Lenzo. Acceptable Use Policy
Genio Group, Inc.
Effective Date: January 1, 2024
Last Updated: December 20, 2025
1. INTRODUCTION AND DEFINITIONS
1.1 Policy Overview
This Acceptable Use Policy (the "Policy" or "AUP") governs the access to and use of the Lenzo™ export and import compliance platform and all related services, application programming interfaces, software, documentation, and materials (collectively, the "Services") provided by Genio Group, Inc., a Delaware corporation ("Company," "Genio," "we," "us," or "our"). Lenzo is a proprietary software-as-a-service platform and trademark owned and operated by Genio Group, Inc. The Services are made available through the domain lenzo.ai and associated subdomains (the "Platform").
1.2 Definitions
For purposes of this Policy:
(a) "Authorized User" means any individual authorized by Customer to access and use the Services, including Customer's employees, contractors, agents, and consultants.
(b) "Customer Data" means all data, content, and information that Customer or Authorized Users submit to, store in, or process through the Services, including partner screening data, product classification information, trade compliance records, and any personal information contained therein.
(c) "Documentation" means Company's user guides, technical specifications, and other materials describing the functionality and proper use of the Services.
(d) "Security Incident" means unauthorized access to, or acquisition, use, or disclosure of Customer Data that compromises the security, confidentiality, or integrity of such data.
(e) "Terms" means the Terms of Service or other master agreement governing Customer's use of the Services.
1.3 Service Description
Lenzo provides cloud-based export and import compliance monitoring, partner screening, product classification, and regulatory alert tools designed to help businesses manage trade compliance obligations. The Services enable customers to screen partners against global sanctions and restricted party lists, classify products for export controls, monitor regulatory changes, and maintain compliance documentation. THE SERVICES ARE INFORMATIONAL TOOLS ONLY AND DO NOT CONSTITUTE LEGAL, REGULATORY, OR COMPLIANCE ADVICE. COMPANY DOES NOT WARRANT THE ACCURACY, COMPLETENESS, OR TIMELINESS OF ANY SANCTIONS DATA, REGULATORY INFORMATION, OR CLASSIFICATION GUIDANCE PROVIDED THROUGH THE SERVICES. CUSTOMER REMAINS SOLELY RESPONSIBLE FOR ALL TRADE COMPLIANCE DECISIONS AND OBLIGATIONS.
1.4 Binding Effect
By accessing or using the Services, Customer agrees to be bound by this Policy. This Policy applies to Customer and all Authorized Users. Customer is responsible for ensuring that all Authorized Users comply with this Policy.
1.5 Relationship to Other Agreements
This Policy is incorporated by reference into and forms an integral part of the Terms. In the event of any conflict between this Policy and the Terms, the following order of precedence shall apply: (i) any executed written agreement between the parties, (ii) this Policy, and (iii) the Terms.
1.6 Governing Law and Dispute Resolution
(a) Governing Law: This Policy shall be governed by and construed in accordance with the laws of the State of Delaware, United States of America, without regard to its conflicts of law principles.
(b) Arbitration Agreement: Any dispute, controversy, or claim arising out of or relating to this Policy, or the breach, termination, enforcement, interpretation, or validity thereof, including the determination of the scope or applicability of this agreement to arbitrate, shall be determined by binding arbitration in Wilmington, Delaware, before a single arbitrator. The arbitration shall be administered by JAMS pursuant to its Comprehensive Arbitration Rules and Procedures. Judgment on the award may be entered in any court having jurisdiction. This clause shall not preclude parties from seeking provisional remedies in aid of arbitration from a court of appropriate jurisdiction.
(c) Exception for Injunctive Relief: Notwithstanding Section 1.6(b), either party may seek injunctive or other equitable relief in any court of competent jurisdiction to prevent the actual or threatened infringement, misappropriation, or violation of a party's intellectual property rights, confidential information, or proprietary rights.
(d) Class Action Waiver: EACH PARTY WAIVES ITS RIGHT TO PARTICIPATE IN A CLASS ACTION, CLASS ARBITRATION, OR OTHER REPRESENTATIVE PROCEEDING. All disputes must be brought in the parties' individual capacity and not as a plaintiff or class member in any purported class, collective, representative, or private attorney general proceeding.
(e) Jury Trial Waiver: TO THE MAXIMUM EXTENT PERMITTED BY LAW, EACH PARTY WAIVES ITS RIGHT TO A JURY TRIAL IN CONNECTION WITH ANY DISPUTE ARISING OUT OF OR RELATING TO THIS POLICY.
(f) Mandatory Consumer Rights: Nothing in this Policy shall be construed to waive any mandatory consumer protection rights or dispute resolution mechanisms available to Customer under applicable law in Customer's jurisdiction of residence, including rights under GDPR or similar data protection legislation, to the extent such waiver would be prohibited by applicable law.
(g) Limitation Period for Claims: Except where prohibited by applicable law, any claim or cause of action arising out of or relating to this Policy or the Services must be filed within one (1) year after such claim or cause of action arose, or be forever barred.
1.7 Policy Modifications
(a) Company reserves the right to modify this Policy at any time by posting an updated version on the Platform and providing written notice to Customer at the email address associated with Customer's account.
(b) Material changes shall become effective thirty (30) days after notice is provided. Non-material changes (such as clarifications, formatting updates, or contact information changes) shall become effective immediately upon posting.
