Distributive Corp.
Suite 403, 303 Bagot Street
Kingston ON Canada K7K 5W7
Updated: 25 November, 2024
PRIVACY POLICY
IN NO EVENT SHALL THE COMPANY BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING LOST PROFITS, ARISING OUT OF THE USE OF THE SOFTWARE, THE NETWORK AND ITS DOCUMENTATION, EVEN IF THE COMPANY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
THE COMPANY SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE, THE NETWORK, AND ACCOMPANYING DOCUMENTATION, IF ANY, PROVIDED HEREUNDER IS PROVIDED "AS IS". THE COMPANY HAS NO OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
Distributive Corp. ("Distributive") is a Canadian corporation that maintains and operates the Distributive Compute Platform ("DCP") and its corresponding products, services, and offerings.
Distributive is bound by the terms of this privacy policy ("Policy", "Agreement", or "Framework"). Distributive will be referred to by "We", "Us", "Company", and "Our" throughout this policy.
Distributive’s registered office is at 303 Bagot St. Suite 403, Kingston, K7K 5W7, Ontario, Canada. The corporation is under the prudential supervision of Canadian authorities for tax compliance, legal relations, and all other operating purposes.
This privacy policy is designed to inform all customers, compute providers, business partners, regulatory entities, and all other relevant entities (collectively, "Users") about our privacy practices. It describes the exact terms we use in our service, how we collect, store, protect, and utilize data, as well as other important operational disclosures as they pertain to data.
For the purposes of this Policy, Users are determined to be any natural person, corporation, or other entity which interacts with Distributive or its products through all online and offline channels.
In this policy, we sometimes refer to "You" or "Your". These terms will generally refer to every category of User described above, unless otherwise specified to describe a specific entity described in the section Definitions.
Please contact the Company if you have any questions about our privacy practices that are not addressed in this Policy.
“DCP” means the Distributive Compute Platform, Distributive’s distributed computing orchestration and monetization software platform that allows Users to buy, sell, or trade computing power on public or private networks;
“DCP Job” means the computer code describing a data-parallel or embarrassingly parallel workload to be distributed on DCP and the data associated with that workload. A DCP Job is sliced into individual computations for distributed execution;
“DCP Job Slice” means an element of a DCP Job that gets distributed to a DCP Worker for execution.
“dcp-client” means the software library which is distributed with DCP applications that contains utility functions for authentication, encoding DCP messages, dispatching DCP Jobs, executing work, querying various services, etc;
“DCP Compute Credits” denoted by ⊇ or DCC, means the unit of account used to meter computing resource consumption within DCP computing networks (similar to how kilowatt-hours (kWh) meter energy consumption within electrical grids);
“DCP Compute Group” is an abstract concept which associates a collection of DCP Jobs with a collection of DCP Workers, mediated by a variety of AAA (Access, Authentication, Authorization) and accounting means;
“DCP Portal” means the web site to view and manage DCP Bank balances, DCP Jobs, and DCP Compute Groups. The DCP Portal facilitates the purchase and sale of DCP Compute Credits;
“DCP Scheduler and DCP Bank” means Distributive’s proprietary workload orchestrator and DCP Compute Credit ledger, hosted in a secure colocation facility in Toronto, Ontario, Canada, and managed by Distributive;
“DCP Worker” means a software application installed on Client's digital infrastructure and responsible for retrieving and processing slices of DCP Jobs;
“Anonymization” is the deletion or changing of personal data in such a way that it can no longer be assigned to a certain or ascertainable individual or only with a disproportionately high effort in terms of time, cost, and work.
“Cookies” are small files stored on your device (computer or mobile device used to access the Service) that help the Service’s website keep track of visits and activity for the benefit of the User.
“Consent” is any freely given, specific and transparently, well-informed indication of the will of the individual, whereby the individual agrees that his or her Personal Data may be processed.
“Data Controller” means the natural or legal person who determines the purposes for which and the manner in which any Worker Metrics, Job Metrics, Usage Data, and Personal Data are, or are to be, processed.
“Data Processors” (or Service Providers) means any natural or legal person who processes the data on behalf of the Data Controller. Every Data Processor at Distributive will be strictly expected to adhere to this policy. In addition, we may use the services of various Service Providers in strict accordance with this Policy in order to process your data more effectively.
“Data Subject” (or User) is any living individual who is using DCP and is the subject of Personal Data.
