Responsible AI and Biometric Governance Policy
Effective Date: 15 June 2026 | Last Updated: 15 June 2026
1. Purpose
This Policy describes how VeryAI approaches responsible artificial intelligence and biometric data governance in connection with our palm-recognition biometric authentication service (the "Service"). It is intended to support our enterprise customers, their privacy, compliance and procurement teams, and our end users in understanding our governance approach.
This Policy supplements our Privacy Policy, Terms of Use, Data Processing Agreement (for enterprise customers) and applicable services agreement. Capitalised terms not defined here have the meanings given in those documents.
This Policy is intended to provide transparency regarding our governance approach. It does not constitute a certification, regulatory approval, conformity assessment, legal opinion or guarantee that a particular Customer deployment complies with applicable AI, biometric, privacy, consumer protection or sector-specific law.
This Policy includes two Annexes: Annex 1 (AI System Factsheet), summarising the Service for vendor diligence purposes, and Annex 2 (Customer-Specific Intended Application), which records the Customer Application and Intended Application approved by VeryAI for the specific Customer relationship to which this Policy is provided.
2. Who We Are
The Service is provided by Veros Inc, an exempted company incorporated with limited liability in the Cayman Islands with registration number OS-420535, operating under the VeryAI brand, together with such affiliates, sub-processors and other authorised service providers as Veros Inc engages from time to time in connection with the Customer relationship. References in this Policy to "VeryAI", "we", "us" and "our" are to the entity or entities providing the Service under the applicable Terms of Use, Data Processing Agreement, Service Agreement, Order Form or other Customer agreement.
3. The Service and Its AI Components
The Service supports biometric verification (one-to-one matching: confirming that a person presenting their palm is the same person who previously enrolled or is associated with the relevant account) and, where enabled by VeryAI, biometric identification (one-to-many matching against enrolled records). The Service is not provided as a surveillance tool. One-to-many matching is made available only subject to the applicable agreement, appropriate safeguards and Applicable Law. Internal fraud, duplicate-account, liveness and abuse-prevention checks are limited to protecting the security and integrity of the Service.
The Service includes supporting machine-learning components used for liveness detection (distinguishing a live palm presentation from a spoof attack), fraud detection (identifying patterns of abusive or fraudulent use), and quality assurance, debugging and service-integrity monitoring, including assessment of capture quality and failure modes for security, reliability and abuse-prevention purposes.
The Service does not currently include generative AI, large language models, chatbot models, emotion recognition, or biometric categorisation by sensitive attributes.
4. Our Approach to AI Governance
Our governance approach is built on the following principles:
- Purpose-limited. Each machine-learning component of the Service is designed for a defined function and is not repurposed without appropriate internal review.
- Transparent. We describe in our Privacy Policy and this Policy how the Service uses personal data and biometric data, and we make this Policy available to support enterprise customer diligence.
- Customer-aware. We recognise that our enterprise customers operate in different sectors and jurisdictions, and we work with them to support compliance with their applicable obligations.
- Bounded. We operate under clear restrictions on what data we use for AI development and what uses we authorise customers to make of the Service.
- Iterative. Where appropriate and technically feasible, we evaluate the Service across relevant operating conditions and use commercially reasonable efforts to identify, investigate and mitigate material performance, reliability, security or fairness issues.
5. Biometric Data and Training Restrictions
VeryAI does not use Customer Personal Data or Biometric Data to train, fine-tune, adapt or improve third-party AI models or general-purpose AI systems. Any internal improvement using Service data is limited to fraud-detection, liveness-detection, abuse-prevention, quality-assurance, debugging, audit and security mechanisms, and only where authorised by the applicable agreement, disclosed to end users where required, and permitted by Applicable Law.
Audit Images may be limited low-resolution images, crops or derived visual records retained for security, fraud prevention, liveness detection, quality assurance, debugging, audit and abuse-prevention purposes. VeryAI treats Audit Images as Biometric Data and/or sensitive personal information where required by Applicable Law.
VeryAI does not sell or share Customer Personal Data or Biometric Data for cross-context behavioural advertising, and does not use Customer Personal Data for advertising, targeted marketing or profiling for purposes other than fraud detection, security and the integrity of the Service.
