Policies

This Acceptable Use Policy sets out a list of acceptable and unacceptable conduct for our Services. If we believe a violation of the policy is deliberate, repeated or presents a credible risk of harm to other users, our customers, the Services or any third parties, we may suspend or terminate your access. This policy may change as Kriv Technologies grows and evolves, so please check back regularly for updates and changes. Capitalized terms used herein have the meanings given in the Business Terms.

Do:

• Comply with all Customer Terms of Service, including the terms of this Acceptable Use Policy.
• Comply with all applicable laws and governmental regulations, including, but not limited to, all intellectual property, data, privacy, and export control laws, and regulations promulgated by any government agencies.
• Use commercially reasonable efforts to prevent unauthorized access to or use of the Services.
• Keep passwords and all other login information confidential.
• Monitor and control all activity conducted through your account in connection with the Services.
• Promptly notify us if you become aware of or reasonably suspect any illegal or unauthorized activity or a security breach involving your accounts or teams, including any loss, theft, or unauthorized disclosure or use of a username, password, or account.

Do Not:

• Permit any third party that is not an Authorized User (as defined in Business Terms or applicable agreement) to access or use a username or password for the Services.
• Share, transfer or otherwise provide access to an account designated for you to another person.
• Upload to, or transmit from, the Services any data, file, software, or link that contains or redirects to a virus, Trojan horse, worm, or other harmful component or a technology that unlawfully accesses or downloads content or information stored within the Services.
• Attempt to reverse engineer, decompile, hack, disable, interfere with, disassemble, modify, copy, translate, or disrupt the features, functionality, integrity, or performance of the Services (including any mechanism used to restrict or control the functionality of the Services), any third party use of the Services, or any third party data contained therein (except to the extent such restrictions are prohibited by applicable law).
• Attempt to gain unauthorized access to the Services or related systems or networks or to defeat, avoid, bypass, remove, deactivate, or otherwise circumvent any software protection or monitoring mechanisms of the Services.
• Access the Services in order to build a similar or competitive product or service or copy any ideas, features, functions, or graphics of the Services.
• Impersonate any person or entity, including, but not limited to, an employee of ours, a Customer, or any other Authorized User, or falsely state or otherwise misrepresent your affiliation with a person, organization or entity.
• Sublicense, resell, time share or similarly exploit the Services.
• Use the Services for consumer purposes, as analyst is intended for use by businesses and organizations.
• Authorize, permit, enable, induce or encourage any third party to do any of the above.

Kriv Technologies ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our analyst platform ("Services").

Information We Collect

• Account Information: When you register for an account, we collect information such as your name, email address, company name, and payment information (processed by a third-party payment processor).
• Usage Information: We collect information about how you interact with our Services, such as the features you use, queries run (metadata, not the underlying data), dashboards created, and performance metrics.
• Technical Information: We automatically collect certain technical information, including IP address, browser type, operating system, and device identifiers.
• Credentials (Encrypted): To connect to your data sources, we securely store necessary credentials (like database usernames, passwords, API keys) using industry-standard encryption (e.g., AES-128 or stronger). These are used solely to execute queries on your behalf.
• Cached Query Results (Optional & Temporary): If you enable caching for performance, the results of queries run against your data sources may be temporarily stored in our secure infrastructure. You control the duration of this cache, and it is automatically deleted thereafter. Caching can be disabled entirely.

How We Use Your Information

• To provide, operate, maintain, and improve our Services.
• To process transactions and send you related information, including confirmations and invoices.
• To send technical notices, updates, security alerts, and support messages.
• To respond to your comments, questions, and requests.
• To monitor and analyze trends, usage, and activities in connection with our Services.
• To detect, investigate, and prevent fraudulent transactions and other illegal activities and protect the rights and property of Kriv Technologies and others.
• To comply with legal obligations.

Information We DO NOT Collect or Store

• We do not store a copy of your underlying database or raw data from your connected data sources. Analyst operates by sending queries (e.g., SQL) to your data source and retrieving only the results necessary to display visualizations or answer questions. Your data stays within your infrastructure.
• We do not share your specific Customer Data (query results or credentials) with third parties, except with subprocessors necessary to provide the service (as outlined in the DPA) who are bound by strict confidentiality and data protection obligations, or as required by law.