“Job Metrics” (or Slice Characteristics) means the execution performance of workloads dispatched by a User onto DCP. Job Metrics are required by the DCP Scheduler for workload scheduling and routing.
“Personal Data” means data about a natural person or living individual who can be identified from that data or from that and other information either in our possession or likely to come into our possession.
“Pseudonymization” is the replacement of an individual’s name and other identifiable characteristics with a label to prevent identification of the individual by unauthorized parties or to render such identification substantially difficult.
“Service” means the distributed computing service provided by DCP plus the Distributive’s website, consulting functions, and any other interactions where financial value is exchanged with any Users.
“Worker Metrics” means metadata pertaining to a DCP Worker’s performance or that is directly relevant to operations, such as workload scheduling and routing, that is collected, processed, or otherwise stored by Distributive.
“Usage Data” is data collected automatically either generated by the use of the Service or from the Service infrastructure itself.
We collect data to provide the Service and fulfill our obligations under applicable Know Your Customer (KYC) regulations, ensuring compliance with anti-money laundering (AML) laws, fraud prevention protocols, and other regulatory requirements.
Our data collection is grouped into four primary categories: Worker Metrics, Job Metrics, Usage Data, and Personal Data. While these categories are mutually exclusive, they are not collectively exhaustive. Therefore, we also recognize secondary types of data, referred to as "Other Data", that may be collected or exposed during the provision of the Service.
Additionally, certain data necessary for Customers and Suppliers to use the Service is provided to and managed by third-party Data Controllers, not Distributive.
Distributive will adhere to privacy laws in all jurisdictions where it operates. Any mandatory registration provisions that may exist according to legal requirements must be observed. Where uncertain, management may consult general counsel.
Collection of data by Distributive, and the disclosure to governmental institutions and authorities, will be carried out only on the basis of specific legal provisions. In all cases, this privacy policy imposes those restrictions that are necessary to meet the legal requirements of these specific laws.
This Policy does not apply to DCP Job Data that a User dispatches to DCP, as it is the customer’s sole responsibility to decide where their workloads are executed. A User may intentionally or unintentionally dispatch their workload to a DCP Compute Group potentially causing it to be executed by DCP Workers in another jurisdiction (for example, DCP Jobs deployed to the Public Compute Group).
This privacy policy is governed and will be interpreted in accordance with the laws of the Province of Ontario, Canada.
If you use Distributive’s services and reside outside of Canada, your information will be transferred here and will be processed and stored here under its stringent privacy standards as well as all other policies listed in this Agreement. By using our services and providing information to Distributive, you consent to such transfer.
We collect pseudonymized Worker Metrics that are necessary for the scheduling, routing, and pricing of DCP Jobs deployed by customers. This data might be collected through direct interaction, or it might be collected indirectly through digital analytics.
Examples of Worker Metrics include, but are not limited to:
We collect pseudonymized Job Metrics that are necessary for the scheduling, routing, and pricing of workloads deployed on DCP.
Examples of Job Metrics include, but are not limited to:
We collect pseudonymized information about general DCP usage patterns through general interactions with the Service. This typically includes non-identifiable data automatically sent by your browser when you access the Service. We use this information to maintain DCP functionality, inform future development, and to inform business decisions.
Examples of Usage Data include, but are not limited to:
We may request that you provide Personal Data to contact or identify you, or to ensure compliance with data residency requirements. Additionally, some of this data may be collected indirectly under this Agreement.
Examples of Personal Data include, but are not limited to:
We may collect data when you interact with the Service or Company through email, our support pages, and more. This may be personally identifiable data, which will be handled in strict accordance with this Policy. Some examples of this might include:
We collect tracking and cookie data to analyze the activity on our Service. Types of Cookies we collect include:
All types of these Cookies may be non-persistent (meaning they will terminate when you close your browser) or persistent (meaning they will persist indefinitely, unless you manually empty your browser’s Cookie and browsing data. All Cookies can be controlled by your browser’s Do Not Track ("DNT") settings. Note that if you do so, some aspects of our Services might not be available to you.
Much of this data will be Pseudonymized or Anonymized through the third party services we use to collect it, and will thus never be personally identifiable. All information is handled under the same strict procedures that are laid out in this Policy, regardless of its category or personally identifiable characteristics.