(c) Company shall clearly identify material changes in the notice provided to Customer.
(d) Customer's continued use of the Services after the effective date of modifications constitutes acceptance of the modified Policy. If Customer does not agree to any modification, Customer may terminate the agreement in accordance with the Terms and contact support@lenzo.ai regarding any applicable refund rights.
1.8 Acceptance
Customer's initial access to or use of the Services following the Effective Date constitutes Customer's acceptance of this Policy. For existing customers, continued use after receiving notice of this Policy constitutes acceptance.
2. SCOPE AND APPLICABILITY
2.1 Covered Parties
This Policy applies to:
(a) Customer, being the entity or individual that has entered into an agreement with Company for access to the Services;
(b) All Authorized Users who access or use the Services on Customer's behalf or with Customer's permission;
(c) Any third party granted access to Customer's account or data within the Services with Customer's explicit authorization; and
(d) Any person or entity accessing the Services through Customer's credentials or systems, provided that Customer shall not be held liable for unauthorized access that occurs after Customer has: (i) implemented security measures reasonably appropriate to Customer's size and resources, and (ii) provided timely notice to Company in accordance with Section 5.1(d).
2.2 Covered Resources
This Policy governs all use of and access to:
(a) The Lenzo platform, including all partner screening, product classification, regulatory monitoring, and compliance reporting features;
(b) All application programming interfaces ("APIs") made available by Company;
(c) All integrations with third-party services, including but not limited to sanctions data providers, regulatory databases, single sign-on providers, and enterprise resource planning systems;
(d) All Documentation, support materials, and other resources provided by Company; and
(e) All data, content, and information processed, stored, or transmitted through the Services.
2.3 Geographic Scope and Data Residency
(a) The Services are controlled and operated from the United States. Customer Data may be processed and stored in the United States and other jurisdictions where Company or its service providers maintain facilities.
(b) For customers subject to GDPR or other data protection laws requiring specific data handling practices, the parties' respective obligations are set forth in the Data Processing Agreement available at lenzo.ai/dpa, which includes Standard Contractual Clauses where applicable.
(c) Customer acknowledges that the Services may not be available or appropriate for use in all jurisdictions. Customer is responsible for determining whether use of the Services complies with applicable laws in Customer's jurisdiction.
2.4 Export Control Compliance
(a) Customer shall not access or use the Services from any jurisdiction where such access or use would violate applicable export control laws or economic sanctions.
(b) Customer represents that neither Customer nor any Authorized User is: (i) identified on the U.S. Specially Designated Nationals and Blocked Persons List or any other applicable restricted party list, or (ii) owned or controlled by any such person or entity. Customer shall promptly notify Company if this representation becomes untrue.
(c) Company reserves the right to suspend or terminate access to the Services if Company reasonably believes that continued access would violate applicable export control or sanctions laws.
3. PERMITTED USES
3.1 Authorized Business Purposes
Customer may access and use the Services solely for Customer's legitimate internal business purposes, including:
(a) Screening partners, customers, suppliers, and other third parties against global sanctions and restricted party lists for Customer's own compliance purposes;
(b) Classifying products, technology, and software for export control purposes using Company's classification tools;
(c) Monitoring regulatory changes and receiving alerts related to trade compliance obligations;
(d) Generating compliance reports, audit trails, and documentation for regulatory purposes;
(e) Maintaining records of screening activities, classification decisions, and compliance workflows;
(f) Training personnel on trade compliance requirements using materials within the Services; and
(g) Integrating compliance workflows with Customer's existing enterprise systems.
3.2 Authorized Integrations
Customer may connect the Services to third-party systems and services as expressly supported and documented by Company, including ERP systems, trade management software, identity management systems, and business intelligence platforms.
3.3 Data Handling Standards
When using the Services, Customer shall:
(a) Process, store, and transmit data through the Services in accordance with applicable data protection laws and regulations governing Customer's industry and jurisdiction;
(b) Maintain the accuracy and completeness of information provided to the Services to the extent reasonably practicable;
(c) Implement appropriate safeguards to protect sensitive compliance information accessed through the Services;
(d) Limit access to Customer Data within the Services to Authorized Users who have a legitimate business need for such access; and
(e) Comply with all third-party terms and conditions applicable to data accessed through integrations.
3.4 API Usage
Customer may access the Services' APIs subject to the following conditions:
(a) API usage shall remain within the rate limits and usage quotas specified in the Documentation or Customer's service plan;
(b) API credentials shall be kept confidential and used solely for Customer's internal business purposes;
(c) API access shall not be used to develop or distribute a product that directly competes with the Services by replicating the Services' core trade compliance and screening functionality as a primary offering to third parties;
(d) API usage shall not interfere with or materially degrade the integrity or performance of the Services; and
(e) Customer shall implement appropriate error handling and rate limiting in any applications that access the APIs.
For clarity, Section 3.4(c) does not prohibit Customer from building internal tools, integrating the Services with other applications, or exporting Customer Data for use in other systems.
3.5 Data Backup, Export, and Portability
(a) Customer may export and back up Customer Data from the Services using functionality provided within the Platform or through documented API methods for internal business continuity, regulatory compliance, data portability, and archival purposes.
