Business Continuity Plan

This plan has been designed to prepare P2P Kapital Sdn Bhd (NK) to cope with the effects of an emergency or crisis. It is intended that this document will provide the basis for a relatively quick and painless return to “business as usual” regardless of the cause.

Emergency Contact Persons

NK sees two emergency contact persons. Namely:

1. Chief Executive Officer
   • Name: Kee Yong Foo
   • Contact No.: +6016 221 5537
   • E-mail address: kee@nusakapital.com
2. Chief Operating Officer
   • Name: Izmi bin Omar Marican
   • Contact No.: +6012 484 5555
   • E-mail address: izmi@nusakapital.com

NK will promptly notify the Securities Commission of any changes within 30 days following the change. We will review and update this information within 21 business days following the end of each calendar year.

Firm’s Policy

In the event of a Significant Business Disruption (SBD), we expect this document to

• minimize the risk of damage to the firm’s property and injuries or deaths of the firm’s employees and to
• minimize disruption to the firm’s operations by quickly recovering and resuming business operations.

This includes allowing our clients to transact and protecting all of the firm’s books and records. Should circumstances dictate that we are unable to resume operations permanently, we will assure customers prompt access to their funds and securities. This plan will be executed on the authority of the Managing Partner and will be stored in hard copy at our offices and in soft copy on the cloud server. All employees will have access to this plan online or otherwise.

1. Significant Business Disruptions (“SBD”)

Our plan anticipates two kinds of SBDs, internal and external. Internal SBDs affect only our firm’s ability to communicate and do business, such as a fire in our building. External SBDs prevent the operation of the securities markets or a number of firms, such as any event of Force Majeure, being any event beyond the reasonable control of the obligated party, including but not limited to, acts of God, extreme weather or acts of third parties. Our response to an external SBD relies more heavily on other organizations and systems, especially on the capabilities of our Trustee.

2. Approval and Execution Authority

Kee Yong Foo, Chief Executive Officer, is responsible for approving the plan and for conducting the required annual review.He has the authority to execute this Business Continuity Plan (“ BCP”).

3. Plan Location and Access

Our firm will maintain copies of its BCP plan and the annual reviews, and the changes that have been made to it for inspection. An electronic copy of our plan is located on our physical backup server and cloud server, as provided by Dropbox, Inc. in the Emergency Information folder.

Business Description

Our firm conducts business in the provision of Shariah-compliant financing to firms through peer-to-peer networks. Financing is provided to the issuers through a Murabahah or a Mudharabah structure. As NK is an introducing firm, we do not perform transactions for ourselves or others. Instead, this role is fulfilled by a trustee organization, Pacific Trustees Berhad (Company No. 317001-A).

Office Locations

1. Operational Office
   218 – Level 5,
   Klang Midvalley Complex,
   Jalan Pasar,
   41400 Klang,
   Selangor, Malaysia
   
   Our employees within the city may travel to the office by means of car, bus, and train. This office functions as the head office and is the venue for much of the processing of issuers and investors.
   
2. Alternative Office
   Suite 24 & 25,
   Unit 3.07, Level 3,
   KL Gateway Mall,
   No. 2, Jalan Kerinchi,
   Pantai Dalam
   59200 Kuala Lumpur, Malaysia

Should the need arise, employees may be asked to work from an alternative office as stated above. Our employees within the city may travel to the office by means of car, bus and train and may arrive from the KL office by flight.

Alternative Physical Location(s) of Employees

In the event of an SBD, staff may be required to work from home or at an alternative site wherein all the infrastructure (mainly internet) is available successfully continue our business. This allows them to remain in their respective cities, where our stakeholders are domiciled. Should the need arise, they may be allocated a working space at one of the other offices.

Customers’ Access to Funds and Securities

NK does not maintain custody of customers’ funds. Funds are maintained by our Trustee. In the event of an internal or external SBD, if telephone service is available, our registered persons will take customer orders or instructions and contact our Trustee on their behalf, and if our Web access is available, our firm will post on our website that customers may access their funds and securities by contacting an agent of the firm via telephone or email. Should our firm be uncontactable, customers may elect to contact the trustees directly. The firm will make this information available to customers through its disclosure policy. We may also provide our books and records which may result in the identification of customers subject to regulations and legal orders.

Data Back-Up and Recovery (Hard Copy and Electronic)

Our production site is configured to automatically perform backups on a daily basis. In the event of an internal or external SBD that causes the loss of our digital or physical records, the site is automatically configured to retrieve the backups and reset without human intervention required. The system administrator will be notified with the relevant log reports to be follow up where necessary.

In addition, at any point in time, there are at least concurrent development site that will be able to replace the production site where necessary. This arrangement is also necessary to prevent unforeseen errors while developing updates for the site. In order for us to utilize the development sites, only a change in the DNS is required and this will limit the site downtime.

Copies of the daily electronic records are synchronized across our physical storage device located at 218 – Level 5, Klang Midvalley Complex, Jalan Pasar, 41400 Klang, Selangor, Malaysia and our online cloud server as provided by Dropbox, Inc.

Dropbox files are encrypted with industry standard 256-bit Advanced Encryption Standard (AES). Data in transit during syncing are protected with Secure Sockets Layer (SSL)/Transport Layer Security (TLS). Files will only be shared with authorized parties in order to restrict the proliferation of sensitive information. Dropbox Inc. regularly tests its infrastructure and systems for security vulnerabilities in order to enhance securities and protect against attacks. In addition, we will be using the two-step verification at login for our Malaysian operations in due course.

