WHISTLEBLOWER POLICY
VERSION 8.0 | MARCH 2026
GROOVY COMPANY, INC. DBA OTCM PROTOCOL
Wyoming Corporation | CIK: 1499275 | OTC: GROO | 12 Daniel Rd East, Fairfield, NJ 07004
SEC Category 1 Model B | Release No. 33-11412 | BOARD APPROVED | PUBLIC
Field | Value |
Document ID | OTCM-POL-WBP-001 |
Version | 8.0 (supersedes V1.0) |
Effective Date | March 2026 |
Classification | PUBLIC |
Approved By | Board of Directors |
Legal Entity | Groovy Company, Inc. dba OTCM Protocol |
Article I: Purpose and Commitment
Section 1.1 — Purpose
This Whistleblower Policy (the “Policy”) establishes a framework for the reporting, investigation, and resolution of concerns regarding illegal, unethical, or improper conduct at Groovy Company, Inc. dba OTCM Protocol (the “Company”). The Policy encourages reporting, protects whistleblowers from retaliation, enables early detection of misconduct, ensures legal and regulatory compliance, fosters a culture of integrity, and safeguards the OTCM Protocol ecosystem including CEDEX and all ST22 Digital Securities infrastructure.
Section 1.2 — Company Commitment
Groovy Company, Inc. dba OTCM Protocol is committed to maintaining the highest standards of ethical conduct, legal compliance, and corporate governance. We encourage all individuals to report concerns without fear of retaliation. Every report will be taken seriously and investigated appropriately.
Section 1.3 — Regulatory Framework
Regulation | Description |
Sarbanes-Oxley Act §301 | Audit Committee complaint procedures |
Sarbanes-Oxley Act §806 | Whistleblower protections for employees of public companies |
Dodd-Frank Act §922 | SEC whistleblower program and financial awards |
SEC Rule 21F | Whistleblower rules and awards (10–30% of sanctions over $1M) |
Securities Exchange Act | Anti-fraud provisions |
Release No. 33-11412 | SEC–CFTC Digital Securities taxonomy (March 17, 2026, binding) |
Wyoming / New Jersey Statutes | State whistleblower protections |
Article II: Scope and Coverage
Section 2.1 — Who May Report
This Policy applies to reports by employees (full-time, part-time, temporary), officers and directors, contractors and consultants, vendors and service providers, platform participants (issuers, ST22 Digital Securities holders, CEDEX traders), family members of any of the above, and any third party with knowledge of misconduct.
Section 2.2 — Protected Activities
• Making a good faith report of suspected misconduct
• Participating in an investigation
• Providing information to investigators
• Reporting to regulatory agencies (SEC, CFTC, FinCEN, DOJ, OSHA)
• Testifying in legal or regulatory proceedings
• Refusing to participate in illegal activity
Section 2.3 — Good Faith Requirement
Reports must be made in good faith — the reporter genuinely believes the information is true at the time of reporting. Good faith reports are protected even if the investigation determines the concern was unfounded. Knowingly false, malicious, or fabricated allegations are not protected and may result in disciplinary action.
Article III: Reportable Concerns
Section 3.1 — Financial and Accounting
Financial statement fraud, asset misappropriation, improper revenue recognition, expense manipulation, interference with auditors, circumvention of internal controls, misleading SEC filings, omission of material facts, tax evasion, and improper tax positions.
Section 3.2 — Securities Law Violations
Insider trading (trading on MNPI, tipping), market manipulation (wash trading, pump-and-dump on CEDEX), disclosure violations, undisclosed related party transactions, misrepresentations in ST22 Digital Securities or OTCM token offerings, and false SEC filings.
