Effective Date: November 1, 2025

This document outlines the legal and procedural framework under which SCALIBIT, in its role as a technical infrastructure provider, responds to law enforcement and government requests for customer-related information. It explains the jurisdictional, contractual, and technical limitations governing any form of data disclosure, in compliance with applicable U.S. Federal laws — including the Electronic Communications Privacy Act (ECPA – 18 U.S.C. §§2701–2712), the Stored Communications Act (SCA), and data preservation obligations under 18 U.S.C. §2703(f) — as well as mandatory privacy and data protection frameworks in the jurisdictions where infrastructure is physically hosted, such as CCPA/CPRA, EU GDPR, UK GDPR, and equivalent legal frameworks.

High-level technical access and infrastructure limitations applicable to lawful requests are summarized in the Critical Technical Access Limitation Notice below and further detailed in Sections 3, 4, 6, and 7 of this Policy. SCALIBIT does not disclose any customer-related information to law enforcement or third parties, except where strictly required under a valid and binding legal process (for example, a U.S. court order or a lawful international mechanism such as an MLAT).

SCALIBIT provides technical infrastructure only and, as an infrastructure provider, does not access, review, monitor, inspect, manage, or retain any customer-hosted content, files, databases, communications, or server/system activities — including any activities or usage conducted through the IP address(es) assigned for use with the Customer’s services.

SCALIBIT has no visibility into any actions or activities performed within any Customer-controlled and Customer-used server or the IP address(es) assigned to that server, and cannot retrieve, reconstruct, monitor, or disclose any server files, databases, mailboxes, application logs, user activity records, traffic content, connection history, usage patterns, or any other server-level content or activities — including those conducted through the assigned IP address(es).

All such data and activities remain entirely under the Customer’s exclusive care, custody, and control. The assigned servers, services, and IP address(es) are not used by SCALIBIT in any manner; they are solely utilized by the Customer. SCALIBIT does not possess, store, manage, or have access to any form of server-level access credentials — including root/administrator passwords, SSH private keys, SSH port configurations, RDP login information, VPN access credentials, or similar authentication data. These server access credentials are known only to the Customer and are not stored, retained, or visible in any SCALIBIT-controlled system. Likewise, SCALIBIT does not have access to, store, manage, or monitor any customer-stored data, content, configurations, or any in-server activities within such environments.

SCALIBIT also cannot disclose any customer data — including server access credentials, communication logs, AI workloads, encryption keys, or server/system-level activities — beyond what already exists within SCALIBIT’s own administrative systems. If specific data is not in SCALIBIT’s possession or control, it cannot be provided or disclosed by any means.

All network routing, packet handling, and transit traffic (including all underlying switching, routing, transport, and network infrastructure) are operated directly by the upstream data center providers where the Customer-controlled and Customer-used servers and services are physically hosted. SCALIBIT does not operate or control any network-level surveillance, interception, or deep-inspection systems and has no capability to perform packet inspection, real-time traffic monitoring, content reconstruction, or data interception. Customers maintain full care, custody, and control over their hosted environments and are exclusively responsible for all content, usage, and activities originating from the services and IP address(es) assigned to them.

Any legal response by SCALIBIT is strictly limited to basic customer and order records and service/IP assignment metadata retained within SCALIBIT’s own administrative systems, and only where disclosure is required or permitted under applicable law and valid legal process.

Law Enforcement and Legal Requests for Customer Data

SCALIBIT (“SCALIBIT”) provides global technical infrastructure solutions — including Virtual Machines (VMs), Cloud Servers, Dedicated Servers or Bare Metal Servers, and GPU Servers — with available server locations in North America, South America, Europe, Middle East, Asia-Pacific, and Africa. SCALIBIT is not a content provider, Internet Service Provider (ISP), or communications carrier; it operates solely as a technical infrastructure provider.

SCALIBIT evaluates all legal requests in accordance with applicable U.S. Federal laws — including the Electronic Communications Privacy Act (ECPA – 18 U.S.C. §§2701–2712), the Stored Communications Act (SCA), and data preservation obligations under 18 U.S.C. §2703(f). Additionally, SCALIBIT complies with mandatory privacy and data protection frameworks in the jurisdiction where the infrastructure is physically hosted — such as CCPA/CPRA, EU GDPR, UK GDPR, or equivalent local regulations.

For cross-border or international disclosure requests, SCALIBIT requires the use of recognized judicial cooperation mechanisms (e.g., MLATs, the U.S. CLOUD Act, 18 U.S.C. §2523 Executive Agreements, EU GDPR Article 48 exceptions, or applicable bilateral treaties) to ensure legal validity across jurisdictions. No data will be disclosed solely based on the law or jurisdiction of one country when the data is physically located in another territory.

SCALIBIT does not voluntarily disclose any customer information, except as permitted under applicable law (for example, narrowly scoped emergency disclosures), and will only provide information in response to a valid, binding legal process issued by a competent authority, and only to the extent technically feasible and consistent with SCALIBIT’s limited role as an infrastructure provider.

SCALIBIT retains only limited administrative metadata for legitimate business, abuse mitigation, and billing purposes. This includes basic customer account details (name, company name if applicable, contact email, billing address, and phone number as provided by the customer), service or order records, IP assignment metadata, and activation/deactivation timestamps. SCALIBIT does not request, collect, process, or retain any government-issued identification (such as passport, driver’s license, or national ID card) from customers, unless explicitly required by law.

SCALIBIT does not have access to, manage, or control any customer-controlled and customer-used Virtual Machines (VMs), Cloud Servers, Dedicated Servers or Bare Metal Servers, and GPU Servers, nor any activities performed within those environments or through the IP address(es) assigned for use with such services. All such services and environments remain entirely under the Customer’s exclusive care, custody, and control. In addition, SCALIBIT does not access, monitor, log, or analyze any activities carried out via IP address(es) assigned to the Customer and does not generate or retain any traffic content, usage behavior, or detailed activity records relating to those IP ranges.

SCALIBIT does not operate as a network owner, carrier, ISP, or internet transit provider. All network infrastructure required to deliver connectivity to SCALIBIT services — including routing, switching, BGP announcements, bandwidth transit, DDoS protection, IP address allocation, and packet-level delivery — is fully owned and operated by the upstream data center providers and carriers from which SCALIBIT receives its infrastructure services.

SCALIBIT does not generate, collect, maintain, or retain any network-level logs, NetFlow data, packet captures, browsing records, communication metadata, connection histories, or traffic contents related to any customer-controlled and customer-used services, servers, infrastructure, or assigned IP address(es). SCALIBIT has no capability, system, or authorized access to perform packet inspection, traffic monitoring, interception, surveillance, or real-time identification of any activities conducted through customer-controlled and customer-used Virtual Machines (VMs), Cloud Servers, Dedicated Servers or Bare Metal Servers, and GPU Servers, or IP address allocations.

Any request for network traffic data, real-time monitoring, source/destination tracing, IP-based activity logs, packet-level records, or carrier-grade forensic information must be directed to the respective upstream data center provider or carrier that controls and operates the relevant infrastructure. SCALIBIT cannot provide information that it does not generate, store, or control.

Furthermore, some SCALIBIT customers act as resellers or manage multi-tenant environments; therefore, data sought by legal authorities may in fact pertain to a customer of a customer, who is not directly known to SCALIBIT.

1. GENERAL LEGAL & DISCLOSURE FRAMEWORK

SCALIBIT complies with valid, binding, and properly scoped legal processes in accordance with U.S. Federal Law, including the Electronic Communications Privacy Act (ECPA – 18 U.S.C. §§2701–2712), the Stored Communications Act (SCA), and preservation obligations under 18 U.S.C. §2703(f), as well as applicable U.S. state privacy laws (including CCPA/CPRA), the EU General Data Protection Regulation (EU GDPR), the UK GDPR, and other relevant national data protection frameworks. Disclosure is only made when a competent authority with proper jurisdiction submits a valid, written, and binding legal request.

SCALIBIT does not voluntarily disclose or provide any customer information except as legally permitted, and only when compelled under a valid and binding legal process (e.g., subpoena, court order, MLAT-based request, or narrowly scoped emergency disclosure) — and never engages in proactive monitoring, data interception, or surveillance activities. All switching, routing, transit, and packet-level network infrastructure is operated solely by the upstream data center providers and carriers where the Customer-controlled and Customer-used servers and services are physically hosted; SCALIBIT has no technical capability or legal authority to monitor, intercept, or access any such network traffic.

1.1 Legal Basis & Compliance Standards

The legal validity of any request is assessed based on the applicable jurisdiction, the issuing authority, the level of authentication (such as a subpoena, court order, warrant, or MLAT-based request), legal necessity and proportional scope, and whether it is technically feasible for SCALIBIT to comply. Depending on where the request originates and where the relevant data is physically or legally located, applicable legal frameworks may include:

• United States: Electronic Communications Privacy Act (ECPA), Stored Communications Act (SCA), Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §2703 and §2703(f) Data Preservation, CLOUD Act, Federal Rules of Criminal Procedure
• European Union & United Kingdom: EU GDPR (Articles 6, 28, 46), Law Enforcement Directive (LED), UK GDPR, Investigatory Powers Act, and applicable national data protection, surveillance, and data retention laws
• International: Mutual Legal Assistance Treaties (MLAT), Hague Convention, cross-border judicial cooperation mechanisms

All legal requests are assessed based on jurisdiction, authority, necessity, authentication, scope, and technical feasibility. SCALIBIT does not voluntarily disclose any customer information except as permitted under applicable law, and responds only when legally compelled under a valid, binding legal process (e.g., 18 U.S.C. §§ 2702–2703 and comparable international frameworks).

