COMPLIANCE MANUAL

Objectives of the Compliance Manual

It is The main objective of the manual is to establish the policies and procedures that allow our company Disruptive Exchange S. de R.L. of C.V. (“Disruptive Exchange”), whose corporate purpose is the habitual and professional performance, as a commission agent, intermediary, importer and/or exporter in the purchase and sale of Cryptoactives with national and/or foreign suppliers; as well as provide related services; develop, implement, publish and maintain an electronic platform and mobile application to provide its commercial services; and the purchase, sale and maintenance of technological products, software and/or technologies based on blockchain.

Through this manual, we establish a framework to guarantee that Disruptive Exchange will comply with Mexican laws and regulations related to the prevention of money laundering and other illicit activities.

Within the framework of our commercial activities, we must prioritize complying with legal and regu latory obligations regarding the prevention of money laundering and financing of terrorism (MLD/FT) under Mexican law, as well as knowing the legal risks of our activity to avoid conduct. illegal activities in our organization. The specific objectives are the following:

• Establish the legal and regulatory bases: Provide a framework of reference on the laws, regula tions and standards applicable in Mexico in relation to virtual assets and the prevention of money laundering.
• Identify and evaluate risks: Develop and implement procedures for the identification, evaluation and understanding of AML/FT risks associated with our services and operations.
• Implement internal controls: Establish effective internal controls to mitigate identified risks, includ ing know-your-customer (KYC) policies, transaction monitoring, reporting suspicious transactions, among others.
• Promote a culture of compliance: Foster a corporate culture that prioritizes legal and ethical com pliance, through regular staff training on AML/FT issues.
• Cooperate with authorities: Establish procedures to effectively cooperate with competent author ities, including the timely reporting of suspicious transactions.
• Constant Review and Update: Implement a continuous process of reviewing and improving the compliance program to adapt to changes in laws, regulations, risks and best practices in the industry.

This manual is considered a living document that will be updated periodically to reflect any changes to our business operations, regulatory environment or AML/CFT risk landscape.

Definitions

Archive

Set of data and documents that are preserved or stored in printed format or in electronic, optical or any other technology, which will remain complete and unaltered from the moment it was generated for the first time and is accessible for subsequent consultation, with the purpose of integrating, pre serving and demonstrating the Operations of Disruptive Exchange.

Beneficiary

The person designated by the ClientDisruptive Exchange, so that, in the event of the death of said Client, such person can exercise beforeDisruptive Exchange the rights derived from the account, contract or Order.

Customer

The natural or legal person who, directly or indirectly, contracts or carries out any Order to Disruptive Exchange.

Board of directors

The Disruptive Exchange body, in charge of supervision and decision-making, composed of independent directors and/or executives, whose role is to provide strategic guidance and supervise the management of the company.

Control

The ability to impose, directly or indirectly, decisions in general meetings of shareholders, partners or equivalent bodies, or to appoint or dismiss the majority of the directors, administrators or their equivalents of a legal entity; or maintaining ownership of rights that allow, directly or indirectly, the exercise of voting with respect to more than fifty percent of the company's share capital, or directing, directly or indirectly, the administration, strategy or main policies of the company. society. Likewise, Control will be understood to be exercised by any natural person who, directly or indirectly, acquires 25% or more of the shareholding composition or share capital of a legal entity.

Criptoactivos

The representation of value recorded electronically and used among the public as a means of payment for all types of legal acts, the transfer of which can only be carried out through electronic means. In no case will Crypto Assets be understood as legal tender in the national territory of Disruptive Exchange, nor foreign currencies. These are a mechanism for the storage and exchange of information, which does not represent the possession of any underlying asset at par and which is univocally identifiable, even fractionally, stored electronically; Therefore, they are not legal tender or foreign currencies; that they do not have the power to release payment obligations nor are they regulated by the Mexican financial authorities; nor are they shares, shares, debentures, bonds, warrants, certificates, promissory notes, bills of exchange and other titles of credit, nominated or unnamed, that are issued serially or en masse and represent the share capital of a legal entity or a part of this, an aliquot part of an asset or the participation in a collective credit or any individual credit right, under the terms of the applicable national or foreign laws; nor securities, contracts or any other legal act whose valuation refers to one or more underlying assets, securities, rates or indices. By virtue of this, since Disruptive Exchange only offers the commission service for the purchase and sale of Cryptoactives, it is not considered by na tional laws as a financial institution or technological financial institution.

Exchange or Provider

Digital platforms for the exchange of Cryptoassets, outside ofDisruptive Exchange, who are Disruptive Exchange suppliers and operate from abroad.

Corporate governance

It is the set of principles, standards and practices that regulate the management and direction of Disruptive Exchange. Its main objective is to establish an internal and external control framework that promotes transparency, responsibility, ethics and efficiency in decision making within the organization.

Platform

Set of Disruptive Exchange web pages, visible through the electronic address https:/ disruptivex.mx/, its subdomains, mobile application services, clients, APIs or any electronic form of communication developed and authorized by Disruptive Exchange.

Principles

These principles are the foundation of our commitment to Disruptive Exchange's integrity, compliance, and sustainable success. Each member of our team is required to adhere to these principles and contribute to building a strong compliance culture in the company:

1. Legal and Regulatory Compliance

Disruptive Exchange is committed to complying with all applicable laws and regulations wherever it operates. This includes laws and regulations related to the industry in which we participate, as well as anti-money laundering, data protection laws and any other relevant regulatory framework.

2. Ethics and Responsibility

Business ethics are essential for us. We are committed to carrying out all our operations in an ethical, honest and responsible manner. This means avoiding any conduct that could compromise our integrity or that of our employees.

3. Transparency and Disclosure

We encourage transparency in all our business relationships. We are committed to providing accurate and complete information to all interested parties, including our investors, customers, employees and regulators.

4. Responsibility of Managers and Employees

The officers and employees of Disruptive Exchange have a responsibility to act in the best interest of the company and its shareholders. They must make decisions based on the best interests of the company and comply with established policies and procedures.

5. Anti-Money Laundering and Know Your Customer (KYC)

We will establish rigorous anti-money laundering and know-your-customer (KYC) procedures to ensure our operations are protected against illicit activities and to comply with relevant regulations.

6. Social and Environmental Responsibility

Disruptive Exchange is committed to operating in a socially responsible manner and considering the environmental impact of its activities. We will look for opportunities to contribute positively to society and the environment.

7. Audit and Internal Monitoring

We will implement an internal audit and continuous monitoring system to ensure compliance with all compliance policies and procedures, and to detect and address any irregularities in a timely manner.

8. Participation of Shareholders and Interested Parties

We will encourage the active participation of shareholders and other interested parties in our corporate decisions and ensure that their rights are protected.

9. Continuous Update and Review

We are committed to regularly reviewing and updating our Compliance Manual to reflect changes in laws, regulations and the business environment.

Legal bases

This chapter of the Disruptive Exchange Regulatory Compliance Manual focuses on the legal bases that govern commercial intermediation activities in Mexico. Considering the corporate purpose of our company, it is essential to understand and comply with the relevant laws and regulations to operate legally and ethically in the Mexican market. This chapter provides an overview of the main regulations and legal considerations that must be taken into account.

