Emergency Contact Information And Risk Mitigation Measures Procedure

Published on Mar 29, 2025

Last Update: 26 June 2025

1. PURPOSE AND SCOPE

OKX TR Kripto Varlık Alım Satım Platformu Anonim Şirketi ("Company") has informed its customers about the possible risks related to crypto assets and transactions through the General Risk Notification Form published on its website, accessible at https://tr.okx.com/. This Emergency Contact Information and Risk Mitigation Procedure (“Procedure”) sets out the measures taken, in accordance with contingency plans, to minimize customer victimization in the event of possible risks, together with the contact information to be used in case of emergency and unexpected situations.

The purpose of this Procedure is to strengthen and standardize the process of handling the risks related to information security, to ensure that the Company responds to these risks correctly, to minimize the negative impact of the relevant risks, to inform clients about the minimum measures that can be taken to mitigate the relevant risks and to ensure the regular and stable development of the Company's information system.

2. RISKS OCCURRING WITHIN THE SCOPE OF INFORMATION SECURITY

a. Definition

Information security risks mean a single unintended and unexpected information security event, or a series of such events, that has a high probability of jeopardizing business operations and threatening information security, and that has the potential to adversely affect the confidentiality, integrity or availability of data and information. These risks may include, but are not limited to, the following:

  • Unauthorized alteration, disclosure or deletion of confidential information.

  • Changes to information, data or to system hardware, firmware or software specifications without knowledge, instruction or approval.

  • Technical malfunctions originating from computer systems.

  • Unauthorized access to, or use or modification of, system connections or applications.

  • Unauthorized access to computer systems (e.g. hacking and cybersecurity attack).

  • Loss or theft of physical records, data or equipment (e.g. cell phone, laptop) where confidential information is stored.

  • Virus or other security attacks on internal networks or applications.

  • A power outage that makes important information technology infrastructure unavailable.

  • Denial of Service (“DoS”) attack.

  • Distributed Denial of Service (“DDoS”) attack.

  • Network intrusion attempts.

  • Physical security breaches (e.g. forcing doors or windows into secure rooms).

b. Communicating with Customers and Relevant Authorities Regarding the Risk

When such a risk affects the service provided by the Company or causes business interruption, the Company shall immediately notify its clients through its customer support team via e-mail, SMS notifications or other communication channels that may be supported by OKX TR or otherwise provided under the relevant terms and conditions.

In these situations, the Company will inform the relevant regulatory and supervisory institutions and authorities in accordance with the applicable legislation, particularly the relevant capital markets legislation.

c. Measures Taken by the Company

If an information security risk occurs and the system of the device or personnel where the risk occurs will affect the systems of other devices and personnel, immediate containment measures will be taken. In this context, if a device within the Company is found to be infected with a network virus, the network connection of the relevant device will be disconnected.

If this risk results in equipment or personnel downtime and affects business operations, emergency measures are implemented and back-up resources are activated as soon as possible. In the scope of emergency rescue operations, necessary measures are taken to prevent secondary damage or loss of evidence related to the incident.

In order to determine the causes of the relevant risk and to find solutions to eliminate the risk in question, the relevant department of the Company carries out the necessary investigation and analysis studies.

In order to address this risk, the relevant units and departments of the Company shall work in coordination, meet to discuss this information security risk and develop solutions to it, and, if necessary, may decide to contact relevant third-party service providers to help address this risk.

Following the determination of the solution to be implemented in this matter, the relevant personnel of the Company carry out the implementation of the planned solution program to restore the system to normal operation, including the recovery and security repair of the system affected by the risk, and perform the necessary technical operations to prevent the same risk from occurring again. Afterwards, the effectiveness of the solution is reviewed and verified.

In addition to the provisions set forth in this Procedure, the necessary steps outlined in the Company’s Business Continuity and Recovery Plan shall be implemented in the process of managing information security risks and in order to remedy service interruptions caused by such risks and to ensure the continuation of operations as smoothly as possible.

The necessary elements related to this risk management process are recorded, and the documents prepared during this process are stored in accordance with the obligations set forth in the relevant legislation and the applicable policies and procedures established by the Company.