1.2 Applicable Laws & Data Protection Regulations

Applicable legal and data protection rules depend on:

• The physical location of the server and infrastructure
• The jurisdiction of the requesting authority
• The nature of the data requested (administrative metadata vs content)
• Data protection laws applicable to the affected customer:
  • U.S. Federal & State privacy laws (CCPA/CPRA, HIPAA, VPPA, etc.)
  • GDPR (European Union) and UK GDPR (United Kingdom)
  • Local privacy laws in data-hosting countries (e.g., Germany BDSG, Netherlands UAVG, Canada PIPEDA)

SCALIBIT acts as a Data Controller only for customer account, billing, authentication, communication, and support metadata stored within SCALIBIT’s own administrative systems. This includes information held in the Client Portal, billing platform, and support/ticketing systems. SCALIBIT does not act as a Data Controller for any customer-controlled and customer-used servers, services, data, applications, or hosted environments. All operational data within customer-managed systems remains exclusively under the Customer’s control and responsibility. Important – Customer Account Data Accuracy: All administrative account and billing details stored in SCALIBIT’s systems are provided directly by the Customer. SCALIBIT does not independently verify the accuracy of this information, except where required by law or for fraud prevention.

SCALIBIT acts solely as an Infrastructure Provider for all services — including Virtual Machines (VMs), Cloud Servers, Dedicated Servers or Bare Metal Servers, and GPU Servers. SCALIBIT does not access, monitor, store, process, or host any customer content or data (including server files, databases, mailboxes, model outputs, or user-generated logs).

The Customer retains full administrative control and assumes exclusive responsibility for all technical, legal, and data protection obligations as both the Data Controller and the Data Processor. SCALIBIT is neither a Data Controller nor a Data Processor for any content or data hosted within Infrastructure Services. The Customer remains both the Controller and the Processor.

1.3 Disclosure Policy & Lawful Process Requirement

SCALIBIT discloses customer information only when compelled through a valid, lawful, and jurisdictionally binding legal instrument, such as:

• Subpoena or Court Order
• Search Warrant
• Preservation Orders under 18 U.S.C. §2703(f)
• MLAT-based international judicial cooperation requests
• Legally binding orders issued by competent authorities in the country where the data or infrastructure is physically hosted

To be considered valid, a legal request must clearly identify the issuing authority, legal basis, case reference number, and provide sufficient technical identifiers — such as IP address, date and timestamp, domain name, or relevant service location — to allow SCALIBIT to perform internal verification using its own administrative systems. SCALIBIT will refuse to process any request that lacks proper legal authority, authentication, jurisdiction, or specificity.

SCALIBIT also evaluates cross-border or international legal requests — including requests made under Mutual Legal Assistance Treaties (MLAT), Letters Rogatory, or other international judicial cooperation mechanisms — strictly in accordance with the jurisdictional requirements, data location, data sovereignty principles, and applicable host-country laws. SCALIBIT does not respond directly to legal requests issued by foreign authorities unless they are lawfully validated and transmitted through appropriate channels in accordance with Section 5: Jurisdiction-Based Legal Request Handling.

Where legally required and technically available, SCALIBIT may disclose a limited set of administrative and billing metadata stored in its internal systems, such as customer-created service/order records, assigned IP address(es), service/server activation or deactivation timestamps, account registration details, customer name, billing address, and contact email — however, SCALIBIT never discloses any server-level content, credentials, hosted files, encryption keys, SSH access, or communication logs. Such data remains entirely under customer control and is not accessible to SCALIBIT.

Note: SCALIBIT does not disclose any customer information to private individuals, civil litigants, attorneys, corporations, or other non-governmental entities — regardless of the nature of the request. All requests must originate from a competent government, judicial, or law enforcement authority and be supported by a valid and jurisdictionally binding legal instrument.

For detailed jurisdiction-based procedures — including requests involving U.S. authorities, EU/UK jurisdictions, host-country enforcement, and third-country cross-border access — please refer to Section 5: Jurisdiction-Based Legal Request Handling.

1.4 Notification to Customer (When Permitted)

SCALIBIT may notify affected customers prior to disclosure only where legally permitted, unless:

• Notification is prohibited by law, court order, or binding confidentiality directive
• A gag order or secrecy obligation applies
• Notification would compromise an active investigation or national security interest
• The request involves emergency or imminent threats (life, safety, critical infrastructure, terrorism)

If notification is permitted, SCALIBIT may provide basic information regarding the requesting authority, type of request, data categories sought, and available legal remedies, where applicable.

SCALIBIT does not voluntarily disclose or provide any customer information and only discloses customer information when required or expressly permitted under applicable law, pursuant to a valid and binding legal process and only to the extent technically feasible.

2. SUBMISSION & VERIFICATION REQUIREMENTS

(What to Include in Your Request)

All legal requests submitted to SCALIBIT must be formally issued, properly served, and verifiable. Requests must originate from an official government or law enforcement authority and clearly identify the issuing body, legal basis, and specific technical identifiers that enable accurate data lookup (where technically possible). Requests that are incomplete, overly broad, unverifiable, or lacking proper jurisdictional authority may be rejected or returned for clarification.

Accurate service or customer identification is only possible when the request includes precise technical identifiers (such as IP address, timestamp, or domain name).
For required identifiers, see Section 2.3 — Required Technical Identifiers.

2.1 Information-Requesting Legal Authority & Legal Authentication

The information-requesting legal authority must provide verifiable identification and demonstrate lawful authority by including:

• Official name of the information-requesting agency or competent legal authority, including jurisdiction
• Full name, title, and official contact details (government email, phone) of the information-requesting officer or prosecutor
• Badge number, legal identification number, or court authorization reference (if applicable)
• Valid legal instrument (subpoena, court order, search warrant, MLAT request, preservation order, or request issued by law enforcement or prosecutorial authorities in the country where the relevant server or data is physically hosted)
• Certification of legal authority under the applicable framework (e.g., ECPA, EU GDPR Art. 48, UK GDPR, MLAT, or relevant local laws of the hosting country)

Note on Non-Government Requests: SCALIBIT does not disclose any customer information to private individuals, civil litigants, or non-governmental entities under any circumstances. All legal requests must originate from a competent government, judicial, or law enforcement authority and be accompanied by proper legal documentation. Informal communications, such as personal emails, chat messages, or non-legally binding correspondence, are not processed.

2.2 Acceptable Submission Channels & Service of Process

All legal requests must be submitted in writing to SCALIBIT’s Legal Compliance Department at legalrequests@scalibit.com, accompanied by all relevant supporting legal documentation. Requests sent to any other address or using unauthorized channels may experience delays or may not be processed.

• legalrequests@scalibit.com — Official submission address for all lawful requests

Important: SCALIBIT does not accept legal requests via telephone, chat, social media, fax, or general support channels. Informal email communications, including those from law enforcement, that do not include a valid subpoena, court order, or warrant will not be processed.

2.3 Required Technical Identifiers (What to Include)

To enable accurate and lawful data lookup, every request must include at least one of the following technically relevant identifiers:

• Assigned IP address(es) — including precise UTC date and timestamp range (start–end)
• Domain name (Must resolve to a SCALIBIT-assigned IP address for identification)
• Server location or data center region (if known and relevant)
• ASN or network allocation reference (for internet infrastructure cases)
• Specific legal case reference linked to IP misuse, cybercrime, or similar investigation

Requests must be specific, narrowly scoped, legally valid, and technically feasible to allow identification through SCALIBIT’s administrative systems. Please include as much detail as possible to help us identify the relevant customer, account, or service. SCALIBIT does not process blanket, speculative, or exploratory (“fishing”) requests that lack precise technical identifiers or lawful basis. Only requests that are directly tied to a lawful criminal investigation, prosecution, or valid court order will be considered. Requests lacking proper jurisdictional authority, supporting documentation, or sufficient technical detail may be lawfully rejected or returned for clarification.

2.4 Valid Legal Basis & Jurisdiction Confirmations

SCALIBIT requires that all legal information requests must:

• Be issued by a competent authority with legal jurisdiction over SCALIBIT or the data-hosting location
• Include a valid legal basis (e.g., subpoena, court order, search warrant, or MLAT-validated request)
• Specify the type of data requested and clearly define the relevant timeframe
• Demonstrate legal necessity and connection to a lawful investigation or proceeding

SCALIBIT evaluates all requests in accordance with applicable laws and data protection frameworks, including ECPA and 18 U.S.C. §2703(f) (United States), EU GDPR, the Law Enforcement Directive (LED), and UK GDPR, and any other mandatory local regulations where the data is physically hosted.

Cross-Border & Third-Country Requests: When the requesting country, the data-hosting country, and SCALIBIT’s jurisdiction are not the same, requests must be submitted through MLAT or other formally recognized international judicial cooperation mechanisms. SCALIBIT does not process bypassed, extrajudicial, or informal international requests under any circumstances.

For location-based handling of legal information requests, see Section 5 — Jurisdiction-Based Legal Information Request Handling .

2.5 Preservation Requests (18 U.S.C. §2703(f))

SCALIBIT honors properly issued preservation requests under 18 U.S.C. §2703(f). Upon receipt of a valid written request, SCALIBIT will preserve existing responsive records for up to 90 days, renewable once for an additional 90 days upon timely written extension — pending receipt of a formal legal process (such as subpoena, court order, or warrant).

Preservation applies only to administrative metadata already stored by SCALIBIT in its systems — such as account registration timestamps, service activation records, billing metadata, or IP address assignment logs (i.e., which customer account, service, or server was assigned a particular IP address at a specific time). It does not require SCALIBIT to:

• Collect or generate any new logs, records, or system data
• Access, monitor, or retrieve customer-controlled servers or hosted content
• Create or enable any form of surveillance, live monitoring, or data interception
• Inspect or access any authentication credentials — including root or administrator passwords, SSH keys, control panel credentials, API keys, MFA tokens, or encryption keys

SCALIBIT can only access and preserve a limited set of administrative metadata that resides in SCALIBIT-controlled systems — such as account registration timestamps, service provisioning records, billing metadata, IP address assignment logs (showing which customer account, service, or server was assigned a specific IP or IP block at a specific time), or basic customer account information (name, company, billing address, contact email, phone number, and order reference identifiers).

Where technically available, SCALIBIT may also preserve limited client account metadata — such as customer-initiated service order records, service activation timestamps, basic customer-provided registration details (name, company name, billing address, email, phone number), and the last successful Client Portal login IP and timestamp — strictly for verification or legal audit purposes, provided such preservation is lawfully requested, narrowly scoped, and technically feasible.

Preserved data is not disclosed unless a valid and binding legal instrument (subpoena, court order, or warrant) is subsequently received.

