• Information Security – network/application security, access control, encryption, vulnerability/patch management, incident response.

• Privacy & Data Protection – GDPR/UK GDPR, state privacy laws, data residency, DPA terms, data subject rights.

• Anti-Bribery & Corruption (FCPA/ABC) – policies, training, third-party oversight, gifts & entertainment controls.

• Regulatory & Compliance Fit – sector rules applicable to the service (e.g., DORA/MiCA for EU crypto/ops resiliency; SEC/FINRA where relevant).

• Financial Viability – going-concern indicators, adverse media/litigation, insurance coverage.

• Business Continuity / Disaster Recovery (BC/DR) – RTO/RPO, test cadence and results, dependency mapping.

• Workforce Integrity (as applicable) – background checks for staff in scope (esp. temp labor/staff aug).

Provide via AuditBoard; if your policy prohibits uploads, share via secure links or your trust portal.

• Security Assurance: SOC 2 Type II (or ISO/IEC 27001 certificate + SoA), recent pen-test summary & remediation status, vulnerability management policy, incident response plan.

• Privacy & Data: Privacy Notice, DPA, subprocessors list, data-flow diagrams (collection → processing → storage → transfer → deletion), data residency statement, retention schedule.

• Technical Controls: encryption at rest/in transit details, key management, access control/SSO/MFA, logging/monitoring, SDLC/secure coding, change management.

• BC/DR: BCP/DRP summary, most recent BC/DR test report with outcomes/RTO/RPO, dependency mapping (cloud/third parties).

• Regulatory Artifacts (as applicable): PCI AoC (if cardholder data), HIPAA/BAA (if PHI), DORA operational resilience attestation (if service supports EU operations), export control/sanctions screening posture.

• Financial & Corporate: latest financials or credit report, insurance (Cyber/Tech E&O/GL; limits & carriers), legal entity details, ultimate parent/ownership.

• People & ABC: ABC/anti-corruption policy & training overview; background-check attestations where persons access Kraken sensitive data or facilities.

Vendors will receive a welcome email from AuditBoard ([email protected]) containing their login credentials (example shown below). Shortly after, a second email will provide access to their assigned due diligence questionnaires (DDQs).

These questionnaires are tailored to the nature and risk level of the services being provided. Vendors can add additional contacts within AuditBoard to assist with completion, or contact <[email protected]> for support with the tool.

• Complete the onboarding process via the Zip Vendor Portal

• Undergo required due diligence reviews (as assigned by AuditBoard)

• Have a fully executed contract in place (e.g., MSA, SOW, Order Form)

Kraken’s Procurement and Legal teams will initiate the appropriate agreement based on the engagement type. All contracts must:

• Be reviewed and approved by Kraken’s Procurement and Legal teams

• Be executed via DocuSign with valid signature authority

Once the agreement is signed and onboarding is complete, a Purchase Order (PO) will be issued.

For any contract questions, contact your Kraken business sponsor.

The Zip Vendor Portal is localized and available in:

• English

• Chinese

• French

• German

• Japanese

• Portuguese

• Spanish

You can change the language via the dropdown menu at the top of the portal.