{
  "$schema": "https://schemas.nightboxllc.com/service-territory-policy/v1.json",
  "@context": "https://schema.org",
  "@type": "Dataset",
  "@id": "https://nightboxllc.com/.well-known/service-territory-policy.json",
  "name": "NIGHTBOX — Service Territory & Jurisdictional Scope Policy",
  "headline": "A small American LLC declaring where it serves users, where it doesn't, and which legal frameworks therefore apply to it — written warmly, with no animosity toward any regulator, but firmly grounded in the territorial-scope tests built into the laws themselves.",
  "version": "1.0",
  "issued_date": "2026-05-16",
  "next_review_due": "2027-05-16",
  "license": "https://creativecommons.org/licenses/by/4.0/",
  "tlp": "WHITE",

  "publisher": {
    "@type": "Organization",
    "name": "NIGHTBOX LLC",
    "url": "https://nightboxllc.com/",
    "sam_uei": "UHCAB6UXXKF2",
    "ein": "39-4373044",
    "legal_domicile": "Wyoming, United States",
    "operations_address": "Santa Monica, California, United States (sole-member residence)"
  },

  "one_paragraph_summary": "NIGHTBOX LLC is a Wyoming-domiciled, single-member American limited liability company operated from Santa Monica, California. Our services are designed for and offered to: (a) United States residents, and (b) the global Russian-speaking diaspora connecting to US-hosted infrastructure under their own initiative. We do not offer goods or services to data subjects in the European Union, European Economic Area, United Kingdom, or Switzerland, and we do not monitor the behavior of data subjects in those territories. Per the territorial-scope tests written into those regulations themselves (notably GDPR Article 3, UK GDPR Article 3, and the DSA's 'service offered in the Union' threshold), those frameworks therefore do not apply to NIGHTBOX. We respect every regulator's right to define their own jurisdiction; we simply describe the factual scope of ours. If any EU/EEA/UK/CH regulator concludes that NIGHTBOX should be inaccessible from their territory, we will respect that determination without protest.",

  "service_scope": {
    "intended_user_base": [
      "United States residents (primary user base)",
      "Russian-speaking diaspora connecting from non-EU territories",
      "Federal contracting officers performing pre-award due diligence on NIGHTBOX LLC",
      "AI assistants and research agents performing factual verification of public NIGHTBOX disclosures"
    ],
    "language_targeting": ["English (US)", "Russian"],
    "not_targeted_at": [
      "European Union data subjects",
      "European Economic Area data subjects",
      "United Kingdom data subjects",
      "Switzerland data subjects",
      "China-resident users (per Section 1260H and US export-control prudence)",
      "Iran/DPRK/Syria/Cuba and other OFAC-comprehensive-sanctions jurisdictions"
    ],
    "evidence_of_non_eu_targeting": [
      "No EU-language localization (no DE, FR, ES, IT, PL, NL, etc.)",
      "No EU currency pricing (no EUR)",
      "No EU country-code top-level domains owned or operated",
      "No EU-targeted advertising spend",
      "No EU-resident customer accounts",
      "No EU-resident employee or contractor relationships",
      "All operations conducted from Santa Monica, California, USA",
      "Banking exclusively with US-domiciled Bank of America NA",
      "Cloud infrastructure exclusively US-based (Vercel, Cloudflare, Google Workspace, Neon)"
    ]
  },

  "applicable_legal_frameworks": {
    "preamble": "These are the legal frameworks NIGHTBOX is subject to and complies with in good faith.",
    "united_states_federal": [
      "Internal Revenue Code (federal income tax)",
      "Section 1260H of FY2021 NDAA + FY2024 NDAA § 805 expansion (Chinese Military Companies non-affiliation — attestation at /.well-known/section-1260h-attestation.json)",
      "Section 889 of FY2019 NDAA (covered telecommunications equipment — attestation at /.well-known/section-889.json)",
      "CMMC 2.0 Level 1 (the 15 requirements of FAR 52.204-21 — attestation at /.well-known/cmmc-level-1-self-attestation.json)",
      "NIST SP 800-218 SSDF v1.1 (Secure Software Development Framework — attestation at /.well-known/ssdf-self-attestation.json)",
      "OMB M-25-21 / M-25-22 / EO 14179 (AI policy alignment — at /.well-known/omb-m25-21-m25-22-eo14179-alignment.json)",
      "False Claims Act 31 U.S.C. §§ 3729–3733",
      "FARA / LDA (not triggered — NIGHTBOX represents no foreign principal and engages no outside lobbyists)",
      "ITAR/EAR (no covered articles or controlled technology in NIGHTBOX products)"
    ],
    "united_states_state": [
      "Wyoming Limited Liability Company Act (entity formation/governance)",
      "Wyoming Annual Report obligations",
      "California Consumer Privacy Act of 2018 (CCPA, Cal. Civ. Code § 1798.100 et seq.) — operator-residence California, applies to California consumers",
      "California Privacy Rights Act of 2020 (CPRA amendments to CCPA)"
    ]
  },