1. Legal framework for the commercial commission in Mexico

In Mexico, the commercial commission is regulated by various laws and regulations. Some of the main regulations that affect companies dedicated to this activity include:

a. Federal Economic Competition Law (LFCE)

The LFCE regulates economic competition in Mexico and prohibits monopolistic practices and illicit concentrations that may restrict free competition in the markets. Disruptive Exchange must avoid any conduct that may be considered anticompetitive and comply with the obligations established in this law.

b. Commercial Code

The Commercial Code establishes the legal provisions related to commercial contracts, the sale of goods, commercial intermediation, commercial commission and other commercial activities.Disruptive Exchange, must operate in accordance with the relevant provisions of this code; for which, any contract made with third parties or in whichDisruptive Exchange participates, it must always be endorsed by the company's legal provider.

c. Federal Law for Protection of the Consumer

This law regulates relationships between suppliers and consumers in Mexico and establishes rights and obligations for both parties.Disruptive Exchange, You must ensure that your business practices comply with the consumer protection standards established in this law and respect consumer rights.

d. Federal Law for the Prevention and Identification of Operations with Resources of Illicit Origin (Anti-Laundering Law)

The Anti-Laundering Law establishes measures to prevent and detect operations with resources of illicit origin, including money laundering. As part of its compliance obligations,Disruptive Exchange, must implement money laundering prevention policies and procedures and comply with the reporting obligations established in this law. This manual will contain the main obligations that must be met.

e. Law on Protection of Personal Data Held by Private Parties

Disruptive Exchange collects, stores and/or processes personal data of clients or other interested parties, so it must comply with the provisions of the Personal Data Protection Law, guaranteeing the privacy and security of the data.

2. Registration and Licensing Obligations

Disruptive Exchange is limited to offering the commercial commission service for the purchase and/ or sale of Cryptoactives on behalf and on behalf of our clients; therefore Disruptive Exchange is in no way a facilitator of any type of business, nor is it a financial or fintech institution; Disruptive Exchange is NOT a portfolio provider, stock exchange, broker, distributor, investment advisor, investment company or company, bank, exchange house, credit institution, creditor, savings institution or company, chamber, confederation, insurer , surety company, fund administrator of any kind, remittance sending company, stock exchange institution, credit auxiliary, savings bank, financial or savings cooperative, financial group, electronic payment fund institution or collective financing institution.

Disruptive Exchange, plays no role in the facilitation, conduct, execution or consummation of any transaction in securities, commodity futures, securities, fiat currencies or foreign currencies.

In no case can our Platform be used to market securities, shares, corporate shares, obligations, bonds, warrants, certificates, promissory notes, bills of exchange and other credit titles, nominated or un named, registered or not in the Public Registry, capable of circulating in the securities markets that are issued serially or en masse and represent the share capital of a legal entity, an aliquot part of an asset or participation in a collective credit or any individual credit right, in the terms of applicable national or foreign laws; nor securities, commodities, commodity futures, securities, fiat currencies or foreign currencies.

Nor can our Platform be used to maintain the legal tender currencies or foreign currencies of our clients, nor to exchange them.

Additionally, customers may not use our Services to pay and/or obtain payments for products or services from third parties, collect and/or send money or securities; obtain and/or promote insurance, make investments, obtain and/or grant credit, or send and/or receive remittances.

In the event that the services provided by Disruptive Exchange, due to legal provisions, are included in activities subject to any special regulation; The services will be suspended to the extent that Disruptive Exchange can verify the corresponding regulatory compliance.

Disruptive Exchange, prior to starting its operations, has informed the following authorities what its corporate purpose will be and has requested reports from the Ministry of Finance and Public Credit, the National Banking and Securities Commission, the Bank of Mexico and the National Commission for the Protection and Defense of Users of Financial Services to find out if you are obliged to obtain regulation; In the reports issued by the transparency units of these agencies that Disruptive Exchange has in its possession, none of them have established that the company requires a special license or regulation.

Furthermore, publicly the Bank of Mexico has said that:

“It is important to highlight that, although ITFs or ICs are not authorized to offer operations with virtual assets to the general public, this does not imply that companies other than these cannot offer services related to virtual assets. Such is the case of virtual asset exchange houses that offer the service of buying and selling virtual assets to the public, which, as long as they do not carry out fundraising activities or guard resources in national currency or foreign currencies of their clients, could continue offering its services.”

Which is visible on the official website: https:/www.banxico.org.mx/sistemas-de-pago/6--acciones-regulatorias-po.html

Therefore, by not capturing or custody resources in national currency or foreign currencies of our clients, nor being a credit institution or technological financial institution; We do not have any legal impediment to operate in our business model.

3. Compliance and Know Your Customer (KYC)

Since merchant commission is carried out on activities considered vulnerable by law, Disruptive Exchange must establish rigorous KYC policies and procedures to identify and verify the identity of its clients and trading partners. This is essential to comply with anti-money laundering obligations and know your customers in accordance with the Anti-Money Laundering Law and other applicable regulations.

Code of ethics

Disruptive Exchange must inform its suppliers, clients, shareholders, agents and representatives that our corporate has been established on the basis of integrity and ethical values and we must work together to develop this company with the principles contained in this document. , which include fundamental values such as Honesty, Respect, Compliance, Commitment, Responsibility and Professionalism.

In principle, we must govern our actions with Honesty in the relationships we have with the company's employees, clients, shareholders and suppliers; Because only by using this value can we have lasting and reliable relationships.

On the other hand, Respect allows us - as individual human beings who are members of this company - to recognize, accept, appreciate and value the qualities of the people with whom we interact and who are in some way linked to our company; Therefore, in each of our decisions and actions, we must be empathetic and respectful of our neighbors and our environment, because only in this way can we guarantee that our conduct is as correct as possible.

Also, as members of this company, we must make an effort and be very diligent in our actions to comply with the internal and legal provisions that govern our performance, because only in this way will we ensure that the company lasts and we can rest assured that we are doing the right thing; It is clear, then, that sometimes it is complicated and we can get lost among so many provisions, but from the Board of Directors, we will strive to carry out regulatory compliance programs that facilitate this work.

Commitment and Responsibility are especially linked to fulfill our duties with the greatest probity and enthusiasm, always seeking to understand that our actions of doing or not doing have consequences - these may be positive or negative, depending on how we act - so We must try to behave correctly and guarantee compliance with the commitments we make.

Finally, Professionalism implies always acting with the highest standards of quality and restraint; respecting the rules of our company and the principles that govern our trade or profession; But it also imposes on us the commitment to continue training ourselves to offer the people with whom we interact in our work field a better version of ourselves.

Having a code of ethics aims to:

• Establish the minimum behavioral guidelines that must be followed in activities linked to the company.
• Efficiently communicate our company values and behavioral guidelines.
• Avoid conduct that is contrary to ethics in the activities we carry out.
• Establish an Ethics and Compliance Committee, which constantly evaluates that the actions of our people align with the Code of Ethics.
• Eradicate behaviors of our people that are contrary to ethics.

All of us who work to make Disruptive Exchange an ethically responsible company are obliged to:

Each and all of our collaborators are obliged to:

