EVENHAND LLC — ACCEPTABLE USE POLICY

Effective Date: May 21, 2026 Last Updated: May 21, 2026

Reader's Note

This Acceptable Use Policy (the "AUP") governs your use of the Evenhand platform operated by Evenhand LLC, a Washington limited liability company ("Evenhand," "we," "us," or "our"). It is incorporated into our Terms of Service available at https://evenhandhq.com/terms (the "Terms") and forms part of the legal agreement between you and Evenhand. Capitalized terms not defined in this AUP have the meanings given in the Terms.

By accessing or using the Platform, you agree to comply with this AUP. Violation of this AUP may result in suspension or termination of your account, removal of content, forfeiture of fees, civil claims, criminal referral, and reporting to applicable authorities, including law enforcement, banking and financing partners affected by misconduct, and professional licensing bodies.

This AUP supplements — and does not limit — the conduct restrictions in the Terms. Where this AUP and the Terms conflict, the Terms control unless this AUP imposes a stricter standard, in which case the stricter standard applies.

1. Purpose and Scope

1.1 Why This AUP Exists

Evenhand is a deal management platform for the lower middle market and small business mergers and acquisitions. Deal Participants exchange offers, financial records, confidential business information, and integrity-bearing signals (attestations, prequalification confirmations, fit scores) on which other parties rely to make significant economic decisions. Misconduct on the Platform — fabricated documents, false offers, identity misrepresentation, integrity-signal abuse — does not merely violate Evenhand's terms; it can defraud sellers, mislead buyers, expose lenders and service providers to liability, and undermine market confidence in the broader M&A ecosystem.

This AUP sets out the conduct standards we require of every User. It is non-exhaustive. The fact that a particular act is not specifically listed below does not mean it is permitted; if conduct violates the spirit of this AUP or the Terms, it is prohibited.

1.2 Who This AUP Applies To

This AUP applies to every User of the Platform regardless of role, including:

• Broker Users (Brokers, Brokerage Administrators, Brokerage Managers);
• Buyers (whether invited or accessing under a Buyer Self-Serve QoE Subscription);
• Sellers (including Direct Sellers);
• Service Providers;
• Post-Close Observers;
• Holders of API tokens, MCP delegate tokens, and Webhook endpoint credentials; and
• Any individual or system acting on behalf of any of the foregoing.

It also applies to your use of any output of the Platform — including AI-generated extractions, QoE outputs, fit-scoring signals, verified-financing badges, comparison matrices, and audit logs — wherever you display, transmit, or rely on that output.

1.3 Geographic Scope

The Platform is offered only in the United States (see Section 1.4 of the Terms). This AUP applies to your activities on the Platform regardless of where you access from. Conduct that is lawful in a non-U.S. jurisdiction but prohibited by U.S. law or this AUP is prohibited.

2. Prohibited Content

You will not submit, upload, store, transmit, publish, or make available through the Platform any content that:

• contains malware, viruses, worms, Trojan horses, ransomware, keyloggers, spyware, cryptocurrency miners, or any other malicious code or executable payloads, including such content embedded in uploaded documents, spreadsheets, image files, or attachments;
• infringes, misappropriates, or violates the intellectual property, publicity, privacy, contractual, or other rights of any third party, including by uploading documents you do not have the legal right to share;
• contains personal information of any individual that the individual has not consented to your sharing for the relevant Deal purpose (e.g., undisclosed customer lists obtained from a prior employer in violation of restrictive covenants);
• contains Protected Health Information ("PHI") subject to the Health Insurance Portability and Accountability Act ("HIPAA"), full payment card numbers, full Social Security Numbers or other government identifiers not necessary for the Deal, financial account credentials (other than information uploaded to authorized OAuth integrations), or biometric identifiers;
• contains information classified as "Controlled Unclassified Information," ITAR-controlled technical data, or any export-controlled material (see Section 12);
• contains child sexual abuse material ("CSAM"), non-consensual intimate imagery, or any other content that is illegal under U.S. federal or state law;
• contains material designed to harass, threaten, defame, or incite violence against any individual;
• contains hateful content targeting individuals on the basis of race, ethnicity, national origin, religion, disability, gender, gender identity, sexual orientation, or other protected characteristics under U.S. federal or state law;
• consists of advertising, marketing, or promotional content for products or services unrelated to the Deal or to legitimate Platform use; or
• is otherwise unlawful or violates the Terms, this AUP, or any policy referenced in either.