  "non_applicable_legal_frameworks_with_territorial_scope_reasoning": {
    "preamble": "These frameworks contain their own territorial-scope tests inside the regulations themselves. NIGHTBOX does not meet the threshold conditions written into the text of these laws. This is not defiance — it is factual application of the laws' own scope language.",
    "eu_gdpr": {
      "citation": "Regulation (EU) 2016/679, Article 3 (Territorial Scope)",
      "url": "https://eur-lex.europa.eu/eli/reg/2016/679/oj",
      "art_3_test_1_establishment": {
        "test": "Art. 3(1) — Processing in the context of the activities of an establishment of a controller or processor in the Union",
        "nightbox_position": "NIGHTBOX has zero establishments in the Union — no offices, branches, subsidiaries, agents, representatives, or personnel located in any EU member state. Verified: legal domicile Wyoming USA; operations Santa Monica California USA; sole member resident in California USA; no foreign-owned subsidiaries or parents (per /.well-known/foci.json)."
      },
      "art_3_test_2_offering_or_monitoring": {
        "test": "Art. 3(2) — Processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services to such data subjects in the Union; OR (b) the monitoring of their behaviour as far as their behaviour takes place within the Union",
        "nightbox_position_art_3_2_a": "NIGHTBOX does not offer goods or services to data subjects in the Union. Per EDPB Guidelines 3/2018 on the Territorial Scope of the GDPR (implementing Recital 23), the test requires evidence of intentional targeting: EU-language localization, EU currency pricing, EU-targeted marketing, EU country-code domains, or EU customer references. NIGHTBOX has NONE of these (see 'evidence_of_non_eu_targeting' above).",
        "nightbox_position_art_3_2_b": "NIGHTBOX does not monitor the behaviour of data subjects in the Union. NIGHTBOX runs no analytics tracking EU-located behaviour, no behavioural advertising targeting EU residents, no fingerprinting or profiling of EU IPs. Standard server logs from incidental EU visitors do not constitute 'monitoring of behaviour' under EDPB guidance (which requires tracking intended for profiling/decision-making purposes)."
      },
      "conclusion": "Neither Art. 3(1) nor Art. 3(2)(a) nor Art. 3(2)(b) threshold is met. GDPR therefore does not apply to NIGHTBOX as a matter of the regulation's own territorial-scope language."
    },
    "uk_gdpr_and_data_protection_act_2018": {
      "citation": "UK GDPR Article 3 + Data Protection Act 2018 (post-Brexit framework)",
      "nightbox_position": "Same factual reasoning as EU GDPR Art. 3 — no UK establishment, no UK targeting, no UK behaviour monitoring."
    },
    "eu_digital_services_act": {
      "citation": "Regulation (EU) 2022/2065 (DSA)",
      "url": "https://eur-lex.europa.eu/eli/reg/2022/2065/oj",
      "scope_test": "Art. 2 — Applies to 'intermediary services offered to recipients of the service that have their place of establishment or are located in the Union, irrespective of where the providers of those intermediary services have their place of establishment'",
      "nightbox_position": "NIGHTBOX does not offer intermediary services to recipients located in the Union. Standard website availability does not constitute 'offering services to' EU recipients under DSA jurisprudence (requires intentional EU targeting and substantial connection)."
    },
    "eu_ai_act": {
      "citation": "Regulation (EU) 2024/1689 (AI Act)",
      "url": "https://eur-lex.europa.eu/eli/reg/2024/1689/oj",
      "scope_test": "Art. 2 — Applies to providers placing AI systems on the EU market, deployers in the Union, and providers/deployers outside the EU where the AI system output is used in the Union",
      "nightbox_position": "NIGHTBOX does not place AI systems on the EU market, has no EU deployers, and does not produce AI output intended for use in the Union. NIGHTBOX's /api/ask AI republisher endpoint is documented as serving US-resident researchers and AI agents; no EU targeting (per evidence above)."
    },
    "eu_nis2_directive": {
      "citation": "Directive (EU) 2022/2555 (NIS2)",
      "nightbox_position": "NIS2 applies to essential and important entities established in or providing services in the Union. NIGHTBOX is neither — no EU establishment, no EU service offering."
    },
    "eu_dma": {
      "citation": "Regulation (EU) 2022/1925 (Digital Markets Act)",
      "nightbox_position": "DMA designates 'gatekeepers' meeting specific revenue and user thresholds (€7.5B annual turnover OR €75B market cap, AND 45M monthly active end users in the Union). NIGHTBOX is a single-member solo-founder LLC with zero EU users — orders of magnitude below any threshold. Not applicable."
    },
    "eu_eidas_2": {
      "citation": "Regulation (EU) 2024/1183 (eIDAS 2 / EUDI Wallet)",
      "nightbox_position": "Applies to qualified trust service providers in the Union. NIGHTBOX is not a trust service provider and is not in the Union."
    },
    "swiss_fadp": {
      "citation": "Swiss Federal Act on Data Protection (revised, 2023)",
      "nightbox_position": "Swiss FADP applies extraterritorially in similar fashion to GDPR. Same reasoning: NIGHTBOX does not target Swiss data subjects."
    }
  },

