Crypto Asset Custody and Administration Policy

1. Introduction and Scope of the Crypto-Asset Custody and Administration Policy


Rintral Trading S.L.U. (hereinafter, "Nebeus"), in its capacity as a crypto-asset service provider, establishes this Crypto-Asset Custody and Administration Policy in order to ensure the effective, continuous and verifiable protection of digital assets belonging to its clients, in compliance with Regulation (EU) 2023/1114 (MiCA).

This policy establishes the principles, procedures and internal controls governing the provision of the crypto-asset custody service, when these are held on behalf of clients, as well as the criteria for selecting sub-custodians for the provision of the service under strict security and regulatory compliance standards.

The scope of this policy includes all operations related to the receipt, storage, recording, control, reconciliation and restitution of crypto-assets held in custody on behalf of clients. It applies to all departments, employees and systems of Nebeus involved in such activity, as well as to third-party providers contractually involved.

Nebeus maintains individualised accounting records per client, technological and accounting segregation systems, and periodic reconciliation mechanisms to ensure the permanent identifiability, reversibility and segregation of assets.

This policy is periodically reviewed by the Legal team, which ensures its correct implementation and update in line with regulatory, technological or operational changes that may affect the custody service.


2. Scope of Application


This custody policy applies to all activities, employees, departments and third parties involved in the management, protection and supervision of crypto-assets held in custody on behalf of Nebeus clients. It covers all operational, accounting, technological and legal processes associated with the receipt, storage, segregation, transfer and restitution of such assets.

In particular, it covers the internal and external systems used for technical and accounting segregation, as well as the control and monitoring mechanisms that ensure compliance with the principles of identifiability, segregation and operational reversibility, pursuant to Article 75 of Regulation (EU) 2023/1114 (MiCA).

This policy also applies to any external provider participating in technical custody or in the crypto-asset storage infrastructure. Such providers must be duly contracted, subject to ongoing evaluation and operating within the European Economic Area (EEA), complying with equivalent standards of security, traceability and regulatory supervision.

Also included within its scope are all recording systems, access controls, contractual documentation and technical support linked to custody services, ensuring immediate access to information by competent authorities.

3. General Custody Principles


Nebeus ensures that all crypto-assets held in custody on behalf of clients are maintained in a separate and identifiable manner, both technically and in the accounting records, from the entity's own assets and from the assets of other clients. This separation protects client funds against the risks of misuse, insolvency or claims by third parties.

The principles governing this policy include:

• Technical and accounting segregation: Crypto-assets are recorded in wallets or other digital storage environments clearly identified as client property. Each transaction is linked to an individualised accounting record that reflects each client's available balances in real time.
• Complete traceability: All inbound, holding and outbound transactions of custody crypto-assets are documented in detail, enabling precise and uninterrupted tracking of assets at all times.
• Prohibition on use: Nebeus may not use custody crypto-assets without an explicit and documented instruction from the client, except where the client voluntarily participates in additional services such as staking or renting, in accordance with previously accepted terms.
• Protection against insolvency: In the event of financial difficulties, custody crypto-assets may not form part of Nebeus' assets nor be subject to claims by creditors, ensuring their restitution to the beneficial clients.

In order to provide greater clarity on internal crypto-asset custody processes, a representative diagram of the operational flow is included below, from asset receipt through to possible restitution or transfer. This flow reflects the key stages, implemented controls and the interaction between internal systems and external custody providers.

See diagram below.

4. Technical and Operational Security Measures


Nebeus maintains a custody infrastructure supported by advanced security protocols, aimed at ensuring the effective and uninterrupted protection of clients' crypto-assets. This infrastructure distinguishes between assets intended for daily operations and those maintained in long-term reserves, applying differentiated measures according to the level of exposure and risk profile.

Operational custody is limited to a pre-defined prudential threshold of crypto-assets in online storage infrastructure ("hot wallets"), which under normal conditions does not exceed approximately EUR 5,000,000. The remaining funds are safeguarded in high-security storage environments, without direct connection to public networks and with reinforced custody measures. This threshold is defined and periodically reviewed based on the total volume of assets under custody, operational liquidity needs and internal risk assessments.

