CORPORATE CODE OF CONDUCT V8

CORPORATE CODE OF CONDUCT

VERSION 8.0 | MARCH 2026

GROOVY COMPANY, INC. DBA OTCM PROTOCOL

Wyoming Corporation | CIK: 1499275 | OTC: GROO

12 Daniel Rd East, Fairfield, NJ 07004

SEC Category 1 Model B | Release No. 33-11412 (March 17, 2026)

Introduction

Groovy Company, Inc. dba OTCM Protocol (“OTCM Protocol” or the “Company”) is a Wyoming Corporation operating a blockchain-based platform that enables the tokenization of equity securities as ST22 Digital Securities on the Solana blockchain under the SEC Category 1 Model B (Issuer-Sponsored Tokenized Securities) framework, pursuant to Release No. 33-11412 (March 17, 2026).

We publish regular updates and reports containing information regarding our platform operations, internal policies, business practices, and Category 1 Model B compliance status.

Scope of Application

This Corporate Code of Conduct applies to the Company and any subsidiaries, all personnel working in the United States, all personnel in foreign countries, and all contractors and consultants acting on behalf of the Company. This Code supplements, emphasizes, and clarifies certain aspects of the Company’s internal policies.

1. Obeying the Law

Obeying the law, both in letter and spirit, is the foundation on which OTCM Protocol’s ethical standards are built. The Company expects its personnel to maintain the highest ethical standards of business conduct and comply with all applicable federal laws and regulations, all applicable state laws, laws of countries where we operate, all internal policies and procedures, federal and state securities laws, and SEC Category 1 Model B compliance requirements under Release No. 33-11412.

Although personnel are not expected to know the details of each law, we encourage seeking advice from supervisors and managers for initial guidance, Legal Counsel for legal and regulatory questions, the Compliance Team for Category 1 and securities compliance questions, and Human Resources for employment and workplace questions.

2. Regulatory Compliance

2.1 Securities Compliance — Category 1 Model B Framework

OTCM Protocol operates SEC Category 1 Model B compliant infrastructure for issuer-sponsored ST22 Digital Securities under Release No. 33-11412. We maintain strict compliance with:

Regulation	Description
Securities Act of 1933	Registration requirements and exemptions
Securities Exchange Act of 1934	Trading and reporting requirements
State Securities Laws	Blue Sky laws in applicable jurisdictions
Reg D	Accredited investor offering exemption (U.S.)
Reg S	Offshore transaction framework (non-U.S. investors)
Transfer Agent Regulations	Empire Stock Transfer partnership compliance (Exchange Act §17A)
Release No. 33-11412	Binding Digital Securities taxonomy (March 17, 2026)

Category 1 Model B Compliance Requirements

Personnel must understand and support compliance with all Category 1 requirements:

Requirement	Personnel Obligation
Direct Issuer Authorization	Verify board resolutions are obtained before Common Class B creation
Official Shareholder Register	Ensure proper Certificate of Designation filing with issuer’s state of incorporation
Regulated Custody	Coordinate with Empire Stock Transfer (qualified custodian)
True Equity Backing	Verify 1:1 Common B share backing on all transactions via oracle attestation
Clear Ownership Chain	Maintain CUSIP assignment and documentation
Investor Protection	Ensure 42 Transfer Hook controls function on every transaction
Token Standard Compliance	Maintain SPL Token-2022 Transfer Hook compliance

2.2 Blockchain and AML Compliance

Regulation	Description
Bank Secrecy Act / FinCEN	AML program requirements, SAR/CTR filing obligations
OFAC Sanctions	Three-layer sanctions screening (wallet match, fuzzy entity, 2-hop clustering) via Chainalysis KYT + TRM Labs
Wyoming Business Corporation Act	Wyoming corporate governance requirements
KYC/KYB/KYW	Know Your Customer, Know Your Business, and Know Your Wallet verification via Empire Stock Transfer
Accredited Investor Verification	SEC Rule 501 verification by Empire Stock Transfer (sole onboarding authority)

2.3 Cybersecurity

Given our blockchain-based platform and the sensitive nature of Category 1 Model B compliant Digital Securities trading, we maintain strict cybersecurity policies:

• Regular smart contract security audits (Quantstamp, Halborn, Certora formal verification)

• Multi-signature wallet controls for treasury and protocol upgrades (3-of-5 / 5-of-9)

• Documented incident response procedures

• Regular penetration testing of all systems

• Continuous monitoring of 42 Transfer Hook controls

• Secure integration with Empire Stock Transfer custody systems

• Ledger Enterprise key management for institutional issuer token operations

3. Confidential Information and Insider Trading

We treat all non-public information about the Company, partner companies, ST22 Digital Securities, and business operations as confidential information.

