BitLease Technologies Ltd. A subsidiary of 49G Holding Incorporated in Abu Dhabi Global Market (ADGM) ADGM Registration No.: Unit PC-1, Level 7, Al Maryah Tower, Abu Dhabi Global Market Square, Abu Dhabi, Al Maryah Island, United Arab Emirates
Last Updated: 21 March 2026
Effective Date: 21 March 2026
Version: 1.0
This Operational Risk Notice (“Notice”) describes the operational risks inherent in using the BitLease Platform, including risks arising from technology infrastructure, third-party dependencies, blockchain networks, cybersecurity threats, and human factors. It is provided to ensure that users make informed decisions with full awareness of the operational environment in which the Platform operates.
Every technology platform carries operational risk. BitLease is no exception. What distinguishes BitLease is the degree to which these risks are identified, disclosed, and mitigated. This Notice describes the risks that exist despite those mitigations, because understanding what can go wrong is part of making an informed decision.
This Notice supplements the Risk Disclosure Statement, which addresses market, financial, and LTO-specific risks. Together, these documents provide comprehensive risk disclosure.
BitLease is a structured digital asset financing platform operating the Lease-to-Own (LTO) model. The Platform relies on complex, interconnected technology systems, including proprietary software, MPC custody infrastructure (Fireblocks), blockchain networks, stablecoin payment rails, monitoring and compliance systems, and the HyperHedge™ solvency engine developed by 49G Holding.
While BitLease implements institutional-grade controls, no technology system is immune to failure. This Notice describes the operational risks that exist despite those controls.
The BitLease Platform comprises the following interconnected components: Understanding this architecture is important because a failure in any one component can affect others, and the risks described in this notice are best understood in the context of how these systems work together.
| Component | Function | Provider | Criticality |
|---|---|---|---|
| Web and mobile application | User interface for all Platform interactions | BitLease | Critical, all user-facing operations |
| Backend services | Contract engine, payment processing, account management, amortization calculations | BitLease | Critical, all financial operations |
| LTO Wallet system | Stablecoin balance management, deposit/withdrawal processing, reward distribution | BitLease | Critical, all payment flows |
| MPC custody system | Digital asset escrow, key management, transaction signing | Fireblocks | Critical all-asset security |
| HyperHedge™ engine | Solvency monitoring, hedge management, risk calculations, exposure throttling | 49G Holding | Critical, solvency assurance |
| Platform Reference Price system | Price aggregation, valuation methodology, execution calculations | BitLease | Critical, all contract valuations |
| Monitoring and compliance | Transaction monitoring, sanctions screening, KYT analytics, fraud detection | BitLease + third parties | Critical, regulatory compliance |
| Blockchain interfaces | Interaction with Bitcoin, Ethereum, BNB Chain, Solana, XRP Ledger for ownership transfer and staking | Public blockchain networks | Critical, ownership transfer, and staking |
| Stablecoin rails | USDT/USDC transaction processing for payments and settlements | Stablecoin issuers + blockchain networks | Critical, all payment processing |
| Cloud infrastructure | Hosting, compute, storage, networking, load balancing, CDN | Cloud provider | Critical, Platform availability |
| Identity verification | KYC/KYB document verification, biometric matching | Third-party provider | Essential, onboarding |
| Communication systems | Email delivery, SMS, push notifications, in-app messaging | Third-party providers | Important, user communications |
These components are interdependent. A failure in one component can cascade to affect others. The following examples illustrate how this works in practice:
Custody system failure: If Fireblocks experiences an outage, Full Settlement ownership transfers, Buyout liquidations, and termination settlements may be delayed.
Blockchain congestion: If the stablecoin’s underlying blockchain is congested, LTO Wallet deposits, withdrawals, and payment confirmations may be delayed.
Price feed disruption: If Platform Reference Price data feeds are disrupted; contract execution, Buyout calculations, and termination settlements may be affected.
Cloud infrastructure failure: If the cloud provider experiences a major outage, the entire Platform may become unavailable.
HyperHedge™ input disruption: If price feeds or position data feeding HyperHedge™ are delayed or inaccurate, solvency monitoring may temporarily operate on stale data;
Compliance system failure: If sanctions screening or monitoring systems fail, new contract executions and significant transactions may be held pending system restoration.
