UPEXI, INC. 10-K Cybersecurity GRC - 2025-09-24

Page last updated on September 24, 2025

UPEXI, INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-09-24 16:58:38 EDT.

Filings

10-K filed on 2025-09-24

UPEXI, INC. filed a 10-K at 2025-09-24 16:58:38 EDT
Accession Number: 0001477932-25-006996


Item 1C. Cybersecurity.

Cybersecurity risks are overseen by the full Board of Directors and the Audit Committee as part of their regular oversight. Members of the Board and Audit Committee are encouraged to engage in ad hoc conversations with management on cybersecurity related updates to our risk management and strategy. Cybersecurity incidents are reported to the Chief Financial Officer to determine incident severity and response. In an effort to deter and detect cyber threats, we also provide all employees with access to digital assets with an ongoing cybersecurity awareness training program, which further educates employees and covers timely and relevant topics, including phishing, password protection, asset use and mobile security.

The Company has established processes to assess, identify, and manage material risks from cybersecurity threats as part of its overall enterprise risk management system. Its cybersecurity processes include security monitoring and detection through third-party vendors. The processes also extend to oversight and identification of risks associated with vendors and customers if their computer systems interface with the Company’s information systems. Upon detection of a potentially material cybersecurity incident, the Company initiates its cyber incident procedure to investigate, contain, and remediate the incident.

The Company has not experienced any material cybersecurity incidents, and the expenses incurred from any security incidents have been immaterial. However, as discussed under “Risk Factors” in Part I, Item 1A of this Annual Report, cybersecurity threats pose multiple and potentially material risks to the Company, including potentially to the Company’s results of operations and financial condition. The Company relies extensively on information technology systems and could face cybersecurity risk.
As cybersecurity threats become more frequent, sophisticated, and coordinated, it is reasonably likely that the Company may expend greater resources to continue to modify and enhance protective measures against such security risks.

Storage of Our Digital Assets in our SOL Treasury

The Custodians

The Custodians are responsible for safekeeping all of the SOL owned by the Company. We maintain multiple Custodians to reduce the risk of a single failure and we plan to expand to additional custodians as our Treasury grows. The Custodian accounts are all opened by the Company; this segregates our assets into an individual custodian account owned by the Company, and access is monitored and controlled by the Company. Our Asset Management Company is given access to the Custodian accounts with established controls to ensure transactions require consensus of a minimum of two individuals when assets are being transferred between wallets and additional controls if an asset of the Treasury is moved out of the Custodians’ control. The assets go through the Custodians’ Trust Company, which maintains its own insurance and is regulated by the respective state in which the trust is incorporated.

Our primary custodian is currently BitGo Trust Company, Inc., a South Dakota corporation (“BitGo”), and is regulated by the state of South Dakota. On May 1, 2025, we entered into a Custodial Services Agreement with BitGo (the “BitGo Agreement”) to hold our digital currency. The term of the BitGo Agreement is for one year with successive one-year renewals unless prior notice of non-renewal is given by either party. The Company pays BitGo a monthly digital asset storage fee based upon the market value of the assets in storage, plus $500.
The BitGo Agreement is terminable by either the Company or BitGo on thirty days’ notice as a result of a breach of the Agreement and may be suspended by BitGo if the Company violates the intended use of the account or due to a change in the applicable law, litigation or bankruptcy.

Our secondary custodian is Coinbase Inc., a subsidiary of Coinbase Global, Inc., a Delaware corporation, which is primarily used for the acquisition of digital assets. On May 5, 2025, the Company entered into an Institutional Client Agreement with Coinbase (the “Coinbase Agreement”). The Coinbase Agreement is terminable at will by either the Company or Coinbase. The Company pays Coinbase its regularly scheduled fees based on the dollar trading volume over a thirty-day period. The Coinbase Agreement is terminable by either the Company or Coinbase on ten days’ notice as a result of a breach of the Agreement and may be suspended by Coinbase if the Company violates the intended use of the account or due to a change in the applicable law, governmental proceeding, litigation or bankruptcy. Coinbase may also close the Company’s account if it has been inactive for more than one year.

BitGo maintains a $250,000,000 policy against loss, theft and misuse. Currently we have approximately $253,000,000 of treasury value at BitGo, based on the SOL price of $202.51 per token. Coinbase has an insurance policy for any cash held in the account of $250,000. We currently have less than $250,000 of cash held at Coinbase and less than $6,000,000 in SOL value, based on the SOL price of $202.51 per token. At the current price of SOL as of the date of this report, these policies are not adequate to fully cover the full loss of our SOL. Solana, as with all digital assets, can be highly volatile. Management reviews the account balances and the total value held with custodians to allocate the Company’s holdings between multiple accounts and custodians to mitigate risk.
We do not use self-storage for any of the SOL treasury assets. Private keys are generated by the Custodian in key generation ceremonies at secure locations using offline devices that have never been connected to a network. Private keys are generated according to detailed procedures using specialized offline devices and within these secure facilities to mitigate risk of hacks, errors, or other unintended external exposure. Key ceremony processes are highly controlled, require segregation of duties across multiple parties and are reviewed and witnessed by designated oversight personnel. Thorough validations and signoffs are performed to verify the integrity and security of key generation ceremonies.

The Custodians hold a majority of SOL in cold storage and provide a user interface for the Company to manage the allocation of SOL between cold and hot storage for the wallets. The Company maintains more than 98% of its SOL treasury in cold wallets. The Custodians have multiple, redundant cold storage sites, which are geographically distributed including sites within the United States. Cold storage locations of the Custodian are monitored by 24x7 on-site security, video surveillance and alarms, hardened room structures, and access to these facilities is controlled by multi-person controls, multi-team access rules, and multi-factor authentication. The locations of the cold storage sites may change at the discretion of the Custodian and are kept confidential by the Custodian for security purposes. Transactions from cold to hot storage require physical access, according to the above controls, to one or more cold storage facilities, as well as systematically enforced approvals and integrity verifications, before the secure device can be used to cryptographically complete the transaction. At no point during this process is the private key removed from the secure device(s) nor the cold storage facility.
Once these security processes have been completed, a transfer on the Solana network can be executed, as signed using the private keys held offline in cold storage.

The Custodians also maintain geographically dispersed backups of private keys, which are cryptographically generated into shards and stored in separate locations; multiple locations must be accessed to reconstruct a single key. The storage facilities are highly secured, and include 24x7 on-premises security presence, video surveillance, and alarms for unexpected entry. Access to facilities is controlled by multi-person controls, multi-team access rules, and multi-factor authentication.

All of our Custodians have SOC type 2 reports that the Company has reviewed and we get regular bridge reports from our Custodians to help ensure the controls are being maintained. Our Custodians maintain their own insurance policies to cover our loss, which is in addition to the policies that we maintain ourselves. We currently have two qualified Custodians that we have approved for our treasury use and we are in the process of onboarding a third as part of our risk management process.

The Company is charged for storage fees, staking fees and transaction fees for services specifically requested by the Company or the Asset Management Company. Except as set forth above, the contract terms of the agreements are typically for one to three years and can be terminated upon 30 days’ notice and payment of all fees due and one month of additional fees.


Company Information

Name: UPEXI, INC.
CIK: 0001775194
SIC Description: Finance Services
Ticker: UPXI - Nasdaq
Category: Non-accelerated filer; Smaller reporting company; Emerging growth company
Fiscal Year End: June 29