Files stored in the physical storage device located at 218 – Level 5, Klang Midvalley Complex, Jalan Pasar, 41400 Klang, Selangor, Malaysia. will be encrypted with its own proprietary encryption. Our firm maintains its primary hard copy books and records at 218 – Level 5, Klang Midvalley Complex, Jalan Pasar, 41400 Klang, Selangor, Malaysia. Izmi bin Omar Marican, Chief Operating Officer, is responsible for the maintenance of these books and records.

Online records are backed up by paper records and backups are conducted once every six months.

Financial and Operational Assessments

Operational Risk

Due to the nature of our business, we are required to maintain communications with our clients and retrieve key activity records through our mission critical systems. In the event of an SBD, we will immediately identify all means of communication still available with our clients, employees, regulators and other key stakeholders. In addition, we will retrieve our key activity records as described in the section above, Data Back-Up and Recovery (Hard Copy and Electronic).

Financial and Credit Risk

In the event of an SBD, we will determine the value and liquidity of our investments and other assets to evaluate our ability to continue to fund our operations and remain in capital compliance. We will contact our Trustee, banks and investors to apprise them of our financial status. If we determine that we may be unable to meet our obligations to those counter-parties or otherwise continue to fund our operations, we will request additional financing from our bank or other credit sources to fulfill our obligations to our customers and clients. If we cannot remedy a capital deficiency, we will file appropriate notices with the regulators and immediately take appropriate steps.

Alternate Communications Between the Firm and Customers,Employees, and Regulators

Investors and Counterparties

Official communication between the firm and its present investors and issuers is via email. However, should an SBD render the internet unavailable, we will communicate with the other party through telephone. Should a written record be necessary, we will follow up this line of communication with a paper copy delivered by mail.

Employees

We communicate with our employees via email or Slack (an online office communicator) at present. Should there be no internet access, we will communicate via telephone.

Regulators

We would typically contact regulators via email. However, should an SBD render that inappropriate, we will explore other open communication lines such as phone calls or written communication.

Critical Business Constituents, Banks, and Counter-Parties

Business constituents

In light of an SBD, vendors supporting our operating activities will be advised on the extent to which we are able to resume our business relationship with them. We will establish alternative arrangements if the SBD impedes their ability to provide the goods to us when we need them.

Banks

We will contact our banks to determine if they can continue to provide the services that we will need in light of the internal or external SBD.

Disclosure of Business Continuity Plan

Attached is our written BCP disclosure statement we will provide customers (via email) before deals. We will also post the disclosure statement on our website and mail it to customers upon request.

Updates and Annual Review

Our firm will update this plan whenever we have a material change to our operations, structure, business or location or to those of our Trustee. In addition, our firm will review this BCP annually, on 30 April, to modify it for any changes in our operations, structure, business or location or those of our Trustee.

Senior Manager Approval

I have approved this Business Continuity Plan as reasonably designed to enable our firm to meet its obligations to customers in the event of an SBD.

Approved: Kee Yong Foo

Title: Chief Executive Officer

Date: 1 January 2024

NK’s Business Continuity Planning

NK has developed a Business Continuity Plan on how we will respond to events that significantly disrupt our business. Since the timing and impact of disasters and disruptions is unpredictable, we will have to be flexible in responding to actual events as they occur. With that in mind, we are providing you with this information on our business continuity plan.

Contacting Us – If after a significant business disruption, you cannot contact us as you usually do at our phone number or email, you should call our alternative number or go to our website at www.nusakapital.com.

Our Business Continuity Plan – Business continuity planning is a priority for NK. We understand any unexpected operating problems could have a significant negative impact on investors’ assets and overall operations of NK. Therefore, this is an area which will be prioritised and constantly developed.

NK’s business continuity process will include the following:

1. Maintain backup of business-critical data outside our operating region to ensure that business disruption will be kept to a minimum in case of a disaster within our office location.

2. Apart from having all data saved up in a physical storage in our office, we have and will continue to back up our data through cloud service provider Dropbox. We believe the benefits of Dropbox cloud storage for backup are the following:

   • Ease in accessing information through desktop and mobile devices. As our services will be largely offered online, we have the flexibility of carrying out our work in a different location (where internet services are available), should a disaster hit our office area.
   • Locations of data centres across the United States. Being in a different region and in several US states, provides risk diversification versus having only back up storage located in Malaysia or in neighbouring countries.
   • Ease in collaboration and file-sharing among employees, which is crucial in a disaster situation wherein employees may have to work in different locations.

3. In addition our service level agreement with our cloud servers providers includes a 99.9% network & hardware service level agreement. This includes the following systems in place.

   • Malware protection & scanning done by a combination of automated malware scans, integrity checks and web application firewall.
   • Brute force attacks are monitored and intrusions are prevented on both the server layer & web application layer.
   • Server is configured for elastic demand to cope with unexpected traffic request.
   • Data storage is configured with a CDN delivery network to ensure reachable access regardless of user location.

Varying Disruptions – Significant business disruptions can vary in their scope, such as only our firm, a single building housing our firm, the business district where our firm is located, the city where we are located, or the whole region.

Within each of these areas, the severity of the disruption can also vary from minimal to severe. In a disruption to only our firm or a building housing our firm, we will transfer our operations to a local site when needed and expect to recover and resume business within a 24 hours’ time period. In a disruption affecting our business district, city, or region, we will transfer our operations to a site outside of the affected area, and recover and resume business within a 24 hours’ time period.

In either situation, we plan to continue in business, transfer operations to our trustee if necessary, and notify you through our website at  www.nusakapital.com and our customer emergency number on how to contact us. If the significant business disruption is so severe that it prevents us from remaining in business, we will assure our customer’s prompt access to their fund.