The platform may be unavailable for both planned and unplanned reasons:
| Cause | Type | Typical Duration | Mitigation |
|---|---|---|---|
| Scheduled maintenance | Planned | Hours (off-peak, with advance notice) | Maintenance windows are communicated in advance |
| Software deployment | Planned | Minutes to hours | Rolling deployments, canary releases, and rollback capability |
| Infrastructure failure | Unplanned | Minutes to hours | Redundant infrastructure, automatic failover, multi-region deployment |
| Cloud provider outage | Unplanned | Hours to days (in extreme cases) | Multi-availability-zone architecture, disaster recovery procedures |
| DDoS attack | Unplanned | Minutes to hours | DDoS mitigation services, WAF, traffic filtering |
| Database failure | Unplanned | Minutes to hours | Replicated databases, automated failover, point-in-time recovery |
| Critical bug | Unplanned | Variable | Incident response, hotfix procedures, and rollback |
What downtime means for you in practical terms:
During a downtime event, you may be unable to log in or access your account, make installment payments, initiate Buyouts or Full Settlements, fund or withdraw from your LTO Wallet, or receive payment reminders and notifications in real time. Portfolio values and Platform Reference Prices may not update until the Platform is restored.
BitLease does not guarantee uninterrupted Platform availability. While we target high availability (99.9%+), zero downtime is not achievable in any complex technology system. This is a reality of operating in a digital environment, not a deficiency specific to BitLease.
Even when the Platform is operational, processing delays may occur. These delays are distinct from downtime because the Platform is functioning, but specific operations take longer than expected.
Transaction processing for installment payments, Buyout settlements, and ownership transfers may be slower than expected due to blockchain confirmation times, custody system processing queues, or compliance verification requirements. The time between initiating a Buyout and receiving the settlement may vary from minutes to hours depending on system load, blockchain conditions, and custody processing, and if the asset is staked, the unbonding period adds additional days. The 24-hour target for ownership transfer following Full Settlement depends on custody system availability and blockchain network conditions, and delays beyond 24 hours are possible. Stablecoin deposits require blockchain confirmations (the number varies by stablecoin and network), and withdrawals are subject to security review processes that may add processing time. Identity verification may take longer during periods of high application volume or when additional documentation is required.
Despite rigorous testing and quality assurance, software errors can occur. The Platform is a complex system with many interacting components, and no testing regime can eliminate all errors.
Calculation errors may occur in amortization calculations, Buyout settlement amounts, staking yield distribution, or Platform Reference Price calculations. While BitLease implements automated reconciliation and validation, no system is error-free. Display errors may cause information on the Platform (balances, prices, contract status) to temporarily show incorrect values due to rendering errors, caching issues, or data synchronization delays. Display errors do not necessarily reflect the actual state of your account. Integration errors between Platform components (e.g., between the contract engine and the custody system) may cause transactions to fail, be duplicated, or be processed incorrectly. Edge case failures, meaning unusual combinations of events, timing conditions, or data values, may trigger software behavior not anticipated during testing.
How BitLease responds to errors:
Identified errors are prioritized and resolved as rapidly as possible. If an error results in an incorrect financial calculation affecting your account, BitLease will correct the calculation and adjust your account accordingly. You may report suspected errors through the Platform or via support@bitlease.com. Errors do not create an obligation for BitLease to honor an erroneous transaction at the erroneous value if the error is identified and corrected promptly.
The Platform depends on third-party services that BitLease does not control. The following table identifies each critical dependency, the risk if that service becomes unavailable, and the mitigation BitLease has in place.
