SiteTrust Privacy Policy
Effective Date: April 2, 2026
Version: 2.0 (Supersedes v1.0, December 2025)
| SITETRUST. The Accountability Standard for Responsible AI. PRIVACY POLICY, Version 2.0, Effective Date: April 2, 2026 |
|---|
| Document Title | SiteTrust Privacy Policy v2.0 |
|---|---|
| Version | 2.0 (Supersedes v1.0, December 2025) |
| Effective Date | April 2, 2026 |
| Prepared By | Office of General Counsel |
| Approved By | Vincent Fisher, CEO |
| Classification | PUBLIC — Website Posting Required |
| Next Review | July 2026 (Quarterly review cadence) |
| IMPORTANT NOTICE TO USERS This Privacy Policy governs how SiteTrust collects, uses, stores, shares, and protects personal information in connection with our certification services, Trust Center platform, Certified Trust Advisor (CTA) program, and related professional services. By accessing or using SiteTrust's services, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use of our services and contact us to request data deletion. |
|---|
1. Who We Are
SiteTrust ("SiteTrust," "we," "our," or "us") is an AI governance certification and advisory company. We operate The Accountability Standard for Responsible AI — a four-pillar certification framework covering Transparency, Governance, Compliance, and Workforce Sustainability. Our services include:
- AI governance certifications at Tier 1 (self-assessment), Tier 2 (advisory-led), and Tier 3 (enterprise/continuous monitoring) levels
- The Trust Center platform, a secure back-end environment where certified companies access templates, tools, compliance dashboards, and governance resources
- The Certified Trust Advisor (CTA) program, through which qualified professionals deliver AI governance advisory services to client organizations
- Professional services including pillar assessments, implementation guidance, compliance monitoring, and regulatory intelligence
SiteTrust operates as both a data controller (for our own service delivery) and, in certain contexts involving the Trust Center, as a data processor acting on behalf of client organizations. This policy addresses both roles.
Data Controller Contact: SiteTrust | Attn: Privacy | [Address] | wecare@sitetrust.com
2. Scope of This Policy
This Privacy Policy applies to:
- All individuals who visit the SiteTrust website (sitetrust.com and affiliated domains)
- Prospective clients and CTAs who inquire about or apply for our services
- Client organizations and their designated representatives who access the Trust Center
- Certified Trust Advisors (CTAs) who participate in the CTA program
- Users of any SiteTrust-operated software, tools, or platforms
This policy does not apply to the data practices of certified client companies operating independently under their own privacy policies. SiteTrust provides template privacy language to clients as part of the Trust Center library; client companies are responsible for their own privacy compliance.
3. Information We Collect
3.1 Information You Provide Directly
We collect information you provide when you:
- Register for an account or apply for certification
- Submit a certification application, self-assessment, or pillar health assessment
- Upload documents, policies, or governance materials to the Trust Center
- Complete training modules, assessments, or CTA program requirements
- Contact us via email, phone, or web form
- Participate in webinars, events, or advisory sessions
This information may include: name, email address, job title, company name, business address, phone number, professional credentials, payment information, and any content you choose to upload or enter into our systems.
3.2 Information We Collect Automatically
When you access our website or platform, we may automatically collect:
- Device and browser information (type, operating system, browser version)
- IP address and approximate location (city/region level)
- Pages visited, time spent, links clicked, and navigation paths
- Referring URLs and exit pages
- Session identifiers and authentication tokens
We collect this information through server logs, cookies, and similar technologies. See Section 11 (Cookies and Tracking Technologies) for details.