(b) Upon termination of Customer's account, Company shall provide Customer with the ability to export Customer Data for thirty (30) days, after which Customer Data may be deleted in accordance with Company's data retention policies and applicable law.
3.6 Security Testing
(a) Customer may conduct reasonable security assessments of the Services, including vulnerability scanning and penetration testing, provided that Customer:
(i) Provides Company with at least fifteen (15) business days' prior written notice at support@lenzo.ai and receives written approval before commencing testing;
(ii) Limits testing to Customer's own account and does not engage in activities that would disrupt the Services for other customers;
(iii) Promptly reports any security vulnerabilities discovered to Company at support@lenzo.ai;
(iv) Treats all findings as Company's confidential information and does not disclose such information to third parties without Company's prior written consent; and
(v) Allows Company ninety (90) days to remediate identified vulnerabilities before any public disclosure, except where immediate disclosure is required by law.
(b) Company may suspend security testing activities that violate these conditions or pose risk to the Services.
3.7 Benchmarking
Customer may conduct internal benchmarking and performance testing for Customer's own evaluation purposes. Customer shall not publicly disclose performance benchmarks that identify Company or the Services by name without Company's prior written consent, except as required by law or in generalized form that does not identify Company.
4. PROHIBITED ACTIVITIES
Customer shall not, and shall ensure that Authorized Users do not, engage in any of the following activities in connection with the Services:
4.1 Illegal Activities
(a) Using the Services in any manner that violates applicable federal, state, local, or international law;
(b) Engaging in or facilitating fraudulent activities, including falsification of screening results, misrepresentation of compliance status, or material misrepresentation of trade compliance information;
(c) Using the Services to facilitate money laundering, terrorist financing, sanctions evasion, or other financial crimes;
(d) Intentionally accessing compliance data or systems belonging to third parties without proper authorization;
(e) Violating data protection or privacy laws applicable to Customer's processing of personal information through the Services;
(f) Infringing or misappropriating intellectual property rights of third parties; or
(g) Using the Services in connection with illegal goods, services, or activities.
4.2 Security Violations
(a) Intentionally attempting to gain unauthorized access to any portion of the Services, other customers' accounts, or Company's systems through means designed to circumvent authentication mechanisms;
(b) Knowingly probing, scanning, or testing vulnerabilities of the Services or breaching security measures, except as expressly authorized under Section 3.6;
(c) Reverse engineering, decompiling, or disassembling software comprising the Services for the purpose of developing a competitive product, except to the extent such restriction is prohibited by applicable law;
(d) Knowingly using any device, software, or routine with intent to interfere with the proper working of the Services;
(e) Taking any action that imposes an excessive or unreasonable load on Company's infrastructure, including denial-of-service attacks;
(f) Intentionally forging headers or manipulating identifiers to disguise the origin of content for malicious purposes;
(g) Knowingly distributing viruses, malware, or other malicious code through the Services;
(h) Disabling or circumventing security-related features of the Services for unauthorized purposes;
(i) Knowingly using another user's account or credentials without proper authorization; or
(j) Sharing account credentials with unauthorized persons without implementing appropriate security controls.
4.3 Data Misuse and Unauthorized Access
(a) Intentionally accessing, collecting, or storing personal data or compliance information belonging to other customers;
(b) Selling or commercializing screening data, classification results, or compliance information obtained through the Services to third parties, except where such disclosure is required for Customer's legitimate business purposes, made to Customer's service providers subject to confidentiality safeguards, required by law, or expressly authorized by Company;
(c) Using web crawlers, scrapers, or automated means to extract data outside of documented API functionality;
(d) Using the Services to collect or process data in knowing violation of applicable data protection laws;
(e) Intentionally exceeding the scope of authorized access permissions; or
(f) Knowingly modifying or falsifying screening results, classification data, or compliance records to create false or misleading information.
4.4 Intellectual Property Violations
(a) Copying, reproducing, or distributing substantial portions of the Services or creating derivative works, except as expressly permitted in the Terms;
(b) Framing or mirroring any part of the Services without Company's prior written consent;
(c) Using the "Lenzo" name, trademark, or logo in a manner that creates confusion, suggests endorsement, or violates Company's trademark rights, except as reasonably necessary to identify that Customer uses the Services;
(d) Removing or altering copyright notices or proprietary rights notices within the Services;
(e) Using the Services as a primary component in developing or distributing a trade compliance or screening product that directly competes with the Services; or
(f) Publicly disseminating performance benchmarks identifying Company or the Services without prior written approval, except as permitted under Section 3.7.
4.5 Service Integrity Violations
(a) Registering accounts or providing materially false information with intent to deceive or obtain unauthorized access;
(b) Creating multiple accounts to evade service limitations, circumvent pricing restrictions, or obtain multiple trial periods;
(c) Intentionally manipulating usage metrics or screening counts to avoid applicable fees;
(d) Circumventing technological measures implemented to meter usage or enforce pricing;
(e) Reselling or sublicensing the Services to third parties as a service bureau, except where Customer is an authorized reseller or where use on behalf of affiliates is expressly authorized;
(f) Using the Services primarily to provide trade compliance screening services to third parties without a separate written agreement with Company;
(g) Using automated systems to create accounts, submit data, or generate requests in volumes that exceed documented rate limits or materially impact service availability; or
(h) Interfering with other customers' use of the Services through excessive resource consumption or repeated policy violations.
