KYC/AML & Privacy Policy
Last updated: March 30, 2026
1. BSA/AML Program Overview
Glide, operated by Axtior Inc., maintains a comprehensive Anti-Money Laundering (AML) program in compliance with the Bank Secrecy Act (BSA), USA PATRIOT Act, and FinCEN regulations. Our program is designed to detect, prevent, and report money laundering, terrorist financing, and other financial crimes conducted through or facilitated by our Service.
The program is built on five core pillars that form the foundation of our compliance framework:
- Internal Policies, Procedures, and Controls — Written policies governing all aspects of BSA/AML compliance, including customer onboarding, transaction monitoring, suspicious activity reporting, and record retention. These policies are reviewed and updated annually.
- Designated BSA Compliance Officer — A qualified individual responsible for the day-to-day administration of the AML program, with authority to implement policies and escalate issues to senior management and the board.
- Ongoing Training Program — Annual training for all employees covering BSA/AML requirements, red flag indicators, reporting obligations, and updates to regulations and enforcement trends.
- Independent Testing — Annual independent review of the AML program by a qualified third party to assess effectiveness, identify gaps, and recommend improvements.
- Customer Due Diligence (CDD) — Risk-based procedures for verifying customer identity, understanding the nature and purpose of customer relationships, and conducting ongoing monitoring for suspicious activity.
Together, these pillars ensure that Glide operates in full compliance with federal anti-money laundering requirements while maintaining the security and integrity of our financial services.
2. BSA Compliance Officer
Axtior Inc. has designated a BSA Compliance Officer who is responsible for the overall administration and implementation of the AML program. The Compliance Officer reports directly to senior management and has the authority to make decisions regarding account suspension, SAR filing, and escalation to law enforcement.
Key responsibilities of the BSA Compliance Officer include: ensuring the AML program is current and effective, managing the alert investigation and SAR filing process, coordinating with regulatory examiners and law enforcement agencies, overseeing employee training, and reporting to the board of directors on the state of the compliance program.
The Compliance Officer maintains current knowledge of BSA/AML regulations, FinCEN guidance, and industry best practices through ongoing professional development, attendance at compliance conferences, and participation in industry working groups.
In the absence of the primary Compliance Officer, a designated deputy is authorized to perform all compliance functions to ensure continuity of the AML program.
3. Customer Identification Program (CIP)
In accordance with Section 326 of the USA PATRIOT Act and FinCEN regulations, Glide implements a Customer Identification Program (CIP) that verifies the identity of every individual who opens an Account. No Account functionality is available until identity verification is successfully completed.
Identity verification is conducted through Bridge KYC Links, which utilizes Persona as the identity verification provider. The process requires the user to submit a photograph of a valid, unexpired government-issued photo identification document (passport, driver's license, or national ID card) and a live selfie photograph for facial comparison.
Persona's automated verification system performs document authentication checks (including tamper detection, expiration validation, and format verification) and biometric facial matching between the submitted selfie and the ID photograph. If the automated checks are inconclusive, the application is escalated for manual review by trained verification specialists.
We retain records of the identification information collected during the CIP process for a minimum of five years after account closure, in accordance with BSA record-keeping requirements.
4. Customer Due Diligence (CDD)
Customer Due Diligence is performed during onboarding and on an ongoing basis throughout the customer relationship. CDD enables us to understand each customer's risk profile and the expected nature and purpose of the account relationship, and to identify transactions that deviate from expected patterns.
During onboarding, the following information is collected through the Bridge automated verification process: full legal name, date of birth, residential address, Social Security Number (for US persons) or national identification number (for non-US persons), and source of funds declaration.
Based on the information collected, each customer is assigned a risk rating (low, medium, or high) that determines the level of ongoing monitoring and the frequency of periodic reviews. Risk ratings are recalculated when new information becomes available, such as changes in transaction patterns or adverse media results.
CDD information is stored securely and encrypted at rest. Access is restricted to authorized compliance personnel on a need-to-know basis.
5. Enhanced Due Diligence (EDD)
Enhanced Due Diligence is applied to customers and transactions that present higher levels of risk. EDD goes beyond standard CDD procedures and requires additional information gathering, documentation, and senior-level review.
EDD is triggered by any of the following conditions: the customer resides in or conducts significant business with a high-risk country or jurisdiction; the customer is identified as a Politically Exposed Person (PEP) or a close associate or family member of a PEP; the customer's monthly transaction volume exceeds $50,000 USD; or the customer appears in adverse media searches related to financial crime, corruption, or other relevant risks.
When EDD is triggered, additional documentation may be required, including but not limited to: proof of source of funds (bank statements, employment records, or investment documentation), proof of source of wealth, detailed explanation of the business relationship or purpose of transactions, and references from other financial institutions.
EDD reviews are conducted by senior compliance staff and documented thoroughly. The decision to onboard, continue, or terminate a high-risk customer relationship requires approval from the BSA Compliance Officer.
6. Beneficial Ownership
For business accounts, Glide is required under FinCEN's Customer Due Diligence Rule to identify and verify the identity of all beneficial owners who own 25% or more of the legal entity, as well as at least one individual who has significant managerial control over the entity.