Preservation Requests under 18 U.S.C. §2703(f) apply primarily to U.S.-based lawful requests. For all other jurisdictions, SCALIBIT will honor preservation obligations only when legally required under applicable local laws or through valid MLAT-based international cooperation requests (where SCALIBIT is legally compelled).

2.6 Emergency or Expedited Disclosure Requests

Emergency disclosure requests — including cases involving imminent threat to life, serious bodily harm, child protection, terrorism, or critical cybersecurity incidents — must be clearly identified and formally justified by the requesting authority. All such requests must include:

• Clear statement of the emergency and legal justification
• Applicable legal authority supporting expedited processing (e.g., 18 U.S.C. §2702(b)(8))
• Specific IP address(es), domain name(s), or other technical identifiers with relevant UTC timestamps
• Official agency information and point of contact (government-issued email and phone required)

SCALIBIT evaluates emergency requests on a case-by-case basis and, where lawful and technically feasible, may disclose only the minimum administrative metadata necessary to prevent imminent harm — such as limited account identification details, account registration timestamps, service activation records, or IP address assignment logs (showing which customer account, Virtual Machine, Cloud Server, Dedicated/Bare Metal Server, or GPU Server was assigned a specific IP or IP block at a specific time).

2.7 Cost Reimbursement (18 U.S.C. §2706)

SCALIBIT reserves the right to seek reimbursement for reasonable costs incurred in responding to legally valid requests, as authorized under 18 U.S.C. §2706 and applicable international standards. This may include costs associated with identifying, retrieving, reviewing, preserving, or producing responsive metadata retained within SCALIBIT’s administrative systems.

Cost reimbursement is requested only where permitted by applicable law and is limited exclusively to the direct and necessary expenses associated with fulfilling the legal request. SCALIBIT does not charge any fees for rejecting invalid, incomplete, or unlawful requests.

3. DATA ACCESS & DISCLOSURE LIMITATIONS

As a technical infrastructure provider, SCALIBIT has access only to a limited set of non-content administrative metadata required for service provisioning, billing, IP assignment, abuse mitigation, legal verification, and account authentication. SCALIBIT does not access, view, monitor, retain, or supervise any customer-hosted content, server files, databases, credentials, email/mailbox data, application logs, AI workloads, or communication records — all of which remain entirely under the control, care, and custody of the Customer.

SCALIBIT has no visibility into any actions or activities performed by the Customer using the server(s), service(s), or IP address(es) assigned to them, and cannot retrieve, recover, reconstruct, monitor, or disclose any server files, databases, mailboxes, application logs, user activity records, traffic content, connection history, usage patterns, encryption keys, or other server-level data — including content transmitted through the assigned IP address(es).

All such data and activities remain exclusively under the Customer’s care, custody, and control. SCALIBIT does not possess, store, manage, or have access to any form of server-level access credentials — including root or administrator passwords, SSH private keys, SSH port configurations, VPN credentials, RDP login details, database passwords, control panel credentials, or similar authentication data. Accordingly, SCALIBIT cannot disclose, generate, recreate, or infer any such information by any technical means.

SCALIBIT can only disclose limited administrative metadata that already exists within its internal management systems (such as basic customer registration details, account identifiers, service/order records, assigned IP address logs, activation/deactivation timestamps, and service-related billing information) — and only when legally compelled through a valid, binding legal process. No server-level content, hosted data, access credentials, or communication logs are ever disclosed, as SCALIBIT does not have possession or custody of such information.

All switching, routing, packet handling, and transit-level network infrastructure is operated solely by upstream data center providers and regional carriers where the Customer-controlled and Customer-used servers and services are physically hosted. SCALIBIT does not own or operate any network surveillance, monitoring, interception, NetFlow, or deep packet inspection (DPI) systems, and has no capability or legal authority to perform packet inspection, real-time interception, traffic monitoring, or content reconstruction.

Customers maintain full responsibility and accountability for all activities, content, and usage conducted through their assigned servers, services, and IP address(es). SCALIBIT provides only the underlying infrastructure required to deliver the service and cannot be held liable for any actions performed within customer-controlled environments.

Ownership, access, and disclosure responsibilities are distributed across three distinct parties:

Compliance reference: Applicable U.S. privacy laws (including CCPA/CPRA, VCDPA, and CPA), the EU GDPR, the UK GDPR, and other applicable international data protection frameworks.

3.1 Customer-controlled and Customer-used servers/services – No Content Access

Customers maintain exclusive administrative control over all hosted systems, including operating systems, applications, databases, file storage, email servers, logs, VPN services, APIs, backups, encryption mechanisms, and system configurations. SCALIBIT does not have access to:

• Root / Administrator / SSH / RDP access credentials
• Control panel logins (cPanel/WHM, Plesk, DirectAdmin, etc.) or VPN authentication keys
• Server files, folders, databases, mailboxes, logs, or hosted applications
• SSL private keys, encryption keys, database credentials, or MFA tokens
• AI model files, datasets, inference logs, training outputs, or application runtime logs

The Customer bears full responsibility and legal accountability for any activities, usage, or communications conducted through the assigned service(s), server(s), or IP address(es) for the duration of the service term — from activation until suspension, termination, or IP reassignment — including any actions performed by downstream users, third parties, or through VPN/proxy/anonymization tools configured within their environment.

3.2 What SCALIBIT May Disclose (Non-Content Administrative Metadata Only)

Subject to valid and binding legal process, SCALIBIT may disclose a limited and strictly defined set of non-content administrative metadata stored in its internal administrative systems, including (if available):

• Customer-provided account information: name, billing address, email, phone number, and company name (if provided)
• Order-related administrative metadata — including order creation records, invoice reference numbers, and masked payment transaction metadata (no card numbers, CVV, or full bank details)
• Service/server provisioning metadata — including activation dates, delivery/provisioning confirmations, configuration assignments, and deactivation or cancellation timestamps
• Administrative records identifying which Customer account a specific service/server or assigned IP address was associated with at a given time
• IP address allocation metadata — indicating which Customer account, service, or server was assigned a specific IP address or IP block at a given time, including initial IP assignments, Customer-requested IP block expansions (e.g., /29, /28), subsequent additions or removals, and the dates on which such changes occurred (administrative metadata only)
• Account registration IP and the most recent Client Portal login IP (limited — not full login history)
• Service configuration metadata: plan type, server location (country/region), and selected service options
• Abuse/complaint ticket metadata — timestamps and reference IDs only, if an abuse report exists (never complaint content or message details)
• Support request or provisioning-related ticket metadata — timestamps, ticket reference IDs, and status, only if such ticket- or email-based communication exists (metadata only — not message content or attachments)

Compliance reference: Applicable U.S. Privacy Laws (CCPA/CPRA, VCDPA, CPA), EU GDPR, UK GDPR, and other international data protection frameworks.

3.3 What SCALIBIT Does Not Have and Cannot Disclose

SCALIBIT does not possess, retain, control, or have access to the following categories of customer data, as these remain fully within the exclusive care, custody, and control of the Customer:

• Files, databases, cloud storage, hosted applications, or website content
• Email contents, attachments, message bodies, or mail server logs
• SSH/FTP/RDP credentials, private keys, API tokens, VPN configurations, or passwords
• Packet captures, ISP-level logs, DPI surveillance data, or browsing records
• AI datasets, model weights, compute artifacts, or inference tracking
• System snapshots, VM images, backup archives, or disk contents
• Any activity logs, usage behavior, or actions performed by the Customer within any Customer-controlled and Customer-used service or server — including activities conducted through assigned IP address(es), VPN usage, outbound or inbound traffic, hosted applications, proxy usage, AI workloads, or any other in-server operations.

SCALIBIT does not monitor, collect, generate, or retain any customer server activity, including login history, access commands, authentication events, or communication content.

SCALIBIT has no visibility into any actions, activities, or communications performed through the Customer’s service(s), server(s), or the IP address(es) assigned to those services. SCALIBIT cannot technically determine whether any activity originated from the Customer, a downstream user, a VPN/proxy source, automated bot/system, malicious intruder, or any other indirect usage source.

SCALIBIT is not a network owner, carrier, ISP, or internet transit provider. All routing, switching, bandwidth delivery, BGP announcements, transit logs, NetFlow data, packet telemetry, and network-level monitoring are fully operated by upstream data center providers and carriers where the Customer-controlled and Customer-used servers and services are physically hosted. Accordingly, SCALIBIT does not generate, collect, maintain, or retain any network-layer logs, packet captures, connection traces, or traffic content.

SCALIBIT cannot generate, reconstruct, decrypt, synthesize, or recover any server files, logs, encryption keys, communications, or customer-stored content that are not already present within SCALIBIT-controlled administrative systems. If specific data does not exist within SCALIBIT’s custody or control, it cannot be produced, recreated, or inferred by any technical means — even under a valid court order, or with console / IPMI access (where hardware support is available).

All responsibility for hosted content, system actions, IP usage, network traffic, application behavior, and any third-party or downstream user activity lies exclusively with the Customer. SCALIBIT provides only the underlying infrastructure and cannot be held liable for any actions initiated, controlled, or performed within Customer-controlled and Customer-used environments, services, or servers.

Requests for network traffic data, packet-level records, session tracing, or source attribution must be directed to the respective upstream data center provider or carrier where the Customer-controlled and Customer-used servers and services are physically hosted and which operates the underlying network infrastructure. SCALIBIT cannot provide data that it does not generate, store, or control.

Geographic Location Verification: SCALIBIT relies solely on the location metadata (country, region, facility) provided by upstream data center operators for service configuration and billing. SCALIBIT does not perform independent technical or physical verification of server location or data residency compliance, as this responsibility lies exclusively with the upstream operator.

3.4 No Content Logging, Monitoring, or Network Traffic Capture

SCALIBIT does not intercept, monitor, analyze, generate, or retain any content-level or packet-level data, including:

• Web traffic logs, HTTP/S request or response data
• Packet inspection, mirrored traffic, port scanning, or DPI (Deep Packet Inspection)
• ISP-level traffic logs, NetFlow/sFlow records, or packet telemetry analytics
• DNS query logs, resolver logs, or packet-based tracing
• Port usage history, session tracing, or VPN/proxy connection records
• Email content, chat messages, API traffic, or communication metadata
• AI usage logs, inference outputs, model activity, or behavioral analytics

Network & Traffic Control Limitations: All network routing, packet handling, BGP announcements, bandwidth transit, DDoS mitigation, and packet-level transport infrastructure are operated exclusively by the upstream data center providers and carriers where the Customer-controlled and Customer-used servers and services are physically hosted. SCALIBIT is not a network owner, ISP, carrier, or internet transit provider. Accordingly, SCALIBIT does not generate, collect, maintain, or retain any NetFlow records, packet telemetry, connection histories, detailed port usage data, browsing logs, or packet-based surveillance records.