| Third Party | Service | Risk if Unavailable | BitLease Mitigation |
|---|---|---|---|
| Fireblocks | MPC custody, escrow, transaction signing | Asset transfers halted; Buyouts, settlements, and ownership transfers delayed | SLA with Fireblocks; incident escalation procedures; Fireblocks redundancy and SOC 2 certification |
| Cloud provider | Hosting, compute, storage, networking | Platform unavailable | Multi-AZ deployment; disaster recovery, and infrastructure-as-code for rapid re-deployment |
| Blockchain networks | Transaction processing, ownership transfer, staking | Payments delayed; transfers delayed; staking disrupted | Multi-network monitoring; transaction retry logic; user communication |
| Stablecoin issuers | Stablecoin value maintenance, transfer processing | Payment processing disrupted; depeg risk | Multiple stablecoin support (planned); monitoring of issuer health |
| KYC/KYB provider | Identity verification | Onboarding delayed; re-verification delayed | SLA with provider; fallback manual review process |
| Sanctions screening provider | Real-time sanctions list screening | New contracts and significant transactions are held pending restoration | Redundant screening capability; cached list fallback |
| Blockchain analytics provider | KYT, wallet risk scoring, transaction monitoring | Compliance monitoring degraded; incoming deposits held for manual review | SLA with provider; backup provider evaluation |
| Payment processors | Fiat on/off-ramp (where available) | Fiat-related services disrupted | Not critical to core LTO operations (stablecoin-native) |
| Email/SMS providers | Notifications, payment reminders, security alerts | Communication delays | Multiple provider redundancy; in-app notifications as fallback |
To make these risks concrete, here is how specific failure scenarios would affect you:
Scenario 1, Fireblocks major outage: If Fireblocks experiences a prolonged outage, all asset movements are halted. Active LTO Contracts continue (payments can still be tracked), but Full Settlements, Buyouts, and termination settlements are delayed until custody operations resume. BitLease communicates the situation to affected users and processes delayed operations as soon as custody is restored.
Scenario 2, Blockchain network halt: If a blockchain network (e.g., Solana) halts or experiences severe degradation, transactions on that network are delayed. LTO Contracts for assets on that network are unaffected in terms of payment obligations (which are stablecoin-based on a different network), but ownership transfers and staking operations for that asset are delayed until the network recovers.
Scenario 3, Stablecoin depeg: If the stablecoin used for LTO Contract denomination experiences a depeg event, the nominal value of payments remains unchanged, but the real economic value of those payments (in fiat terms) may be affected. BitLease monitors stablecoin health but cannot prevent or reverse a depeg. Full details are in the Risk Disclosure Statement.
Scenario 4, Cloud infrastructure failure: If the cloud provider experiences a regional outage, BitLease activates disaster recovery procedures. Platform availability may be restored to a secondary region within the recovery time objective (RTO). During the outage, no Platform operations are available, but underlying assets remain secure in Fireblocks custody (which operates on independent infrastructure).
BitLease selects third-party providers with care, maintains contractual SLAs, and implements redundancy where feasible. However, BitLease cannot guarantee the performance, availability, or security of third-party services. To the maximum extent permitted by law, BitLease is not liable for losses arising from third-party service failures beyond BitLease’s control, as described in the Terms of Service.
Blockchain networks have finite transaction throughput. During periods of high demand, transaction fees may increase significantly, confirmation times may extend from seconds or minutes to hours, stablecoin transfers (deposits, withdrawals, payment settlements) may be delayed, ownership transfer transactions may take longer to confirm, and staking delegation and undelegation transactions may be delayed.
BitLease monitors network conditions but cannot control blockchain throughput or fee markets.
Blockchain protocols may undergo hard forks or major upgrades that temporarily halt the network or specific operations, create competing chains raising questions about which chain is canonical, change transaction formats, APIs, or staking mechanics; require BitLease to update its blockchain integration software, or result in the temporary suspension of services for the affected asset while BitLease evaluates and implements necessary changes.
BitLease monitors scheduled protocol upgrades and prepares in advance where possible. Unscheduled or contentious forks may require reactive measures.
Where LTO Staking Delegation involves interaction with smart contracts (e.g., staking routers, liquid staking wrappers), those contracts may contain vulnerabilities. An exploit could result in loss of staked value. BitLease selects established, audited staking infrastructure but cannot guarantee smart contract security. Full staking risks are described in the Staking Disclosure.
In rare cases, blockchain networks may experience chain reorganizations (“reorgs”) where confirmed transactions are reversed. This could affect the finality of stablecoin deposits to LTO Wallets, the confirmation status of ownership transfer transactions, and staking reward calculations.
BitLease waits for sufficient block confirmations before considering transactions final, but the required number of confirmations is a risk-based judgment, not a guarantee of finality.