To the extent that any data is used to develop, test, validate or improve the Service, VeryAI seeks to ensure that it is handled in accordance with applicable contractual, privacy, biometric and data protection requirements. Details of personal data processing are set out in the Privacy Policy and, for enterprise customers, the Data Processing Agreement.
6. Automated Authentication Signals and Customer Decisioning
The Service may generate automated authentication or verification signals. VeryAI does not intend those signals, by themselves, to be the sole legal or business decision-maker for Customer-side eligibility decisions. Where a Customer uses Service outputs in a workflow that produces legal or similarly significant effects on individuals, the Customer is responsible for implementing any required lawful basis, notice, human review, appeal or user-facing rights process, with VeryAI providing reasonable assistance as required by the applicable agreement.
7. Human Oversight
The Service is designed to support appropriate human oversight by providing authentication or verification outputs, logs and support channels where applicable. Customers are responsible for determining what human review or appeal process is required for their deployment context, and for integrating those processes into their Customer-side workflows.
8. Accuracy, Bias and Performance
Where appropriate and technically feasible, VeryAI evaluates the Service across relevant operating conditions and uses commercially reasonable efforts to identify, investigate and mitigate material performance, reliability, security or fairness issues.
VeryAI does not provide specific accuracy, demographic performance, bias audit or certification claims unless separately confirmed in writing.
We welcome reports from Customers and end users of suspected performance, reliability, security or fairness issues, which may be sent to the contact point set out below for investigation.
9. Security and Sub-processors
The Service is protected by technical and organisational measures described in the applicable Privacy Policy, Data Processing Agreement and/or customer security documentation, which may include encryption in transit and at rest, access controls, multi-factor authentication for internal access, segregated storage of biometric templates, logging and monitoring, as applicable to the Service and as implemented from time to time.
VeryAI may use sub-processors and third-party service providers in accordance with the applicable agreement and Data Processing Agreement. VeryAI does not authorise sub-processors to use Customer Personal Data or Biometric Data to train third-party AI models. Material sub-processors are subject to contractual obligations designed to protect the relevant data and support the Service.
10. Classification under AI-specific Laws
Classification of the Service under AI-specific laws, including Regulation (EU) 2024/1689 (the "EU AI Act"), depends on the actual deployment context, intended purpose, technical configuration and Customer use case.
VeryAI's current understanding is that one-to-one biometric verification (used solely to confirm that a person is who they claim to be) is generally treated differently under the EU AI Act and similar frameworks from one-to-many or remote biometric identification, which may attract additional obligations. Where the Service is used for one-to-many biometric identification, or in high-risk sectors or to determine access to important services, additional obligations may apply, and VeryAI makes such functionality available only subject to the applicable agreement, appropriate safeguards and the Customer's compliance with Applicable Law. This remains subject to the actual deployment context, evolving guidance and Applicable Law.
Where applicable to a particular deployment, VeryAI will work with the Customer to provide reasonable documentation and cooperation required under applicable AI, privacy and biometric laws, subject to the applicable agreement and protection of confidential, security-sensitive and proprietary information.
VeryAI may take account of recognised AI governance frameworks where appropriate, but this Policy should not be read as a certification of compliance with any particular voluntary framework.
11. Restricted Uses
Customers are authorised to use the Service only for the Intended Application set out in Annex 2 (Customer-Specific Intended Application) and in accordance with the applicable agreement.
Without limiting the foregoing, Customers should not use the Service for any of the following without prior written approval from VeryAI and appropriate legal review:
- one-to-many biometric identification, other than any one-to-many matching functionality made available by VeryAI as part of the Service and used in accordance with the applicable agreement and Applicable Law;
- surveillance or tracking of individuals;
- law enforcement use;
- worker monitoring, productivity surveillance, behavioural analytics, emotion recognition in the workplace, or HR decisioning (including hiring, firing, promotion, discipline, performance review or compensation), but excluding ordinary workforce identity, authentication, access control (physical or logical) and time-and-attendance use cases;
- eligibility determination or access scoring for credit, housing, education, insurance, healthcare or other essential public or private services, but excluding authentication of users who are already entitled to use such services;
- border, migration or asylum contexts;
- use cases where children are the primary data subjects of biometric processing;
- any prohibited, unlawful or high-risk use under applicable AI, biometric, privacy or consumer protection law; and
- developing, benchmarking, validating or improving competing biometric, identity verification, authentication or similar technology.