• Respect each of the people with whom we have relationships.
• Promptly comply with laws, regulations and internal regulations.
• Promote the company's values and principles with our colleagues.
• Be exemplary in our behaviors.
• Submit to the evaluation processes implemented by the company to certify that we comply with this Code of Ethics and the quality standards required by the company.
• Request from their hierarchical superiors the clarifications they deem appropriate when their instructions could go against the provisions of this Code and the applicable laws.
• Conduct oneself with rectitude without using one's position to obtain or attempt to obtain any personal benefit, benefit or advantage or in favor of third parties, nor seek or accept compensation, benefits, gifts, gifts or gifts from any person or organization.
• Under no circumstances, grant compensation, benefits, gifts, gifts or presents to government officials, the company or any person related to it.
• Seek the collective best interest, above particular, personal or unrelated interests of the company.
• Give people the same treatment, without granting privileges or preferences and much less discriminating against people for any reason.
• Manage the resources under your responsibility, subject to the principles of efficiency, effectiveness, economy, transparency and honesty to satisfy the objectives for which they are intended.
• Correspond to the trust that shareholders, managers, employees, suppliers and customers; deposited in us.
• Have an absolute vocation for service.
• Account for interests that may conflict with the responsible and objective performance of their powers and obligations.
• Avoid engaging in conduct that involves unfair competition or direct or indirect competition with the company.
• Not associate with investors, suppliers, clients, contractors or national or foreign businessmen, to establish any type of private business that affects the impartial and objective performance towards the company.
• Legally separate from assets and economic interests that directly affect the exercise of their responsibilities and that constitute a conflict of interest.
• Refrain from intervening or promoting, by oneself or through an intermediary, in the selection, hiring or appointment of people with whom one is related by affiliation up to the fourth degree or by affinity up to the second degree or friendship.
• Refrain from making any private deal or promise that compromises the interests of the company.
• Promote collaborative work and support between units and areas of the organization, in order to share knowledge, experience and the best of themselves.
• Communicate promptly and responsibly ideas, concerns, and/or constructive comments for the company, which make processes more efficient and effective.
• Request feedback, know how to listen to it and use it as a means to improve
• Follow the instructions they receive from their hierarchical superiors.
• Register, integrate, safeguard and take care of the documentation and information that, due to your employment, you have under your responsibility, and prevent or avoid its use, disclosure, theft, destruction, concealment or improper use.
• Supervise that the collaborators under his command act diligently and in line with this Code.
• Collaborate with the authorities that establish and motivate the cause of their actions, always under the supervision of the company's legal area and giving notice to it of any requirement from the authorities.
• Make sure, before entering into contracts, that control is exercised over the people with whom we interact and that they do not incur conflicts of interest.
• Do not report information that does not correspond to the reality of the operation.
• Avoid manipulation of financial statements.
• Do not retain or divert organizational resources.
• Avoid unauthorized access to the Company's information systems.
• Do not engage in acts of verbal or physical aggression between collaborators.
• Avoid incurring any property damage to the detriment of the company or people linked to it.
• Prevent transactions from being carried out through the company to hide the illicit origin of assets and values or to simulate that they prevent a legal origin; Therefore, action must be taken in accordance with legal and internal regulations to prevent money laundering and terrorist financing.
• Generate safe work environments and report any potential risk to the physical and mental health of collaborators or people related to the company.
• Communicate by any means on behalf of the company or to the detriment of its documents or opinions; or use the corporate image in activities not related to their position.
• Report to the Ethics and Compliance Committee any acts or omissions that are contrary to this Code and that in the exercise of their functions they come to notice.

Identification and evaluation of risks

The risk-based approach is fundamental to Disruptive Exchange's compliance program. This chapter focuses on how to identify, evaluate and mitigate the risks associated with our commercial commission activities. By taking a risk-based approach, Disruptive Exchange seeks to ensure that our compliance efforts are effective and focused on the areas that pose the greatest risks to the business and compliance with applicable laws and regulations.

1. Risk Identification

To implement an effective risk-based approach, it is essential to identify and understand the risks to which the company is exposed. This implies:

• Evaluation of Operations: Analyze in detail our activities with each of our clients and internal activities, to identify the areas of greatest risk.
• Evaluation of Customers and Business Partners: Evaluate the risk associated with the customers, suppliers and business partners with whom we interact. This includes due diligence in identifying and verifying customer identity (KYC).
• Industry Analysis: Consider trends and risks specific to the industry in which we operate, including changes in regulation and competition.

2. Risk Assessment and Prioritization

Once risks have been identified, it is important to assess their likelihood and impact. This allows risks to be prioritized and resources and controls to be allocated efficiently. Factors to consider include:

• Probability: The probability that a particular risk will occur.
• Impact: The financial, legal, operational and reputational impact that the materialization of a risk could have.
• Residual Risk: The risk that remains after applying mitigation measures.

3. Design of Controls and Risk Mitigation

Once the risks have been assessed, Disruptive Exchange must design and implement appropriate controls and mitigation measures to reduce the risk to acceptable levels. This may include:

• Policies and Procedures: Develop specific policies and procedures to address identified risks.
• Training: Provide appropriate training to employees and suppliers so that they are aware of the risks and know how to act to mitigate them.
• Continuous Monitoring: Establish a monitoring and tracking system to closely supervise activities and detect deviations from policies and procedures.

4. Continuous Update and Review

The risk-based approach is not static; It should be reviewed and updated periodically to reflect changes in the business and regulatory environment. This includes:

• Periodic Risk Assessment: Conduct regular risk assessments to identify new risks or changes to existing risks.
• Adjusting Controls: Modify and improve controls and mitigation measures as necessary.

The risk-based approach is essential to the effectiveness of our compliance program at Disruptive Exchange. By appropriately identifying, evaluating and mitigating risks, we can make informed and efficient decisions to protect the integrity of the company and comply with applicable laws and regulations in the Mexican market. Each member of the Disruptive Exchange team has an important role to play in risk management and regulatory compliance, and it is everyone's responsibility to contribute to the success of this approach.

5. Concrete steps

Through our legal compliance provider we must carry out the following steps:

• Must establish and describe in detail all the processes that were carried out for the identification, measurement and mitigation of Risks, for which it must take into account the Risk factors that we have identified for this purpose, as well as the information contained in the national evaluation of Risks and its updates, which are applicable.
• Identify the components and signals related to each of the risks, describing how Disruptive Exchange could be exposed to the risk, taking into account, at least, the following elements: the products and services offered, the types of clients served and the countries or regions from which they use our services.
• Implement an approach to evaluate risks, establishing a connection between the indicators and the risk component to which they are associated, assigning a weighted value to each of them in a consistent manner based on their relevance to describe said risks.
• Neutralize the risk, taking into account all the policies, criteria, actions and internal processes described in this manual, as well as their effectiveness when applied, with the purpose of evaluating how they will influence the previously identified risk indicators and elements.
• If the Compliance Officer, when analyzing the results of the application of the Methodology, identifies the presence of additional or increased risks, he must adjust the policies, criteria, measures and procedures of the Manual to implement the relevant mitigation measures in accordance with the risks. detected and ensure that they remain within acceptable tolerance levels.

Customer identification

Disruptive Exchange, through the electronic platform or through a specialized certified provider, will integrate and maintain an identification file by each of its Clients at the time of the execution of any contract, provision of services and carrying out activities or operations, with the objective of identifying them fully.

The aforementioned identification file is integrated with the information, data and documentation thatDisruptive Exchange collect from its Clients, taking into account the typeof Client in question; For these purposes, the classification of Clients is established.as follows:

1. Natural person of Mexican or foreign nationality, in conditions of stay of temporary resident or permanent resident in terms of the Law of Migration.

• Paternal surname, maternal surname and first name or names without abbreviations. - Gen der. - Birthdate. - Federative Entity of birth. - Country of birth. - Nationality. - Voter code, if applicable.
• Private address of the country of residence composed of the name of the street, avenue or road in question, duly specified; exterior and, where applicable, interior number; colony or urbanization; mayor's office, delegation, municipality or similar political demarcation that corresponds, if applicable; city or town, federal entity, state, province, department or similar political demarcation that corresponds, if applicable; zip code and country.
• In the case of people who have their place of residence abroad and, at the same time, have an address in national territory where they can receive correspondence addressed to them, the data relating to said address will be recorded in the file, with the same elements as those contemplated above.
• Occupation, profession, activity or line of business in which the Client is dedicated. - Unique Population Registry Code. - Digitized Autograph Signature. - Telephone number where you can be reached. - Email address. - If applicable, account number and Standardized Bank Code (CLABE) in the Financial Entity or Foreign Financial Entity that corresponds to the full name and without abbreviations of the Client.
• Statement in which the Client indicates that he is acting on his own behalf, as established in the Terms and Conditions.
• Digital version of the document where the Client's identification data comes from.