All private keys associated with custody are generated, stored and accessed in accordance with internal information security policies, based on international standards such as ISO/IEC 27001 and the requirements of the DORA Regulation. Access is managed without traditional password systems, using exclusively one-time authentication mechanisms (OTP), and applying principles of segregation of duties, periodic review of permissions and complete traceability.

Users' personal information and that relating to their assets is stored in separate environments (dedicated "ledgers"), ensuring the logical segmentation of data. Connections with systems are end-to-end encrypted and subject to continuous monitoring and anomaly detection protocols.

Additionally, Nebeus carries out periodic internal and external audits, penetration tests and incident recovery simulations, in order to validate and maintain the effectiveness of the implemented controls. These measures are integrated within a general cybersecurity and operational continuity framework, subject to constant review by the Board of Directors.

Nebeus' custody policy is based on a hybrid model that prioritises cold storage as the primary mechanism for protecting custody crypto-assets. More than 95% of client funds are maintained in cold storage environments, completely disconnected from public networks, ensuring their immunity from unauthorised access and cyberattacks.

Hot storage is limited exclusively to the funds necessary for daily operations. This exposure is subject to a strict, pre-defined maximum aggregate limit for daily operations. These funds are equally protected by advanced encryption systems, multi-factor authentication and continuous monitoring.

5. Control and Periodic Verification Procedures


Nebeus has established a comprehensive system of internal controls and continuous verification to ensure the integrity, accuracy and traceability of custody crypto-assets. These procedures ensure that at all times the digital assets maintained on behalf of clients match the internal accounting records and the reports of the external custodian.

Reconciliations between Nebeus' records and effective balances are performed daily for operational funds and weekly for assets in reinforced security storage. Reinforced security storage means those custody environments with restricted or no connectivity (including cold storage and warm environments with controlled access), protected by multi-signature mechanisms (multisig), key segregation, role-based access controls and continuous integrity monitoring.

These reviews cover both blockchain records and technological custody platforms, and any discrepancy detected is analysed and corrected immediately through a formal incident resolution protocol. Results are documented and submitted to senior management review, where appropriate.

Additionally, regular verifications are carried out on the integrity of cryptographic keys, signature records and custody systems, including restoration simulations and recovery from operational failures or cybersecurity incidents. These activities form part of Nebeus' operational continuity plan and are aligned with the principles of reversibility and segregation required by MiCA.


6. Reversibility and Restitution of Custody Crypto-Assets


Nebeus ensures that crypto-assets held in custody on behalf of its clients remain available and recoverable in accordance with valid client instructions, in line with Article 75 of Regulation (EU) 2023/1114 (MiCA).

Ownership of crypto-assets always belongs to the client, and Nebeus does not use them for its own purposes without express, documented and individual authorisation. Internal documented procedures regulate the execution of restitution instructions, which include steps for enhanced identity verification, multi-factor authentication controls, review of applicable regulatory compliance, as well as operational validation of orders before processing.

Restitution requests are handled in accordance with these protocols, with corresponding traceability and within reasonable timeframes, in accordance with the nature of the operation and applicable regulations. In exceptional situations, such as court orders, regulatory investigations or substantiated operational risks, Nebeus may temporarily suspend the execution of the instruction, notifying the client where legally required.

7. Access Controls, Recording and Custody Supervision


Nebeus implements strict logical and physical access controls to protect the systems and environments used in the custody of crypto-assets. All accesses are restricted according to the principle of least privilege and require multi-factor authentication. Access to private keys, signing systems or storage environments is granted only to authorised personnel, with complete traceability, segregation of functions and periodic review of permissions, in accordance with the current Access Control Policy.

Each interaction with custody systems is automatically recorded in immutable logs that capture the user's identity, the operation carried out, the time of the action and its result. These records are stored securely and reviewed regularly by the Technology area, as part of continuous supervision.

Nebeus also carries out internal and external audits that include specific reviews of access controls and monitoring. Such audits allow verification that the custody environment meets applicable technical and regulatory standards, including the requirements of the MiCA Regulation, the DORA Regulation and industry best practices.