Despite institutional-grade security measures, the Platform faces ongoing cybersecurity threats. These threats are not unique to BitLease. They are inherent to operating any digital financial service. What matters is how they are managed.
| Threat | Description | Potential Impact |
|---|---|---|
| External hacking | Targeted attacks against Platform infrastructure, APIs, or administrative systems | Data breach, service disruption, unauthorized access |
| Insider threat | Malicious or negligent actions by employees, contractors, or service provider personnel | Data breach, unauthorized transactions, policy violations |
| Phishing / social engineering | Attacks targeting users’ credentials through fake emails, websites, or communications | Account compromise, unauthorized contract actions |
| DDoS attacks | Volumetric attacks designed to overwhelm Platform infrastructure | Service unavailability |
| Zero-day exploits | Exploitation of previously unknown vulnerabilities in software or protocols | Variable, depends on the vulnerability |
| Supply chain attacks | Compromise of third-party software libraries, SDKs, or service providers | Variable, depends on the compromised component |
| Ransomware | Encryption of systems or data with an extortion demand | Service disruption, potential data loss |
| Cryptographic attacks | Future advances (including quantum computing) potentially weaken current encryption | Long-term risk to the cryptographic security of custodied assets |
BitLease implements comprehensive security measures as described in the Custody & Asset Handling Disclosure and Terms of Service, including MPC custody (Fireblocks), AES-256 encryption, TLS 1.3, mandatory MFA, 24/7 SOC monitoring, IDS/IPS, WAF, DDoS mitigation, regular penetration testing; SSDLC, SOC 2 Type II program, and employee security training.
These measures significantly reduce but do not eliminate cybersecurity risk. No organization, regardless of size, resources, or sophistication, is immune to all cybersecurity threats.
Many security incidents originate from the user’s side, not the Platform. This is an important distinction because the strongest platform security cannot compensate for compromised user credentials or devices.
Credential compromise occurs through weak passwords, password reuse, or credential exposure through phishing. Device compromise results from malware, keyloggers, or unauthorized access on the user’s device. MFA bypass can occur through SIM swapping, MFA fatigue attacks, or social engineering of MFA providers. Email compromise allows an attacker to gain access to the user’s email and initiate password resets. Public Wi-Fi usage may allow traffic interception on unsecured networks.
You are responsible for maintaining the security of your account credentials, devices, and email. BitLease provides security tools (MFA, session management, trusted device controls) but cannot protect against user-side security failures. Losses arising from compromised credentials are the user’s responsibility, as described in the Terms of Service.
Technology is only one dimension of operational risk. Human and process factors also play a role.
Despite training and controls, BitLease employees may make errors in operations, compliance decisions, or customer support responses. Internal processes may fail due to inadequate design, lack of adherence, or unusual circumstances not covered by existing procedures. Dependence on specific individuals for critical functions (e.g., MLRO, key technical personnel) may create risk if those individuals are unavailable. Internal miscommunication may lead to delayed or incorrect actions. Inadequate oversight of third-party providers may result in service degradation.
Events beyond the technology layer can also affect Platform operations. These include natural disasters (earthquakes, floods, hurricanes, tsunamis, volcanic eruptions), epidemics, pandemics, or public health emergencies, war, armed conflict, terrorism, civil unrest, or insurrection; government actions, sanctions changes, or political instability affecting ADGM or other jurisdictions where BitLease operates, unexpected regulatory orders, license revocation, or enforcement actions that could affect Platform operations, and financial stress if BitLease or 49G Holding experiences financial difficulty, which could affect Platform operations and the HyperHedge™ solvency program.
BitLease maintains documented business continuity and disaster recovery plans designed to address these risks. Critical systems are deployed across multiple availability zones. Data is replicated and backed up with defined recovery point objectives (RPO). Recovery time objectives (RTO) are defined for all critical systems. Business continuity plans are tested periodically. Key person risk is mitigated through documented procedures, cross-training, and succession planning. Fireblocks custody infrastructure operates independently, ensuring asset security even during a BitLease operational disruption.
The HyperHedge™ solvency engine is a critical system, and its effectiveness depends on accurate and timely price feeds from institutional data sources, accurate position and exposure data from the Platform’s contract engine, functioning hedge execution infrastructure, computational infrastructure for stress testing and risk calculations, and human oversight by the 49G Holding risk management team.
Like any complex system, HyperHedge™ has potential failure modes that are important to understand.
Data feed latency: If price feeds are delayed, HyperHedge™ may temporarily operate on stale data, potentially underestimating or overestimating risk. Data feed inaccuracy: Erroneous price data from data providers could lead to incorrect solvency calculations. Hedge execution failure: If hedging transactions cannot be executed (due to exchange outages, liquidity gaps, or technical failures), the hedging component of HyperHedge™ may be temporarily impaired. Model risk: The mathematical models underlying HyperHedge™ are based on assumptions that may not hold under all market conditions. Unprecedented market events may exceed model parameters. Software bugs: Errors in the HyperHedge™ codebase could lead to incorrect calculations. Infrastructure failure: If HyperHedge™ computational infrastructure fails, monitoring may be temporarily degraded.