2. Moral person of Mexican nationality.

• Denomination or social reason. - Business line, activity or corporate purpose. - Nationality. - Federal Taxpayer Registry key with homoclave and, where applicable, tax identification number or equivalent, as well as the country or countries that assigned it. - Advanced Electronic Signature serial number. - Address, composed of the name of the street, avenue or road in question, duly specified; exterior and, where applicable, interior number; colony or urbanization; mayor's office, delegation, municipality or similar political demarcation that corresponds, if applicable; city or town, federal entity, state, province, department or similar political demarcation that corresponds, if applicable; zip code and country. - Home telephone number. - Email address. - Constitution date. - Paternal surname, maternal surname and name or names of the administrator or administrators, director, general manager or legal representative who, with their signature, can oblige the legal entity to carry out the Transaction, coming from a valid official personal identification document issued by competent authority. - If applicable, account number and CLABE in the Financial Entity or Foreign Financial Entity authorized to receive deposits; of conversion to electronic payment funds or, of investment in or receipt of resources from Collective Financing Operations, as applicable, which must be in the name of the legal entity. - Digitalized Handwritten Signature of the legal representative.
• Digital version of the following documents:
  • The document or the testimony or certified copy of the public instrument that proves its legal existence, registered in the corresponding public registry, or any instrument or document that reliably proves its existence. When the legal entity is not registered in the public registry because it has been recently established, a document will be obtained from the legal representative or attorney-in-fact, stating the obligation to carry out the respective registration. - Tax Identification Card issued by the Ministry of Finance andCredit Public and, where applicable, the document that records the assignment of the tax identification number or its equivalent issued by a competent authority and proof of the Advanced Electronic Signature. - Proof of address where the data provided is verified.
  • Testimony or certified copy of the instrument issued by a public notary that contains the powers of the legal representative or representatives, when they are not contained in the public instrument that certifies the legal existence of the legal entity and the personal identification of each of the representatives. When the legal representative is of foreign nationality, is outside the national territory and does not have a passport, credentials issued by federal authorities of the country in question, valid on the date of presentation, may be considered valid official personal identification documents. , containing the photograph, signature and, where applicable, address of the representative.
  • To prove the legal existence and powers of the legal representatives or attorneys-in-fact of public agencies or entities and other Mexican legal entities governed by public law, the provisions of the laws, regulations, decrees or organic statutes that create and regulate them will be followed. If applicable, obtain a copy of your appointment or the public instrument issued by a notary.
• We must also integrate a file to:
  • Know the share structure or social parts, as appropriate. When the Client has a level of Risk other than low, collect information on the internal corporate structure, with at least the name and position of the general director, the hierarchy immediately below him and the members of the board of directors or sole administrator.
  • Identify the Real Owners of your Clients, who exercise Control.

3. Natural person of foreign nationality who does not have the condition of stay of temporary resident or permanent resident in terms of the Law of Migration.

• Paternal surname, maternal surname and first name or names without abbreviations. - Gen der. - Birthdate. - Country of birth. - Nationality.
• Private address of the country of residence composed of the name of the street, avenue or road in question, duly specified; exterior and, where applicable, interior number; colony or urbanization; mayor's office, delegation, municipality or similar political demarcation that corresponds, if applicable; corresponding city or town, federal entity, state, province, department or similar political district, postal code and country, if applicable. - Occupation, profession, activity or line of business in which the Client is dedicated.
• Telephone number where you can be reached. - Email address. - If applicable, account number and CLABE in the Financial Entity or Foreign Financial Entity authorized to receive deposits; conversion to electronic payment funds or investment in or receipt of resources from Collective Financing Operations, as applicable.
• tatement in which the Client indicates that he is acting on his own behalf, which is established in the Terms and Conditions.
• Digital version of the document where the Client's identification data comes from.

4. Moral person of foreign nationality.

• Denomination or social reason. - Business line, activity or corporate purpose. - Nationality. - Code of the Federal Taxpayer Registry with homoclave or, tax identification number or equivalent, the country or countries that assigned it and, where applicable, the serial number of the Advanced Electronic Signature. - Address, composed of the name of the street, avenue or road in question, duly specified; exterior and, where applicable, interior number; colony or urbanization; mayor's office, delegation, municipality or similar political demarcation that corresponds, if applicable; city or town, federal entity, state, province, department or similar political demarcation that corresponds, if applicable; zip code and country. - Home telephone number. - Email address.
• Constitution date. - Paternal surname, maternal surname and name or names of the administrator or administrators, director, general manager or legal representative who, with their signature, can oblige the legal entity to carry out the Transaction, coming from a valid official personal identification document issued by competent authority. - If applicable, account number and CLABE in the Financial Entity or SWIFT code.
• Know the share structure or social parts, as appropriate. When the Client has a degree of Risk other than low.
• Identify the Real Owners of your Clients, who exercise Control.
• Document that proves its legal existence and which records the assignment of the tax identification number or equivalent issued by the competent authority.
• Proof of address where the name of the street, avenue or road in question is verified, duly specified; exterior and, where applicable, interior number; colony or urbanization; mayor's office, delegation, municipality or similar political demarcation that corresponds, if applicable; city or town, federal entity, state, province, department or similar political demarcation that corresponds, if applicable; zip code and country.
• Testimony or certified copy of the instrument issued by a notary public that contains the powers of the legal representative or representatives, when they are not contained in the public instrument that certifies the legal existence of the legal entity and the personal identification of each of them.

As part of the requirements to identify its clients, Disruptive Exchange will request and obtain the geographic location of the mobile device or computer equipment used by each of its clients when opening an account on our platform.

For each file, it is necessary to obtain the available identification data from a valid personal identification document issued by the competent authority or from a document that proves your legal stay in the country. The digital version of the document containing the client's identification data must be stored in accordance with the applicable official Mexican regulations on digitization and conservation of data messages.

Disruptive Exchange, collects the required documentation remotely through Data Messages and complies with the requirements established by the official Mexican regulations on digitization and conservation of applicable data messages. Additionally, it ensures that digital versions of documents are clear, legible, and of high quality.

Disruptive Exchange will have the obligation to guard, protect, safeguard and prevent the destruction or concealment of the information and documentation supporting the performance of Vulnerable Activities, as well as that which identifies its Clients or Users.

The information must be kept physically or electronically for 5 years from the date of the Vulnerable Activity, unless the relevant laws of the federal entities establish a different period.

In addition, we are obliged to provide the officials in charge with the facilities for verification visits to be carried out.

Risk classification the client's

Disruptive Exchange will have a risk assessment system that will allow its clients to be categorized according to their risk level, in accordance with the principles of this manual. For this categorization, the following classifications are established:

High - Medium - Low

1. Initial grade:

To determine the initial level of risk of its clients, Disruptive Exchange will consider the information provided by each client during the first six months of the business relationship.

Besides,Disruptive Exchange will conduct risk level assessments at least every six months to determine whether clients' risk classification needs to be changed. The frequency of these evaluations will be greater when the risk classification requires it.

To carry out this evaluation,Disruptive Exchange will follow the following procedure:

Step 1: KYC Information Collection

Customer must provide complete and verifiable information as required by company policies outlined in this manual.

Step 2: Document Verification

Verify the authenticity of customer-provided documents such as IDs, bank statements, business records, and biometric analysis by using technology applications to establish whether the customer is the one providing photo identification.

Step 3: Inherent Risk Assessment

Classify the customer into an initial risk category (for example, low, medium or high) based on the information provided in the KYC and the nature of the business relationship.

Step 4: Risk Factor Analysis

EAssess specific risk factors associated with the client, which may include:

Source of Funds: Determine the source of the client's funds and whether it is consistent with their profile and commercial activity.

Transaction History: Review the history of previous transactions and any unusual or suspicious activity.

Country of Origin or Destination: Consider the risk associated with the country of origin or destination of the funds and whether it is subject to international sanctions.

Client Type: Assess whether the client is an individual, company, government entity, or other legal entity, as this may affect the level of risk.

Step 5: Determination of Risk Level

Based on the inherent risk assessment and risk factors, determine the client's overall risk level. This can be low, moderate or high, and each category will have its own implications in terms of additional due diligence and monitoring.

Step 6: Definition of Control Measures

Establish control measures proportional to the level of risk. This could include additional due diligence procedures, more frequent monitoring of transactions, review of accounts and reporting to competent authorities where appropriate.

Step 7: Documentation and Registration

Document all steps and decisions made in the KYC risk assessment process in the client file. Maintaining accurate records is essential to demonstrate regulatory compliance and facilitate future audits.

