Compliance

Triaurum Co. LTD aims to comply, where applicable, with:

1. 1.Turkish Personal Data Protection Law No. 6698 and related secondary legislation
2. 2.the EU General Data Protection Regulation where applicable
3. 3.applicable AML, sanctions, anti fraud, anti bribery, trade, customs, and recordkeeping requirements relevant to Triaurum Co. LTD's business model
4. 4.contractual compliance obligations agreed with counterparties, banks, logistics providers, assay providers, storage providers, advisers, and service providers

Triaurum Co. LTD maintains a proportionate compliance framework for:

1. 1.identity and authority verification
2. 2.beneficial ownership review
3. 3.source of funds review
4. 4.sanctions and AML screening
5. 5.controlled distribution of downloadable briefing materials
6. 6.document management and recordkeeping
7. 7.portal and information security controls
8. 8.incident escalation and response
9. 9.third party due diligence

Before providing commercial terms, granting restricted portal access, or proceeding with a transaction, Triaurum Co. LTD may require information and documents reasonably necessary to assess identity, authority, ownership, eligibility, funding, and compliance risk. Triaurum Co. LTD may refuse or discontinue engagement if required documentation is not provided or if risk concerns remain unresolved.

Triaurum Co. LTD processes personal data only for defined and legitimate purposes and applies data minimisation, access control, confidentiality, and need to know principles. Personal data is handled in accordance with the Privacy Policy and internal retention and security procedures.

Where Triaurum Co. LTD transfers personal data across borders, it will use the transfer mechanism required by applicable law, including relevant KVKK requirements and, where applicable, GDPR adequacy or safeguard mechanisms. Transfer countries and legal mechanisms are currently unspecified and will be documented when available.

Triaurum Co. LTD maintains an internal process for identifying, recording, assessing, containing, and remediating security and personal data incidents.

If a personal data breach occurs, Triaurum Co. LTD will:

1. 1.document the incident and preserve relevant evidence
2. 2.assess the impact on affected individuals and systems
3. 3.notify the competent authority and affected persons where required by applicable law
4. 4.take corrective and preventive measures

Where KVKK applies, Triaurum Co. LTD will notify the relevant authority without undue delay and, where feasible, within 72 hours, and if notification is delayed Triaurum Co. LTD will document the reasons for delay as required by applicable guidance.

Where GDPR applies, Triaurum Co. LTD will notify the competent supervisory authority without undue delay and, where required, within 72 hours after becoming aware of a notifiable breach. If the breach is likely to result in a high risk to individuals, Triaurum Co. LTD will also notify affected individuals without undue delay, unless an exception applies.

Individuals may submit privacy or data protection requests to [Privacy Contact Email]. Triaurum Co. LTD will review and respond within the time periods required by applicable law and may request identity verification where necessary.

Anyone wishing to report a compliance concern, legal issue, or suspected misuse of the website, portal, or onboarding process may contact [Compliance Contact Email].

Triaurum Co. LTD may maintain proportionate compliance records and review mechanisms, including:

1. 1.records of processing and disclosure categories
2. 2.retention and deletion schedules
3. 3.access control and security logs
4. 4.third party contract and due diligence records
5. 5.incident registers
6. 6.periodic internal reviews
7. 7.staff or adviser training where appropriate

Triaurum Co. LTD's VERBIS registration status is currently unspecified. If Triaurum Co. LTD becomes subject to a VERBIS registration obligation under Turkish law and no applicable exemption applies, Triaurum Co. LTD will complete registration and keep its registry information current as required by law.

This Compliance section may be updated from time to time to reflect changes in law, business structure, services, risk profile, or operational processes.