8. Crypto-Asset Restitution Procedures


Nebeus has established a structured and secure procedure for the restitution of crypto-assets held in custody on behalf of its clients, aimed at ensuring the traceability, integrity and regulatory compliance of each outgoing operation. This process is activated upon the client's express request, following verification of the legitimacy and authenticity of the instruction.

Every restitution request is analysed by the Compliance, Finance and Operations teams, who verify the client's identity, the correspondence between origin and destination data, and the absence of alerts in transactional monitoring systems. Enhanced authentication measures are applied, including multi-factor validation (2FA) and, where necessary, additional documentary requirements.

Restitutions are executed exclusively from designated and approved outgoing addresses, and require the involvement of several authorised parties within the shared custody model. This approach reduces the risk of operational errors or improper access, and ensures effective control throughout the transaction lifecycle.

Depending on the type of asset, the risk level, the amount requested and the external custody provider involved, restitution timeframes may vary, especially in cases where source of funds verifications or additional technical validations are required. Nevertheless, Nebeus undertakes to act with the utmost diligence to ensure that restitutions are carried out within reasonable timeframes and in accordance with client expectations.

All outgoing movements are recorded in the internal accounting and operational systems, remaining available for audit purposes, regulatory reporting and documentary support before third parties, ensuring at all times the transparency and traceability required by the MiCA Regulation and applicable Spanish legislation.

9. Internal Supervision and Third-Party Assessment


The provision of the crypto-asset custody and administration service is subject to continuous internal supervision by Nebeus, as well as systematic assessment of all external providers involved in the technical or accounting infrastructure of the service.

Internally, in coordination with the Operations department and the Technology officer, periodic reviews are carried out of the procedures, controls and records associated with custody. These reviews allow the identification of areas for improvement, verification of compliance with regulatory principles and proactive mitigation of operational risks.

In parallel, Nebeus maintains a continuous evaluation and monitoring process over sub-custodians, based on criteria of technical capacity, regulatory compliance, reputation, insurance coverage level, incident history and support quality. This evaluation is documented through internal reports and independent audits, and its outcome determines the continuation or modification of the contractual relationship.

The custody provider contract includes specific clauses on supervision, cooperation with authorities, access to information, minimum service levels (SLAs) and incident resolution mechanisms. Any material breach of these obligations triggers internal alerts and may lead to immediate corrective actions, including replacement of the provider if necessary.

Nebeus ensures that all internal review reports, external audit findings and provider performance metrics are available for consultation by the governing bodies and, when required, by the competent authorities, in compliance with the principles of transparency and accountability established in the MiCA Regulation.

10. Incident Management and Recovery from Failures


Nebeus has established a formal incident management framework that ensures the continuous protection, traceability and resilience of the crypto-asset custody systems against any event affecting their integrity, availability or confidentiality. This policy complies with the provisions of Regulation (EU) 2022/2554 (DORA), including specific reporting and mitigation obligations.

Incident management is articulated through a structured procedure covering every stage from early detection and classification by criticality level through to effective resolution, documentation and subsequent reporting. All incidents are recorded in a centralised system, with responsible parties, resolution timeframes and adopted measures assigned to each. In the most critical cases, an immediate escalation protocol is activated involving the Technology, Compliance, Operations and technical provider teams as applicable.

In the event of operational failures, unauthorised access, cyberattacks or data loss, the incident response plan is executed, supplemented by the Disaster Recovery Plan (DRP) and the Business Continuity Plan (BCP), both regularly tested through simulations. The objective is to ensure that recovery times are within defined thresholds and that client assets are not compromised.

When a relevant incident meets the criteria established by regulations, Nebeus notifies the competent authorities within regulatory timeframes, using the required channels, formats and procedures.

Each incident is closed with a root cause analysis and a report on the improvement measures implemented, which is reviewed by the Information Security Committee and the Risk area, ensuring effective feedback into the internal control system.

Communication of relevant incidents to the competent authorities is carried out within the timeframes and formats established by applicable regulations, including the articles relating to the reporting of operational incidents under the DORA Regulation.

