Preamble

Fortiblox Labs LLC ("Fortiblox") is a limited-liability company. This page sets out Fortiblox's anti-money-laundering ("AML") and sanctions posture, its non-custodial operating model, and the division of regulatory responsibility between Fortiblox and the licensed money-transmitter partners whose services Fortiblox software may integrate. It is a statement of how Fortiblox operates today; it is not a substitute for the Terms of Service or the Privacy Policy, both of which govern your use of Fortiblox software.

1. Corporate identity

Fortiblox Labs LLC is a limited-liability company in good standing. Entity and registered-agent details are available on request by writing to [email protected] and stating the purpose of the request. Fortiblox is an independent software provider building infrastructure for public blockchain networks. Fortiblox does not operate a bank, a broker-dealer, an investment-adviser business, a money-transmission business, or any regulated financial-services franchise.

2. Non-custodial posture

Fortiblox's operating model is non-custodial. Fortiblox states, without qualification:

  • No custody of customer funds. Fortiblox does not custody, hold, control, or take possession of customer funds — whether fiat currency or cryptocurrency — at any point in any transaction flow. Fortiblox does not operate customer accounts, does not maintain customer balances, and does not commingle customer assets with its own.
  • Licensed partner handles the fiat leg. Where Fortiblox software integrates a licensed money-transmitter partner (a Money Services Business, or "MSB"), the licensed partner is the entity that handles the fiat leg of the transaction and the entity that has possession of customer funds during that leg. Fortiblox is a software vendor to that integration.
  • No card data. Fortiblox does not receive, process, or store payment-card numbers, security codes, expiry dates, cardholder names, or billing addresses. Card data is captured, tokenised, and processed exclusively by the licensed partner on that partner's own PCI-DSS-compliant infrastructure.
  • On-chain verifiability. Cryptocurrency transactions facilitated by Fortiblox software occur on public blockchains and are cryptographically verifiable. Transaction destinations, amounts, and timing are visible on-chain and can be independently audited.

3. KYC reliance

Where Fortiblox software integrates a licensed money-transmitter partner:

  • The licensed partner performs KYC. All Know-Your-Customer and Customer Identification Program ("CIP") requirements are performed by the licensed partner in accordance with the U.S. Bank Secrecy Act (31 U.S.C. § 5311 et seq.) and its implementing regulations at 31 C.F.R. Parts 1010, 1020, and 1022, or the analogous obligations under the partner's home-jurisdiction licence.
  • Fortiblox does not collect KYC-derived PII. Fortiblox does not collect, store, or process government-issued identification, biometric data, proof-of-address documentation, or any personal information derived from a KYC or CIP procedure. The identification data collected during KYC resides with the licensed partner and is governed by that partner's own privacy notice.
  • No MSB registration. Fortiblox does not hold Money Services Business registration with the Financial Crimes Enforcement Network ("FinCEN"), is not a "money transmitter" as that term is defined at 31 C.F.R. § 1010.100(ff), and, under its current operating model, is not required to register as such. Fortiblox monitors its activities on a continuing basis against the FinCEN money-transmitter definition and the interpretive guidance published by FinCEN concerning convertible virtual currencies (including FIN-2019-G001), and will register with FinCEN if and when its activities cross the regulatory threshold.

4. Sanctions compliance

Fortiblox maintains an OFAC-aligned sanctions-screening posture:

  • On-chain screening. Before facilitating any software-initiated on-chain transfer, Fortiblox screens the destination address against public sanctions-oracle data, including the Chainalysis on-chain sanctions list, which mirrors the U.S. Department of the Treasury's Office of Foreign Assets Control ("OFAC") Specially Designated Nationals and Blocked Persons ("SDN") list and equivalent EU, UK, and UN consolidated sanctions programmes.
  • Refusal to facilitate. Transactions involving addresses appearing on the OFAC SDN list, addresses identified by Chainalysis as belonging to a sanctioned entity, or addresses on any equivalent list administered by a jurisdiction whose law applies to Fortiblox are refused. The refusal is enforced at the software layer before the on-chain transfer is signed.
  • Fail-closed. Where the sanctions oracle is unreachable at the moment a transfer would otherwise be signed, Fortiblox software fails closed — the transfer is held pending screening rather than proceeding on an unchecked address.
  • Freeze, terminate, report. Fortiblox reserves the right to freeze in-flight transactions, terminate service to an implicated user, and report to relevant authorities where required by 31 C.F.R. Parts 500–599 (OFAC sanctions regulations), the International Emergency Economic Powers Act (IEEPA, 50 U.S.C. § 1701 et seq.), or subsequent regulation. Fortiblox will not delay a lawful report in order to warn the implicated party.
  • Prohibited jurisdictions. Fortiblox software is not offered to residents of jurisdictions subject to comprehensive U.S. sanctions, currently including Cuba, Iran, North Korea, Syria, the so-called Donetsk People's Republic, the so-called Luhansk People's Republic, and the Crimea region of Ukraine, together with any successor jurisdiction designated by OFAC.

5. Data protection

The full description of what personal data Fortiblox processes, on what legal basis, and how it is protected is set out in the Privacy Policy. At a high level:

  • Personally identifiable information ("PII") processed by Fortiblox is encrypted at rest using AES-256-GCM with keys managed under separation-of-duties controls.
  • PII is scrubbed from operational logs at ingestion; log records retain only pseudonymised identifiers sufficient for debugging and incident response.
  • Order records associated with software-facilitated financial transactions are retained for seven (7) years from the date of the Order, corresponding to the record-keeping obligation for transactions covered by the Bank Secrecy Act (31 U.S.C. § 5311; 31 C.F.R. § 1010.410).

6. Reporting suspicious activity

Fortiblox operates dedicated intake channels for compliance-relevant reports:

  • Suspicious activity reports: [email protected]. This mailbox is monitored by Fortiblox's security function and is the correct channel for reports of suspected money laundering, sanctions evasion, fraud, account takeover, or on-chain patterns consistent with illicit finance. Please include on-chain addresses, transaction signatures, and any timing information that would help our investigators corroborate the report.
  • Compliance inquiries and correspondence: [email protected]. Use this address for general AML/sanctions correspondence, policy questions, and non-urgent regulator engagement.

Fortiblox will acknowledge good-faith reports promptly and will treat the identity of the reporter as confidential to the extent permitted by law.

7. Regulatory contact

Fortiblox will cooperate with lawful requests from United States and international regulators, law-enforcement agencies, and courts of competent jurisdiction. Fortiblox maintains an internal runbook for the receipt, authentication, and response to subpoenas, court orders, and equivalent instruments, and intends to publish an annual transparency report summarising the aggregate volume and categories of requests received. Until that transparency report is first published, the current channel for regulator correspondence is [email protected]; please identify the requesting authority, the reference number, and the nature of the request, and Fortiblox will route the correspondence to its external counsel promptly.

Fortiblox will not respond to requests that lack lawful authority, and will notify affected users of a request where lawfully permitted to do so.

8. Effective date

Effective: 2026-07-14

Last updated: 2026-07-14

Fortiblox may revise this page from time to time to reflect changes in its operating model, changes in the licensed partners it integrates, or changes in applicable law. Revisions take effect on the "Effective" date shown above.