Section 3.3 — Platform and Blockchain Concerns
Category | Examples |
Smart Contract Issues | Vulnerabilities, unauthorized modifications to Transfer Hook controls or CEDEX contracts |
Liquidity Manipulation | Global Unified CEDEX Liquidity Pool manipulation, unfair trading advantages |
Custody Concerns | Mishandling of custodied Common B shares or Series “S” shares at Empire Stock Transfer |
Issuer Misconduct | Fraud by platform issuers, misrepresentation of business status or financials |
Key Management | Improper handling of Ledger Enterprise keys, unauthorized wallet access |
Security Breaches | Unauthorized access, hacks, compromised oracle systems |
Oracle Manipulation | Falsified custody attestation data, manipulated price feeds |
Transfer Hook Tampering | Unauthorized changes to any of the 42 Transfer Hook controls |
Section 3.4 — Legal and Regulatory
Bribery and corruption, AML violations and suspicious transactions, OFAC sanctions violations, operating without required licenses, data protection and privacy violations, and anti-competitive conduct.
Section 3.5 — Workplace and Ethical Concerns
Discrimination, harassment, unsafe working conditions, wage/hour violations, retaliation against whistleblowers, conflicts of interest, improper gifts or entertainment, falsification of records, misappropriation of Company property, breach of confidentiality, and Code of Conduct violations.
Article IV: Reporting Channels
Section 4.1 — Internal Reporting Channels
Channel | Contact | Best For |
Option 1: Compliance Officer | compliance@otcm.io — Subject line: “Whistleblower Report – Confidential” | General concerns, platform/blockchain issues |
Option 2: Legal Counsel | frank@otcm.io — Subject line: “Whistleblower Report – Confidential” | Legal/regulatory concerns, concerns about Compliance Officer |
Option 3: Audit Committee Chair | auditcommittee@otcm.io — Direct to independent directors | Financial/accounting concerns, concerns about management |
Option 4: Ethics Hotline | ethics@otcm.io — Anonymous reporting available. Operated by independent third party. | Anonymous reporting, any concern |
Option 5: Direct Supervisor | Your immediate supervisor | Routine workplace concerns (escalate if not resolved) |
Section 4.2 — Anonymous Reporting
Anonymous reports ARE accepted and will be investigated with the same process as identified reports. Anonymous reporting is available through the Ethics Hotline. Consider providing a contact method for follow-up questions, as anonymity may limit the ability to provide feedback or request additional information.
Section 4.3 — Information to Include
When making a report, include as much of the following as possible: what happened or is happening, individuals involved, dates and times, location (physical or system), documents or evidence, witnesses, potential or actual harm, and any other relevant context.
Section 4.4 — Blockchain-Specific Reports
For concerns involving blockchain or platform operations, also include: relevant Solana wallet addresses, transaction signatures (hashes), smart contract program addresses, ST22 Digital Securities token symbol or OTCM token, relevant block numbers or slots, and Solscan or Solana Explorer links.
Article V: Confidentiality
Section 5.1 — Commitment
The Company will protect the confidentiality of whistleblowers to the fullest extent possible. The reporter’s identity is kept confidential, reports are stored securely with limited access, information is shared only on a need-to-know basis, and anonymous reporting is available.
Section 5.2 — Limits on Confidentiality
Confidentiality may be limited by: court order or subpoena, necessity for a fair investigation, prevention of imminent serious harm, required disclosure to regulators, or the reporter’s consent. Investigation details are kept confidential, witness statements are not disclosed to the accused, findings are shared on a need-to-know basis, and the accused is informed of allegations but not the source.
Article VI: Anti-Retaliation Protection
RETALIATION AGAINST WHISTLEBLOWERS IS STRICTLY PROHIBITED AND WILL NOT BE TOLERATED. Any person who retaliates against a whistleblower will be subject to disciplinary action, up to and including termination.
Section 6.1 — Definition of Retaliation
Retaliation includes any adverse action taken because of a protected activity: termination, demotion, compensation reduction, undesirable assignments, involuntary transfer, intimidation or threats, negative performance reviews, denial of promotion or training, negative references or blacklisting, and threats of legal action.