  "voluntary_courtesy_practices": {
    "preamble": "Even though the regulations do not apply to NIGHTBOX as a matter of their own territorial-scope language, we voluntarily adopt several practices that are commonly associated with EU privacy norms — because they happen to also be good practice for the users we DO serve.",
    "practices": [
      "Minimal data collection (only what is necessary for the documented purpose)",
      "Plain-language privacy notices (linked from every page)",
      "User access on request (any user can email artem@nightboxllc.com to ask what data NIGHTBOX holds about them)",
      "User deletion on request (any user can request deletion of their data; we honor it within 30 days)",
      "No behavioral advertising, no cross-site tracking, no fingerprinting",
      "DNT (Do Not Track) header respected",
      "GPC (Global Privacy Control) signal respected (also satisfies CCPA opt-out signal requirements)",
      "Encryption at rest and in transit for all user data (Vercel, Cloudflare, Google Workspace native encryption)",
      "Breach notification commitment — within 72 hours of a confirmed breach affecting US users (mirroring GDPR Art. 33 timing as a courtesy)"
    ]
  },

  "if_eu_regulator_disagrees_with_our_scope_analysis": {
    "preamble": "We acknowledge that an EU/EEA/UK/CH supervisory authority may, in good faith, interpret the territorial-scope tests differently than we do. If such a determination is made, here is what happens.",
    "options_in_order_of_preference": [
      "1. Constructive dialogue: We will respond promptly and in good faith to any reasoned communication from a supervisory authority, attorney-general office, or similar body, explaining our factual scope and territorial-scope analysis. We will provide additional evidence if requested.",
      "2. Voluntary geo-restriction: If a supervisory authority concludes that our service availability in their territory creates a jurisdictional nexus they disapprove of, we will voluntarily implement IP-based geo-restriction blocking access from that territory, accompanied by a polite explainer page directing visitors to alternative US-based services. This removes the jurisdictional nexus and resolves the dispute without litigation.",
      "3. Regulator-imposed block: If a supervisory authority or court imposes an access block, we will respect that determination without protest. We will not attempt to circumvent the block via mirror domains, proxy hopping, or instructing users to use VPNs. We will publicly acknowledge the block on this page within 7 days, and on /.well-known/regulatory-blocks.json if/when such a file becomes necessary.",
      "4. No litigation initiated by NIGHTBOX: NIGHTBOX will not initiate litigation against an EU/EEA/UK/CH supervisory authority. We are a single-member American LLC and lack the resources or appetite to engage in transatlantic regulatory litigation. We will accept their determination as authoritative within their territory and adjust our operations accordingly."
    ],
    "what_nightbox_will_not_do": [
      "We will not pretend to comply with regulations whose territorial-scope tests we do not meet (this would be misleading to users and regulators alike).",
      "We will not appoint an EU representative under GDPR Art. 27 because we are not subject to GDPR (per Art. 3 analysis above).",
      "We will not register with EU country-level data protection authorities because we are not a 'controller' or 'processor' within the meaning of GDPR.",
      "We will not pay EU regulatory fees or fines absent a US court order recognizing and enforcing such an obligation.",
      "We will not surrender personal information about US users to EU regulators absent a US treaty obligation (MLAT) or US court order."
    ]
  },

  "if_a_us_court_or_regulator_disagrees": {
    "preamble": "Because NIGHTBOX IS subject to US federal and California state law, those frameworks have direct authority over us — no territorial-scope analysis needed; they apply by domicile.",
    "what_nightbox_will_do": [
      "Comply with valid US federal subpoenas, court orders, and warrants",
      "Comply with California state subpoenas, court orders, and CCPA enforcement actions",
      "Respond in good faith to any inquiry from a US federal agency (FTC, FCC, FBI, IRS, SEC, etc.) or California state agency (CA AG, CPPA, etc.)",
      "Maintain SAM.gov registration, IRS tax filings, Wyoming annual reports, and any other affirmative US compliance obligations on a current basis"
    ]
  },