BitLease and 49G Holding mitigate these risks through multiple independent price feed sources with failover logic, automated anomaly detection on price feed data, multiple hedge execution venues, regular model validation and stress testing, conservative calibration with safety buffers, human oversight and manual intervention capability, independent monitoring alerts for solvency threshold breaches, and Chainlink Proof of Reserve integration (planned) for independent verification.
Neither BitLease nor the user is liable for failure or delay in performance caused by events beyond reasonable control. These include natural disasters (earthquakes, floods, hurricanes, tsunamis, volcanic eruptions), epidemics, pandemics, or public health emergencies, war, armed conflict, terrorism, civil unrest, or insurrection, government actions, sanctions changes, embargoes, or trade restrictions, regulatory orders, license revocation, or emergency regulatory action, systemic blockchain network failures affecting multiple networks simultaneously, catastrophic failure of major cloud infrastructure providers, major stablecoin depeg events affecting multiple stablecoins simultaneously, widespread internet outages or DNS infrastructure failures, electromagnetic pulse (EMP) events or catastrophic hardware destruction, and acts of God.
Even during a Force Majeure event, certain obligations continue. BitLease will make reasonable efforts to restore Platform operations as quickly as possible and will communicate the status and expected resolution timeline to users. Payment obligations under LTO Contracts may be suspended or extended for the duration of the event, at BitLease’s reasonable determination. BitLease’s obligation to protect client assets in custody is not suspended by Force Majeure. Assets remain in segregated MPC escrow and BitLease will take all reasonable steps to ensure their security. BitLease’s obligation to return Surplus Value is not extinguished by Force Majeure. It may be delayed but must be fulfilled once the event concludes.
These last two points are important. Force Majeure may delay operations, but it does not erase the obligation to protect your assets or return what is owed to you.
BitLease does not guarantee uninterrupted, continuous, or error-free operation of the Platform; that the Platform will be available at any specific time or from any specific location; that defects or errors will be corrected within any specific timeframe; that the Platform will be free from viruses, malware, or other harmful components; that third-party services integrated with the Platform will perform as expected; that blockchain networks will process transactions within any specific timeframe; that price feeds will be accurate and timely at all times; that the HyperHedge™ engine will operate without interruption or error; or any specific level of system uptime, performance, or reliability.
While guarantees are not possible, BitLease commits to operating with the standards and discipline that the LTO model requires:
| Commitment | Description |
|---|---|
| Institutional-grade infrastructure | Enterprise-level hosting, redundancy, and monitoring |
| Proactive maintenance | Regular updates, patches, and infrastructure improvements |
| Incident response | Documented incident response procedures with defined severity levels and escalation paths |
| Transparent communication | Prompt notification of significant outages, delays, or incidents affecting users |
| Business continuity | Documented BCP/DR plans, tested periodically |
| Continuous improvement | Ongoing investment in reliability, performance, and security |
| Asset protection | Client assets in segregated MPC custody remain protected even during operational disruptions |
| Post-incident review | Root cause analysis and remediation after significant incidents |
If you experience any operational issue, including system errors, processing delays, incorrect calculations, or suspected security incidents, please report it immediately:
| Issue Type | Contact | Expected Response |
|---|---|---|
| General operational issues | support@bitlease.com | Acknowledgment within 4 hours; resolution per severity |
| Suspected security incident | security@bitlease.com | Immediate triage; acknowledgment within 1 hour |
| Account access issues | support@bitlease.com | Acknowledgment within 4 hours |
| Payment or settlement issues | support@bitlease.com | Acknowledgment within 4 hours; investigation within 1 business day |
| Formal complaint | complaints@bitlease.com | Acknowledgment within 2 business days; response within 15 business days |
BitLease Technologies Ltd. A subsidiary of 49G Holding Incorporated in Abu Dhabi Global Market (ADGM) Registered Address: Unit PC-1, Level 7, Al Maryah Tower, Abu Dhabi Global Market Square, Abu Dhabi, Al Maryah Island, United Arab Emirates
ADGM Registration No.: 34619
| Department | |
|---|---|
| Support | support@bitlease.com |
| Security | security@bitlease.com |
| Compliance | compliance@bitlease.com |
| General | info@bitlease.com |
Website: www.bitlease.com