Flowrex Code of Conduct & Ethics Policy

Introduction

This Code of Conduct and Ethics Policy (“Code”) defines the standards of integrity, professionalism, and compliance expected of all employees and officers of the firm, a Crypto-Asset Service Provider (CASP). The Code is aligned with the EU Markets in Crypto-Assets (MiCA) Regulation and international best practices, including MiCA Article 66 on acting in clients’ best interests and MiCA Article 72 on conflicts of interest. It also incorporates principles from ISO/IEC 27001:2022 (information security management) and relevant laws (e.g. GDPR for data protection). Every employee is required to understand and adhere to these guidelines to ensure ethical conduct and full compliance across all operations.

1. General Ethical Principles

  • Fair and Honest Trading Practices: All personnel must engage in business and trading activities with honesty, fairness, and integrity. Employees shall act honestly, fairly, and professionally in accordance with the best interests of clients and prospective clients. This means avoiding deceptive practices, treating all clients fairly, and not giving any client an unfair advantage. Our trading practices and pricing must be transparent and MiCA-compliant, ensuring no manipulation or unfair discrimination among clients.
  • Professionalism and Transparency in Client Interactions: Employees are expected to maintain the highest level of professionalism when dealing with clients, colleagues, and counterparties. We communicate in a clear, accurate, and non-misleading manner at all times. All marketing materials, client communications, and disclosures must be truthful and complete, properly explaining the risks of crypto-asset services. We foster trust by being responsive to client inquiries, providing timely and transparent information about services, fees, and terms. Any potential conflicts or issues affecting a client’s interest should be proactively disclosed and explained in plain language.
  • Market Integrity and Anti-Manipulation: The Firm is committed to upholding market integrity. Employees must never engage in or facilitate market manipulation, spreading of false information, or any activities that could disrupt fair price formation. We have zero tolerance for any form of deceitful market conduct. All trading shall reflect genuine supply and demand. Attempts to artificially influence prices, volumes, or market metrics (e.g. through wash trading, pump-and-dump schemes, spoofing orders, etc.) are strictly prohibited. These principles align with MiCA’s requirements to maintain honest markets and avoid manipulative behavior.

2. Market Conduct & Integrity

  • Prohibition of Market Abuse (Insider Trading & Manipulation): Engaging in insider dealing or any form of market abuse is strictly forbidden. Employees must not use inside information about crypto-assets or clients to trade improperly or tip others. We adhere to MiCA’s market integrity rules, which establish strict rules to detect and prevent insider dealing, unlawful disclosure of inside information, and market manipulation. This includes refraining from trading on material non-public information, not sharing confidential information outside authorized channels, and avoiding any conduct that could constitute market manipulation. The firm maintains surveillance and reporting systems to monitor trading activities and will report suspected market abuse to regulators as required.
  • Anti-Money Laundering (AML) Compliance: The Firm fully complies with all Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) laws and regulations. All employees are responsible for following the company’s AML policies and procedures. This includes conducting thorough Customer Due Diligence (“Know Your Customer” checks) during onboarding and ongoing monitoring of client transactions for suspicious activity. Employees must promptly escalate any red flags or unusual transactions to the Compliance team for investigation. We maintain record-keeping and reporting mechanisms (e.g. filing Suspicious Activity Reports) as mandated by law. By rigorously enforcing AML compliance, we protect the platform from being misused for illicit purposes and uphold the integrity of the financial system.
  • Prevention of Conflicts of Interest (MiCA Article 72): We have robust policies to identify, prevent, and manage conflicts of interest in our business. A conflict of interest arises when personal, financial, or other considerations may compromise an employee’s objectivity or loyalty to the company or its clients. In accordance with MiCA Article 72, the firm implements procedures for the identification, prevention, management, and disclosure of conflicts of interest. All employees must avoid situations where their private interests (or those of close relatives or associates) conflict with the interests of clients or the company. For example, employees may not preferentially trade on their own account ahead of client orders (no front-running), and any personal crypto investments must comply with our personal trading policy (including pre-clearance and holding period requirements, where applicable). If a potential conflict is identified, it must be promptly disclosed to management. The Firm will transparently inform affected clients of the general nature and source of conflicts when they cannot be fully prevented, and obtain clients’ consent if required. The client’s interests shall always be treated as paramount unless explicit informed consent is given by the client to proceed otherwise.