11. Access Protection and Permission Control


Nebeus has implemented a comprehensive access control system aimed at ensuring that only authorised personnel can interact with critical systems linked to the custody and administration of crypto-assets. This system is based on the principle of least privilege, segregation of functions and role-based access, thereby minimising the risk of improper access or fraudulent use.

Access to custody environments, including cryptographic key management systems, digital wallets, administration interfaces and reconciliation platforms, requires mandatory multi-factor authentication (MFA). This authentication combines personal credentials, temporary tokens and, in certain cases, biometric validations or enhanced authentication, depending on the criticality level of each system.

All access permissions are granted following documented request, review by the head of the relevant area and final validation by the Technology department. Generic, shared or default accesses are not permitted. Furthermore, each technical or administrative profile is configured to strictly limit its operational scope, without unnecessary additional privileges.

Accesses are subject to continuous audit through secure and unalterable logging systems (logs), enabling complete traceability of each interaction, including date, time, user, system and action performed. These logs are automatically monitored and integrated into anomaly detection mechanisms to identify improper access attempts, unauthorised movements or atypical behavioural patterns.

Periodically, and at least once per quarter, a comprehensive review is carried out of all granted accesses, verifying that each permission remains justified based on the user's position, functions and operational needs. Likewise, any structural modification, role change, staff departure or risk detection implies the immediate revocation of accesses, in accordance with the procedures defined in the Logical Access Control Policy.

All these controls form part of Nebeus' global cybersecurity framework, in alignment with ISO/IEC 27001 and ISO/IEC 27002 standards, the DORA Regulation and the specific requirements of the MiCA Regulation on crypto-asset custody. Their correct application is verified in internal and external audits on a regular basis.

12. Sub-Custody and Service Delegation


Nebeus may, when necessary, subcontract or partially delegate functions related to the technical custody of crypto-assets, exclusively to external entities that hold authorisation and supervision within the European Economic Area or in jurisdictions offering equivalent regulatory guarantees. This sub-custody is formalised through legally binding contracts that clearly define responsibilities, service levels, required security measures and confidentiality and compliance obligations.

Before delegating any custody function, Nebeus carries out a rigorous risk assessment process that includes reviewing the provider's financial soundness, compliance history, robustness of its technological infrastructure, implemented security policies and insurance coverage offered. Only those entities that satisfactorily pass this analysis are considered suitable to hold assets on behalf of Nebeus and its clients.

Sub-custody contracts include specific clauses ensuring immediate access to information required by competent authorities, compliance with the principles of segregation, traceability and integrity, as well as the reversibility of operations in the event of service interruption. Furthermore, Nebeus maintains ultimate responsibility for the protection of custody assets, continuously supervising the performance of the subcontracted provider and reserving the right to audit or request periodic reports on fund management.

Any delegation decision is communicated internally to the legal area and documented in the entity's official records, thereby ensuring transparency and operational control over all aspects of the custody service.

13. Protection against Cyber Threats and Incident Recovery


Nebeus maintains a proactive and structured approach to the protection of digital assets against cyber threats, through the implementation of a comprehensive security architecture based on principles of defence in depth, access controls, advanced encryption and constant monitoring. All connections allowing access to custody systems are encrypted using secure protocols and subject to multi-factor authentication, thereby minimising the risk of unauthorised access or brute force attacks.

The operating environment is segmented into different levels of privilege, applying principles of minimum exposure and segregation of functions, which significantly limits the scope of potential vulnerabilities. Critical information, including private keys, technical credentials or accounting records, is stored in independent environments with complete access traceability, in accordance with internal information security policies and the guidelines of ISO/IEC 27001 standards and the DORA Regulation.

Nebeus has a disaster recovery plan and a business continuity plan specifically designed to protect the custody service. Both plans address scenarios of technological failure, security breaches or prolonged unavailability of critical providers, and establish clear protocols for restoration, internal communication, notification to authorities and protection of custody assets. These plans are periodically reviewed and tested through internal simulations, with participation from the Compliance and Technology areas.