4.6 Content and Communication Violations
(a) Using the Services to transmit, upload, or store content that is illegal under applicable law, violates third-party rights, contains malicious code, or is intended to harass or abuse any individual;
(b) Using the Services to send unsolicited commercial emails, spam, phishing messages, or messages violating the CAN-SPAM Act or GDPR;
(c) Impersonating Company, Company's employees, or other users with intent to deceive;
(d) Publishing materially false or defamatory statements about the Services or Company with intent to harm reputation;
(e) Engaging in harassment, intimidation, or threats of violence directed at other users or Company personnel; or
(f) Using the Services to coordinate, promote, or facilitate illegal activity.
4.7 Compliance Data Processing Restrictions
Customer shall not:
(a) Use the Services to process compliance data that Customer is not legally authorized to access;
(b) Submit partner or entity information for screening without proper authorization from the data owner where required;
(c) Use screening results or classification data obtained through the Services for purposes unrelated to trade compliance;
(d) Share authentication credentials with Company except through authorized secure integration methods;
(e) Store highly sensitive authentication credentials in unencrypted form within Customer Data fields; or
(f) Use screening results or compliance information in a manner that violates applicable privacy, data protection, or anti-discrimination laws.
5. CUSTOMER RESPONSIBILITIES
5.1 Account Security and Access Control
Customer shall implement and maintain security measures appropriate to the sensitivity of Customer Data, including:
(a) Credential Management: Maintaining confidentiality of all account credentials and not sharing credentials except as necessary for legitimate business purposes with appropriate security controls.
(b) Password Policy: Implementing password policies requiring passwords that meet reasonable security standards.
(c) Multi-Factor Authentication: Enabling multi-factor authentication where made available by Company, particularly for administrative accounts.
(d) Breach Notification: Notifying Company at support@lenzo.ai within seventy-two (72) hours after discovering unauthorized access, unauthorized credential use, security breaches, or suspected system compromise. If discovery occurs outside business hours, the 72-hour period commences on the next business day. Company maintains an emergency security contact at support@lenzo.ai for urgent matters.
(e) Access Controls: Taking reasonable steps to prevent unauthorized access through Customer's systems and networks, including implementing appropriate network security, maintaining security patches, and educating users about security best practices.
(f) Role-Based Access: Limiting Authorized Users' access to features and data necessary for their legitimate job functions.
(g) Access Revocation: Promptly revoking access for Authorized Users who no longer require access, terminate employment, violate this Policy, or have potentially compromised credentials. Customer shall use commercially reasonable efforts to revoke access within twenty-four (24) hours.
(h) Access Review: Conducting periodic reviews of Authorized Users and access permissions at least annually.
5.2 Billing, Payment, and Financial Obligations
(a) Billing Information: Customer shall provide accurate, current billing information including valid payment methods.
(b) Information Updates: Customer shall promptly update billing information changes through the Platform or by contacting support@lenzo.ai.
(c) Payment of Fees: Customer shall pay all applicable fees according to the selected pricing plan:
Pricing Plans:
Starter Plan:
Annual: $1,188/year (equivalent to $99/month, billed annually as one payment)
Monthly: $119/month (billed monthly as recurring payments)
Professional Plan:
Annual: $2,388/year (equivalent to $199/month, billed annually as one payment)
Monthly: $239/month (billed monthly as recurring payments)
Premium Plan:
Annual: $11,988/year (equivalent to $999/month, billed annually as one payment)
Monthly: $1,199/month (billed monthly as recurring payments)
All fees are in U.S. Dollars. Annual subscriptions are billed in advance for the full twelve-month period. Monthly subscriptions are billed in advance on a recurring monthly basis.
(d) Liability for Charges: Customer is responsible for all charges incurred through Customer's account, except Customer shall not be liable for unauthorized charges occurring after timely notice to Company under Section 5.1(d) that result from a Security Incident for which Company is responsible under Section 6.1, or billing errors Customer reports within thirty (30) days that Company verifies as erroneous.
(e) Disputed Charges: Customer shall notify Company at support@lenzo.ai of disputed charges within thirty (30) days, including account information, specific charge disputed, basis for dispute, and supporting documentation. Company shall investigate and respond within fifteen (15) business days. During investigation, Company shall not suspend services for non-payment of disputed amounts, provided undisputed charges are paid when due.
(f) Taxes: Customer is responsible for all sales, use, value-added, and other taxes (excluding taxes based on Company's income) associated with purchase and use of the Services. If Company must collect such taxes, they will be invoiced unless Customer provides a valid tax exemption certificate.
5.3 Data Accuracy
Customer shall provide accurate information when configuring integrations to the extent within Customer's knowledge and control, review data for accuracy where material to business operations, correct material inaccuracies promptly, ensure Customer Data does not knowingly violate third-party rights, maintain appropriate backups, and verify data exports before relying on them for critical decisions.
5.4 Security Incident Reporting and Cooperation
(a) Reporting Obligation: Customer shall report suspected Security Incidents, unauthorized access, data breaches, or security concerns to Company at support@lenzo.ai within seventy-two (72) hours after discovery. The report should include nature and scope of incident, discovery date, potentially affected data, actions taken to contain the incident, and contact information. Updates shall be provided as additional information becomes available.