SCALIBIT does not monitor, generate, collect, or log any customer IP address activity, session behavior, usage patterns, or network flow records. While SCALIBIT retains only basic IP assignment metadata (e.g., which IP address was assigned to which customer, service, or server at a specific time), it does not possess, generate, or retain any historical traffic logs, port mapping data, packet-level trace information, or connection records associated with that IP address.

SCALIBIT does not collect, capture, or retain any server-level authentication or activity logs (including SSH, FTP, RDP, VPN, SMTP, or database access), firewall logs, DNS query logs, system security logs, or command execution history. These logs exist only within Customer-controlled and Customer-used systems and are never visible to SCALIBIT. Network-layer telemetry (such as NetFlow records, packet counts, or connection traces) — where generated — is held exclusively by the upstream data center providers and carriers where the Customer-controlled and Customer-used servers and services are physically hosted, not by SCALIBIT.

SCALIBIT cannot generate, synthesize, decrypt, or reconstruct any network-level telemetry, packet logs, DPI records, or browsing histories that were never generated or technically stored in SCALIBIT-controlled systems. If specific data does not exist in SCALIBIT’s custody or systems, it cannot be produced by any technical means — even under a valid court order.

3.5 IP Address and Network Control Limitations

SCALIBIT’s responsibilities and technical capabilities regarding IP address allocation, routing, and network traffic are strictly limited by its role as an infrastructure hosting provider and its reliance on the upstream data center providers where the Customer-controlled and Customer-used servers and services are physically hosted. SCALIBIT is not a network carrier, ISP, backbone operator, transit provider, or LIR (Local Internet Registry), and does not operate any autonomous system (ASN), router infrastructure, or network surveillance systems.

3.6 Third-Country Requests, MLAT & Sovereignty Limitations

SCALIBIT does not comply with any foreign or third-country legal demand that attempts to bypass the jurisdiction of the data-hosting country, MLAT procedures, or established international judicial cooperation mechanisms. Requests issued directly by foreign law enforcement agencies, courts, or administrative authorities have no legal effect unless validated and re-issued by the competent authority of the host-country through the appropriate legal channel.

Valid Submission Path (Required Flow):
Requesting Country Authority → Host-Country Competent Authority → MLAT / Judicial Cooperation Review →
Host-Country Court Order / Legal Compulsion → SCALIBIT (limited metadata only, if legally compelled)

Data Sovereignty & Local Law Primacy: All disclosure obligations are governed by the laws of the country where the data is physically hosted, including U.S. Federal Law (such as the Stored Communications Act), EU GDPR, UK GDPR, and other applicable regional privacy and data protection regulations. This includes national restrictions on cross-border data transfers, privacy and confidentiality protections, and legal limitations on compelled disclosure.

Technical Reality: Even where a request is properly validated, SCALIBIT can only disclose limited administrative metadata stored in its internal systems (see Section 3.2). SCALIBIT does not possess or control server-level logs, traffic content, hosted files, communication records, encryption keys, or any customer-generated data—therefore, SCALIBIT cannot disclose data that it does not create, store, or control.

Any request for network traffic data, packet captures, interception records, flow telemetry, or IP-based attribution information must be directed to the relevant upstream data center providers and carriers where the Customer-controlled and Customer-used servers and services are physically hosted. Such upstream operators may be subject to their own legal and jurisdictional requirements. SCALIBIT cannot provide network traffic data or attribution information that it does not generate, store, or control.

3.7 No Email Hosting or Storage Services

SCALIBIT does not provide email hosting, mailbox services, SMTP relay, or centralized mail storage. SCALIBIT is not an email service provider (ESP) or communications carrier.

Any email services running on Customer-controlled Virtual Machines (VMs), Cloud Servers, Dedicated Servers or Bare Metal Servers, and GPU Servers are deployed, managed, and controlled exclusively by the Customer. SCALIBIT has no technical access to mailbox contents, message logs, email headers, attachments, or communication metadata within these customer-managed environments.

3.8 Limited Support Credentials – Temporary & Voluntary Access Only

In limited support scenarios, Customers may voluntarily provide temporary access credentials (such as SSH, RDP, VPN, or cPanel login) solely for troubleshooting or resolving a specific support-related issue. Such credentials are not automatically collected, logged, stored, or archived by SCALIBIT’s systems.

Temporary credentials are used only for the duration of the support session and are manually deleted immediately upon issue resolution, ticket closure, or at the explicit request of the Customer — whichever occurs first. SCALIBIT does not store, retain, recreate, or have access to any access credentials after the support session has ended.

SCALIBIT’s access — if granted — is strictly voluntary, temporary, customer-controlled, and revocable at any time. Once access ends, SCALIBIT has no visibility into the system and no technical ability to retrieve, recover, or reconstruct any prior server access credentials or customer-stored server content, even under legal order.

For details on technical access limitations, refer to Section 6 — Access to Customer Systems & Management Interfaces.

3.9 Hardware Management Interfaces (iDRAC, IPMI, iLO, KVM-over-IP)

For Dedicated Servers, Bare Metal Servers, or GPU Servers, hardware-level management interfaces (such as IPMI, iDRAC, iLO, or KVM-over-IP) are provided directly by the upstream data center facility. These tools are strictly limited to hardware diagnostics, remote power control (reboot, shutdown, reset), OS reinstall, and basic console-level access during provisioning. These interfaces do not provide SCALIBIT with file-level visibility into customer-stored data, encrypted partitions, or system contents.

For Virtual Machines (VMs) and Cloud Servers, all operating system installations, re-installations, power controls (reboot, shutdown), and service configuration actions are performed directly by the Customer through the SCALIBIT Customer Panel. Customers also have access to a built-in VNC console, which provides basic terminal access during installation, troubleshooting, or recovery.

The VNC console is strictly limited to screen and keyboard interaction and does not grant SCALIBIT any visibility into customer data, filesystem contents, hosted applications, or in-guest activities. When using VNC terminal access, the Customer may perform operations that require their own SSH or root credentials; however, these credentials are never known, stored, accessed, or visible to SCALIBIT.

All provisioning, configuration, use of server access credentials, and console operations remain fully and exclusively under the Customer’s control. SCALIBIT has no technical ability to access, retrieve, or reconstruct any server access credentials used within the VNC or hardware console environment (such as root passwords, SSH keys, control-panel logins, or other authentication data).

4. NETWORK & TRAFFIC DATA LIMITATIONS

(Upstream Network Ownership, No Monitoring, No Packet Visibility)

All network routing, switching, packet handling, bandwidth delivery, transport, and transit operations (including all underlying infrastructure such as routers, switches, carrier transport links, transit uplinks, and traffic engineering systems) are fully operated by the upstream data center providers and regional carriers where the Customer-controlled and Customer-used servers and services are physically hosted. SCALIBIT is not a network owner, ISP, carrier, or internet transit provider and does not operate any backbone or access-layer network infrastructure.

SCALIBIT does not operate or control any network-level surveillance, interception, monitoring, packet inspection, or deep-inspection systems and has no capability or legal authority to monitor, intercept, inspect, reconstruct, analyze, or access any network traffic or IP address–level activity flowing to or from Customer-controlled servers, services, or IP address(es). Customers retain full care, custody, and control over their hosted environments, including all content, usage, IP address activity, and all actions originating from the services and IP address(es) assigned to them.

SCALIBIT does not possess or generate any source–destination mapping, port activity history, traffic direction logs (inbound/outbound), remote-IP communication logs, or timestamped IP activity data for any IP address that has been assigned to and is used by Customer-controlled services or servers. No such IP-level activity data exists within SCALIBIT’s systems.

4.1 Upstream Data Center Ownership of All Network Infrastructure

All routing tables, switching paths, BGP announcements, bandwidth delivery, transit routing, carrier handoffs, DDoS mitigation systems, flow-telemetry engines, and packet-level transport mechanisms are operated exclusively by the upstream data center providers and carriers. SCALIBIT does not manage, influence, or participate in these systems and has no access to their telemetry, operational tooling, forensic platforms, or monitoring interfaces.

4.2 No Packet Inspection, Monitoring, or Traffic Visibility

SCALIBIT has no technical capability to perform packet inspection, real-time traffic monitoring, packet capture, data interception, content reconstruction, traffic mirroring, wiretapping, or any form of lawful interception. SCALIBIT cannot observe, analyze, attribute, or access:

• packet contents or payload data, including HTTP bodies and application-layer content,
• browsing activity, visited websites, or destination URLs,
• incoming or outgoing traffic flows (inbound/outbound breakdown),
• which IP address connected to which remote IP address or service (source/destination mapping),
• which ports or protocols (e.g., HTTP, HTTPS, SSH, RDP, SMTP, VPN) were used,
• connection durations, session lengths, or traffic volume per connection,
• traffic patterns, rate, or behavioral usage data,
• DNS queries, domain lookups, or name-resolution histories,
• encrypted or unencrypted payloads, or any form of DPI (Deep Packet Inspection) output.

SCALIBIT also does not possess any IP address traffic direction logs, port usage logs, source/destination IP communication records, or timestamped activity attribution data. No such records exist within SCALIBIT-controlled systems.

SCALIBIT has zero operational visibility into any transit-layer traffic and cannot perform source/destination tracing or activity attribution at the network level.

4.3 No Network-Layer Logs, Traffic Records, or Forensic Data

SCALIBIT does not generate, collect, maintain, store, retain, or control any network-layer information, including:

• packet captures (PCAP files) or raw packet logs,
• NetFlow, IPFIX, or other flow telemetry records,
• connection histories, session traces, or connectivity records,
• port mapping, port usage, or firewall traffic logs,
• IP activity logs, IP reputation logs, or outbound spam traffic logs,
• traffic metadata, packet-level logs, or per-flow counters,
• browsing histories, destination IP logs, or web access logs,
• DDoS telemetry or mitigation statistics,
• router or switch operational logs or BGP flow records.