3.3 Information from Third Parties
We may receive information about you from:
- CTA professionals who refer you for certification or advisory services (referral context and contact information)
- Third-party identity verification services (for CTA credentialing)
- Publicly available sources (for business verification and regulatory compliance purposes)
- Integration partners, where you have authorized data sharing
4. AI-Specific Data Processing Disclosures
| AI TRANSPARENCY COMMITMENT SiteTrust uses AI systems in the delivery of certain services. We are committed to full transparency about how AI is used, what data enters AI systems, and how that data is protected. As a company whose business is AI governance accountability, we hold ourselves to the same disclosure standards we require of the companies we certify. |
|---|
4.1 How AI Is Used in Service Delivery
SiteTrust uses AI systems in the following service contexts:
| AI Use Case | Description and Data Involved |
|---|---|
| Regulatory Intelligence (Trust Signal / Regulatory Tracker) | AI-assisted research and synthesis of AI legislation, enforcement actions, and regulatory guidance. Processes publicly available regulatory text, agency guidance, and case law. Does not process personal data. |
| Certification Assessment Support | AI tools assist in analyzing client-submitted governance documents and self-assessment responses to identify gaps against SiteTrust's four-pillar framework. Processes business documents and policy text submitted by client representatives. |
| Trust Center Content Delivery | AI systems may be used to organize, search, and surface relevant templates, tools, and resources within the Trust Center platform. Processes metadata and usage patterns; does not process the content of uploaded documents without explicit client consent. |
| CTA Program Tools | AI-assisted tools within the CTA program may help CTAs generate proposal language, SOW templates, or compliance summaries. These tools process inputs provided by the CTA and may incorporate client context shared by the CTA. |
| Customer Support | AI may assist in routing and initially responding to support inquiries. Human agents review and respond to all substantive inquiries. Processes inquiry content and contact information. |
4.2 Adaptive AI Systems
Some AI tools used by SiteTrust may learn or adapt based on usage patterns or new data inputs. Where adaptive AI systems are in use:
- We monitor for behavioral drift and unintended changes in AI outputs
- We implement version control for AI models used in service delivery
- We notify affected users of material changes in AI system behavior that could affect their certification status or compliance posture
- We maintain human oversight of all AI-assisted certification decisions
SiteTrust does not use AI systems that make fully autonomous decisions affecting certification status. All certification determinations require human review and final approval.
4.3 AI Vendor Disclosure
SiteTrust uses third-party AI service providers in the delivery of our services. Current AI service providers are listed in our AI System Inventory, available upon request by certified clients and CTAs. When we add or change AI service providers, we update this policy and notify affected users with at least 30 days advance notice for material changes.
All AI vendors are subject to SiteTrust's vendor due diligence process, including data processing agreements, security assessments, and contractual commitments regarding data use and retention.
4.4 No AI-Driven Certification Decisions
SiteTrust does not make final certification determinations through automated processing alone. AI tools may assist in analysis and gap identification, but all certification awards, tier placements, badge issuances, and certification revocations are reviewed and confirmed by a qualified SiteTrust professional. You have the right to request human review of any assessment finding that adversely affects your certification status. See Section 9 (Your Rights) for the process.
5. Trust Center Data Handling
5.1 What Is the Trust Center
The Trust Center is SiteTrust's secure, client-facing platform through which certified companies and CTAs access governance templates, compliance tools, pillar health dashboards, and training resources. When you upload materials, complete assessments, or otherwise interact with the Trust Center, we process those inputs in accordance with this section.
5.2 Data You Upload to the Trust Center
Clients may upload governance documents, policies, AI system inventories, and other materials to the Trust Center for purposes of completing assessments, receiving advisory support, or maintaining certification records. Regarding this data:
- SiteTrust stores uploaded documents in encrypted, access-controlled environments
- Documents are logically isolated by client account; no client can access another client's uploaded materials
- SiteTrust staff access uploaded documents only as necessary to deliver contracted services or respond to support requests
- Uploaded documents are not shared with other clients or third parties, and are not used for SiteTrust marketing purposes
- AI processing of uploaded document content requires explicit opt-in consent from the client administrator
| DATA ISOLATION COMMITMENT SiteTrust maintains strict logical separation of client data within the Trust Center. Your uploaded documents, assessment responses, and governance materials are not accessible to other clients, other CTAs (except CTAs you have explicitly authorized), or SiteTrust personnel outside of those delivering your contracted services. |
|---|
5.3 Compliance Dashboard and Analytics
The Trust Center's compliance dashboard aggregates data from your assessment responses, regulatory tracker outputs, and document uploads to generate your compliance posture view. This analytical processing is performed:
- Within your isolated account environment
- Using aggregation methods that do not expose individual data points to other users
- Without transferring your data to external analytics platforms not covered by data processing agreements
SiteTrust may use aggregated, de-identified insights from across the Trust Center platform to improve our certification standards and tools. Such aggregated data cannot be used to identify any individual client or their specific compliance status.