Step 8: Periodic Review

Establish a periodic KYC risk assessment review schedule, which may vary depending on the client's risk level. As customer circumstances or regulations change, adjust the risk assessment as necessary.

2. Obtaining the degree as we continue to operate with a client

Step 1: Update KYC Information

Conduct an annual review of the KYC process to verify information provided by the client and ensure it remains accurate.

Step 2: Customer Profiling

Based on the information obtained from the client, we will obtain a profile of the client to establish whether the transactions they carry out are consistent with their person.

Step 3: Inherent Risk Assessment

Clasificar al cliente en una categoría de riesgo en función de las características inherentes del cliente, que pueden incluir edad, ocupación, nacionalidad, fuente de ingresos, entre otros.

Step 4: Transactional History Analysis

Evaluate the client's transactional history, considering the type of transactions made, frequency, consistency, and the existence of unusual or suspicious activity.

Step 5: Risk Factor Assessment

Assess specific risk factors associated with the client, which may include source of funds, country of origin or destination of funds, type of account, and other relevant factors.

Step 6: Determining the Global Risk Level

Based on the inherent risk assessment and risk factor analysis, determine the client's overall risk level as low, moderate or high.

Step 7: Definition of Control Measures

Establish appropriate control measures to mitigate risk, which may include regular monitoring, regular KYC updating, customer communication and ongoing training.

Step 8: Documentation and Registration

Document all steps and decisions made in the client risk assessment process in the client file. Maintaining accurate records is essential to demonstrate regulatory compliance and facilitate future audits.

Step 9: Periodic Review and Update

Periodically review and update client risk assessment as client circumstances or applicable regulations change.

3. Definition of risk of a politically exposed person:

Assessing the risk of a client who is a Politically Exposed Person (PPE) is a crucial process in the area of anti-money laundering and risk management at Disruptive Exchange.

PEPs are individuals who hold important political positions or have close ties to people in such positions, and may be at higher risk of engaging in illicit financial activities or money laundering due to their influence and access to resources.

Risk Assessment Methodology for PPE Clients:

Step 1: Identification of PPE Clients

The first step is to identify if the client is a Politically Exposed Person. This involves collecting accurate information about your occupation, political connections, and family members who may be involved in politics.

Step 2: Categorization of PPE Clients

Classify the PPE client into one of the following categories:

High Risk: If the client is an active PPE or has a high level of political exposure.

Moderate Risk: If the client has political ties, but their political exposure is limited or their position is less influential.

Low Risk: If the client is a retired PPE or has minimal political exposure.

Step 3: Risk Factor Assessment

Assess specific risk factors associated with the client's PPE, which may include: The current or previous political position or position.

The geography and level of corruption of the country of origin or influence.

The nature of the relationship with the PEP (e.g., spouse, child, sibling).

History and pattern of financial transactions.

Step 4: Transactional Risk Assessment

Analyze the PPE customer's transactional history, including the nature and frequency of transactions, to detect unusual or suspicious activity.

Step 5: Determination of Global Risk Level

Based on the assessment of risk factors and transactional history, determine the PPE customer's overall risk level as high, moderate, or low.

Step 6: Definition of Control Measures

Establish appropriate control measures to mitigate risk, which may include:

Continuous and exhaustive monitoring of PPE customer transactions.

More frequent review of activities and operations.

Report suspicious transactions to competent authorities as necessary.

Step 7: Documentation and Registration

Document all steps and decisions made in the PPE client risk assessment process in the client file. Maintaining accurate records is essential for regulatory compliance and accountability.

Step 8: Periodic Review and Update

Periodically review and update the PPE customer risk assessment as the customer's circumstances, applicable regulations or risk profile change.

This methodology provides a structured and tiered approach to assessing the risk of clients who are Politically Exposed Persons. It is essential that financial institutions and companies that handle these types of clients are especially diligent in their due diligence, monitoring and regulatory compliance to mitigate the risks associated with political exposure.

4. Determination of the transactional profile of clients.

Determining the transactional profile of clients is essential to understand their financial activity patterns and assess the associated risk.

I. Criteria to Determine the Transactional Profile

Nature of the Commercial Relationship: Evaluate the nature of the relationship with the client, which may be investment, loan, commercial intermediation, among others. This will help define the type of transactions expected.

Transaction Frequency: Evaluate the frequency with which the client carries out financial transactions, such as deposits, withdrawals, purchases or sales of assets.

Transaction Volume: Determine the volume of financial transactions made by the client, including the amount of funds involved.

Types of Transactions: Identify the specific types of transactions that the client carries out regularly, such as international transfers, investments in financial markets, real estate purchases, among others.

II. Procedures to Determine the Transactional Profile

KYC Information Collection: Initiate the process of determining the transactional profile by collecting complete and verifiable information from each client in accordance with the KYC process.

Transaction Record: Record all financial transactions carried out by the client, including dates, amounts, counterparties and relevant details.

Transaction Analysis: Analyze transactions to identify patterns and trends, such as frequency of activity, fluctuating balances, and unusual activities.

Comparison with Known Profile: Compare the customer's transactional behavior with the previously known profile and any significant changes in activity.

Evaluation of Deviations: If significant deviations are detected in transactions, investigate and deter mine if they are consistent with the stated purpose of the account and the client profile.

Periodic Review: Conduct periodic reviews of the transactional profile to detect changes in customer behavior and adjust the risk level if necessary.

III. Transactional Profile Levels

Based on the information collected and the analysis performed, categorize the customer into one of the following transactional profile levels:

Low Profile: Clients with regular and consistent financial transactions that align with their stated purpose and known profile.

Moderate Profile: Clients with moderate financial activity and a moderate level of risk due to certain transactions that may be atypical but justifiable.

High Profile: Clients with complex, frequent or unusual financial transactions that may require greater attention and supervision due to their level of risk.

IV. Control measures

Establish control measures proportional to the level of each client's transactional profile, which may include:

Continuous transaction monitoring.

Periodic KYC update.

More frequent review of activities and operations.

Report suspicious transactions as necessary.

Conclusion.

Blacklists

The review of national and international blacklists is an essential part of our compliance program at Disruptive Exchange, it focuses on the methodology that our technological platform uses tools to automatically review clients and avoid carrying out transactions with individuals or entities that appear on these lists. This practice is essential to comply with applicable regulations and prevent money laundering and terrorist financing

I. National and International Black Lists

National Lists: These lists are provided by regulatory authorities within Mexico and contain information on sanctioned or restricted individuals and entities.

International Lists: These lists are prepared by international organizations and governments of other countries and include individuals, entities or countries subject to international sanctions.

II. Automatic Review Methodology

Our platform uses a rigorous methodology to automatically review clients and avoid transacting with people or entities that appear on national and international blacklists. The process is the following:

Customer Identification: When registering a new customer or processing a transaction, the platform collects identification information, including name, date of birth, nationality, address, identification number and other relevant data.

Comparison with Black Lists: The platform automatically compares customer information with national and international black lists. This process is carried out in real time for all operations.

Use of Screening Tools: The platform uses screening tools and updated databases to make comparisons with blacklists. These tools ensure the accuracy and coverage of the review.

Potential Matches: If a potential match is found between customer information and a blacklist entry, the platform generates an alert for the compliance team to investigate the situation.

Investigation and Resolution: The compliance team is responsible for investigating potential matches and determining if they are a sanctioned person or entity. If this is confirmed to be a valid match, appropriate action is taken, which may include denial of the transaction and reporting to regulatory authorities.

III. Update Continues

To ensure the effectiveness of blacklist review, the platform is regularly updated to incorporate new lists and changes to existing ones. This allows our company to be aware of the latest sanctions and restrictions at the national and international level.

IV. Compliance with Regulations

Automatic blacklist review is essential to comply with applicable regulations, including the Federal Law for the Prevention and Identification of Operations with Resources of Illicit Origin (Anti-Money Laundering Law) in Mexico.