SCALIBIT retains only the administrative assignment record indicating which Customer account a specific IP address was assigned to at the time of provisioning. SCALIBIT does not retain:

• source-IP logs,
• destination-IP logs,
• port usage logs,
• traffic timestamps,
• connection attempts or accepted/rejected packet activity,
• traffic direction or attribution records.

Any network-layer telemetry that exists is held exclusively by the upstream data center providers and carriers.

4.4 No Server-Level Logs or Authentication Records

SCALIBIT does not collect, store, capture, or have access to any operating system–level or service-level logs generated within Customer-controlled servers, including:

• SSH, RDP, FTP, VPN, SMTP, or database authentication logs,
• system authentication logs or login attempt histories,
• firewall logs or port activity logs,
• IDS/IPS or security event logs,
• DNS resolver or DNS query logs,
• web server access/error logs (Apache, Nginx),
• command execution histories or shell command logs.

All such logs exist only within Customer-controlled systems and remain fully outside SCALIBIT’s visibility and control.

4.5 Requests for Network Traffic Data Must Be Directed to Upstream Providers

Any request for network traffic data, packet-level records, flow telemetry, DPI reports, connection histories, port usage data, DDoS telemetry, session tracing, IP-based attribution, payload content, browsing histories, or any other carrier-grade forensic information must be directed to the upstream data center provider or carrier that operates the underlying network infrastructure.

Requests seeking to determine which IP address contacted which destination IP, which ports were used, traffic timestamps, connection direction (inbound/outbound), or any other activity attribution cannot be fulfilled by SCALIBIT, as SCALIBIT does not collect or control any such IP-level traffic data.

SCALIBIT cannot obtain network-layer records from upstream providers on behalf of any requesting party.

4.6 No Ability to Generate, Reconstruct, or Recover Missing Data

SCALIBIT cannot generate, synthesize, decrypt, recreate, reconstruct, or retroactively produce:

• traffic logs or histories that were never captured,
• packet contents or PCAP data,
• NetFlow, IPFIX, or any other flow telemetry records,
• browsing histories or destination IP logs,
• DPI-derived metadata or deep packet inspection results,
• port usage histories, connection histories, or attribution records,
• router, switch, or carrier-side operational logs.

If a specific category of data does not exist within SCALIBIT’s custody or systems, it cannot be produced — even under a valid court order.

4.7 No Real-Time Interception, Surveillance, or Lawful Intercept Capabilities

SCALIBIT does not provide real-time interception, wiretapping, traffic mirroring, real-time surveillance, live packet capture, or forensic tracing capabilities. Any legally authorized interception must be performed by the Customer or the upstream provider with operational control.

4.8 No Operational Visibility Into Transit Traffic

Network traffic, packet-level data, and communication metadata (NetFlow, flow telemetry, destination IP logs, browsing activity, DPI records, packet content) are handled solely by the upstream operators. SCALIBIT has no visibility into such transit traffic and cannot access, monitor, or retrieve any network-level logs — even under subpoena, court order, MLAT, emergency disclosure, or foreign request.

4.9 Final Limitation Statement

SCALIBIT cannot generate, obtain, reconstruct, or produce any network-layer traffic data, packet-level information, flow telemetry, browsing activity, interception logs, or activity attribution records that are not created, controlled, or stored by SCALIBIT. All such data resides solely with the upstream data center providers and carriers and remain completely outside SCALIBIT’s technical reach and operational control.

5. JURISDICTION-BASED LEGAL INFORMATION REQUEST HANDLING

Legal request processing depends primarily on (1) the jurisdiction of the requesting authority and (2) the physical location of the infrastructure used by the Customer to store or process data (including Virtual Machines (VMs), Cloud Servers, Dedicated Servers or Bare Metal Servers, and GPU Servers, or the geographic location associated with the assigned IP address). SCALIBIT applies a structured legal assessment model based on these determinations.

SCALIBIT also evaluates cross-border or international legal requests — including requests made under Mutual Legal Assistance Treaties (MLAT), Letters Rogatory, or other international judicial cooperation mechanisms — strictly in accordance with the jurisdictional requirements, data location, data sovereignty principles, and applicable host-country laws. SCALIBIT does not respond directly to legal requests issued by foreign authorities unless they are lawfully validated and transmitted through appropriate channels in accordance with Section 5 (Jurisdiction-Based Legal Request Handling).

5.1 U.S. Authorities → Data Located Inside the United States

(ECPA / Stored Communications Act — Domestic Scope)

Requests submitted by U.S. law enforcement or judicial authorities concerning services, servers, data stored within those environments, or IP addresses assigned to such servers that are physically hosted within the United States are governed by the Electronic Communications Privacy Act (ECPA), specifically 18 U.S.C. §§2701–2713. Because both the requesting authority and the underlying infrastructure (servers, stored data, and assigned IP resources) are located within United States jurisdiction, these requests do not require international cooperation mechanisms such as MLAT.

Specificity Requirement: Legal requests must clearly identify the subject of inquiry — including the exact IP address(es), relevant date and time range (in UTC), service type, and associated infrastructure region. Broad, vague, or unspecified requests (e.g., “all data related to a user”) cannot be processed and will be returned without action.

SCALIBIT cannot provide any server content, OS logs, email content, or file-level data — even if served with a valid Search Warrant — because although SCALIBIT provides the infrastructure, it does not host, monitor, or have access to any customer-controlled environments (such as Virtual Machines (VMs), Cloud Servers, Dedicated Servers or Bare Metal Servers, and GPU Servers). All hosted content and in-server activity remain under the Customer’s exclusive care, custody, and control.

SCALIBIT does not monitor or supervise any activities performed on customer infrastructure. Therefore, it cannot determine whether an action originating from an IP address was performed by the Customer, a downstream reseller client, VPN/proxy user, TOR exit node, automated bot or AI system, or any unauthorized third party. SCALIBIT has no technical or legal ability to attribute an individual identity to any IP-based activity.

5.2 U.S. Authorities → Data Located Outside the United States

(MLAT / Host-Country Legal Control & Data Sovereignty)

When U.S. authorities seek information concerning any Virtual Machines (VMs), Cloud Servers, Dedicated Servers or Bare Metal Servers, and GPU Servers physically located outside the United States, SCALIBIT cannot process or respond to any direct U.S. legal demand (including Subpoenas, Court Orders, or Search Warrants). Disclosure is governed exclusively by the laws and judicial authority of the country where the infrastructure is located.

Accordingly, any such request must be handled through the appropriate international judicial cooperation mechanism, such as:

• Mutual Legal Assistance Treaty (MLAT) recognized between the United States and the host country;
• International Letters Rogatory or equivalent bilateral cooperation channel;
• Executive Agreements under 18 U.S.C. §2523 (CLOUD Act–compliant jurisdictions).

Once a request is validated and executed by the competent host-country authority, SCALIBIT will — if lawfully compelled — process only the scope of the local order, strictly in accordance with the data classification rules of that jurisdiction:

Any court or agency seeking network traffic records, packet-level captures, NetFlow or flow telemetry, or forensic IP tracing data must direct such requests to the relevant upstream data center provider or carrier that operates the network infrastructure where the Customer-controlled and Customer-used servers and services are physically hosted. SCALIBIT cannot generate, obtain, reconstruct, or produce any network-layer traffic data that it does not create, control, or store.

If a local legal authority requests Content Data, SCALIBIT can disclose such data only when both conditions below are met:

• The requested data is actually stored within SCALIBIT-controlled administrative systems, such as support ticket messages or Client Portal communications (SCALIBIT does not store or host any customer server content).
• The request is supported by a valid, binding, and jurisdictionally competent legal order issued by the appropriate host-country authority.

SCALIBIT has no technical ability, access, or system-level visibility into any files, databases, logs, emails, encryption keys, or application data stored inside Customer-controlled and Customer-used environments, including:

• Virtual Machines (VMs)
• Cloud Servers
• Dedicated Servers or Bare Metal Servers
• GPU Servers
• Any customer-managed storage, application, or runtime environment

Because SCALIBIT does not host, retain, or process such content, no customer-stored data can be produced under any legal request unless it exists within SCALIBIT’s own administrative systems.

This approach ensures full compliance with host-country data protection regulations (including EU GDPR, UK GDPR, and other applicable local data protection frameworks), preserves customer privacy and data sovereignty, and maintains SCALIBIT’s role strictly as an infrastructure provider, not a data owner, controller, or manager.

5.3 Foreign Authorities → Data Located in the United States

(Non-U.S. Requests for U.S.-Hosted Infrastructure)

When a foreign (non-U.S.) law enforcement or government authority seeks information relating to any infrastructure physically located within the United States (including Virtual Machines (VMs), Cloud Servers, Dedicated Servers or Bare Metal Servers, and GPU Servers, or associated IP address records), SCALIBIT cannot directly disclose any information. All such requests must be transmitted and validated through an appropriate U.S. legal authority.

Accepted international cooperation mechanisms include:

1. A valid U.S. Court Order, Subpoena, or Search Warrant issued under ECPA (18 U.S.C. §2701 et seq.);
2. A formal Mutual Legal Assistance Treaty (MLAT) request initiated by the requesting country and executed by the United States Department of Justice;
3. A recognized Executive Agreement under the CLOUD Act (18 U.S.C. §2523), where applicable.

SCALIBIT will not process or respond to any foreign request that:

• Is not formally endorsed by a competent U.S. judicial authority, or
• Attempts to bypass U.S. legal review, sovereignty, or judicial due process.

Only after a request has been validated and executed by a competent U.S. authority may SCALIBIT, if legally compelled, provide limited non-content administrative metadata (such as account identifiers, billing records, or IP assignment timestamps) — and only where such data exists within SCALIBIT-controlled systems.

SCALIBIT does not possess, monitor, or retain any server access credentials, server-level content, network traffic logs, packet captures, or OS-level activity data from customer-controlled and customer-used servers, Virtual Machines, or Dedicated / Bare Metal environments.

For access limitation policies concerning customer systems and hosted content, see Section 6 — Access to Customer Systems & Credentials.

