Koios Global – Global Data Privacy Compliance Statement

Effective Date: October 6, 2025
Last Updated: October 6, 2025

Introduction

Koios Global (“we,” “us,” “our”) is committed to protecting personal data in compliance with applicable data protection and privacy laws worldwide.
This Global Data Privacy Compliance Statement describes our adherence to key international frameworks governing personal information, including:

  • The European Union General Data Protection Regulation (EU GDPR)

  • The United Kingdom General Data Protection Regulation (UK GDPR) and UK Data Protection Act 2018

  • The Swiss Federal Act on Data Protection (FADP)

  • The United States privacy regimes, including the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)

  • The People’s Republic of China Personal Information Protection Law (PIPL)

This statement supplements Koios Global’s Privacy Policy by clarifying how we align with regional regulatory requirements, ensure lawful data transfers, and maintain consistent protections globally.

European Union (EU) – GDPR Compliance

Koios Global acts as a data controller or data processor depending on the nature of our engagement.
We process personal data in accordance with the principles set forth in Regulation (EU) 2016/679 (GDPR), ensuring:

  • Lawfulness, fairness, and transparency in all data processing.

  • Purpose limitation — data is processed only for legitimate and clearly defined purposes.

  • Data minimization — only information necessary for those purposes is collected and retained.

  • Accuracy and integrity of all stored data.

  • Security and confidentiality through appropriate technical and organizational measures.

Data subjects in the EU are entitled to rights under Articles 12–22 of the GDPR, including access, rectification, erasure, restriction, portability, and objection.
Koios Global maintains internal policies and Data Protection Impact Assessment (DPIA) procedures where required.

For transfers outside the European Economic Area (EEA), we implement Standard Contractual Clauses (SCCs) and additional safeguards as approved by the European Commission.

United Kingdom (UK) – UK GDPR & Data Protection Act 2018

Following the UK’s withdrawal from the EU, Koios Global complies with the UK GDPR and Data Protection Act 2018, which mirror GDPR obligations but apply to data processed under UK jurisdiction.

Cross-border transfers from the UK are governed by the UK International Data Transfer Agreement (IDTA) or Addendum to the EU SCCs, as issued by the UK Information Commissioner’s Office (ICO).
Koios Global maintains a UK-based representative where required and cooperates with the ICO on regulatory oversight.

Switzerland – Federal Act on Data Protection (FADP)

Koios Global adheres to the Swiss Federal Act on Data Protection (FADP), which governs the processing of personal data by both private entities and federal bodies.

For transfers from Switzerland to non-adequate jurisdictions, we apply the revised EU SCCs adapted for Swiss law, ensuring equivalency of protection.
We also cooperate with the Swiss Federal Data Protection and Information Commissioner (FDPIC) where oversight or inquiry is required.

Our Swiss data protection commitments extend to respecting individual rights to access, correction, and deletion, and ensuring that personal data is processed lawfully and proportionately.

United States – CCPA, CPRA, and Other State Privacy Laws

Koios Global respects and complies with applicable U.S. privacy laws, including the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA).

We recognize and uphold the following principles for U.S. residents:

  • Right to know what personal information is collected and how it is used.

  • Right to access, correct, and delete personal data.

  • Right to opt out of the sale or sharing of personal data (Koios Global does not sell personal information).

  • Right to non-discrimination for exercising privacy rights.

In addition to California, Koios Global monitors emerging U.S. state-level data protection laws (including those in Virginia, Colorado, Connecticut, and Utah) and applies consistent safeguards across all jurisdictions.

We maintain robust information security controls aligned with U.S. regulatory expectations and sectoral laws applicable to financial, healthcare, and professional services data.

People’s Republic of China – Personal Information Protection Law (PIPL)

Koios Global complies with the Personal Information Protection Law of the People’s Republic of China (PIPL) when processing personal information related to individuals within China.

Under the PIPL, we ensure:

  • Lawful, justified, and necessary processing consistent with specified purposes.

  • Separate and explicit consent for sensitive personal information where required.

  • Localization or approved security mechanisms for cross-border data transfers (e.g., CAC security assessment, standard contractual clauses, or certification).

  • Full transparency on data collection and usage, including data retention and contact information for data controllers.

We respond promptly to data subject requests to access, correct, or delete their personal information and comply with any notification requirements to Chinese regulators in the event of a significant data incident.

Cross-Border Transfers

Given Koios Global’s international presence, data may be transferred between our entities or third-party service providers located in different countries.

We ensure that all transfers comply with applicable legal requirements by implementing:

  • Standard Contractual Clauses (EU/UK/Swiss)

  • Binding Corporate Rules (BCRs) where appropriate

  • Adequacy decisions recognized by relevant authorities

  • Encryption and access control safeguards to maintain confidentiality and integrity

All Koios Global entities and partners processing personal data are bound by equivalent privacy and confidentiality obligations.

Accountability and Governance

Koios Global maintains a global data protection governance framework, which includes:

  • Designated Data Protection Officers (DPOs) or privacy leads in key jurisdictions.

  • Data privacy training for all employees and contractors.

  • Vendor and subprocessor due diligence and contractual safeguards.

  • Incident response protocols for potential data breaches, including notification in accordance with applicable laws (e.g., GDPR Articles 33–34, PIPL Article 57).

  • Periodic reviews of compliance against evolving legal and regulatory standards.

Contact Information

For inquiries, requests, or concerns regarding data protection or privacy compliance, please contact:

Koios Global – Data Protection Office

Email: privacy@koiosglobal.com

Koios Global will respond to verified data privacy requests within the timeframes required under applicable laws.
You may also contact the supervisory authority relevant to your jurisdiction (e.g., the European Data Protection Board, the UK Information Commissioner’s Office, the Swiss FDPIC, or the Chinese CAC).

Updates to This Statement

We may update this Global Data Privacy Compliance Statement periodically to reflect legal developments, regulatory guidance, or operational changes.
The latest version will always be available on our website, with an effective date clearly indicated.