I. PURPOSE AND SCOPE

This Artificial Intelligence Acceptable Use Policy (“AI Policy”) governs PARTNER’s use, deployment, and operation of any artificial intelligence, machine learning, large language model, generative AI, agentic workflow, decision-support, recommendation, summarization, or other automated processing functionality (collectively, “AI Functionality”) in connection with the Partner Services, APIs, interfaces, or any other services provided to Eltropy or End Users under the Agreement. This AI Policy is incorporated into and forms part of the Agreement between PARTNER and Eltropy. This AI Policy may be updated from time to time in accordance with Section X (Updates and Modifications). The version of this AI Policy currently in effect is identified by the version date set forth above.

II. DEFINITIONS

For purposes of this AI Policy:

“AI Functionality” means any artificial intelligence, machine learning, large language model, generative AI, agentic workflow, decision-support, recommendation, summarization, or similar automated processing functionality included in or enabled by the Partner Services.

“AI-Generated Content” means any output, response, recommendation, decision, summary, classification, prediction, or other content produced by AI Functionality.

“High-Risk Actions” means actions that could result in financial loss, unauthorized access, legal obligation, regulatory violation, or material harm to Eltropy or End Users, including but not limited to: funds movement, external communications purporting to bind a party, account changes, credential resets, configuration changes affecting security or access, legally significant decisions, or transactions affecting End User rights or obligations.

“Zero-Retention Processing” means processing End User Data, prompts, outputs, and related content through AI Functionality without retaining, caching, storing, or reusing such data beyond the minimum duration necessary to complete the applicable session or transaction, except for narrowly scoped compliance, audit, security, fraud-prevention, or incident-investigation logs as expressly permitted under this AI Policy.

III. DATA HANDLING AND RETENTION REQUIREMENTS

3.1 Zero-Retention Model. PARTNER shall implement a zero-retention processing model for all End User Data, prompts, outputs, and related content processed through AI Functionality to the maximum extent technically feasible and permitted by law. PARTNER shall not retain, cache, store, disclose, or reuse any such End User Data except solely to provide the Partner Services during the applicable session.

3.2 Permitted Logs. PARTNER may retain narrowly scoped immutable logs solely for compliance, audit, security, fraud-prevention, or incident-investigation purposes. Such logs shall:

(a) Be limited to the minimum information reasonably necessary for the stated purpose;

(b) Be retained for at least two (2) years only to the extent required by applicable law or documented regulatory need;

(c) In all other cases, be retained for the shortest period reasonably necessary;

(d) Be stored in segregated environments with strict access controls;

(e) Not be used for training, tuning, testing, analytics unrelated to the Partner Services, or product improvement.

3.3 Data Location and Security. All End User Data processed by AI Functionality shall be stored and processed solely within the continental United States of America, unless Eltropy expressly approves otherwise in writing. PARTNER shall maintain encryption of End User Data at rest and in transmission using TLS or similar commercially reasonable technologies.

IV. PROHIBITED USES

PARTNER shall not, and shall not permit any third party to:

4.1 Use End User Data, metadata, conversation content, prompts, outputs, or any derivative data derived therefrom for model training, tuning, fine-tuning, reinforcement learning, testing, benchmarking, analytics unrelated to the Partner Services, or product improvement.

4.2 Use End User Data to develop or improve any artificial intelligence or machine learning models or services, whether for PARTNER’s benefit or for third parties.

4.3 Sell, share, disclose, mine, profile, or otherwise exploit End User Data for advertising, cross-customer analytics, generalized model improvement, or other secondary purposes.

4.4 Permit AI Functionality to take High-Risk Actions without appropriate authorization controls, identity verification, logging, and, where appropriate, human review.

4.5 Represent that AI-Generated Content is guaranteed accurate, complete, or suitable for independent reliance without human review unless expressly supported by applicable documentation and approved use case.

4.6 Use AI Functionality in any manner that violates applicable law, this Agreement, or documented customer-facing product descriptions.

V. AUTHORIZATION AND CONTROL REQUIREMENTS

5.1 Guardrails. PARTNER shall implement commercially reasonable guardrails designed to prevent unauthorized or unsafe AI-enabled actions, including escalation and/or human review mechanisms for high-risk use cases.

5.2 Identity Verification. PARTNER shall not initiate or permit any transaction, funds movement, change to an End User account, or change to account settings based on AI-generated or automated instructions unless:

(a) The applicable individual’s identity has been verified through appropriate authentication mechanisms; and

(b) The action is taken only pursuant to clear affirmative instruction from the applicable authorized person.

