WRITTEN SAFEGUARDS AND WRITTEN PROCEDURES

Admiral strictly limits the persons that may access the live Admiral ATS production networks, databases, servers, and ATS applications (collectively, the "Admiral Systems") and data to those persons that must have such access to perform their jobs. Admiral enforces these protections by implementing access controls around the Admiral Systems. Permitted persons can only access these Admiral Systems through a secure authentication process.

1. Access Controls: Access to Admiral Systems and data is restricted to authorized persons based on job responsibility and approved in advance by Admiral Management. Admiral Management regularly reviews access rights to Admiral Systems. Individuals granted access to CTI are separated from those who do not have access to CTI. The separation is accomplished by use of segregated offices and/or privacy screens.

2. Authentication:
a. Individual access by associated persons to the Admiral Systems must be authenticated and is reviewed by Admiral Management.
b. Credentials for and access by administrative users are securely maintained and reviewed regularly by Admiral Management.
c. Admiral network services automatically enforce password complexity and password aging rules for access through secure VPN tunnels.

3. Logging:
a. Orders, trades and application configuration changes in the Admiral Systems are time-stamped and recorded in logs.
b. Ad hoc queries and ad hoc changes made to the Admiral Systems are logged and reviewed on a regular basis by Admiral Management.

B. Trading by associated persons

Admiral permits associated persons to maintain personal investment accounts with third party brokers.
Associated persons are required to disclose to Admiral all personal trading accounts controlled by the associated person (and other related accounts as set forth in Admiral policies, collectively "outside accounts") and provide Admiral with access to trading confirmations and account statements for these outside accounts. Admiral's compliance department reviews and monitors trading by all associated persons. Associated person accounts also include accounts of the associated person's spouse, partner, minor children and other members of the associated person's household and any account in which the associated person has an interest or has the power, directly or indirectly, to make or influence investment decisions (any person who is supported, directly or indirectly, to a material extent by the associated person).

All requests for transacting in equity securities by associated persons are required to be pre-approved by the CCO. The CCO or designee compares the requested transactions to activity on the Admiral ATS at the time of the request to verify that recent transactions on the Admiral ATS and confidential information available to the Admiral ATS do not appear in conflict with the associated person trade request. Any appearance of potential conflict would cause denial of the trade request and an investigation of whether any conflict exists. In addition to prior approval, associated persons must hold positions in securities eligible to be traded on the Admiral ATS for a minimum of 30 days unless the current value of the securities is less than the purchase price.

ADDITIONAL SAFEGUARDS FOR CTI

1. Cybersecurity Measures and Protections

A. Data Encryption
- Azure Disk Encryption (ADE): Encrypts the Operating System (OS) and data disks of the Linux-based Admiral ATS Order Management System (OMS), Matching Engine, Market Data Feeder, Database (specifically, the Relational Database Management System (RDBMS)) and other processes using dm-crypt, and the Windows-based ATS administrative tools using BitLocker. This protects data at the OS level.
- Server-Side Encryption (SSE): Automatically encrypts Azure-managed storage, such as logs and database backups, at the storage infrastructure level.
- Encryption in Transit: VPN tunnels (e.g., IPsec via Azure VPN Gateway) provide secure network-level encryption for FIX connections between ATS subscribers and the OMS, as well as Remote Desktop Protocol (RDP) sessions between Admiral ATS operators and Windows admin servers. In addition, Transport Layer Security (TLS) encryption is used where supported for added protection of data flows (e.g., web admin interfaces).

B. Identity and Access Management
- Azure Active Directory (AAD): Manages authentication for administrative applications and Role-Based Access Control (RBAC) to restrict access based on user roles (e.g., admin, operator, auditor).
- Multi-Factor Authentication (MFA): Ensures secure operator access to Windows administrative tools and RDP sessions.

C. Secure Networking
- Network Security Groups (NSGs): Firewall rules are applied to control traffic between Azure VMs, allowing only authorized FIX client traffic and inter-service communication.
- Azure Firewall: Inspects and filters incoming traffic to protect against external threats.
- Azure Bastion: Allows Admiral ATS operators to securely access Windows-based admin tools via RDP without exposing VMs to the internet.