Beneficial ownership information is collected through the Bridge Know Your Business (KYB) process. Each identified beneficial owner must provide the same identification information required for individual accounts: full legal name, date of birth, residential address, and Social Security Number or national ID.
The entity itself must provide: legal entity name, formation documents, Employer Identification Number (EIN) or equivalent, and a list of all individuals with ownership interests of 25% or greater. We may also request organizational charts, operating agreements, or articles of incorporation.
Beneficial ownership information is verified, recorded, and retained for the duration of the business relationship plus five years, in accordance with BSA record-keeping requirements.
7. OFAC/SDN Screening
Glide screens all customers and transactions against the Office of Foreign Assets Control (OFAC) Specially Designated Nationals and Blocked Persons (SDN) list, as well as other relevant sanctions lists. Screening is performed at multiple points in the customer lifecycle to ensure comprehensive coverage.
Fiat transfers (ACH, wire, and SWIFT) are screened by Column N.A. using their institutional sanctions screening infrastructure. Column screens all parties to a transaction, including originators, beneficiaries, and intermediary banks, against OFAC lists and other applicable sanctions databases.
Cryptocurrency addresses are screened using the Chainalysis free sanctions API on every deposit and withdrawal transaction. Each Solana wallet address involved in a stablecoin deposit or withdrawal is checked against known sanctioned addresses before the transaction is processed. If a positive match is identified, the transaction is blocked and the compliance team is immediately notified.
Screening is also performed at account opening, during periodic customer reviews, and whenever OFAC updates its sanctions lists. Any potential matches are escalated to the BSA Compliance Officer for investigation and resolution.
8. Ongoing Monitoring
Glide operates a 63-rule automated transaction monitoring engine that covers nine categories of activity. The monitoring system runs continuously and analyzes every transaction in real time to detect patterns indicative of money laundering, terrorist financing, sanctions evasion, or other suspicious activity.
The nine monitoring categories are: deposits (rules A1–A5), withdrawals (rules B1–B5), international transfers (rules C1–C3), domestic transfers (rules D1–D5), card transactions (rules E1–E5), cryptocurrency activity (rules F1–F9), sanctions screening (rules G1–G2), login and access patterns (rules H1–H3), and behavioral analysis (rules I1–I5).
When a rule is triggered, an alert is generated and assigned to the compliance team for investigation. Alerts are prioritized by severity: critical alerts (such as sanctions matches) are investigated within 4 hours, high-severity alerts within 24 hours, medium-severity alerts within 72 hours, and low-severity alerts within 5 business days.
For complete details on monitoring rules, thresholds, and investigation procedures, see our Transaction Monitoring Policy.
9. SAR Filing
Glide files Suspicious Activity Reports (SARs) with the Financial Crimes Enforcement Network (FinCEN) when we identify transactions or patterns of activity that meet the SAR filing criteria established by BSA regulations. The SAR filing threshold for individuals is $5,000 or more in suspicious transactions.
The SAR filing clock begins when suspicious activity is first detected by our monitoring systems or otherwise brought to the attention of the compliance team. SARs must be filed within 30 calendar days from the date of initial detection. If no suspect is identified, the filing deadline may be extended to 60 days to allow for additional investigation.
SAR narratives are drafted with AI assistance to ensure consistency and completeness, but every SAR is reviewed and approved by a qualified human compliance officer before filing. The narrative includes a description of the suspicious activity, the parties involved, the transactions at issue, and the reason why the activity is deemed suspicious.
We are prohibited by federal law (31 U.S.C. § 5318(g)(2)) from notifying any person involved in a SAR filing that a report has been or will be filed. All SAR-related information is maintained with strict confidentiality and access controls.
10. CTR Filing
Currency Transaction Reports (CTRs) are required for cash-equivalent transactions exceeding $10,000 in a single business day, as mandated by the Bank Secrecy Act. While Glide primarily handles electronic transactions, certain transaction types may qualify as cash equivalents under BSA regulations.
Our automated monitoring system detects transactions that meet or exceed the $10,000 CTR threshold, including aggregated transactions by the same customer within a single business day. When a CTR-eligible transaction is identified, the system automatically prepares the CTR data for filing.
Prepared CTR reports are reviewed by compliance staff before being submitted through Column N.A.'s filing infrastructure. CTRs must be filed within 15 calendar days following the date of the transaction.
Attempted structuring — the deliberate breaking up of transactions to avoid CTR reporting thresholds — is a federal crime and is monitored as part of our transaction monitoring program. Detected structuring patterns are treated as suspicious activity and may result in SAR filing, account suspension, and law enforcement referral.
11. Record Keeping
Glide maintains comprehensive records in accordance with BSA record-keeping requirements. All BSA-related records are retained for a minimum of five years from the date of creation or, for account-related records, five years from the date of account closure, whichever is later.