(b) Investigation Cooperation: Customer shall provide reasonable cooperation in investigating Security Incidents, including providing access to relevant logs and records, making knowledgeable personnel available, preserving evidence per legal requirements, and implementing recommended remediation where appropriate.
(c) Legal Compliance: Customer shall comply with applicable breach notification laws in Customer's jurisdiction.
(d) Responsible Disclosure: Customer shall not publicly disclose security vulnerabilities without first providing detailed information to Company, allowing Company ninety (90) days to remediate (or shorter period based on severity), and coordinating disclosure, except where immediate disclosure is required by law or necessary to protect against imminent substantial harm.
5.5 Third-Party Integration Compliance
Customer shall:
(a) Comply with terms of service and policies of third-party services integrated with the Services;
(b) Obtain and maintain necessary permissions to connect third-party services to the Services and allow Company to access data on Customer's behalf;
(c) Configure integrations using secure authentication methods, limit permission scope to minimum necessary, regularly review and rotate API keys, monitor for suspicious use, and promptly revoke unneeded integrations;
(d) Periodically review active integrations (at least annually), disconnect unneeded integrations, verify integrated services maintain appropriate security controls, and update configurations when third-party services change; and
(e) Acknowledge that third-party services may modify their APIs, terms, or availability, which may affect integration functionality. Company shall use commercially reasonable efforts to maintain compatibility but does not guarantee uninterrupted availability of any integration.
5.6 Authorized User Management
(a) Responsibility for User Actions: Customer is responsible for actions of Authorized Users to the extent such users are acting within the scope of authority granted by Customer, using credentials provided by Customer, or acting in a manner a reasonable person would have detected and prevented. Customer shall not be held responsible for unauthorized actions of rogue employees if Customer implemented security measures reasonably appropriate to Customer's size and resources and promptly took corrective action.
(b) Policy Education: Customer shall inform Authorized Users of obligations under this Policy, provide access to the Policy, implement appropriate onboarding procedures, and provide periodic reminders regarding policy requirements.
(c) User Monitoring: Customer shall monitor Authorized User activities to the extent reasonable and appropriate for Customer's organization, proportionate to data sensitivity and organization size.
(d) User Records: Customer shall maintain reasonably current records of Authorized Users, their contact information, access permissions, grant dates, and department affiliations.
(e) Access Revocation: Customer shall promptly remove or suspend access for Authorized Users who no longer require access, terminate employment, transfer to roles not requiring access, violate this Policy, have potentially compromised credentials, or are under investigation. Customer shall use commercially reasonable efforts to revoke access within twenty-four (24) hours.
(f) Periodic Access Review: Customer shall review Authorized User access at least annually to ensure access remains appropriate, no former employees retain access, administrative access is limited appropriately, and any anomalies are corrected.
(g) Reporting User Violations: Customer shall promptly report suspected policy violations by Authorized Users that may impact Services security, affect other customers, create legal risks for Company, or involve suspected criminal activity.
5.7 Customer's Sole Responsibility for Compliance Decisions
CUSTOMER ACKNOWLEDGES AND AGREES THAT:
(a) The Services are informational tools designed to assist with trade compliance workflows and do not constitute legal, regulatory, or compliance advice;
(b) Customer is solely responsible for all export, import, and trade compliance decisions, including but not limited to decisions regarding partner eligibility, product classifications, license requirements, and transaction approvals;
(c) Company does not guarantee the accuracy, completeness, or timeliness of any sanctions data, restricted party lists, regulatory information, or classification guidance provided through the Services;
(d) Customer must independently verify all screening results, classification recommendations, and regulatory information before making compliance decisions;
(e) Customer is solely responsible for understanding and complying with all applicable export control laws, sanctions regulations, customs requirements, and other trade compliance obligations in all relevant jurisdictions;
(f) Company shall not be liable for any fines, penalties, enforcement actions, or other consequences resulting from Customer's compliance decisions, including decisions based on information or results provided by the Services; and
(g) Customer should consult with qualified legal counsel and compliance professionals regarding specific trade compliance obligations and decisions.
6. DATA SECURITY AND PRIVACY
6.1 Company's Security Obligations
Company shall:
(a) Implement and maintain administrative, physical, and technical safeguards designed to protect Customer Data from unauthorized access, use, or disclosure;
(b) Encrypt Customer Data in transit using industry-standard protocols (TLS 1.2 or higher);
(c) Limit access to Customer Data to Company personnel who require such access to provide the Services or fulfill obligations under this Policy;
(d) Conduct regular security assessments and reviews of the Services;
(e) Maintain security practices that are reasonable and appropriate for a SaaS provider handling compliance data; and
(f) Provide security awareness training to Company personnel who have access to Customer Data.
6.2 Company's Breach Notification Obligations
In the event Company becomes aware of a Security Incident affecting Customer Data, Company shall:
(a) Notify Customer at the email address associated with Customer's account within seventy-two (72) hours of Company's confirmation of the Security Incident, unless a longer period is permitted by law;
(b) Provide Customer with available information regarding the nature and scope of the Security Incident, the types and approximate number of affected records, the discovery date, the likely consequences, and the measures taken or planned to address the incident;
(c) Take commercially reasonable steps to investigate, contain, remediate, prevent recurrence, and preserve evidence;
(d) Provide Customer with reasonable assistance in meeting Customer's breach notification obligations, including providing additional information, cooperating in investigations, and where required and feasible, assisting with notifications; and
(e) Coordinate with Customer regarding public statements, regulatory notifications, or communications concerning the Security Incident.
