal obligations, broker requirements, threat conditions, or security practices.
Material updates may be posted on the Company’s website or otherwise reflected in revised policy language.