5.4 CTA Access to Client Data
When a certified company engages a Certified Trust Advisor (CTA), the client may grant the CTA access to certain Trust Center materials and data. The following governs CTA data access:
| Access Type | Terms |
|---|---|
| Document Access | CTAs may access documents the client has explicitly shared within the Trust Center. CTAs cannot access documents in folders or areas not explicitly shared. |
| Assessment Data | CTAs may view assessment responses and compliance dashboard data for client accounts they are engaged to support. |
| Data Download | CTAs may download client materials only within the scope of their engagement and are contractually obligated to handle downloaded data as confidential client information. |
| Data Sharing | CTAs are prohibited from sharing client data with third parties, using client data for purposes outside the engagement, or retaining client data beyond the engagement period without written client authorization. |
| Access Revocation | Clients may revoke CTA access at any time through the Trust Center account settings. Revocation takes effect immediately for platform access; copies a CTA has already downloaded remain subject to the Data Download and Data Sharing terms above. |
All CTAs execute a CTA-Specific Non-Disclosure Agreement and are bound by the SiteTrust CTA Code of Conduct, which includes data confidentiality obligations. Violations may result in CTA decertification.
6. How We Use Information
We use the information we collect for the following purposes:
| Purpose | Legal Basis | Details |
|---|---|---|
| Service Delivery | Contract Performance | Processing applications, delivering certifications, providing Trust Center access, supporting CTA engagements |
| Account Management | Contract Performance | Creating and maintaining accounts, authentication, access control, customer support |
| Certification Assessment | Contract Performance | Analyzing submitted documents and assessments to determine certification eligibility and tier placement |
| Regulatory Intelligence | Legitimate Interest | Monitoring and synthesizing AI regulatory developments to deliver the Trust Signal and Regulatory Digest to clients and CTAs |
| Product Improvement | Legitimate Interest | Using aggregated, de-identified usage data to improve Trust Center tools, templates, and certification standards |
| Legal Compliance | Legal Obligation | Complying with applicable laws, responding to lawful requests, maintaining required records |
| Security | Legitimate Interest | Detecting and preventing fraud, unauthorized access, and security incidents |
| Marketing | Consent (where required) | Sending newsletters, event invitations, and service updates to opted-in subscribers. You may unsubscribe at any time. |
| All purposes (EU/UK data subjects) | GDPR Art. 6(1)(a), (b), (c), (f) | For EU/UK data subjects, the legal basis for each activity above is consent, contractual necessity, legal obligation, or legitimate interests, as indicated in the Legal Basis column for that activity |
7. How We Share Information
SiteTrust does not sell personal information. We share information only in the following circumstances:
7.1 Service Providers
We engage third-party vendors who process data on our behalf under contractual data processing agreements. These providers are limited to using data only for the services they deliver to us and include:
- Cloud infrastructure and hosting providers
- AI service providers (as disclosed in Section 4.3)
- Payment processors (for subscription and service fees)
- Email and communication platforms
- Identity verification services (for CTA credentialing)
- Legal, accounting, and professional services firms
7.2 Certified Trust Advisors (CTAs)
As described in Section 5.4, clients may authorize CTAs to access their Trust Center data. Such sharing occurs only with explicit client authorization and is governed by CTA confidentiality obligations.
7.3 Certification Status Disclosure
SiteTrust publishes a public registry of certified companies, including company name, certification tier, date of certification, and badge status. Companies are informed of this disclosure at the time of certification. Companies may request removal from the public registry upon certification lapse or voluntary withdrawal, subject to SiteTrust's verification process.
7.4 Legal Requirements
We may disclose information if required by applicable law, court order, or government request, or to protect the rights, property, or safety of SiteTrust, our clients, CTAs, or the public. We will notify affected users of legal process to the extent permitted by law.
7.5 Business Transfers
In the event of a merger, acquisition, or sale of substantially all of SiteTrust's assets, personal data may be transferred as part of the transaction. We will notify affected users of any such transfer and any material changes to this Privacy Policy resulting from the transaction.
7.6 Aggregated or De-Identified Data
We may share aggregated, de-identified information (such as industry-wide AI governance adoption trends) with clients, CTAs, partners, or the public. Such data cannot reasonably be used to identify any individual or specific client organization.