Data Security

We implement reasonable and appropriate technical and organizational measures designed to protect the security of any personal information we process. This includes encryption of credentials and data in transit (SSL/TLS) and at rest (for cached data and credentials), access controls, logging, and regular security assessments. Please see our DPA Exhibit B for more details.

Data Retention

We retain your account information and usage data for as long as your account is active or as needed to provide you Services, comply with our legal obligations, resolve disputes, and enforce our agreements. Cached query results are retained only for the duration you specify via the cache controls, or not at all if caching is disabled. Credentials are deleted upon account termination or disconnection of the data source.

Your Data Protection Rights

Depending on your location, you may have certain rights regarding your personal information, such as the right to access, correct, update, or request deletion. To exercise these rights, please contact us at privacy@kriv.tech.

Changes to this Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date.

Last Updated: 1^stApril 2025

These Business Terms are an agreement between Kriv Technologies ("Kriv", "we", "us") and you (“Customer”) that governs your use of our Services (as defined below). By signing up to use the Services, you agree to be bound by these Business Terms. You represent to us that you are lawfully able to enter into contracts and, if you are entering into these Business Terms for an entity, that you have legal authority to bind that entity. These Business Terms also refer to and incorporate the Acceptable Use Policy, Privacy Policy, Data Processing Addendum (DPA), and any other guidelines or policies we may provide in writing (the “Kriv Policies”) and any ordering document signed by you and Kriv (collectively, the “Agreement”).

Thank you for choosing analyst!

1. Services

1.1 Use of Services. “Services” means any services for businesses and developers we make available for purchase or use via kriv.tech, specifically the analyst platform, along with any of our associated software, tools, developer services, documentation, and websites. We grant you a non-exclusive right to access and use the Services during the Term (as defined below). This includes the right to use Kriv's platform, Software Development Kit (SDK) if applicable, and APIs, to integrate the Services into your applications, products, or services (each a “Customer Application”) and to make the Services and Customer Applications available to Collaborators (as defined below) and your own users and customers (”End Users”).

1.2 Responsibilities for Your Account. You must provide accurate and up-to-date account information. You are responsible for all activities that occur under your account, including the activities of any collaborator (each, an “Collaborator”) who is provisioned with an account under your account (an “Collaborator Account”) or accesses the Services through your Customer Application. You may not make account access credentials available to third parties, share individual login credentials between multiple users on an account, or resell or lease access to your account or any Collaborator Account. You will promptly notify us if you become aware of any unauthorized access to or use of your account or our Services.

2. Restrictions

We own all right, title, and interest in and to the Services. You only receive rights to use the Services as explicitly granted in this Agreement. You will not, and will not permit Collaborators to:

• (a) use the Services or analyst Content (as defined below) in a manner that violates any applicable laws or Kriv Policies;
• (b) use the Services or Customer Content in a manner that infringes, misappropriates, or otherwise violates any third party’s rights;
• (c) send us any personal information of children under 13 or the applicable age of digital consent or allow minors to use our Services without consent from their parent or guardian;
• (d) reverse assemble, reverse compile, decompile, translate, engage in stealing attacks, or otherwise attempt to discover the source code of the Services, algorithms, and systems of the Services (except to the extent these restrictions are contrary to applicable law);
• (e) use any method to extract data from the Services other than as permitted.

3. Content

3.1 Customer Content. You and Collaborators may use the Services to build analytics experiences using our tools (”analyst Content”) and embed these in other websites or applications. To do this, you may connect data sources to the Services (requiring secure storage of credentials) and define charting or other components (”Customer Input”). Together, Customer Input, credentials necessary to access Customer Input, and any temporarily cached query results derived from Customer Input are known as “Customer Content”. As between you and Kriv, and to the extent permitted by applicable law, you retain all ownership rights in Customer Input. Kriv owns all rights in the analyst platform itself and the analyst Content (excluding your Customer Input). You are permitted to use analyst Content generated through your use of the service during the Term.

3.2 Our Obligations for Customer Content. We will only use Customer Content as necessary to provide you with the Services (including running queries against your data sources using stored credentials and optionally caching results), comply with applicable law, and enforce Kriv Policies. We do not store your underlying data sources. We treat your Customer Content as Confidential Information.