In addition to the primary categories of data that we collect that are listed above, we may also collect various secondary forms of data. These may be provided directly by you, collected indirectly from your engagement with the Company, or that we may obtain knowingly or unknowingly from third party sources like social media and third-party data providers.
Under this Policy, this information is subject to the same regulations and controls by the Company as are primary sources of User data.
Users may be required to provide additional data to access or utilize our Services. In such cases, the Company does not directly receive or store any data beyond what is identified above.
The Company collaborates with carefully selected business partners (“External Operators”) who may process and store User data on its behalf. These External Operators are chosen based on their adherence to global best practices for data privacy and security. While the Company ensures a high standard of consideration for Users’ data privacy rights, it cannot be held liable for how these operators handle or secure data.
Certain External Operators are classified as Payment Processors. These entities adhere to the PCI-DSS standards managed by the PCI Security Standards Council, a collaboration of brands such as Visa, MasterCard, American Express, and Discover. PCI-DSS ensures secure handling of payment information. Payment Processors also comply with international payment regulations and standards, such as the European Payment Services Directive.
The Company does not store any payment-related sensitive data, such as:
However, we may collect data provided by External Operators directly related to your use of our Services, including but not limited to:
The Company may also use External Operators for analytics, marketing, or similar purposes. These providers are verified to ensure compliance with privacy best practices. Data collected by these entities is categorized as Usage Data.
Since the Company does not own or store data collected by External Operators, this privacy policy does not cover their data collection or usage practices. Users should consult the respective privacy policies of these providers. If you have concerns about their data handling practices, please contact us.
List of External Operators Acting as Data Controllers
Privacy Policy: Braintree Privacy Policy
Privacy Policy: PayPal Privacy Policy
Privacy Policy: Google Privacy Policy
The Company collects data through the regular operation of its Services, as well as in other interactions with Users that fall outside the scope of its primary business. These may be broken into several categories which are all considered to be collected with your Consent by virtue of you confirming this Agreement and using our Services.
We may request and collect several types of information directly from Users through web forms, the digital user interface, by email, and elsewhere that is directly sent as a result of your conscious effort. This information is necessary for the adequate performance of our contract with you to enable you to gain value from our Services, as well as to comply with our legal obligations. Without this information, we may not be able to provide you with all the requested Services.
Users may also opt to provide us with more information that will help us improve our service offering. Some categories of this might include computational skills and training, accreditations, computational research interests, and more. Although this information is not required for accessing the DCP Network, we highly encourage Users to provide any such data they are comfortable sharing that may help us improve our Services.
When you use our Services, we may automatically collect data from several different categories ("Passive Data Collection", or "Passive Data"). These are digitally collected by the information systems the Company has enacted to operate its business. Unlike Information We Collect from Third Parties, the exclusive Data Controller of this information will be Distributive bound by Canadian law and regulations. This information is also necessary for the adequate performance of the contract, to enable us to comply with our legal obligations, and improve the functionalities of our Services in accordance with this Agreement and our legitimate business interests.
Your confirmation of this Agreement and usage of our Services is explicit permission that we may collect this information. You may choose to opt out of some or all of these collections methods, including but not limited to enabling your browser’s DNT function. However, some parts of our Service may not be accessible if you choose to opt out of this, or will otherwise display information that is less valuable and relevant to you.
The company may use third party services and External Operators to collect data about its Users, or request that they collect and handle this data exclusively. These third party services include payments processing partners, as well as software for analytics and general marketing purposes.
Not all data collected by External Operators on behalf of the Company will actually be transmitted to us. In some cases, the only data from these processes that we will handle is aggregate performance reports, general verification announcements, and similarly non-sensitive information. For example, we will store data about how much a Supplier was paid but never their financial information or personal documents.
Each of these External Operators will collect data in different ways, adhere to their own policies, and comply with the appropriate regulations. We are therefore in no way to discuss the specifics in how they collect and handle this data. Their policies can be seen in the previous section entitled List of External Operators Acting as Data Controllers.
We take great steps to ensure that digital data of all descriptions are protected both in situ on production hard drives, backup hard drives as well as in transit from server to client and to long-term backup storage.
All data transferred over the open internet is done through SSH tunneling and is encrypted from point to point. Backups contain transient customer data (example: IP addresses of currently connected workers; JobIDs; Progress data etc.) inherent in backing up the production systems at a particular moment.