We may, but are not obligated to, scan uploaded content for malware and for compliance with this Section 2. The presence of such scanning does not relieve you of responsibility for the content you upload.

3. Prohibited Activities — Platform Integrity

Because the Platform mediates real economic transactions involving significant sums, integrity violations are the most serious form of misconduct under this AUP. The activities below are flatly prohibited and will result in immediate suspension upon credible report or detection, regardless of intent.

3.1 False or Forged Documents

You will not:

• submit forged, altered, manipulated, or fabricated prequalification letters, proof-of-funds statements, term sheets, financing commitment letters, bank statements, tax returns, audited financial statements, customer contracts, employment agreements, or any other document on which any other Deal Participant or Evenhand may rely;
• alter the apparent date, amount, signatory, letterhead, account number, or any other material fact of a document before uploading;
• misrepresent the source, custodian, or authenticity of any document; or
• replay, reuse, or recycle prequalification or financing documents for Deals to which they do not apply or after the documents have expired.

Evenhand uses heuristic forgery-detection signals to flag suspect prequalification documents and conducts issuer-confirmation email outreach (see Section 11 below). Documents flagged or contradicted by an issuer confirmation are subject to removal, the badge to which they entitled the User is subject to revocation, and the User who submitted them is subject to account suspension and reporting.

3.2 False or Non-Bona Fide Offers

You will not:

• submit an offer that you do not have the present intention or the present capacity to perform;
• submit an offer for the purpose of obtaining confidential information about the seller or the business with no genuine intent to close;
• submit shill, decoy, stalking-horse, or coordinated bids on behalf of a third party without disclosure;
• submit duplicate offers under multiple accounts or aliases to manipulate the comparison matrix or competitive-position signals;
• modify offers immediately before or after viewing competing offers' confidential terms with the intent to circumvent the hybrid disclosure auction-theory protections (see Terms §3.3); or
• engage in collusive bidding with other Buyers (whether through direct agreement, signaling, or any other coordination) to depress price or otherwise rig the bidding process.

Every offer submission requires acceptance of an in-product attestation (Terms §5.5). False attestations expose the attesting party to fraud claims, contractual indemnification, and potential criminal liability. Evenhand will preserve attestation records and, in response to a lawful subpoena or compulsory process, produce them.

3.3 Falsified Financial Data and QoE Manipulation

You will not:

• upload to a Deal financial data that you know to be inaccurate, fabricated, or materially misleading;
• alter exported QoE outputs and represent the altered outputs as Platform outputs;
• circumvent the append-only QoE upload mechanism by attempting to delete, edit, or backdate prior uploads, mask the supersedes chain, or otherwise hide the fact that an earlier version existed (see Terms §8); or
• use the QoE features to "stress test" the Platform with fictitious data on a live Deal in a manner that would mislead other Deal Participants.

If you discover that financial data you have uploaded contains errors, the correct response is to upload a corrected version (which will supersede the prior version with a documented supersedes chain), not to delete the original or attempt to alter the audit log.

3.4 Identity Misrepresentation

You will not:

• create an account using a false name, a false email address, a false business identity, or stolen credentials;
• impersonate any other person, including any other User, any officer or employee of Evenhand, any officer or employee of a Brokerage, any issuer of financing or other documents, or any government official;
• create multiple accounts in violation of the single-account-per-individual rule in Terms §4.4 (one Clerk identity per human; family or device sharing is not permitted);
• transfer or sell your account or any access token associated with your account to any other person; or
• access the Platform under an account belonging to another User.

3.5 Multi-Role Gaming

The Platform detects when a single network identifier (IP address) is used to sign in as both a Broker User and a Deal Participant on the same Deal. The resulting multi-role collision flag is advisory; the underlying conduct may or may not be prohibited depending on disclosure and context. However:

• You will not use a single account or device to participate as both a Broker User and a Deal Participant on the same Deal, except where (i) you have disclosed the dual role to all other parties to the Deal in writing, and (ii) such dual role is permitted by your professional and contractual obligations.
• You will not use VPN rotation, proxy services, residential proxies, or other network obfuscation techniques for the purpose of evading collision detection.
• You will not coordinate with another individual to act as your nominee, alter-ego, or front for a role that you are professionally or contractually prohibited from holding.

3.6 Service Provider Conflicts of Interest

If you are a Service Provider, you will:

• disclose any actual, potential, or apparent conflict of interest to the Brokerage and to every Deal Participant relying on your services before accepting an engagement;
• not represent both buyer and seller in the same Deal unless dual representation is permitted by your professional obligations and is consented to in writing by both parties; and
• comply with all professional, regulatory, and ethical obligations applicable to your discipline (legal, accounting, banking, valuation, etc.).

Evenhand surfaces COI signals (e.g., when a Service Provider is associated with both buyer-side and seller-side parties in the same Deal) for the use of the Brokerage and the Deal Participants. These signals are advisory. The Service Provider is solely responsible for the substantive determination of whether a conflict exists and whether disclosure or recusal is required.

3.7 Confidentiality Violations

You will not, in violation of any non-disclosure agreement to which you are bound (click-through, master, or otherwise) and regardless of whether such NDA is enforceable in a particular jurisdiction:

• disclose, transmit, publish, or share Confidential Information, Deal Data, or any output of the Platform that includes Confidential Information with any person not authorized to receive it under the applicable NDA;
• export, screenshot, photograph, transcribe, or otherwise reproduce Confidential Information for the purpose of avoiding the access-control and audit-log mechanisms of the Platform;
• use Confidential Information of a Deal you participated in to compete with the seller's business, solicit the seller's customers or employees, or otherwise act in a manner inconsistent with the NDA's purpose; or
• contact a seller, their employees, customers, suppliers, or counterparties outside the Platform on the basis of information learned through the Platform unless explicitly authorized to do so.

The Seller Confidentiality Register, when in use, captures named-individual access to Deal Data for the Seller's awareness. Acceptance of an invitation to a Deal constitutes consent to such logging.

3.8 Issuer Confirmation Process Abuse

You will not:

• send a forged confirmation email to a Buyer or to Evenhand purporting to be an issuer of a prequalification document or financing commitment when you are not such an issuer;
• represent to an issuer that Evenhand or the Buyer has authorized you to confirm a document when no such authorization exists;
• pressure, harass, or improperly influence an issuer in the course of the confirmation process;
• use information obtained from the issuer-confirmation process (issuer contact information, email content) for any purpose other than verification of the document at issue; or
• circumvent the issuer-confirmation process by providing alternative or false issuer contact information.

4. Prohibited Activities — Security

4.1 Unauthorized Access

You will not:

• access or attempt to access any portion of the Platform, any User's account, any Deal, or any data to which you have not been expressly granted access by Evenhand, the relevant Brokerage, the relevant Deal Participant, or these policies;
• exploit, attempt to exploit, or assist a third party in exploiting any vulnerability in the Platform — including authorization bypass, IDOR, SQL injection, server-side request forgery, deserialization, or any technique not specifically enumerated;
• bypass, disable, or circumvent any access-control mechanism, including row-level security boundaries, organization isolation, OAuth scopes, MCP permission grants, or cross-tenant probes;
• bypass, disable, or circumvent rate limits, Cloudflare Turnstile challenges, IP-based protections, or any other anti-abuse mechanism;
• access the Platform other than through interfaces and protocols expressly authorized in the documentation (the user interface; the public REST API at /api/v1/; the MCP server at /api/mcp/v1/server over OAuth 2.1 with PKCE); or
• use credentials, session tokens, or API tokens obtained without authorization, including via phishing, credential stuffing, password reset abuse, session hijacking, or social engineering.

4.2 Credential Discipline

You will:

• maintain the confidentiality of your account credentials, including password, MFA seeds or hardware factors, and recovery codes;
• enable multi-factor authentication where available and required, and use phishing-resistant factors (e.g., hardware security keys, platform authenticators) where supported;
• never share API tokens, MCP refresh tokens, MCP access tokens, or Webhook signing secrets with any other person, except as expressly necessary for the operation of authorized integrations under the control of the same User or Brokerage;
• promptly rotate compromised credentials and notify security@evenhandhq.com of any known or suspected compromise; and
• not store unencrypted credentials in source code repositories, configuration files, or any location accessible to unauthorized persons.

4.3 Account Sharing

You will not share account credentials or active sessions with any other individual. Each human User must have their own account. Brokerage subscriptions are licensed per seat; do not assign one seat to a role inbox or to a team. If you need to delegate a task, use the in-product role-assignment, deal-invitation, or delegated-MCP-access mechanism appropriate to the task.

4.4 Responsible Disclosure of Vulnerabilities

If you discover or suspect a security vulnerability in the Platform, do not exploit it, do not access data belonging to other Users, do not exfiltrate data, and do not engage in self-help measures. Instead, report the vulnerability promptly to security@evenhandhq.com following the procedures published at https://evenhandhq.com/security. Good-faith research conducted in compliance with that page is covered by the safe harbor described there. Activity that exceeds the safe harbor is treated as unauthorized access.

5. Prohibited Activities — Technical and API/MCP/Webhook Abuse

5.1 Rate Limits and Volumetric Abuse

You will not:

• exceed the published rate limits for the API, the MCP server, the user interface, or any other Platform interface;
• evade rate limiting by rotating credentials, IPs, user agents, or accounts, or by distributing requests across multiple accounts you control;
• generate volumetric traffic — including bulk reads, bulk searches, automated polling, or scraping — beyond the patterns reasonably necessary for the legitimate use of the Platform;
• send malformed, oversize, or maliciously crafted requests intended to cause errors, resource exhaustion, denial of service, or unintended behavior; or
• engage in denial-of-service or distributed denial-of-service attacks against the Platform, against any User, or against any infrastructure provider whose service supports the Platform.

5.2 Scraping and Bulk Data Extraction

You will not:

• use robots, spiders, crawlers, headless browsers, or any other automated means to extract content from the Platform that is not reasonably accessible through the documented API and MCP interfaces;
• aggregate, compile, or republish Platform data for the purpose of building a competing service, training a generative model that competes with Evenhand, or providing data licensing to third parties; or
• circumvent the licensing restrictions in Terms §6.2 (Aggregated Data) by attempting to re-identify de-identified data or recombine fragments to reconstruct prohibited datasets.

5.3 API and MCP Discipline

You will:

• use API and MCP access only for the legitimate operation of the Brokerage's or User's business as authorized by the Terms;
• treat API tokens and MCP tokens as secrets (see Section 4.2);
• store MCP refresh tokens securely on the device or service that obtained them; not share them across machines, organizations, or users;
• abide by published scopes; do not attempt to escalate privileges through token exchange, race conditions, or scope-confused parsers; and
• comply with the deprecation schedule for any endpoint or feature, including the ninety (90) day deprecation notice procedure described in Terms §14.

If you are operating an MCP client on behalf of an end-user (e.g., a third-party assistant that obtained delegated access through OAuth 2.1 with PKCE), you are responsible for ensuring that your client honors the end-user's permission grants and revocations and that you do not retain or replay tokens beyond their authorized use.

5.4 Webhook Endpoints

If you configure a Webhook endpoint to receive outbound event payloads:

• you are solely responsible for the security of that endpoint, including TLS configuration, authentication, validation of the signing secret, and protection of the data it receives;
• you must validate the HMAC signature on every received payload and reject payloads that fail validation;
• you may not abuse the retry behavior of the Webhook system, including by intentionally returning errors to cause replay storms; and
• you must promptly disable or rotate any Webhook endpoint or signing secret known or suspected to be compromised.

5.5 Reverse Engineering and Decompilation

You will not reverse-engineer, decompile, disassemble, or otherwise attempt to derive the source code, underlying ideas, algorithms, file formats, or non-public APIs of the Platform, except to the limited extent that applicable law expressly permits despite this prohibition. You will not use the Platform for benchmarking against competing products or for the purpose of building a competing product.

6. Prohibited Activities — AI Misuse

6.1 AI Feature Scope

The Platform uses third-party large language model services (currently Anthropic's API; see Privacy Policy §5) for AI-assisted features, including PDF extraction of financial documents, structured-data column mapping, and content summarization. This Section 6 applies to your interactions with those features and to your use of their outputs.

6.2 Restricted Inputs

You will not submit through any AI-assisted feature:

• content that you would not be permitted to upload under Section 2 (no malware, CSAM, PHI, etc.);
• prompts or documents designed to extract another User's data, model weights, training data, or system instructions ("prompt injection");
• instructions intended to cause the AI service to produce unlawful, deceptive, or harmful output, including instructions to fabricate financial data, generate forged documents, or impersonate a person; or
• content that you do not have the legal right to submit to a third-party AI service.

Documents you upload for AI processing are transmitted to Anthropic (or any successor AI sub-processor disclosed in the Privacy Policy) for processing. By using these features, you authorize that transmission for the purpose of providing the requested service.

6.3 Output Discipline

Outputs of the AI-assisted features (extracted line items, suggested column mappings, summaries, normalization suggestions, anomaly flags) are decision-support outputs. They are subject to the no-reliance disclaimer in Terms §6.5. You will:

• review AI-generated outputs before relying on them for any material decision;
• not represent to any other party that AI-generated outputs are reviewed, audited, or verified by Evenhand;
• not submit AI-generated outputs as your own independent work product in a context where you are professionally obligated to perform that work (e.g., a CPA's quality of earnings opinion);
• correct or supersede AI-generated outputs that you identify as inaccurate using the append-only correction mechanism rather than by manual edit or deletion; and
• not use AI-generated outputs in violation of any of the restrictions in this AUP or the Terms.

6.4 No Training of External Models on Platform Content

You will not use Platform content (your own User Content, other Users' content shared with you under access controls, AI-generated outputs, or any Aggregated Data made available to you) to train, fine-tune, distill, or otherwise improve any machine-learning model not operated by Evenhand. This includes both general-purpose foundation models and special-purpose extraction or analysis models, regardless of whether the model is open weights, closed weights, or any other modality. This restriction is in addition to and not in lieu of the licensing restrictions in Terms §6.

6.5 Reporting AI Misuse and Hallucinations

If you observe an AI-assisted output that is materially inaccurate, fabricates data not present in the source document, exhibits prompt-injection symptoms, or otherwise appears compromised, please report it to support@evenhandhq.com with the relevant Deal identifier and a description of the issue. These reports help us improve safety and quality.

7. Prohibited Activities — Communications

7.1 Permissible Use of Email and Notification Channels

Evenhand sends transactional emails relating to the operation of the Platform, including issuer confirmation requests, invitation emails, attestation reminders, billing notices, and security alerts. You will not:

• use the Platform's email or notification channels to send unsolicited marketing communications, chain letters, surveys, recruiting messages, or other content unrelated to the legitimate business of the Deal;
• send messages, comments, or attachments to other Users that contain harassment, threats, defamation, racial or sexual epithets, or other content that would violate Section 2;
• use the Platform to phish, social-engineer, or otherwise defraud other Users;
• spoof email headers, alter signed message bodies, or otherwise misrepresent the origin or integrity of any communication; or
• use the Platform as part of any scheme to harvest email addresses, phone numbers, or other contact information of Users for use outside the Platform.

7.2 Direct Communications Between Users

The Platform may facilitate direct communication between Users in connection with a Deal (e.g., in-app comments, document annotations). Conduct in those channels is subject to this AUP. Evenhand reserves the right to remove content that violates this AUP or the Terms, including without prior notice in the case of severe or repeated violations.

7.3 Anti-Spam and CAN-SPAM Compliance

If you use any feature of the Platform to send mass communications (which is generally not permitted under Section 7.1), you must comply with all applicable anti-spam laws, including the U.S. CAN-SPAM Act of 2003 (15 U.S.C. §§ 7701 et seq.), the Telephone Consumer Protection Act of 1991 (47 U.S.C. § 227), and analogous state laws.

8. Prohibited Activities — Legal and Regulatory Misconduct

You will not use the Platform:

• in connection with any transaction, party, or counterparty subject to sanctions administered by the U.S. Office of Foreign Assets Control ("OFAC"), including parties on the Specially Designated Nationals and Blocked Persons List, the Sectoral Sanctions Identifications List, the Foreign Sanctions Evaders List, or any other sanctions list maintained by OFAC or by the U.S. Department of State;
• in connection with any country, region, or territory subject to comprehensive U.S. economic sanctions or embargoes (which presently include Cuba, Iran, North Korea, Syria, the Crimea region of Ukraine, the so-called Donetsk and Luhansk regions of Ukraine, and Russia, subject to applicable general and specific licenses);
• to facilitate money laundering, terrorist financing, tax evasion, or any other violation of the Bank Secrecy Act, the USA PATRIOT Act, or analogous laws;
• to facilitate fraud, including securities fraud, wire fraud, bank fraud, or fraud on consumers;
• to violate U.S. export control laws, including the Export Administration Regulations, the International Traffic in Arms Regulations, and any country, end-user, or end-use-based prohibition;
• to violate any applicable antitrust or competition law, including engaging in collusive bidding, price fixing, market allocation, or bid rigging (also addressed in Section 3.2);
• to violate any professional licensing requirement, including the unauthorized practice of law, accountancy, real-estate brokerage, business brokerage, securities-broker activity, money transmission, or investment advisory work;
• to violate any contractual obligation, including a non-compete, non-solicitation, confidentiality, or fiduciary duty owed to a third party (e.g., a former employer); or
• to violate any other applicable U.S. federal, state, or local law.

Evenhand reserves the right to report suspected violations to applicable authorities and to cooperate with law enforcement, regulators, and self-regulatory bodies in investigations of misconduct.

9. Confidentiality, Trade Secrets, and Data Protection Obligations

This Section 9 supplements (and does not replace) the confidentiality provisions of Terms §10 and any applicable click-through NDA.

You will:

• treat Confidential Information (as defined in the Terms) of other Deal Participants with at least the degree of care you apply to your own confidential information of like sensitivity, and in no event with less than reasonable care;
• limit internal access to Confidential Information to individuals with a need to know in connection with the Deal and who are bound by written confidentiality obligations at least as protective as those in Terms §10;
• not use Confidential Information for any purpose other than evaluation and completion of the Deal for which it was disclosed;
• not retain copies of Confidential Information after the Deal closes, terminates, or your participation ends, except (i) within the Platform per Evenhand's retention schedule, (ii) backup or archival copies created in the ordinary course that are not actively used, or (iii) to the limited extent required by law, regulation, or professional obligation; and
• protect any personal information you process in connection with the Deal in compliance with all applicable U.S. federal and state privacy laws.

If you are a recipient of Confidential Information that is reasonably expected to constitute a trade secret of the disclosing party (e.g., source code, customer lists, manufacturing processes, proprietary algorithms), your obligations with respect to that trade secret continue indefinitely under both this AUP and applicable trade-secret law.

10. Aggregated Data and De-Identified Data Misuse

Evenhand may make available certain Aggregated Data outputs (e.g., benchmarks, market reports, summary statistics) derived from Platform usage. You will not:

• attempt to re-identify any individual, Deal, business, or party from Aggregated Data;
• combine Aggregated Data with other datasets in your possession for the purpose of re-identification;
• represent Aggregated Data as containing information about a specific identifiable party; or
• use Aggregated Data in violation of Terms §6.2 (which prohibits, among other things, training third-party base models, targeted competitor sublicensing, and recombination to reconstruct prohibited datasets).

11. Issuer Confirmation Channel Abuse

The Platform sends confirmation emails to financing issuers (lenders, banks, family offices, equity sources) named in prequalification or proof-of-funds documents submitted by Buyers. This Section 11 governs use of that channel.

You will not:

• name a fictitious issuer or fictitious issuer contact in any document you submit;
• pre-emptively contact a named issuer to coach, prepare, or instruct them as to how to respond to the confirmation email;
• intercept, redirect, or impersonate the issuer in the confirmation response;
• use issuer contact information learned through the confirmation process for any purpose other than verification of the specific document at issue; or
• harass, retaliate against, or threaten an issuer who declines to confirm, who confirms partially, or who provides information contrary to the Buyer's representation.

Issuers who receive confirmation emails are not obligated to respond. The absence of a confirmation is not, by itself, evidence of forgery; it may simply indicate that the issuer chose not to participate. Evenhand will surface the response status (confirmed / declined / no response / contradicted) to the relying Buyer or Seller and to the Broker as part of the integrity-signal feature set.

12. Export Controls and Restricted-Party Screening

You represent and warrant on a continuing basis that:

• you are not located in, organized under the laws of, or ordinarily resident in any country, territory, or region subject to comprehensive U.S. sanctions;
• you are not identified on, and are not owned (50% or more in the aggregate) or controlled by any party on, the OFAC Specially Designated Nationals List, the Sectoral Sanctions Identifications List, the Foreign Sanctions Evaders List, the U.S. Department of Commerce Entity List, the Denied Persons List, the Unverified List, or any other U.S. government list of prohibited or restricted parties;
• you are not engaged in any activity described in Section 8 above; and
• you will not transfer Platform functionality, AI outputs, technical data, or any other Platform content to any party or country in violation of U.S. export control laws.

If your status changes during the term of your use of the Platform, you will notify Evenhand promptly at legal@evenhandhq.com and cease use of the Platform pending resolution.

13. Reporting Violations

If you observe or suspect a violation of this AUP, please report it promptly:

• For active fraud, integrity violations, or attestation concerns: integrity@evenhandhq.com
• For security vulnerabilities: security@evenhandhq.com (see Section 4.4)
• For content violations (harassment, inappropriate material, etc.): abuse@evenhandhq.com
• For general policy questions: legal@evenhandhq.com

Reports should include (i) a description of the suspected conduct, (ii) the User account(s), Deal(s), and date(s) involved to the extent known, and (iii) any supporting evidence. Reports made in good faith will be treated confidentially to the extent reasonably practicable. Knowingly false reports submitted to harass another User or to gain a competitive advantage are themselves a violation of this AUP.

Evenhand will use reasonable efforts to investigate timely reports but does not guarantee a particular outcome, timeline, or remedy.

14. Enforcement

14.1 Range of Responses

Evenhand may, in its sole discretion and without prior notice in cases involving urgent risk, take any of the following actions in response to a violation or suspected violation of this AUP:

• issue a written warning;
• require corrective action (e.g., re-uploading a forgery-free document; removing prohibited content);
• temporarily suspend access to all or part of the Platform;
• terminate the violating account, with or without notice depending on severity;
• terminate the underlying Brokerage Subscription or Buyer Self-Serve QoE Subscription with forfeiture of paid fees per Terms §12 and §19;
• revoke verified-financing or other integrity badges associated with the violating activity;
• preserve evidence and audit logs in support of investigation and downstream proceedings;
• notify affected Users (other Deal Participants, Brokerages, issuers, etc.) of the violation to the extent reasonably necessary for them to protect themselves;
• report the violation to applicable law enforcement, regulators, financial institutions, professional licensing bodies, or other authorities;
• pursue civil claims, including for breach of contract, fraud, indemnification under Terms §16, or any other applicable cause of action; and
• take any other action permitted by the Terms or by applicable law.

14.2 No Obligation to Act; No Waiver

Evenhand has no obligation to monitor, investigate, or take action with respect to any particular conduct. Evenhand's decision not to act in a particular instance is not a waiver of its rights with respect to that instance or any future instance.

14.3 Cooperation

You will cooperate in good faith with any investigation by Evenhand, including by providing requested information, preserving relevant records, making yourself available for interview, and refraining from spoliation. Failure to cooperate may itself constitute a violation of this AUP.

15. Changes to This AUP

We may update this AUP from time to time. When we make changes, we will:

• update the "Last Updated" date at the top;
• post the revised AUP at https://evenhandhq.com/acceptable-use;
• maintain a history of changes at https://evenhandhq.com/acceptable-use/history; and
• for Brokerages with active subscriptions, provide at least thirty (30) days' prior written notice of material changes via email to the address associated with the Brokerage Account.

A "material change" is one that meaningfully expands the scope of prohibited conduct, expands the enforcement remedies, or otherwise reduces your rights. Editorial, clarifying, or examples-only changes are not material. Your continued use of the Platform after the effective date of a revised AUP constitutes acceptance of the revised AUP.

16. Contact

For questions about this AUP, contact:

Evenhand LLC Attn: Legal [Physical address — to be inserted] Washington, United States

• Legal questions: legal@evenhandhq.com
• Integrity / fraud reports: integrity@evenhandhq.com
• Security reports: security@evenhandhq.com
• Content / abuse reports: abuse@evenhandhq.com
• General support: support@evenhandhq.com

This Acceptable Use Policy governs use of the Evenhand platform as of the Effective Date.