Acceptable Use Policy
Rules for permitted and prohibited uses of Cap Orbit.
This Acceptable Use Policy (this "AUP") governs use of the Service provided by Cap Orbit (Cap Orbit, Inc., a Delaware corporation, "Cap Orbit", "we", "us", or "our"). This AUP is incorporated by reference into, and forms a part of, the Cap Orbit Terms of Service (the "Terms"). Capitalized terms used but not defined in this AUP have the meanings given to them in the Terms.
1. Purpose and Applicability
1.1. The Service is a productivity and drafting tool for institutional commercial real estate deal teams. It is offered to businesses only and is not intended for personal, household, or consumer use.
1.2. This AUP applies to the Customer and to every Authorized User. The Customer is responsible for ensuring that each of its Authorized Users understands and complies with this AUP, and the Customer is responsible for all activity that occurs under its account and seats. A violation of this AUP by an Authorized User is treated as a violation by the Customer.
1.3. This AUP applies to all use of the Service, including all Input submitted to the Service and all Output generated by the Service, and applies regardless of whether the Customer is on a Cap Orbit-hosted (Pro) plan or an Enterprise (bring-your-own-cloud) deployment.
2. Prohibited Uses
The Customer and its Authorized Users will not, and will not permit or assist any third party to, do any of the following.
2.1. Unlawful activity. Use the Service in violation of any applicable law, regulation, or order, or for any unlawful, fraudulent, deceptive, or harmful purpose.
2.2. Infringement. Use the Service to infringe, misappropriate, or violate the intellectual property, privacy, publicity, contractual, or other rights of any person.
2.3. Content the Customer lacks rights to. Upload, submit, or otherwise process through the Service any content that the Customer does not have all rights, licenses, consents, and authority necessary to provide and to have processed as contemplated by the Terms, including any third-party Personal Information.
2.4. Reverse engineering and model extraction. Reverse engineer, decompile, disassemble, or otherwise attempt to derive, extract, replicate, or reconstruct the source code, underlying artificial intelligence or machine-learning models, model weights, architecture, or training data of the Service, or use the Service or any Output to do so.
2.5. Circumventing controls. Circumvent, disable, or attempt to defeat any security feature, tenant isolation boundary, authentication or access control, rate limit, or usage restriction of the Service, or attempt to access any account, data, environment, or resource that the Customer is not authorized to access.
2.6. Scraping and abusive volumes. Use any automated means to scrape, crawl, harvest, or extract data from the Service except through interfaces and APIs we expressly make available for that purpose, or generate request volumes that are excessive, abusive, or that impair, overburden, or degrade the Service or its infrastructure.
2.7. Credential sharing. Share, transfer, or permit the use of seat credentials or access tokens by more than the single individual to whom a seat is assigned, or otherwise exceed the number of seats licensed under the applicable Order.
2.8. Competing models and services. Use the Service, any Input, or any Output to develop, train, or improve any artificial intelligence or machine-learning model, or to build or operate any product or service, that competes with the Service.
2.9. Malware and harmful code. Upload, submit, or transmit through the Service any virus, worm, ransomware, or other malicious or harmful code, or any material designed to interfere with the operation of, or to gain unauthorized access to, any system or data.
2.10. Fully automated decisions about individuals. Use the Service or any Output as the sole basis for any fully automated decision that produces a legal or similarly significant effect concerning an individual (for example, decisions about credit, housing, or employment), without meaningful human review and validation.
2.11. Out-of-scope special categories of data. Submit to the Service any of the following categories of data, which the Service is not designed to receive or process, unless separately agreed in writing with Cap Orbit: biometric identifiers as defined by applicable state biometric privacy laws (for example, the Illinois Biometric Information Privacy Act); payment card or full financial account access credentials subject to the Payment Card Industry Data Security Standard; and protected health information subject to the Health Insurance Portability and Accountability Act. Customer Content properly includes the deal and borrower financial materials described in the Terms and the Privacy Policy; this restriction addresses only the special categories named in this Section 2.11.