3.3 Your Obligations for Customer Content. You are responsible for all Customer Input and represent and warrant that you have all rights, licenses, and permissions required to provide Customer Input (including credentials) to the Services and grant us the necessary rights to process it as described. You are solely responsible for all use of analyst Content and evaluating this for accuracy and appropriateness for your use case.

4. Confidentiality

4.1 Use and Nondisclosure. “Confidential Information” means any business, technical or financial information, materials, or other subject matter disclosed by one party (“Discloser”) to the other party (“Recipient”) that is identified as confidential at the time of disclosure or should be reasonably understood by Recipient to be confidential under the circumstances (including Customer Content). Recipient agrees it will: (a) only use Discloser's Confidential Information to exercise its rights and fulfill its obligations under this Agreement, (b) take reasonable measures to protect the Confidential Information, and (c) not disclose the Confidential Information to any third party except as expressly permitted in this Agreement or the DPA.

4.2 Exceptions. The obligations in Section 4.1 do not apply to any information that (a) is or becomes generally available to the public through no fault of Recipient, (b) was in Recipient’s possession or known by it prior to receipt from Discloser, (c) was rightfully disclosed to Recipient without restriction by a third party, or (d) was independently developed without use of Discloser’s Confidential Information. Recipient may disclose Confidential Information only to its employees, contractors, and agents (including subprocessors as defined in the DPA) who have a need to know and who are bound by confidentiality obligations at least as restrictive as those of this Agreement. Recipient will be responsible for any breach of this Section 4 by its employees, contractors, and agents. Recipient may disclose Confidential Information to the extent required by law, provided that Recipient uses reasonable efforts to notify Discloser in advance.

5. Security

5.1 Our Security Program. We will maintain an information security program (including the adoption and enforcement of internal policies and procedures) designed to (a) protect the Services and Customer Content (specifically stored credentials and cached data) against accidental or unlawful loss, access, or disclosure, (b) identify reasonably foreseeable and internal risks to security and unauthorized access, and (c) minimize security risks, including through regular risk assessments and testing. See DPA Exhibit B for more details.

5.2 Our Security Obligations. As part of our information security program, we will implement and enforce appropriate technical and organizational measures as detailed in our DPA.

6. Privacy

6.1 Personal Data. If you use the Services to process personal data (including within Customer Input or data accessed via the Services), you must (a) provide legally adequate privacy notices and obtain necessary consents for the processing of personal data by the Services, (b) process personal data in accordance with applicable law, and (c) if processing “personal data” or “Personal Information” as defined under applicable data protection laws (like GDPR, CCPA), execute our Data Processing Addendum (DPA), which is incorporated herein by reference.

6.2. Data breach notification. In the event of a data breach involving unauthorized access to Customer Content held by Kriv (credentials, cached data) or account information, Kriv will promptly notify the Customer without undue delay and, where feasible, not later than 72 hours of becoming aware of the breach. We will provide the Customer with sufficient information regarding the breach, its impact, and our response actions. Customers are responsible for maintaining up-to-date contact information. We will take necessary steps to mitigate harm and prevent future occurrences in accordance with applicable laws.

7. Payment; Taxes

7.1 Fees and Billing. You agree to pay all fees charged to your account (“Fees”) according to the prices and terms specified in your Contract or Order Form. Subscriptions are typically billed on a monthly basis in advance. We have the right to correct pricing errors. You authorize us and our third-party payment processor(s) to charge your provided payment method periodically. Fees are payable in the currency specified (e.g., U.S. dollars) and are due upon invoice issuance or the start of the billing period. Payments are nonrefundable, and no refunds or credits will be provided for partial months of service, upgrade/downgrade refunds, or unused months with an open account. No credits or subscription time will be carried forward if a subscription is paused or terminated mid-cycle.

7.2 Taxes. Fees are exclusive of taxes (like VAT or sales tax), which we will charge as required by applicable law.

7.3 Disputes and Late Payments. To dispute an invoice, contact us within thirty (30) days of issuance. Overdue undisputed amounts may be subject to a finance charge (e.g., 1.5% per month) and we may suspend the Services after providing written notice of late payment.

8. Term; Termination

8.1 Term. The term of this Agreement commences upon your acceptance or first use of the Services and remains in effect until terminated (“Term”). Monthly subscriptions automatically renew unless either party gives notice of non-renewal at least thirty (30) days before the start of the next renewal period.

