Digital Millennium Copyright Act Policy

1. Policy Statement

CYFR Technology, Inc. and its wholly-owned subsidiaries (collectively, "CYFR" or the "Company") respect the intellectual property rights of third parties and expect all users of the CYFR platform and related services (the "Platform") to do the same. This Digital Millennium Copyright Act Policy (this "Policy") sets forth the Company's procedures for responding to notices of alleged copyright infringement in compliance with the Digital Millennium Copyright Act of 1998, 17 U.S.C. § 512 (the "DMCA"), and applicable international copyright treaties including the WIPO Copyright Treaty and the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS).

This Policy is incorporated by reference into the CYFR Terms of Service and the CYFR Master Services Agreement. Capitalized terms not defined herein shall have the meanings ascribed to them in the Terms of Service.

2. Zero-Knowledge Architecture and Its Legal Implications

CYFR operates a zero-knowledge architecture by design. All Customer Data is encrypted using AES-256-GCM prior to transmission to CYFR infrastructure. Encryption keys are generated, held, and managed exclusively by the Customer. CYFR has no technical mechanism to access, inspect, decrypt, or monitor Customer Data in unencrypted form.

As a consequence of this architecture:

1. CYFR qualifies as a "service provider" under 17 U.S.C. § 512(a)-(c) and is entitled to the safe harbor protections afforded thereunder;
2. CYFR does not have the practical ability to independently identify infringing material hosted on its Platform, as such material exists only in encrypted form within isolated Customer storage silos;
3. CYFR therefore relies on rights holders and their authorized representatives to (i) identify allegedly infringing material and (ii) provide the specific access URL or path at which such material was encountered, consistent with the DMCA's requirement that a notice identify the material claimed to be infringing with sufficient particularity;
4. CYFR's per-session cryptographically signed URL architecture — described more fully in the Security Architecture documentation — enables the Company to map a reported access URL to a specific Customer account and content identifier without accessing, reading, or decrypting the underlying content.

3. Designated Agent

Pursuant to 17 U.S.C. § 512(c)(2), CYFR's designated agent to receive notifications of claimed copyright infringement (the "DMCA Agent") is:

The foregoing information is also on file with the United States Copyright Office in accordance with 37 C.F.R. § 201.38. CYFR's DMCA Agent registration is renewed annually.

4. Requirements for a Valid DMCA Notice

To be effective under 17 U.S.C. § 512(c)(3)(A), a notification of claimed copyright infringement must be a written communication provided to the DMCA Agent that includes substantially the following:

1. Identification of the copyrighted work claimed to have been infringed or, if multiple copyrighted works at a single online site are covered by a single notification, a representative list of such works. Generic descriptions (e.g., "movies" or "TV shows") are insufficient. Provide the title, registration number (if applicable), and a description sufficient to distinguish the work from unrelated content.
2. Identification of the material claimed to be infringing, including the specific URL or access path at which the material was encountered. This is the single most critical element of an effective notice. CYFR's architecture requires the exact access URL — which embeds a non-reversible session identifier — to identify the relevant Customer account and content reference. Notices lacking a specific URL cannot be processed.
3. Information reasonably sufficient to permit CYFR to contact the complaining party, such as a physical address, telephone number, and an electronic mail address at which the complaining party may be contacted.
4. A statement that the complaining party has a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law. This statement must reflect an actual, subjective good faith belief — conclusory recitations are insufficient. See Lenz v. Universal Music Corp., 815 F.3d 1145 (9th Cir. 2016).
5. A statement that the information in the notification is accurate, and under penalty of perjury, that the complaining party is authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.
6. A physical or electronic signature of a person authorized to act on behalf of the owner of the exclusive right.

Notices that do not substantially comply with the requirements of 17 U.S.C. § 512(c)(3)(A) will not be considered in determining whether CYFR has actual knowledge or is aware of facts or circumstances from which infringing activity is apparent. The Company may, in its sole discretion, attempt to contact the complaining party to request supplementation of a deficient notice; however, the Company is under no obligation to do so.

For convenience, notices may be submitted through our standardized reporting form, which collects the required elements in a structured format.