8. Automated Decision-Making and Profiling
| GDPR ARTICLE 22 COMPLIANCE For individuals subject to GDPR, this section discloses our use of automated processing in accordance with Article 22. SiteTrust does not make decisions based solely on automated processing that produce legal or similarly significant effects on individuals without human review. |
|---|
8.1 AI-Assisted Analysis
SiteTrust uses automated tools to analyze documentation and assessment responses submitted by clients. These tools may identify potential gaps, flag areas for review, and generate preliminary findings. The significance and limitations of this automated analysis are as follows:
- Automated tools generate preliminary findings only; they do not issue certification decisions
- All findings are reviewed by a qualified SiteTrust professional before being communicated to the client
- Clients have the right to request an explanation of any automated finding that influences a professional's assessment
- Clients have the right to request human-only review of their certification assessment (see Section 9)
8.2 Risk Scoring
The Trust Center compliance dashboard may generate a risk score or compliance posture indicator based on assessment inputs. This scoring is:
- A diagnostic tool for the client's own use, not a certification determination
- Based on transparent criteria tied to the four-pillar framework
- Not shared with third parties (including insurers or regulators) without client consent
- Subject to client review and correction if factual inputs are incorrect
8.3 Profiling for Marketing
SiteTrust does not engage in behavioral profiling for targeted advertising. We do not use personal data to build profiles for sale to data brokers or third-party advertisers.
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
| Right | How to Exercise |
|---|---|
| Access | Request a copy of the personal information we hold about you |
| Correction | Request correction of inaccurate or incomplete personal information |
| Deletion | Request deletion of your personal information (subject to legal retention obligations) |
| Portability (GDPR) | Request your data in a structured, machine-readable format for transfer to another controller |
| Restriction of Processing (GDPR) | Request that we limit how we process your data in certain circumstances |
| Object to Processing (GDPR) | Object to processing based on legitimate interests |
| Human Review of Automated Decisions | Request that a qualified human review any AI-assisted assessment finding that materially affects your certification status |
| Opt-Out of Marketing | Unsubscribe from marketing communications at any time via the unsubscribe link or by contacting wecare@sitetrust.com |
| California Rights (CCPA/CPRA) | California residents may request disclosure of data sold or shared, opt out of sale/sharing, and request correction or deletion. Submit requests at wecare@sitetrust.com |
| Colorado Rights (CPA) | Colorado residents may opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. Contact wecare@sitetrust.com |
To exercise any of the above rights, contact us at wecare@sitetrust.com. We will respond within 30 days (or within the period required by applicable law). We may request verification of your identity before processing your request.
10. Data Retention
SiteTrust retains personal information only as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, and resolve disputes. The following retention schedules apply:
| Data Category | Retention Period | Basis |
|---|---|---|
| Active client account data | Duration of active certification + 3 years post-expiration | Contract performance; dispute resolution |
| Certification records (badge issuance, tier history, assessment findings) | 7 years from certification date | Legal obligation; audit trail |
| Trust Center uploaded documents | Duration of client engagement + 1 year, unless client requests earlier deletion | Contract performance |
| CTA program records (credentialing, training, commission history) | Duration of CTA status + 5 years | Legal obligation; dispute resolution |
| Payment and billing records | 7 years | Tax and financial compliance |
| AI processing logs (inputs and outputs for AI-assisted assessments) | 2 years from assessment date | Quality assurance; dispute resolution |
| Marketing and communication preferences | Until opt-out or account closure | Consent; legitimate interest |
| Website analytics data | 13 months (rolling) | Legitimate interest (aggregated trend analysis) |
| Legal hold data | Duration of applicable legal proceeding or regulatory inquiry | Legal obligation |
| EU/UK personal data | As above, subject to GDPR data minimization and storage limitation requirements | GDPR Art. 5(1)(c) and 5(1)(e) |
When retention periods expire, data is securely deleted or anonymized. Clients may request earlier deletion of their Trust Center uploaded documents at any time, subject to minimum legal retention requirements. SiteTrust will confirm deletion within 30 days of a valid deletion request.
11. Cookies and Tracking Technologies
SiteTrust uses the following types of cookies and similar technologies on our website and platform:
| Cookie Type | Purpose and Details |
|---|---|
| Strictly Necessary | Required for platform operation: session authentication, security tokens, access control. Cannot be disabled without impairing core functionality. |
| Functional | Remembering your preferences, saved settings, and personalization choices within the Trust Center. These persist across sessions to improve your experience. |
| Analytics | Understanding how users navigate the platform and where improvements are needed. We use privacy-first analytics tools that do not share data with advertising networks. |
| No Advertising Cookies | SiteTrust does not use advertising cookies, retargeting pixels, or third-party tracking for advertising purposes. |
You may manage cookie preferences through your browser settings or our cookie preference center [link]. Disabling strictly necessary cookies will impair platform functionality. Analytics cookies may be disabled without affecting core features.
