Security Statement

---

1. Overview

Meridian Solution's e-money accounts, payment and foreign exchange services are provided by Ebury Partners UK Limited. Ebury Partners UK Limited is authorised and regulated by the Financial Conduct Authority (FCA) as an Electronic Money Institution (Reference number 900797).

This security statement applies to the products, services, websites and apps offered by Ebury Partners UK Limited ("Ebury"). Ebury values their customers’ trust and takes its role as data custodian very seriously. Your information is stored securely and the safety practices detailed below aim to provide you with complete transparency over how your data is protected. More information on how they collect and use data is outlined in the following Privacy Policy.

The FCA requires standards to be met across three areas and Ebury exceeds all three of these standards which are as follows:

Capital Adequacy

The levels of capital requirements are based on Ebury’s level of activity. The FCA regularly reviews their capital adequacy on an annual basis.

Client Protection

Client funds are held in segregated accounts, entirely separate from Ebury’s own operating accounts, so client funds are always safeguarded.

Robust Internal Risk Management

Ebury has strict governance and operational processes in place to scrutinise the accuracy of each of their transactions, with appropriate involvement from their Directors. Compliance with Ebury's governance and processes is regularly audited.

---

2. Compliance

Ebury complies with the regulations imposed by GDPR, PSD2 and MiFID II, among others. Should clients feel unsatisfied with their experience, the complaints policy can be found here.

---

3. Physical Security

Ebury uses AWS and Google hosting facilities, which are PCI and ISO accredited, and employs robust physical security controls to prevent physical access. Controls include 24/7/365 monitoring and surveillance, on-site security staff and regular on-going security audits. Ebury offices are provided with access control passes for staff, alarm systems, security cameras for critical zones, and security teams that patrol the buildings regularly.

---

4. Network Security

Ebury production environments are hosted using advanced Cloud Technologies, Amazon Web Services and Google Cloud. Security controls such as IP restriction, VPN access for employees and admins, Intrusion Detection Systems (IDS) to detect, avoid and manage threats in real time, Web Application Firewall (WAF) to protect their Web servers against OWASP Top 10 most critical web security risks, and anti-phishing/spoofing security measures (email server side) are in place.

---

5. User authentication

User access to Ebury Online, Ebury’s client platform, is through a 2-factor authentication method, requiring a set username/password and a one-time-password, delivered via text or email. For Ebury’s internal applications, access is also achieved through a 2-factor authentication method provided by Google, using federated access based on SAML 2.0 and SSO technologies.

---

6. Data Encryption

Ebury uses proven transport layer security (TLS) technology from the most trusted providers to encrypt all data transmissions between your device and their servers. TLS technology is designed to protect your information by establishing a secure connection with their servers through a trusted third party, from which your data can pass to their servers protected by malicious intent. They also use AES 256 encryption before data is durably stored, commonly referred to as ‘at-rest’ encryption.

---

7. SWIFT

Ebury can send or receive certain currencies via the SWIFT payment network. SWIFT payments are a type of international transfer sent via the SWIFT network. Ebury secures its local SWIFT-related infrastructure by putting in place the right people, policies and practices, that are critical to avoiding cyber related fraud, and Ebury is attested on the SWIFT Customer Security Program. This security framework is based on ISO 27000 controls and is practiced for all their counterparties.

---

8. Logging and Monitoring

Ebury continuously monitors applications and infrastructure systems log information from a centrally managed log repository for troubleshooting, security reviews, and analysis by authorised Ebury personnel. Logs are preserved in accordance with regulatory requirements.

---

9. Development

User access to Ebury Online, Ebury’s client platform, is through a 2-factor authentication method, requiring a set username/password and Their development team employs secure coding techniques and best practices, focused around the OWASP Top Ten. Development, testing, and production environments are separated. All changes are peer reviewed and logged for performance, audit, and forensic purposes prior to deployment into the production environment. a one-time-password, delivered via text or email. For Ebury’s internal applications, access is also achieved through a 2-factor authentication method provided by Google, using federated access based on SAML 2.0 and SSO technologies.

---

10. Personnel

Ebury conducts background screening at the time of hire (to the extent permitted or facilitated by applicable laws and countries). In addition, Ebury communicates its data security policies to all personnel (who must acknowledge this) and requires new employees to sign non-disclosure agreements and provides ongoing privacy and security training.

---

11. Operational Management and dedicated Security personnel

Ebury has a dedicated Trust & Security team, which focuses on application, network, and system security. This team is responsible for implementing policies and procedures designed to ensure that their clients’ data is secure. Their security team is continually evaluating new security threats and implementing updated countermeasures designed to prevent unauthorised access. Access to all Ebury production systems and data is limited to authorised members of the Ebury technical support teams.

---

12. Asset Management

Ebury maintains an asset management policy which includes identification, classification, retention, and disposal of information and assets. Company-issued devices are equipped with full hard disk encryption and up-to-date antivirus software. In addition, a BYOD policy is applied for mobile devices and laptops to access corporate and production networks.

---

13. Information Security Incident Management

Ebury maintains security incident response policies and procedures covering the initial response, investigation, customer notification (no less than as required by applicable law), public communication, and remediation.

---

14. Breach Notification

Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. However, if a security data breach becomes known, affected users are notified in order to take appropriate protective steps. Their data breach notification procedures are consistent with their obligations under the applicable country level, state and federal laws and regulations, as well as any industry rules or standards applicable. They are committed to keeping their customers fully informed of any matters relevant to the security of their account and providing all the information necessary for them to meet their own regulatory reporting obligations.

---

15. Information Security Aspects of Business Continuity Management

Ebury has implemented business continuity according to the potential security risks analysed. Their cloud model allows them to move seamlessly between locations in the event one becomes inaccessible, by using advanced AWS technologies to guarantee suitable levels of high availability based on availability zones, load balancers, and auto-scaling techniques. Databases are daily backed on a rotating basis of full and incremental backups and are verified regularly. Backups are encrypted and stored within the production environment to preserve their confidentiality and integrity and are tested regularly to ensure availability.

---

16. Vulnerability Management and Penetration Tests

Ebury maintains a documented vulnerability management program which includes periodic scans, identification, and remediation of security vulnerabilities on servers, workstations, network equipment, and applications. All networks, including test and production environments, are regularly scanned using trusted third-party vendors. Critical patches are applied to servers on a priority basis and as appropriate for all other patches. They also conduct regular external penetration tests and re-mediate, according to the severity for any results found.