8.2 Termination. Unless on a committed duration contract, you may terminate this Agreement by deleting your account or providing written notice. Termination will be effective at the end of the current billing period. Either party may terminate upon written notice if the other materially breaches the Agreement and fails to cure within thirty (30) days, or if the other ceases business operations or becomes insolvent. We may suspend access or terminate this Agreement: (i) if required by law; (ii) to prevent security risks or harm; or (iii) for repeated or material violations of Kriv Policies. We will use reasonable efforts to notify you prior to suspension or termination.

8.3 Effect of Termination. Termination does not affect accrued rights or obligations (including payment). Provisions intended to survive (Confidentiality, Disclaimers, Indemnification, Limitations of Liability, etc.) will survive. Upon termination or expiration, we have the right and obligation to delete all Customer Content (including credentials and cached data) from our systems within thirty (30) days, in accordance with applicable laws (like GDPR), unless legally required to retain it. This deletion obligation also applies within thirty (30) days after a subscription is paused.

9. Disclaimer

THE SERVICES ARE PROVIDED “AS IS”. WE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, AND ANY WARRANTIES ARISING OUT OF COURSE OF DEALING OR TRADE USAGE. WE MAKE NO REPRESENTATIONS OR WARRANTIES THAT USE OF THE SERVICES WILL BE UNINTERRUPTED, ERROR-FREE, OR SECURE, THAT DEFECTS WILL BE CORRECTED, THAT CUSTOMER CONTENT OR ANALYST CONTENT WILL BE ACCURATE, OR WITH RESPECT TO THIRD-PARTY OFFERINGS. KRIV SHALL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES, INCLUDING DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA OR OTHER INTANGIBLE LOSSES, RESULTING FROM YOUR USE OF THE SERVICE.

10. Indemnification

You agree to indemnify and hold harmless Kriv Technologies, its affiliates, officers, agents, and employees from any third-party claim arising from or related to your use of the Service (including use by Collaborators or End Users via Customer Applications), your violation of this Agreement, or your violation of any third-party rights, including any liability or expense arising from claims, losses, damages, suits, judgments, litigation costs and attorneys' fees. We will provide written notice of such claim.

11. Limitation of Liability

11.1 Limitations on Indirect Damages. EXCEPT FOR (I) A PARTY’S GROSS NEGLIGENCE OR WILFUL MISCONDUCT, (II) YOUR BREACH OF SECTION 2 (RESTRICTIONS), (III) EITHER PARTY’S BREACH OF SECTION 4 (CONFIDENTIALITY), (IV) OUR BREACH OF SECTION 5 (SECURITY) AS DETAILED IN THE DPA, OR (V) A PARTY’S INDEMNIFICATION OBLIGATIONS, NEITHER PARTY WILL BE LIABLE UNDER THIS AGREEMENT FOR ANY INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR EXEMPLARY DAMAGES (INCLUDING LOST PROFITS) EVEN IF ADVISED OF THE POSSIBILITY.

11.2 Liability Cap. EXCEPT FOR (I) A PARTY’S GROSS NEGLIGENCE OR WILFUL MISCONDUCT OR (II) A PARTY’S INDEMNIFICATION OBLIGATIONS, EACH PARTY’S TOTAL LIABILITY UNDER THE AGREEMENT WILL NOT EXCEED THE TOTAL AMOUNT YOU HAVE PAID TO US IN THE TWELVE (12) MONTHS IMMEDIATELY PRIOR TO THE EVENT GIVING RISE TO LIABILITY. THESE LIMITATIONS APPLY TO THE MAXIMUM EXTENT PERMITTED UNDER APPLICABLE LAW.

12. Trade Controls

You must comply with all applicable trade laws, including sanctions and export control laws. Our Services may not be used in or for the benefit of, or exported or re-exported to (a) any U.S. embargoed country or territory or other restricted jurisdictions or (b) any individual or entity prohibited under applicable trade laws. Our Services may not be used for prohibited end uses.

13. Governing law

This Agreement shall be governed by and construed in accordance with the laws of the United Kingdom, without giving effect to any principles of conflicts of law.