12. Cross-Border Data Transfers
| EU/UK DATA SUBJECTS If you are located in the European Union or United Kingdom, this section explains how your personal data is protected when transferred outside the EU/UK to SiteTrust's U.S.-based operations. |
|---|
12.1 U.S.-Based Operations
SiteTrust is headquartered in the United States. When we receive personal data from individuals in the European Union, European Economic Area, United Kingdom, or other jurisdictions with cross-border transfer requirements, we ensure appropriate safeguards are in place.
12.2 Transfer Mechanisms
For transfers of EU/UK personal data to the United States, SiteTrust relies on the following transfer mechanisms:
- Standard Contractual Clauses (SCCs): Where required, we execute EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) with our EU/UK clients and service providers
- UK International Data Transfer Agreements (IDTAs): For UK data subjects, we execute IDTAs as required under UK GDPR
- EU-U.S. Data Privacy Framework: To the extent SiteTrust self-certifies under the EU-U.S. Data Privacy Framework, we comply with its requirements for onward transfers and data subject rights
Clients requiring specific transfer agreements (such as SCCs or data processing addenda) for their own regulatory compliance should contact wecare@sitetrust.com to request the applicable documentation.
12.3 EU AI Act Compliance
SiteTrust's service delivery to EU clients, and our use of AI systems that may process EU personal data, is subject to the EU AI Act (Regulation (EU) 2024/1689). The Act's obligations for providers of general-purpose AI (GPAI) models have applied since 2 August 2025; most remaining obligations, including transparency obligations for deployers of AI systems, apply from 2 August 2026. We maintain transparency documentation for AI systems used in EU-facing service delivery, available upon request by EU clients.
13. Data Security
SiteTrust implements administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, or destruction. Our security program includes:
- Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256)
- Role-based access controls limiting data access to personnel with a business need
- Multi-factor authentication for all Trust Center access
- Regular security assessments and penetration testing
- Incident response procedures with defined notification timelines
- Vendor security assessments for all AI and data service providers
- Employee security training and acceptable use policies
No security system is impenetrable. In the event of a personal data breach, SiteTrust will notify applicable regulatory authorities and affected parties within the timeframes required by applicable law. Under GDPR, this means notifying the competent supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals' rights and freedoms (Art. 33), and notifying affected individuals without undue delay where the breach is likely to result in a high risk to them (Art. 34). For U.S. residents, notification follows the timeframes set by applicable state breach notification laws.
14. Children's Privacy
SiteTrust's services are intended for business professionals and are not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If we learn we have collected personal information from a minor, we will delete it promptly. If you believe we have inadvertently collected information from a minor, please contact wecare@sitetrust.com.
15. Changes to This Privacy Policy
SiteTrust reviews this Privacy Policy on a quarterly basis to reflect regulatory developments, service changes, and evolving best practices. When we make material changes, we will:
- Post the updated policy on our website with a new effective date
- Notify active clients and CTAs by email at least 30 days before material changes take effect
- Maintain a version history of prior policies accessible upon request
Non-material changes (such as clarifications that do not alter rights or practices) will be effective upon posting. Continued use of SiteTrust services after the effective date of an updated policy constitutes acceptance of the updated terms.
16. How to Contact Us
For privacy-related inquiries, requests to exercise your rights, data processing agreements, or questions about AI data processing, contact:
| Contact Purpose | Contact Information |
|---|---|
| General Privacy Inquiries | wecare@sitetrust.com |
| Data Subject Rights Requests | wecare@sitetrust.com |
| EU/UK Data Transfer Agreements (SCCs, IDTAs) | wecare@sitetrust.com |
| Security Incidents or Breach Notification | wecare@sitetrust.com |
| CTA Data Access or Conduct Concerns | wecare@sitetrust.com |
| CEO / Data Protection Lead | Vincent Fisher | vfisher@sitetrust.com |
| Mailing Address | 2725 Abington Road, Suite 202 — Fairlawn, Ohio 44333 — info@sitetrust.com |
EU/UK users also have the right to lodge a complaint with their local data protection authority if they believe their rights under GDPR or UK GDPR have been violated. We encourage you to contact us first so we can address your concern directly.
| Approved and Effective: April 2, 2026. Vincent Fisher, CEO, SiteTrust |
|---|