Trust & Compliance

Due diligence starts here.

This page is written for compliance officers, CISOs, and procurement teams conducting technical and regulatory due diligence on M5Wealth. It covers the regulatory frameworks we operate within, our data security architecture, audit and control infrastructure, and incident response procedures.

Claims marked with an amber flag are pending independent verification or are subject to an ongoing certification process. We do not make unverified assertions in this document.

Contents: 01 Regulatory Frameworks | 02 Data Security | 03 Audit Trail | 04 Client Data | 05 Certifications | 06 GDPR & Data Residency | 07 Incident Response

SECTION 01

Regulatory Frameworks

Six regulatory frameworks. One codebase. No parallel builds. M5Wealth operates under six financial regulatory frameworks from a single shared codebase. Regulatory updates are applied once and propagate across all jurisdictions simultaneously. A client relationship spanning Singapore and Dubai is governed by the correct framework for each jurisdiction automatically — not by manual configuration at the point of advice.

MAS

Monetary Authority of Singapore

Singapore
Covers capital markets services, fund management, and financial advisory activities regulated under the Securities and Futures Act and Financial Advisers Act.
Architecture implements MAS Notice SFA 04-N02 suitability requirements, pre-trade compliance checks calibrated to MAS product classification, and audit trail retention aligned to MAS record-keeping obligations. Maker-checker workflows are enforced at the platform layer, not the application layer.
DFSA

Dubai Financial Services Authority

DIFC, UAE
Governs financial services conducted in or from the Dubai International Financial Centre, including investment management, custody, and advisory services.
DFSA client classification is enforced at the data model level. Suitability assessments, product restriction rules, and disclosure workflows are jurisdiction-aware and cannot be bypassed by user configuration. Audit records are immutable and timestamped to DFSA retention standards.

FSRA

Financial Services Regulatory Authority

Abu Dhabi Global Market, UAE
Regulates financial services within the Abu Dhabi Global Market free zone, with a framework closely aligned to international standards including IOSCO principles.

FSRA framework is implemented as a distinct compliance configuration within the same codebase as DFSA. Clients operating in both jurisdictions share a single data model with jurisdiction-specific compliance overlays.

SFC

Securities and Futures Commission

Hong Kong SAR
Regulates the securities and futures markets in Hong Kong, including Type 1, Type 4, and Type 9 licensed activities relevant to wealth management operations.
SFC Code of Conduct requirements for suitability, know-your-client, and product due diligence are implemented natively. Cross-border data flows between HK and other jurisdictions are governed by explicit data residency controls.
FCA

Financial Conduct Authority

United Kingdom

Regulates financial services firms and markets in the UK. Relevant to M5Wealth clients operating under FCA authorisation for investment management and advisory services.

FCA Consumer Duty and MiFID II-derived suitability requirements are implemented at the workflow level. Post-Brexit divergence from EU MiFID II is tracked and reflected in the rule engine. COBS-aligned disclosure templates are available within the platform.
CMA

Capital Market Authority

Sultanate of Oman
Regulates capital market activities in Oman including investment management, brokerage, and portfolio management services for licensed entities.

CMA Oman framework is live in production at a leading bank in Oman. The platform has been deployed in environments running T24 and Finacle core banking systems, with validated data pipelines to both. This is the only framework with a live tier-one bank reference in the same jurisdiction.

Questions about a specific regulatory framework configuration? Request a Security Briefing.
SECTION 02

Data Security & Infrastructure

Where your data lives. How it is protected. Who can reach it. M5Wealth’s infrastructure is built on the principle that client financial data is among the most sensitive data any organisation holds. The security architecture reflects that — not as a compliance posture, but as an operational reality.

Encryption

At rest and in transit

All PII at rest is encrypted using AES-256. Data in transit is encrypted with TLS: TLS 1.3 is enforced on all new connections, TLS 1.2 is the minimum version accepted anywhere on the platform, and earlier protocol versions are rejected.

Database-level encryption is applied to persistent stores where supported. Application-level field encryption is applied to PII fields including client identity data, account numbers, and beneficial ownership records.

Encryption controls are applied by default and are not configurable off by any user or administrator role.

Industry-standard cryptographic practices are followed to ensure the confidentiality and integrity of sensitive client data.

Access Control

Identity and authorisation

Access to the M5Wealth platform is governed by role-based access control with attribute-based extensions for jurisdiction and entity-level scoping. No user has access to data outside their assigned scope by default. Privilege escalation requires a separate approval workflow and is logged.

Multi-factor authentication is enforced for all user accounts. Session tokens expire after configurable idle periods.

M5Wealth engineering and support staff do not have standing access to client production environments. Access for support purposes requires a time-limited, client-approved access grant, which is logged and auditable by the client. This applies without exception.

Network Security

Perimeter and internal controls

All M5Wealth deployments operate within a secure virtual network. Public-facing endpoints are limited to the API gateway and client portal. Internal services communicate over controlled network segments with restricted access.

Network security controls enforce least-privilege traffic rules at the subnet level. DDoS mitigation is provided at the network layer.

Penetration testing is conducted annually by an independent third party. Findings are remediated according to a risk-tiered schedule: critical within 72 hours, high within 14 days, and medium within 60 days.

Infrastructure Resilience

Availability and recovery
Production deployments are configured for multi-availability-zone redundancy. Database replication is synchronous within the primary region. Cross-region replication is available for clients with specific disaster recovery requirements.

Recovery time objective is 10 hours for a full regional failure. Recovery point objective is one hour. SLA figures are subject to deployment-specific validation.

Backup procedures run on a daily full schedule. Backups are encrypted and stored in the deployment’s dedicated AWS storage account. Restoration procedures are tested quarterly.

Request a Security Briefing for full infrastructure documentation.
SECTION 03

Audit Trail & Controls

The audit trail is not a reporting feature. It is the platform’s permanent record of everything that happened. M5Wealth’s Activity Logs are built for regulatory examination, not for internal governance convenience.

Every action taken within the platform — every configuration change, every role assignment, every order placed, every deviation flagged, every approval granted — is logged with four attributes: the action taken, the user who took it, the timestamp, and the state of the relevant record before and after the action. Logs are tamper-resistant by architecture. No user, including platform administrators, can edit or delete a log entry.
Control | Description | Scope & Enforcement

Immutable Event Log (core infrastructure)
Description: Every create, read, update, and delete operation on any data entity is written to an append-only event log. The log is write-once; no process has delete or update permissions on log records.
Scope & enforcement: All deployments. All user roles, including system administrators. Enforced at the database layer, not the application layer.

Maker-Checker Workflow (four-eyes principle)
Description: Material actions, including order placement, client onboarding approval, suitability override, and fee schedule changes, require a second authorised user to approve before execution. The maker and checker cannot be the same user.
Scope & enforcement: Enforced at the workflow engine level. The list of maker-checker-required actions is configurable by the client within a defined minimum set that cannot be removed.

Timestamp Integrity (hash-chained event log)
Description: All audit records are timestamped by a server-side clock synchronised to an NTP source; timestamps cannot be modified after the fact. Each entry in the event log commits to the hash of the entry before it, so the order of events and the integrity of every record can be verified by recomputing the chain. A hash chain proves that no entry was altered, removed or reordered; detecting removal of the most recent entries additionally requires the latest chain hash to be anchored outside the log.
Scope & enforcement: All deployments. Client-side clocks are not used for audit timestamps. Time zone is recorded alongside the UTC timestamp for all records.

Retention Policy (regulatory alignment)
Description: Audit records are retained for a minimum of seven years. Jurisdiction-specific retention requirements are met within this baseline. Clients in jurisdictions with longer requirements can configure extended retention.
Scope & enforcement: A minimum of seven years is enforced by platform policy. Retention cannot be reduced below the applicable regulatory minimum for the client’s jurisdiction.

Audit Export (regulatory inspection readiness)
Description: Audit records can be exported in structured formats (JSON, CSV) for regulatory inspection. Export requests are themselves logged. Exports can be scoped by date range, user, entity type, or action type.
Scope & enforcement: Available to designated compliance officer roles. Export capability cannot be disabled. All export events are logged to the same immutable audit trail.

Privileged Access Logging (admin and support access)
Description: All access by M5Wealth engineering or support staff to client environments is logged separately. Time-limited access grants are recorded with the approving client contact and the stated purpose.
Scope & enforcement: All deployments. Client-visible log. Cannot be suppressed. M5Wealth staff access without a logged grant is a policy violation subject to disciplinary process.
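The immutable event log, hash-chained sequence and maker-checker control described above, as an added example that is not M5Wealth’s code. It assumes SHA-256 over a canonical JSON encoding of each record, an all-zero genesis hash, and the field names shown; the platform’s actual encoding is not documented on this page. The scenario data (users, client id, fee values) is constructed for the example.

```python
"""Hash-chained, append-only audit log with a maker-checker gate.
Added example, not M5Wealth's code. Assumptions: SHA-256 over canonical JSON,
an all-zero genesis hash, and the field names below."""
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

GENESIS_HASH = "0" * 64  # prev_hash of the first entry (assumption)


def entry_digest(fields: dict, prev_hash: str) -> str:
    """Each entry commits to its own content (canonical JSON, so the same
    record always hashes identically) and to its predecessor's hash."""
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical + prev_hash.encode()).hexdigest()


@dataclass(frozen=True)
class AuditEntry:
    seq: int
    ts_utc: str             # server-side UTC timestamp
    tz: str                 # time zone recorded alongside it
    actor: str
    action: str
    entity: str
    before: Optional[dict]  # record state before the action
    after: Optional[dict]   # record state after the action
    prev_hash: str
    entry_hash: str


class AuditLog:
    """Append-only: nothing here updates or deletes an existing entry."""

    def __init__(self, clock=None, tz="Asia/Singapore"):
        self._entries = []
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._tz = tz

    def append(self, actor, action, entity, before=None, after=None) -> AuditEntry:
        prev = self._entries[-1].entry_hash if self._entries else GENESIS_HASH
        fields = {"seq": len(self._entries), "ts_utc": self._clock().isoformat(),
                  "tz": self._tz, "actor": actor, "action": action,
                  "entity": entity, "before": before, "after": after}
        entry = AuditEntry(**fields, prev_hash=prev, entry_hash=entry_digest(fields, prev))
        self._entries.append(entry)
        return entry

    def entries(self) -> list:
        return list(self._entries)  # a copy; callers cannot mutate the log


def verify_chain(entries) -> tuple:
    """Return (ok, seq of first bad entry). Catches edits, deletions and reordering
    inside the chain. Removing the *last* entries is invisible to a bare hash chain,
    so the latest hash must also be anchored outside the log."""
    prev = GENESIS_HASH
    for i, e in enumerate(entries):
        fields = {k: v for k, v in asdict(e).items() if k not in ("prev_hash", "entry_hash")}
        if e.seq != i or e.prev_hash != prev or entry_digest(fields, prev) != e.entry_hash:
            return False, e.seq
        prev = e.entry_hash
    return True, None


class MakerChecker:
    """Four-eyes gate: a material action executes only after a second, different
    user approves it. Every step, including a refused self-approval, is logged."""

    def __init__(self, log: AuditLog):
        self._log, self._pending, self._next_id = log, {}, 0

    def propose(self, maker, action, entity, before, after) -> int:
        pid, self._next_id = self._next_id, self._next_id + 1
        self._pending[pid] = dict(maker=maker, action=action, entity=entity, before=before, after=after)
        self._log.append(maker, f"{action}:proposed", entity, before, after)
        return pid

    def approve(self, checker, pid) -> AuditEntry:
        p = self._pending[pid]
        if checker == p["maker"]:
            self._log.append(checker, f"{p['action']}:self_approval_refused", p["entity"])
            raise PermissionError("maker and checker must be different users")
        del self._pending[pid]
        return self._log.append(checker, f"{p['action']}:approved", p["entity"], p["before"], p["after"])


def demo() -> tuple:
    """Constructed scenario: a fee change is proposed, self-approval is refused,
    a second user approves; then tampered copies of the log are verified."""
    ticks = iter(range(1, 1000))
    clock = lambda: datetime(2024, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=next(ticks))
    log = AuditLog(clock=clock)
    mc = MakerChecker(log)
    pid = mc.propose("rm.alice", "fee_schedule.change", "client/0001", {"fee_bps": 80}, {"fee_bps": 60})
    try:
        mc.approve("rm.alice", pid)   # same user: refused and logged
    except PermissionError:
        pass
    mc.approve("co.bob", pid)         # different user: executes
    intact = verify_chain(log.entries())
    edited = log.entries()            # copies; the log itself is untouched
    edited[2] = replace(edited[2], after={"fee_bps": 10})
    deleted = log.entries()
    del deleted[1]                    # hide the refused self-approval
    return intact, verify_chain(edited), verify_chain(deleted)
```

Running demo() yields an intact chain for the real log and a failure at sequence 2 for both the edited copy (the approved record’s after-state no longer matches its hash) and the copy with the refused self-approval removed (the gap shows up as a sequence and prev_hash mismatch). The caveat in verify_chain is the one a reviewer should raise against any "immutable by hash chain" claim: a chain alone cannot prove that its tail has not been cut off, so the head hash has to be published or exported somewhere the log’s own storage cannot rewrite.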

Audit log retention period and export format details are available in the Security Briefing documentation.

SECTION 04

Client Data Handling

Your data is yours. Isolated at the architecture level, not at the policy level. M5Wealth serves multiple institutions from a shared infrastructure platform. The data isolation between those institutions is enforced at the architecture level — through separate encrypted data stores, separate encryption keys, and access controls that do not permit cross-tenant data access under any operational circumstance.

Data Isolation

Each client deployment operates in a logically isolated environment. In cloud deployments, this is enforced through logical data segregation at the database level, with strict row-level security policies. In dedicated deployments, physical separation is used.

Cross-client data access is not technically possible through the application layer. Any cross-client query at the infrastructure level requires a separate, logged access grant.

Client data is never used to train shared models or to improve platform features without explicit written consent. Anonymised, aggregated benchmarking data may be used for platform analytics with client consent; this is opt-in, not opt-out.
Third-party sub-processor list pending full public disclosure

Role-Based Access

Access to client data within a deployment is governed by a role hierarchy defined by the client. M5Wealth provides a default role structure aligned to typical wealth management operations: Relationship Manager, Portfolio Manager, Compliance Officer, Operations, and Administrator.

Each role has a defined set of data access permissions. Permissions are additive; roles cannot be granted access beyond their defined scope without an explicit configuration change by an Administrator. All permission changes are logged.
Entity-level scoping allows a Relationship Manager to be restricted to their own book of clients. Compliance Officers have read access across all entities within their jurisdiction scope.

Client administrators can provision and deprovision user access without M5Wealth involvement. Deprovisioned users lose access immediately; their audit records are retained.
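The role hierarchy, jurisdiction scoping and book-of-clients restriction described above, as an added example that is not M5Wealth’s code. The five role names are the page’s default roles; the permission matrix, the attribute names, the sample rows and principals, and the decision that Administrator holds no client-data permission are assumptions made for the example.

```python
"""Deny-by-default authorisation: role permissions plus jurisdiction and
book-of-clients scoping, applied per request and as a row-level filter.
Added example, not M5Wealth's code; the permission matrix is an assumption."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Assumed default matrix. Permissions are additive: a role holds exactly what
# is listed and nothing else, so an unknown role holds nothing.
ROLE_PERMISSIONS = {
    "RelationshipManager": {"client:read", "client:write", "portfolio:read"},
    "PortfolioManager":    {"client:read", "portfolio:read", "portfolio:write", "order:create"},
    "ComplianceOfficer":   {"client:read", "portfolio:read", "order:read", "audit:export"},
    "Operations":          {"client:read", "portfolio:read", "order:read"},
    "Administrator":       {"user:manage", "role:assign"},   # no client-data access (assumption)
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str
    jurisdictions: FrozenSet[str]           # e.g. {"SG"} or {"SG", "HK"}
    book: Optional[FrozenSet[str]] = None   # client ids; None means not entity-scoped


@dataclass(frozen=True)
class Row:
    kind: str            # "client", "portfolio", "order", "audit"
    client_id: str
    jurisdiction: str


def authorise(p: Principal, action: str, row: Row) -> tuple:
    """Every check must pass; the first failing check is returned as the reason."""
    perm = f"{row.kind}:{action}"
    if perm not in ROLE_PERMISSIONS.get(p.role, set()):
        return False, f"role {p.role} lacks {perm}"
    if row.jurisdiction not in p.jurisdictions:
        return False, "outside jurisdiction scope"
    if p.book is not None and row.client_id not in p.book:
        return False, "outside book of clients"
    return True, "allowed"


def visible_rows(p: Principal, action: str, rows) -> list:
    """Row-level filter: the same policy applied to a result set, so a listing
    can never return a row the caller could not read individually."""
    return [r for r in rows if authorise(p, action, r)[0]]


# Constructed sample data: three clients across two jurisdictions.
ROWS = [Row("client", "C1", "SG"), Row("client", "C2", "SG"), Row("client", "C3", "AE")]
RM_ALICE = Principal("alice", "RelationshipManager", frozenset({"SG"}), frozenset({"C1"}))
CO_BOB = Principal("bob", "ComplianceOfficer", frozenset({"SG", "HK"}))
ADMIN_EVE = Principal("eve", "Administrator", frozenset({"SG", "AE"}))


def demo() -> dict:
    """Decisions for the sample principals against the sample rows."""
    return {
        "rm_own_client": authorise(RM_ALICE, "read", ROWS[0]),
        "rm_other_client": authorise(RM_ALICE, "read", ROWS[1]),
        "co_any_sg": authorise(CO_BOB, "read", ROWS[1]),
        "co_write": authorise(CO_BOB, "write", ROWS[1]),
        "co_other_jurisdiction": authorise(CO_BOB, "read", ROWS[2]),
        "admin_client_data": authorise(ADMIN_EVE, "read", ROWS[0]),
        "rm_visible": [r.client_id for r in visible_rows(RM_ALICE, "read", ROWS)],
        "co_visible": [r.client_id for r in visible_rows(CO_BOB, "read", ROWS)],
    }
```

The point of the structure is that the relationship manager and the compliance officer go through the same function: the RM is cut down by the book check, the CO by the jurisdiction check, and neither can be widened by a missing attribute, because an absent role or an unknown jurisdiction fails closed. Applying authorise as the row filter is the application-side analogue of the database-level row-level security mentioned in the Data Isolation subsection; in production the two should agree, and the database policy is the one that holds when the application is bypassed.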

Export & Portability

All client data is exportable in full at any time. M5Wealth does not use proprietary data formats that create lock-in. Core data entities — clients, portfolios, transactions, audit records, documents — are exportable in open formats (JSON, CSV, PDF).

On contract termination, M5Wealth provides a full data export within 30 days of the termination date. The export includes all client data, all audit records, and all configuration. After the export is confirmed as received, M5Wealth deletes all client data from its systems within 60 days.

Data deletion is confirmed in writing. Deletion applies to all copies including backups, with the exception of records that M5Wealth is legally required to retain.

Questions about data isolation or role-based access? Request a Security Briefing.
SECTION 05

Certifications & Accreditations

Independent certification provides third-party validation that M5Wealth’s security and compliance controls meet defined standards. The table below reflects M5Wealth’s current certification status; rows carrying an amber flag are pending confirmation.

We do not publish certification claims we cannot substantiate.
Certification | Status | Scope | Notes

ISO 27001, Information Security Management
Scope: Platform infrastructure and operations
Status and notes: Certified by an accredited certification body. Annual surveillance audits completed. Certificate available under NDA.

SOC 2 Type II, Security, Availability, Confidentiality
Scope: Cloud-hosted deployments
Status and notes: SOC 2 Type II report available under NDA.

PCI DSS, Payment Card Industry
Scope: Not in scope
Status and notes: M5Wealth does not process payment card data. PCI DSS is not applicable to the platform’s current scope.

GDPR Compliance, EU Data Protection
Scope: EU and UK data subjects
Status and notes: Data Processing Agreements in place with all sub-processors. GDPR-compliant data residency controls available. See Section 06 for detail.

MAS TRM Guidelines, Technology Risk Management
Scope: Singapore deployments
Status and notes: Platform architecture is aligned to the MAS Technology Risk Management Guidelines (2021). Alignment assessment available to MAS-regulated clients. Formal third-party assessment pending.

NIST CSF, Cybersecurity Framework
Scope: All deployments
Status and notes: Security controls are mapped to the six NIST CSF 2.0 functions: Govern, Identify, Protect, Detect, Respond, Recover. Mapping documentation available on request.

Note on status terms

The certifications table above reflects the current state as of the date this page was last updated. “Aligned” status indicates that the platform architecture and controls are designed to meet the relevant standard; it does not constitute formal certification, and an aligned row should not be read as a certified one.

SECTION 06

GDPR & Data Residency

Data residency is client-configurable. Your data stays in the region you specify. For institutions operating in regulated jurisdictions with data localisation requirements — including the UAE, Singapore, and the European Economic Area — data residency is not a feature request. It is a regulatory obligation.

GDPR Compliance

M5Wealth acts as a data processor for client data. The client institution is the data controller. This relationship is formalised in a Data Processing Agreement executed as part of every client contract. The DPA covers the lawful basis for processing, the categories of data processed, sub-processor obligations, and data subject rights procedures.

Data subject rights requests — including access, rectification, erasure, and portability — are supported through the platform’s data management tooling. Compliance officers can action data subject requests directly without requiring M5Wealth involvement. Response timelines are configurable to meet the applicable regulatory deadline.

M5Wealth maintains a Record of Processing Activities as required under GDPR Article 30. Sub-processors are listed in the DPA schedule and are updated when sub-processors are added or removed. Clients are notified of sub-processor changes with a minimum of 30 days notice.

Data Protection Impact Assessments are conducted for new processing activities that are likely to result in high risk to data subjects. DPIA outputs are available to clients where the processing relates to their data.

Data Protection Officer

M5Wealth has appointed a Data Protection Officer responsible for overseeing GDPR compliance. The DPO is the point of contact for data subjects and supervisory authorities.

DPO contact details available to clients under DPA — not published publicly

Data Residency

M5Wealth supports data residency requirements through deployment configuration. Clients who require data to remain within a specific geographic boundary can specify this at deployment time. The platform enforces residency constraints at the infrastructure level, not the application level.

Available residency configurations include: EU-only, Singapore-only, UAE-only, and client-specified custom regions. Multi-region deployments can be configured with explicit data flow rules that prevent certain data categories from leaving a defined boundary.
Cross-border data transfers where required are governed by Standard Contractual Clauses or equivalent transfer mechanisms. Transfer impact assessments are conducted for transfers to countries without an adequacy decision.

Clients operating in jurisdictions with specific data localisation laws can request a dedicated deployment within the required geography. M5Wealth has experience deploying within Gulf-region cloud infrastructure and can provide references from clients who have completed this process.

Available residency regions: on request.

Request the Data Processing Agreement and sub-processor list through a Security Briefing.

SECTION 07

Incident Response

What happens when something goes wrong. M5Wealth operates a defined incident response process. Security incidents are classified by severity on a four-tier scale (P1 to P4). P1 incidents, those with the potential to affect client data confidentiality, integrity, or availability, trigger immediate escalation to M5Wealth’s security team lead and the affected client institution’s designated contact.

Severity Classification

P1, Critical
Complete platform unavailability, confirmed data breach, or active security compromise affecting client data or operations.
Initial response: 30 minutes. Client notification: 1 hour. Status updates: every 30 minutes. Resolution target: 4 hours.

P2, High
Significant degradation of core functionality, partial data unavailability, or security event with potential client data impact under investigation.
Initial response: 60 minutes. Client notification: 2 hours. Status updates: every 2 hours. Resolution target: 8 hours.

P3, Medium
Partial functionality degradation affecting non-critical workflows, performance degradation, or security event with no confirmed client data impact.
Initial response: 2 hours. Client notification: 4 hours. Status updates: daily. Resolution target: 48 hours.

P4, Low
Minor issues with workarounds available, cosmetic defects, or informational security events with no operational impact.
Initial response: next business day. Client notification: next business day. Status updates: weekly. Resolution target: next release.

Regulatory Notification Timelines

Where an incident constitutes a personal data breach under GDPR or a notifiable incident under applicable financial services regulation, M5Wealth will notify the client within the timeframes required to allow the client to meet their own regulatory notification obligations.

GDPR Data Breach

Client notified within 24 hours of M5Wealth becoming aware of a confirmed breach. This allows the client to meet the 72-hour supervisory authority notification requirement under GDPR Article 33.

MAS Reportable Incident
Client notified within 1 hour of a P1 incident that may constitute a reportable incident under the MAS Notice on Technology Risk Management. The client is responsible for making the regulatory notification.
DFSA / FSRA Reportable Incident

Client notified within 2 hours of a P1 or P2 incident that may require regulatory notification. M5Wealth provides a factual incident summary to support the client’s notification.

SLA notification timelines subject to contractual confirmation

Post-Incident Process

All P1 and P2 incidents result in a post-incident review completed within five business days of resolution. The output is a written post-incident report provided to the client.
1. Timeline Reconstruction: Full chronological account of the incident from first detection to resolution, drawn from system logs and incident response records.
2. Root Cause Analysis: Technical root cause identified and documented. Contributing factors noted. No attribution to external parties without evidence.
3. Remediation Actions: Specific actions taken to resolve the incident and prevent recurrence. Each action has an owner and a completion date.
4. Control Improvements: Where the incident reveals a gap in controls, the improvement is documented and tracked. Clients are notified when the improvement is implemented.
Request the Incident Response Policy through a Security Briefing.
NEXT STEPS

If you are conducting formal due diligence, we are ready.

The Security Briefing is a structured session with M5Wealth’s CISO and a senior compliance representative. It covers the full technical and regulatory architecture, answers questions specific to your jurisdiction and deployment model, and provides access to certification documentation under NDA.

The Trust Pack is a document set containing our ISO 27001 certificate, SOC 2 Type I report, DPA template, sub-processor list, and penetration test executive summary. It is provided under NDA to qualified prospective clients.

Security Briefing

60-minute structured session with CISO and compliance representative. Covers architecture, controls, certifications, and jurisdiction-specific questions. Documentation provided under NDA.
Trust Pack
ISO 27001 certificate, SOC 2 Type I report, DPA template, sub-processor list, penetration test executive summary. Provided under NDA to qualified prospective clients.
Client References

Direct introductions to compliance and technology contacts at live M5Wealth deployments. References available in Singapore, UAE, Oman, and Europe. No scripted calls.