These restrictions are in addition to the use restrictions set out in our Terms of Use, Data Processing Agreement and applicable services agreement.
12. Incident Response
VeryAI maintains processes for identifying, investigating and responding to incidents affecting the security, reliability or integrity of the Service. Where an incident triggers notification obligations under Applicable Law or the applicable agreement, VeryAI will notify affected Customers or regulators as required. This Policy does not expand or replace the incident notification obligations in the Data Processing Agreement or applicable services agreement.
13. Relationship to Other Documents
This Policy is to be read together with our Privacy Policy, Terms of Use, Data Processing Agreement (for enterprise customers) and applicable services agreement. In the event of any conflict between this Policy and any of those documents, the order of precedence set out in the relevant agreement applies. Annex 1 (AI System Factsheet) and Annex 2 (Customer-Specific Intended Application) form part of this Policy.
14. Updates and Contact
We may update this Policy from time to time. The "Last Updated" date at the top reflects the most recent revision. Where changes are material, we will provide notice to Customers where required by the applicable agreement, our customary customer-notification practices or Applicable Law.
For questions or requests relating to this Policy, including in support of Customer diligence, please contact us at the email address provided to Customers under the applicable agreement.
Annex 1 — AI System Factsheet
Summary of the Service for vendor diligence purposes. To be read with the Responsible AI and Biometric Governance Policy above.
| Item | Description |
| --- | --- |
| System name | VeryAI palm-recognition biometric authentication Service. |
| Provider / contracting entity | The Service is provided by Veros Inc, an exempted company incorporated with limited liability in the Cayman Islands with registration number OS-420535, operating under the VeryAI brand, together with such affiliates, sub-processors and other authorised service providers as Veros Inc engages from time to time in connection with the Customer relationship. |
| Function | Biometric verification (one-to-one matching) and, where enabled by VeryAI, biometric identification (one-to-many matching against enrolled records). Not provided as a surveillance tool. Supporting machine-learning components for liveness detection, fraud detection and quality assurance / service-integrity monitoring. |
| Automated processing used | Machine-learning models for biometric matching (one-to-one and, where enabled, one-to-many), liveness detection, fraud detection and quality assurance / service-integrity monitoring. No generative AI, large language models, chatbots, emotion recognition or biometric categorisation by sensitive attributes. |
| Data categories | Palm Images (transient), Palm Models, Audit Images, Pseudonymous Account Identifier, authentication and activity logs, device information, optional email address. See Privacy Policy and Data Processing Agreement for full description. |
| Biometric data handling | Palm Images deleted immediately after Palm Model generation. Palm Models stored encrypted in segregated database. Audit Images treated as Biometric Data and/or sensitive personal information where required by Applicable Law. |
| Model training position | No use of Customer Personal Data or Biometric Data to train third-party AI models or general-purpose AI systems. Internal improvement limited to fraud-detection, liveness-detection, abuse-prevention, quality-assurance, debugging, audit and security mechanisms. |
| Human oversight allocation | Service provides authentication or verification signals. Customer is responsible for human review, appeal and user-facing rights processes in the Customer's deployment context. |
| Customer responsibilities | Lawful basis; notices and consents; Customer-side human oversight; deployment-specific risk assessment; use within agreed scope; compliance with restricted-use list. |
| Restricted uses | See Restricted Uses section of the Policy above. |
| Security / governance controls | Technical and organisational measures described in the applicable Privacy Policy, Data Processing Agreement and/or customer security documentation, which may include encryption in transit and at rest, access controls, multi-factor authentication for internal access, segregated storage of biometric templates, and logging and monitoring, as applicable to the Service and as implemented from time to time. |
| Retention summary | Palm Images: deleted on Palm Model generation. Palm Models, Audit Images and other categories: as set out in the Privacy Policy and Data Processing Agreement. |
| Regulatory classification note | Classification depends on the actual deployment context, intended purpose, technical configuration and Customer use case. One-to-one verification is generally treated differently under the EU AI Act and similar frameworks from one-to-many or remote biometric identification, which may attract additional obligations. One-to-many functionality is made available only subject to the applicable agreement, appropriate safeguards and Applicable Law. This remains subject to evolving guidance and Applicable Law. |
| Contact point | The email address provided to Customers under the applicable agreement, or as published by VeryAI from time to time. |