AML/CFT & KYC Policy

Company: Summa GmbH
Registered Address: c/o Sielva Management SA, Gubelstrasse 11, 6300 Zug, Switzerland
Registration No.: CH-170.4.021.771-6
Domain/Platform: onegog.io
Document Owner: Statutory body of Summa GmbH
Effective Date: 26 September 2025

This Policy consolidates internal rules, procedures, and controls to prevent money laundering and terrorist financing (ML/TF) and to ensure compliance with applicable Swiss laws and international sanctions. It supersedes prior versions and adapts the structure and wording of the previously used policy while preserving its substantive controls.

1) Introduction
Summa GmbH (the “Company”) operates services that could be misused to launder proceeds of crime or to finance terrorism. This Policy sets binding internal regulations and controls to prevent such misuse and to ensure compliance with applicable anti‑money‑laundering and counter‑terrorist‑financing (AML/CFT) requirements, including international sanctions. Comparable controls apply to similar businesses in Switzerland and abroad because ML/TF risks are frequently cross‑border.

Failure to apply this Policy may result in breaches of statutory obligations with serious consequences. Therefore, all employees, officers, and relevant third parties must adhere to these rules at all times.

2) Purpose and Legal Basis (Meaning of this Document)
This Policy translates mandatory legal and regulatory obligations into practical procedures for onegog.io. It defines how we identify and verify customers, assess and monitor risk, detect and report suspicious activity, and apply sanctions and other restrictions. It is designed to comply with applicable Swiss AML/CFT legislation and regulations, as well as relevant international standards and sanctions regimes.

In simple terms, “money laundering” is activity intended to disguise the illicit origin of assets or to impede tracing those assets. Methods used for laundering often overlap with those used to finance terrorism; therefore, both areas are addressed together throughout this document.

3) Scope of Services (Virtual Asset Services)
For the purposes of this Policy, Virtual Asset Services include, without limitation:
Wallet services: generating or safeguarding customers’ cryptographic keys used to hold, store, or transfer virtual assets; and
Exchange services: exchanging virtual assets for fiat currency, fiat currency for virtual assets, or one virtual asset for another; and
Ancillary services: directly connected to the above.
A virtual asset is any electronically storable or transferable unit that can perform payment, exchange, or investment functions, unless specifically excluded by applicable payments, securities, or banking laws.
Services requiring registration, authorization, or licensing must not be provided without the appropriate permissions.

4) Definitions
AML/CFT Laws: The applicable Swiss anti‑money‑laundering and sanctions framework and other binding obligations relevant to the Company’s activities.
Customer: Any natural or legal person (i) with whom the Company has established or seeks to establish a business relationship; (ii) who has begun negotiations to establish such a relationship; (iii) with whom a business relationship has ended; or (iv) who uses the Company’s virtual asset services.
Business Relationship: A contractual relationship under which the Company provides virtual asset services (typically via a framework agreement).
Customer Instruction: Any instruction from the customer or its authorized representative requesting a virtual asset service or related action, regardless of channel or acceptance.
Virtual Asset Service Value: The value of assets made available by the customer for service provision or to be transferred, exchanged, or otherwise used; for linked services, the values are aggregated.
Currency Conversion: References to EUR may be converted into other currencies at the applicable authoritative daily reference rate.
Third‑Party Binding Force: These procedures also bind persons acting on the Company’s behalf in providing services or establishing business relationships (e.g., authorized representatives). The responsible person must ensure their acceptance and integration of these procedures.

5) Governance, Roles & Responsibilities
5.1 Staff and Resourcing
Obligations in this Policy apply to employees, contractors, the AML Officer, the Responsible Person(s), and any other person who may encounter potential ML/TF activity. Adequate staffing (qualitative and quantitative) must be maintained at all times. Where full, error‑free execution cannot be ensured (e.g., sudden staff shortages), activities must be reduced or suspended until remedied, subject to overriding legal obligations.

New or reassigned staff performing in‑scope roles must be assessed for:

sufficient language and communication skills for typical customers;
understanding of corporate structures and ownership for legal‑entity customers;
competence with required software and tools;
professional conduct and integrity to enforce identification and monitoring requirements; and
knowledge of procedures set out in this Policy, supported by training.