3. Client Protection & Confidentiality

  • Safeguarding Client Funds and Assets: Protecting client assets is a fundamental fiduciary duty of The Firm. All client crypto-assets and fiat funds are safeguarded with a high level of care, including use of secure custody solutions and segregation of client assets from the company’s own assets. Under MiCA, CASPs must not use clients’ assets for their own accounts, so we never rehypothecate or leverage client holdings without explicit prior client consent and full disclosure. Internal controls ensure accurate record-keeping of each client’s balances and prompt reconciliation of assets. We maintain appropriate insurance or compensation arrangements where applicable to cover potential losses or theft of client assets. Employees handling client funds must follow strict security procedures (e.g. multi-signature approvals, hardware security modules) to prevent unauthorized access or misappropriation. Any breach of asset safeguarding protocols is treated with utmost severity.
  • Data Protection and Privacy (ISO 27001 A.5.18 & GDPR): We are committed to protecting the confidentiality and privacy of client data. All personal data and sensitive information obtained from clients or generated through our operations are handled in compliance with the EU General Data Protection Regulation (GDPR) and applicable privacy laws. We collect and process only the data that is necessary for legitimate business purposes and regulatory obligations, and we do so lawfully and transparently. Access to client data is tightly controlled under the principle of least privilege – only authorized personnel with a clear business need are granted access, in line with ISO 27001:2022 control A.5.18 (Access Rights) which ensures that access to information assets is defined and restricted. We implement strong security measures (encryption, two-factor authentication, network security controls, etc.) to safeguard data against unauthorized access or breaches. Employees must keep client information strictly confidential and must not disclose or share it with any unauthorized parties. Any suspected data breach or loss of confidential information must be immediately reported to the Information Security and Compliance teams for prompt action. Regular audits are conducted to ensure adherence to our data protection policies, and employees receive training on data privacy requirements and cybersecurity hygiene.
  • Responsible Marketing and Communication: Our marketing and communications adhere to high ethical standards and regulatory requirements. We do not engage in misleading advertising, overstate the benefits of crypto-asset investments, or downplay the risks. All promotional materials, social media posts, and public statements must be reviewed (e.g. by Compliance or Legal) for fairness and clarity. We ensure that risk warnings and disclaimers are prominently included where required. Targeted marketing is conducted responsibly, avoiding vulnerable populations and ensuring suitability where appropriate. In client communications, we provide balanced information – for instance, we communicate pricing, fees, and terms in a transparent manner, and we notify clients of important changes or incidents promptly. Employees must refrain from making any false or unsubstantiated claims about our services or the crypto market. By communicating honestly and responsibly, we protect our clients from misunderstandings and help maintain trust in our brand and the broader market.

4. Whistleblower Protection & Reporting Mechanisms

  • Internal Reporting Procedures: The firm encourages all employees to speak up and report any suspected misconduct, unethical behavior, or violations of this Code or laws. We maintain clear internal procedures for reporting such concerns, including anonymous or confidential channels. Employees can report issues to their manager, the Compliance Officer, the Risk Officer, or through a dedicated whistleblower system from Iubenda. Reports can be made without fear – even suspicions or preliminary concerns should be raised so that they can be properly investigated. The company will investigate all reports promptly and thoroughly, taking appropriate action to address any confirmed wrongdoing. We also fulfill any regulatory reporting duties (e.g. notifying authorities when required by law). Documentation of reported incidents and follow-up actions is kept to ensure accountability and continuous improvement of our controls.
  • Non-Retaliation Policy: Retaliation against anyone who in good faith reports a concern or potential violation is strictly prohibited. This non-retaliation protection covers all whistleblowers, whether they are employees, contractors, or other stakeholders reporting issues. Any form of retaliation – such as demotion, harassment, intimidation, dismissal, or discrimination – will itself be treated as a serious violation of the Code. Managers have a special responsibility to foster an environment where team members feel safe to voice concerns. If an employee believes they have faced retaliation, they should report it immediately to senior management or the Board, and it will be addressed decisively. By guaranteeing protection to whistleblowers, we ensure that ethical and legal issues can be raised early and corrected, which ultimately strengthens the company’s governance.
  • Accountability and Alignment with ISO 27001 A.5.3: We foster a culture of accountability and responsibility at all levels of the organization. Everyone, from senior executives to junior staff, is expected to take ownership of their actions and uphold the principles of this Code. Management will not only set a strong “tone from the top” but also be accountable for addressing any reported issues in a timely and fair manner. This approach aligns with ISO 27001:2022 guidelines (e.g. control A.5.3 on segregation of duties and avoidance of conflicting responsibilities) by ensuring no individual has unchecked power that could enable unethical conduct. Duties and decision-making powers are distributed so that oversight is in place – for example, critical processes require dual-control or approval from independent functions (Compliance, Risk, or Audit). Such internal checks and balances support an environment where wrongdoing is less likely to occur or be concealed, and where employees feel confident that reporting a concern will lead to accountable action. In essence, ethical conduct is everyone’s responsibility, and the organization’s structure and culture reinforce that principle.

