Security, Confidentiality & CIS Protection Statement
Effective date: 22 December 2025
This Statement is provided for informational transparency and summarizes security, confidentiality, and CIS-protection practices applicable to the Platform. It does not create additional warranties or modify the TradinLoop Terms of Service. If there is any inconsistency between this Statement and the Terms of Service, the Terms of Service prevail.
1) Purpose and scope
This Security, Confidentiality & Company Information Sheet (CIS) Protection Statement explains how TradinLoop protects information and administers the digital commercial workflow of B2B transactions on the TradinLoop platform (the “Platform”), including: onboarding qualification, secure matching, messaging, document exchange, auditability of key steps, and payment orchestration where enabled.
This Statement applies to:
• Visitors and registered users of the Platform and any associated sub-domains;
• Corporate onboarding and verification materials (the “Company Information Sheet” or “CIS”);
• Transaction-related data exchanged through the Platform (messages, documents, milestones, approvals, and related metadata).
2) Our role and what we do (and do not) “guarantee”
2.1 What TradinLoop commits to secure
TradinLoop commits to securing the administration of the commercial transaction on the Platform—meaning we apply layered administrative, technical, and physical safeguards to protect Platform data and to ensure that transaction steps are handled in a controlled, auditable, and confidentiality-preserving manner.
2.2 What remains outside TradinLoop’s responsibility
TradinLoop is a neutral marketplace operator and service provider. We are not the buyer or seller of record, do not take title to goods, and are not a party to the underlying sale/purchase contract between trading parties. Accordingly, the physical goods and their performance remain the sole responsibility of the relevant contracting parties (buyer, seller, logisticians, insurers, inspectors), in alignment with the agreed Incoterms and contractual risk allocation (including custody, insurance, carriage, quality/quantity procedures, discharge obligations, and risk of loss). TradinLoop does not guarantee delivery, quality, legality, payment, or conformity of goods, and does not assume responsibilities allocated to the parties under the applicable Incoterms or their contracts.
3) Company Information Sheet (CIS): confidentiality-by-design
TradinLoop’s CIS model is designed to enable serious counterparties while preserving confidentiality and minimizing unnecessary disclosures.
3.1 Purpose limitation (why we process CIS)
CIS is processed only to:
1. qualify participants (KYB/KYC, sanctions/PEP screening evidence as applicable),
2. enable compliant matching, and
3. execute transactions and Platform services in accordance with applicable laws.
3.2 “No disclosure before LOI” default
By default, TradinLoop does not disclose named CIS to other participants before there is a genuine prospect of a deal. Matching prior to LOI relies on non-identifying attributes (e.g., industry, aggregated capacities, regions, certifications, indicative ranges), not identity-revealing dossiers.
3.3 Controlled disclosure triggers (minimum necessary)
The minimum necessary CIS may be disclosed only when:
• a Letter of Intent (LOI) has been executed; or
• the data owner gives explicit, limited consent (defined fields, defined purpose, defined duration); or
• disclosure is required by law/regulation/court order/competent authority.
TradinLoop logs CIS disclosures (who/what/why/when) and retains logs in line with retention policy.
3.4 Data minimization (what we do not ask for by default)
TradinLoop is designed to avoid unnecessary collection of highly sensitive personal data. For example:
• We do not request passports or bank account details unless required for onboarding with regulated payment providers or for specific compliance obligations.
• Payment coordinates are shared at the payment stage only, and via secure channels, consistent with the Platform’s staged disclosure approach.
3.5 Commercial discretion / non-signalling
To limit market signalling and protect negotiating power, early disclosure of identities, supply/demand intentions, target prices, or volumes is deferred until LOI unless a disclosure trigger (LOI executed, explicit limited consent, or legal obligation) applies.
3.6 Confidentiality obligation (summary)
Information disclosed by a participant that is marked, designated, or reasonably understood to be confidential must be protected with reasonable care and used only as necessary to perform obligations under the Terms of Service and to administer the transaction workflow on the Platform.
4) Core security controls: layered safeguards
TradinLoop’s Platform is built on an enterprise SaaS environment and security framework that applies multiple, complementary layers of protection:
4.1 Encryption in transit and at rest
• In transit: Platform connections are protected using modern TLS (including TLS 1.2/1.3), with protections such as perfect forward secrecy and HSTS where applicable.
• At rest: Sensitive data is protected using strong encryption (e.g., AES-256 for relevant data classes), with controlled key management and restricted access.
4.2 Identity, authentication, and access control
• Least privilege / RBAC: Access is provisioned on a need-to-know basis, using role-based controls and administrative safeguards to reduce exposure risk.
• Multi-factor authentication: MFA is supported to reduce account takeover risk.
• Production access controls: Administrative access to production environments is protected with strong authentication and is logged and audited.
4.3 Monitoring, logging, and auditability
The Platform environment records and monitors security-relevant events and operational activity (e.g., event/audit/admin logs), with tamper-resistant approaches and anomaly detection to identify suspicious activity.
4.4 Secure development and vulnerability management
The Platform environment follows secure engineering practices, including secure SDLC controls, code screening, vulnerability scanning, and a vulnerability management workflow that prioritizes remediation based on severity. No method of transmission or storage is 100% secure. TradinLoop maintains safeguards designed to prevent, detect, and respond to threats, and continuously improves controls as risks and technologies evolve.
4.5 Network and application protection
The environment employs layered network defenses (e.g., segmentation, firewalls, intrusion detection/prevention, WAF controls, and DDoS mitigation) to reduce exposure and maintain availability.
4.6 Resilience: backups and disaster recovery
The environment supports systematic backups and data replication across data centers to support resilience and continuity, with defined retention practices for backups and recovery.
4.7 Physical security and staff safeguards
The environment includes physical access controls (restricted access, access logs, monitoring), and organizational controls such as security training and background verification practices for personnel in sensitive roles.
4.8 Independent assurance (certifications)
The enterprise hosting/security environment supporting the Platform is subject to independently audited controls and certifications (including ISO-family controls and SOC-type audits, as applicable).
5) Payment orchestration and sensitive financial data handling (TLPay)
Where payment orchestration is enabled, TradinLoop administers payment steps as a controlled workflow:
• Funds custody, on/off-ramp, and payouts are performed by regulated payment partners where applicable, and disbursements follow transaction terms (e.g., milestone-based releases).
• Banking details or payout coordinates are requested and shared only when needed for settlement, and access is restricted according to role and stage.
TradinLoop does not take custody of client assets; where applicable, regulated payment partners provide custody, on/off-ramp, and payout services.
6) Incident response and breach notification
TradinLoop maintains an incident response approach designed to detect, contain, investigate, remediate, and learn from security events, including user notification practices where applicable and legally required.
7) Data retention and deletion
TradinLoop applies retention limits aligned with business purpose, legal requirements, and security principles, including scheduled deletion practices for CIS and transaction data where appropriate.
8) User responsibilities (shared security)
Security is a shared responsibility. Users are expected to:
• keep credentials confidential and use strong passwords;
• enable MFA where available;
• limit internal access to authorized personnel;
• avoid uploading unnecessary sensitive personal data; and
• promptly notify TradinLoop of suspected unauthorized access.
9) Contact
For security inquiries or to report a suspected vulnerability or incident, contact TradinLoop through the channels listed in the Terms of Service.