6.3 Allocation of Breach Costs
(a) Company shall be responsible for reasonable documented costs of notifying affected individuals and regulators in the event of a Security Incident resulting from Company's failure to implement security measures required under Section 6.1, up to an aggregate amount equal to fees paid by Customer in the twelve (12) months preceding the Security Incident, subject to the overall liability cap in Section 10.3.
(b) Customer shall be responsible for notification costs arising from Customer's failure to implement security measures under Section 5.1, compromised credentials Customer failed to secure, actions of Authorized Users violating this Policy, or Customer's failure to promptly report security incidents.
(c) For Security Incidents resulting from actions or omissions of both parties, costs shall be allocated equitably based on relative degrees of responsibility.
6.4 Customer Data Ownership and Privacy
(a) Data Ownership: Customer retains all ownership rights in Customer Data. Company does not acquire any rights except as necessary to provide the Services.
(b) Limited License: Customer grants Company a limited, non-exclusive license to access, process, store, and transmit Customer Data solely to provide the Services, perform support, comply with legal obligations, enforce this Policy, detect and prevent security incidents and fraud, and generate aggregated anonymized data as permitted below.
(c) Aggregated Data: Company may collect, use, and disclose aggregated, anonymized data derived from Customer Data for business purposes including improving the Services, conducting research, creating benchmarking reports, and training machine learning models, provided such data cannot reasonably identify Customer or any individual and does not reveal Customer's confidential business information in a manner harmful to Customer's business interests.
(d) Privacy Policy: Company's collection and use of personal information is governed by Company's Privacy Policy at lenzo.ai/privacy.
(e) Customer Privacy Obligations: Customer is solely responsible for providing necessary privacy notices, obtaining required consents, ensuring Customer's use complies with privacy laws, responding to data subject requests concerning Customer Data, and maintaining appropriate processing records.
(f) Children's Data: The Services are not directed to individuals under eighteen (18) years of age in the United States or under the applicable minimum age in other jurisdictions. Customer shall not use the Services to process personal information of minors without implementing appropriate safeguards and obtaining legally required consents.
6.5 Data Processing Compliance
(a) Data Processing Agreement: To the extent Customer Data includes personal information subject to GDPR, CCPA, or other data protection laws imposing specific obligations on processors or service providers, the parties' obligations are set forth in the Data Processing Agreement ("DPA") at lenzo.ai/dpa.
(b) Incorporation of DPA: The DPA is incorporated by reference and shall be binding to the extent applicable data protection laws require a written data processing agreement.
(c) Standard Contractual Clauses: For transfers of personal information from the EEA, UK, or Switzerland to jurisdictions lacking adequate data protection, Standard Contractual Clauses in the DPA shall apply as required by law.
(d) Data Controller/Processor Roles: Customer is the data controller with respect to personal information in Customer Data. Customer has provided all necessary notices and obtained required consents. Customer's processing instructions are set forth in this Policy, the Terms, and the DPA. Company acts as data processor and shall process personal information only on Customer's documented instructions except where required by law.
(e) Subprocessors: Company may engage third-party subprocessors to assist in providing the Services. Company maintains a list of subprocessors available upon request at support@lenzo.ai. Company shall impose data protection obligations on subprocessors substantially similar to those in this Policy and remain liable for subprocessor acts and omissions. Company shall provide Customer thirty (30) days' notice of new subprocessors or changes. Customer may object on reasonable data protection grounds within fifteen (15) days. If Company cannot accommodate the objection, Customer may terminate affected Services and receive a pro-rata refund of prepaid fees.
(f) Data Retention and Deletion: Upon termination, Customer may export Customer Data per Section 3.5(b). Company shall retain Customer Data for thirty (30) days, then delete or anonymize it per Company's data retention policies and applicable law, except where retention is required by law or necessary for legitimate business purposes. Upon request, Company shall provide written certification of deletion, which shall not apply to data in backup systems (deleted per backup retention schedules, typically within ninety (90) days).
7. COMPLIANCE OBLIGATIONS
7.1 Customer's Compliance Responsibilities
Customer is solely responsible for ensuring Customer's use of the Services complies with all laws, regulations, and standards applicable to Customer's business, including export control regulations, sanctions and trade compliance laws, customs and import regulations, data protection and privacy laws, anti-corruption and anti-bribery laws, industry-specific regulations, and employment laws. Customer acknowledges the Services are tools to assist with trade compliance monitoring and Customer remains solely responsible for all compliance decisions, regulatory obligations, and determinations regarding whether the Services suit Customer's regulatory requirements, implementing additional controls as necessary, maintaining required records and documentation, conducting required audits and certifications, training personnel on compliance requirements, and monitoring compliance. Customer shall not use the Services in any manner that would subject Company to regulatory oversight or licensing requirements beyond those applicable to Company as a general business software provider without Company's prior written consent.
7.2 Company's Compliance Commitments
Company shall maintain security practices designed to protect Customer Data per Section 6.1, comply with data protection laws in Company's role as processor per Section 6.5 and the DPA, process payment card information per applicable standards, comply with applicable U.S. laws, make available to Customer upon reasonable written request (no more than once per twelve months unless reasonable grounds exist) information necessary to verify Company's compliance (which Company may satisfy through third-party audit reports, certifications, or attestations, and Customer shall treat as confidential), notify Customer of material changes to security practices or compliance posture impacting Customer's use (with thirty days' advance notice where practicable), and maintain commercially reasonable business continuity and disaster recovery procedures.
