
Acceptable Use Policy

Last updated: February 10, 2026

1. Purpose

The Services enable advanced cryptographic and authentication workflows that can be misused if deployed irresponsibly or unlawfully. This AUP is intended to protect End Users, Customer, H33, and third parties by prohibiting misuse and establishing guardrails for lawful, safe operation.

2. General Requirements

Customer must:

  • (a) use the Services only for lawful purposes and in compliance with the Terms and this AUP;
  • (b) maintain appropriate security controls in Customer's environment (including protection of API keys);
  • (c) provide legally required notices and obtain legally required consents and authorizations from End Users (including biometric consents and written releases where required); and
  • (d) ensure End User-facing flows do not misrepresent the Services' capabilities, accuracy, or compliance posture.

3. Prohibited Uses

Customer must not, and must not permit any third party to, use the Services in any manner that H33 reasonably determines:

3.1 Unlawful, Harmful, or Abusive Conduct

  • violates any applicable law or regulation (including privacy, biometric, consumer protection, employment, surveillance, export controls, or sanctions laws);
  • facilitates illegal activity (including fraud, identity theft, unauthorized account access, or unlawful evasion of sanctions or export restrictions);
  • is deceptive, abusive, harassing, defamatory, or threatening; or
  • enables violence, terrorism, hate, or unlawful discrimination.

3.2 Unlawful Surveillance; Covert Tracking; "Silent" Biometrics

  • enables unlawful surveillance or covert monitoring of individuals, including "silent" biometric collection, biometric identification, or tracking without legally required notice/consent;
  • is used to identify or authenticate individuals in contexts where Customer lacks legal authority, a lawful basis, or required consent; or
  • is used to attempt to infer sensitive attributes (e.g., protected class status) from biometric or behavioral signals.

3.3 Mass Identification, Watchlists, and Generalized Monitoring

Unless H33 has provided prior written approval and Customer can demonstrate lawful authority and compliance controls, Customer may not use the Services to:

  • build, operate, or support mass identification systems, watchlists, or generalized face recognition databases;
  • conduct large-scale biometric identification across public or semi-public spaces; or
  • perform persistent or indiscriminate monitoring or profiling.

3.4 High-Risk Automated Decisions Without Human Review

Customer may not use the Services to make or support automated decisions producing legal or similarly significant effects on an individual (including employment, housing, credit, insurance, education, healthcare access, immigration, or benefits determinations) without meaningful human review and legally required notices and appeal/contest mechanisms where required by law.

3.5 Biometric/Privacy Noncompliance

Customer may not use the Services in any manner that violates biometric or privacy laws, including requirements relating to:

  • written releases/consents (where required);
  • retention schedules and destruction requirements;
  • limitations on disclosure and sharing;
  • security safeguards; or
  • restrictions on sale, lease, trade, or other "profiting from" biometric identifiers/information where prohibited.

3.6 Security, Integrity, and Platform Abuse

Customer may not:

  • probe, scan, or test the vulnerability of the Services or underlying systems (except as expressly permitted under Section 5);
  • bypass, disable, or circumvent authentication, rate limits, access controls, security measures, or usage restrictions;
  • introduce malware, ransomware, logic bombs, or harmful code, or use the Services to distribute malicious content;
  • interfere with, disrupt, or degrade the Services (including via denial-of-service, traffic flooding, or abusive patterns);
  • use scraping, bots, or automated means to access the Services other than through documented, supported interfaces; or
  • share, sell, sublicense, or otherwise allow unauthorized use of API keys or accounts.

3.7 Reverse Engineering; Competitive Use; Benchmarking

Customer may not:

  • reverse engineer, decompile, disassemble, or otherwise attempt to derive source code, underlying methods, models, or parameters (except to the extent such restriction is prohibited by law);
  • use the Services to develop, train, build, improve, or benchmark any competing product or service, or to create datasets for biometric identification, except as expressly permitted in writing by H33; or
  • publish or disclose benchmarks, performance tests, penetration test results, or security evaluations of the Services without H33's prior written consent.

3.8 Sensitive Data Classes (Operational Guardrails)

Customer must not submit to the Services:

  • PHI (Protected Health Information under HIPAA) unless a BAA is executed as required by the Terms; or
  • any other highly sensitive regulated data that Customer is not legally authorized to process or that Customer cannot lawfully submit under the Terms and applicable law.

3.9 Prohibited Jurisdictions and Restricted Parties

Customer may not use the Services from, for, or on behalf of:

  • comprehensively sanctioned jurisdictions; or
  • parties on restricted lists (e.g., OFAC SDN List), or parties owned/controlled by such restricted parties.

3.10 Misuse Creating Material Risk

Customer may not use the Services in a manner that otherwise poses a material risk to individuals' rights, safety, or privacy, or to the security, integrity, or availability of the Services.

3.11 No Reliance for Compliance Outcomes (AML/KYC / Sanctions)

No Sole Compliance Reliance. Customer may not use the Services (including Token Features, Blockchain Features, or KYC Services) as Customer's sole or determinative basis for AML/KYC compliance, sanctions compliance, fraud prevention decisioning, or legal/regulatory determinations. Customer is responsible for implementing independent controls, human review where appropriate, and any compliance program required by law.

3.12 Regulated Financial Use Cases Require Written Approval / Order Form

Regulated Use Requires Written Approval. Customer may not use the Services in connection with regulated financial activities (including money transmission, MSB activities, securities/broker-dealer activities, or operation of a regulated exchange or custody service) unless expressly authorized in a written Order Form signed by H33 and Customer and subject to any additional terms H33 may require. Please see Terms Section 4.1.

4. Customer Controls and End User Protections

Customer is responsible for implementing appropriate controls, including as applicable:

  • user-facing disclosures and consent flows;
  • access control, least privilege, and credential hygiene (rotation, storage, separation of duties);
  • monitoring for anomalous usage patterns and abuse;
  • human review processes for high-impact decisions;
  • incident response procedures; and
  • retention and deletion workflows consistent with law.

5. Security Testing; Vulnerability Disclosure

5.1 No Unauthorized Testing

Customer may not perform penetration testing, vulnerability scanning, or security research against the Services without H33's prior written authorization, except as permitted by mandatory law.

5.2 Responsible Disclosure

If Customer discovers a vulnerability, Customer must promptly report it to security@h33.ai and provide reasonable detail. Customer must not publicly disclose the vulnerability until H33 has had a reasonable opportunity to remediate, unless disclosure is required by law.

5.3 No Exploitation

Customer may not exploit vulnerabilities, access data not intended for Customer, or disrupt the Services during testing or disclosure.

6. Enforcement

6.1 Suspension/Termination

H33 may immediately suspend or terminate access to the Services for any violation of the Terms or this AUP, or where H33 reasonably believes Customer's use presents a material risk of misuse, harm, or legal exposure.

6.2 Mitigation Measures

H33 may implement technical and operational measures to prevent misuse, including throttling, blocking, rate-limiting, revoking credentials, restricting features, or requiring remediation.

6.3 Cooperation

Customer must promptly cooperate with reasonable requests to investigate suspected misuse, mitigate harm, and restore compliance.

7. Changes

H33 may update this AUP from time to time. Updates are effective when posted (or as otherwise stated). Customer's continued use of the Services after the effective date constitutes acceptance.

Questions about this policy?

Contact us at legal@h33.ai