This policy covers onboarding, monitoring, and off-boarding of natural persons and legal entities interacting with SDA's token lifecycle. We follow applicable EU AML/CFT rules (including the Crypto-Asset Transfer Rule) alongside investor-protection duties where relevant. Local laws may impose additional requirements in certain jurisdictions.

Who: presale participants and holders during the utility-token phase.

We collect (everyone):
• Self-declaration: PEP status and sanctions screening.
• Wallet checks: proof of ownership (signed message or micro-tx loopback) for payout/withdrawal addresses.

Tiering during Phase 1:
- Tier A (under €1,000 cumulative, low risk):
  – Wallet and IP identification only.
  – Self-declaration PEP/sanctions status; geofencing for restricted countries.
- Tier B (≥ €1,000 or heightened risk):
  – Photo ID capture + automated liveness/face-match or robust bank-KYC evidence (e.g., SEPA account in same name).
  – Full KYC before further funding, voting, withdrawals or profit-sharing; apply EDD where flags exist.

Individuals
• Government ID (passport/ID card/driver's licence) + liveness/face-match; second document if needed.
• Proof of address (≤3 months): utility bill, bank/credit statement, government letter.
• Sanctions/PEP/adverse media cleared; PEPs require senior approval (EDD).
• Purpose & intended use; expected activity profile.
• Source of Funds (SoF) for the transaction; Source of Wealth (SoW) where size/risk warrants (e.g., payslips, tax returns, sale contracts, audited statements, exchange withdrawal histories).
• Ongoing monitoring and periodic refresh.

Entities (KYB)
• Legal name, registration number, registered address, formation documents/registry extract; LEI where available.
• Ownership & control: identify UBOs ≥25% or effective control; Full KYC on UBOs and directors/signatories.
• Business profile, licences (if applicable), expected activity.
• SoF/SoW at entity and UBO levels as appropriate.
• Sanctions/PEP/adverse media at entity/UBO/director levels; ongoing monitoring.

Who: clients converting to, receiving, or transacting SDA's regulated security-token and any equity-linked rights.

Required before Phase 2 access:
• Full KYC/KYB completion and approval.
• Refreshed screening (sanctions/PEP/adverse media).
• Investor categorisation (retail vs. professional). If we give advice/portfolio-style features: record appropriateness/suitability questionnaires.
• SoF/SoW evidence aligned to transaction size/risk and distribution flows.
• Travel Rule readiness for any on/off-ramp crypto movements; self-hosted wallets > €1,000 require ownership proof.

We collect and transmit required originator/beneficiary data for external crypto-asset transfers.
For CASP-to-CASP transfers, we exchange data using industry-standard messaging.
For self-hosted wallets, we apply ownership-proof procedures; above €1,000, we verify control (message-sign or loopback tx).
Transfers lacking minimum data or with unresolved red flags are rejected or held pending review.

We score risk across customer, geography, product, delivery channel, and behaviour. EDD applies to: PEPs, high-risk jurisdictions/sectors, complex ownership, unusual velocity/structuring, or adverse media. EDD measures may include senior-management approval, stricter SoF/SoW, lower limits, or refusal/exit.

ID: passport; national ID; driver's licence (where accepted).
Address: bank/credit statement, utility bill, government letter, lease/tenancy (with authority contact), property tax.
SoF/SoW (examples): payslips, employment contract, audited statements, tax returns, company sale docs, inheritance/probate, exchange withdrawal history with bank trails.

We store only data needed for AML/CTF, onboarding, servicing, and legal obligations.
KYC and transactional records are retained for the legally required period and then deleted or anonymised.
You may exercise privacy rights via privacy@sdafintech.com (subject to AML retention exemptions).

We maintain reproducible records of who was identified, how, and when, including screening results, SoF/SoW evidence, investor categorisation (Phase 2), and Travel Rule data exchanges.

We do not onboard customers in sanctioned or prohibited jurisdictions. We may apply additional controls or decline service in high-risk locations or sectors consistent with our risk appetite and legal obligations.

Questions or escalations: compliance@sdafintech.com

v1.0 — 18 Aug 2025: Initial publication; Phase 1/Phase 2 split; Travel Rule procedures; investor categorisation for Phase 2.