5.2 AML Officer
The AML Officer ensures the Company’s business activities comply with AML/CFT and sanctions obligations. Duties include implementing this Policy, overseeing identification and monitoring, coordinating suspicious activity handling, and liaising with competent authorities. The AML Officer typically manages personnel authorized to establish or negotiate business relationships for virtual asset services.

5.3 Responsible Person
The Responsible Person is any member of the Company’s statutory body. They oversee resourcing, approval of key decisions where required (e.g., certain high‑risk or PEP relationships), adoption of updates, and overall accountability for this Policy.

6) Politically Exposed Persons (PEPs)
A PEP is an individual who holds or has held a prominent public function at the international, national, or regional level (e.g., heads of state, senior government officials, members of parliament, senior judiciary, central bank board members, senior military officers, senior executives of state‑owned enterprises, ambassadors, etc.), as well as positions in EU/international organizations of similar standing.
Close associates and family members (e.g., immediate family, persons with close personal or economic ties, beneficial owners of legal entities set up for a PEP’s benefit) are treated as PEP‑related.
Enhanced due diligence (EDD) applies in line with risk.

7) Beneficial Ownership & Control
7.1 Beneficial Owner (BO)
For legal entities or legal arrangements, the **beneficial owner** is the natural person who ultimately owns or controls the customer through direct or indirect ownership or other means of control (e.g., voting rights, right to profits, ability to exercise decisive influence). Indicators include, for example, ownership of more than 25% of shares or voting rights (alone or acting in concert), control over entities that own the customer, entitlement to at least 25% of profits or distributions, or positions enabling decisive influence when BOs cannot otherwise be determined.

7.2 Controlling Person
A controlling person is any natural or legal person with the ability to exercise decisive influence over a company, directly or indirectly, including through the right to appoint/remove the majority of board members or by holding significant voting rights alone or acting in concert.

8) Customer Lifecycle Controls
8.1 Pre‑Onboarding (Before Establishing a Business Relationship)
The authorized employee will:

Create a customer file (physical and/or digital) to store all information and documents;
Perform initial identification (natural person vs. legal entity path);
Conduct preliminary screening (including sanctions and adverse information, where applicable);
Establish the customer’s risk profile per the Risk Assessment; and
Submit information to the AML Officer for a decision to approve or decline. Risk profiles B/C/D/E require particular scrutiny. If the customer is a PEP (or a legal entity involving a PEP), the statutory body’s approval is required.

8.2 Prohibitions on Entering a Business Relationship
The Company must refuse to onboard where, for example:

the customer fails to cooperate with identification/verification requests or provide required documents;
there are doubts about the accuracy, completeness, or authenticity of information or documents;
the customer appears to act as an undisclosed intermediary for another person and fails to provide satisfactory authorization;
EDD is required but senior approval is not granted;
the customer is a PEP and the source of funds/assets is unknown; or
the customer’s risk profile falls into a prohibited category.

8.3 Service Denial & Termination of Relationship
Services will be denied and/or an existing relationship terminated if, among other things:

the customer refuses identification when required, or refuses to provide a power of attorney where appropriate;
the customer refuses to cooperate with verification or provide supporting documents;
the customer becomes a PEP (or PEP‑related) and risk cannot be adequately mitigated or required approvals are not granted;
information provided appears false or inconsistent and doubts are not resolved;
risk escalates to a prohibited level;
remote identification is used but the first payment from a same‑name account fails (further services are blocked until in‑person identification succeeds); or
sanctions are identified and required permissions (where applicable) are absent.

All such cases must be escalated to the AML Officer without delay.

9) Sanctions Compliance
9.1 International Sanctions
International sanctions are restrictive measures issued by competent authorities (e.g., UN, EU, Switzerland) to maintain peace and security, protect fundamental rights, and combat terrorism. The Company enforces such measures across all operations.

9.2 Sanctions Lists
Legally binding sanctions lists include, for example, consolidated lists issued by the UN and EU, as well as relevant Swiss measures. The Responsible Person must ensure access to up‑to‑date lists for screening.