5. Compliance & Disciplinary Actions

  • Enforcement of the Code: This Code is an integral part of the firm’s internal governance. All employees and associated persons are expected to comply with it fully. The Compliance Department, in coordination with HR and senior management, will enforce the Code. Any breach of the Code or relevant laws/regulations will result in prompt investigation and, if substantiated, appropriate disciplinary action. Disciplinary measures may range from retraining and warnings for minor or unintentional violations, up to suspension, termination of employment, or legal action for serious misconduct or willful breaches. In cases of illegal activity or regulatory violations, the company will report to the appropriate authorities as required. No individual, regardless of rank or position, is exempt from the Code. Willful ignorance or failure to report a known violation is itself a breach of this policy. Regular reviews of compliance with this Code will be conducted, and any identified weaknesses will be remedied.
  • Regular Staff Training and Acknowledgment: The firm provides comprehensive training to ensure all staff understand this Code of Conduct, relevant regulations, and their ethical responsibilities. New employees receive training on the Code and must sign an acknowledgment that they have read, understood, and agree to abide by it. All staff are required to reaffirm their commitment to the Code at least annually (for example, through annual compliance refresher courses and a signed attestation). Training covers key topics such as MiCA obligations, anti-money laundering procedures, data protection duties, cybersecurity awareness (in line with ISO 27001 standards), and how to handle ethical dilemmas. We keep records of all training and attestations as evidence of compliance. By regularly educating our team and refreshing their knowledge, we embed a continuous awareness of ethical best practices and regulatory requirements in our corporate culture.
  • Oversight by Compliance and Risk Functions: The Compliance and Risk functions have oversight responsibilities to ensure that the principles of this Code are integrated into daily operations. The Compliance Officer is responsible for monitoring adherence to regulatory obligations (MiCA, AML, etc.) and this Code, providing guidance to the business, and reporting compliance issues to senior management and the Board. The Risk Management function identifies and assesses risks (including misconduct or fraud risks) and ensures that adequate controls (policies, procedures, system safeguards) are in place to mitigate them. These control functions operate independently of the business lines to provide objective oversight. They conduct periodic reviews and audits of activities to detect any deviations from the Code or regulatory requirements. Findings and recommendations are reported to leadership, and follow-up is tracked. Senior management and the Board of Directors receive regular reports on compliance and ethics matters, and they endorse a strong compliance culture. In addition, an internal or external audit may periodically evaluate the effectiveness of our compliance program and ethical controls. Through diligent oversight and a commitment to continuous improvement, The Firm ensures that the spirit and letter of this Code of Conduct and Ethics Policy are upheld at all times.

Conclusion: This Code of Conduct and Ethics Policy is approved by the firm’s Board of Directors and is binding on all employees and contractors. It is reviewed at least annually (and whenever significant regulatory changes occur) to ensure it remains up-to-date with evolving laws, regulations, and best practices. Every member of The Firm is responsible for reading, understanding, and living by this Code. By following these principles, we not only comply with MiCA, ISO 27001, and other legal requirements, but we also reinforce a culture of trust, integrity, and excellence that defines how we do business. Compliance with the Code is a condition of employment, and it is crucial for protecting our clients, our organization’s reputation, and the integrity of the crypto-asset market as a whole.