AML policy.

1. Purpose

Arizet Labs ME Limited ("the Company") is committed to preventing money laundering, terrorist financing, and other financial crimes. This policy outlines the Company's framework for identifying, assessing, and mitigating such risks in full compliance with the EU Anti-Money Laundering Directives (AMLD4/5/6), applicable Cyprus AML legislation, EU sanctions regulations, and the Transfer of Funds Regulation (TFR).

2. Scope

This policy applies to all directors, employees, contractors, and business partners of the Company, and covers all business relationships, transactions, and services offered by the Company.

3. Compliance Officer (MLRO)

The Company has appointed a Money Laundering Reporting Officer (MLRO), a Director of Arizet Labs ME Limited, who is responsible for overseeing AML compliance, receiving internal suspicious activity reports, and filing Suspicious Activity Reports (SARs) with the relevant authorities where required.

4. Know Your Customer (KYC) Policy

The Company applies a mandatory, risk-based KYC process to all clients and counterparties. No business relationship may be established and no services may be provided until KYC verification has been successfully completed.

4.1 When full verification is required

Full KYC verification is required in the following circumstances:

• Prior to onboarding any new client or business partner, without exception
• When there is any suspicion of money laundering, terrorist financing, or fraud
• When there are doubts about the accuracy or validity of previously obtained identification data
• For any occasional or one-off transactions where the client has not been previously verified
• Periodically for existing clients as part of ongoing due diligence reviews
• When a material change occurs in the client's circumstances, ownership, or risk profile

4.2 How verification is performed

The Company uses Sumsub (sumsub.com) as its third-party KYC verification provider. Sumsub performs automated identity verification including:

• Document authentication: government-issued ID or passport scanned and verified for authenticity
• Liveness check: biometric facial recognition to confirm the document belongs to the person
• Sanctions and PEP screening: checked against EU, UN, OFAC, and HM Treasury lists
• Address verification: utility bill or bank statement not older than 3 months

For legal entity clients, verification additionally includes a Certificate of Incorporation, a UBO declaration, a Certificate of Directors, and government-issued ID for each UBO and director.

All received verification data (ID copies, documents, liveness results) is reviewed by the MLRO or a designated compliance team member before the client relationship is approved. Verification data is stored securely in accordance with GDPR.

4.3 KYC provider

KYC Provider: Sumsub (sumsub.com), an EU-compliant identity verification platform used for document verification, biometric checks, and sanctions/PEP screening. The Company may supplement Sumsub with manual review where required.

5. Customer Due Diligence (CDD)

The Company applies three levels of due diligence based on assessed risk:

• Standard CDD: applied to all clients, covering identity verification, understanding of business purpose, and source of funds assessment.
• Simplified CDD: may apply to demonstrably low-risk clients such as regulated financial institutions in the EU/EEA or equivalent trusted jurisdictions.
• Enhanced Due Diligence (EDD): mandatory for Politically Exposed Persons (PEPs), clients from high-risk or sanctioned jurisdictions, complex ownership structures, and transactions with no apparent economic purpose.

6. Prohibited Jurisdictions

The Company does not provide services to any individual, entity, or beneficial owner who is a citizen of, resident in, or located in any of the following prohibited jurisdictions, in accordance with EU sanctions regulations and the requirements of the local regulator:

• Iran
• North Korea (Democratic People's Republic of Korea)
• Myanmar
• Russian Federation
• Belarus
• Occupied territories of Ukraine: Crimea, and parts of the Donetsk, Luhansk, Zaporizhzhia, and Kherson regions

This list is reviewed and updated at least quarterly in line with EU, UN, OFAC, and HM Treasury sanctions lists. Any client found to be connected to a prohibited jurisdiction after onboarding will have their account immediately suspended and reported to the MLRO for review and potential SAR filing.

7. Sanctions Screening

All clients and counterparties are screened against the following sanctions and watchlists prior to onboarding and on an ongoing basis via Sumsub:

• EU Consolidated Sanctions List
• UN Security Council Sanctions List
• OFAC (US Treasury) Specially Designated Nationals (SDN) List
• HM Treasury (UK) Financial Sanctions List
• PEP (Politically Exposed Persons) databases

8. Suspicious Activity Reporting

All directors and staff must report any suspicious transactions or activity to the MLRO immediately. The MLRO will evaluate the report within 24 hours and, where required, file a SAR with the relevant Cyprus or EU financial intelligence authorities. Tipping off clients about a SAR or investigation is strictly prohibited under penalty of law.

9. Record Keeping

The Company retains all KYC documents, transaction records, correspondence, and due diligence files for a minimum of 5 years from the end of the business relationship or the date of the transaction, in compliance with the EU AML Directives.

10. Risk Assessment

The Company conducts an enterprise-wide AML/CFT risk assessment at least annually, evaluating risks related to its client base, products, services, delivery channels, and geographic exposure. Results are used to calibrate the Company's AML controls and CDD procedures.

11. Training

All directors and relevant staff receive AML/KYC training upon onboarding and at least annually thereafter. Training covers current AML regulations, red flags for money laundering and terrorist financing, reporting obligations, and this policy.

12. Policy Review

This policy is reviewed at least annually, or immediately upon significant changes to the Company's business activities, applicable regulations, or sanctions requirements. All revisions are approved by the MLRO and recorded with version history.