9.3 Persons to Screen
Before onboarding (and periodically thereafter), the Company screens:

the customer (natural or legal person) and any persons acting on the customer’s behalf;
for legal‑entity customers: the customer entity, members of the management or statutory bodies, controlling persons, beneficial owners, and other identified relevant persons, and
known counterparties to the customer’s transactions where identifiable.

9.4 Record of Screening
Each screening must record: (i) date and performer (or automation), (ii) list of persons screened, (iii) sources/lists used, and (iv) the outcome (positive/negative).

9.5 Sectoral/Program Sanctions Awareness
In addition to name screening, staff must understand current program/sector sanctions (e.g., dual‑use goods restrictions) and escalate any indications that the customer’s activity may relate to restricted goods/services or destinations.

9.6 Procedure for Sanction Hits
If international sanctions apply to a customer or related person—or the services are linked to a sanctionable context—the case is treated as suspicious, escalated to the AML Officer and statutory body, and handled in accordance with applicable law.

10) Initial & Ongoing Customer Due Diligence (CDD)
The initial customer check determines whether: (i) the customer meets eligibility criteria; (ii) the risk profile is acceptable; and (iii) subsequent activity is consistent with the customer’s profile. Ongoing monitoring ensures activity remains consistent with purpose, source of funds/wealth, and expected behavior.

11) Indicators of Suspicious Activity
A suspicious activity is any service or behavior giving rise to a reasonable suspicion of money laundering or terrorist financing, including attempts. Illustrative indicators include (non‑exhaustive):

payments from unusual or unrelated accounts, or from multiple unrelated accounts;
use of services from multiple countries without clear rationale;
patterns or volumes inconsistent with the customer’s profile or stated purpose;
unnecessary cash usage or frequent redemptions without economic rationale;
transfers to third‑party accounts without clear relationship;
fictitious or unverifiable businesses;
abrupt spikes in activity or long dormancy followed by sudden high usage;
structuring below monitoring thresholds;
attempts to avoid or negotiate away identification/verification;
contradictory, evasive, over‑explained, or obviously coached information;
adverse media linking the customer or counterparty to illegal activity;
links to jurisdictions with known ML/TF deficiencies;
documents showing signs of tampering or unacceptable quality for identification; and
any scenario described elsewhere in this Policy as requiring refusal or termination.

Presence of an indicator does not automatically mean suspicion; context matters. Conversely, absence of listed indicators does not preclude suspicion.

12) Suspicious Activity Handling & Reporting
Employee actions: Immediately inform the AML Officer; provide all data and documents (identification, verification, transaction), state reasons for suspicion, and cooperate with requests.
AML Officer actions: Promptly assess the case, determine whether to delay execution, and file the statutory suspicious activity/transaction report with the competent authority within required timelines.

13) Information Requests from Authorities
Upon lawful request, the Company will provide information about services or relationships under investigation within the specified time limits, including access to records and documents. Staff must assist the AML Officer and Responsible Person in fulfilling this obligation.

14) Confidentiality
Employees, the Responsible Person, and the AML Officer must keep confidential: (i) suspicious activity notifications and related investigations; (ii) actions by competent authorities; and (iii) information‑sharing carried out under legal obligations. Confidentiality survives role changes and termination of employment or services. Legally permitted disclosures (e.g., to competent authorities) are handled by the Responsible Person/AML Officer.

15) Training
Coverage: All staff who may encounter ML/TF risk, including the AML Officer and Responsible Person.
Content: This Policy, the Risk Assessment, applicable AML/CFT rules, and relevant updates.
Frequency: At least annually and prior to assuming in‑scope duties for new/transferred staff.
Records: Attendance and training content are recorded and archived.

16) Record‑Keeping & Archiving
What: Customer identification/verification data, transaction/service records, internal forms and records, suspicious‑activity files and submissions, and training records.
Form: Paper and/or digital, with secure backups for digital records. Certain originals or certified copies (e.g., powers of attorney, IDs) must be retained in original if required by law.
Traceability: Each record must indicate the related relationship/service, responsible staff, and relevant dates.
Retention: Relationship/service records retained for 10 years from the first day of the calendar year following termination of the relationship; training records for at least 5 years after the session; risk assessment reports for at least 5 years or as otherwise required.

