MoxyWolf LLC Privacy Policy

Last Updated: March 26, 2026

Effective Date: March 26, 2026

Version: 1.0

MoxyWolf LLC (“MoxyWolf,” “we,” “us,” or “our”) operates the SAMS subscription platform, built on STIGViewer® and RegGenome® infrastructure (collectively, the “Federated Platform”). This Privacy Policy explains how we collect, use, disclose, and protect information about you when you use our Federated Platform, and describes your rights with respect to that information.

This Privacy Policy applies to all users of the Federated Platform, including users in the United States, the European Union, the European Economic Area (EEA), and the United Kingdom.

If you have any questions about this Privacy Policy, please contact us at:

1. Scope and Application

This Privacy Policy covers personal information collected through:

• The STIGViewer® platform and associated APIs
• The RegGenome® platform and associated APIs
• Our website(s) and any successor domains
• Communications between you and MoxyWolf (email, support requests, billing inquiries, etc.)

This Privacy Policy does not apply to:

• Federated Linked Data (FLD) submitted to the Federated Platform by Contributors, which is governed by the MoxyWolf LLC Federated Platform Participation Agreement
• Third-party websites or services linked from our Federated Platform
• The internal data practices of Distributors who access FLD through our platform, which are governed by those Distributors' own privacy policies

HIPAA Notice

MoxyWolf does not collect, process, store, or transmit Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations. Our Federated Platform is not a covered entity or business associate under HIPAA. MoxyWolf acknowledges that many of our enterprise customers operate in HIPAA-regulated industries and has designed our data practices to be compatible with their compliance obligations to the extent reasonably practicable. Enterprise customers with specific HIPAA-related contractual requirements should contact info@moxywolf.com.

2. Data Controller Information

For the purposes of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and UK GDPR, MoxyWolf LLC is the data controller responsible for your personal data.

EU, EEA, and UK data subjects may contact our DPO directly with any privacy-related inquiries, requests, or complaints. We will respond to all DPO inquiries within thirty (30) days.

3. Personal Data We Collect

We collect the following categories of personal data:

3(a). Account Registration Data

When you create an account on the Federated Platform, we collect:

• Full name
• Email address
• Organization or employer name
• Job title or role (if provided)
• Username and password (stored in hashed, salted form — plaintext passwords are never stored)
• Account creation date and account preferences

Lawful basis (GDPR): Contractual necessity (Article 6(1)(b)) — this data is required to create and maintain your account and provide the Federated Platform services.

3(b). Billing and Payment Data

When you purchase a subscription or other paid services, we collect:

• Billing name and billing address
• Tokenized payment references and transaction identifiers

Payment card data (card number, CVV, expiration date) is processed directly and exclusively by Stripe, Inc. and is never transmitted to or stored by MoxyWolf. MoxyWolf receives only tokenized payment references from Stripe. Stripe's privacy practices are governed by the Stripe Privacy Policy. MoxyWolf and Stripe have executed a Data Processing Agreement in compliance with GDPR Article 28, and Stripe participates in the EU-U.S. Data Privacy Framework.

Lawful basis (GDPR): Contractual necessity (Article 6(1)(b)) — billing data is required to process payments and administer your subscription.

3(c). Usage and Access Logs

When you use the Federated Platform, we automatically collect:

• IP address and approximate geographic location (country and region only)
• Browser type and version
• Operating system and device type
• Pages visited, features accessed, and actions taken within the platform
• Access timestamps and session duration
• API request logs, including endpoints accessed and response codes
• Error logs and diagnostic information

Lawful basis (GDPR): Legitimate interests (Article 6(1)(f)) — MoxyWolf has a legitimate interest in maintaining the security, stability, and performance of the Federated Platform, detecting and preventing unauthorized access, and understanding aggregate usage patterns to improve the platform. This processing does not override your interests or fundamental rights and freedoms.