The necessary reports regarding the process of managing these risks and the outcomes of the solutions implemented in relation to these risks are prepared and submitted to the Company’s senior management and the Board of Directors.

In order to prevent this risk from occurring again, all security incident reports, and the security policies, standards and procedures related to security incidents (particularly the Risk Management Policy and other policies and procedures associated with it), are reviewed and it is determined whether the relevant documents need to be updated. In this context, when updating these policies, procedures, and standards, particular consideration is given to the requirements introduced by legislative amendments and to newly developed best practices aimed at mitigating information security risks.

Additionally, it is determined whether other systems and devices are also under a similar threat, and within this scope, proactive measures are taken if necessary. 

In addition, in order to implement the necessary improvements and corrections within this scope, necessary feedback is provided to the relevant units and departments of the Company affected by the risk in question.

Regarding the process of managing these information security risks, necessary training programs and awareness activities are provided to the Company’s personnel.

d. Measures That Can Be Taken by Customers

In order to prevent and eliminate the risks related to information security, it is recommended that the Company's customers take the measures and precautions listed below as examples:

  • Two-Factor Authentication (2FA) must be enabled. 

  • Passwords should be complex and unpredictable; the same password should not be used elsewhere and should be changed regularly.

  • Links from unknown sources should not be clicked on and emails from unknown accounts should be scrutinized carefully.

  • Security of the email account registered on the platform must be ensured.

  • Devices used to access the platform must have full antivirus software and updates, and if necessary, firewall applications should be used.

  • Periodic checks must be conducted to determine whether there are any security vulnerabilities on the relevant devices.

  • The platform account should not be accessed by connecting to unsecured internet networks offered in public and shared spaces such as cafes and airports.

  • In order to detect any unauthorized access, transaction result forms and account statements should be checked regularly.

  • Backups of login credentials and 2FA keys should be stored securely.

  • In case of loss of access to the platform account, the authentication process must be conducted.

  • In case of suspicious behavior, the Company's Customer Complaint Policy and Official Complaint Management Procedure should be utilized and Company personnel should be contacted immediately through the communication channels specified in the said policy and procedure or through the emergency contact information specified below.

3. EMERGENCY CONTACT INFORMATION

In the event of one of the emergency situations listed below as an example, customers may contact the relevant Company personnel via the contact addresses below regarding the services offered by the Company:

  1. Platform account hacking (for example: password interception, unauthorized access)

  2. Theft of login credentials as a result of phishing attacks

  3. 2FA is disabled, making the account vulnerable

  4. Failure to execute buy/sell transactions (due to reasons such as overcrowding, system failure)

  5. Balance display issues (for example: no or incorrect display of assets)

  6. Delays in wallet transactions (for example: prolonged withdrawals or deposits)

  7. API outages 

  8. OKX TR Crypto Asset Trading Platform’s systems being hacked (for example: distributed denial of service (“DDoS”) attacks)

  9. Customer's inability to access their account (due to reasons such as forgotten password, loss of e-mail)

  10. Loss of crypto assets (due to reasons such as personnel error, technical failure, etc.)

  11. Interruption of access to the Company's mobile app or website

In case of emergencies, the contact information of the Company personnel that customers can contact is given below:

Address : Maslak Mah., AOS 55. Sk. 42 Maslak B Blok Site No:4 Interior Door No: 542, Sarıyer/Istanbul

E-mail :

 

4. REGULAR REVIEW AND APPROVAL

This Procedure will be reviewed annually, or more frequently if necessary, by the Document Owner or the Document Author to ensure it remains up-to-date with regulatory changes and business practices. If deemed necessary (e.g., for the purpose of aligning with current industry practices or complying with new legislative requirements), it will be updated accordingly.

The Document Approver's approval is required at least once every year or when major and significant revisions are made, whichever comes first. Minor and limited revisions may be approved by the Document Owner, unless the Document Owner is also the Author.


5. RECORD KEEPING 

A copy of this Procedure will be retained for a minimum of ten (10) years or longer, in accordance with applicable legislation.