Privacy and Data Processing Policy

ThirdProof, Inc. (d/b/a ThirdProof.ai)

Autonomous Vendor Risk Intelligence Platform

Effective Date: February 21, 2026 | Last Updated: February 21, 2026 | Version 1.0

Plain Language Summary

ThirdProof is a business-to-business platform that investigates the risk profiles of companies (not individuals) using publicly available data. We query government registries, sanctions databases, cybersecurity intelligence feeds, and other public sources to generate vendor risk reports for our customers. We do not send questionnaires to vendors and we do not use vendor-supplied information.

When we investigate a company, we may incidentally encounter personal information about people associated with that company (such as directors or registered agents listed in public records). We treat that information carefully and comply with applicable privacy laws. We use AI to help write report narratives, but risk tier assignments are determined by a rule-based engine, not by AI. We do not sell personal information. We do not use customer data to train AI models.

If you have questions, email privacy@thirdproof.ai.

1. Definitions

The following terms have the meanings set forth below when used in this Policy. Capitalized terms not defined here have the meanings ascribed to them in context throughout this Policy or in ThirdProof's Terms of Service.

  • “Customer” means a registered user or paying subscriber of the Platform who initiates Investigations.
  • “Data Sources” means the publicly available government registries, sanctions databases, cybersecurity intelligence feeds, adverse media repositories, certificate transparency logs, and other public intelligence sources queried during Investigations. A current list of Data Sources is maintained at thirdproof.ai/learn.
  • “Investigation” means an autonomous vendor risk assessment conducted by the Platform at the request of a Customer, comprising the automated querying of Data Sources, rule-based risk tier assignment, and AI-generated narrative synthesis.
  • “Investigated Vendor” means a third-party company or legal entity that is the subject of an Investigation. Investigated Vendors are not Customers of ThirdProof and do not participate in or influence Investigations.
  • “Network Intelligence” means anonymized, aggregated signals derived from Customer review decisions across the ThirdProof customer base, as described in Section 11.
  • “Partner” means a vCISO, MSP, CPA, or other channel partner who accesses ThirdProof's white-label investigation services to deliver Reports under their own branding.
  • “Platform” means the ThirdProof vendor risk intelligence platform available at thirdproof.ai, including all associated subdomains, APIs, and services.
  • “Report” means the vendor risk intelligence report generated by the Platform as the output of an Investigation, including the risk tier assignment, executive summary, evidence chain, compliance framing, and all supporting analysis.
  • “Verified Vendor” means a vendor participating in the ThirdProof Verified program described in Section 8.

2. Introduction and Scope

ThirdProof, Inc., a Delaware corporation doing business as ThirdProof.ai (“ThirdProof,” “we,” “us,” or “our”), operates the Platform. This Privacy and Data Processing Policy (“Policy”) describes how we collect, use, disclose, retain, and protect personal information in connection with the Platform. This Policy is an informational disclosure provided in compliance with applicable privacy laws; it supplements and is incorporated into our Terms of Service, which govern your use of the Platform. Disputes arising under this Policy are subject to the dispute resolution provisions of the Terms of Service.

This Policy applies to six categories of individuals:

  • Visitors to thirdproof.ai and its subdomains;
  • Customers and their authorized personnel;
  • Natural persons whose personal data may be incidentally processed as part of Investigations conducted at Customer request, including key personnel, directors, beneficial owners, and registered agents of Investigated Vendors;
  • End clients of Partners who access ThirdProof-generated Reports through Partner-branded interfaces;
  • Vendors who participate in or are the subject of the Verified Vendor program; and
  • Natural persons who interact with ThirdProof through marketing channels, events, or communications.

ThirdProof is a business-to-business (B2B) platform. The primary subjects of our Investigations are businesses and legal entities, which are not data subjects in the privacy-law sense. However, where our Investigations incidentally surface personal data about natural persons associated with those entities (including names, contact information, and professional affiliations sourced from public registries), we treat that data with the same care as Customer data and comply with applicable individual rights requirements.

This Policy is available for download in PDF format at thirdproof.ai/privacy. Dated copies of future versions will be archived and available upon request.

For questions about this Policy, contact privacy@thirdproof.ai.

3. Nature of ThirdProof Reports — Analytical Opinions

3.1 Reports Are Opinions, Not Certifications

ThirdProof publishes risk intelligence ratings based on independently sourced evidence and a published methodology. Reports constitute analytical opinions — not factual certifications, regulatory determinations, audit findings, guarantees, or warranties of any kind. Reports reflect the Investigated Vendor's observable risk posture as assessed by ThirdProof's methodology at the time of Investigation. ThirdProof does not certify, approve, or endorse any vendor. This characterization of Reports as opinions is central to ThirdProof's analytical function and is protected under the First Amendment to the United States Constitution and applicable state law opinion privileges.

3.2 No-Reliance Disclosure

ThirdProof ratings are one input into a broader risk management program. They are not a substitute for independent legal, compliance, or security review. Customers retain sole responsibility for all vendor onboarding, contracting, and risk acceptance decisions. ThirdProof makes no warranty, express or implied, regarding the completeness, accuracy, or fitness for any particular purpose of information sourced from third-party Data Sources. ThirdProof's Reports should not be the sole basis for any business, legal, or compliance decision.

3.3 AI Synthesis Disclosure and Limitations

Report narratives, executive summaries, and compliance framing text are generated using AI synthesis technology (currently Anthropic's Claude API). Risk tier assignments are determined by a deterministic, rule-based engine and are not AI-generated. AI-synthesized narrative sections may contain inaccuracies, generalizations, or interpretive statements that do not precisely reflect the underlying evidence data. Customers should review the evidence chain and source data independently and not rely solely on AI-generated narrative text. Each Report identifies the methodology version and AI model version used at the time of generation.

3.4 Independence Declaration

ThirdProof's Investigations are conducted without vendor participation, cooperation, or influence. All evidence is independently sourced from publicly available government records, regulatory databases, adverse media, cybersecurity intelligence feeds, certificate transparency logs, and other public intelligence sources. Investigated Vendors have not provided information directly to us. ThirdProof does not solicit, accept, or incorporate vendor-supplied information into its risk tier determinations. This structural independence is a defining characteristic of our Platform and methodology.

3.5 Methodology Governance

ThirdProof's risk tier assignments are determined by a deterministic, rule-based engine according to our published methodology at thirdproof.ai/methodology. The AI synthesis layer generates interpretive narrative around those rule-based assignments but does not independently determine risk tiers. Every Report issued is traceable to the methodology version active at the time of Investigation. Prior methodology versions are archived and available upon request.

3.6 Compliance Framing Disclaimer

Reports may include compliance-framework-specific context (e.g., HIPAA, SOC 2, PCI-DSS, CMMC). This compliance framing is informational and educational. It does not constitute legal advice, regulatory guidance, or a professional compliance opinion. Customers should consult qualified legal and compliance professionals before making regulatory determinations based on Report content.

3.7 Intellectual Property and Report Licensing

ThirdProof retains all intellectual property rights in its methodology, analytics engine, report templates, and AI-generated content. Customers receive a non-exclusive, non-transferable license to use Reports for their internal vendor risk management purposes. Reports may be shared with (a) regulators and auditors in connection with compliance documentation, (b) the Investigated Vendor for the purpose of remediation discussions, and (c) internal personnel with a legitimate need to know. Reports may not be published, redistributed commercially, or used to create competing products without ThirdProof's prior written consent. Detailed licensing terms are set forth in the Terms of Service.

4. Fair Credit Reporting Act (FCRA) Non-Applicability

4.1 ThirdProof Is Not a Consumer Reporting Agency

ThirdProof is not a “consumer reporting agency” as defined in 15 U.S.C. §1681a(f) of the Fair Credit Reporting Act (FCRA). ThirdProof Reports are not “consumer reports” as defined in 15 U.S.C. §1681a(d). Reports assess the risk posture of legal entities (companies and organizations), not the creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living of individual consumers.

4.2 ThirdProof Is Not a Furnisher

ThirdProof is not a “furnisher of information” to consumer reporting agencies within the meaning of 15 U.S.C. §1681s-2. ThirdProof does not provide information to any consumer reporting agency for inclusion in consumer reports. ThirdProof does not create, compile, or maintain files on individual consumers for the purpose of evaluating their eligibility for personal credit, insurance, employment, or any other consumer purpose.

4.3 Prohibited Uses of ThirdProof Reports

By using the Platform, Customers acknowledge and agree that Reports shall not be used for any purpose governed by the FCRA, including but not limited to:

  • Evaluating an individual consumer for credit, insurance, or employment purposes;
  • Making any decision about an individual consumer's eligibility for a benefit, account, or service;
  • Evaluating an individual for tenancy or rental housing;
  • Taking any “adverse action” against a natural person as that term is defined under 15 U.S.C. §1681a(k); or
  • Any other purpose that would cause ThirdProof to be deemed a consumer reporting agency under FCRA, any state equivalent (including the California Investigative Consumer Reporting Agencies Act), or any international equivalent.

This prohibition is absolute and is not limited to “sole” or “primary” reliance. Customers who use Reports in a manner that triggers FCRA obligations do so in violation of ThirdProof's Terms of Service, assume all associated legal risk, and shall indemnify ThirdProof for any claim, loss, or liability arising from such misuse, including legal fees, regulatory fines, and settlement costs.

4.4 Incidental Personal Data in Reports

Reports may contain incidental references to natural persons associated with Investigated Vendors (e.g., directors, officers, registered agents) as described in Section 7.2. The inclusion of such incidental personal data in a B2B vendor risk assessment does not transform the Report into a “consumer report” under the FCRA. ThirdProof does not compile, maintain, or furnish information about individual consumers for the purpose of evaluating their eligibility for personal credit, insurance, employment, or any other consumer purpose. ThirdProof does not create individual profiles, maintain individual consumer files, or assign risk scores to natural persons.

4.5 Reasonable Procedures for Accuracy

ThirdProof maintains reasonable procedures designed to ensure the accuracy of information contained in Reports, including: (a) sourcing evidence exclusively from authoritative, publicly maintained data sources; (b) applying a deterministic, rule-based methodology with defined criteria for risk tier assignments; (c) maintaining SHA-256 hash records for Report integrity verification; (d) maintaining a dispute and correction process as described in Section 7.4; and (e) versioning methodology changes with a traceable audit trail.

5. Data Broker Registration Status

ThirdProof has evaluated its obligations under California's Delete Act (Cal. Civ. Code §1798.99.80 et seq.), Texas's Data Broker Law (Tex. Bus. & Com. Code Ch. 509), Vermont's Data Broker Law (9 V.S.A. §2446 et seq.), and Oregon's data broker registration requirements.

ThirdProof's current assessment is that it does not meet the definition of a “data broker” under these laws because:

  • ThirdProof does not “sell” personal information to third parties as defined under applicable law. Customers pay for Investigation services, not for the purchase of pre-compiled personal information;
  • Reports are generated on-demand in response to specific Customer Investigation requests, not pre-aggregated for resale;
  • ThirdProof maintains a direct Customer relationship with every entity that receives its Reports; and
  • ThirdProof's primary processing involves business entity data, not consumer personal information.

ThirdProof will reassess its data broker registration obligations annually, upon any material change to its business model, and as regulatory guidance evolves. Questions regarding ThirdProof's data broker status may be directed to legal@thirdproof.ai.

6. Data Source Access and Legal Compliance

6.1 Authorized Access Only

ThirdProof collects Investigation data exclusively through authorized access channels in compliance with the Computer Fraud and Abuse Act (18 U.S.C. §1030) and applicable state computer access laws. All Data Source queries are conducted through: (a) publicly available government APIs and web portals; (b) commercial API agreements with licensed data providers (e.g., VirusTotal, Shodan, Hunter.io, SSL Labs); (c) publicly accessible web pages and records that are freely available without authentication; and (d) standard DNS, WHOIS, and certificate transparency log queries using publicly documented protocols. ThirdProof does not circumvent access controls, bypass authentication mechanisms, use stolen credentials, or access non-public systems.

6.2 Data Source Accuracy Limitations

Data Sources are maintained by independent third parties, including government agencies, commercial intelligence providers, and open-source databases. ThirdProof does not control the accuracy, completeness, or timeliness of Data Source content. Government registries may reflect information that is weeks or months behind actual corporate events. Cybersecurity intelligence feeds reflect point-in-time external observations. Adverse media results depend on the coverage and indexing of independent news sources. These temporal and coverage limitations are inherent to the Investigation model and are reflected in the confidence scoring methodology.

7. Information About Investigated Vendors and Their Personnel

7.1 Our Investigation Model

ThirdProof generates risk assessment Reports about Investigated Vendors at the request of Customers. Reports are compiled exclusively from publicly available Data Sources including government-maintained business registries, OFAC and EU sanctions databases, adverse media sources, cybersecurity intelligence feeds, certificate transparency logs, domain registration records, and other public intelligence sources. ThirdProof does not solicit, accept, or incorporate vendor-supplied information into its Investigations.

7.2 Personal Data of Investigated Vendor Personnel

While ThirdProof primarily investigates legal entities, Investigations may incidentally surface personal data about natural persons associated with those entities, including: registered agents, directors, and officers listed in corporate registries; beneficial owners disclosed in government filings; key personnel identified in adverse media; and domain registrants identified in WHOIS records where not redacted by privacy services.

This incidental personal data is: (a) sourced exclusively from publicly available records maintained by government authorities or published in journalism; (b) processed for the sole purpose of assessing the risk profile of the associated legal entity; (c) not combined with private data sources or enhanced with commercially purchased personal data; and (d) where GDPR applies, processed on the lawful basis of legitimate interests (Article 6(1)(f)) as further described in Section 20.

7.3 Legal Basis for Adverse Media Processing

ThirdProof's processing of adverse media content — including news articles, regulatory enforcement records, and court filings that reference natural persons — is conducted for purposes of vendor risk intelligence, which serves a legitimate commercial and public interest in transparency. ThirdProof does not originate adverse media content; it references and contextualizes previously published material from independent sources. ThirdProof asserts qualified privilege for the communication of this information to Customers who have a legitimate business interest in the risk profiles of their vendors.

7.4 Vendor Dispute and Correction Process

If you represent an Investigated Vendor or are a natural person whose data appeared in a ThirdProof Investigation, you may:

  • Request information about what Data Sources contributed to an Investigation involving your organization;
  • Submit a correction request if you believe specific data points are factually inaccurate, providing supporting documentation;
  • Exercise applicable data subject rights under GDPR, CCPA, or other applicable law as described in Sections 18 and 20; and
  • Request that ThirdProof evaluate whether its processing of your personal data is compatible with applicable law.

Submit requests to privacy@thirdproof.ai. We will acknowledge receipt within five (5) business days and respond substantively within thirty (30) days.

Where a dispute is upheld, ThirdProof will correct the relevant data point and, if the correction materially affects the risk tier assignment, re-run the rule-based tier engine and update the Report. Where a dispute is denied, ThirdProof will provide a written explanation. Requests to remove accurate, publicly sourced information from Reports will be evaluated under applicable law and our methodology governance framework.

7.5 GDPR Article 14 Notification Analysis

GDPR Article 14 requires controllers to provide notice to data subjects when personal data is obtained from sources other than the data subject. ThirdProof relies on the Article 14(5)(b) exemption, which applies where providing such information would involve a disproportionate effort. Given that ThirdProof may investigate thousands of entities, each with multiple associated natural persons in public registries, individual notification to every person referenced in every Investigation would constitute disproportionate effort. ThirdProof publishes this Policy as a compensating measure and makes this information available at thirdproof.ai/privacy. Where a specific data subject contacts ThirdProof, we will provide all required Article 14 information upon request.

8. Verified Vendor Program and Conflict-of-Interest Disclosure

8.1 Verified Vendor Program

ThirdProof operates, or may in the future operate, a Verified Vendor program through which vendors may obtain a published, continuously monitored risk intelligence rating. Participation in this program constitutes a separate commercial relationship between the vendor and ThirdProof, independent of Customer-initiated Investigations.

8.2 Conflict-of-Interest Firewall

ThirdProof will maintain a permanent structural firewall between its analytical function and its commercial relationships with Verified Vendors:

  • A vendor's participation or non-participation in the Verified Vendor program will have no influence on the risk tier assigned in any Customer-initiated Investigation;
  • The analytical methodology, evidence sources, and rule-based tier assignment engine will be identical for Verified Vendors and non-participating vendors;
  • Revenue from Verified Vendor subscriptions will not fund or influence the analytical function or methodology governance; and
  • No vendor will be able to improve, suppress, or modify their risk rating through any commercial arrangement with ThirdProof.

9. Information We Collect

9.1 Information You Provide Directly

When you create an account, subscribe to the Platform, or contact us, we collect: first name, last name, email address, company name, job title, and professional context. We also collect Investigation query data including domain names, entity names, and vendor identifiers you submit for Investigation, and communications including support requests, feedback, and other messages you send to us.

Payment Information: Billing details submitted in connection with paid subscriptions are processed directly by Stripe, Inc. ThirdProof does not store payment card numbers, CVVs, or full billing addresses on its own systems.

9.2 Information Collected Automatically

When you visit thirdproof.ai or use the Platform, we automatically collect: pages visited, features used, Investigation queries submitted, Report downloads, session duration, and Platform interaction patterns. We also collect browser type, operating system, IP address, referring URLs, and general geographic location derived from IP address (city or region level, not precise GPS location).

9.3 Analytics and Tracking Technologies

We use the following analytics tools. None use third-party advertising cookies or cross-site behavioral tracking:

  • Plausible Analytics (Plausible Insights OÜ, Estonia): A privacy-first tool that does not use cookies, does not collect personal data, and does not track users across websites. GDPR-compliant by design.
  • Vercel Analytics (Vercel Inc., USA): Measures Platform performance and aggregated visitor metrics without fingerprinting individual users.
  • Microsoft Clarity (Microsoft Corporation, USA): Session recording and heatmap analysis. May collect mouse movements, clicks, and scrolling behavior. Respects Do Not Track browser signals.
  • PostHog (PostHog, Inc., USA): Product analytics, feature usage tracking, and event capture. PostHog uses first-party cookies to maintain session identity and track feature interactions. Does not engage in cross-site tracking.

9.4 Information We Do Not Collect

ThirdProof does not collect or process: precise GPS location data, phonebook or contacts lists, camera or microphone data, Social Security numbers or government identification numbers, biometric data, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, or health data about our Customers or their personnel.

10. How We Use Your Information

We use the information we collect to:

  • Provide and operate the Platform, including processing Investigation requests and generating AI-assisted Reports;
  • Create and manage your account and subscription;
  • Process payments and manage billing through Stripe;
  • Send transactional communications including account confirmation, Investigation completion notifications, and support responses;
  • Send product updates, compliance content, and marketing communications where permitted by applicable law;
  • Improve and develop the Platform by analyzing usage patterns, identifying errors, and enhancing Investigation accuracy;
  • Generate Network Intelligence from Investigation patterns across our Customer base as described in Section 11;
  • Comply with applicable legal obligations and respond to lawful requests from regulatory authorities;
  • Protect the security, integrity, and lawful operation of the Platform; and
  • Enforce our Terms of Service, investigate potential violations, and protect the rights of ThirdProof, our Customers, and third parties.

We do not use your personal information to train AI models without your prior written consent as described in Section 12.5.

11. Cross-Customer Network Intelligence

11.1 What Network Intelligence Is

ThirdProof is designed to operate a cross-customer intelligence network that will collect anonymized signals from Customer Investigation review decisions. When Customers approve or reject a vendor, an anonymized signal will be recorded — without any identifying information about the originating organization — to help other Customers understand aggregate risk sentiment.

11.2 Strict Anonymization Model

  • ThirdProof will never store which organization made which decision in the Network Intelligence database;
  • ThirdProof will never allow a signal to be traced back to its source organization;
  • No organization name, reviewer name, specific notes, or identifying context will be recorded;
  • The only data stored per signal will be: vendor domain, decision type (approved/rejected), risk tier assigned, finding category, and data access level context; and
  • Network Intelligence data will be stored in a separate database table with no foreign key to any organization or user record.
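The anonymization model above is a schema and projection rule, and the simplest way to see what it guarantees is to build it. The following is an added example, not ThirdProof's code or schema: a signal table with no organization or user column and no foreign key, an allowlist projection that copies only the five permitted fields out of a tenant decision record, and a schema check that fails if an identifying column or a foreign key ever appears. The tenant-side field names, tier labels, and sample records are constructed assumptions.

```python
"""Added example, not ThirdProof's code: an allowlist projection for
Network Intelligence signals backed by a table that has no organization
or user column and no foreign key, so a signal cannot be joined back
to its source. Field names and tier values are assumptions."""
import sqlite3

# The only fields a signal may carry (Section 11.2).
SIGNAL_FIELDS = ("vendor_domain", "decision", "risk_tier",
                 "finding_category", "access_level")
DECISIONS = {"approved", "rejected"}

# Assumed names of identifying columns in the tenant-scoped decision
# record; used only to verify the signal schema stays free of them.
IDENTIFYING_COLUMNS = {"org_id", "org_name", "user_id", "reviewer_name",
                       "notes", "investigation_id"}


def open_signal_store():
    """Create the signal table. Deliberately no org/user column and no
    REFERENCES clause, so there is nothing to join back to a tenant."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE network_signal (
        vendor_domain    TEXT NOT NULL,
        decision         TEXT NOT NULL
                         CHECK (decision IN ('approved', 'rejected')),
        risk_tier        TEXT NOT NULL,
        finding_category TEXT NOT NULL,
        access_level     TEXT NOT NULL)""")
    return db


def to_signal(decision_record):
    """Project a tenant decision record onto the allowlist. Copying only
    permitted keys (rather than deleting known-bad ones) means a column
    added to the tenant record later cannot leak by omission."""
    signal = {k: decision_record[k] for k in SIGNAL_FIELDS}
    if signal["decision"] not in DECISIONS:
        raise ValueError("decision must be 'approved' or 'rejected'")
    return signal


def record_signal(db, decision_record):
    """Store the projected signal; returns exactly what was written."""
    signal = to_signal(decision_record)
    db.execute(
        "INSERT INTO network_signal VALUES (:vendor_domain, :decision, "
        ":risk_tier, :finding_category, :access_level)", signal)
    db.commit()
    return signal


def tenant_links(db, table="network_signal"):
    """Schema check: identifying column names and foreign keys present
    on the signal table. Empty/zero is the invariant to enforce."""
    columns = {row[1] for row in db.execute(f"PRAGMA table_info({table})")}
    foreign_keys = db.execute(f"PRAGMA foreign_key_list({table})").fetchall()
    return {"identifying_columns": sorted(columns & IDENTIFYING_COLUMNS),
            "foreign_keys": len(foreign_keys)}


def aggregate(db, vendor_domain):
    """What other Customers see: decision counts for a vendor, nothing else."""
    rows = db.execute(
        "SELECT decision, COUNT(*) FROM network_signal "
        "WHERE vendor_domain = ? GROUP BY decision", (vendor_domain,))
    return dict(rows.fetchall())


# Constructed tenant-side decision records (not real data).
SAMPLE_DECISIONS = [
    {"org_id": 42, "org_name": "Acme Holdings", "user_id": 7,
     "reviewer_name": "J. Doe", "notes": "ok after call", "investigation_id": 1001,
     "vendor_domain": "vendor.example", "decision": "approved",
     "risk_tier": "low", "finding_category": "none", "access_level": "read_only"},
    {"org_id": 99, "org_name": "Globex", "user_id": 3,
     "reviewer_name": "A. Roe", "notes": "sanctions hit", "investigation_id": 1002,
     "vendor_domain": "vendor.example", "decision": "rejected",
     "risk_tier": "high", "finding_category": "sanctions", "access_level": "phi"},
]

if __name__ == "__main__":
    db = open_signal_store()
    for rec in SAMPLE_DECISIONS:
        print(record_signal(db, rec))
    print(tenant_links(db), aggregate(db, "vendor.example"))
```

The allowlist direction matters: a projection that copies permitted keys is safe against schema growth, whereas one that strips known identifying keys silently leaks any new column. The schema check is the kind of assertion to run in CI against the real migration so the "no foreign key" property is enforced rather than assumed.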

11.3 Consent Model

When operational, Network Intelligence contribution will be enabled by default for new Customer accounts. Customers may disable Network Intelligence contribution at any time through their organization settings page. Previously recorded signals are already anonymized and cannot be attributed to any organization; they will not be retroactively deleted as they are no longer personal data within the meaning of applicable privacy law.

11.4 Source Caching

ThirdProof caches Investigation source data with configurable time-to-live (TTL) periods to reduce API costs and improve Investigation speed. Cached data from one Customer's Investigation may be used to accelerate a subsequent Customer's Investigation of the same vendor. Sanctions data is never served from cache if the cached data is older than 24 hours. Caching does not share any Customer-identifiable information between Customers.
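The caching rule above has one edge case worth making concrete: a configured TTL must never be allowed to override the 24-hour sanctions freshness limit. The following is an added example, not ThirdProof's code: a cache keyed only by (source, vendor), with per-source TTLs and the sanctions cap applied after configuration, so a second Customer's Investigation of the same vendor reuses a fresh entry while a stale sanctions entry is always refetched. The TTL values, source names, and responses are assumptions.

```python
"""Added example, not ThirdProof's code: a source cache keyed by
(source, vendor) with per-source TTLs and a hard 24-hour freshness cap
on sanctions data (Section 11.4). Entries hold only the source response,
so a later Customer's Investigation of the same vendor can reuse them
without any Customer-identifiable data crossing tenants. The TTL values
are assumptions, not the Platform's configuration."""
import time

SANCTIONS_MAX_AGE = 24 * 3600   # hard cap from Section 11.4, in seconds

# Assumed per-source TTLs (seconds); illustrative only.
DEFAULT_TTLS = {
    "sanctions": 6 * 3600,
    "registry": 7 * 86400,
    "ct_logs": 24 * 3600,
}


class SourceCache:
    def __init__(self, ttls=None, clock=time.time):
        self.ttls = dict(DEFAULT_TTLS, **(ttls or {}))
        self.clock = clock          # injectable so the example runs offline
        self._entries = {}          # (source, vendor) -> (fetched_at, response)
        self.fetches = 0

    def max_age(self, source):
        """Effective TTL. The sanctions cap is applied after configuration,
        so a misconfigured long TTL cannot weaken it."""
        ttl = self.ttls.get(source, 3600)
        if source == "sanctions":
            ttl = min(ttl, SANCTIONS_MAX_AGE)
        return ttl

    def get(self, source, vendor, fetch):
        """Return (response, served_from_cache). The key carries no Customer
        identity, only source and vendor, which is what makes reuse safe."""
        key = (source, vendor)
        now = self.clock()
        hit = self._entries.get(key)
        if hit is not None and now - hit[0] <= self.max_age(source):
            return hit[1], True
        response = fetch()
        self.fetches += 1
        self._entries[key] = (now, response)
        return response, False


def simulate():
    """Two Customers investigate the same vendor; constructed responses.
    Returns the per-call served_from_cache flags and the total fetches."""
    clock = [0.0]
    # Deliberately misconfigured 10-day sanctions TTL; the cap must still hold.
    cache = SourceCache(ttls={"sanctions": 10 * 86400}, clock=lambda: clock[0])
    fetch_sanctions = lambda: {"vendor": "vendor.example", "listed": False}

    outcomes = []
    # Customer A at t=0: miss, fetched from the source.
    outcomes.append(cache.get("sanctions", "vendor.example", fetch_sanctions)[1])
    clock[0] = 3600
    # Customer B one hour later: served from the shared cache.
    outcomes.append(cache.get("sanctions", "vendor.example", fetch_sanctions)[1])
    clock[0] = 25 * 3600
    # 25 hours after the fetch: older than the cap, refetched despite the TTL.
    outcomes.append(cache.get("sanctions", "vendor.example", fetch_sanctions)[1])
    return outcomes, cache.fetches


if __name__ == "__main__":
    print(simulate())
```

Applying the cap inside max_age rather than at the configuration boundary means the invariant holds regardless of how the TTL table is loaded or later edited, which is the property an auditor would want to see tested.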

12. AI-Powered Processing and Automated Decision-Making

12.1 How We Use AI

ThirdProof uses large language model (LLM) technology provided by Anthropic, PBC through its Claude API to generate executive summaries, risk narratives, compliance framework context, and analytical conclusions from evidence collected by our automated Investigation pipeline. The AI synthesis layer does not independently determine risk tier assignments — risk tiers are assigned by a deterministic, rule-based engine according to our published methodology.

12.2 Automated Processing Disclosure

ThirdProof's Investigation pipeline constitutes automated processing of information about legal entities and, incidentally, about natural persons associated with those entities. We disclose this automated processing transparently because: (a) GDPR Article 22 provides rights regarding solely automated individual decision-making; (b) the EU AI Act's transparency obligations apply to AI systems; (c) the Colorado Artificial Intelligence Act imposes obligations on deployers of high-risk AI systems; and (d) we believe transparency about automated processing is fundamental to responsible intelligence operations.

12.3 EU AI Act Compliance

ThirdProof monitors its obligations under the EU AI Act. ThirdProof's current assessment is that its AI synthesis layer does not constitute a high-risk AI system under Annex III because: (a) risk tier assignments are determined by a deterministic rule engine, not by AI; (b) Reports are analytical opinions positioned as one input into Customer decision-making; and (c) the Platform explicitly requires Customer human oversight before any vendor onboarding decision. ThirdProof is committed to implementing transparency obligations consistent with EU AI Act principles.

12.4 Colorado Artificial Intelligence Act (CAIA) Compliance

The Colorado Artificial Intelligence Act (SB 24-205), with enforcement effective June 30, 2026, imposes obligations on deployers of “high-risk AI systems.” ThirdProof's current assessment is that the Platform is not a “high-risk AI system” under the CAIA because Reports assess organizational risk profiles of business entities, not individual consumers, and risk tier assignments are determined by a rule-based engine, not AI. ThirdProof will monitor Colorado Attorney General rulemaking and reassess its classification as the business scales.

12.5 AI Training Prohibition

ThirdProof will not use your personal data, Investigation queries, Report outputs, or any other information submitted by or generated for you to train, fine-tune, improve, or develop any AI model without your prior express written consent. Customer data processed by our AI synthesis layer is used solely to generate Reports for you and is not retained by Anthropic for AI training purposes under our current API agreement. ThirdProof will notify Customers by email within thirty (30) days if this arrangement materially changes.

13. How We Share Your Information

13.1 Subprocessors

We share information with subprocessors who process data on our behalf. A current, complete list of subprocessors is maintained at thirdproof.ai/subprocessors. We will notify Customers by email at least thirty (30) days before engaging any new subprocessor that processes Customer personal data.

13.2 White-Label Partners

ThirdProof may provide white-label Investigation services to Partners who deliver Reports under their own branding. The Partner is the data controller for their end-client relationship; ThirdProof acts as a data processor on behalf of the Partner. Partner end-client data is logically segregated from other Customer data. Upon termination of any Partner relationship, ThirdProof will delete or return Partner end-client data within ninety (90) days of receiving a written request.

13.3 Advertising Partners

We use or plan to use advertising platforms for customer acquisition. These platforms may place tracking pixels or cookies on your device, enabling targeted advertising to previous site visitors. This constitutes “sharing” of personal information under CPRA. Advertising pixels are loaded only after cookie consent is obtained where required by applicable law.

13.4 No Sale of Personal Information

ThirdProof does not sell personal information as that term is defined under the CCPA, and has never sold personal information. We do not sell Customer data, Investigation data, or any other personal information to data brokers, advertising networks, or any third party for their own commercial use.

13.5 Legal Requirements and Protection of Rights

We may disclose personal information when required by law, regulation, or court order; when necessary to protect the rights, property, or safety of ThirdProof, our Customers, or the public; in connection with legal proceedings; and to enforce our Terms of Service.

13.6 Business Transfers

If ThirdProof is acquired, merges with another company, or transfers substantially all of its assets, personal information held by ThirdProof may be transferred as part of that transaction. We will provide at least thirty (30) days' advance notice by email before personal information becomes subject to a materially different privacy policy.

14. Data Retention

Data Category | Retention Period | Purpose
Account Information | Active + 36 months | Customer service, billing, legal claims
Investigation Query Data | 24 months from submission | Audit trail, corrections, historical access
Reports and Evidence Chains | 24 months from Investigation | Customer access, audit integrity, disputes
SHA-256 Hash Records | Indefinite | Audit trail integrity; confirms Report existence
Decision Audit Records | 36 months from decision | Methodology governance, quality assurance
Payment and Billing Records | 7 years post-transaction | US tax, financial regulatory obligations
Usage and Analytics Data | 12–13 months | Platform improvement, UX optimization
Anonymized Network Intelligence | Indefinite | Network intelligence; fully anonymized
Communications | 36 months from date | Follow-up, quality assurance, disputes

Upon termination of your account, ThirdProof will delete Customer-identifiable Investigation data within ninety (90) days of receiving a verified deletion request. We will confirm deletion in writing within thirty (30) days of completing the process. Data in encrypted backups will be overwritten through normal backup rotation cycles (maximum 90 days). ThirdProof reviews its data retention schedules annually to ensure retention periods remain appropriate and proportionate.

15. Security

ThirdProof implements technical and organizational security measures designed to protect your information:

  • Encrypted data transmission using TLS 1.2 minimum (TLS 1.3 preferred) for all data in transit;
  • AES-256 encryption at rest for all database storage, with additional field-level encryption for sensitive data elements where supported;
  • Secure authentication including multi-factor authentication where available;
  • Role-based access controls limiting data access to personnel with a legitimate need;
  • Content Security Policy (CSP) headers to mitigate cross-site scripting and injection attacks;
  • Periodic security assessments of Platform infrastructure; and
  • Business continuity and disaster recovery capabilities provided by our infrastructure partners (Vercel, Supabase, Stripe), all of which maintain SOC 2 Type II certification.

ThirdProof does not currently hold an independent SOC 2 Type II, ISO 27001, or HITRUST certification at the application layer. We are working toward SOC 2 Type II certification. Customers requiring formal security documentation may contact security@thirdproof.ai.

Responsible Disclosure: If you discover a security vulnerability in the Platform, please report it to security@thirdproof.ai. We will acknowledge receipt within 48 hours.

In the event of a data breach, ThirdProof will: (a) notify the relevant supervisory authority within 72 hours as required by GDPR Article 33; (b) notify affected individuals without undue delay where required by GDPR Article 34; and (c) comply with applicable US state breach notification requirements, including California's breach notification law (Cal. Civ. Code §1798.82).

16. Marketing Communications and Anti-Spam Compliance

  • United States (CAN-SPAM Act): All marketing emails include a valid physical mailing address and a clear unsubscribe mechanism. Opt-out requests are honored within ten (10) business days.
  • European Economic Area, UK, and Switzerland (GDPR / ePrivacy): Marketing communications to EEA, UK, and Swiss data subjects are sent only with prior affirmative opt-in consent. Consent may be withdrawn at any time.
  • Canada (CASL): Marketing communications to Canadian recipients are sent only with express consent.

Transactional communications (account confirmations, Investigation completion notifications, security alerts) are not marketing and are sent regardless of marketing preferences.

17. Cookies, Tracking Technologies, and Similar Technologies

This section describes the cookies, pixels, local storage mechanisms, and other tracking technologies (collectively, “Tracking Technologies”) used on the ThirdProof Platform, the purposes for which they are used, the legal bases for their use, and the choices available to you. For the purposes of this section, “cookies” includes both traditional HTTP cookies and similar browser-based storage mechanisms unless otherwise specified.

17.1 Cookie Categories

ThirdProof classifies its Tracking Technologies into three categories based on purpose. This classification determines the consent requirements applicable to each technology under the ePrivacy Directive (2002/58/EC as amended), GDPR, UK GDPR, and applicable US state privacy laws.

Category 1 — Strictly Necessary (Essential): Required for the Platform to function. These technologies enable core functionality such as user authentication, session persistence, security protections, and load balancing. They cannot be disabled without breaking Platform functionality. No consent is required under the ePrivacy Directive Article 5(3) exemption for technologies that are strictly necessary for the provision of a service explicitly requested by the user.

Category 2 — Analytics and Performance: Used to understand how visitors interact with the Platform, measure performance, identify errors, and improve the user experience. These technologies collect aggregated or pseudonymized usage data. Where these technologies set cookies or access information on your device, consent is required under the ePrivacy Directive for visitors in the EEA, UK, and Switzerland. For US visitors, these technologies are disclosed here and are subject to opt-out rights where applicable under state law.

Category 3 — Advertising and Retargeting: Used for customer acquisition through targeted advertising on third-party platforms. These technologies may enable advertising partners to build a profile of your interests and show you relevant advertisements on other websites. Consent is always required before these technologies are activated, for visitors in all jurisdictions. This disclosure to advertising partners constitutes “sharing” of personal information under CPRA and may constitute “targeted advertising” under other US state privacy laws.

17.2 Cookie and Tracking Technology Inventory

The following table identifies each Tracking Technology currently used on the Platform. Cookie names and durations may change as providers update their technologies; this inventory reflects our most recent audit as of the Last Updated date of this Policy. We will update this inventory when we become aware of material changes.

Category 1 — Strictly Necessary

Cookie | Provider | Purpose | Type | Duration
sb-*-auth-token | Supabase | Authentication session token; maintains logged-in state | 1st party | Session / 7 days
sb-*-auth-token-code-verifier | Supabase | PKCE code verifier for secure authentication flow | 1st party | Session
__vercel_live_token | Vercel | Deployment and infrastructure session management | 1st party | Session

Category 2 — Analytics and Performance

Cookie | Provider | Purpose | Type | Duration
Plausible script (no cookies) | Plausible Insights OÜ | Privacy-first web analytics; does not use cookies, does not collect personal data, does not track across sites | Cookieless | N/A
_clck, _clsk | Microsoft Clarity | Session recording, heatmaps, click tracking, scroll depth; identifies user sessions for UX analysis | 1st party | 12 months / session
CLID | Microsoft Clarity | Persistent user identifier for returning visitor recognition across sessions | 1st party | 12 months
ph_phc_* (multiple) | PostHog | Product analytics, feature usage tracking, session identity, and event capture for Platform improvement | 1st party | 12 months
Vercel Web Analytics (no persistent cookies) | Vercel | Aggregated performance metrics and visitor counts without individual fingerprinting | Cookieless | N/A

Category 3 — Advertising and Retargeting

Cookie | Provider | Purpose | Type | Duration
_gcl_au, _gac_*, _ga | Google Ads | Conversion tracking, ad attribution, and retargeting for Google Ads campaigns | 3rd party | 90 days – 2 years
li_fat_id, li_sugr, UserMatchHistory | LinkedIn Ads | Conversion tracking, audience matching, and retargeting for LinkedIn advertising | 3rd party | 30 – 90 days
_rdt_uuid | Reddit Ads | Conversion tracking and retargeting for Reddit advertising campaigns | 3rd party | 90 days

Advertising pixels listed above are loaded only after obtaining consent where required by applicable law (see Section 17.3). These advertising platforms may also use cookieless tracking mechanisms (such as server-side conversion APIs) that do not store data on your device but may still constitute “sharing” under CPRA. ThirdProof treats these mechanisms as subject to the same consent and opt-out requirements as cookie-based tracking.

In addition to HTTP cookies, the Platform and its third-party providers may use similar technologies including browser local storage (used by Supabase for authentication and PostHog for event queuing), session storage, pixel tags (used by advertising partners for conversion tracking and in marketing emails for open rate measurement), and JavaScript SDKs (used by Plausible, Microsoft Clarity, and PostHog to collect page URLs, referrer information, and interaction events). These technologies are functionally equivalent to cookies for the purposes of the ePrivacy Directive and are subject to the same consent and opt-out requirements described in this section. Non-essential scripts are loaded only after consent is obtained where required.

17.3 Cookie Consent

For visitors from jurisdictions requiring affirmative cookie consent (including the EEA, UK, and Switzerland under the ePrivacy Directive 2002/58/EC as amended), Category 2 (Analytics) and Category 3 (Advertising) Tracking Technologies are loaded only after consent is obtained through our cookie consent mechanism. Category 1 (Essential) technologies do not require consent under the ePrivacy Directive Article 5(3) exemption.

Our cookie consent mechanism allows you to accept or reject each non-essential category independently. You may change your preferences at any time by accessing the cookie settings link in the Platform footer. Consent choices are stored locally and do not require account creation.

For visitors from the United States and other jurisdictions where prior consent is not required for analytics cookies, Category 2 technologies may be loaded without affirmative consent but are subject to opt-out rights described in Section 17.5. Category 3 (Advertising) technologies always require consent regardless of jurisdiction.

17.4 Do Not Track, Global Privacy Control, and Do Not Sell

ThirdProof honors Global Privacy Control (GPC) browser signals as a legally valid request to opt out of the “sharing” of personal information with advertising partners under CPRA and equivalent state laws. When we detect a GPC signal, we automatically suppress Category 3 (Advertising) Tracking Technologies for that browser session without requiring additional action from you.

Plausible Analytics respects Do Not Track (DNT) signals by design. Microsoft Clarity responds to Do Not Track signals. PostHog does not independently respond to DNT signals; for PostHog, use the cookie consent mechanism or GPC signal to opt out. When required by applicable law, ThirdProof will maintain a “Do Not Sell or Share My Personal Information” link at thirdproof.ai/privacy.
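The loading rules in Sections 17.3 and 17.4 (Category 1 always; Category 2 opt-in where the ePrivacy Directive requires prior consent and opt-out elsewhere; Category 3 only with explicit consent and never when a GPC signal is present) can be expressed as a small gate in front of the script loader. The block below is an added illustration, not ThirdProof's own consent code. The script names, the region codes, the shape of the stored consent record and the `readGpc` helper are all assumptions; the only page-backed facts are the category assignments from Section 17.2 and the `navigator.globalPrivacyControl` / `Sec-GPC` forms of the GPC signal.

```javascript
// Added example, not ThirdProof's own code: a consent-gated script loader
// applying the rules of Sections 17.3 and 17.4. Script names, region codes
// and the consent record layout are assumptions for illustration.

// Constructed inventory mirroring the category table in Section 17.2.
const SCRIPTS = [
  { name: "supabase-auth", category: 1 },   // Category 1: strictly necessary
  { name: "plausible", category: 2 },       // Category 2: analytics
  { name: "clarity", category: 2 },
  { name: "posthog", category: 2 },
  { name: "google-ads", category: 3 },      // Category 3: advertising
  { name: "linkedin-insight", category: 3 },
  { name: "reddit-pixel", category: 3 },
];

// Regions where prior consent is required for Category 2 (EEA, UK, CH).
// Region codes are assumed to be ISO 3166-1 alpha-2 values.
const EEA = ["AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE",
  "GR", "HU", "IS", "IE", "IT", "LV", "LI", "LT", "LU", "MT", "NL", "NO", "PL",
  "PT", "RO", "SK", "SI", "ES", "SE"];
const PRIOR_CONSENT_REGIONS = new Set([...EEA, "GB", "CH"]);

// Detect the GPC signal. In the browser it is navigator.globalPrivacyControl;
// on the server it arrives as the "Sec-GPC: 1" request header.
function readGpc({ navigator, headers } = {}) {
  if (navigator && navigator.globalPrivacyControl === true) return true;
  if (headers && String(headers["sec-gpc"] ?? "").trim() === "1") return true;
  return false;
}

// Decide which categories may load for this visitor.
// consent: { analytics: true|false|undefined, advertising: true|false|undefined }
// where undefined means no choice has been recorded yet.
function allowedCategories({ region, consent = {}, gpc = false }) {
  const allowed = new Set([1]); // Category 1 never requires consent
  const priorConsent = PRIOR_CONSENT_REGIONS.has(region);
  // Category 2: opt-in where prior consent is required, opt-out elsewhere.
  const analyticsOk = priorConsent
    ? consent.analytics === true
    : consent.analytics !== false;
  if (analyticsOk) allowed.add(2);
  // Category 3: explicit opt-in in every jurisdiction, and GPC always wins.
  if (consent.advertising === true && !gpc) allowed.add(3);
  return allowed;
}

// Names of the scripts that the page is permitted to inject for this visitor.
function scriptsToLoad(state) {
  const allowed = allowedCategories(state);
  return SCRIPTS.filter((s) => allowed.has(s.category)).map((s) => s.name);
}

// Stand-alone demonstration with a constructed visitor state.
const demoVisitor = {
  region: "US",
  consent: { advertising: true },
  gpc: readGpc({ headers: { "sec-gpc": "1" } }),
};
console.log(scriptsToLoad(demoVisitor));
```

Note that the GPC check is applied after consent is evaluated, so a stored "advertising: true" choice does not override a later GPC signal; that matches the policy's statement that the signal suppresses Category 3 without further action from the visitor.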

17.5 How to Manage Cookies and Similar Technologies

You have multiple options for managing Tracking Technologies used on the Platform:

  • Cookie Consent Mechanism: Use the cookie settings link in the Platform footer to adjust your consent preferences for Category 2 and Category 3 technologies at any time.
  • Browser Settings: Most web browsers allow you to control cookies through their settings. You can typically find these options under “Privacy,” “Security,” or “Cookies” in your browser's preferences. You can delete existing cookies, block new cookies, or configure your browser to notify you when a cookie is being set. Note that blocking essential cookies will prevent you from logging into or using the Platform.
  • Global Privacy Control: Install a browser extension or use a browser that supports GPC (such as Brave, DuckDuckGo, or Firefox with the appropriate extension) to automatically signal your opt-out preference to all websites you visit.
  • Platform-Specific Opt-Outs: You may also opt out of interest-based advertising directly with our advertising partners: Google Ads at myadcenter.google.com; LinkedIn through your LinkedIn account settings; Reddit through your Reddit account settings. Industry-wide opt-out tools are available through the Network Advertising Initiative (optout.networkadvertising.org) and the Digital Advertising Alliance (optout.aboutads.info).

18. United States Privacy Rights

18.1 California Privacy Rights (CCPA/CPRA)

If you are a California resident, the CCPA/CPRA provides you with the following rights:

Categories of Personal Information Collected: Identifiers (name, email, IP address, company, job title); Commercial Information (subscription plan, transaction history, Investigation activity); Internet or Network Activity (pages visited, session duration); Professional Information (job title, company); Inferences (aggregated, anonymized usage patterns for Platform improvement — we do not create individual behavioral profiles for advertising).

Your California Rights:

  • Right to Know: Request disclosure of personal information collected, sources, purposes, and third-party recipients.
  • Right to Delete: Request deletion, subject to legal retention obligations and audit trail requirements.
  • Right to Correct: Request correction of inaccurate personal information.
  • Right to Opt Out of Sale or Sharing: ThirdProof does not sell personal information. We share with advertising partners as described in Section 13.3. Opt out via privacy@thirdproof.ai, GPC, or platform opt-out mechanisms.
  • Right to Data Portability: Request your personal data in a structured, commonly used, machine-readable format.
  • Right to Limit Use of Sensitive Personal Information: ThirdProof does not collect sensitive personal information as defined under CPRA beyond payment data processed by Stripe.
  • Right to Non-Discrimination: We will not discriminate against you for exercising privacy rights.

To exercise California privacy rights, contact privacy@thirdproof.ai or visit thirdproof.ai/privacy. You may designate an authorized agent to submit requests on your behalf; we may require written authorization and identity verification. We will respond within forty-five (45) days, extendable by an additional forty-five (45) days with prior notice.

18.2 Other US State Privacy Rights

Residents of the following states have privacy rights under applicable state law that ThirdProof honors: Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Indiana (INCDPA), Iowa (ICDPA), Tennessee (TIPA), Delaware (DPDPA), New Hampshire (NHPA), New Jersey (NJDPA), Nebraska (NDPA), Maryland (MODPA), Minnesota (MNDPA), Kentucky (KCDPA), and other states with enacted comprehensive privacy laws. Contact privacy@thirdproof.ai specifying your state of residence. ThirdProof will not discriminate against any individual for exercising privacy rights under any applicable state law.

19. Children's Privacy

ThirdProof is a B2B compliance platform intended exclusively for professionals. We do not knowingly collect personal information from children under the age of thirteen (13) as defined under COPPA, or under the age of sixteen (16) as defined under GDPR Article 8. If we become aware that we have inadvertently collected personal information from a child under these thresholds, we will delete that information promptly. If you believe we have collected information from a child, please contact privacy@thirdproof.ai immediately.

20. European, Swiss, and International Privacy Rights

20.1 Scope

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the General Data Protection Regulation (EU GDPR), UK GDPR, Swiss Federal Act on Data Protection (nFADP), and applicable national implementing legislation provide you with additional rights and impose additional obligations on ThirdProof as a data controller.

20.2 Legal Bases for Processing

ThirdProof processes personal data under the following legal bases, which are documented internally and will be formalized in a Record of Processing Activities (RoPA) in accordance with GDPR Article 30 as the scale of our operations warrants:

  • Contractual Necessity (Article 6(1)(b)): Account information, Investigation query data, and payment metadata as necessary to perform our contractual obligations to Customers.
  • Legitimate Interests (Article 6(1)(f)): Usage analytics, security monitoring, Network Intelligence processing, and personal data incidentally surfaced during Investigations. ThirdProof processes this data on the basis that it is necessary for the legitimate interests pursued by ThirdProof and its Customers — specifically, cybersecurity risk assessment, fraud prevention, and regulatory compliance facilitation — and that those interests are not overridden by the rights of the data subjects concerned, given that the data is sourced exclusively from publicly available records and processed at the organizational rather than individual level. Inquiries may be directed to privacy@thirdproof.ai.
  • Compliance with Legal Obligation (Article 6(1)(c)): Financial record-keeping, breach notification, and responding to lawful regulatory requests.
  • Consent (Article 6(1)(a)): Marketing communications and optional analytics beyond essential Platform operation. Consent may be withdrawn at any time.

20.3 Data Protection Impact Assessments

ThirdProof is committed to conducting Data Protection Impact Assessments (DPIAs) under GDPR Article 35 for processing activities likely to result in high risk to the rights and freedoms of natural persons, as the scale of our operations warrants. As the Platform's customer base and Investigation volume grow, ThirdProof will document DPIAs for its automated Investigation pipeline that incidentally processes personal data from public records. DPIA findings will inform our data minimization practices, security measures, and processing safeguards.

20.4 Data Protection by Design and Default

In accordance with the principles of GDPR Article 25, ThirdProof is committed to implementing data protection by design and by default throughout its Platform development and operational processes, with safeguards appropriate to the current scale of operations. This includes data minimization in Investigation queries, pseudonymization where feasible, strict access controls, and default privacy-protective settings for new Customer accounts.

20.5 Your GDPR Rights

You have the following rights, exercisable by contacting privacy@thirdproof.ai. We will respond within one calendar month (extendable by two additional months for complex requests with prior notice):

  • Right of Access (Article 15): Request a copy of the personal data we hold about you.
  • Right to Rectification (Article 16): Request correction of inaccurate personal data.
  • Right to Erasure (Article 17): Request deletion where processing is no longer necessary, consent has been withdrawn, or data was unlawfully processed. ThirdProof may decline erasure requests where processing is necessary for the establishment, exercise, or defense of legal claims (Article 17(3)(e)), for archiving purposes in the public interest (Article 17(3)(d)), or for the exercise of the right of freedom of expression and information (Article 17(3)(a)). These exceptions are particularly relevant to Investigated Vendor personnel data sourced from public records.
  • Right to Restriction (Article 18): Request restriction of processing while accuracy is contested.
  • Right to Data Portability (Article 20): Receive your personal data in a structured, machine-readable format.
  • Right to Object (Article 21): Object to processing based on Legitimate Interests. For Investigated Vendor personnel, ThirdProof will evaluate the objection but may continue processing where compelling legitimate grounds exist, including maintaining the integrity of published Reports and the public interest in vendor risk transparency.
  • Rights Related to Automated Decision-Making (Article 22): Where our automated processing constitutes a solely automated decision producing legal or similarly significant effects on a natural person, you have the right to obtain human review.
  • Right to Lodge a Complaint: EU residents may contact their national data protection authority. UK residents may contact the ICO at ico.org.uk. Swiss residents may contact the FDPIC.

20.6 Data Transfers Outside the EEA

ThirdProof is headquartered in the United States. If and when ThirdProof processes personal data of EEA, UK, or Swiss data subjects, such data will be transferred to the United States. For these transfers, ThirdProof will implement appropriate safeguards, which may include: Standard Contractual Clauses (SCCs) adopted by the European Commission; Transfer Impact Assessments (TIAs) as warranted by the scope and volume of cross-border data transfers; for UK transfers, the UK International Data Transfer Agreement (IDTA) or addendum to the EU SCCs; and for Swiss transfers, the Swiss-specific SCC provisions. ThirdProof will evaluate self-certification under the EU-US Data Privacy Framework as the scope of EU data processing warrants. A Data Processing Agreement (DPA) incorporating the relevant transfer mechanisms will be available upon request at legal@thirdproof.ai.

20.7 Brazil, Canada, and Other International Privacy Laws

ThirdProof is committed to complying with applicable international privacy laws as our customer base and Investigation scope expand:

  • Brazil (LGPD): To the extent ThirdProof processes personal data of Brazilian data subjects, we comply with the Lei Geral de Proteção de Dados and honor applicable data subject rights.
  • Canada (PIPEDA): To the extent ThirdProof processes personal information of Canadian individuals, we comply with the Personal Information Protection and Electronic Documents Act and applicable provincial legislation.

As ThirdProof expands internationally, we will evaluate compliance obligations under additional jurisdictions including Australia (Privacy Act 1988), Singapore (PDPA), Japan (APPI), and other applicable data protection regimes. Questions about international privacy compliance may be directed to privacy@thirdproof.ai.

21. Industry-Specific Data Handling

21.1 Healthcare Customers

ThirdProof does not create, receive, maintain, or transmit protected health information (PHI) as defined under HIPAA. ThirdProof investigates vendor risk profiles using publicly available data; it does not process patient records, clinical data, or insurance information. Accordingly, ThirdProof is not a Business Associate under HIPAA and does not execute Business Associate Agreements (BAAs) for its standard Investigation services. Healthcare customers who require ThirdProof to process PHI in connection with a future product or integration should contact legal@thirdproof.ai to discuss appropriate safeguards.

Reports generated for healthcare customers may include HIPAA-specific compliance framing as described in Section 3.6. This framing is informational and does not create a Business Associate relationship.

21.2 Government Contractor Customers

All ThirdProof customer data is processed and stored exclusively in the United States, on US-based infrastructure. ThirdProof does not process Controlled Unclassified Information (CUI) or classified information. Government contractor customers with specific data handling requirements should contact security@thirdproof.ai to discuss applicable controls.

22. Export Controls and Sanctions Compliance

ThirdProof complies with all applicable US export control and economic sanctions laws, including regulations administered by the Office of Foreign Assets Control (OFAC), the Bureau of Industry and Security (BIS), and the Export Administration Regulations (EAR).

The Platform is not available to, and may not be used by, individuals or entities in countries or regions subject to comprehensive US sanctions, including Cuba, Iran, North Korea, Syria, and the Crimea, Donetsk, and Luhansk regions of Ukraine. ThirdProof will not provide services to any entity or individual designated on any US government restricted party list, including the OFAC Specially Designated Nationals (SDN) list.

By using the Platform, you represent and warrant that you are not located in, organized under the laws of, or a resident of any country or region subject to comprehensive US sanctions, and that you are not named on any US government restricted party list.

23. CalOPPA Disclosure

Pursuant to the California Online Privacy Protection Act: Users may visit thirdproof.ai anonymously. We will provide notice of Policy changes by updating the Effective Date and by emailing registered users for material changes. Plausible Analytics does not track users across websites. Microsoft Clarity responds to Do Not Track signals. PostHog does not independently respond to Do Not Track signals but is subject to our cookie consent mechanism and GPC signal processing. We honor GPC signals for advertising-related sharing as described in Section 17.

25. Disclaimer of Warranties and Limitation of Liability

THIRDPROOF REPORTS ARE PROVIDED “AS IS” AND “AS AVAILABLE.” TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THIRDPROOF DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, ACCURACY, COMPLETENESS, AND NON-INFRINGEMENT, WITH RESPECT TO REPORTS, THE PLATFORM, AND ALL INFORMATION DERIVED FROM THIRD-PARTY DATA SOURCES.

ThirdProof does not warrant that: (a) Data Sources will be available, accurate, or complete at all times; (b) Reports will identify all risks associated with an Investigated Vendor; (c) risk tier assignments will predict future vendor behavior; or (d) the Platform will operate without interruption or error.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THIRDPROOF'S TOTAL LIABILITY ARISING OUT OF OR RELATED TO THIS POLICY, THE PLATFORM, OR ANY REPORT SHALL NOT EXCEED THE GREATER OF (A) THE AMOUNTS PAID BY THE CUSTOMER TO THIRDPROOF IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO LIABILITY, OR (B) ONE HUNDRED US DOLLARS ($100). IN NO EVENT SHALL THIRDPROOF BE LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES.

This limitation does not apply to liability that cannot be excluded or limited under applicable law, including liability for fraud, gross negligence, or willful misconduct.

25.1 Customer Indemnification

Customers agree to indemnify, defend, and hold harmless ThirdProof and its officers, directors, employees, and agents from any claim, demand, loss, or liability (including reasonable legal fees) arising from: (a) Customer's use of Reports in violation of this Policy or the Terms of Service, including any FCRA-regulated use; (b) Customer's publication, redistribution, or disclosure of Reports in a manner not authorized by Section 3.7; (c) any third-party claim arising from Customer's use of Reports as a basis for decisions about natural persons; and (d) Customer's violation of applicable law in connection with the Platform. This indemnification obligation survives termination of the Customer's account.

25.2 Force Majeure

ThirdProof shall not be liable for delays or failures in performance resulting from causes beyond its reasonable control, including Data Source outages, API provider service disruptions, acts of government, natural disasters, cyberattacks, or other force majeure events. Force majeure provisions are further detailed in the Terms of Service.

26. Changes to This Policy

We may update this Policy to reflect changes in our data practices, technology, legal requirements, or business operations. We will notify registered users of material changes by email at least thirty (30) days before the effective date. Non-material changes will be posted at thirdproof.ai/privacy with an updated Last Updated date. Material changes apply to existing users after the notice period; new users are bound by the current version at the time of account creation. For Customers whose processing is based on consent under GDPR, material changes to processing activities will require re-consent where legally required.

Prior versions of this Policy will be archived and available upon request at privacy@thirdproof.ai as future updates are published.

27. Governing Law, Severability, and Dispute Resolution

27.1 Governing Law

This Policy shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to conflict of law principles, except to the extent that mandatory provisions of applicable data protection law (including GDPR, UK GDPR, nFADP, CCPA, CPRA, and state privacy laws) require application of a different jurisdiction's law to specific processing activities or data subject rights.

27.2 Severability

If any provision of this Policy is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction, such invalidity shall not affect any other provision. The invalid provision shall be modified to the minimum extent necessary to make it valid while preserving its original intent.

27.3 Dispute Resolution

Disputes arising under or in connection with this Policy are subject to the dispute resolution provisions of ThirdProof's Terms of Service, which may include binding arbitration and a class action waiver. Nothing in this Policy limits any data subject's right to lodge a complaint with a supervisory authority under applicable data protection law, or to seek judicial remedy through the courts of their jurisdiction where permitted by mandatory law.

28. Contact and Data Protection Inquiries

For questions, concerns, privacy requests, or complaints regarding this Policy, contact us through the channels below:

ThirdProof, Inc. (d/b/a ThirdProof.ai)
Apex, North Carolina 27502, United States

  • Privacy inquiries and data subject requests: privacy@thirdproof.ai (response within 30 days; California residents: 45 days; GDPR data subjects: one calendar month)
  • Legal and contractual inquiries (DPA, transfer mechanisms): legal@thirdproof.ai
  • Security inquiries, breach notification, and responsible disclosure: security@thirdproof.ai (vulnerability reports acknowledged within 48 hours)

ThirdProof does not currently designate a formal Data Protection Officer (DPO). As our customer base grows to include significant volumes of EEA, UK, or Swiss customer data, we will evaluate the DPO designation requirement under GDPR Article 37 and appoint a DPO if required. In the interim, privacy@thirdproof.ai serves as the primary point of contact for all data protection matters. ThirdProof will provide privacy training to all personnel with access to personal data, with training frequency and scope appropriate to the size of the team and the nature of processing activities.

Appendix: Version History

Version | Date | Summary of Changes
1.0 | February 21, 2026 | Initial publication.