5.4 Host-Country Authorities → Data Located in Their Own Country

(Local Law Compliance — EU GDPR, UK GDPR, and Applicable National Laws)

When a legal request originates from authorities in the same country where the infrastructure (including Virtual Machines (VMs), Cloud Servers, Dedicated Servers or Bare Metal Servers, GPU Servers, and any related IP address allocations or administrative records) is physically located, SCALIBIT will review and process the request strictly in accordance with the applicable local laws and data protection regulations (e.g., EU GDPR, UK GDPR, and other mandatory host-country legal frameworks), as well as all due-process requirements of that host jurisdiction.

SCALIBIT will comply only with requests submitted by a competent judicial or regulatory authority within that jurisdiction (such as a national court, public prosecutor’s office, or data protection authority), and only when supported by a valid, binding, and properly scoped legal order that clearly identifies:

• the exact IP address(es) or service identifier(s)
• the relevant date and time range (in UTC)
• the specific legal basis (e.g., EU GDPR Art. 6(1)(c), or applicable national criminal law)
• the type of data sought
  SCALIBIT can only disclose the limited administrative metadata that exists within its own account, billing, and support systems. SCALIBIT does not have access to any files, logs, databases, traffic data, server access credentials (such as root/administrator login details, SSH keys, SSH/RDP login information, or port configurations), or any system content stored within Customer-controlled and Customer-used servers or environments.

In these cases, SCALIBIT may disclose only the limited non-content administrative metadata stored in SCALIBIT-controlled systems—such as basic account identifiers, service activation timestamps, and IP assignment records—unless customer content is stored within SCALIBIT-managed support systems (e.g., internal support emails or invoices).

Requests for network-level traffic data, packet captures, payload content, browsing histories, or any form of activity attribution must be directed to the upstream data center where the servers/services are physically hosted, as SCALIBIT does not generate, store, or control such information.

All disclosures are strictly governed by the host country’s data protection laws (such as EU GDPR, UK GDPR, or other equivalent mandatory frameworks) and are limited to the minimum scope strictly required to satisfy the binding legal order. For SCALIBIT’s technical access limitations, see Section 6 — Access to Customer Systems & Management Interfaces.

5.5 Third-Country (Cross-Jurisdiction) Legal Requests

(Neither U.S. Nor Host-Country Authority)

A legal request is considered a Third-Country Request when it originates from a country that is neither (1) the United States (SCALIBIT’s legal domicile), nor (2) the host country where the infrastructure — including the customer’s service/server and any IP address(es) assigned to that service — is physically located. In these cases, SCALIBIT cannot directly respond or disclose any data based solely on the third-country authority’s request.

Instead, any such request must first be:

• Validated and authorized by the competent authority of the Host Country where the data is located;
• Transmitted through a U.S. MLAT process, 18 U.S.C. §2523 Executive Agreement, or equivalent diplomatic/judicial cooperation mechanism, depending on jurisdiction.

SCALIBIT does not process or respond to any legal demand that attempts to bypass either Host Country sovereignty or United States jurisdiction. Requests lacking both jurisdictional validation and appropriate legal pathway are returned without processing.

SCALIBIT may only disclose non-content administrative metadata if required by a valid and binding legal order from either (1) the Host Country where the data is located, or (2) United States competent authority. SCALIBIT cannot disclose customer content, hosted files, logs, or any system-level data, as such content is not stored on SCALIBIT-controlled systems.

SCALIBIT does not accept or process legal or investigative requests submitted by private parties, individuals, attorneys, or corporations unless supported by a valid and binding court order issued by a competent judicial authority.

Technical access limitations and system access principles are explained in Section 6 — Access to Customer Systems & Management Interfaces.

6. ACCESS TO CUSTOMER SYSTEMS & TECHNICAL LIMITATIONS

SCALIBIT operates strictly as an infrastructure provider and does not manage, monitor, or retain any customer-hosted system content, files, databases, mailboxes, communications, network traffic, or encryption keys. Customers maintain exclusive administrative control and custody over all hosted environments—including Virtual Machines (VMs), Cloud Servers, Dedicated Servers or Bare Metal Servers, and GPU Servers

SCALIBIT cannot access, inspect, decrypt, or retrieve any data stored within customer-controlled and customer-used systems. Access is only possible if the Customer voluntarily provides temporary server access credentials via the secure Client Portal ticket system. Even when served with a valid and binding legal process, SCALIBIT cannot access or obtain any in-server data unless such credentials are explicitly supplied by the Customer, because SCALIBIT does not retain or possess any system-level credentials.

6.1 No Credential Storage / No Access to OS-Level Systems

SCALIBIT does not store, retain, or monitor any credentials for any customer-controlled and customer-used systems, including:

• Root / Administrator usernames or passwords
• SSH/RDP login details, VPN credentials, or private keys
• SSH port configurations, firewall rules, or MFA tokens
• Database passwords, web panel logins, or application-level credentials
• Encryption keys, passphrases, SSL private keys, or full-disk decryption keys

Consequently, SCALIBIT cannot access, monitor, recover, or disclose:

• Files, databases, applications, mailboxes, or backups
• Operating system logs, SSH/RDP activity, or system command histories
• Packet-level traffic, network flow data, web activity, or communication content
• Encrypted or password-protected data in any form

During initial provisioning of Virtual Machines, Cloud Servers, and Bare Metal servers, the system may generate temporary first-access credentials (such as initial root/administrator password, default SSH port, assigned IP address, or IPMI/iDRAC/iLO management console URL). These credentials are delivered only once to the Customer and are not retained, logged, or recoverable by SCALIBIT after delivery. Customers must change and secure these credentials, and SCALIBIT cannot assist in credential recovery unless explicitly authorized or legally compelled and technically feasible.

SCALIBIT may — in rare cases — assist with resetting credentials or performing system reinstalls only when explicitly authorized by the Customer or legally compelled through a valid and binding court order. Even in such cases, access depends exclusively on hardware-level capabilities and cannot override operating system authentication, encryption, or customer-controlled access controls.

SCALIBIT does not know or retain the SSH port number, RDP configuration, or any post-deployment changes made by the Customer, including firewall rules, installed applications, port forwarding, or network-level access policies. After provisioning, all such configurations are exclusively customer-controlled.

In cases where SCALIBIT is asked to “reset a password”, this can only be performed via an operating system reinstallation, rescue boot, or hardware-level reset — and only if encryption is not enabled. SCALIBIT cannot retrieve or reveal the existing password, nor override system-level protections such as full-disk encryption, SSH key-based login, MFA, or passphrase prompts.

6.2 Provisioning, Metadata, and Infrastructure Records Only

SCALIBIT’s systems generate and retain only limited infrastructure metadata necessary for billing, provisioning, network allocation, compliance, and lawful request validation. This administrative metadata may include:

• Assigned IP address(es), corresponding customer account, and timestamp of assignment
• Service activation, suspension, or cancellation timestamps
• Hardware specifications, bandwidth quota, network routing, or rDNS configuration metadata (if applicable)
• Client Portal or SCALIBIT Panel login metadata (limited to timestamp and IP — no session content)
• Order reference numbers, invoice identifiers, and customer billing/contact information (as provided by customer)

These records do not include any server-level logs, SSH/RDP access logs, hosted content, or system-generated application data. All content, user activity, and system logs reside solely within the customer-managed environment.

SCALIBIT does not host, retain, or process mailbox content, email communications, or message logs. Mail servers running on Virtual Machines (VMs), Cloud Servers, Dedicated Servers or Bare Metal Servers, and GPU Servers are fully customer-controlled and customer-used, and SCALIBIT has no technical ability to access or retrieve any mailbox data, message logs, headers, or content residing within those systems.

The metadata retained by SCALIBIT is strictly limited to infrastructure administration records. This metadata is used for billing, provisioning diagnostics, and lawful validation only. It does not include:

• SSH/RDP login history or system authentication logs
• cPanel/WHM login content, admin logs, or command history
• Mail transfer logs, inbox contents, SMTP/IMAP details, or email headers
• HTTP logs, web analytics, access/error logs, or vulnerability scan records
• Bandwidth usage per URL, per IP, or per request (only total data transfer quota is retained)

All system-level content, activity records, and log files are generated and stored exclusively within the customer-controlled and customer-used operating system, and are not mirrored, replicated, or backed up by SCALIBIT in any form.

6.3 Temporary Credentials for Support — Strict Usage Control

In rare cases where a customer voluntarily provides temporary credentials for troubleshooting or system recovery:

• Credentials must be shared exclusively via the secure Client Portal ticket system
• Used strictly for the authorized support purpose, under time-limited access
• Immediately invalidated, revoked, or reset following resolution
• Never retained, archived, or reused by SCALIBIT personnel

Customers are strongly advised to revoke or change temporary credentials immediately following issue resolution. SCALIBIT does not accept credentials via email, phone, chat, or third-party sharing methods.

6.4 Encryption, Credential Custody & Access Impossibility

If customer systems employ full-disk encryption, password hashing, SSH key authentication, or other cryptographic protections, SCALIBIT cannot decrypt, recover, reconstruct, or bypass protected content — even if console, hypervisor, or hardware access is available.

• SCALIBIT does not store or retain encryption keys, passphrases, or SSH private keys
• Console or IPMI access does not override encryption, password prompts, or MFA protection
• Encrypted data, backups, or archives remain inaccessible without Customer cooperation

Console access, hypervisor access, or remote management (IPMI/iDRAC/iLO) do not bypass full-disk encryption, passphrase entry screens, SSH key-based authentication, or MFA enforcement. If encryption or authentication is Customer-controlled, SCALIBIT cannot unlock or recover data without valid credentials voluntarily provided by the Customer.

For lawful requests involving encrypted or customer-held data, requesting authorities must seek access directly from the Customer or Data Controller, not from SCALIBIT.

7. DATA RETENTION & CONTROL BY CUSTOMER

Customers retain full custody, control, and responsibility over all data hosted on their Virtual Machines (VMs), Cloud Servers, Dedicated Servers or Bare Metal Servers, and GPU Servers. SCALIBIT does not monitor, replicate, store, or retain any customer server content, credentials, system-level logs, or hosted data — unless a separate and explicitly contracted Backup Service is enabled.