3(d). FLD Contribution and Submission Data

When you submit Federated Linked Data (FLD) as a Contributor, we collect:

• Attribution data identifying you as the Contributor, as defined by https://grcschema.org/contributor
• Organizational and employer affiliation disclosures required under the Federated Platform Participation Agreement
• Metadata associated with submitted FLD, including submission timestamps and version history
• Communications related to FLD submissions

Lawful basis (GDPR): Contractual necessity (Article 6(1)(b)) — this data is required to provide attribution, maintain the integrity of the Federated Platform, and fulfill obligations under the Federated Platform Participation Agreement.

3(e). Communications Data

When you contact MoxyWolf via email, support requests, or other channels, we collect:

• Your name and contact information
• The content of your communications
• Records of our responses and resolutions

Lawful basis (GDPR): Legitimate interests (Article 6(1)(f)) — MoxyWolf has a legitimate interest in maintaining records of communications for support, legal compliance, and dispute resolution purposes.

3(f). Partner Data

When you onboard as a Partner through our Stripe onboarding flow, we collect:

• Legal entity name, address, and primary contact information as provided during Stripe onboarding
• Stripe Connected Account identifiers and onboarding status
• Deal registration records, including prospective Customer information submitted by Partner
• Partner Commission transaction history and Application Fee records
• NFR License usage records
• Partner Platform descriptions and Data Integration configurations (where Exhibit B is active)

Payment account data (bank account numbers, routing numbers, payout settings) is managed directly and exclusively by Stripe through Partner's Stripe Connected Account and is never transmitted to or stored by MoxyWolf.

Lawful basis (GDPR): Contractual necessity (Article 6(1)(b)) — this data is required to administer the Partner relationship, process commissions, and fulfill obligations under the MoxyWolf Partner Agreement.

3(g). Analytics and Session Data

Subject to your consent where required, we collect analytics and session behavior data as described in Section 4 below.

Lawful basis (GDPR): Consent (Article 6(1)(a)) — analytics and session recording cookies are only activated upon your affirmative consent through our consent management platform. You may withdraw consent at any time as described in Section 4(d).

4. Cookies and Tracking Technologies

4(a). Our Consent Management Platform

MoxyWolf uses Microsoft's Consent Management Platform to manage cookie consent for all users of the Federated Platform. When you first access the Federated Platform, you will be presented with a consent banner that allows you to accept or decline non-essential cookies. Your consent preferences are recorded and honored across your sessions.

For EU, EEA, and UK users, non-essential cookies (including analytics and session recording cookies) will not be activated until you provide affirmative consent. Strictly necessary cookies do not require consent and are activated automatically as they are essential to the operation of the Federated Platform.

You may update your cookie preferences at any time by accessing the cookie settings tool available on the Federated Platform.

4(b). Strictly Necessary Cookies

These cookies are essential for the Federated Platform to function and are activated automatically regardless of consent. They cannot be disabled without rendering the platform non-functional.

Lawful basis (GDPR): Legitimate interests / contractual necessity — strictly necessary cookies do not require consent under applicable cookie regulations.

4(c). Analytics and Session Recording Cookies (Consent Required)

These cookies are only activated upon your affirmative consent through our consent management platform. If you are an EU, EEA, or UK user and do not provide consent, these cookies will not be set and no analytics or session recording data will be collected.

4(d). Managing Your Cookie Preferences

You may manage your cookie preferences in the following ways:

• Consent banner: Update your preferences at any time through the cookie settings tool on the Federated Platform
• Browser settings: Most browsers allow you to block or delete cookies through browser settings. Note that disabling strictly necessary cookies will impair or prevent your use of the Federated Platform
• Google Analytics opt-out: Install the Google Analytics Opt-out Browser Add-on
• Microsoft Clarity opt-out: Visit Microsoft's privacy controls

Withdrawing consent does not affect the lawfulness of processing that occurred prior to withdrawal.