Service restrictions in unsupported jurisdictions

Disruptive Exchange recognizes the importance of complying with the laws and regulations of the countries in which we operate.

The methodology to identify and block users who attempt to use our services from countries where our business model is prohibited or restricted by local or international legislation is described below.

I. Identification of Prohibited Countries

Monitoring International Regulations: Disruptive Exchange carries out constant monitoring of international regulations that prohibit or restrict the provision of our services in certain countries.

Consult Official Sources: The company consults official sources, such as international sanctions lists and government regulations, to identify prohibited countries.

Legal Assessment: An ongoing legal and regulatory assessment is carried out to determine if there are legal restrictions in specific countries that affect our business model.

II. User Blocking Methodology

Once the prohibited countries are identified, Disruptive Exchange implements a methodology to block users who try to access our services from these geographic areas. The process is the following:

Geolocation: The platform uses geolocation tools to identify the user's geographic location when trying to access our services.

Comparison with Banned Countries List: The user's location is compared to the list of previously identified banned countries.

Access Blocking: If it is detected that a user is trying to access from a prohibited country, their access to the platform is blocked and they are notified that they cannot use our services due to legal restrictions.

III. Communication to Users

To ensure transparency and user understanding, a clear communication process is established in the event of geographic location blocking:

Blocking Notice: The user is notified that their access has been blocked due to legal restrictions in their geographic location.

Additional Information: Additional information is provided about legal restrictions affecting the provision of our services in your country.

Customer Service Resources: Contact information is provided so that the user can contact our customer service team with questions or concerns.

IV. Legal and Regulatory Compliance

Restricting users to prohibited countries is essential to comply with applicable laws and regulations and to avoid potential legal or regulatory sanctions that could impact the business.

V. Continued Update

The list of prohibited countries is updated periodically to reflect changes in international and local laws and regulations. This ensures that we are aware of the latest geographic restrictions and can take appropriate action.

Restricting users in banned countries is a crucial part of our compliance program at Disruptive Exchange. By identifying and blocking users who attempt to use our services from geographic areas where our business model is prohibited or restricted, we ensure regulatory compliance and protect company integrity. This practice is essential to maintain our reputation and compliance with our legal and regulatory obligations.

Anti-Money Laundering Notices

Since our corporate purpose is legally considered as Vulnerable Activity, we are obliged to carry out the registration and registration process with the Tax Administration Service, prior to the presentation of the first Notice.

Information on transactions carried out by clients or users involved in activities that may be exploited will be sent to the Financial Intelligence Unit through the Tax Administration Service.

This sending must be made no later than the 17th day of the month following the completion of the operation in question, as long as it exceeds the notification threshold established for that activity.

The reports must be transmitted electronically using the format determined by the Financial Intelligence Unit. These reports must include:

General data of the person or entity that carries out the susceptible activity.

General information about the client, user or, where applicable, the beneficial owner, as well as details about their main activity.

A general description of the susceptible activity.

Those who are involved in susceptible activities and have not carried out operations that require notification during the month in question, must send an official report in which only the fields related to the identification of the person carrying out the activity, the corresponding period and the indication will be completed. that no reportable transactions were carried out during that period.

In the event of carrying out a transaction with a person and subsequently detecting that they are registered in the lists issued by national authorities, international organizations or foreign authorities, officially recognized according to the international agreements in which Mexico participates, and that are related to crimes such as money laundering and other similar crimes, or property crimes where the resources involved may have of illicit origin or are used for illicit activities, we must submit the notice within 24 hours from the moment we become aware of such information.

I. Identification Threshold:

The Vulnerable Activities included in Article 17 of the Federal Law for the Prevention and Identification of Operations with Resources of Illicit Origin are considered as such by the simple fact of their execution.

II. Notice threshold:

A fundamental obligation that we have, is the presentation of Notices to the Ministry of Finance and Public Credit about the operations that its Clients or users carry out for an amount greater than that established in the Federal Law for the Prevention and Identification of Operations with Resources of Illicit Origin.

The Operations with Virtual Assets must always be identified and present notices when in the month a particular client carries out operations for an amount equal to or greater than 645 times the value of the current Unit of Measurement and Update, which in this year 2023 will be the same at $66,912.30 Mexican pesos.

Verification views

In terms of the Federal Law for the Prevention and Identification of Operations with Resources of Illicit Origin, the Ministry of Finance and Public Credit may carry out verification visits to those of us who carry out Vulnerable Activities, to verify compliance with the obligations provided for in the aforementioned Law. , taking into consideration the following:

The visited subjects are obliged to exclusively provide the information and supporting documentation that we have that is directly related to Vulnerable Activities.

The verifications carried out by the Ministry of Finance and Public Credit can only cover those acts or operations considered as Vulnerable Activities in the terms of the Federal Law for the Prevention and Identification of Operations with Resources of Illicit Origin, carried out within five years. immediately prior to the start date of the visit.

Compliance officer

The OC Compliance Officer plays a key role in Disruptive Exchange's compliance program. This chapter describes in detail the functions and obligations of the OC, as well as the selection and appointment process of this key figure in our company.

The OC is responsible for ensuring that the organization complies with all applicable laws and regulations and for maintaining an effective anti-money laundering and risk management program.

I. Functions and Obligations of the Compliance Officer

The OC has a number of key roles and responsibilities, including:

Supervision and Coordination of Regulatory Compliance: The OC supervises and coordinates all activities related to the company's regulatory compliance, including the implementation of policies and procedures.

Policy and Procedure Development: Collaborates in the creation, review and update of compliance policies and procedures, ensuring they are in line with applicable laws and regulations; which will be submitted to the approval of the Board of Directors and the Commissioner of the company.

Risk Assessment: Conducts regular risk assessments and participates in the identification and mitigation of risks associated with company operations.

Training and Awareness: Provides ongoing training to employees on compliance issues and promotes a culture of compliance throughout the organization.

Monitoring and Reporting of Suspicious Transactions: Monitors and reports transactions that may be suspicious of illegal activities, in compliance with the Federal Law for the Prevention and Identification of Operations with Resources of Illicit Origin (Anti-Money Laundering Law).

Communication with Authorities: Acts as a point of contact between the company and the authorities on compliance issues, facilitating audits.

Internal Audit and Compliance Review: Cooperates with internal and external audits to evaluate the effectiveness of the compliance program and take corrective action as necessary.

Regulatory Update: Keeps the company updated on changes in relevant laws and regulations and coordinates the adaptation of policies and procedures accordingly.

II. Compliance Officer Selection

The selection of the OC is a critical process and is carried out as follows:

Suitability Requirements: The OC candidate must meet the legal and regulatory requirements established for this role, which may include regulatory compliance experience, in-depth knowledge of financial regulations, and a strong academic background in law or related fields.

Interview Process: Qualified candidates are interviewed by the company's Board of Directors.

Experience and Reference Evaluation: Previous experience is verified and work references are consulted to evaluate the candidate's suitability.

Formal Appointment: Once selected, the OC is formally appointed by Disruptive Exchange senior management and assumes their responsibilities and obligations.

III. Independence of the Compliance Officer

The CB must operate independently in its compliance function, meaning that it must not be subject to undue influence or conflicts of interest that could compromise its ability to make objective, compliance-based decisions.

IV. Revocation

The revocation of the position of the Compliance Officer (CO) is a process that must be carried out with transparency and compliance with applicable regulations.

This chapter of the Disruptive Exchange Compliance Manual describes the process and the causes that may lead to the revocation of the OC position in our company. The revocation of the OC is an exceptional measure and is taken into consideration only in specific circumstances.

a. Compliance Officer Position Revocation Process

The process of revoking the position of the OC is carried out as follows:

Initiation of the Process: Senior management initiates the process of revoking the OC position when there are solid reasons to do so.

Evaluation of Causes: A detailed evaluation is carried out of the causes that justify the revocation of the OC's position, which may include non-compliance with duties, conflicts of interest, lack of suitability, among others.