2.12. Export controls and sanctions. Use the Service in violation of any United States export-control or economic-sanctions law or regulation, including the Export Administration Regulations and the regulations administered by the Office of Foreign Assets Control. The Customer will not access the Service from, or provide access to the Service to any person in or ordinarily resident in, any country or territory subject to comprehensive United States embargo, and will not provide access to the Service to any party that is the subject of United States sanctions or that appears on any United States government restricted-party or denied-party list.
3. AI-Specific Responsible-Use Obligations
3.1. Human review before reliance. Output is generated by artificial intelligence, is produced probabilistically, and may be inaccurate, incomplete, outdated, or otherwise wrong, even where it appears authoritative. The Customer will maintain meaningful human review of Output and will have a qualified professional independently review and verify all Output before using or relying on it. The Customer is solely responsible for verifying Output and for all decisions, actions, and outcomes based on it.
3.2. No presentation as professional advice. The Customer will not present Output as, or rely on Output as a substitute for, professional advice. Output is not investment, underwriting, valuation, appraisal, accounting, tax, legal, brokerage, or regulatory advice, is not a substitute for independent due diligence, and use of the Service creates no fiduciary, advisory, brokerage, appraisal, or other professional relationship.
3.3. No deceptive or fraudulent materials. The Customer will not use the Service or any Output to create or disseminate materials that are deceptive, fraudulent, or misleading, including materials that misrepresent their AI-generated origin where that origin is material, or that are intended to deceive any counterparty, investor, lender, regulator, or other person.
3.4. Responsibility for use. The Customer is responsible for determining whether Output is appropriate for its intended use and for the Customer's compliance with all laws applicable to that use.
4. Security and Integrity Expectations
4.1. The Customer will use the Service in a manner that preserves the security and integrity of the Service and of the data within it. This includes safeguarding account and seat credentials, promptly deactivating access for individuals who are no longer Authorized Users, configuring the Customer's single sign-on and identity provider responsibly, and not interfering with or disrupting the Service or the networks or systems connected to it.
4.2. Reporting. The Customer and its Authorized Users will promptly report any suspected security vulnerability, security incident, unauthorized access, or other suspected misuse of the Service to our security contact at security@cap-orbit.com. The Customer will not publicly disclose any suspected vulnerability before we have had a reasonable opportunity to investigate and remediate it, and will not access, modify, or destroy data belonging to any other party, or degrade the Service, in the course of any security testing or research.
5. Enforcement and Changes
5.1. Consequences of violation. A violation of this AUP is a material breach of the Terms. We have no obligation to monitor use of the Service, but we may do so to enforce this AUP and to protect the Service and its users. We may investigate any suspected violation and may, consistent with the Terms, suspend or terminate access to the Service, in whole or in part, and remove or disable access to offending content. Where practicable and not prohibited by law or by the need to protect the Service or any person, we will seek to provide notice before suspending or terminating access. We may suspend access immediately and without prior notice where we reasonably determine that doing so is necessary to prevent ongoing harm, a security risk, a violation of law, or material harm to the Service or to others. Suspension or termination under this AUP does not relieve the Customer of its obligations under the Terms, including the indemnification obligations described in the Terms.
5.2. Relationship to other agreements. This AUP supplements, and does not limit, the Terms, the Privacy Policy, the Data Processing Addendum, and the Subprocessor List. The Customer's other obligations and representations under those documents, including its representations and warranties regarding rights, notices, and consents for Customer Content and its responsibility for its own regulatory obligations, continue to apply.
5.3. Changes to this AUP. We may update this AUP from time to time. When we make changes, we will revise the date below and, where the changes are material, provide notice as described in the Terms. The Customer's continued use of the Service after an update takes effect constitutes acceptance of the updated AUP.
Effective date: June 18, 2026.
(c) 2026 Cap Orbit