This Data Sovereignty Policy (“DSA”) is a core provision incorporated into the Membership and User Agreement and Privacy Policy of Sourcery Trade, LLC (“Sourcery”). It governs the ownership, control, storage, and monetization of data captured via the Sourcery Connect Platform.

Sourcery is built on the fundamental belief that the individual or entity that creates data should own that data. We reject the traditional platform model where the service provider captures and exploits user data. Instead, we provide the infrastructure for you to capture, process, store manage, and monetize your own digital assets that include data, documents, images, video, audio and other media that you capture in the Sourcery Connect Platform.

1. The Core Provision: Ownership and Control

1.1 User Ownership. You, as the Data Creator or Primary Data Subject, retain full, exclusive ownership and control of all underlying data, documents, and media that you create, upload, or originate via the Sourcery Connect Platform.

1.2 Sourcery’s Recognition. As stated in our Membership Agreements:

“Sourcery recognises and imparts full ownership and control of data (and documents) collected, stored, licensed to the primary data subject.”

1.3 Scope of Data. This ownership applies to all forms of data captured, including but not limited to receipts, invoices, shipping documents, photographs, video, messages, packing slips, farm-level metrics, and related commercial, social, or environmental impact data.

2. Intellectual Property of the Collection Methodology

2.1 Distinction of IP. While you own the content (the data points and documents), you acknowledge that the method of collection is proprietary to Sourcery. 2.2 Sourcery’s IP Rights. Any commercial, transactional, and impact data captured and aggregated via Sourcery is collected using a unique and novel data collection process and methodology that is protected by intellectual property laws in the United States and other jurisdictions. You agree not to reverse-engineer, copy, or replicate this data collection methodology.

3. Technical Implementation: Zero-Knowledge Partner Data Vault (PDV)

To operationalize your data sovereignty, Sourcery employs Self-Sovereign Identity (SSID) technology and a Zero-Knowledge architecture:

3.1 Bluenumber Identity. Your access to data is secured by your Bluenumber (B#), a unique digital identity that links your verified existence to your data. 3.2 Partner Data Vault (PDV). All data you create is encrypted and stored in your Partner Data Vault (PDV).

• Zero-Knowledge Architecture: Your PDV is a zero-knowledge system. This means that by default, Sourcery cannot see, access, or decrypt the raw data stored inside your PDV.

• Encryption Keys: You hold the private digital keys to your PDV. You are the only party that can grant access to the data stored within.

4. Data Monetization and Lifetime Royalty Value

4.1 Purpose of Sovereignty. The Sourcery Data Sovereignty Policy is designed to protect the integrity and privacy of your data specifically to preserve the lifetime royalty value for all Partners.

4.2 Bluechips. When you choose to monetize your data, it is aggregated and anonymized into non-fungible digital assets called Bluechips.

• Licensing: You license the data from your PDV to create the Bluechip.

• Royalties: When Bluechips are sold on the Bluechip Exchange, royalties are paid directly to your wallet in BluePoints (convertible to fiat currency).

• Control: Data is never sold without your permission (manifested through your acceptance of the User Agreement and participation in the Exchange).

5. Restrictions on Sharing & Sourcery Access

To protect the value of the data marketplace and maintain security:

5.1 Restriction. Data captured by the Connect Platform may not be used by a Grower Partner or shared with other Commercial Partners or third parties outside of the Connect Platform ecosystem without explicit written consent from both:

1. Sourcery; and

2. The Data Subject/Owner (You).

5.2 Exception for Trade Disputes (Trust Line). While Sourcery cannot access your data by default, you may grant "View Only" access to specific Sourcery Engagement team members for the sole purpose of resolving trade disputes. This permission must be explicitly granted by you following a formal request via the Trust Line and is revoked immediately upon resolution.

6. Blockchain and Immutability

6.1 Immutable Record. To ensure trust and verify provenance, data hashes (fingerprints of your data) are recorded on a distributed ledger (blockchain). 6.2 No Deletion of History. While you own your data, you acknowledge that blockchain records are immutable. Once written, they cannot be altered or deleted. 6.3 Effect of Deactivation. If you leave Sourcery:

• We sever the link between your personal identity and the blockchain record (pseudonymization).

• The historic ledger entry remains to prove the validity of past trades, but it can no longer be associated with you personally or accessed for new commercial purposes.

7. Third-Party Access (Impact Partners)

7.1 Auditing. To validate your data for Bluechip creation, you may grant temporary access to approved Impact Partners (auditors/verifiers). 7.2 Limited Scope. These partners are granted access only to verify specific data points. They do not acquire ownership of your data, and their access is revoked once the verification is complete, subject to audit record retention laws.

8. Third-Party API Integrations and Data Liability

8.1 Strict Prohibition on Reuse. Any third-party partners connecting via API or other integration methods are strictly forbidden from using any data transmitted into their systems for marketing, resale, data mining, or any commercial purpose other than the specific service functionality authorized by you.

8.2 DPA and Monitoring. Prior to connecting any third-party system, Sourcery executes a specific Data Processing Addendum (DPA) with the partner. We actively monitor the use of data by these partners through metadata analysis, digital signature verification, system tracking, and manual observation by our Data Integrity Teams.

8.3 Liability and Restitution. Third-party partners remain legally liable for any unauthorized use, leakage, or commercialization of your data.

• Penalties: Partners are required to pay fees and damages for verified unauthorized use.

• Distribution to Owners: These fees are collected by Sourcery and distributed to the affected Data Owners (You), less any reasonable legal and administration costs incurred by Sourcery to enforce the claim.

9. Security Standards and Protocols

9.1 Encryption. All data stored in your PDV is secured using AES-256 bit encryption (Advanced Encryption Standard) at rest. Data transmitted between your device, the Platform, and our APIs is protected via TLS 1.3 (Transport Layer Security) protocols to ensure integrity and confidentiality during transit.

9.2 Access Control. Access to your PDV and sensitive functionality requires strong authentication linked to your Bluenumber identity, utilizing cryptographic signatures and, where supported, biometric verification on your trusted device.

9.3 Standards Alignment. The Sourcery Connect Platform infrastructure is designed in alignment with ISO/IEC 27001 information security standards and NIST cybersecurity frameworks to ensure the highest level of protection for your digital assets.

10. Contact

To learn more about Sourcery data policies, provisions and compliance, please visit: www.thesourcery.io/security-connectplatform