Accordingly, SCALIBIT cannot access, restore, decrypt, or retrieve any customer-stored data, credentials, backups, or logs once they have been deleted, encrypted, or overwritten by the Customer — even under subpoena, court order, or warrant — if the data no longer exists or was never stored by SCALIBIT.

7.1 Data Deletion by Customer

When a Customer deletes content, formats a disk, performs manual data wiping, reinstalls an operating system, or cancels a service, all associated data is permanently and irreversibly deleted from the server. SCALIBIT does not maintain any hidden archives, internal copies, or secondary backups of such erased data.

• Full OS reinstall → permanently deletes files, databases, logs, and credentials
• Service cancellation → triggers complete removal of hosted content and metadata
• Customer-initiated encryption → renders data technically inaccessible to SCALIBIT

Once deleted or overwritten, data is technically unrecoverable. SCALIBIT cannot restore or reconstruct any removed files, credentials, or logs — even under lawful request — because the data no longer exists.

SCALIBIT does not retain any alternate, hidden, or secondary copies of customer data. Once removed or replaced by the Customer, data is technically non-recoverable, and SCALIBIT cannot restore or recreate it — even when legally compelled — because it no longer exists within SCALIBIT custody.

7.2 Operating System Reinstallation Effects

Customers may reinstall an operating system via SCALIBIT’s management portals or through out-of-band management interfaces (e.g., IPMI, iDRAC, iLO, or KVM-over-IP). These actions permanently wipe all existing server data, including:

• Files, databases, backups, and hosted applications
• SSH/RDP credentials, API keys, and encryption configurations
• System logs, SSH histories, and firewall port settings

SCALIBIT does not retain or log any previous SSH ports, administrator passwords, database credentials, or encryption configurations once a server is reinstalled. Restoration is only possible if the Customer has separately retained backup or encryption keys. A wiped or freshly installed system contains no recoverable traces of any previous credentials, files, logs, or hosted applications.

7.3 Full Customer Custody & Custodian Responsibility

Customers act as the sole Data Custodian for all content stored, transmitted, or processed on their hosted services — including files, databases, system logs, encryption keys, SSH credentials, API tokens, ML/AI training artifacts, and user activity data. SCALIBIT has no visibility into customer data governance, retention policies, or regulatory compliance obligations.

Customers are fully responsible for:

• Applicable U.S. privacy laws (CCPA/CPRA), EU GDPR, UK GDPR, or other jurisdictional data protection compliance
• Defining retention periods, data destruction, anonymization, or encryption policies
• Managing access credentials, identity authentication, and key custody
• Responding directly to lawful requests involving hosted content or decrypted data

Legal authorities seeking access to actual content, user logs, or decrypted data must contact the Customer directly — not SCALIBIT.

SCALIBIT has no authority or independent right to alter, manage, or delete any content hosted within customer-controlled environments. All hosted content — including websites, applications, databases, AI workloads, and user communications — remains exclusively under the Customer’s custody and administrative control.

However, SCALIBIT reserves the limited right, without accessing content, to suspend, restrict, or terminate services where legally required to comply with applicable law, court orders, intellectual property infringement notices (such as DMCA/Fikir ve Sanat Eserleri Kanunu), or valid law enforcement instructions. Such actions do not involve accessing or modifying customer- hosted content, but rather suspending network or platform-level service delivery.

SCALIBIT is not a joint data controller or co-custodian. All requests involving the disclosure of customer-stored content, decrypted data, or user information must be directed to the Customer or legal Data Controller, not SCALIBIT.

7.4 Backups, Encryption & Irrecoverability

SCALIBIT does not automatically create, retain, or manage backups for any customer service unless the Customer explicitly purchases a separate Backup Service. Customers are responsible for their own backup, disaster recovery, encryption, and key management strategies.

When data is encrypted, deleted, or overwritten by the Customer:

• SCALIBIT cannot decrypt, recreate, or retrieve plaintext data
• Encryption keys, passphrases, and SSL certificates are not stored by SCALIBIT
• No recovery is possible — even under binding legal process — if the data no longer exists

Customers are free to determine the format, structure, and protection level of all data stored within their hosted environments — including plain-text, masked, pseudonymized, or encrypted forms. SCALIBIT does not impose any requirement regarding encryption or data structure, nor does it retain any keys, tokens, or credentials related to such protected data.

Compliance reference: 18 U.S.C. §2703(f) (U.S. Electronic Communications Privacy Act – data preservation), EU GDPR Articles 17 and 28, UK GDPR (as applicable), and U.S. State Privacy Laws including CCPA/CPRA.

SCALIBIT cannot bypass encryption or recover deleted data — even with a binding legal request — if the Customer has removed, wiped, or encrypted that data prior to the request. This is a direct result of SCALIBIT’s infrastructure-only operational model and the technical impossibility of recovering erased or customer-encrypted content.

8. RESPONSE TIME & COMMUNICATION

SCALIBIT processes legally valid and properly served requests in accordance with applicable laws, internal verification procedures, and the chronological order in which such requests are received — unless a properly identified emergency or expedited disclosure applies under statutory provisions (e.g., 18 U.S.C. §2702(b)(8) or Host-Country emergency/legal exceptions).

Estimated response time may vary depending on:

• Type, scope, and legal authority of the submitted request
• Completeness and clarity of legal documentation and technical identifiers (IP, timestamps, domain)
• Whether jurisdictional validation, MLAT routing, or international legal review is required
• Nature of requested data: live metadata, archived billing records, or no longer retained
• Whether the requested data ever existed or is still technically available

8.1 Standard Response Window

SCALIBIT generally provides responsive administrative metadata (if available and legally disclosable) within five (5) business days of receiving a valid, binding, and properly served legal request. This timeframe may be extended when:

• Additional verification or clarification is required
• Cross-border jurisdictional review or MLAT procedures apply
• Only archived billing metadata is available (not live system data)
• The requested information never existed or is no longer retained

When legally permissible, SCALIBIT will notify the requesting authority of any expected delay, insufficiency, or additional requirements needed to process the request.

Valid legal requests are handled in the chronological order received, unless officially identified as emergency or expedited under applicable legal provisions.

All legally valid requests are processed strictly in the order received, unless formally identified as emergency or expedited under applicable legal provisions. SCALIBIT does not provide live monitoring, surveillance, or real-time data interception under any circumstances.

8.2 Emergency Handling & Expedited Disclosure

Requests involving an imminent threat to life, serious bodily harm, child protection, terrorism, or critical cybersecurity incidents may qualify for expedited processing under provisions such as 18 U.S.C. §2702(b)(8) or applicable Host-Country emergency frameworks.

For emergency consideration, the request must:

• Be clearly labeled as “EMERGENCY DISCLOSURE REQUEST”
• Include factual and legal justification demonstrating urgency
• Identify the statutory emergency authority supporting such disclosure
• Provide specific technical identifiers (IP, domain, logs, timestamps in UTC)
• Include official agency contact details (government email and phone)

For detailed emergency procedures, see Section 2.6 — Emergency or Expedited Disclosure Requests .

Expedited processing applies only to the validation and review of the request — it does not grant access to content, encryption keys, or customer systems beyond what is legally authorized, technically feasible, and retained within SCALIBIT’s administrative systems.

8.3 Questions & Clarifications

All clarification, process confirmation, or non-urgent inquiries regarding lawful request handling must be submitted strictly in writing to: legalrequests@scalibit.com

Written submission ensures security, verification, audit traceability, and confidentiality. SCALIBIT will not confirm, interpret, or process legal requests through general support channels.

For confidentiality, legal integrity, and audit requirements, SCALIBIT will not confirm, interpret, or process legal requests through support tickets, live chat, sales chat, or telephone inquiries. All lawful request communications must be made strictly in writing to the designated address.

8.4 No Phone / Chat / Informal Processing

For legal, privacy, confidentiality, and compliance reasons, SCALIBIT does not accept or process legal requests through:

• Phone calls or voicemail
• Live chat, support chat, or sales chat
• Fax or SMS
• Social media (LinkedIn, Facebook, X/Twitter, Instagram, etc.)
• General support tickets or client portal messages

For security and traceability reasons, SCALIBIT does not process or discuss legal requests by phone, fax, chat, or social media — only written submissions via authorized channels are accepted.

Compliance references: ECPA (18 U.S.C. §2702, §2703(f)), EU GDPR Articles 12 and 15, UK GDPR (as applicable), MLAT-based judicial cooperation, host-country data protection laws, and recognized international lawful authority processing standards.

Only written, properly served legal requests sent to legalrequests@scalibit.com will be reviewed. Informal communications — including phone calls, chat, social media messages, or general support tickets — are not considered valid submissions under this Policy.

SCALIBIT cannot produce, disclose, or recover customer content, credentials, logs, or encrypted data that it does not retain, cannot access, or has been deleted, encrypted, or never stored within SCALIBIT’s systems.

9. AI-GENERATED CONTENT, SYNTHETIC IDENTITY, AND GPU INFRASTRUCTURE LEGAL REQUESTS

SCALIBIT operates strictly as a neutral technical infrastructure provider. We do not monitor, inspect, classify, analyze, moderate, reconstruct, store, or retain any content hosted, generated, processed, or transmitted through customer-controlled and customer-used services — including AI-generated, human-generated, synthetic, manipulated, biometric, deepfake, or model-assisted content.

SCALIBIT has no technical capability, legal authority, or contractual permission to determine whether any content is AI-generated, synthetic, altered, manipulated, authentic, or biometric in nature. We do not host, store, retain, or produce any AI model weights, training datasets, inference outputs, prompt logs, facial/voice embeddings, synthetic identity reconstruction data, or biometric classification records.

9.1 Infrastructure-Only Role (No Content Access or Analysis)

SCALIBIT provides infrastructure-level hosting, compute, networking, virtualization, and storage services — including Virtual Machines (VMs), Cloud Servers, Dedicated Servers or Bare Metal Servers, and GPU Servers. Customers independently deploy, configure, and control all operating systems, applications, security controls, AI/ML tools, datasets, identity systems, and content hosted within their environments.