17) Policy Maintenance: Assessment & Updates
Annual Review: At least every 12 months, the Responsible Person assesses whether this Policy and the Risk Assessment remain current and proportionate to the nature, scale, and complexity of the Company’s activities; updates are made as needed.
Out‑of‑Cycle Updates: Triggered by changes in business model/strategy, legal or regulatory changes, new risk information, or conclusions from the Risk Assessment.
Documentation: Every assessment and update is documented; substantive changes trigger targeted staff training with recorded content and attendance.
Approval: Changes are approved by the Company’s statutory body.

17.1 Customer Data Updates
Following Policy or Risk Assessment changes, the Responsible Person ensures customer information (identification, verification, and other ML/TF‑prevention data) is reviewed and updated as needed—at the latest before the next transaction with the customer.

Appendix A — Country Risk Categorization (Illustrative)
The Company applies a risk‑based approach to country risk when constructing customer risk profiles. Categories below are **indicative** and assessed together with other risk factors by the AML Officer. External high‑risk lists (e.g., EU/FATF) must be considered where applicable.

Categories:
Black List — highest risk
High Risk
Low Risk

Note: Inclusion here is for internal risk‑rating purposes and does not replace legally binding sanctions lists or official PEP registers.

Black List (illustrative)
Abkhazia; Afghanistan; Akrotiri and Dhekelia; Antarctica; Artsakh; Burkina Faso; Belarus; Central African Republic; Congo (Democratic Republic of); Crimea; Donetsk People’s Republic; Haiti; Hawaii; Heard and McDonald Islands; Iran; Iraq; Kosovo; Libya; Luhansk People’s Republic; Mali; Myanmar; Nicaragua; North Korea; Pakistan; Palestinian Territory; Russia; Somalia; South Ossetia; South Sudan; Syria; Transnistria; U.S. Minor Outlying Islands; U.S. Virgin Islands; USA; Venezuela; Western Sahara; Yemen; Zimbabwe.

High Risk (illustrative)
Åland Islands; Albania; Algeria; Angola; Anguilla; Antigua and Barbuda; Argentina; Armenia; Aruba; Ashmore and Cartier Islands; Azerbaijan; Bahamas; Bahrain; Bangladesh; Barbados; Belize; Benin; Bermuda; Bhutan; Bolivia; Bonaire; Bosnia and Herzegovina; Botswana; Bouvet Island; Brazil; British Indian Ocean Territory; British Virgin Islands; Brunei; Bulgaria; Burundi; Cambodia; Cameroon; Canada; Canary Islands; Cape Verde; Caribbean Netherlands; Cayman Islands; Ceuta; Chad; Chile; China (PRC); Christmas Island; Clipperton Island; Cocos (Keeling) Islands; Colombia; Comoros; Congo; Cook Islands; Coral Sea Islands; Costa Rica; Croatia; Cuba; Curaçao; Djibouti; Dominica; Dominican Republic; Easter Island; Ecuador; Egypt; El Salvador; Equatorial Guinea; Eritrea; Eswatini; Ethiopia; Falkland Islands; Faroe Islands; Micronesia; Fiji; French Guiana; French Polynesia; French Southern Territories; Gabon; Gambia; Georgia; Ghana; Gibraltar; Greenland; Grenada; Guadeloupe; Guam; Guatemala; Guernsey; Guinea; Guinea‑Bissau; Guyana; Honduras; Hong Kong; Hungary; Iceland; India; Indonesia; Isle of Man; Israel; Côte d’Ivoire; Jamaica; Japan; Jersey; Jordan; Kazakhstan; Kenya; Kiribati; South Korea; Kuwait; Kyrgyzstan; Laos; Lebanon; Lesotho; Liberia; Liechtenstein; Madagascar; Madeira; Malawi; Malaysia; Maldives; Malta; Marshall Islands; Martinique; Mauritania; Mauritius; Mayotte; Melilla; Mexico; Moldova; Monaco; Mongolia; Montenegro; Montserrat; Morocco; Mozambique; Namibia; Nauru; Navassa Island; Nepal; New Caledonia; New Zealand; Niger; Nigeria; Niue; Norfolk Island; North Macedonia; Northern Mariana Islands; Oman; Palau; Panama; Papua; Papua New Guinea; Paraguay; Peru; Philippines; Pitcairn Islands; Puerto Rico; Qatar; Réunion; Romania; Rwanda; South Georgia & South Sandwich Islands; Saba; Saint Barthélemy; Saint Helena/Ascension/Tristan da Cunha; Saint Kitts and Nevis; Saint Lucia; Saint Martin; Saint Pierre and Miquelon; Samoa; San Marino; São Tomé and Príncipe; Saudi Arabia; Senegal; Serbia; Seychelles; Sierra Leone; Singapore; Sint Eustatius; Sint Maarten; Solomon Islands; South Africa; Sri Lanka; Saint Vincent and the Grenadines; Sudan; Suriname; Svalbard and Jan Mayen; Taiwan; Tajikistan; Tanzania; Thailand; Timor‑Leste; Togo; Tokelau; Tonga; Trinidad and Tobago; Tunisia; Türkiye; Turkmenistan; Turks and Caicos Islands; Tuvalu; Uganda; Ukraine; United Arab Emirates; Uruguay; Uzbekistan; Vanuatu; Vatican City; Vietnam; Wake Island; Wallis and Futuna; West Papua; Zambia.

