TRUST & COMPLIANCE
We built nxoras inside the regulated US banking system, not around it. Our products are delivered through a chartered partner bank, and the safeguards on this page exist because that bank, the FDIC, the OCC, the CFPB, and our customers are entitled to expect them.
nxoras is a financial technology company, not a bank. Customer deposit accounts are held at our FDIC-insured partner bank, a Member FDIC institution. Our partner bank is the bank of record for all customer funds and card transactions; nxoras provides the technology layer through which customers access their accounts.
Deposits placed in customer accounts are FDIC-insured up to $250,000 through our partner bank.
nxoras operates a written BSA/AML compliance program designed in coordination with our partner bank and aligned with the Bank Secrecy Act, the USA PATRIOT Act, and the program expectations of the federal banking agencies.
The program addresses the four pillars: a designated BSA/AML Compliance Officer, a written program and risk assessment, ongoing employee training, and independent testing on a defined cadence.
Every new customer is identity-verified before an account is opened. Our CIP collects, at minimum, the customer's legal name, date of birth, residential address, and government-issued taxpayer identification number, and verifies the data through a combination of documentary and non-documentary methods, including identity-document review, knowledge-based verification, and third-party data sources.
Customers whose identity cannot be verified are referred to manual review by a trained analyst; accounts may be declined or further documentation requested where risk indicators are present.
Prospective and existing customers, payment counterparties, and transactions are screened against the Specially Designated Nationals and Blocked Persons (SDN) List maintained by the US Treasury Department's Office of Foreign Assets Control (OFAC), as well as other applicable sanctions and watchlists.
Matches are reviewed by trained personnel and escalated to our partner bank where the program requires.
Customer activity is monitored on an ongoing basis through a rules-based and behavior-based system designed in coordination with our partner bank. Alerts are investigated under documented procedures, and suspicious activity is reported in accordance with the Bank Secrecy Act and our partner bank's policies.
nxoras handles non-public personal information in accordance with the Gramm-Leach-Bliley Act (GLBA), Regulation P, the California Consumer Privacy Act (CCPA) and its successor framework, and applicable state privacy laws.
Our Privacy Policy describes the categories of information we collect, the purposes for which we use it, the third parties with whom we share it, and the rights customers have to access, correct, and delete their data.
Customer data is protected in transit using TLS 1.3 and at rest using AES-256 encryption. Access to production systems is governed by role-based access controls, multi-factor authentication, and least-privilege principles.
Application security is reviewed through periodic third-party penetration testing and ongoing internal review. We are pursuing SOC 2 Type II attestation, with a targeted completion date in Q3 2026.
nxoras maintains a written third-party risk management program. Every vendor with access to customer information or material operational functions is reviewed before engagement and on a recurring basis thereafter, with findings shared with our partner bank as required.
Customers who believe an electronic fund transfer on their nxoras account is unauthorized or in error have the rights set out under the federal Electronic Fund Transfer Act and Regulation E.
Disputes can be filed through the in-app dispute flow or by contacting customer service at 1-800-nxoras-US or support@nxoras.com. Provisional credit, investigation timelines, and final adjustments follow the procedures required by 12 CFR § 1005.11.
If you believe you have identified a security vulnerability in any nxoras product or service, please report it to security@nxoras.com. We will acknowledge receipt within two business days and work with you in good faith on remediation. Researchers who follow responsible-disclosure norms will not be subject to legal action arising from their report.
nxoras maintains a written incident response plan that addresses identification, containment, eradication, recovery, and customer/regulator notification. Where notification of customers or regulators is required by law, we follow the timelines and methods prescribed.
Inquiries from federal or state regulatory agencies should be directed to legal@nxoras.com. We respond promptly to lawful regulatory requests and cooperate with our partner bank on all matters within its supervisory perimeter.
This page describes nxoras's programs as of the date of last revision. Specific operational procedures are documented separately and made available to our partner bank under the BaaS program agreement. Material changes to this page are recorded in our internal changelog.