SECURITY & COMPLIANCE
At ZionX, security and regulatory compliance are foundational to our validator infrastructure services. We implement enterprise-grade security measures and maintain compliance with data protection and financial regulations across our target markets in Taiwan, Japan, and Thailand.
SECURITY INFRASTRUCTURE
Infrastructure Security
Multi-Region Redundancy
- Primary infrastructure hosted in Taiwan with redundant nodes in Japan
- Geographic distribution supports our 99.9%+ uptime target
- Automatic failover systems for uninterrupted validator operations
- Enterprise-grade data centers with physical security controls
Network Security
- DDoS protection and traffic filtering at network edge
- Firewalls and intrusion detection/prevention systems (IDS/IPS)
- Network segmentation isolating validator operations from public-facing systems
- 24/7 security monitoring and incident response
Data Protection
- Encryption in transit (TLS 1.3) for all client communications
- Encryption at rest (AES-256) for all stored data
- Hardware security modules (HSM) for cryptographic key management
- Secure key generation and storage protocols
Operational Security
Access Controls
- Role-based access control (RBAC) with least-privilege principles
- Multi-factor authentication (MFA) required for all administrative access
- Regular access reviews and permission audits
- Segregation of duties for critical operations
Security Monitoring
- Real-time monitoring of validator performance and anomalies
- Automated alerting for security events and infrastructure issues
- Centralized logging and security information and event management (SIEM)
- Regular security assessments and penetration testing
Incident Response
- Documented incident response procedures and runbooks
- Security Operations Center (SOC) with on-call engineers
- Defined escalation paths and communication protocols
- Post-incident reviews and continuous improvement processes
Validator Security
Slashing Prevention
- Software safety mechanisms preventing double-signing
- Redundant validator configurations with automatic failover
- Regular backup and recovery testing
- Continuous monitoring for protocol rule violations
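The double-signing safeguard listed above is the control that most directly protects a validator from slashing, and it interacts with the failover bullet: a hot spare that starts signing while the primary is still alive is the classic way a double-sign happens. The following is an added illustration, not ZionX's code, of the usual defensive pattern: a persisted "last signed" record that is written and fsynced before any signature is released, so the signer refuses anything at a lower height, a lower round at the same height, or a different block at the same height and round. The consensus key is replaced by a constructed HMAC key, and the height/round/block_id fields are a generic stand-in for whatever the real protocol's vote structure looks like.

```python
"""Minimal double-sign guard for a consensus validator (added illustration).

The guard keeps a persisted record of the last signed (height, round, block_id).
Persisting happens BEFORE signing, so a crash or restart between the two
steps cannot produce two conflicting signatures for the same slot.
"""
import hashlib
import hmac
import json
import os
import tempfile
from dataclasses import dataclass


class DoubleSignError(Exception):
    """Raised when signing would conflict with something already signed."""


@dataclass(frozen=True)
class SignRequest:
    height: int
    round: int
    block_id: str  # hex block hash (constructed values in the demo)


class SignGuard:
    def __init__(self, state_path):
        self.state_path = state_path
        self.state = self._load()

    def _load(self):
        # Missing file means a fresh validator: nothing signed yet.
        if os.path.exists(self.state_path):
            with open(self.state_path) as f:
                return json.load(f)
        return {"height": 0, "round": -1, "block_id": None}

    def _persist(self, record):
        # Write to a temp file, fsync, then atomically replace the old state,
        # so a crash mid-write leaves either the old or the new record intact.
        dirpath = os.path.dirname(self.state_path) or "."
        fd, tmp = tempfile.mkstemp(dir=dirpath)
        with os.fdopen(fd, "w") as f:
            json.dump(record, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.state_path)
        self.state = record

    def check(self, req):
        last_h, last_r, last_b = (self.state["height"], self.state["round"],
                                  self.state["block_id"])
        if req.height < last_h:
            raise DoubleSignError(f"height {req.height} < last signed {last_h}")
        if req.height == last_h:
            if req.round < last_r:
                raise DoubleSignError(f"round {req.round} < last signed {last_r}")
            if req.round == last_r and last_b is not None and req.block_id != last_b:
                raise DoubleSignError("different block at same height/round")

    def sign(self, req, signer):
        """Check, persist, then sign. Re-signing the identical request is allowed."""
        self.check(req)
        self._persist({"height": req.height, "round": req.round,
                       "block_id": req.block_id})
        return signer(req)


def _rejected(action):
    """True if `action` raises DoubleSignError."""
    try:
        action()
    except DoubleSignError:
        return True
    return False


def run_scenario():
    """Drive the guard through a constructed sequence and report outcomes."""
    workdir = tempfile.mkdtemp(prefix="signguard-")
    path = os.path.join(workdir, "last_signed.json")
    key = b"constructed-demo-key-not-a-real-validator-key"

    def signer(req):  # stand-in for the consensus key: deterministic HMAC
        msg = f"{req.height}/{req.round}/{req.block_id}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    guard = SignGuard(path)
    out = {}
    out["first"] = guard.sign(SignRequest(100, 0, "ab12"), signer)
    # Same height and round, different block: the equivocation slashing rule.
    out["conflict_rejected"] = _rejected(lambda: guard.sign(SignRequest(100, 0, "cd34"), signer))
    # Identical request again (e.g. retry after a network hiccup) is harmless.
    out["idempotent"] = guard.sign(SignRequest(100, 0, "ab12"), signer) == out["first"]
    # A later round may legitimately vote for a different block.
    out["next_round_ok"] = guard.sign(SignRequest(100, 1, "cd34"), signer) is not None
    out["old_height_rejected"] = _rejected(lambda: guard.sign(SignRequest(99, 5, "ef56"), signer))
    out["old_round_rejected"] = _rejected(lambda: guard.sign(SignRequest(100, 0, "ab12"), signer))
    # Restart: a new process reading the same state file inherits the guard.
    restarted = SignGuard(path)
    out["state_survives_restart"] = (restarted.state["height"] == 100
                                     and restarted.state["round"] == 1)
    out["restart_conflict_rejected"] = _rejected(
        lambda: restarted.sign(SignRequest(100, 1, "ab12"), signer))
    return out


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The restart case is the one that matters for failover: the protection only holds if the node that takes over reads the same last-signed record (or starts strictly later and never overlaps with the old primary). A spare that boots with an empty or stale record, while the primary is still signing, is exactly the configuration this guard cannot save you from, which is why redundant validators need a handover of state or key ownership rather than two live signers.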
Validator Key Management
- Non-custodial architecture - clients retain full control of private keys
- Secure key derivation and storage protocols
- Hardware-based key protection where applicable
- Regular key rotation procedures (where supported by blockchain protocols)
COMPLIANCE FRAMEWORK
ZionX operates under a comprehensive compliance framework designed to meet regulatory requirements across Taiwan, Japan, and Thailand. We are actively pursuing formal registrations and licenses as regulatory frameworks mature in our target markets.
Taiwan Compliance
Personal Data Protection Act (PDPA) Compliance
Status: Fully Compliant
The Taiwan Personal Data Protection Act governs how we collect, process, and protect personal information of Taiwan users. Our PDPA compliance program includes:
- Lawful Basis: We process personal data based on contractual necessity (service provision), legal obligations (KYC/AML compliance), and consent (marketing communications)
- Notice and Transparency: Clear privacy notices at data collection points explaining purpose, categories, retention periods, and recipient information
- Data Subject Rights: Established procedures for individuals to access, correct, delete, or restrict processing of their personal data
- Security Measures: Technical and organizational safeguards meeting Ministry of Digital Affairs requirements, including encryption, access controls, and audit trails
- Cross-Border Transfers: Contractual safeguards and adequacy assessments for international data transfers
- Breach Notification: Procedures to notify affected individuals and the Personal Data Protection Commission (PDPC) within required timeframes
Relevant Authority: Personal Data Protection Commission (PDPC) – https://www.pdc.gov.tw
Financial Compliance
Status: Monitoring Regulatory Development
Taiwan’s Financial Supervisory Commission (FSC) is developing frameworks for virtual asset service providers. ZionX’s non-custodial validator services do not require traditional financial licenses, but we monitor:
- Virtual Asset Service Provider (VASP) Framework: Draft legislation under consideration; ZionX validator operations are designed to align with anticipated requirements
- Anti-Money Laundering (AML) / Counter-Terrorist Financing (CTF): We implement risk-based customer due diligence and transaction monitoring consistent with Financial Action Task Force (FATF) recommendations
- Know Your Customer (KYC): Identity verification procedures for institutional clients, with enhanced due diligence for high-risk customers
Relevant Authority: Financial Supervisory Commission (FSC) – https://www.fsc.gov.tw
Japan Compliance
Act on Protection of Personal Information (APPI) Compliance
Status: Fully Compliant
The Japan Act on Protection of Personal Information establishes requirements for handling personal information of Japanese individuals. Our APPI compliance program includes:
- Purpose Specification: We specify and publicly disclose the purposes for which personal information is used at or before collection
- Lawful Processing: We process personal information based on legal grounds including consent, contractual necessity, and compliance with legal obligations
- Sensitive Information: We obtain explicit consent before collecting “special care-required information” such as medical records or criminal history (generally not applicable to validator services)
- Cross-Border Transfers: We obtain consent or establish equivalent data protection measures for transfers of personal information outside Japan, including contractual safeguards with foreign recipients
- Data Subject Rights: We provide mechanisms for individuals to request disclosure, correction, suspension of use, or deletion of retained personal data
- Breach Notification: We report significant data breaches to the Personal Information Protection Commission (PPC) without undue delay and notify affected individuals as required
Relevant Authority: Personal Information Protection Commission (PPC) – https://www.ppc.go.jp
Financial Services Compliance
Status: Monitoring Regulatory Development / Application Pending
Japan’s Financial Services Agency (FSA) regulates crypto asset exchange service providers (CAESPs) and crypto asset custodians. ZionX’s approach:
- Non-Custodial Service Model: ZionX operates as a validator service provider without taking custody of client assets, which distinguishes our services from regulated custodial activities under the Payment Services Act
- Registration Plans: We are evaluating registration requirements as Japan’s regulatory framework evolves to cover broader digital asset service categories
- AML/CTF Compliance: Our KYC and transaction monitoring procedures align with FSA guidelines and the Act on Prevention of Transfer of Criminal Proceeds
Relevant Authority: Financial Services Agency (FSA) – https://www.fsa.go.jp/en/
Thailand Compliance
Personal Data Protection Act (PDPA) Compliance
Status: Preparation Stage
Thailand’s Personal Data Protection Act (B.E. 2562), which took full effect in 2022, governs personal data processing. ZionX is implementing:
- Lawful Basis: Processing based on contract performance, legal obligations, and legitimate interests (with consent where required)
- Data Subject Rights: Procedures for access, correction, deletion, data portability, and restriction of processing
- Privacy Notices: Thai-language privacy notices for Thai users explaining data processing activities
- Cross-Border Transfers: Assessments and safeguards for transfers of Thai personal data outside Thailand
- Data Protection Officer: Designated contact for data protection inquiries
Relevant Authority: Personal Data Protection Committee (PDPC) – Office of the Personal Data Protection Committee
Digital Asset Regulation
Status: Monitoring Regulatory Environment
Thailand’s Securities and Exchange Commission (SEC) regulates digital asset businesses through the Digital Asset Business Decree. ZionX’s considerations:
- Licensing Requirements: Validator operations are not currently subject to digital asset exchange or dealer licenses, but we monitor regulatory guidance on staking services
- Tax Framework: Thailand offers favorable capital gains tax treatment for digital assets (2025-2029 exemption), creating attractive conditions for institutional clients
- Regulatory Engagement: We maintain awareness of SEC Thailand’s evolving guidance on digital asset services and staking activities
Relevant Authority: Securities and Exchange Commission (SEC Thailand) – https://www.sec.or.th/EN
SECURITY CERTIFICATIONS & AUDITS
Current Certifications
SOC 2 Type II Compliance
Status: In Progress (Target: Q2 2026)
Service Organization Control (SOC) 2 Type II certification demonstrates that our systems meet rigorous standards for security, availability, and confidentiality. Our SOC 2 audit covers:
- Security controls and access management
- Infrastructure availability and disaster recovery
- Data encryption and protection measures
- Change management and incident response
- Monitoring and logging practices
ISO 27001 Information Security Management
Status: Planned (Target: Q4 2026)
ISO 27001 certification validates our information security management system (ISMS). We are implementing comprehensive security policies and controls across:
- Risk assessment and treatment
- Asset management and data classification
- Access control and authentication
- Cryptography and key management
- Incident management and business continuity
Security Audits
Infrastructure Security Audits
- Annual third-party penetration testing of network infrastructure and applications
- Quarterly vulnerability assessments and remediation tracking
- Regular review of security configurations and access controls
Smart Contract Audits (where applicable)
- Third-party security audits of any smart contracts used in validator operations
- Formal verification of critical contract logic
- Bug bounty programs for responsible disclosure of vulnerabilities
Blockchain Protocol Audits
- Participation in security reviews of supported blockchain protocols
- Monitoring of protocol upgrades and security patches
- Coordination with blockchain foundations on security best practices
INSURANCE & RISK MANAGEMENT
Operational Insurance
Cyber Liability Insurance
- Coverage for data breaches, cyber-attacks, and security incidents
- Protection against costs of breach notification, forensics, and remediation
- Third-party liability coverage for claims arising from security events
Technology Errors & Omissions Insurance
- Professional liability coverage for technology service errors
- Protection against claims related to service failures or technology errors
- Coverage for defense costs and settlements
Slashing Insurance (in development)
Status: Negotiating Coverage (Target: Q1 2026)
We are working with specialized crypto insurance providers to secure coverage for:
- Validator slashing events caused by operational errors
- Protocol-level penalties resulting from infrastructure failures
- Client protection against losses from ZionX’s operational mistakes
Coverage details, limits, and exclusions will be specified in client Service Agreements once policies are finalized.
Risk Management Framework
Operational Risk Management
- Comprehensive risk assessment identifying infrastructure, security, and operational risks
- Risk mitigation controls including redundancy, monitoring, and incident response procedures
- Regular risk reviews and control effectiveness testing
Third-Party Risk Management
- Vendor security assessments for critical service providers
- Contractual requirements for data protection and security standards
- Ongoing monitoring of third-party performance and compliance
Business Continuity Planning
- Documented disaster recovery procedures with defined recovery time objectives (RTO) and recovery point objectives (RPO)
- Regular backup testing and failover drills
- Alternative communication channels and escalation procedures
ANTI-MONEY LAUNDERING (AML) & COUNTER-TERRORIST FINANCING (CTF)
ZionX implements a risk-based AML/CTF program aligned with Financial Action Task Force (FATF) recommendations and applicable local regulations:
Customer Due Diligence (CDD)
- Identity verification for all clients (individuals and entities)
- Beneficial ownership identification for corporate clients
- Source of funds documentation for high-risk relationships
- Enhanced due diligence (EDD) for politically exposed persons (PEPs) and high-risk jurisdictions
Transaction Monitoring
- Risk-based monitoring of staking transactions and reward distributions
- Automated alerts for unusual or suspicious activity patterns
- Investigation and reporting of suspicious transactions to relevant financial intelligence units (FIUs)
Sanctions Screening
- Real-time screening against OFAC, UN, EU, and other sanctions lists
- Ongoing monitoring of client relationships for sanctions exposure
- Immediate action protocols for sanctioned entities or jurisdictions
Record-Keeping
- Retention of KYC documentation and transaction records for a minimum of 7 years
- Audit trails for all compliance activities
- Secure storage with access controls and encryption
Staff Training
- Regular AML/CTF training for all personnel
- Specialized training for compliance and customer-facing staff
- Annual compliance attestations and knowledge assessments
REGULATORY ENGAGEMENT & LICENSING ROADMAP
ZionX actively engages with regulators across our target markets to ensure compliant operations and support the development of clear regulatory frameworks for validator services.
Taiwan Licensing Roadmap
Q4 2025 - Q1 2026:
- Monitor finalization of VASP framework legislation
- Engage with FSC through industry associations
- Prepare documentation for potential registration requirements
Q2 2026:
- Submit VASP registration application if framework takes effect
- Establish Taiwan legal entity (as required)
- Obtain any necessary business registrations
Ongoing:
- Maintain PDPA compliance and data protection practices
- Participate in industry consultations on digital asset regulation
Japan Licensing Roadmap
Q4 2025 - Q1 2026:
- Establish Japan legal entity (Kabushiki Kaisha)
- Prepare CAESP registration application materials
- Appoint Japan-resident director with required qualifications
Q2 - Q3 2026:
- Submit CAESP registration application to FSA (6-12 month review period)
- Engage with Japanese Financial Intelligence Center (JAFIC) on AML requirements
- Establish minimum capital and operational infrastructure
Q4 2026 - Q1 2027:
- Obtain CAESP registration approval
- Launch Japan-compliant validator services
- Establish ongoing reporting and examination procedures
Ongoing:
- Maintain APPI compliance for personal information handling
- Monitor FSA guidance on staking and validator services
Thailand Licensing Roadmap
Q4 2025:
- Submit digital asset service provider registration to SEC Thailand
- Establish Thailand legal entity
- Meet minimum capital requirements (THB 50M)
Q1 - Q2 2026:
- Complete SEC Thailand approval process (150-day timeline)
- Obtain Ministry of Finance approval
- Implement SEC Thailand cybersecurity and operational standards
Q2 2026:
- Launch Thailand validator services
- Establish Thai customer support and compliance functions
Ongoing:
- Monitor SEC Thailand guidance on staking services
- Participate in industry working groups on digital asset regulation
TRANSPARENCY & REPORTING
Public Transparency
Security Incident Disclosure
- We commit to transparent communication about material security incidents
- Public disclosure of incidents that may affect client assets or data
- Post-incident reports describing root causes and preventive measures
Validator Performance Reporting
- Real-time dashboards showing validator uptime, performance metrics, and reward distributions
- Historical performance data for all Supported Blockchains
- Transparent disclosure of any slashing events or protocol penalties
Compliance Updates
- Regular updates on regulatory licensing progress
- Notification of material changes to compliance policies or procedures
- Annual compliance and security reports
Client Reporting
Monthly Performance Reports
- Validator uptime and performance metrics
- Staking rewards earned and distributed
- Service fees charged
- Network events affecting validator operations
Quarterly Business Reviews (institutional clients)
- Comprehensive performance analysis and optimization recommendations
- Compliance status updates
- Roadmap discussions and feature planning
- Security posture reviews
Annual Compliance Attestations
- SOC 2 Type II reports (upon completion of certification)
- External audit reports (where applicable)
- Regulatory filings and license status confirmations
Security & Compliance Inquiries
Data Protection Officer
Email: info@zionx.com
Subject: “Data Protection Inquiry”
Compliance Officer
Email: info@zionx.com
Subject: “Regulatory Compliance Inquiry”
Security Team
Email: info@zionx.com
Subject: “Security Issue Report” (for urgent security matters)
Regulatory Authorities
For concerns or complaints regarding our compliance with applicable laws, you may contact the relevant regulatory authority:
Taiwan:
- Personal Data Protection Commission (PDPC): https://www.pdc.gov.tw
- Financial Supervisory Commission (FSC): https://www.fsc.gov.tw
Japan:
- Personal Information Protection Commission (PPC): https://www.ppc.go.jp
- Financial Services Agency (FSA): https://www.fsa.go.jp/en/
Thailand:
- Office of the Personal Data Protection Committee: [Contact information]
- Securities and Exchange Commission (SEC): https://www.sec.or.th/EN
RESPONSIBLE DISCLOSURE
ZionX welcomes responsible disclosure of security vulnerabilities and encourages security researchers to report issues through our coordinated disclosure process.
Reporting Security Vulnerabilities
Please report potential security issues to:
Email: info@zionx.com
PGP Key: [To be published]
Responsible Disclosure Guidelines
- Provide reasonable time for ZionX to investigate and remediate before public disclosure
- Do not access, modify, or delete client data beyond what is necessary to demonstrate the vulnerability
- Do not perform testing that could degrade service availability or harm our systems
- Do not disclose the issue publicly until ZionX has had the opportunity to address it
Recognition
We recognize and appreciate responsible disclosure contributions through:
- Public acknowledgment on our Security Hall of Fame (with your permission)
- Direct communication of remediation actions taken
- Consideration for bug bounty rewards (program details to be announced)
DOCUMENT VERSION CONTROL
Version: 1.0
Last Updated: November 30, 2025
Effective Date: December 1, 2025
Next Review: March 1, 2026 (or as regulatory requirements change)
This Security & Compliance page will be updated to reflect our evolving security posture, regulatory licensing progress, and compliance program maturity. Material changes will be communicated via email to existing clients and prominently displayed on our website.
ZionX: Building Asia’s Most Secure Validator Infrastructure
For additional information about our services, please visit https://zionx.com or contact info@zionx.com.