Backend data storage is also backed up on a regular basis (daily). This is likewise transmitted via SSH tunneling. Neither source nor destination file systems are encrypted, yet access to server-side and storage systems are protected by Key-only SSH access and is accessible only to internal security personnel.
Backend services that are essential to the functioning of the DCP Network and contain the majority of data identified in Data Collected by Distributive are isolated from the internet and are only accessible from the portal and scheduler hosts.
Qualified system administrators as well as qualified development team members can request access to data for the purposes of support, debugging, and Service improvements.
Access to the backup and production machines is only gained through system administration consisting of Key-Only SSH access. Reasons for data access are limited to issues involving customer support, debugging, dispute resolution, and generating important performance metrics. Anonymized aggregated data and statistical metrics are derived from the data via scripted commands or other querying methods, and are used for understanding operational effectiveness and optimizing system functionality.
Breaches of security that involve the theft of data from our Services as well as our physical office space are taken very seriously ("Personal Data Breach", "Breach"). We constantly monitor system status, machine statistics, and all other incoming and outgoing data.
In the event of a Personal Data Breach, we first determine whether valuable and sensitive data was compromised using log files, system state, and more. A determination as to the severity of the Breach is taken and a decision is made as to what actions to perform, how to mitigate the risk, who to report to, and how to fix the leak. In the case of a serious issue, the entire system will be halted in order to effect repairs and ensure ongoing vulnerabilities cannot be exploited. This response and remediation will have the effect of fixing the breach as well as documenting the updated working process. Following Breach mitigation and resumption of full network operations, retrospective analysis is taken to ensure that learning from this incident takes place and vulnerabilities are eliminated.
Depending on the jurisdiction of the Data Subjects whose data is compromised in a Breach, the Company will take steps to immediately notify the relevant DPAs within 72 hours of becoming aware. If we determine the Breach is likely to result in a high risk of adversely affecting the rights and freedoms of the Users whose data is affected, we will also inform these Users without undue delay.
In the interests of transparency, we will maintain a list of these Personal Data Breaches that Users can request from us at any time by contacting privacy@distributive.network.
If the Company undertakes or is involved in any merger, acquisition, reorganization, sale of assets, bankruptcy, or insolvency event, then your data might be transferred in conjunction with this event for reasons such as due diligence. In this event, we will notify you before your personal information is transferred and becomes subject to a different privacy policy. Before this time, you will have the same rights afforded to you by this Policy including the Right to erase, access, or restrict the processing of this data.
Distributive may disclose your Personal Data in the good faith belief that such action is necessary to:
The Company as your Data Controller is committed to maintaining global best practices for the handling and storage of your information as the Data Subject. Therefore, you may exercise any of the rights listed below at any time by sending an email to privacy@distributive.network.
Please note that we may ask you to verify your identity and confirm your request before taking action. Once we have all the appropriate information, we will take action within 72 hours unless the response time for this action is even less as specified under GDPR requirements.
In addition to all of these rights below, you the User have the Right to refuse to become a Data Subject at all. However, your use of the Service and confirmation of this Agreement represents explicit Consent to become a Data Subject. In other words, if you refuse all data collection then you will not be able to use any of our Services.
You have the right to be informed about what data we collect, how we collect it and store it, and how we use it. You also have a right to be informed about what other entities may gain access to your data, and the process by which we will transfer ownership of such.
You also have a right to be informed about how you can dispute a provision of this agreement or lodge a complaint with the appropriate regulatory body ("Data Protection Authority", "DPA").
You have the Right to request access to your own data that is held by the Company, as well as specific details about how it is being used. Each request to do so will be considered a "Subject Access Request" under GDPR, and will be processed as such.
You have the Right to require that we correct errors in any information that we may hold, and that we permanently erase all such mistaken information.
You have the Right to request that we erase all data that we hold on you, or withdraw your consent to future data collection and processing. In this case, we will not collect any more information from you as well as securely delete all existing information we do hold.
Your ability to access our Service may be severely limited or even removed as a result of this action.
You have the Right to strictly limit the purposes for which we may process your data. In this case, we will segregate the designated data that you do not wish to be processed from your main profile. If we must resume processing of this information for any legal obligation, we must inform you in a concise manner as soon as possible.
You may also object that any data we hold be processed in any form whatsoever.
Your ability to access our Service may be severely limited or even removed as a result of this action.