Section 6.2 — Reporting and Investigating Retaliation
If you believe you have experienced retaliation: report immediately to the Compliance Officer, Legal Counsel, or Audit Committee; document all instances; identify witnesses; and preserve relevant communications. All retaliation claims are investigated promptly, may involve outside counsel, and may result in interim protective measures. Retaliators are subject to discipline up to and including termination.
Section 6.3 — Protection Period
Anti-retaliation protections apply during reporting, throughout the investigation, indefinitely after the matter is concluded, and for participation in any investigation.
Article VII: Investigation Procedures
Section 7.1 — Receipt and Assessment
Step | Timeline |
Report received and logged | Within 24 hours |
Acknowledgment to reporter (if not anonymous) | Within 48 hours |
Initial assessment completed | Within 5 business days |
Decision on investigation scope | Within 5 business days |
Section 7.2 — Investigation Assignment
Concern Type | Primary Investigator |
Financial / Accounting | Audit Committee (may retain external counsel or forensic accountants) |
Legal / Regulatory | Legal Counsel (may involve external counsel) |
HR / Workplace | Human Resources (may involve external counsel) |
Platform / Technical / Blockchain | CTO + Compliance Officer (may involve blockchain security firm) |
Senior Management | Audit Committee (external counsel required) |
Board Members | Special Committee of independent directors |
Section 7.3 — Investigation Process
• Step 1: Plan — develop investigation plan and timeline
• Step 2: Preserve — preserve relevant documents, blockchain data, and platform logs
• Step 3: Collect — gather documents, records, on-chain data, Chainalysis/TRM reports
• Step 4: Interview — interview witnesses and relevant parties
• Step 5: Analyze — analyze evidence and identify findings
• Step 6: Report — prepare written investigation report
• Step 7: Recommend — recommend corrective actions
• Step 8: Close — close investigation and document resolution
Section 7.4 — Blockchain Investigations
For blockchain-related concerns, investigations may include on-chain transaction analysis, wallet tracing via Chainalysis KYT and TRM Labs, smart contract code audit and execution review, blockchain forensics, Ledger Enterprise key management log review, CEDEX platform activity log analysis, and Transfer Hook event log review.
Section 7.5 — Communication and Corrective Actions
Reporters receive acknowledgment within 48 hours, status updates every 30 days during ongoing investigations, and outcome notification upon conclusion (to the extent appropriate). Corrective actions may include disciplinary measures (warning through termination), financial recovery or compensation clawback, policy/procedure changes, additional training requirements, referral to law enforcement or regulators (SEC, CFTC, FinCEN, DOJ), or platform-level action (suspension, ST22 token freezing via Transfer Hook Control 42).
Article VIII: Audit Committee Oversight
The Audit Committee has primary oversight responsibility for: establishing complaint receipt procedures, overseeing investigation of financial/accounting concerns, handling concerns about senior management, receiving whistleblower activity reports, and monitoring program effectiveness.
Any person may report directly to the Audit Committee at auditcommittee@otcm.io without going through management. Reports go directly to the Audit Committee Chair and bypass all management channels.
The Compliance Officer reports to the Audit Committee: quarterly summary of reports received, quarterly investigation status, significant matters immediately, trends and patterns annually, and program effectiveness annually.
Article IX: External Reporting Rights
Section 9.1 — Right to Report Externally
Nothing in this Policy prevents any person from reporting concerns directly to government agencies or regulators. You have the right to report to:
Agency | Types of Concerns |
SEC | Securities law violations — sec.gov/whistleblower — (202) 551-4790 |
CFTC | Commodities law violations — cftc.gov/whistleblower |
FinCEN | Money laundering, BSA violations — fincen.gov |
DOJ | Criminal matters |
EEOC | Employment discrimination — eeoc.gov |
OSHA | Workplace safety, whistleblower retaliation — osha.gov |
State Regulators | State law violations (Wyoming, New Jersey, others) |
Section 9.2 — SEC Whistleblower Program
The SEC Whistleblower Program provides financial awards (10–30% of sanctions exceeding $1 million), federal anti-retaliation protections, confidentiality of whistleblower identity, and private right of action for retaliation.