The following record categories are subject to the 5-year retention requirement: all transaction records (deposits, withdrawals, transfers, and card transactions), Currency Transaction Reports (CTRs), Suspicious Activity Reports (SARs) and supporting documentation, KYC/CIP identification documents and verification results, alert investigation case files and disposition records, and Chainalysis screening logs for all cryptocurrency addresses.
Records are stored in encrypted form using AES-256 encryption at rest and are accessible only to authorized compliance personnel. All access to compliance records is logged for audit purposes.
For complete details on our data retention schedule, encryption standards, and destruction procedures, see our Data Retention Policy.
12. Data Collection & Use
We collect and process personal data in connection with the provision of the Service. The types of data we collect, the purposes for which we use it, and the legal bases for processing are described below.
Identity Data
Full legal name, date of birth, nationality, government-issued ID images, and selfie photographs. Collected for KYC/CIP verification as required by BSA regulations and to fulfill our contractual obligation to provide the Service.
Contact Data
Email address, phone number, and residential address. Collected for account management, communications, and regulatory compliance (CDD requirements).
Financial Data
Transaction history, account balances, bank account details for linked accounts, and card transaction records. Collected to provide the Service, monitor for suspicious activity, and comply with BSA reporting requirements.
Technical Data
IP address, device information, browser type, login timestamps, and session data. Collected for security purposes (fraud detection, unauthorized access prevention) and legitimate business interest in maintaining service integrity.
Our legal bases for processing personal data include: compliance with legal obligations (BSA/AML requirements), performance of a contract (providing the Service), and legitimate interests (fraud prevention, service improvement, and security).
13. Data Sharing
We share personal data with third-party service providers only as necessary for service delivery and regulatory compliance. We do not sell personal data to third parties, and we do not share data for marketing purposes without your explicit consent.
Data is shared with the following vendors in the course of providing the Service:
- Privy — Receives email address and authentication data for user login and wallet provisioning.
- Bridge — Receives identity data (name, DOB, address, ID images, selfie) for KYC verification, and financial data for card issuance and crypto conversion.
- Column N.A. — Receives identity and financial data necessary for bank account provisioning, transaction processing, and regulatory compliance.
- Chainalysis — Receives cryptocurrency wallet addresses for OFAC/SDN sanctions screening. No personal identity data is shared with Chainalysis.
We may also share data with law enforcement agencies, regulatory authorities, or courts in response to valid legal process, including subpoenas, court orders, or regulatory examination requests.
14. Data Rights
Depending on your jurisdiction, you may have the following rights with respect to your personal data:
- Right of Access — You may request a copy of the personal data we hold about you.
- Right of Correction — You may request correction of inaccurate or incomplete personal data.
- Right of Deletion — You may request deletion of your personal data, subject to the BSA 5-year retention override for compliance records. Data required for BSA compliance cannot be deleted until the retention period has expired.
- Right of Portability — You may request that your personal data be provided in a structured, commonly used, machine-readable format for transfer to another service provider.
To exercise any of these rights, contact our support team. We will respond to your request within 30 calendar days. In certain circumstances, we may request additional information to verify your identity before processing a data rights request.
Please note that the BSA 5-year retention requirement supersedes deletion rights under CCPA, GDPR, and other data protection regulations for records classified as BSA compliance records. We will inform you if any portion of your deletion request cannot be fulfilled due to regulatory retention obligations.
15. Training
All Axtior Inc. employees receive comprehensive AML training upon hiring and annual refresher training thereafter. Training is tailored to each employee's role and responsibilities, with more intensive training provided to compliance staff and personnel who interact directly with customers or handle financial transactions.
Training covers the following topics: overview of BSA/AML regulations and FinCEN requirements, recognizing red flags and indicators of suspicious activity, SAR and CTR filing procedures and responsibilities, OFAC sanctions compliance and screening procedures, customer identification and due diligence requirements, and data privacy and security best practices.
Training records, including attendance, content covered, and assessment results, are maintained for a minimum of five years. The training program is reviewed and updated annually to incorporate changes in regulations, new enforcement actions, emerging typologies, and lessons learned from internal audits and examinations.
The BSA Compliance Officer is responsible for overseeing the training program and ensuring that all staff remain current on their compliance obligations.
16. Independent Testing
Axtior Inc. engages a qualified independent third party to conduct an annual review of the AML program. The independent testing evaluates the effectiveness of our policies, procedures, and controls, and identifies areas for improvement. This requirement is mandated by BSA regulations and is a critical component of a sound AML compliance framework.
The scope of independent testing includes: review of the CIP/CDD program for completeness and accuracy, assessment of transaction monitoring system effectiveness and calibration, evaluation of SAR and CTR filing processes and timeliness, review of OFAC screening procedures and match resolution, assessment of training program adequacy, and review of record-keeping practices and data security.
Findings and recommendations from the independent testing are documented in a formal report that is presented to the BSA Compliance Officer and senior management. An action plan is developed to address any identified deficiencies, with specific timelines and responsible parties assigned.
Progress on remediation actions is tracked and reported to senior management on a quarterly basis until all findings are resolved. The independent testing report and all related documentation are retained for a minimum of five years.