5. Counter-Notification Procedure

If a Customer believes that material they have stored on the Platform was removed or access to it was disabled as a result of mistake or misidentification, the Customer may submit a counter-notification to the DMCA Agent. A valid counter-notification must include:

1. Identification of the material that has been removed or to which access has been disabled, and the location at which the material appeared before it was removed or access was disabled;
2. A statement, under penalty of perjury, that the Customer has a good faith belief that the material was removed or disabled as a result of mistake or misidentification;
3. The Customer's name, address, and telephone number;
4. A statement that the Customer consents to the jurisdiction of the United States District Court for the District of Delaware, and that the Customer will accept service of process from the person who provided the original notification or an agent of such person;
5. A physical or electronic signature of the Customer.

Upon receipt of a valid counter-notification, CYFR will promptly provide the complaining party with a copy and inform them that the removed material will be restored or access re-enabled in not less than ten (10) and not more than fourteen (14) business days, unless the DMCA Agent receives notice that the complaining party has filed an action seeking a court order to restrain the Customer from engaging in infringing activity.

6. Repeat Infringer Policy

In accordance with 17 U.S.C. § 512(i)(1)(A), CYFR has adopted and reasonably implemented a policy that provides for the termination, in appropriate circumstances, of Customers and account holders who are repeat infringers.

For purposes of this Policy:

1. A Customer shall be deemed a "repeat infringer" upon receipt by CYFR of three (3) or more valid, substantially complete DMCA notices targeting content associated with such Customer's account within any rolling twelve-month period, regardless of whether the underlying content is the same or different;
2. Each valid notice is logged in CYFR's immutable compliance ledger with a unique reference identifier, timestamp, and disposition;
3. Upon the third qualifying notice, CYFR will: (i) permanently terminate the Customer's account; (ii) render all Customer Data stored on CYFR infrastructure irrecoverable through cryptographic key destruction; (iii) notify the Customer of the termination and the basis therefor; and (iv) record the termination in the compliance ledger;
4. A Customer who has been terminated as a repeat infringer is permanently ineligible to create a new account or access the Platform through any means, including through an MSP partner;
5. CYFR maintains a centralized register of terminated repeat infringers for the purpose of enforcing this provision. Attempts to circumvent termination through re-registration constitute a material breach of the Terms of Service.

Notices directed to a particular Customer that are ultimately determined to be invalid, deficient, or submitted in bad faith under 17 U.S.C. § 512(f) shall not count toward the repeat infringer threshold for such Customer.

7. Bad Faith Notices — 17 U.S.C. § 512(f)

Any person who knowingly materially misrepresents that material or activity is infringing, or that material or activity was removed or disabled by mistake or misidentification, shall be liable for any damages, including costs and attorneys' fees, incurred by the alleged infringer, by any copyright owner or copyright owner's authorized licensee, or by CYFR, as the result of CYFR relying upon such misrepresentation in removing or disabling access to the material or activity claimed to be infringing, or in replacing the removed material or ceasing to disable access to it. CYFR reserves all rights to pursue such remedies against bad-faith complainants to the fullest extent permitted by law.

8. Subpoenas and Legal Process

CYFR will respond to properly issued subpoenas, court orders, and other valid legal process in accordance with applicable law. However, due to the Company's zero-knowledge architecture:

1. CYFR cannot produce Customer Data in unencrypted form, as it does not possess or have access to Customer encryption keys;
2. CYFR can produce: (i) account metadata, including account creation date, last login timestamp, and associated email address; (ii) access logs reflecting which encrypted content references were accessed at which times; and (iii) billing and payment records;
3. Production of encrypted data without the corresponding decryption keys is technically feasible but the Company will assert, where appropriate, that such production is unduly burdensome and of minimal evidentiary value, consistent with Fed. R. Civ. P. 26(b)(2)(B);
4. All legal process must be served on the Company's registered agent for service of process: The Corporation Trust Company, 1209 Orange Street, Wilmington, DE 19801. Service on any other address or individual is not effective.

9. Limitation of Liability

CYFR's liability with respect to any DMCA notice, takedown, or related action is limited to the maximum extent permitted by applicable law and the limitations set forth in the Terms of Service and any applicable Master Services Agreement. Nothing in this Policy shall be construed to waive any immunity, safe harbor, defense, or limitation of liability available to CYFR under the DMCA, the Communications Decency Act (47 U.S.C. § 230), or any other applicable law.

10. Amendments

CYFR reserves the right to amend this Policy at any time. Amendments will be effective upon posting to this page. The "Effective" date above reflects the most recent revision. Customers are encouraged to review this Policy periodically. Material amendments may be communicated to active Customers via electronic mail not less than thirty (30) days prior to effectiveness, where required by applicable law.