14. Dispute Resolution

YOU AGREE TO THE FOLLOWING MANDATORY ARBITRATION AND CLASS ACTION WAIVER PROVISIONS:

14.1 MANDATORY ARBITRATION. You and Kriv agree to resolve any claims arising out of or relating to this Agreement or our Services (“Dispute”) through final and binding arbitration.

14.2 Informal Dispute Resolution. Before filing a claim, we both agree to try to resolve the Dispute informally by sending notice to the other party's provided contact information. If unresolved within 60 days, either party may initiate arbitration. We both agree to attend an individual settlement conference if requested during this period. Any statute of limitations will be tolled during this process.

14.3 Exceptions. Arbitration is not required for: (a) individual claims in small claims court; or (b) injunctive relief for unauthorized use/abuse of Services or IP infringement.

14.4 Severability. If any part of this Section 14 is found illegal or unenforceable, the remainder remains in effect, unless a finding would allow class/representative arbitration, then Section 14 is unenforceable entirely. Nothing limits the right to seek public injunctive relief.

15. Modifications

We may update these Business Terms or Kriv Policies by providing reasonable notice (e.g., posting on kriv.tech/policies). Material updates impacting your rights/obligations will have at least 30 days' notice before effect, unless required sooner by law. Your continued use after an update constitutes acceptance. If you disagree, you may stop using the Services and terminate this Agreement per Section 8.

Last Updated: 1^stApril 2025

This Data Processing Addendum (“DPA”) governs Kriv Technologies’ processing of Customer Data provided by Customer to Kriv Technologies during the provision of analyst services under the terms of the Kriv Technologies Business Terms (located at kriv.tech/policies/business-terms) or other agreement between Customer and Kriv Technologies governing Customer’s use of the Services (the “Agreement”). If language in this DPA conflicts with the Agreement, this DPA controls. Capitalized terms not defined here have the meaning in the Agreement.

Kriv Technologies and Customer agree to comply with their respective obligations under applicable data privacy and data protection laws (“Data Protection Laws”), which may include U.S. Privacy Laws, GDPR, UK GDPR, etc. Customer is the Data Controller, determining the purposes and means of processing Customer Data. Kriv Technologies is the Data Processor, processing Customer Data on behalf of and according to Customer's instructions.

“Personal Data” has the meaning under applicable Data Protection Laws. “Customer Data” means Personal Data contained within the information Customer provides to Kriv Technologies (like account details, collaborator info) or makes accessible via connected data sources (including credentials and any temporarily cached query results) that Kriv Technologies processes on Customer’s behalf to provide the Services. Kriv Technologies does not store the underlying data from Customer's data sources.

Kriv Technologies will process Customer Data as Customer’s Data Processor to provide/maintain the Services and for purposes in this DPA and the Agreement.

1. Processing Requirements

As Data Processor, Kriv Technologies agrees to:

• a. process Customer Data only (i) on Customer’s behalf for providing/supporting Services (including security monitoring, analytics on service usage); (ii) per Customer instructions; (iii) with no less privacy protection than required by Data Protection Laws.
• b. promptly inform Customer if it cannot comply with this DPA.
• c. not provide remuneration for Customer Data. Customer has not “sold” Customer Data to Kriv Technologies.
• d. not “sell” or “share” Personal Data (as defined by U.S. Privacy Laws/CCPA).
• e. inform Customer if an instruction violates Data Protection Laws.
• f. require employees and other persons engaged (subprocessors) to be subject to confidentiality and comply with data protection obligations comparable to Kriv Technologies'.
• g. engage Subprocessors listed at kriv.tech/policies/subprocessors . Customer consents to these Subprocessors. Kriv will provide notice of new Subprocessors via the list. Customer may object within 15 days on reasonable data protection grounds by contacting privacy@kriv.tech . If objection cannot be resolved via options (i)-(iv) outlined in the reference text (cancel use, corrective steps, cease feature use, cease data provision), either party may terminate affected Services, with a refund of pre-paid fees for the post-termination period. Kriv will have contractual agreements with Subprocessors ensuring comparable data protection.
• h. upon reasonable request (max once/year), provide information to demonstrate compliance with this DPA and Data Protection Laws.
• i. cooperate with reasonable assessments/audits by Customer (at Customer's expense, minimally disruptive) necessary to confirm compliance, where required by law. Kriv may provide third-party audit summaries instead. Results are Kriv's Confidential Information.
• j. if processing deidentified/anonymized data per Customer instruction, adopt measures to prevent reidentification, not attempt reidentification (except for process validation), and contractually obligate recipients similarly.
• k. where CCPA applies, not retain/use/disclose Customer Data except for specified business purposes in the Agreement/DPA, not outside the direct business relationship, nor combine with other data unless directed by Customer or permitted by CCPA.
• l. where required by law, grant Customer rights to take steps to ensure compliant use (via audits) and stop/remediate unauthorized use (e.g., request deletion confirmation).