D. Threat Detection and Monitoring
- Microsoft Defender for Cloud: Provides real-time detection of anomalies, security misconfigurations, and threats targeting the Admiral ATS environment.
- Azure Monitor: Tracks performance and logs from the Linux Admiral ATS software stack (OMS, Matching Engine, Market Data Feeder, RDBMS) and raises alerts for abnormal activity.

E. Backup and Recovery
- Azure Backup: Regularly backs up ATS system logs, RDBMS data, and administrative configurations.
- Azure Site Recovery: Replicates the entire ATS environment to a secondary region for business continuity in case of regional outages.

F. Regular Updates
- Azure Automation: Schedules and applies security patches and software updates to both Linux and Windows VMs, ensuring the ATS environment remains up-to-date and secure.

G. VPN Integration for Secure Remote Access
- Admiral ATS uses highly available and industry-standard Azure VPN Gateway for site-to-site and point-to-site VPN scenarios.
- To protect inbound FIX connections from ATS subscribers, a site-to-site or point-to-site VPN connection is established between the subscriber's network and Azure. This ensures FIX order flow travels securely over an encrypted tunnel.
- Admiral ATS personnel accessing administrative Windows machines via RDP also connect through the same VPN infrastructure, ensuring secure and private access without exposing RDP to the public internet.
- VPN access is tightly controlled via Azure Active Directory, Conditional Access policies, and IP whitelisting, ensuring only authorized users can establish VPN sessions.

3. System Safeguards

A. Physical Security
Azure data centers are certified to industry standards including ISO 27001, SOC 1/2/3. Facilities are protected by 24x7 surveillance, biometric access control, and multiple layers of physical segmentation. Admiral ATS systems are hosted in Azure West US 2 and Azure West Central US regions with geographic redundancy, backup power, and disaster recovery capabilities.

B. Log Monitoring & Retention
All logs generated by the Admiral Systems are centralized in a secure Azure Log Analytics workspace. Logs are retained in write-once, read-many (WORM) configuration, with alerts configured in Microsoft Sentinel for real-time threat detection and operational visibility.

C. Vulnerability Management
Regular vulnerability scans are conducted using Microsoft Defender and Azure Security Center. All critical and high-severity vulnerabilities are reviewed weekly and patched according to internal SLAs. Azure's integrated patch management helps automate and enforce security updates across both Linux and Windows systems.

D. Incident Response
Admiral ATS maintains a formal Incident Response Plan to manage and contain security incidents including data breaches, system outages, and regulatory violations. This plan is reviewed and tested annually, and includes designated roles across engineering, operations, compliance, and legal functions.

E. Third-Party Risk Management
Key vendors and third-party services used by Admiral ATS, including Azure infrastructure, clearing firms, and security tooling providers, are subject to annual reviews. These reviews assess confidentiality, data handling, service continuity, and regulatory alignment.

F. Security Assessments
Annual penetration testing is conducted by independent security firms. Vulnerability and configuration assessments are performed regularly using both internal tools and Azure Defender.

4. Periodic Reviews and Enforcement
- The Chief Compliance Officer (CCO) conducts periodic remote reviews, no less than annually, to ensure physical and electronic safeguards are functioning properly, including separation of individuals with CTI access. This includes a review of the firm's vendors' independent third party reports on systems and organizational controls (SOC 2).
- Admiral's COO and CCO conduct reviews of electronic communications to help determine if CTI is being distributed to unauthorized persons and to determine if files and e-mails that contain CTI are being encrypted.
- The protection of CTI is covered by the CCO during Admiral's Continuing Education program and annual compliance meetings.

5. External Disclosure
- Any disclosure of CTI must comply with Admiral's written policies and procedures and is permissible only in order to comply with regulatory requests.

6. Outside Business Activities
- Upon request from a (potential) subscriber, Admiral discloses all outside business activities of its associated persons.