5.3 Human Oversight. For High-Risk Actions, PARTNER shall implement appropriate human review, approval workflows, or confirmation mechanisms prior to execution, unless a different approach is expressly approved in writing by Eltropy for a specific use case.

5.4 Audit Trail. PARTNER shall maintain comprehensive audit logs of all AI-driven actions, including the inputs, outputs, decision rationale (where feasible), user interactions, and any human review or override actions.

VI. DESIGN AND OPERATIONAL REQUIREMENTS

6.1 Lawful Operation. AI Functionality shall be designed and operated in a manner consistent with applicable law, this Agreement, and documented customer-facing product descriptions.

6.2 Transparency. PARTNER shall maintain reasonably current documentation describing:

(a) The AI Functionality included in the Partner Services;

(b) How End User Data is processed by AI systems;

(c) What data retention, if any, occurs and for what purpose;

(d) What safeguards are in place to prevent unauthorized actions;

(e) How human oversight is implemented for High-Risk Actions.

6.3 Accuracy and Reliability. PARTNER shall use commercially reasonable efforts to ensure that AI Functionality operates reliably and that AI-Generated Content is reasonably accurate for its intended purpose, while acknowledging the inherent limitations of AI systems.

6.4 Bias and Fairness. PARTNER shall implement reasonable measures to identify and mitigate unlawful bias, discrimination, or unfair outcomes in AI Functionality that could adversely affect End Users.

VII. LIABILITY AND RESPONSIBILITY

7.1 PARTNER Responsibility. PARTNER shall remain responsible for the operation of AI Functionality and for all actions initiated by the Partner Services, APIs, integrations, agents, automations, or other workflows acting on PARTNER’s behalf or within PARTNER-controlled functionality to the same extent as if such actions had been taken directly by PARTNER personnel.

7.2 Indemnification. PARTNER shall defend, indemnify, and hold harmless Eltropy from third-party claims arising out of unauthorized, unverified, or improperly automated AI-driven actions by the Partner Services, except to the extent caused by Eltropy-configured instructions not supplied or approved by PARTNER.

VIII. MONITORING AND INCIDENT RESPONSE

8.1 Monitoring. PARTNER shall monitor AI Functionality for:

(a) Abuse or misuse patterns;

(b) Anomalous behavior or outputs;

(c) Unauthorized actions;

(d) Data retention violations;

(e) Security incidents;

(f) Accuracy degradation or model drift.

8.2 Incident Notification. PARTNER shall notify Eltropy without undue delay and in no event later than twenty-four (24) hours after confirming any incident involving AI Functionality that:

(a) Results in unauthorized access to, acquisition of, or disclosure of End User Data;

(b) Causes or may cause financial loss, unauthorized transactions, or material harm to End Users;

(c) Involves use of End User Data for prohibited purposes (including model training);

(d) Constitutes a material breach of this AI Policy.

8.3 Remediation. Upon discovery of any violation of this AI Policy, PARTNER shall:

(a) Promptly investigate and contain the incident;

(b) Cease any prohibited use of End User Data

(c) Delete or purge any improperly retained End User Data;

(d) Implement corrective measures to prevent recurrence;

(e) Provide Eltropy with reasonable information regarding the incident and remediation efforts.

IX. COMPLIANCE AND AUDIT

9.1 Compliance Certification. Upon Eltropy’s reasonable request, PARTNER shall certify in writing its compliance with this AI Policy and provide supporting documentation, including:

(a) Data flow diagrams showing AI processing pathways;

(b) Data retention and deletion procedures;

(c) Model training data sources and confirmation that End User Data is not used;

(d) Guardrail and authorization control descriptions;

(e) Third-party AI service provider agreements and compliance measures.

9.2 Security Review. PARTNER shall participate in reasonable security reviews, architecture assessments, and AI-specific diligence exercises requested by Eltropy to verify compliance with this AI Policy.

9.3 Third-Party AI Providers. If PARTNER uses third-party AI service providers, PARTNER shall:

(a) Ensure such providers comply with obligations no less protective than those in this AI Policy;

(b) Implement zero-retention or equivalent data protection measures;

(c) Prohibit use of End User Data for model training or improvement by the third party;

(d) Maintain contractual rights to audit and enforce compliance;

(e) Remain fully responsible for such third parties’ acts and omissions.

X. UPDATES AND MODIFICATIONS

PARTNER shall provide Eltropy with reasonable advance notice of material changes to AI Functionality, AI service providers, data processing practices, retention policies, or guardrail implementations that could affect this AI Policy’s requirements or Eltropy’s risk assessment. Eltropy may condition continued use of AI Functionality on satisfactory resolution of any compliance concerns raised by such changes.