Business Continuity And Recovery Plan
Last Update: 26 June 2025
1. PURPOSE AND SCOPE
This Business Continuity and Recovery Plan (Business Continuity and Disaster Recovery Plan) ("Plan") is prepared in accordance with the Capital Markets Law No. 6362 ("Law"), the Communique on the Principles Regarding the Establishment and Operating Procedures of Crypto Asset Service Providers No. III-35/B.1 ("Operating Principles Communique"), and the Communique on the Procedures and Principles of the Activities and Capital Adequacy of Crypto Asset Service Providers No. III-35/B.2 ("Working Procedures Communique"), as well as other relevant capital markets regulations. The Plan outlines the actions and risks that may arise in the event of a crypto asset loss and provides the general principles for the actions to be taken in such cases, applicable to OKX TR Kripto Varlık Alım Satım Platformu Anonim Şirketi ("OKX TR" or the "Company").
The purpose of this Plan is to ensure the continuity of customer services, to carry out the compliance process with regulations, to protect the assets of both customers and the Company, and to coordinate the recovery of critical business functions, managing and supporting business recovery in the event of a loss of facility, a disruption to critical systems, loss of personnel, or a data breach.
The priorities in a disaster situation are to:
Ensure the safety of employees and visitors in the office buildings.
Mitigate threats or limit the damage that threats can cause.
Have advanced preparations to ensure that critical business functions can continue.
Have documented plans and procedures to ensure the quick, effective execution of recovery strategies for critical business functions.
The focus of this plan is on the recovery of technology facilities and platforms, such as critical applications, databases, servers or other required technology infrastructure. This plan does not address temporary interruptions of duration less than the periods determined to be critical to business operations.
In accordance with Article 47/4 of the Operating Principles Communique, this Plan shall be published on the Company's website. Partial publication of the Plan may be allowed, subject to the Company’s discretion.
2. UNEXPECTED INCIDENT
Unexpected Incident refers to the unplanned interruption of a service provided by the Company, which results in the loss of crypto assets held by the Company.
In response to an Unexpected Incident, the Company will take necessary actions to restore normal service operations as quickly as possible and minimize the impact of the Unexpected Incident to the lowest possible level.
a. Occurrence of an Unexpected Incident
Any event, regardless of its nature, that results in the loss of customer assets constitutes a cause of an Unexpected Incident.
i. Cyberattacks
Cyberattacks conducted through information systems may lead to the occurrence of an Unexpected Incident. The main types are as follows:
(a) Distributed Denial of Service (DDoS) Attacks: DDoS attacks involve sending excessive traffic to the Company, causing the system to become overloaded and leading to service interruptions. This can result in disruptions or halts in crypto asset transactions.
(b) Data Breaches: Unauthorized access to the Company's systems, resulting in the theft of customer data or crypto assets, poses a significant threat to the Company's security.
(c) Malware: Malware, viruses, trojans, or ransomware infiltrating the Company pose a security threat to the system and can lead to the loss of crypto assets.
ii. System Failures
The main types of system failures are as follows:
(d) Software Errors: Errors in the Company’s software that lead to incorrect processing of transaction data.
(e) Server Crashes: Failures in the server infrastructure that cause the Company to go offline and prevent customer transactions from being completed.
(f) Network Connectivity Issues: Problems in the network infrastructure that hinder access to the Company and jeopardize the security of crypto assets.
iii. Security Breaches
Unauthorized access or manipulation of transactions and the system by malicious personnel working within the Company, and similar occurrences.
iv. Natural Disasters and Interruptions
Infrastructure issues that prevent the system from functioning, such as natural disasters that damage physical infrastructure or power outages.
v. Operational Errors
Interruptions to the Company caused by accidental transactions, incorrect system configurations, or errors made during changes to system settings that render the Company inoperable.
vi. Supplier or Service Provider Issues
Interruptions in the Company’s operations due to disruptions in services provided by third-party service providers.
vii. Unexpected Incident Severity Levels
The severity level of an Unexpected Incident is assessed individually for each event, considering factors such as location, timing, and the potential damage to crypto assets.
The Company determines the severity levels of Unexpected Incidents independently of the risks to information systems.
3. RECORD KEEPING
A copy of this Plan will be retained for a minimum of ten (10) years or longer, in accordance with applicable legislation.