Section 9.3 — No Prior Internal Reporting Required
You are NOT required to report internally before reporting to a government agency. However, internal reporting may allow faster resolution and demonstrate good faith.
Section 9.4 — Defend Trade Secrets Act Notice
Pursuant to the Defend Trade Secrets Act of 2016 (18 U.S.C. § 1833(b)): An individual shall not be held criminally or civilly liable under any federal or state trade secret law for the disclosure of a trade secret made in confidence to a government official or attorney solely for the purpose of reporting or investigating a suspected violation of law, or in a complaint or other document filed under seal in a lawsuit. An individual who files a retaliation lawsuit may disclose trade secrets to their attorney and use them in court proceedings if filed under seal.
Article X: Administration
Section 10.1 — Policy Owner
The Compliance Officer is responsible for day-to-day administration, receiving and logging reports, tracking investigations and outcomes, reporting to the Audit Committee, conducting training, and recommending program improvements.
Section 10.2 — Training
Type | Audience | Frequency |
Policy Overview | All employees | Upon hire + annually |
Investigation Training | Designated investigators | Upon assignment + annually |
Audit Committee Training | Committee members | Annually |
Management Training | Supervisors and managers | Annually |
Platform-Specific | Technical staff (blockchain, CEDEX, Transfer Hooks) | Annually |
Section 10.3 — Recordkeeping
Record | Retention Period |
Reports Received | 7 years |
Investigation Files | 7 years after closure |
Audit Committee Reports | Permanent |
Training Records | 5 years |
Retaliation Complaints | 7 years after resolution |
Section 10.4 — Annual Review and Amendments
This Policy is reviewed annually by the Compliance Officer and Audit Committee covering legal compliance, program effectiveness, process improvements, industry best practices, and platform changes. Administrative changes may be approved by the Compliance Officer; reporting channel changes require Legal Counsel approval; material changes require Audit Committee approval.
Questions: compliance@otcm.io
Acknowledgment and Certification
I acknowledge that I have received and read the Groovy Company, Inc. dba OTCM Protocol Whistleblower Policy. I understand its contents and my rights and responsibilities under this Policy.
I understand that I may report concerns through any of the channels described in this Policy, I may report anonymously through the Ethics Hotline, I will be protected from retaliation for good faith reports, and I may report directly to government agencies at any time.
I agree to report any concerns about illegal, unethical, or improper conduct that I become aware of in connection with my relationship with the Company.
Field | Value |
Signature | _________________________________ |
Date | _________________________________ |
Printed Name | _________________________________ |
Title / Position | _________________________________ |
Appendix A: Reporting Quick Reference
Internal Channels
Channel | Contact | Best For |
Compliance Officer | compliance@otcm.io | General concerns |
Legal Counsel | frank@otcm.io | Legal/regulatory issues |
Audit Committee | auditcommittee@otcm.io | Financial, senior management |
Ethics Hotline | ethics@otcm.io | Anonymous reporting |
External Agencies
Agency | Contact |
SEC Whistleblower | sec.gov/whistleblower — (202) 551-4790 |
CFTC Whistleblower | cftc.gov/whistleblower |
FinCEN | fincen.gov |
EEOC | eeoc.gov |
OSHA | osha.gov |
Document Information
Field | Value |
Document ID | OTCM-POL-WBP-001 |
Version | 8.0 |
Effective Date | March 2026 |
Classification | PUBLIC |
Legal Entity | Groovy Company, Inc. dba OTCM Protocol |
Entity Type | Wyoming Corporation |
Governing Law | Federal Securities Law, SOX, Dodd-Frank, and New Jersey State Law |
Approved By | Board of Directors |
© 2026 Groovy Company, Inc. dba OTCM Protocol | All Rights Reserved