LEGAL

Security

Effective date: June 19, 2026  |  Version: 1.0

This page describes AlemX's approach to security: our program, our certifications, how our infrastructure and data are protected, who our vendors are, and how to report a vulnerability or concern. AlemX is pre-launch, so some items below are marked as in progress or planned rather than live — we would rather tell you where we actually are than overstate our posture.

1. Security Program Overview

AlemX takes a risk-based approach to security: we identify the assets and data that matter most — user funds and keys (which we never custody), personal data, and platform integrity — and build controls proportionate to the risk each one carries. Our security program is governed by an internal policy library covering access control, encryption, vendor risk, incident response, and vulnerability management, maintained and reviewed on a regular cadence as the program matures.

2. Compliance and Certifications

AlemX is pursuing SOC 2 Type I certification. This page will be updated with certification details and, once issued, a link to the certification letter, as our compliance program progresses.

3. Infrastructure and Hosting

AlemX runs on established cloud infrastructure providers, chosen in part for their own independent security certifications (such as SOC 2 and ISO 27001). We do not publish specific credentials, network topology, or architecture diagrams on this page, as that information is not appropriate for public disclosure. Data residency and hosting details are available to customers and partners on request as part of security due diligence.

4. Encryption and Data Protection

Data is encrypted in transit and at rest. Messages sent through the AlemX messenger are encrypted in transit, and access to systems holding personal data is controlled and audited. Our wallet architecture is self-custodial by design: AlemX does not hold or have access to user private keys or recovery phrases at any point. Further technical detail is governed by our internal security policies and made available to customers and auditors under appropriate confidentiality terms.

5. Vendor and Sub-Processor Disclosure

AlemX works with a limited set of licensed and infrastructure providers to deliver regulated and supporting features, including Crossmint (self-custodial wallet infrastructure and fiat on/off-ramp), Paxos (U.S. fiat on/off-ramp), card issuers, and cloud, analytics, and AI-model providers. The current list of material providers and sub-processors is published in Schedule A of our Privacy Policy. We will notify affected users of material changes to this list where required.

6. Vulnerability Disclosure Program

If you believe you have found a security vulnerability in AlemX's Services, we want to hear from you. Please report it to security@alemx.com, including enough detail (steps to reproduce, affected component, potential impact) for us to investigate.

We ask that researchers:

  • Give us a reasonable opportunity to investigate and remediate an issue before public disclosure.
  • Avoid accessing, modifying, or deleting data that does not belong to you.
  • Avoid actions that could degrade the availability of the Services for other users.
  • Do not exploit a vulnerability beyond what is necessary to demonstrate it.

We will acknowledge good-faith reports made in accordance with these guidelines and will not pursue legal action against researchers who comply with them. A formal Vulnerability Disclosure Policy with a documented safe-harbor statement and acknowledgment timeline is in development.

7. Bug Bounty Program

AlemX does not currently operate a paid bug bounty program. If we launch one on a platform such as HackerOne, Bugcrowd, or Intigriti, we will link the program, its scope, and its reward structure from this page.

8. Incident Response and Communication

AlemX maintains an internal incident-response process for identifying, containing, and remediating security incidents. For incidents that materially affect users, we intend to notify affected customers and, where required by law, relevant regulators. Once available, a public status page showing real-time service availability will be linked from this section.

9. Content Moderation and Trust & Safety

AlemX has zero tolerance for child sexual abuse material (CSAM), non-consensual intimate imagery, and terrorist or violent extremist content. AlemX participates in, or is in the process of implementing prior to launch, the following industry safety programs, applied to content that we are able to access through our systems:

  • Microsoft PhotoDNA image-hash matching to detect known CSAM.
  • NCMEC CyberTipline: we report apparent CSAM to the U.S. National Center for Missing & Exploited Children, as required by law.
  • StopNCII.org to help prevent the sharing of non-consensual intimate images.
  • GIFCT subscriber: we use the Global Internet Forum to Counter Terrorism shared hash database to detect and remove terrorist and violent extremist content.

10. Law Enforcement Guidelines

AlemX responds to valid legal requests from law enforcement and government authorities in accordance with applicable law. Our detailed Law Enforcement Request Guidelines — covering process, required legal instruments by jurisdiction, and our contact channel — are in development and will be linked from this page ahead of public launch.

11. Transparency Reports

AlemX intends to publish periodic Transparency Reports disclosing aggregate counts of government requests, content removals, and law-enforcement disclosures. See our Transparency Report page for our current cadence commitment and reporting approach.

12. Privacy and Data Protection

For details on what personal data AlemX collects, how it is used and shared, and your rights over it, see our Privacy Policy.

13. Security Contact

For security reports and inquiries, contact security@alemx.com. A PGP public key for encrypting sensitive reports, and a security.txt file (per RFC 9116) at /.well-known/security.txt, are planned to accompany this page.

14. Anonymous Reporting Channel

To report misconduct, security issues, or improper data handling, contact whistleblower@alemx.com. An external anonymous-relay form is planned as an additional reporting option.

15. Changes to This Page

This page is reviewed regularly and updated whenever our certification status, vendor list, content-moderation memberships, or disclosure channels materially change. Continued use of the Services after an update means you have had the opportunity to review the current version.