3.1 Prohibited Activities

Personnel with access to confidential information are NOT permitted to:

• Buy or sell securities (including ST22 Digital Securities) based on material non-public information (MNPI)

• Disclose confidential information without authorization

• Use confidential information for personal financial gain

3.2 Protected Information

Information Type	Examples
Tokenization Plans	Upcoming ST22 Digital Securities tokenizations, issuer pipeline
Platform Metrics	Trading volumes, platform performance, CEDEX liquidity data
Business Development	Partnership negotiations, investor outreach, SEC engagement
Technical Information	Technical developments, vulnerabilities, Transfer Hook configurations, oracle systems
Customer Information	Investor data, trading patterns, accreditation status, wallet addresses
Regulatory Matters	Compliance issues, SEC Crypto Task Force correspondence, no-action letter status
Issuer Information	Non-public information about companies with tokenized Common B shares

ST22 Digital Securities are securities under federal securities laws (Release No. 33-11412). Insider trading prohibitions apply fully to ST22 tokens. Using non-public information for personal financial benefit is unethical, illegal under federal securities law, a violation of Company policy, and subject to immediate termination and regulatory referral.

4. Fair Competition and Market Integrity

OTCM Protocol is committed to open competition and fair dealing, transparent market operations without manipulation, accurate representation of our services, ethical marketing practices compliant with securities laws, and maintaining the integrity of Category 1 Model B compliance.

Personnel Expectations

• Conduct business in full compliance with all applicable competition laws

• Not engage in any anti-competitive behavior

• Avoid market manipulation or wash trading of ST22 Digital Securities

• Report any suspicious trading activities to the Compliance Team

• Maintain integrity of CEDEX bonding curve, Global Unified CEDEX Liquidity Pool, and Transfer Hook mechanisms

• Ensure all marketing complies with Reg D and Reg S requirements

Transfer Hook Integrity

Personnel must never:

• Attempt to bypass or disable any of the 42 Transfer Hook controls

• Make unauthorized changes to security parameters or governance settings

• Manipulate custody verification, oracle attestation, or compliance checks

• Help any person circumvent investor protection controls

5. Data Privacy and Protection

OTCM Protocol is committed to complying with all applicable data privacy laws while maintaining Category 1 Model B compliance data requirements, including CCPA/CPRA (California), GDPR (where applicable), state-specific privacy requirements, and regulatory data retention requirements for securities compliance.

Personnel Obligations

• Handle customer and investor data with utmost care and confidentiality

• Follow data retention and deletion policies

• Report data breaches immediately to the Compliance Team

• Complete required privacy training annually

• Understand that Category 1 compliance requires retention of KYC/AML/accreditation/KYW data

Category 1 Data Retention Requirements

Data Type	Retention Period	Regulatory Basis
KYC/KYW Records	5 years after account closure	Bank Secrecy Act
Transaction Records	7 years	Securities laws, IRS requirements
Accreditation Records	5 years	Reg D
OFAC Screening Records	5 years	OFAC regulations

6. Financial Integrity and Responsibility

Financial integrity and fiscal responsibility are core values. All Company team members are responsible for ensuring Company funds are appropriately spent, maintaining complete and accurate financial records, following internal controls and approval processes, protecting Company assets including cryptocurrency holdings and the OTCM Protocol Solana Treasury, reporting any suspected fraud or financial irregularities, and protecting SOL treasury and protocol funds.

Internal Controls

• Segregation of duties — no single person controls an entire transaction

• Multi-level approval workflows for significant transactions

• Internal and external audit processes

• Regular reconciliation of blockchain and traditional accounts

• Regular verification of Empire Stock Transfer custody holdings against on-chain token supply

7. Conflicts of Interest

All Company personnel have an obligation to always do what is best for the Company and its users.

Potential Conflicts Include

• Personal investments in companies seeking ST22 Digital Securities tokenization

• Financial interests in competing platforms

• Outside business activities interfering with job duties

• Accepting gifts or entertainment from vendors beyond nominal value

• Family members working for competitors or partners

• Personal trading in ST22 Digital Securities or OTCM Utility Tokens on CEDEX

• Personal relationships with issuer management

Personnel Must

• Disclose all actual and potential conflicts to their supervisor and the Compliance Team

• Obtain approval before engaging in potentially conflicting activities

• Avoid situations that could create conflicts

• Pre-clear all personal trading in ST22 and OTCM tokens

• Complete annual conflict of interest certification

Personal Trading Policy

Personnel with access to material non-public information must observe trading blackout periods around material events, obtain pre-clearance before trading ST22 Digital Securities or OTCM Utility Tokens, report all personal holdings and transactions in platform tokens, and observe minimum holding periods established by the Compliance Team.

8. Anti-Corruption and Sanctions

8.1 Anti-Bribery

OTCM Protocol prohibits ALL forms of bribery and corruption. Personnel may NOT offer, promise, or give bribes; request or accept bribes; make facilitation payments; use third parties to engage in prohibited conduct; or make improper payments to government officials.