INDIVIDUAL RESPONSIBILITIES FOR SAFEGUARDING CTI

All individuals with access to CTI must:
1. Refrain from discussing CTI in public places (e.g. elevators, hallways, restrooms, social gatherings).
2. Limit, where practicable, access to Admiral offices where CTI could be observed or overheard, permitting entry only to those with a business need.
3. Avoid using speakerphones in areas where unauthorized persons may overhear.
4. Use code names or numbers for confidential projects where appropriate.
5. Prevent unauthorized viewing of documents containing CTI; store them securely when not in use.
6. Destroy copies of confidential documents that are no longer needed and not otherwise required to be maintained under federal securities laws.
7. Restrict access to Admiral's records and offices so they are available only to persons who require it; visitors must be accompanied by an associated person of Admiral.
8. Dispose of documents containing CTI securely (e.g., by shredding), ensuring they are not readable or recoverable by unauthorized individuals.

All individuals with access to CTI shall attest on an annual basis that they understand and will follow these protocols which are included in Admiral's Written Supervisory Procedures. Individuals who fail to do so may face disciplinary action including termination.
PROCEDURES FOR THIRD PARTY PROVIDERS

Personnel of third-party service providers retained by Admiral may have access to CTI only to the extent necessary and appropriate to perform services for Admiral (for example, clearing, settlement, surveillance, and fraud detection). Admiral permits such access on a limited-scope, need-to-know basis and subject to Admiral's vendor diligence, contractual protections, and ongoing oversight and audit practices. Admiral periodically reviews the type and scope of any third-party access to CTI and confirms that each provider continues to have a valid business reason to access such information.

Admiral maintains an inventory of third-party suppliers with whom it conducts business. Prior to onboarding or integrating a new third-party supplier, Admiral conducts a risk assessment that evaluates (a) the type and classification of data the supplier may access or receive, and (b) potential threats to that data. For any third party that has access to, or may reasonably be expected to obtain access to, Confidential Trading Information, Admiral's risk assessment includes a review of the supplier's security controls, business continuity controls, and data protection and privacy practices, policies, and procedures. These reviews focus on the supplier's ability to protect the confidentiality, availability, and integrity of CTI at each point where such information is stored, transmitted, or processed.

- Vision -

Vision implements a comprehensive and rigorous set of safeguards and procedures to protect CTI. In addition, Vision has successfully completed a SOC 1 Type I examination. The safeguards and procedures include, but are not limited to:

1. Role-Based Access Controls
- Restrict data access to authorized personnel on a "need-to-know" basis.
- Use unique logins, strong passwords, and multi-factor authentication.

2. Encryption of Data
- Encrypt sensitive information both at rest (on servers) and in transit (via secure protocols like SSL/TLS).
- Frequently update and test encryption keys.

3. Network Monitoring & Audit Trails
- Maintain comprehensive logs of system access and data queries.
- Use real-time monitoring to identify unusual patterns or unauthorized attempts to access trading data.

4. Information Barriers ("Chinese Walls")
- Segregate departments (e.g., clearing vs. proprietary trading) through technical and administrative controls.
- Prevent improper sharing of client or trading data across business lines.

5. Physical Security Measures
- Secure server rooms with controlled card access, biometrics, or other identity checks.
- Enforce clean-desk policies and lock away any printed confidential records.

6. Written Supervisory Procedures (WSPs)
- Outline detailed processes for handling, storing, and sharing trading data.
- Define review and approval steps for any activity involving confidential information.

7. Training & Awareness
- Conduct regular sessions on data privacy, social engineering risks, and firm policies.
- Emphasize legal and regulatory consequences of sharing or mishandling CTI.

8. Incident Response & Escalation Protocols
- Formal plan for investigating potential data breaches or unauthorized disclosures.
- Define responsibilities and notification timelines for impacted clients, regulators, and internal teams.

9. Vendor and Third-Party Risk Management
- Vet third-party service providers for robust data security practices.
- Include confidentiality clauses and rights to audit in vendor agreements.

- TRAFiX -

TRAFiX is a third-party service provider that has access to CTI necessary to perform the services described below (Part III Item 5). Because TRAFiX is a service provider to Vision (not directly retained by Admiral), its access to CTI is governed by Admiral's clearing and services agreement with Vision. Vision maintains the direct contractual relationship with TRAFiX and imposes appropriate confidentiality, security, and data-protection obligations on TRAFiX. Admiral oversees Vision's performance of these obligations, including through the vendor due diligence, contractual protections, ongoing oversight, audit rights, periodic reviews, and risk-assessment processes described elsewhere in this Form ATS-N.