7.3 No Warranty of Regulatory Compliance
(a) COMPANY DOES NOT WARRANT THAT THE SERVICES WILL MEET CUSTOMER'S SPECIFIC REGULATORY OR COMPLIANCE REQUIREMENTS, ENSURE CUSTOMER'S COMPLIANCE WITH ANY PARTICULAR LAW, REGULATION, OR STANDARD, OR THAT ANY SCREENING RESULTS, CLASSIFICATION GUIDANCE, OR REGULATORY INFORMATION PROVIDED THROUGH THE SERVICES WILL BE ACCURATE, COMPLETE, OR CURRENT.
(b) Company makes no representation regarding certification or compliance with specific frameworks (such as SOC 2, ISO 27001, PCI DSS, HIPAA, FedRAMP) unless expressly documented in a separate written agreement executed by both parties.
(c) Customer acknowledges regulatory requirements vary significantly, Customer is best positioned to understand its obligations, the Services are general-purpose tools that may be used across various industries and jurisdictions, Customer is responsible for assessing whether the Services are appropriate for Customer's needs and implementing additional controls as necessary, and Customer should consult legal counsel or compliance professionals regarding specific obligations.
(d) Nothing in this Section limits Company's obligations under Section 6.1 and Section 6.5.
7.4 Industry-Specific Considerations
(a) Defense and Aerospace: Customers in defense and aerospace industries acknowledge the Services are not specifically designed for ITAR-controlled technical data or classified information. Such customers are responsible for ensuring use complies with applicable defense trade control regulations.
(b) Healthcare: Customers in healthcare acknowledge the Services are not intended for processing protected health information under HIPAA without a separate Business Associate Agreement. Customer shall not use the Services to process protected health information without a fully executed Business Associate Agreement.
(c) Government: Government entity customers acknowledge the Services have not been certified under government-specific frameworks (such as FedRAMP or FISMA) unless expressly agreed in writing. Such customers are responsible for ensuring use complies with government procurement and security requirements.
(d) International: Customers outside the United States or processing data of non-U.S. individuals are responsible for ensuring use complies with applicable local laws, including data protection, privacy, and cross-border data transfer requirements.
7.5 Third-Party Data Sources Disclaimer
(a) THE SERVICES MAY INCORPORATE OR RELY UPON DATA FROM THIRD-PARTY SOURCES, INCLUDING BUT NOT LIMITED TO GOVERNMENT AGENCIES, SANCTIONS LIST PUBLISHERS, REGULATORY BODIES, AND DATA AGGREGATORS. COMPANY DOES NOT CONTROL THESE THIRD-PARTY SOURCES AND MAKES NO WARRANTY OR REPRESENTATION REGARDING THE ACCURACY, COMPLETENESS, TIMELINESS, OR RELIABILITY OF ANY THIRD-PARTY DATA.
(b) Company shall use commercially reasonable efforts to maintain current data sources but shall not be liable for delays, errors, or omissions in third-party data, including delays in sanctions list updates, regulatory changes, or other compliance-related information.
(c) Customer acknowledges that third-party data sources may change, become unavailable, or contain errors, and Customer is solely responsible for independently verifying all compliance-related information before making business decisions.
8. MONITORING AND ENFORCEMENT
8.1 Company's Monitoring Rights
Company reserves the right to monitor use of the Services to ensure Policy compliance, maintain security and integrity, detect and prevent fraud and illegal activity, troubleshoot technical issues, provide support, enforce intellectual property rights, comply with legal obligations, and protect rights and safety of Company, customers, and third parties. Monitoring may include employing automated systems to detect unusual activity and policy violations, analyzing usage patterns and resource consumption, maintaining system access and authentication logs, scanning for malware, monitoring API usage for rate limit compliance, and reviewing metadata and system information.
8.2 Customer Audit Rights
Upon reasonable written request to support@lenzo.ai, Customer may request documentation to verify Company's compliance with Section 6.1 (Security Obligations) and Section 6.5 (Data Processing Compliance). Requests are subject to frequency limitations and advance notice requirements, and Company may satisfy requests through third-party audit reports, certifications, completed questionnaires, documentation, conference calls, or on-site inspections at Company's discretion.
9. CONSEQUENCES OF VIOLATIONS
9.1 Investigation and Notice
Upon becoming aware of suspected violations, Company may investigate and shall provide Customer written notice of suspected violations at the email address associated with Customer's account, except where providing notice would compromise criminal investigations, Company is prohibited by law or court order, immediate suspension is necessary, or the violation is de minimis. Customer shall respond promptly to information requests, cooperate in good faith with investigations, take immediate action to cure violations, and provide written confirmation of remediation.
9.2 Suspension Rights
Company may immediately suspend access without prior notice if continued access poses an immediate substantial security threat, Customer's use is causing material harm to other customers, Company is required to suspend by law, Customer's account appears compromised, Company detects fraud or illegal activity, or Customer's use creates a substantial risk of legal liability. Company may suspend with reasonable prior notice for non-payment, material violations, repeated violations, or violations demonstrating willful disregard.