8.2 International Trade and Sanctions

We maintain strict compliance with economic sanctions imposed by the United States (OFAC), the United Nations, and the European Union (where applicable). Personnel must screen all transactions and counterparties, not engage with sanctioned parties, report any potential sanctions issues immediately, complete required sanctions training, and understand that Transfer Hook Controls 8–10 enforce OFAC screening on every ST22 transaction automatically.

All ST22 Digital Securities transactions are automatically screened against OFAC sanctions lists via the three-layer Transfer Hook architecture (exact wallet match, fuzzy entity name, 2-hop address clustering). Personnel must never attempt to circumvent these controls.

9. Workplace Policies

9.1 Health and Safety

OTCM Protocol strives to provide a safe and healthy workplace. All Company locations must comply with OSHA requirements, local health and safety regulations, and Company safety policies. Personnel are responsible for following all safety procedures, reporting hazards and incidents, using required safety equipment, and supporting a culture of safety.

9.2 Equal Opportunity Employment

OTCM Protocol is an equal opportunity employer. Employment decisions are based solely on merit, qualifications, and abilities. We do not discriminate based on race, color, national origin, religion, gender, gender identity, gender expression, sexual orientation, age, disability, military or veteran status, genetic information, pregnancy, or any other characteristic protected by law.

9.3 Anti-Harassment

We are committed to maintaining a workplace free from all forms of harassment, including sexual harassment, verbal harassment, visual harassment, digital harassment, and bullying. All personnel must treat colleagues with respect, report harassment immediately, cooperate with investigations, and complete required training.

10. Modern Slavery and Human Trafficking

OTCM Protocol is committed to ensuring that modern slavery and human trafficking are not taking place in our business or supply chain. We conduct due diligence on suppliers and partners, include anti-slavery provisions in contracts, train personnel on recognizing signs of modern slavery, and report any suspected instances to authorities.

11. Reporting Violations

11.1 Reporting Obligation

All personnel have an obligation to report violations of this Code of Conduct, violations of law or regulation, unethical business conduct, concerns about accounting or auditing matters, Category 1 Model B compliance concerns, and cybersecurity or Transfer Hook security concerns.

11.2 Reporting Channels

Channel	Contact
Direct Supervisor	Your immediate supervisor
Legal Counsel	frank@otcm.io
Compliance Team	compliance@otcm.io
Human Resources	hr@otcm.io
Anonymous Ethics Hotline	ethics@otcm.io (anonymous reporting available)

11.3 No Retaliation

OTCM Protocol prohibits retaliation against anyone who makes a good faith report of violations, participates in investigations, refuses to participate in wrongdoing, or exercises legal rights.

12. Consequences of Violations

Violations of this Code of Conduct may result in:

• Verbal warning for initial minor violations

• Written documented warning for repeated or serious violations

• Financial penalties including forfeiture of bonus or clawback of compensation

• Reassignment to a different role

• Termination of employment

• Civil or criminal prosecution

• Referral to the SEC, FinCEN, OFAC, or other regulators

13. Acknowledgment and Certification

All personnel must:

• Read and understand this Code of Conduct

• Acknowledge receipt and understanding annually

• Certify compliance with all provisions

• Complete all required training

• Disclose conflicts of interest annually

• Disclose personal trading in platform tokens

14. Amendments

This Code of Conduct may be amended at any time by the Company’s Board of Directors. All amendments will be communicated to personnel, posted on the Company website, and personnel will be notified via email.

15. Contact Information

Contact	Email
Legal Counsel	frank@otcm.io
Compliance Team	compliance@otcm.io
Human Resources	hr@otcm.io
Ethics Hotline	ethics@otcm.io
Mailing Address	12 Daniel Rd East, Fairfield, NJ 07004
Phone	1-404-734-3277

Document Information

Field	Value
Document Title	Corporate Code of Conduct
Version	8.0
Effective Date	March 2026
Legal Entity	Groovy Company, Inc. dba OTCM Protocol
Entity Type	Wyoming Corporation
Governing Law	New Jersey State Law and Federal Law
Regulatory Framework	SEC Category 1 Model B — Release No. 33-11412 (March 17, 2026)

By working at Groovy Company, Inc. dba OTCM Protocol, you acknowledge that you have read and understood this Corporate Code of Conduct, agreed to comply with all provisions, understand our Category 1 Model B compliance obligations, understand that ST22 Digital Securities are securities under federal law, and are committed to maintaining Transfer Hook and compliance system integrity.

ST22 Digital Securities are Category 5 Digital Securities under SEC–CFTC Release No. 33-11412 (March 17, 2026). Personnel must understand and comply with all applicable securities laws and Category 1 Model B requirements. Groovy Company, Inc. dba OTCM Protocol is a Wyoming Corporation (CIK: 1499275).