4(e). Do Not Track Signals

MoxyWolf does not currently respond to “Do Not Track” (DNT) browser signals, as there is no industry-accepted standard for how to respond to such signals. If a uniform standard is adopted, we will update this policy accordingly.

5. How We Use Your Personal Data

MoxyWolf uses the personal data we collect for the following purposes:

6. How We Share Your Personal Data

MoxyWolf does not sell your personal data. We do not share your personal data with third parties for their own marketing purposes. We share personal data only in the following circumstances:

(a) Service providers and processors. We share personal data with third-party service providers who process data on our behalf and under our instruction:

All service providers are bound by data processing agreements requiring them to process personal data only as instructed by MoxyWolf and in compliance with applicable data protection law.

(b) Attribution disclosures. Contributor attribution data (name and organizational affiliation) is published as part of FLD metadata on the Federated Platform as required by the Federated Platform Participation Agreement and as defined by https://grcschema.org/contributor. Contributors acknowledge this disclosure as part of their agreement to the Federated Platform Participation Agreement.

(c) Distributors. MoxyWolf may disclose to Distributors information necessary to administer their distribution agreements, including account status and usage data relevant to their licensed FLD. Distributors are not permitted to use such information for purposes other than administering their distribution relationship with MoxyWolf.

(d) Legal requirements. We may disclose personal data if required to do so by law, regulation, or legal process, including in response to a court order, subpoena, or lawful request from a government authority. Where permitted by law, we will notify you of such requests.

(e) Protection of rights. We may disclose personal data where we believe disclosure is necessary to protect the rights, property, or safety of MoxyWolf, our users, or the public, including to enforce our Federated Platform Participation Agreement.

(f) Business transfers. In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of MoxyWolf's assets, personal data may be transferred to the successor entity. We will provide notice of any such transfer and any material changes to this Privacy Policy.

7. International Data Transfers

MoxyWolf is headquartered in the United States. If you are located in the EU, EEA, or UK, your personal data will be transferred to and processed in the United States, which may not provide the same level of data protection as your home jurisdiction.

MoxyWolf relies on the following mechanisms to lawfully transfer personal data from the EU, EEA, and UK to the United States:

For more information about the safeguards in place for international data transfers, please contact our DPO at info@moxywolf.com.

8. Data Retention

MoxyWolf retains personal data only for as long as necessary to fulfill the purposes for which it was collected, to comply with legal obligations, and to resolve disputes and enforce our agreements.

Upon expiration of the applicable retention period, personal data is securely deleted or anonymized. MoxyWolf does not maintain personal data beyond these periods unless required by law or ongoing legal proceedings.

9. Data Security

MoxyWolf implements appropriate technical and organizational measures to protect your personal data against unauthorized access, disclosure, alteration, or destruction. These measures include:

• Encryption of data in transit using TLS 1.2 or higher
• Encryption of sensitive data at rest
• Password hashing using industry-standard algorithms (plaintext passwords are never stored)
• Access controls limiting personal data access to authorized personnel on a need-to-know basis
• Regular security assessments and vulnerability monitoring
• Incident response procedures

No method of transmission over the internet or electronic storage is completely secure. While MoxyWolf implements commercially reasonable security measures, we cannot guarantee absolute security. In the event of a personal data breach that poses a risk to your rights and freedoms, MoxyWolf will notify affected users and relevant supervisory authorities in accordance with applicable law, including within 72 hours of becoming aware of the breach where required by GDPR Article 33.

10. Your Privacy Rights

10(a). Rights of All Users

Regardless of your location, you have the following rights with respect to your personal data:

• Access: Request confirmation of whether MoxyWolf processes your personal data and request a copy of that data.
• Correction: Request correction of inaccurate or incomplete personal data.
• Deletion: Request deletion of your personal data, subject to our legal retention obligations and the terms of the Federated Platform Participation Agreement. Note: Contributor attribution data embedded in FLD metadata is not subject to deletion as it constitutes a permanent record of FLD provenance.
• Opt-out of analytics: Withdraw consent for analytics and session recording cookies at any time through our consent management platform or the opt-out mechanisms described in Section 4(d).