Low Risk (illustrative)
Australia; Austria; Belgium; Cyprus; Czech Republic; Denmark; Estonia; Finland; France; Germany; Greece; Ireland; Italy; Latvia; Lithuania; Luxembourg; Netherlands; Norway; Poland; Portugal; Slovakia; Slovenia; Spain; Sweden; Switzerland; United Kingdom.

Appendix B — Activity Risk Categorization (Illustrative)

The Company also applies risk categories to customer activity. Categories are indicative and applied alongside other factors. Where an activity is marked “industrial” it refers to large‑scale enterprises (e.g., >100 employees, >€20m assets, >€3m monthly turnover); at least two criteria should be exceeded.

Categories:
Black List — prohibited/highest risk
High Risk
Medium Risk
Low Risk

Black List (prohibited/highest risk)
Illegal products/activities (per applicable laws and international conventions); weapons (incl. WMD, ammunition, pyrotechnics, cold weapons); narcotics and certain pharmaceuticals/related accessories; tobacco (growing, manufacturing, wholesale/retail); prostitution and related adult activities (e.g., outbound telemarketing linked to scams, certain night clubs/cabarets where justified by risk), high‑risk telemarketing (horoscopes/predictions), chain letters, timesharing schemes of abusive nature, certain debt collection agencies, replica products, certain political or religious organizations depending on risk and legal constraints, and guarantees with unquantifiable risk.

High Risk
Sub‑acquiring/merchant aggregation; licensed dealers in diamonds/gems/jewellery/precious metals; licensed alcohol (wholesale/retail); adult content (with age/consent verification) and dating services; licensed money exchange/forex/CFD; gambling/betting/lotteries (including online, poker rooms), subject to licensing; financial and insurance activities and auxiliaries; provision of virtual asset services (exchange/trading); large‑scale agriculture/forestry/fishing (industrial); mining and quarrying (industrial); certain manufacturing sectors (industrial, including batteries/chemicals/pharma, electronics, metals, petroleum products, motor vehicles/transport equipment); energy utilities (industrial); water/waste management (industrial); construction (industrial); human health services; real estate (incl. agencies); activities of extraterritorial organizations; arts/entertainment/recreation; membership organizations and trade unions.

Medium Risk
Motor vehicle trade/repair; wholesale trade; accommodation (hotels, short‑stay, camping); information and communication (publishing; film/TV production and post‑production; sound recording; information services; hosting/web portals); professional services (legal, accounting, consulting, PR/communications, architecture/engineering, geodesy/geology, testing/analysis, R&D, advertising/market research); administrative/support services (rental/leasing, employment agencies, travel/tour operations, security/investigation); education (all levels); ticketing and travel (air, rail, bus, taxi, transport, concerts/cinema/events).

Low Risk
Retail (general), food and restaurants; non‑industrial manufacturing; medium‑risk activities with turnover < €5,000/month; individuals using services for personal purposes (e.g., investing in virtual assets); and other low‑risk activities as assessed.