SCALIBIT does not:

• Host, store, or retain AI training files, model weights, inference logs, or synthetic fingerprints
• Classify or verify whether content is AI-generated, human-originated, manipulated, or biometric
• Inspect or analyze application-layer inputs/outputs (text, video, image, audio)
• Reconstruct, interpret, or monitor synthetic activity or automated decision-making
• Store encryption keys, biometric identifiers, or facial/voice model data

9.2 No AI Classification, No Synthetic Identity Analysis

SCALIBIT cannot detect, confirm, or validate whether any content:

• Is AI-generated, human-generated, co-created, or algorithmically modified
• Contains synthetic identity data, voice cloning, deepfake facial mapping, or biometric overlays
• Was produced by ML inference, neural training, reinforcement learning, or automated tools

SCALIBIT does not create, retain, or provide any:

• Inference logs, prompt usage records, or model fingerprints
• AI decision trees, accuracy metrics, or manipulation scores
• Content authenticity indicators, image/video hashing, or biometric classification markers
• Voice or facial recognition samples, synthetic identity reconstruction files, or model token logs

Requests seeking proof of whether content is AI-generated, synthetic, manipulated, authentic, or human-originated cannot be fulfilled by SCALIBIT. Such inquiries must be directed to the Customer or the relevant AI model/tool/platform operator.

Legal requests claiming involvement of AI-manipulated or synthetic identity content (e.g., deepfake impersonation, voice cloning, election interference, cyber-enabled fraud, identity theft, or child exploitation) must be directed to the Customer or relevant platform operator. SCALIBIT cannot analyze or validate any such content or its origin.

The disclosure limitations described in this section apply equally to AI-generated, human-created, co-created, or hybrid content, unless otherwise required by a valid and binding legal order.

9.3 What Authorities Must Specify

Legal requests involving AI-generated, manipulated, or synthetic identity material must clearly specify:

• Precise IP address(es), domain(s), or technical identifiers involved
• Exact UTC timestamp(s), including activity time windows where applicable
• Service type (Virtual Machines (VMs), Cloud Servers, Dedicated Servers or Bare Metal Servers, and GPU Servers)
• Legal authority basis (fraud, identity theft, cybercrime, election interference, child exploitation, etc.)
• Any relevant legal framework:
  • EU AI Act — Regulatory classification of AI systems
  • EU GDPR Articles 9 & 22 — biometric data, special categories of personal data, and automated decision-making
  • BIPA (Biometric Information Privacy Act)
  • Electronic Communications Privacy Act (ECPA)
  • 18 U.S.C. §2703(f) — preservation request (if applicable)
  • Budapest Convention on Cybercrime — identity fraud & cyber-enabled offenses

Where legally valid, SCALIBIT may preserve limited existing metadata in accordance with 18 U.S.C. §2703(f) — only if such metadata exists and is technically available.

9.4 Disclosure Limitations (Same as Standard Requests)

AI-related legal inquiries are handled under the same disclosure limitations described in Section 3 — Data Access & Disclosure Limitations. SCALIBIT may only provide existing Non-Content administrative records, such as:

• Customer identification and registration information
• Service activation or cancellation timestamps
• IP address assignment logs and hardware provisioning metadata
• Billing records, payment identifiers, and account status metadata
• Panel login metadata (limited to SCALIBIT-controlled systems)

SCALIBIT cannot disclose or produce any:

• AI-generated content, inference logs, prompt histories, or behavioral outputs
• Model fingerprints, synthetic identity files, deepfake detection results, or biometric samples
• Hosted content, server-level files, application logs, or OS-level data
• Packet-level network traffic, user activity, or AI authenticity analysis

Cross-border or foreign legal requests involving AI-generated or synthetic identity content are processed strictly through MLAT (Mutual Legal Assistance Treaty) or applicable international judicial cooperation channels, and only if validated by competent U.S. or Host-Jurisdiction courts.

For additional reference, see the SCALIBIT AI & GPU Server Usage Policy .

SCALIBIT's role is strictly limited to infrastructure administration. Legal authorities requiring access to AI-generated content, model analysis, authenticity validation, inference logs, or biometric data must contact the Customer or Data Controller directly.

10. TRANSPARENCY & REPORTING

SCALIBIT is committed to legal accountability, compliance visibility, and transparency in handling lawful requests for customer information. While respecting customer privacy, sovereignty of data, and applicable confidentiality restrictions, SCALIBIT may — where legally permissible — publish aggregate, anonymized statistics summarizing the nature and frequency of law enforcement and legal data access requests.

Such transparency reporting, when published, is intended exclusively to provide public insight into the type and volume of legal requests — without disclosing any customer-specific, service-specific, or request-specific information — and while fully complying with applicable U.S. Federal and State laws, EU GDPR, UK GDPR, and other applicable data protection regulations.

10.1 Disclosure Log & Recordkeeping

SCALIBIT maintains secure internal audit records of valid, properly authenticated legal requests received from government or judicial authorities. These records are retained solely for compliance, audit trail, legal verification, and defense purposes and may include:

• Date of receipt, processing, and response
• Issuing authority and jurisdiction (no personal identifiers)
• Type of legal process (e.g., subpoena, warrant, court order, MLAT, preservation request under 18 U.S.C. §2703(f))
• Category of information requested (e.g., subscriber metadata, account identifiers, or administrative records)
• Compliance determination (fulfilled, rejected, or further clarification requested)

These detailed logs are not publicly disclosed and are accessible only to authorized SCALIBIT compliance personnel.

10.2 Annual Transparency Summaries

At its sole discretion — and only where permissible under applicable law and confidentiality restrictions — SCALIBIT may publish annual transparency summaries containing general, anonymized, and statistical-only information such as:

• Total number of legal requests received (high-level volume only)
• Types of requests (e.g., preservation orders, metadata requests, court orders)
• General jurisdictional sources (e.g., U.S., EU, Other Regions)
• Approximate compliance determination rates (fulfilled vs. denied)

These summaries never reveal customer names, email addresses, service identifiers, specific IP addresses, timestamps, account identifiers, or any detailed request contents.

10.3 Aggregate Reporting Only (Non-Identifiable)

All reporting — whether internal or public — is strictly aggregate-only and fully anonymized. SCALIBIT does not publicly confirm or deny:

• Whether any specific request pertains to a particular Customer, account, or IP address
• Whether SCALIBIT has received a legal request from a specific government or agency
• Whether data was disclosed in connection with any particular customer or incident
• Any specific court order, subpoena, request copy, or legal correspondence

SCALIBIT never publishes or identifies:

• Customer names, contact data, or billing information
• Server IDs, IP addresses, or infrastructure identifiers
• Business, service usage, traffic, log, or content-related records
• Specific issuing agency, case identifier, or investigation status

Any public reporting — including transparency summaries — may be delayed, modified, or withheld if required under confidentiality obligations, non-disclosure restrictions, or enforceable court orders.

SCALIBIT does not indicate whether any specific government, security, or intelligence agency has issued a National Security Letter (NSL), FISA order, or other gag-restricted request, and it does not provide warrant canary notifications.

For related legal frameworks, see Section 1 — General Legal & Disclosure Principles and Section 3 — Data Access & Disclosure Limitations.

This Legal Requests Policy forms an integral part of the Terms of Service (ToS), the Privacy Notice, the Acceptable Use Policy (AUP), and the AI & GPU Server Usage Policy of SCALIBIT.com.

11. POLICY INTEGRATION & LEGAL EFFECT

This Law Enforcement & Legal Requests Policy is a legally binding component of SCALIBIT’s overall Legal, Compliance, and Governance Framework. It governs the handling, evaluation, and response to lawful requests for customer-related information and applies to all SCALIBIT infrastructure and services — including Virtual Machines (VMs), Cloud Servers, Dedicated Servers or Bare Metal Servers, and GPU Servers.

11.1 Terms of Service Linkage

This Policy is incorporated by reference into SCALIBIT’s Terms of Service (ToS) and holds the same contractual effect. All provisions of the ToS — including definitions, disclaimers, liability limitations, and governing law — apply equally to all procedures described in this Policy.

In any legal, compliance, or dispute resolution context, the Terms of Service serve as the primary contractual authority, with this Policy acting as a supplementary legal disclosure framework.

11.2 Privacy Notice / AUP / AI Usage

This Policy must be interpreted alongside the following SCALIBIT legal documents:

• Privacy Notice
• Acceptable Use Policy (AUP)
• AI & GPU Server Usage Policy

Unless otherwise required by law, the following priority order applies:

1. Terms of Service (ToS)
2. Privacy Notice
3. This Law Enforcement & Legal Requests Policy
4. Acceptable Use Policy (AUP)
5. AI & GPU Server Usage Policy

11.3 Supersession Clause

This document supersedes and replaces all prior versions of SCALIBIT’s Law Enforcement, Data Disclosure, or Legal Request Policies — including any unpublished, archived, or informal versions. Earlier versions are considered expired and unenforceable upon publication of this current Policy, except where retention is required for historical audit or regulatory inspection purposes.

Any prior verbal, informal, or unpublished guidelines are invalid and non-binding unless explicitly incorporated into this current Policy.

SCALIBIT reserves the right to amend, modify, or update this Policy at any time to reflect changes in applicable laws, regulatory requirements, infrastructure jurisdiction, or service offerings. Updated versions shall become legally binding upon publication at SCALIBIT.com.

11.4 Governing Law & Enforcement

SCALIBIT LLC is legally headquartered in the State of Wyoming, United States. Accordingly, this Policy is governed by and construed in accordance with the laws of the United States and the State of Wyoming, without regard to conflict-of-law principles — except where mandatory data protection or data localization laws of the host country in which the infrastructure is physically located require otherwise.

Any legal actions, claims, or disputes relating to this Policy shall be adjudicated exclusively in the State or Federal Courts located in Wyoming, USA, unless applicable law expressly mandates an alternate jurisdiction. Parties submitting legal requests to SCALIBIT acknowledge and consent to this jurisdictional framework.

SCALIBIT will comply with lawful cross-border disclosure requirements only when supported by valid and binding legal authority in both the United States and the host country, such as through MLAT-based judicial cooperation, the U.S. CLOUD Act (18 U.S.C. §2523), GDPR Article 48 exceptions, or other mutually recognized international legal cooperation frameworks.

Last Reviewed: November 1, 2025
Compliance Verification: SCALIBIT Legal Compliance Department — Wyoming, United States.