10(b). Additional Rights for EU, EEA, and UK Users (GDPR)

If you are located in the EU, EEA, or UK, you have the following additional rights under GDPR:

• Right of access (Article 15): Request a copy of your personal data and information about how it is processed.
• Right to rectification (Article 16): Request correction of inaccurate personal data.
• Right to erasure (Article 17): Request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you have withdrawn consent, or where processing is unlawful. Subject to exceptions including legal retention obligations.
• Right to restriction of processing (Article 18): Request that we restrict processing of your personal data in certain circumstances.
• Right to data portability (Article 20): Request that we provide your personal data in a structured, commonly used, machine-readable format where technically feasible. Applies to data processed on the basis of consent or contractual necessity.
• Right to object (Article 21): Object to processing based on legitimate interests. MoxyWolf will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests or the processing is necessary for legal claims.
• Right to withdraw consent (Article 7(3)): Withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
• Right not to be subject to automated decision-making (Article 22): MoxyWolf does not make decisions about you solely based on automated processing that produce legal or similarly significant effects.

To exercise any of these rights, submit a written request to our DPO at info@moxywolf.com or by mail to 10001 Park Run Drive, Las Vegas, NV 89145. We will respond within thirty (30) days. We may request verification of your identity before processing your request. We will not charge a fee for reasonable requests but reserve the right to charge a reasonable fee or decline manifestly unfounded or excessive requests.

Right to lodge a complaint: EU and EEA users may lodge a complaint with the supervisory authority in their Member State of residence. A list of EU supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en. UK users may contact the Information Commissioner's Office (ICO) at https://ico.org.uk.

10(c). Rights of Nevada Residents

Under Nevada Revised Statutes Chapter 603A, Nevada residents may submit a verified request to opt out of the sale of their personal information. MoxyWolf does not sell personal information. Nevada residents with questions may contact us at info@moxywolf.com.

10(d). Rights of California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to know: Request disclosure of the categories and specific pieces of personal information collected, the sources, the business or commercial purposes, and the categories of third parties with whom we share it.
• Right to delete: Request deletion of personal information, subject to applicable exceptions.
• Right to correct: Request correction of inaccurate personal information.
• Right to opt out of sale or sharing: MoxyWolf does not sell personal information and does not share personal information for cross-context behavioral advertising.
• Right to non-discrimination: MoxyWolf will not discriminate against you for exercising your CCPA/CPRA rights.

To exercise California privacy rights, contact us at info@moxywolf.com or (302) 615-1820. We will respond within forty-five (45) days.

11. Children's Privacy

The Federated Platform is not directed to individuals under the age of 18. MoxyWolf does not knowingly collect personal data from children under 18. If we become aware that we have collected personal data from a child under 18 without parental consent, we will take steps to delete that data promptly. If you believe we have inadvertently collected personal data from a minor, please contact us at info@moxywolf.com.

12. Third-Party Links and Services

The Federated Platform may contain links to third-party websites, services, or resources. MoxyWolf is not responsible for the privacy practices or content of those third parties. We encourage you to review the privacy policies of any third-party services you access through our Federated Platform. The inclusion of a link does not imply endorsement by MoxyWolf.

13. Changes to This Privacy Policy

MoxyWolf may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or platform features. If we make material changes, we will provide notice by:

• Sending an email notification to the address associated with your account
• Displaying a prominent notice on the Federated Platform
• Updating the “Last Updated” date at the top of this policy

For material changes affecting EU, EEA, or UK users that require a new or different legal basis for processing, we will seek fresh consent where required by GDPR. Your continued use of the Federated Platform following notice of changes constitutes acceptance of the revised Privacy Policy. If you do not agree to the revised policy, you must stop using the Federated Platform.

14. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:

[End of MoxyWolf LLC Privacy Policy]