Law Enforcement and Government Data Request Policy

Alephic is committed to protecting the data our clients entrust to us. This policy describes how we respond to requests from law enforcement or government agencies for access to data, and how we notify affected customers.

This policy applies to all requests from government bodies, law enforcement agencies, intelligence services, or regulators seeking access to customer data held by Alephic.

1. Our Commitment

We do not voluntarily provide customer data to any government agency. We will only disclose customer data when legally compelled to do so by a valid legal process, and only after following the procedures described in this policy.

2. Evaluating Requests

Every government data request received by Alephic is reviewed by General Counsel (or designated legal representative). We evaluate each request against the following criteria:

• Validity: Is the request issued by an authorized body with proper jurisdiction?
• Specificity: Does the request clearly identify the data sought and the legal basis?
• Scope: Is the request narrowly tailored, or does it seek data beyond what is necessary?
• Applicable law: Does the request comply with applicable laws, including US federal and state law, GDPR, and any relevant international agreements?

We will challenge any request that we determine to be overbroad, vague, or otherwise legally deficient.

3. Challenging Requests

Where we believe a request is unlawful, overbroad, or conflicts with our obligations under international data protection law (including GDPR), we will:

• Object formally to the requesting authority, identifying the legal deficiency.
• Seek to narrow the scope of the request to the minimum data necessary.
• Pursue legal remedies, including motions to quash or judicial review where appropriate.
• Engage external counsel with expertise in government data access and international privacy law as needed.

4. Customer Notification

We believe our customers have the right to know when their data is requested by a government authority. Our policy is to notify affected customers promptly before disclosing any data, unless:

• Legal prohibition: We are legally prohibited from doing so (e.g., by a court order or statutory gag provision).
• Imminent danger: Notification would create a risk of injury, death, or significant damage to property.

If we are prohibited from notifying a customer, we will seek to have the prohibition lifted at the earliest opportunity. Once the prohibition expires or is removed, we will notify the customer promptly.

5. Data Minimization in Responses

When we are legally compelled to produce data, we will:

• Limit disclosure to only the specific data covered by the valid legal process.
• Exclude data that is outside the scope of the request.
• Provide data in the most limited format that satisfies the legal requirement.

6. Record Keeping

We maintain a log of all government data requests received, including the requesting authority, date, scope, our response, and whether the customer was notified. This log is reviewed by General Counsel and is available to affected customers upon request.

7. Transparency

We have not received any government data requests to date. If we receive requests in the future, we will publish aggregate statistics about the number and type of requests received, to the extent permitted by law.

8. International Transfers

For European Personal Data, we apply the safeguards required by the GDPR and the EU-US Data Privacy Framework. We will not comply with a government request that would require us to violate EU data protection law without first exhausting all available legal remedies.

9. Review

This policy is owned by Noah Brier and reviewed at least annually or following any government data request. Updates are communicated company-wide and published on our website.

For questions about this policy, contact [email protected].