Communication to the OC: The OC is notified of the initiation of the revocation process and is provided the opportunity to present its version of the events and defend its position.

Review by an Independent Committee: An independent committee, which has no conflict of interest with the CB in question, reviews the evidence and evaluates whether the grounds for revocation are valid.

Committee Recommendation: The committee issues a recommendation based on its review, determining whether or not revocation of the OC's position is warranted.

Senior Management Decision: Senior management, after considering the committee's recommendation and the evidence presented by the OC, makes the final decision on revocation of the position.

Notification to the OC: The OC is notified of the decision made and is provided with a reasonable period of time to carry out an orderly transition of responsibilities.

b. Grounds for Revocation of the Position of the Compliance Officer

The grounds that may lead to the revocation of the OC's position include, but are not limited to:

Substantial Noncompliance with Duties: The OC does not substantially comply with his or her responsibilities and obligations as established in his or her job description and applicable regulations.

Unresolved Conflict of Interest: The CB has not adequately managed a conflict of interest that could compromise its impartiality and objectivity in the compliance function.

Lack of Suitability: The CB is determined to lack the necessary experience, knowledge or skills to effectively carry out its compliance responsibilities.

Serious Legal or Regulatory Noncompliance: The OC commits a serious legal or regulatory noncompliance that negatively affects the company's position.

Arbitrary or Unfair Decisions: The OC makes arbitrary or unfair decisions in the performance of its compliance functions.

c. Transition Process

In the event of revocation of the OC's position, a planned transition process is followed to ensure continuity in the compliance function. This may include appointing a new OC or redistributing compliance responsibilities to other members of the compliance team.

Complaint channel

The whistleblower channel is a fundamental tool in Disruptive Exchange's compliance program.

The primary objective of the reporting channel is to provide employees, customers, shareholders, agents, suppliers and other interested parties with a secure and confidential avenue to report suspicious activities, policy violations or any behavior that may violate applicable regulations or values. of the company.

I. Definition of the Whistleblowing Channel

The whistleblowing channel is an internal Disruptive Exchange mechanism that allows employees, customers, suppliers and other interested parties to confidentially report any concerns or suspicions related to regulatory compliance, ethical practices or inappropriate conduct within the company.

II. Objectives of the Whistleblowing Channel

The objectives of the whistleblowing channel on Disruptive Exchange are the following:

• Promote a culture of compliance and ethics throughout the organization.
• Facilitate early detection and correction of irregularities or violations.
• Protect whistleblowers from possible retaliation.
• Guarantee confidentiality and proper management of complaints.
• Comply with applicable regulations and laws regarding whistleblowing.

III. Complaints Procedure

Below is the procedure for filing a report through the Disruptive Exchange reporting channel:

Reporting: Any employee, customer, supplier or other interested party who has a concern or suspicion may file a report.

Complaints can be made orally or in writing, to the compliance officer or to the email legal@disruptivex.mx.

Confidentiality: All complaints are treated confidentially. Reporters have the option to file the report anonymously if they wish.

Complaint Recording: All complaints are carefully recorded and documented. This includes the date of receipt, the nature of the complaint and any relevant information provided by the complainant.

Complaint Evaluation: The Compliance Officer or designated compliance committee evaluates all complaints received. An appropriate investigation is conducted to determine the validity of the complaint.

Corrective Actions: If a complaint is determined to be valid, necessary corrective action is taken to address the identified concern or issue.

Communication with Complainant: Contacts the complainant confidentially to inform them of the results of the investigation and actions taken, provided the complainant has provided contact information.

IV. Protection against Retaliation

Disruptive Exchange strongly prohibits any form of retaliation against good faith whistleblowers. Measures are taken to protect complainants from any adverse consequences or harmful actions in retaliation for filing a valid complaint.

V. Report to Authorities

If a report involves illegal activities or serious violations of regulations, Disruptive Exchange reserves the right to report to the appropriate regulatory authorities as required by applicable laws and regulations.

Information reservation

The protection of personal data is of utmost importance at Disruptive Exchange. We comply with all applicable laws and regulations to ensure data privacy.

I. Legal and Regulatory Framework

Federal Law on Protection of Personal Data Held by Private Parties (LFPDPPP): Disruptive Exchange strictly adheres to the provisions of the LFPDPPP of Mexico and other data protection laws applicable in other jurisdictions where we operate.

II. Personal Data Protection Methodology

Our methodology for protecting personal data is based on the following key practices:

Identification of Personal Data: We identify and classify all personal data that we collect and process, including information from customers, suppliers, shareholders and other interested parties.

Informed Consent: Clients who use our services, by virtue of our Terms and Conditions, adhere to the privacy notice published on our website.

Data Security: We implement appropriate technical and organizational security measures to protect personal data against unauthorized access, disclosure, alteration or destruction.

Data Minimization: We limit the collection and processing of personal data to what is strictly necessary for the purposes established and required by law.

Rights of Data Owners: We respect the rights of data owners, including the right of access, rectification, cancellation and opposition (ARCO Rights).

Data Retention: We establish data retention policies that determine how long personal data is retained and when it is securely deleted.

III. Training and Awareness

Employee Training: All employees receive regular training on personal data protection policies and procedures.

Privacy Awareness: We promote awareness of the importance of privacy and data protection in com pany culture.

IV. Evaluation and Audits

Privacy Risk Assessment: We carry out periodic privacy risk assessments to identify possible threats and vulnerabilities in the protection of personal data.

Internal and External Audits: We carry out internal and, when necessary, external audits, to ensure compliance with our privacy and data protection policies.

V. Compliance and Accountability

Data Protection Officer: We appoint a data protection officer to oversee compliance with privacy and data protection regulations.

Incident Log: We maintain a log of data security incidents and are prepared to notify regulatory au thorities and data subjects in the event of a personal data breach.

Nondiscrimination

Disruptive Exchange is committed to creating an inclusive and respectful environment, both internally and in its external interactions. To this end, it focuses on the prevention of any form of discrimination, including discrimination based on gender, race, sexual orientation, religion, disability, economic capacity, social condition or any other characteristic protected by law.

I. Commitment to Non-Discrimination

Culture of Diversity: Disruptive Exchange promotes a culture of diversity and respect, where each individual is valued for their abilities and contributions, regardless of their origin, gender, sexual orientation, religion or other personal characteristics.

Non-Discrimination Policy: We have a non-discrimination policy that expressly prohibits any form of discrimination in the workplace and in all business interactions.

II. Discrimination in the Workplace

Employee Protection: We ensure that our employees are treated fairly and equitably, regardless of gender, race, religion, sexual orientation, disability or other personal characteristics.

Selection and Promotion Processes: Our selection and promotion processes are based on merit and skills, and no bias or discrimination is allowed in these decisions.

Inclusive Work Environment: We foster an inclusive work environment where differences are respected and mutual respect is promoted among all employees.

III. Discrimination in External Interactions

Business Relationships: In our business relationships with customers, suppliers and other interested parties, we avoid any form of discrimination and respect applicable non-discrimination laws and regulations.

Advertising and Communication: Our advertising and external communication are designed to be inclusive and respectful, avoiding stereotypes or discriminatory messages.

IV. Discrimination Complaint

Reporting Channel: We maintain a confidential and secure reporting channel where employees and stakeholders can safely report incidents of discrimination.

Whistleblower Protection: We protect whistleblowers from retaliation and take steps to address complaints of discrimination in a timely and appropriate manner.

V. Education and Awareness Raising

Awareness Programs: We offer diversity and inclusion awareness and training programs for employees and stakeholders.

Promoting Diversity: We promote diversity in our workplace and in our business relationships as a fundamental value of our company.

VI. Legal compliance

Legal Compliance: We comply with all applicable non-discrimination laws and regulations in all jurisdictions in which we operate.

Transparency

Transparency is a fundamental pillar of the Disruptive Exchange Compliance Plan.