9.4 Termination Rights
Company may terminate Customer's account effective immediately upon written notice if Customer committed a material breach that is not curable or failed to cure, Customer repeatedly violated this Policy, Customer's use created an ongoing risk of material harm, Customer engaged in fraudulent or illegal activity, Customer violated intellectual property rights, Customer materially breached payment obligations, or Customer violated Section 4.1 or 4.2 demonstrating intentional misconduct.
10. LIMITATION OF LIABILITY
10.1 Warranty Disclaimer
EXCEPT AS EXPRESSLY SET FORTH IN SECTION 6.1 (COMPANY'S SECURITY OBLIGATIONS) AND SECTION 6.5 (DATA PROCESSING COMPLIANCE), THE SERVICES ARE PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, OR STATUTORY.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, COMPANY DISCLAIMS ALL WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT; WARRANTIES ARISING FROM COURSE OF DEALING OR USAGE OF TRADE; WARRANTIES THAT THE SERVICES WILL BE UNINTERRUPTED, ERROR-FREE, COMPLETELY SECURE, OR FREE FROM VIRUSES; WARRANTIES REGARDING ACCURACY, RELIABILITY, OR COMPLETENESS OF DATA PROVIDED THROUGH THE SERVICES; WARRANTIES THAT THE SERVICES WILL MEET CUSTOMER'S SPECIFIC REQUIREMENTS; WARRANTIES THAT DEFECTS WILL BE CORRECTED; AND WARRANTIES REGARDING AVAILABILITY OF THIRD-PARTY INTEGRATIONS.
COMPANY SPECIFICALLY DISCLAIMS ANY WARRANTY THAT: (A) SANCTIONS DATA, RESTRICTED PARTY LISTS, OR REGULATORY INFORMATION PROVIDED THROUGH THE SERVICES WILL BE ACCURATE, COMPLETE, OR CURRENT; (B) PRODUCT CLASSIFICATION GUIDANCE OR RECOMMENDATIONS WILL BE CORRECT OR COMPLIANT WITH APPLICABLE REGULATIONS; (C) THE SERVICES WILL IDENTIFY ALL RESTRICTED PARTIES, SANCTIONED ENTITIES, OR COMPLIANCE RISKS; (D) CUSTOMER'S USE OF THE SERVICES WILL RESULT IN COMPLIANCE WITH ANY APPLICABLE LAW OR REGULATION; OR (E) THE SERVICES WILL PREVENT ANY VIOLATION OF EXPORT CONTROL, SANCTIONS, OR OTHER TRADE COMPLIANCE LAWS.
CUSTOMER ACKNOWLEDGES THAT NO SYSTEM IS COMPLETELY SECURE OR ERROR-FREE, INTERNET-BASED SERVICES ARE SUBJECT TO DISRUPTIONS BEYOND COMPANY'S CONTROL, DATA TRANSMISSION OVER THE INTERNET IS NOT COMPLETELY SECURE, AND CUSTOMER'S USE IS AT CUSTOMER'S OWN RISK. CUSTOMER IS RESPONSIBLE FOR IMPLEMENTING APPROPRIATE BACKUP, SECURITY, AND BUSINESS CONTINUITY MEASURES.
COMPANY PROVIDES NO SERVICE LEVEL AGREEMENT (SLA) GUARANTEEING SPECIFIC UPTIME OR AVAILABILITY METRICS UNLESS EXPRESSLY PROVIDED IN A SEPARATE WRITTEN AGREEMENT.
SOME JURISDICTIONS DO NOT ALLOW EXCLUSION OF IMPLIED WARRANTIES, SO SOME EXCLUSIONS MAY NOT APPLY TO CUSTOMER TO THE EXTENT PROHIBITED BY LAW. IN SUCH JURISDICTIONS, WARRANTIES SHALL BE LIMITED TO THE MINIMUM EXTENT REQUIRED BY LAW.
10.3 Aggregate Liability Cap
TO THE MAXIMUM EXTENT PERMITTED BY LAW, THE TOTAL AGGREGATE LIABILITY OF COMPANY PARTIES ARISING OUT OF OR RELATING TO THIS POLICY OR THE SERVICES SHALL NOT EXCEED THE GREATER OF: (a) THE TOTAL AMOUNT OF FEES ACTUALLY PAID BY CUSTOMER TO COMPANY DURING THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO LIABILITY; OR (b) FIVE THOUSAND U.S. DOLLARS ($5,000).
11. CONTACT INFORMATION
11.1 General Contact
For all inquiries, reports, or communications related to this Policy, contact:
Email: support@lenzo.ai
Website: lenzo.ai
Legal Entity: Genio Group, Inc.
12. GENERAL PROVISIONS
12.1 Entire Agreement
This Policy, together with the Terms, the DPA (if applicable), and any other agreements expressly incorporated by reference, constitutes the entire agreement between Customer and Company regarding the subject matter of this Policy and supersedes all prior or contemporaneous understandings, agreements, representations, and warranties, whether written or oral.
12.12 Compliance with Laws
Both parties shall comply with all applicable federal, state, local, and international laws, regulations, ordinances, and other legal requirements in connection with their respective performance under this Policy, including export control laws, economic sanctions, anti-corruption and anti-bribery laws, data protection and privacy laws, consumer protection laws, employment and labor laws, and tax laws.