You have the Right to obtain and reuse your data that we hold as the Data Controller. In this action, we will provide you with a secure but easily transmittable copy of some or all of this data for you to transfer to another IT environment.
You have the right to not be subject to decisions that will significantly affect you that are made solely by automated processing. You also have the Right to request the ways in which we implement this type of automated processing.
Even if you give your continued consent to this type of processing, you also have the right to request human intervention, express your point of view, obtain an explanation of the decision making process, and challenge the ultimate decision.
The Company maintains a legal basis for collecting Personal Data and all other categories of data in the European Union under the following four out of six allowable scenarios:
Under GDPR, the Company is not required to have a dedicated employee who ensures we apply all laws protecting your data ("Data Protection Officer", "DPO"). This is because we do not meet any of the three cases where a Data Controller must designate such a DPO. We also are not required to have an EU representative, since the Company does not meet any of the three thresholds for which a representative must be appointed. Namely, we process Personal Data only occasionally, this processing does not relate to special or sensitive categories of Personal Data, and this processing is unlikely to result in a risk to the rights and freedoms of EU Data Subjects.
This Agreement satisfies the fundamental rights of all EU citizens in the section Customer Data Rights. These same rights also apply to non-citizens of the EU who are Users of our Services.
The Company follows the regulations and guidelines of the 10 Fair Information Principles that are set out by PIPEDA. This Agreement pertains directly to the principles of Identifying Purposes, Consent, Limiting Collection, Limiting Use, Disclosure, & Retention, Accuracy, Safeguards, Openness, and Individual Access.
The Company fulfills the principle of being Accountable for its compliance through its appointment of a Canadian Privacy Officer ("Privacy Officer") who ensures the other principles are upheld. We also fulfill the principle of Challenging Compliance through informing our Users how they can raise a complaint, and providing appropriate review and records from our end to satisfy this.
Under PIPEDA, any User may be able to challenge our compliance with these principles by addressing the issue to our Privacy Officer via email at privacy@distributive.network.
The Company follows the California Online Privacy Protection Act. This Policy addresses all requirements of the law, as does our website which clearly displays it using obvious contrast to the rest of the page. This policy was written with the intention to be readable by the average person, and meets all data requirements of the law in the section Customer Data Rights.
We do support Do Not Track requests. A Do Not Track is a preference you can set in your web browser to inform websites that you do not want to be tracked. You can enable or disable Do Not Track by visiting the Preferences or Settings page of your web browser.
The Company is compliant with all provisions of the APPI Act that apply to companies who supply a good or service in Japan, collect data about a Principal, and store this data in a foreign country (collectively, "Foreign Business Operators", "FBO"). A "Principal" under the APPI Act is substantially the same legal entity as a Data Subject defined in this report.
Further, we do not request, nor do we foreseeably expect to handle data that is highly sensitive and personally identifiable such as medical history, criminal history, or race ("Special-Care Required Personal Information").
Although we are not regulated by definition under the Australian Privacy Principles Act, we are compliant with the 13 Privacy Principles contained within it.
The Company is compliant under the 2018 Data Protection Act of the United Kingdom, which is the UK’s national implementation of the GDPR Act. We meet all requirements for the collection and use of personal information it stipulates directly through the section Customer Data Rights.
We do not collect any information the DPA identifies as being sensitive such as race, ethnic background, political opinions, genetics, and more.
Our Service does not address anyone under the age of 13 ("Children"). We do not knowingly collect Personal Data from anyone under the age of 13. If you are a parent or guardian and you are aware that your Child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from children, we take steps to permanently and securely erase that information from our servers.
If you would like to dispute any portion of this Agreement or believe we are non-compliant with your data, please contact us first. We will investigate and attempt to resolve complaints in accordance with this Policy and the applicable law.
If this does not satisfactorily resolve your complaint, you have a right to file a complaint with the competent data authority from your jurisdiction.
We reserve the right to update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page. We will also let you know via email and/or a prominent notice on our Service, prior to the change becoming effective and update the "effective date" at the top of this Privacy Policy.
You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.
We reserve the right to delete User data that is listed on our service which we believe by our sole discretion to be misleading, false, or misrepresentative. This will be in accordance with the same due process outlined in this document.
Any User whose data is removed in such a way may see their Service privileges revoked.
If you have any questions about this Privacy Policy, please contact us: