Acceptable Use Policy

How AriaPLT™ must, and must not, be used.

This Acceptable Use Policy (the "AUP") sets out the conduct, safety and security standards that apply to all use of the AriaPLT™ industrial AgenticAI platform (the "Platform") by Customers, Authorised Users, Affiliates, contractors and any other person accessing or operating the Platform. The AUP is an integral part of the Terms of Service (the "ToS") and the Master Services Agreement (the "MSA"). Violation of this AUP constitutes a material breach of the Agreement and entitles SINAURA S.R.L. ("SINAURA") to suspend, throttle or terminate access without prior notice, subject to the proportionality and right-to-be-heard provisions of §07.

Version 1.1 · Effective date: 16 May 2026 · Reference: ToS Art. 05 · MSA §1.3 · DPA · GDPR (Reg. (EU) 2016/679) · EU AI Act (Reg. 2024/1689) · NIS2 (Dir. 2022/2555) · D.Lgs. 138/2024 · Data Act (Reg. (EU) 2023/2854) · Dual-use (Reg. (EU) 2021/821) · Machinery Reg. (EU) 2023/1230 · IEC 61508 / 61511 · ISO 27001

01 · SCOPE AND APPLICATION

Summary: This AUP applies to all use of AriaPLT™. It is structured in three tiers: universal standards, high-risk industrial use-case requirements, and additional guidelines. Violations trigger enforcement under §08.

1.1 — This AUP applies to every Customer, Authorised User, Affiliate, contractor and any other person submitting Inputs to, configuring, integrating, deploying or otherwise operating the Platform, regardless of Subscription tier (including Evaluation Accounts, paid Subscriptions and Beta / Labs Features).

1.2 — Capitalised terms used and not otherwise defined in this AUP have the meaning ascribed to them in the ToS or in the MSA. In case of conflict between this AUP and the ToS or the MSA, the order of precedence set out in §11.10 of the MSA applies.

1.3 — This AUP is structured in three tiers, modelled on industry best practice:

• (I) Universal Standards — apply to all users of the Platform at all times.
• (II) High-Risk Industrial Use Case Requirements — apply where the Customer integrates the Platform into safety-critical, mission-critical or regulated industrial workflows.
• (III) Additional Guidelines — apply to specific deployment patterns, including agentic automation and integrations with operational-technology (OT) systems.

1.4 — This AUP supplements and does not replace the Customer's and Authorised Users' statutory, regulatory and contractual obligations. In case of conflict between this AUP and any other standard applicable to the Customer (including sector-specific safety, environmental, cybersecurity or data-protection law), the standard providing the higher level of protection for persons, the environment, critical infrastructure and the Platform shall prevail.

1.5 — The processing of personal data carried out by SINAURA in connection with the Platform — including telemetry, audit logs, security monitoring and incident-response data — is governed by the SINAURA Privacy Policy available at sinauragroup.com/en/legal/platform-privacy-policy and by the Data Processing Agreement (DPA) executed between the parties, which form an integral part of the Agreement and are incorporated herein by reference.

1.6 — The Platform is intended for professional, business-to-business use in industrial environments. It is not directed at, and shall not be made accessible to, natural persons under 18 years of age.

1.7 — The English version of this AUP is the prevailing one. Any translation made available by SINAURA is provided as a courtesy and has no contractual value in case of discrepancy with the English text.

02 · UNIVERSAL STANDARDS — PROHIBITED USES

Summary: All users must comply with these standards at all times. The list is non-exhaustive: any use that contradicts the spirit of this AUP is also prohibited.

You must not use the Platform, the Agents, the APIs, the Outputs or any information obtained through the Platform for any of the activities listed below. The list is non-exhaustive.

2.1 — Industrial AI Safety and Critical Infrastructure

• Generate Outputs intended to disrupt, sabotage or impair the safe operation of industrial facilities, including power generation, transmission and distribution, water and wastewater systems, oil & gas extraction, refining, pipelines, chemical and petrochemical plants, transport (rail, maritime, aviation, road), telecommunications, healthcare facilities, food production and any other entity covered by Directive (EU) 2022/2555 (NIS2) or by Italian D.Lgs. 138/2024.
• Use the Platform to design, implement or operate procedures, code, set-points or control logic that would foreseeably cause loss of containment, runaway reaction, structural failure, explosion, fire, flooding, electrical fault, mechanical damage, environmental release or any other catastrophic industrial event.
• Generate or deploy Agents that bypass, disable or override Safety Instrumented Systems (SIS), Emergency Shutdown Systems (ESD), interlocks, alarms, permits-to-work, lock-out / tag-out (LOTO) procedures, functional-safety controls (IEC 61508, IEC 61511, ISO 13849), or any other engineered safety barrier.
• Use the Platform to instruct, calibrate, control or modify safety-critical components (relief valves, blow-down systems, fire-and-gas detectors, machinery guards) without explicit human authorisation by a qualified engineer.

2.2 — Unauthorised Manipulation of Plants, Equipment and Production Systems

• Use the Platform or the Agents to issue commands, set-points, recipes or configuration changes to PLCs, DCS, SCADA, MES, CMMS, ERP, BMS or any other industrial control system without the Customer's documented authorisation, change-management approval and applicable Management of Change (MoC) procedure.
• Execute write operations, parameter changes, firmware updates, configuration uploads or remote-control actions on machinery, production lines or utility systems outside the scope of the integration declared by the Customer and approved through the Customer's change-management process.
• Connect the Platform to operational-technology (OT) networks that are not properly segmented from the IT network in accordance with the Customer's own cybersecurity architecture (e.g., Purdue model, IEC 62443 zone-and-conduit model).
• Use the Agents to autonomously trigger irreversible actions (start-up, shutdown, batch changeover, mass-balance update, financial transaction, regulatory submission) on production systems without a human approval step recorded in the audit trail.

2.3 — Human-in-the-Loop Bypass for Critical Actions

• Deploy or configure the Platform so as to execute, without human-in-the-loop review and explicit approval, actions that may: (i) endanger human life, health or safety; (ii) cause material environmental impact; (iii) result in significant property damage; (iv) trigger regulatory notification obligations; (v) materially affect product quality, batch integrity or compliance with applicable standards.
• Disable, remove or otherwise circumvent the human-confirmation prompts, approval workflows, dual-control mechanisms or supervisor sign-off procedures provided by the Platform or by integrated Customer Systems.
• Use the Agents in fully autonomous mode for any decision that, if executed incorrectly, cannot be reversed within a reasonable time and without operational, safety or financial consequences.

› The Agents are designed as decision-support tools requiring human review. They are not, by themselves, decision-makers within the meaning of Art. 22 GDPR.

2.4 — Cybersecurity Compromise

• Attempt to gain unauthorised access to the Platform, to other Customers' workspaces, to the underlying infrastructure, to the source code of the Agents or to any non-public component of SINAURA's systems.
• Probe, scan, port-sweep, fuzz, fingerprint, reverse-engineer or otherwise test the security of the Platform without prior written authorisation from SINAURA under a written penetration-test agreement.
• Develop, distribute or deploy through the Platform any malware, ransomware, worm, virus, rootkit, spyware, keylogger, credential-stuffing tool, botnet command-and-control, persistence implant or other malicious code.
• Use the Platform to facilitate unauthorised network intrusion, lateral movement, privilege escalation, data exfiltration or denial-of-service against any computer, network, OT system or industrial asset, whether or not owned by the Customer.
• Bypass, disable or interfere with rate limits, quotas, MFA, RBAC, tenant segregation, audit trails, telemetry, anomaly detection or any other security control of the Platform.
• Use the Platform to plan, automate or assist any cyber-attack against critical infrastructure, supply chains, vendors or business partners.

2.5 — Industrial Data Protection

• Upload, process or generate Output containing trade secrets, recipes, formulations, process parameters, control logic, P&IDs, plant schematics, intellectual property, proprietary specifications or personal data belonging to third parties without all necessary rights, authorisations and consents.
• Upload special categories of personal data within the meaning of Art. 9 GDPR (health, biometric, ethnic, religious, trade-union) without a prior written agreement with SINAURA and a documented Data Protection Impact Assessment (DPIA). The DPIA is and remains an obligation of the Customer in its capacity as controller pursuant to Art. 35 GDPR; SINAURA shall provide reasonable assistance in its capacity as processor pursuant to Art. 28(3)(f) GDPR.
• Use the Platform to aggregate, correlate, profile or re-identify individuals from operational, telemetry or sensor data, unless the Customer has a clear legal basis under the GDPR and the use case complies with Art. 22 GDPR.
• Use the Platform to perform predictive surveillance of workers (productivity scoring, emotion recognition, biometric monitoring) in violation of Art. 5 of the EU AI Act, of Italian Workers' Statute (Art. 4 L. 300/1970, including the prior trade-union agreement or, in its absence, the prior authorisation of the territorial Labour Inspectorate – Ispettorato Territoriale del Lavoro) or of equivalent worker-protection laws of the applicable jurisdiction.
• Upload Customer Data that the Customer is not entitled to share with a Processor under the applicable confidentiality, contractual or regulatory obligations.

2.6 — Limits on AI Output Use

• Represent an Output as having been produced by a human professional, or otherwise omit disclosure that AI was used to generate or materially shape advice, recommendations, calculations or content, where such disclosure is required by law (including Art. 50 EU AI Act) or by professional practice.
• Rely on Outputs for safety-critical decisions without independent verification by a qualified human operator, engineer or other competent professional.
• Use Outputs as the sole basis for regulatory submissions, compliance certifications, safety-case approvals or other determinations that require human professional judgment under applicable law (e.g., notified-body certifications, Inspectorate reports, environmental impact assessments, technical files under the Machinery Regulation (EU) 2023/1230).
• Use Outputs to mislead End Users, regulators, customers, employees or the public about the nature, source or accuracy of information.
• Publish Outputs containing references, citations, datasheets, technical standards or regulatory clauses without verifying that the cited material actually exists and is correctly represented (the Customer remains responsible for AI hallucinations in published material).

2.7 — Intellectual Property and Anti-Plagiarism

• Use the Platform, the Agents, the Outputs, the prompts, the workflows, the look-and-feel, the documentation or any other proprietary element of AriaPLT™ to design, develop, train, benchmark or launch a product, service, agent, model or interface that is identical or substantially similar to AriaPLT™ — as further detailed in Art. 19 of the ToS (Anti-Plagiarism).
• Train, fine-tune or distil generalist AI models, foundation models, voice models or other large-scale models on Outputs, agent behaviour, prompts or any other content obtained from the Platform.
• Infringe, misappropriate or otherwise violate any third party's intellectual property rights (copyright, patent, trademark, design, trade secret, sui generis database rights) through Inputs or Outputs.
• Register or use trademarks, domain names, trade dress, designs or copyrights that are identical, confusingly similar or evocative of AriaPLT™, SINAURA™ or Sinaura Group™ in any jurisdiction worldwide.
• Use Inputs or Outputs in disregard of the text-and-data-mining reservation expressed by SINAURA pursuant to Art. 4(3) of Directive (EU) 2019/790 on copyright in the Digital Single Market: all proprietary content of the Platform (including Agents, prompts, documentation, look-and-feel and Outputs) is expressly reserved against any text-and-data-mining use for AI training or model development purposes.

2.8 — EU AI Act Article 5 Prohibited Practices

• Deploy AI techniques that materially distort behaviour through subliminal, manipulative or deceptive means likely to cause significant harm.
• Exploit vulnerabilities of specific groups of natural persons (age, disability, socio-economic situation) to materially distort their behaviour.
• Implement social-scoring systems that classify natural persons based on social behaviour or personal characteristics, leading to detrimental or unfavourable treatment.
• Conduct untargeted scraping of facial images from the internet or CCTV footage to create or expand facial-recognition databases.
• Operate emotion-recognition systems in workplace or educational settings, except where required for medical or safety reasons and authorised by law.
• Implement biometric categorisation that classifies natural persons by sensitive characteristics (race, political opinions, trade-union membership, religion, sexual orientation).
• Perform real-time remote biometric identification of natural persons in publicly accessible spaces for law-enforcement purposes (save the narrow exceptions of Art. 5(1)(h) AI Act).
• Predict the risk of a natural person committing a criminal offence based solely on profiling or personality traits.

2.9 — Illegal Activities

• Use the Platform for any activity that violates applicable law, including criminal law, anti-corruption law (Italian D.Lgs. 231/2001, UK Bribery Act, U.S. FCPA), competition law, environmental law, occupational-safety law (Italian D.Lgs. 81/2008), product-safety law or consumer-protection law.
• Use the Platform to facilitate fraud, money laundering, terrorism financing, tax evasion, market manipulation, insider trading or other financial crimes.
• Generate or distribute defamatory, harassing, threatening or discriminatory content directed at any individual or group based on protected attributes.
• Engage in any activity that violates export-control or sanctions regimes (EU Reg. 2021/821, U.S. EAR, ITAR, OFAC, UN sanctions), as further detailed in Art. 14 of the ToS.

2.10 — Weapons, Dual-Use and Hazardous Goods

• Use the Platform to design, manufacture, modify or test weapons (including conventional, chemical, biological, radiological or nuclear weapons), explosives, ammunition or weaponised drones.
• Use the Platform to circumvent regulatory controls on dual-use items, military goods, controlled chemicals or hazardous materials.
• Use the Platform to plan or operate critical infrastructure or industrial activities in violation of applicable safety, environmental or licensing regimes.

2.11 — Privacy and Impersonation

• Use the Platform to impersonate any natural or legal person, organisation, brand, public official or AriaPLT™ itself, or to misrepresent the source or authorship of communications.
• Use Outputs to generate synthetic media (deepfakes) depicting real individuals without their informed consent or without complying with Art. 50 EU AI Act labelling obligations.
• Collect, store or process biometric data, location data, communication metadata or other sensitive personal data through the Platform without a clear legal basis under applicable data-protection law.

2.12 — Platform Abuse

• Create multiple Accounts or use multiple Evaluation Accounts to circumvent rate limits, quotas, pricing tiers, security controls or prior suspension / termination of an Account.
• Share, sell, lease, sub-licence or transfer named credentials or API keys, or use API keys outside the systems and integrations declared by the Customer (see also Art. 03 of the ToS).
• Engage in prompt injection, jailbreak techniques, system-prompt extraction, output-leak attacks or any other technique designed to cause the Agents to violate this AUP, the ToS or applicable law.
• Use the Platform to facilitate violation of this AUP by any other party.
• Engage in model-extraction attacks or training-data-extraction attacks aimed at reconstructing, inferring, stealing or otherwise deriving the parameters, weights, architecture, training data, system prompts or other proprietary characteristics of the Agents or of the underlying models, including through systematic querying, distillation, membership-inference, model-inversion or any analogous technique.

03 · HIGH-RISK INDUSTRIAL USE CASE REQUIREMENTS

Summary: When AriaPLT™ is integrated into safety-critical, mission-critical or regulated industrial workflows, the Customer must implement additional safeguards including human-in-the-loop, disclosure and engineering validation.

3.1 — This Section applies whenever the Customer integrates the Platform — directly or indirectly through Authorised Users, contractors or downstream systems — into use cases that pose an elevated risk of harm to humans, the environment, property or compliance posture. Such use cases include without limitation:

• operations on or in proximity to safety-instrumented systems (SIL-rated SIS, ESD, F&G);
• control or monitoring of hazardous-materials handling (oil & gas extraction, refining, petrochemical, chemicals, nuclear);
• process automation impacting product safety, environmental compliance or worker safety;
• predictive maintenance recommendations affecting equipment relied upon for personnel safety;
• AI-assisted decisions regarding access, work permits, hot-work authorisations or confined-space entry;
• operations on facilities classified as Operators of Essential Services or Important Entities under NIS2 / D.Lgs. 138/2024;
• use cases falling within Annex III of the EU AI Act (critical infrastructure, employment, access to essential services, law enforcement).

Required safeguards

3.2 — Human-in-the-loop. The Customer shall ensure that a qualified human operator, engineer or competent professional reviews every Output that informs a safety-critical, mission-critical or regulated decision before the decision is finalised, executed or communicated. The human reviewer must have the authority and the means to reject or modify the Output.

3.3 — Disclosure. Where Outputs are presented directly to End Users, the Customer shall disclose that AI is used to produce or shape advice, recommendations or decisions, at a minimum at the beginning of each session, and in accordance with Art. 50 of the EU AI Act.

3.4 — Engineering validation. Before deploying the Agents in safety-critical or regulated contexts, the Customer shall validate the configuration, prompts and Output behaviour through documented testing, risk assessment (e.g., HAZOP, LOPA, FMEA), functional-safety analysis (IEC 61508 / 61511 / ISO 13849) and change-management procedures appropriate to the criticality of the use case.

3.5 — Post-deployment monitoring. The Customer shall continuously monitor the Outputs in production, maintain an audit trail of human approvals, log all anomalies and report material issues to SINAURA at info@sinauragroup.com without undue delay and in any case within 72 hours of detection. The Customer's autonomous obligations under Art. 33 GDPR (notification of personal data breaches to the competent supervisory authority within 72 hours of awareness) and under Art. 25 of D.Lgs. 138/2024 (NIS2 incident-reporting obligations applicable to the Customer in its own capacity) remain unaffected and shall be discharged by the Customer in accordance with the timelines provided therein.

3.6 — Operator competence. The Customer shall ensure that all personnel operating the Platform in high-risk contexts have received training appropriate to the criticality of the use case and to the limitations of AI-generated content (including hallucination, miscalibration and out-of-distribution behaviour).

04 · CUSTOMER AND AUTHORISED-USER RESPONSIBILITIES

Without prejudice to any obligations set out in the ToS or the MSA, the Customer and its Authorised Users are responsible for:

• ensuring the lawfulness, accuracy, integrity and quality of all Customer Data and Inputs;
• maintaining adequate human-in-the-loop controls for any action taken on the basis of an Output;
• documenting the configurations, prompts, workflows and approvals applied to the Agents;
• monitoring Agent decisions and Outputs, and intervening promptly where a deviation from expected behaviour is detected;
• complying with sector-specific regulations (industrial safety, environmental, financial, pharma, healthcare, food, transport) applicable to the Customer's use of the Platform;
• training personnel on the safe and appropriate use of AI-assisted decision support, including the limits of AI Outputs and the risk of hallucination;
• promptly notifying SINAURA of any suspected security incident, unauthorised access, abnormal Agent behaviour, or other event that may indicate a breach of this AUP;
• complying with the obligations of deployer or provider under the EU AI Act where the Customer's use case is high-risk (Art. 6 and Annex III AI Act);
• ensuring that contractors, vendors and any third parties accessing the Platform on behalf of the Customer are bound by terms no less protective than this AUP;
• maintaining and keeping up-to-date an internal inventory of the use cases for which the Customer deploys the Platform, including their classification under the risk tiers of the EU AI Act (prohibited, high-risk, limited-risk, minimal-risk, general-purpose AI), and making such inventory available to SINAURA on reasonable request in the event of a regulatory inquiry, audit or investigation;
• cooperating in good faith with SINAURA in case of requests, inspections or investigations by competent authorities, including the Italian Data Protection Authority (Garante per la protezione dei dati personali), the Italian National Cybersecurity Agency (ACN), the AI Office, the Labour Inspectorate (ITL), ANAC and any other sector-specific authority.

05 · ADDITIONAL GUIDELINES

5.1 — Agentic use cases

Where the Platform is used to drive autonomous or semi-autonomous workflows (chained Agent calls, tool use, retrieval-augmented generation, code execution, automated actions on Customer Systems), the Customer shall maintain a documented control plane including: (i) explicit scope of authorised tools and actions; (ii) automated guardrails on irreversible or high-impact actions; (iii) human-confirmation steps at critical junctures; (iv) full audit trail of decisions and actions; (v) circuit-breakers to halt the Agent in case of detected anomalies.

5.2 — Integrations with OT systems

Integrations between the Platform and operational-technology systems (PLC, DCS, SCADA, MES, BMS, IoT gateways) shall be implemented through read-mostly patterns wherever possible. Write operations to control systems shall be governed by explicit authorisation rules, change-management approval and an additional human-confirmation step within the OT environment, regardless of any approval recorded inside the Platform.

5.3 — Synthetic media and AI labelling

Where Outputs include images, audio, video or other synthetic media depicting real persons, places or events, the Customer shall ensure compliance with Art. 50 of the EU AI Act and apply the technical labelling means provided by SINAURA (digital signatures and metadata on Outputs).

5.4 — Beta / Labs Features

Beta / Labs Features (Art. 09 of the ToS) shall not be used for production, safety-critical or business-critical workflows. The Customer's use of Beta / Labs Features is at its own risk and outside the scope of any SLA.

06 · SINAURA COMMITMENTS

SINAURA, on its side, undertakes to:

• design and operate the Platform in alignment with the technical and organisational measures set out in Annex 1 of the DPA (TOMs) and with the NIS2 Directive (Reg. (EU) 2022/2555) in its role as ICT service provider;
• make available human-confirmation primitives, audit-trail logging, role-based access control, tenant segregation, output signing and other safety/security mechanisms required for compliant industrial use;
• support the Customer's compliance with the EU AI Act through transparency tooling, model documentation and accessible logs;
• implement detection and monitoring to identify usage incompatible with this AUP, including prompt-injection attempts, automated abuse, capacity-exhaustion attacks and cross-tenant probing;
• operate a channel for the reporting of security vulnerabilities affecting the Platform through the contact details indicated in §10;
• maintain an up-to-date list of authorised subprocessors at sinauragroup.com/en/legal/dpa#annex-3-authorised-sub-processors; the Customer's right of objection to new or replacement subprocessors is governed by the DPA;
• implement, within the limits of applicability of Regulation (EU) 2023/2854 (Data Act) to the service, the access-by-design and data-portability requirements provided therein, starting from 12 September 2026, in respect of new functionalities developed after that date.

07 · ENFORCEMENT

7.1 — Monitoring. SINAURA's Safeguards Team implements detection and monitoring to enforce this AUP. Detected violations may result in throttling, suspension, termination of access, removal of offending content, modification of Outputs or other measures appropriate to the severity of the violation. Enforcement measures shall be applied on a proportionate and graduated basis (notice → throttling → suspension → content removal → termination), taking into account the severity of the violation, its persistence, its reversibility and the actual or potential harm caused.

7.2 — Severity. SINAURA classifies AUP violations by severity, taking into account the actual or potential harm to humans, environment, property, the Customer, third parties or SINAURA. Severe violations — including those affecting safety, critical infrastructure or cybersecurity — entitle SINAURA to immediate suspension or termination without prior notice.

By way of clarification, the right of SINAURA to act without prior notice applies exclusively where: (i) there is an imminent risk to persons, safety, the environment, critical infrastructure or the integrity, confidentiality or availability of the Platform; (ii) SINAURA is required to do so by an order, injunction or instruction of a competent authority or court; or (iii) a Severe Violation as defined in this §7.2 has occurred.

In all other cases, the procedure set out in §7.6 shall apply.

7.3 — Reporting to authorities. Where required by law — including incident-reporting obligations under Art. 25 of D.Lgs. 138/2024 (NIS2), personal-data breach notification under Art. 33 GDPR, reporting of serious incidents under Art. 73 of the EU AI Act and applicable criminal-law obligations — SINAURA shall report violations to the competent authorities and shall cooperate with law-enforcement investigations.

7.4 — Customer remediation. Upon notice of a suspected violation, SINAURA may request the Customer to provide information, modify configurations, remove offending Inputs or Outputs, or otherwise remediate the violation within the following SLAs, calculated from receipt of SINAURA's notice:

• Critical severity: within 24 hours;
• High severity: within 72 hours;
• Medium severity: within 5 business days.

Failure to remediate within the applicable SLA constitutes a material breach of the Agreement.

7.5 — Survival of remedies. Enforcement actions under this AUP are without prejudice to SINAURA's right to seek damages, indemnification, injunctive relief, liquidated damages or any other remedy available under the Agreement or applicable law, including under Art. 11 (Indemnification), Art. 19 (Anti-Plagiarism) and Art. 20 (NDA and Lockout) of the ToS.

7.6 — Right to be heard. Save in the cases of imminent risk, authority order or Severe Violation expressly covered by §7.2, before applying any suspension, termination or other materially adverse enforcement measure SINAURA shall: (i) notify the Customer in writing (including by email to the contact address on file) of the suspected violation, identifying the conduct, the clauses of this AUP allegedly breached and the enforcement measure envisaged; (ii) grant the Customer no less than five (5) business days to submit observations, evidence and remediation proposals; (iii) assess the Customer's response in good faith before adopting the final enforcement measure.

This procedure is intended to ensure the proportionate and good-faith exercise of SINAURA's enforcement powers, consistently with the general principles of Italian contract law (including Artt. 1175, 1366 and 1375 of the Italian Civil Code).

7.7 — Survival. The obligations of confidentiality, intellectual-property protection, maintenance of audit trails, reporting of violations and cooperation with SINAURA and competent authorities, as well as the provisions concerning indemnification and limitation of liability, shall survive the suspension, termination or expiration of the Agreement to the extent necessary to give them effect.

08 · REPORTING VIOLATIONS

If you become aware of any use of the Platform that violates this AUP, including model outputs that are potentially inaccurate, biased, unsafe or unlawful, please notify SINAURA promptly through one of the following channels:

SINAURA will acknowledge receipt of reports submitted through the other channels above within five (5) business days and will provide updates to the reporter where appropriate and legally permitted.

09 · UPDATES TO THIS AUP

9.1 — Reasons for updates. SINAURA may update this AUP from time to time to reflect: (i) changes in applicable law or regulatory guidance (including the EU AI Act, NIS2, the Data Act, the Machinery Regulation and sector-specific safety standards); (ii) the evolution of the Platform and of its functionalities; (iii) emerging operational, security or safety risks; (iv) decisions, recommendations or guidelines issued by competent authorities.

9.2 — Material amendments. An amendment is "material" if it objectively: (a) reduces the rights or permissions of the Customer; (b) increases the obligations or liabilities of the Customer; (c) introduces new categories of prohibited conduct; or (d) materially modifies the enforcement regime set out in §07. Material amendments shall be notified to the Customer at least thirty (30) days in advance by email to the contact address on file and through update of sinauragroup.com/en/legal/aup. During such 30-day notice period the Customer shall have the right to terminate the Agreement, with effect at the latest on the date of entry into force of the amendment, without any termination charge or penalty, by written notice to SINAURA. Failure to terminate within the notice period shall constitute tacit acceptance of the amendment.

9.3 — Non-material amendments. Amendments that do not qualify as material under §9.2 — including editorial corrections, clarifications, updates of references to standards and regulations, and addition of examples — are effective upon publication on sinauragroup.com/en/legal/aup and shall be reflected in the change-log.

9.4 — Version history. SINAURA shall maintain and keep accessible at sinauragroup.com/en/legal/aup an archive of the previous versions of this AUP together with a change-log describing the modifications introduced in each version.

10 · CONTACT

For questions, comments or feedback regarding this AUP:

© 2026 SINAURA S.R.L. · AriaPLT™ and Sinaura™ are registered trademarks of SINAURA S.R.L · Version 1.1 · Last updated: 16 May 2026