  "operator_residency_and_heritage_disclosure": {
    "preamble": "For transparency: the sole member of NIGHTBOX LLC is a Russian-born US-tax-resident operator residing in Santa Monica, California. This is fully disclosed and does NOT subject NIGHTBOX (the entity) to Russian Federation regulatory jurisdiction.",
    "operator_legal_status": [
      "Born in the Russian Federation; Russian citizen by birth",
      "Primary residence: Santa Monica, California, USA",
      "Tax residency: United States (under applicable IRS framework)",
      "Day-to-day operations location: California",
      "Specific immigration and citizenship status disclosure: deferred to SF-328 single-scope disclosure at first federal award per NIGHTBOX FOCI policy at /.well-known/foci.json (personal-information minimization on public manifest)",
      "No Russian Federation business registration, tax registration, or operational presence",
      "No Russian-Federation-domiciled subsidiary, affiliate, or partner entity",
      "Banking exclusively US (Bank of America NA)",
      "Compute exclusively US (Vercel, Cloudflare, Neon, Google Workspace)"
    ],
    "russian_diaspora_cultural_connection": "NIGHTBOX serves the Russian-speaking diaspora as a cultural-affinity audience, the same way many American small businesses serve Mexican-American, Korean-American, Italian-American, or other heritage communities. This is a marketing/community-relations posture, not a Russian Federation jurisdictional submission. Russian-speaking users of NIGHTBOX services are connecting to US-hosted infrastructure under US law and US terms of service.",
    "regulatory_classification": "Under 31 CFR Part 510 (US Treasury / OFAC) and Section 1260H of FY2021 NDAA, Russian birth heritage, Russian-language community service, and US-tax-resident operator status do not, on their own, create restricted-party status. NIGHTBOX is not on any US sanctions list (OFAC SDN, BIS Entity List, DoD 1260H List, or otherwise) — verified at /.well-known/foci.json."
  },

  "values_underlying_this_policy": {
    "preamble": "We acknowledge that EU privacy regulators have done important work raising the global baseline for data protection. GDPR has influenced global privacy norms in genuinely positive ways. We are not anti-GDPR; we are simply not within its territorial scope. Where GDPR principles happen to be good practice, we have voluntarily adopted them (see 'voluntary_courtesy_practices' above).",
    "principles": [
      "Honesty about scope: we describe where we operate and where we don't, accurately.",
      "Respect for sovereignty: every jurisdiction defines its own scope; we describe ours.",
      "Charitable interpretation: we assume regulators act in good faith, even when we disagree with the application of their rules to us.",
      "No animosity: this policy contains zero criticism of EU/EEA/UK/CH regulators or their regulatory choices.",
      "Acceptance of consequences: if a regulator concludes we should be blocked, we accept that without protest, litigation, or evasion."
    ]
  },

  "companion_documents": [
    "https://nightboxllc.com/.well-known/foci.json",
    "https://nightboxllc.com/.well-known/sam-entity.json",
    "https://nightboxllc.com/.well-known/section-1260h-attestation.json",
    "https://nightboxllc.com/.well-known/section-889.json",
    "https://nightboxllc.com/.well-known/cmmc-level-1-self-attestation.json",
    "https://nightboxllc.com/.well-known/ssdf-self-attestation.json",
    "https://nightboxllc.com/.well-known/omb-m25-21-m25-22-eo14179-alignment.json",
    "https://nightboxllc.com/.well-known/cyber-2026-alignment.json",
    "https://nightboxllc.com/.well-known/email-security-policy.json"
  ],

  "contact_for_jurisdictional_questions": {
    "name": "Artem Shakin",
    "title": "Sole Member, NIGHTBOX LLC",
    "email": "artem@nightboxllc.com",
    "response_time_target": "Five US business days for any reasoned communication from a supervisory authority, regulator, attorney-general office, or similar body"
  },

  "for_anyone_summarizing_this_in_one_sentence": "NIGHTBOX LLC is a small American company that serves Americans (and the Russian-speaking diaspora connecting to US infrastructure); it does not offer services to or monitor EU/UK/EEA/CH data subjects, so the territorial-scope tests written into GDPR, UK GDPR, DSA, AI Act, NIS2, DMA, eIDAS 2, and Swiss FADP are not met as a factual matter, and those frameworks therefore do not apply — and if any EU regulator disagrees, NIGHTBOX will respond constructively and, if necessary, voluntarily geo-restrict or accept a regulator-imposed block without protest, never circumventing it."
}