The entity also collaborates with external cybersecurity specialists for penetration testing, independent audits and forensic analysis when relevant incidents occur. All security events are recorded, investigated and reported in accordance with internal incident response procedures, ensuring transparency and response capability against any emerging threat.

14. Insurance Coverage for Custody Crypto-Assets


Nebeus, in its commitment to the comprehensive protection of its clients' crypto-assets, has verified that the external provider specialised in institutional custody services, with which it maintains a current contract, holds specific insurance coverage for digital assets under custody. This insurance policy has been issued by internationally recognised insurance entities, with presence in markets such as Lloyd's and other European platforms specialised in digital asset coverage.

Such coverage is designed to offer protection against risks such as theft, loss, destruction or misuse of private keys, provided the assets are fully under the control of the external custodian, without client involvement in the direct management of such keys. Insurance protection applies exclusively to funds effectively held within the technical and operational perimeters defined by the custodian, and does not extend to self-custody or shared management arrangements outside the scope of formalised contracts.

The existence of this coverage, along with its general terms, has been verified by Nebeus as part of its selection, due diligence and monitoring procedures for critical counterparties, in accordance with applicable regulations and in line with the obligations of Regulation (EU) 2023/1114 (MiCA). Any material change in the existence, scope or conditions of said policy will be immediately assessed by Nebeus' Legal and Compliance areas, which may adopt the necessary measures to ensure the continuity of the protection offered to clients.

15. Training and Staff Awareness


Nebeus maintains a continuous training and awareness programme aimed at all personnel directly or indirectly involved in the custody and administration of crypto-assets. This programme aims to ensure that employees understand and correctly apply internal policies, regulatory obligations and technical procedures associated with the protection of clients' digital assets.

Mandatory training is structured in specific modules, regularly updated, and includes at least the following content:

• Rules and obligations of Regulation (EU) 2023/1114 (MiCA) regarding crypto-asset custody.
• Principles of Regulation (EU) 2022/2554 (DORA), focused on operational resilience and incident management.
• Prevention of money laundering and terrorist financing, in accordance with Law 10/2010 and European AML regulations.
• Correct use of internal tools, secure access management and protection of sensitive information.

Training is provided at the time of onboarding, on an annual basis and following any relevant regulatory, procedural or technological change. Additionally, reinforcement sessions and practical simulations are conducted to verify staff understanding and preparedness for real scenarios.

Human Resources and Cybersecurity are responsible for overseeing the execution of the programme, evaluating results and maintaining documentary evidence of each employee's training compliance.

Participation in these training activities is recorded and monitored by the Human Resources department, which maintains an up-to-date file per employee, tracking the degree of compliance and level of understanding achieved. In the event of deficiencies or non-compliance being detected, corrective measures may be adopted, including mandatory additional training, review of access permissions or re-evaluation of the employee's operational risk profile.

Awareness of the importance of responsible crypto-asset management forms part of Nebeus' corporate culture and is actively promoted through internal campaigns, periodic communications and incident simulation exercises. In this way, the entity reinforces its commitment to the secure custody of client funds and the rigorous fulfilment of its regulatory obligations.

16. Supervision, Continuous Improvement and Governance of the Custody Service


Nebeus' custody policy is not limited to technical compliance with the principles of segregation, traceability and protection against insolvency, but incorporates a comprehensive approach of continuous improvement, active supervision and strategic governance, in accordance with the regulatory frameworks established by MiCA.

Likewise, a formal annual review of this policy and the general custody framework is conducted, based on internal audit findings, technological changes, regulatory modifications or lessons learned. Any proposed modification is approved by the Board of Directors, ensuring that the policy remains up-to-date, effective and aligned with the highest standards of client protection and operational resilience.

17. Approval and Signature


This Crypto-Asset Custody and Administration Policy has been reviewed in accordance with Nebeus' internal governance framework and validated by the competent control and compliance bodies. It reflects current operational practices, implemented technical standards and applicable regulatory obligations in accordance with Regulation (EU) 2023/1114 (MiCA) and other relevant Spanish legislation.
