Business Continuity Plan

This summary describes how Amaltash prepares for, responds to, and recovers from emergencies and significant business disruptions (SBDs) so that our customers retain access to their assets.

Last Updated: June 2026|Version: 1.0

1. Overview

Rainbow Labs Inc ("Amaltash," "we," "us," or "our") maintains a written Business Continuity Plan (BCP) — a documented system of prevention, response, and recovery designed to address potential threats to the firm and its services.

The BCP's objective is to recover and resume business operations as quickly and completely as possible following an emergency or significant business disruption, while safeguarding customer assets, books, and records throughout the event.

Scope

The BCP applies to all Amaltash systems, services, employees, contractors, and third-party vendors that support the availability of the platform or the protection of customer assets and records. Because the severity and scope of any disruption can vary, the plan is flexible and is adjusted to the nature of each event.

2. Regulatory Context

Amaltash operates under a combination of its own regulatory registrations and obligations and those of its regulated brokerage and custodian partner, Alpaca. Maintaining a Business Continuity Plan is both a direct expectation at the regulated layers of our own business and a requirement of Alpaca's regulators (including obligations modeled on FINRA Rule 4370 and SEC Regulation SCI principles). Amaltash maintains this BCP to meet those obligations and to uphold the resilience our customers depend on.

Amaltash is a technology platform operated by Rainbow Labs Inc. We do not take custody of customer assets ourselves. Customer assets are held one of two ways:

  • Amaltash brokerage accounts — custody of assets and the execution and clearing of securities transactions are provided by our regulated brokerage and custodian partner, Alpaca, which is responsible for the regulatory obligations attaching to those activities.
  • Connected (bring-your-own) brokerages and exchanges — customers may instead connect their own third-party broker or exchange. In that model the customer's assets remain custodied at their own institution; Amaltash connects only through trading-scoped API keys and has no custody of, and no ability to withdraw or move, those assets.

3. Mission-Critical Systems & Contacts

The BCP identifies every mission-critical system — those required to keep customers' orders, funds, and records available — and assigns each a named internal owner and an escalation contact. The table below summarizes these systems and their responsible parties.

Mission-Critical SystemProviderResponsible Owner & Contact
Customer asset custody, clearing & executionAlpaca (regulated brokerage, clearing & custodian partner)Head of Brokerage Operations — support@amaltash.com
Trading & strategy execution engineAmaltash (FastAPI services on Google Cloud Run)Head of Engineering — support@amaltash.com
Customer database & books/recordsGoogle Cloud SQL (PostgreSQL 17, Regional HA)Head of Engineering — support@amaltash.com
Authentication & access controlSelf-hosted Ory Kratos identity service (Google Cloud Run)Head of Engineering — support@amaltash.com
Web & dashboard front endNext.js on Vercel / Cloudflare DNS & CDNHead of Engineering — support@amaltash.com
Customer communications (email)Transactional email providerHead of Operations — support@amaltash.com

The internal contacts above are role-based addresses monitored by the responsible team. The full BCP retains the names, phone numbers, and after-hours contact details for each system owner and for the corresponding vendor support escalation paths; that non-public detail is held internally and is available to regulators and our brokerage partner on request.

4. Plan Review & Maintenance

The BCP is a living document with a defined review and update cadence so that it stays accurate as our systems, vendors, and obligations evolve.

  • Annual review: The plan is formally reviewed and updated at least once every twelve (12) months.
  • Event-driven review: The plan is additionally reviewed whenever there is a material change to our business operations, technology stack, mission-critical vendors, key personnel, or regulatory requirements.
  • Post-incident review: Following any significant business disruption or test, a retrospective is conducted and resulting changes are incorporated into the plan.
  • Approval & versioning: Each revision is approved by senior management, dated, and versioned, and prior versions are retained for compliance reference.

5. Customer Access to Assets During an SBD

A central objective of the BCP is to ensure that, in the event of an emergency or significant business disruption, customers continue to have prompt access to their funds and securities.

Critically, Amaltash never holds customer assets itself, so a disruption to Amaltash's own systems does not put customer funds or securities out of reach. The protection works the same way under both of our custody models:

Amaltash Brokerage Accounts (custodied at Alpaca)

  • Customer cash and securities are held at our regulated brokerage and custodian partner, Alpaca, not by Amaltash. If Amaltash's systems are disrupted, customer assets remain custodied and protected at Alpaca.
  • If the platform is unavailable, customers may contact Amaltash support — or, where applicable, the custodian — to access their accounts, request funds, or place instructions through alternative channels.