2. Notice to Customer

Kriv Technologies will inform Customer if it becomes aware of:

• a. legally binding request for Customer Data disclosure by law enforcement (unless prohibited).
• b. notice/inquiry/investigation by a Supervisory Authority regarding Customer Data.
• c. complaint/request from Customer’s data subjects (will not respond without Customer authorization).

3. Assistance to Customer

Kriv Technologies will provide reasonable assistance regarding:

• a. information needed to respond to data subject requests (access, rectification, erasure, etc.). Will forward direct requests to Customer.
• b. investigation of Personal Data Breaches involving Customer Data processed by Kriv.
• c. mandatory DPIAs and consultations with supervisory authorities related to Kriv's processing.

4. Required Processing

If required by Data Protection Laws to process Customer Data other than per the Agreement, Kriv will inform Customer beforehand, unless legally prohibited.

5. Security

Kriv Technologies will:

• a. maintain reasonable and appropriate organizational and technical security measures (detailed in Exhibit B) to protect Customer Data (especially credentials and cached data) against unauthorized/accidental access, loss, alteration, disclosure, or destruction.
• b. take steps to ensure personnel protect Customer Data security/privacy/confidentiality.
• c. notify Customer of any Personal Data Breach by Kriv, its Subprocessors, or agents without undue delay after awareness.

6. Obligations of Customer

• a. represents and warrants it has necessary rights/consents to provide Customer Data (including credentials) and authorize Kriv's processing as per this DPA/Agreement.
• b. shall comply with all applicable Data Protection Laws.
• c. shall reasonably cooperate with Kriv regarding data subject requests.
• d. acknowledges responsibility for secure configuration/design decisions within the Services under its control.
• e. shall only transfer Customer Data using secure mechanisms under its control.
• f. shall not take actions rendering Kriv not a "service provider"/"processor" or the data provision a "sale"/"share" under applicable U.S. Privacy Laws.

7. Standard Contractual Clauses

a. For processing Customer Data originating in the EEA, the EU SCCs (adopted June 4, 2021) are incorporated by reference, completed as follows:

• i. Module Two (Controller to Processor) applies when Customer is controller, Kriv is processor.
• ii. Module Three (Processor to Sub-Processor) applies when Customer is processor, Kriv is sub-processor.

b. For Swiss data, EU SCCs apply with specified amendments (reference FDPIC, Revised FADP, rights in Switzerland, protection for legal entities until Revised FADP force).

c. For UK data, the UK Addendum (B.1.0) is incorporated. Part 1 details are in Annex I of Appendix A to this DPA. Either party may end UK Addendum per Section 19.

8. Term; Data Return and Deletion

This DPA is effective as long as Kriv processes Customer Data or until Agreement termination. Cached Customer Data (query results) retrieved from Customer’s Data Source is retained only for the duration set by Customer in cache controls, then automatically deleted. Caching can be disabled.

Upon termination of the DPA (or if a subscription is paused), Kriv will delete all Customer Data (including credentials and cached data) within thirty (30) days, and direct Subprocessors to do the same, unless prohibited by law. This aligns with requirements under laws like GDPR.

---

Appendix A to DPA

Annex I

A. LIST OF PARTIES

Data exporter(s): The Services customer identified on the applicable Services registration documents or Agreement.

Data importer(s):

• Name: Kriv Technologies
• Address: 35, Utthan Nagar, Gorewada Road, Nagpur
• Contact Person’s name, position and contact details: Vedant Thakre, Founder support@kriv.tech
• Activities relevant to the data transferred under these Clauses: Performance of the analyst services as described in the Agreement.
• Role: Processor (or Sub-processor if Customer is a Processor)

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred:
Customer may submit or grant access to Personal Data via the Services, the extent determined by Customer, potentially including: Users, Collaborators, employees, consultants, contractors, agents of Customer, and/or third parties Customer interacts with whose data is in connected sources.

