SYNDIFUL SECURITY & COMPLIANCE STATEMENT
Effective Date: 6/12/2025

Syndiful, LLC ("Syndiful," "we," "our," or "us") is committed to protecting the confidentiality, integrity, and security of sensitive data entrusted to our platform. This Security & Compliance Statement provides an overview of our security, data protection, and compliance practices as of the date above.

This statement is provided for informational purposes only and does not create any contractual obligations, warranties, or guarantees.

1. Platform Architecture & Hosting

• Cloud Infrastructure:
  Syndiful operates on secure, enterprise-grade cloud infrastructure hosted by Amazon Web Services (AWS), utilizing U.S.-based data centers.
• Data Residency:
  All customer data is stored and processed within the United States.
• High Availability:
  Our systems are architected for redundancy, uptime, scalability, and failover resiliency.

2. Data Encryption

• Encryption In-Transit:
  All data transmissions are encrypted using Transport Layer Security (TLS 1.2 or higher).
• Encryption At-Rest:
  All stored data is encrypted using industry-standard AES-256 encryption protocols.
• Key Management:
  Encryption keys are securely managed and rotated using AWS Key Management Services (KMS) and controlled access.

3. Access Controls & Authentication

• Role-Based Access:
  Access to platform environments is strictly limited to authorized personnel under role-based permission models.
• Multi-Factor Authentication (MFA):
  Internal administrative access requires multi-factor authentication.
• Least Privilege Enforcement:
  Employee access is limited to the minimum level necessary for job function.
• Administrative Logging & Monitoring:
  All administrative access is logged and reviewed for operational oversight and audit integrity.

4. Third-Party Vendor Security

Syndiful engages third-party providers for select platform functions including:

• Identity verification (KYC / AML)
• Investor accreditation verification
• Document signing and storage
• Payment processing
• Fund administration
• Cloud infrastructure and hosting

All third-party vendors undergo security, privacy, and compliance evaluations prior to onboarding.
Vendor engagements are governed by appropriate contractual agreements, including confidentiality obligations, data processing agreements (DPAs), and service level commitments where applicable.

5. Compliance Practices

Syndiful is not a broker-dealer, investment adviser, fiduciary, or placement agent. While not directly regulated under securities laws, Syndiful has implemented operational controls designed to support compliance alignment with:

• SEC Rule 506(c) Accredited Investor verification standards
• Know Your Customer (KYC) and Anti-Money Laundering (AML) protocols via integrated vendors
• Data privacy frameworks applicable in the United States (including CCPA)
• Platform governance controls consistent with private capital market operational best practices

6. Privacy Commitments

• Syndiful does not sell or rent personal user data.
• Personal information is processed solely for operational, compliance, sponsor onboarding, and capital allocation purposes.
• User data is never shared with sponsors or third parties unless authorized or required for service delivery.
• Please refer to our Privacy Policy for full privacy disclosures.

7. Operational Controls

• Penetration Testing:
  Periodic penetration tests are conducted by third-party security firms.
• Vulnerability Management:
  Code vulnerabilities are monitored, patched, and remediated based on severity.
• Monitoring & Alerting:
  Continuous system and security monitoring is in place for real-time alerting.
• Disaster Recovery & Business Continuity:
  Syndiful maintains documented disaster recovery plans. While Syndiful strives for high availability, no specific uptime or restoration time guarantees are offered.

8. Responsible Disclosure

Syndiful encourages responsible disclosure of any potential security vulnerabilities. If you identify a vulnerability, please contact:
security@syndiful.com

All disclosures will be investigated promptly and handled in accordance with our security incident response protocols.

9. Forward-Looking Statements

This Security & Compliance Statement reflects current security and compliance practices as of the Effective Date. As technology, regulation, or best practices evolve, Syndiful may enhance or modify these controls. No warranties or contractual obligations are created by this Statement.

10. Contact Information

For any security, compliance, or legal inquiries, contact:
Syndiful, LLC
Email: legal@syndiful.com

‍