This chapter of the Compliance Manual focuses on the importance of transparency in our operations and how we foster accountability and trust among our employees, customers, and other stakeholders in our company.

I. Transparency and Corporate Culture

Business Values and Ethics: Disruptive Exchange promotes a culture of compliance, ethics and business responsibility. Our values are rooted in transparency and integrity in all actions and decisions.

Open Communication: We encourage open communication and accessibility of our leaders and compliance teams to address questions, concerns, and provide guidance.

II. Information and Transparent Disclosure

Clear Policies and Procedures: All of our compliance policies and procedures are transparent and easily accessible to employees and stakeholders through the Compliance Manual.

Regular Reports: Regular compliance reports are provided to senior management and the compliance committee to ensure transparency in risk management and decision making.

Incident Disclosure: In the event of compliance incidents or violations, a transparent disclosure process is followed both within the organization and, where necessary, to authorities and affected stakeholders.

III. Data Protection and Confidentiality

Data Protection: We comply with applicable data protection and privacy laws and ensure that confidential information is handled securely and in accordance with relevant regulations.

Confidentiality of Complaints: Complaints submitted through the complaints channel are treated with the utmost confidentiality and are communicated only to parties who need to know the information to carry out investigations and corrective actions.

IV. Collaboration with authorities and External Audits

Collaboration with authorities: We maintain open and transparent collaboration with regulatory authorities and are committed to complying with all requests for information and regulatory audits.

External Audits: We facilitate external audits when necessary to ensure transparency and independent review of our compliance operations.

V. Education and Awareness

Training Programs: We offer regular training programs for employees and stakeholders to promote understanding of compliance policies and procedures, as well as the importance of transparency in our operations.

VI. Accountability

Individual Responsibility: All employees are responsible for complying with compliance policies and procedures and for reporting any concerns in a transparent and ethical manner.

Training

Training plays a crucial role in the success of our Compliance Plan at Disruptive Exchange.

I. Objectives of Regulatory Compliance Training

Awareness: Promote awareness among all employees about the importance of regulatory compliance and their role in maintaining the integrity of the company.

Knowledge: Provide those of us at Disruptive Exchange with a solid knowledge of compliance regulations, policies and procedures that are relevant to their roles.

Skills: Develop specific skills that enable employees to comply with regulatory requirements and apply policies and procedures effectively.

Prevention: Help prevent and detect potential violations of regulations and compliance policies.

II. Training Planning

Audience Identification: Identify specific audiences requiring compliance training, which may include all employees, compliance teams, customer service personnel, and other relevant groups.

Content Design: Develop training content that adapts to the needs of each audience and is aligned with applicable regulations and policies.

Training Methodologies: Use a variety of training methods, which may include in-person training, online training, seminars, workshops and practical exercises.

Results Evaluation: Establish metrics and evaluations to measure the success of training programs, such as knowledge tests, participant feedback, and completion rates.

III. Training Content

Relevant Laws and Regulations: Train employees on key laws and regulations that affect our company, such as anti-money laundering laws, the Securities Market Law, and other applicable financial regulations.

Internal Policies and Procedures: Detail our internal compliance policies and procedures, including how complaints should be reported and how suspicious transactions are handled.

Anti-Money Laundering (AML): Provide a deep understanding of AML processes and controls and how to identify and report suspicious transactions.

Risk Management: Educate employees on how to identify and manage compliance-related risks, and how risk management is integrated into our daily operations.

Business Ethics: Promote business ethics and integrity in all interactions with customers, suppliers and other interested parties.

IV. Continuing Training Programs

Periodic Update: Maintain updated training programs to reflect changes in regulations, internal policies and compliance best practices.

On-the-Job Training: Provide on-the-job training and continuous learning opportunities so that employees can apply their knowledge effectively.

V. Accountability and Certification

Compliance Certification: Require employees to certify their understanding and compliance with compliance policies and regulations.

Monitoring and Evaluation: Conduct periodic monitoring and evaluation to ensure that employees meet training requirements and take corrective action if necessary.

VI. Training Periodicity

Regulatory compliance training is carried out according to the following periodicities:

New employee induction: All new employees must receive compliance training during their induction period, which includes an introduction to key regulations, internal policies and relevant procedures.

Mandatory Annual Training: All employees must participate in mandatory annual training in regulatory compliance. This training is renewed each year and addresses changes in regulations, policies and procedures, as well as key compliance topics.

Ongoing Training: In addition to annual training, employees who perform critical roles or are subject to specific regulations may require ongoing training at regular intervals.

Collaboration with authorities

Disruptive Exchange considers it essential to collaborate with the competent authorities in promoting the legal case and compliance with applicable regulations.

I. Cooperation with Authorities

Commitment to Cooperation: Disruptive Exchange is committed to fully cooperating with authorities to the extent required by applicable laws and regulations.

Communication Channel: We maintain an open and effective communication channel with the authorities, which facilitates collaboration and the exchange of relevant information.

II. Legal compliance

Regulatory Awareness: We are aware of applicable regulations and laws in all jurisdictions in which we operate and strive to comply strictly with them.

Records and Documentation: We maintain accurate and up-to-date records and documentation that support our legal compliance and are available to authorities as needed.

Reporting Suspicious Transactions: We comply with the obligation to report suspicious transactions to the competent authorities, in accordance with the laws for the prevention of money laundering and terrorist financing.

III. Legal requirements

Response to Requirements: We respond in a timely and complete manner to legal requirements issued by authorities, such as subpoenas, court orders or requests for information.

Confidentiality and Privacy: We protect the confidentiality and privacy of information provided to authorities to the extent permitted by applicable laws and regulations.

IV. Education and Training

Staff Training: We train our staff on the importance of cooperation with authorities and legal compliance.

Response Procedures: We establish internal procedures to ensure that all employees know how to appropriately respond to legal requirements.

V. Responsibility and Accountability

Designation of Responsible Persons: We designate responsible persons in the organization to coordinate the response to legal requirements and guarantee regulatory compliance.

Monitoring and Evaluation: We continuously monitor our interactions with authorities and evaluate our procedures to ensure their effectiveness.

Prevention of illegal conduct

At Disruptive Exchange, we value transparency and access to legal advice for our collaborators. To do this, we provide a communication channel and legal advice so that collaborators can consult and clarify doubts about activities they carry out in the company and ensure that they comply with our internal policies and applicable laws.

I. Legal Communication Channel

Availability of Legal Advisors: We have an external legal team to provide legal advice to our collaborators.

Access to Legal Advisors: We establish an accessible and confidential communication channel so that employees can consult the company's legal advisors in case of legal doubts.

Consultation Procedures: We define clear procedures for submitting legal inquiries, including the necessary documentation and response deadlines.

II. Scope of Legal Advice

Regulatory Compliance: Employees may consult legal advisors on issues related to regulatory compliance, including applicable laws and regulations.

Internal Policies: Advice is provided on our internal policies, procedures and codes of conduct.

Contracts and Agreements: Legal advisors must provide guidance on the drafting, interpretation and enforcement of contracts and agreements.

Dispute Resolution: Advice is provided on the resolution of disputes, litigation and legal claims.

III. Confidentiality and Protection

Confidentiality: We guarantee that all legal queries and information provided by collaborators are handled with absolute confidentiality.

Protection from Retaliation: Employees are protected from retaliation for seeking legal advice or submitting legal questions.

IV. Education and Awareness

Legal Awareness: We promote awareness of the importance of legal advice and consultation through training and internal communication.

V. Responsibility and Accountability

Management of the Consultation Channel: We designate a person responsible to manage the legal consultation channel and ensure that the consultations are attended in a timely and appropriate manner.

Monitoring and Evaluation: We continuously monitor legal consultations and evaluate the effectiveness of the communication and legal advice channel.

Channel and Deadline: Any questions should be directed to legal@disruptivex.mx where legal advisors will have up to forty-eight working hours for generic requests or twenty-four hours for urgent requests to respond to the request.