Categories of personal data transferred:
Account/registration data (name, email, company), collaborator details, credentials for data sources (securely stored), technical/usage data, and potentially Personal Data within temporarily cached query results if caching is enabled by Customer.

Sensitive data transferred (if applicable) and applied restrictions or safeguards:
Sensitive data processing is generally not intended. If Customer processes sensitive data via analyst, Customer is responsible for ensuring appropriate safeguards and legal basis. Kriv relies on Customer's compliance.

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis):
Continuous basis during the term of the Agreement.

Nature of the processing:
Processing necessary to provide the analyst Services, including connecting to data sources using provided credentials, executing queries, optionally caching results, displaying analytics, user authentication, service maintenance, security monitoring, billing, and support, as per the Agreement and Customer instructions.

Purpose(s) of the data transfer and further processing:
To provide, maintain, secure, and improve the analyst platform and related services to the Customer.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
As described in Section 8 of the DPA (Data Return and Deletion). Account data retained for Agreement duration + legally required period. Credentials/cached data deleted per DPA Section 8.

For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing:
As specified in the Subprocessor List at kriv.tech/policies/subprocessors . Generally involves hosting, infrastructure, support tools, payment processing. Duration aligned with Kriv's processing.

C. COMPETENT SUPERVISORY AUTHORITY

In accordance with Clause 13 of the EU SCCs, the competent supervisory authority will be the authority of the EU Member State where the data exporter is established, or if not established in the EU, the authority designated by applicable law (e.g., Irish Data Protection Commission if appropriate under Art 27 representation, or the UK ICO for UK data).

Annex II: Technical and Organisational Measures (Exhibit B from Reference)

INTRODUCTION
Kriv Technologies maintains an information security program designed to safeguard its systems, data, and Customer Data processed via the analyst platform. This Annex describes the security standards Kriv maintains.

SECURITY MEASURES

Accessing Your Data

• We do not store a copy of Customer’s underlying database. Customer’s data stays securely in their own database.
• We send queries (e.g., SQL) over the wire and retrieve only the returned results for display or temporary caching.
• Cached results are stored temporarily for a duration set by Customer (or not at all), after which they are permanently deleted.
• Your SSH or database credentials are kept strictly private and securely encrypted using industry standard AES encryption (e.g., 128-bit or stronger) at rest.
• All connections established by analyst to your database use read-only permissions/transactions where technically feasible and configured by Customer. Analyst is designed not to write to or alter Customer data sources.
• Customer Data (credentials, cached results) is encrypted at rest and in transit (SSL/TLS).

Confidentiality

• Strict controls over Kriv team access to Customer Data (credentials, cached results, account info).
• Access granted only to limited, trained senior team members on a need-to-know basis for support or diagnostics.
• Access requires explicit Customer permission for support involving direct query execution or viewing cached data.
• Technical controls ensure access to production systems handling Customer Data is logged.

Access and Authentication

• Access to internal systems and third-party subprocessors is controlled, monitored, and reviewed. Provided on least-privilege / need-to-use basis.
• Use of secure authentication (e.g., SSO via Google Sign-in) with mandatory 2-Step Verification (MFA) for internal systems. No account sharing.
• Monitoring of sign-ins from new devices/locations. Review of active devices. Access revocation process for departing team members.

Hardware, Devices, and Storage

• Company hardware and personal hardware used for company purposes must be encrypted at rest, password-protected, locked when unattended, and use up-to-date anti-virus. Secure disposal of old devices.
• Infrastructure hosted on secure cloud platforms (e.g., Google Cloud Platform, AWS) with industry-standard certifications. Specific regions disclosed (e.g., US-East, EU-Central-1).

Logging

• Extensive, centralized logging in production for security, monitoring, availability, access, and other metrics.

Incident Response

• Incident response process in place to handle security events, including Personal Data Breaches, involving investigation, mitigation, and notification as per DPA Section 5.c and Business Terms Section 6.2.

Last Updated: 1^stApril 2025