Connected (Bring-Your-Own) Brokerages & Exchanges

  • When a customer connects their own broker or exchange, their assets stay custodied at that institution at all times. Amaltash connects only through trading-scoped API keys and has no custody of, and no ability to withdraw or move, those assets.
  • Because Amaltash neither holds nor can transfer these assets, an Amaltash disruption does not affect a customer's ability to access or withdraw them — they continue to do so directly with their own broker or exchange.

Across both models we maintain redundant infrastructure and documented failover procedures so that account access and core trading functions are restored as quickly as practicable, and if a disruption is expected to be prolonged we will provide customers with clear instructions on how to reach the firm and access their assets.

6. Books, Records & Data Backup

The BCP documents where the firm maintains its books and records and how that data is backed up and recovered.

Where Records Are Maintained

  • Customer, account, transaction, and strategy records are maintained electronically in Google Cloud SQL (PostgreSQL), a managed, access-controlled database hosted in Google Cloud (primary region us-central1) with Regional high availability.
  • Records relating to custody, clearing, and execution of securities transactions are additionally maintained by our regulated brokerage and custodian partner, Alpaca, as the books-and-records keeper for those activities. For customers who connect their own broker or exchange, those records remain with the customer's own institution.
  • Documents and statements are stored in encrypted Google Cloud Storage buckets.

How Data Is Backed Up

  • The database is backed up automatically with daily snapshots and point-in-time recovery (PITR) enabled, and backups are encrypted using the same standards as primary storage.
  • Backups are retained for an extended period (target: 365 days) to satisfy regulatory records-retention expectations, and are stored in multi-region backup storage so that records survive the loss of any single facility or region.
  • The primary database runs with Regional high availability (automatic zone failover, typically in 60–120 seconds), and a cross-region disaster-recovery replica can be promoted to primary if an entire region becomes unavailable.
  • Object-storage data is additionally replicated to a separate multi-region backup bucket, and backup restoration is tested periodically to verify data integrity and recovery time.

7. Operational, Financial & Credit Risks

The BCP and associated procedures consider the operational, financial, and credit risks that could threaten the firm's ability to continue operating, and how each is mitigated.

Operational Risk

  • System outages, vendor failures, cyber incidents, and loss of key personnel
  • Mitigated through redundant infrastructure, multi-region deployments, automated failover, vendor diversification, documented runbooks, and cross-training of staff

Financial Risk

  • Liquidity and capital adequacy needed to continue operations through a disruption
  • Monitored by management; the firm maintains sufficient resources to fund continued operations and orderly wind-down if ever required

Credit Risk

  • Exposure to counterparties, banking partners, and the brokerage/clearing partner
  • Reduced by holding customer assets at a regulated custodian, using established banking partners, and monitoring counterparty standing

8. Communications Plan

The BCP defines how the firm communicates with its customers, employees, and regulators during a significant business disruption.

Customers

  • Customers are notified through email, in-app messaging, and updates posted to our website and status channels
  • Notifications include the nature of the disruption, its expected impact, and how to access accounts and assets in the interim

Employees

  • Employees are reached through out-of-band channels (mobile, secure messaging, and a maintained emergency contact list) that do not depend on the disrupted systems
  • Roles, responsibilities, and escalation paths during an incident are predefined

Regulators & Partners

  • Our regulated brokerage and clearing partner is notified promptly so any required regulatory reporting and customer-protection obligations can be met
  • Regulatory bodies are notified as and when required by applicable law

9. Governance & Responsible Personnel

Accountability for the BCP and for the firm's risk and regulatory obligations is assigned to designated individuals.

  • Dedicated risk professional: The firm designates a senior individual responsible for risk management who owns the BCP, oversees the operational, financial, and credit risk program, and coordinates the response to any disruption.
  • Regulatory reporting: The firm designates responsible personnel to fulfill its regulatory reporting requirements, working in coordination with our regulated brokerage and clearing partner where those obligations attach to brokerage activities.
  • Senior management oversight: Senior management approves the BCP, reviews incident retrospectives, and ensures adequate resourcing for continuity and risk functions.

10. Contact

If you have questions about this Business Continuity Plan, or need to reach us during a disruption, please contact us:

Rainbow Labs Inc

2261 Market St, STE 5460

San Francisco, CA 94114

Email: support@amaltash.com

This page is a public summary of our Business Continuity Plan. Because the full plan contains sensitive operational and contact detail, it is maintained internally and shared with our brokerage partner and regulators on request. Amaltash may modify its continuity arrangements at any time as systems and obligations evolve.