Program Parameters and Definitions (Fillable)

1. Program metadata

Company legal name: SUPRASTACK LLC
DBA / product name: SupraPay
Effective date: 2026-01-11
Version: v1.0
Approved by: Board
Program owner (Compliance Officer / MLRO): Compliance Officer / CEO
Primary regulators / frameworks (select as applicable):
- United States: Bank Secrecy Act (BSA) / FinCEN MSB obligations (as applicable), state MTL (if applicable)
- Sanctions: OFAC (as applicable), UN/EU/UK sanctions (as applicable)
- EU: AMLD / applicable national transpositions; Regulation (EU) 2024/1624 (as applicable)

Describe the user journeys supported by your platform and which components are provided by Bridge and/or other third parties.

User types:
- Individual
- Business (KYB)
Core services (examples):
- Fiat on-ramp and off-ramp
- Crypto-to-crypto conversions (if applicable)
- Stablecoin purchase/sale and custody (via Bridge)
- Virtual accounts / vIBANs (if applicable)
- Payouts to user-owned accounts (if applicable)
Asset types supported:
- Stablecoins: USDC, USDT
- Other digital assets: SOL
Jurisdictions supported: United States (US only)
Channels:
- Web app
- Mobile app
- API (if any)

Maintain a detailed “RACI” as an appendix if needed.

Bridge: [Describe responsibilities per contract: onboarding/eligibility/identity verification, transaction monitoring, recordkeeping, custody, order processing, etc.]
Company (Developer): [Describe responsibilities per contract: user interface, secure API credential storage, user consent to Bridge terms, user support intake/escalation, suspicious activity reporting to Bridge, etc.]
KYC/KYB provider (if separate): Persona and/or Bridge (as applicable)
Sanctions/screening provider: Bridge
Blockchain analytics provider: Circle Program
Case management tool: Not yet selected

Risk appetite statement: Moderate risk appetite. The Program shall not support prohibited categories and shall apply EDD and risk-based restrictions for higher-risk users, transactions, and corridors consistent with BSA/FinCEN expectations and partner requirements.
Prohibited categories: Adopt/align with Bridge “Prohibited Activities List” and Company-specific prohibitions.
Restricted categories (EDD required): PEPs; high-risk industries; complex ownership structures; users with elevated adverse media; repeated monitoring alerts; higher-risk geographies as determined by the risk assessment.

KYC refresh:
- Standard risk: every 12 months
- High risk: every 6 months
Sanctions screening:
- Onboarding: Yes
- Ongoing (daily/continuous): [Yes/No]
- Pre-transaction: [Yes/No]
Transaction monitoring:
- Monitoring frequency: Real-time where technically feasible; otherwise daily batch reconciliation
- Scenario tuning cadence: Quarterly (or more frequently based on risk/events)
Record retention: 5 years (minimum; align to BSA recordkeeping expectations)
Incident response SLAs:
- Sanctions potential match triage: 4 hours
- High-severity TM alert triage: 24 hours

AML/CTF: Anti-Money Laundering / Counter-Terrorist Financing.
BSA: Bank Secrecy Act (U.S.).
CDD / EDD: Customer Due Diligence / Enhanced Due Diligence.
CIP: Customer Identification Program (U.S. terminology; use equivalent in other jurisdictions).
OFAC: U.S. Department of the Treasury, Office of Foreign Assets Control.
PEP: Politically Exposed Person (including domestic and foreign PEPs; close associates/family members).
SAR: Suspicious Activity Report (U.S.); equivalent suspicious transaction reports in other jurisdictions.
Transaction: Any order, conversion, on-ramp/off-ramp, transfer, payout, or other movement of value initiated or completed via the Program.
User: A customer of the Company accessing Bridge-enabled services through the Company’s interface.