AutoRevolution Acceptable Use Policy

1. Acceptance of Policy

This Acceptable Use Policy ("AUP") governs Customer's access to and use of the Services provided by Metzger Enterprises LLC d/b/a AutoRevolution, a Texas limited liability company, together with its subsidiaries, affiliates, successors, and assigns (collectively, "Provider, "Company," "AutoRevolution," "LotPix," "Vehicle Image Studio," "Forward2Phone," "IIManager," "we," "us," or "our"), and the entity, organization, dealership, business, or other legal person accessing, purchasing, subscribing to, or otherwise using the Services ("Customer"). References to "you" or "your" mean Customer and any individual authorized by Customer to access or use the Services on Customer's behalf ("Authorized Users"). This AUP is incorporated into and forms part of the applicable Master Subscription Agreement, Data Processing Addendum, Information Security Addendum, Terms of Service, Order Form, or other agreement between Provider and Customer (collectively, the "Agreement"). Violations of this AUP may result in suspension, restriction, or termination of access to the Services, in addition to any other remedies available under applicable law or contract.

Each Customer shall designate one or more authorized administrators ("Customer Administrators") who are responsible for managing access to the Services on behalf of the Customer.

This AUP applies to:

• Customer Administrators have authority to accept this Agreement on behalf of the Customer;
• Customer Administrators are responsible for provisioning, modifying, and revoking access for Authorized Users;
• Customer Administrators are responsible for configuring roles, permissions, and access controls within the Customer environment;
• Customer is solely responsible for all acts, omissions, and configurations performed by its Customer Administrators and Authorized Users;
• Contractors and temporary workers;
• Third-party service providers acting on Customer's behalf;

Customer is responsible for ensuring compliance with all applicable laws, regulations, and industry requirements relating to its use of the Services, including vehicle photography, data capture, and operational workflows.

2.4 Verison Control and Agreement Updates

This Agreement is version-controlled and maintained by the Company. The current version is v1.0.

• (a) The Company may update, modify, or replace this Agreement from time to time in its sole discretion;
• (b) Material updates may require Customer re-acceptance as a condition of continued access to the Services;
• (c) Continued use of the Services after an update becomes effective constitutes acceptance of the updated Agreement, where permitted by law;
• (d) The Company may maintain historical versions of this Agreement for audit, compliance, and vendor due diligence purposes.

3. Definitions

Capitalized terms not otherwise defined in this Acceptable Use Policy have the meanings assigned to them in the applicable agreement between Customer and Provider, including any master services agreement, subscription agreement, order form, terms of service, privacy policy, or definitions glossary made available by Provider. For purposes of this Acceptable Use Policy, the following additional definitions apply:

3.1 Applicable Laws

"Applicable Laws" means all applicable international, federal, state, provincial, territorial, local, tribal, and foreign laws, statutes, regulations, rules, ordinances, directives, governmental guidance, industry standards, judicial decisions, consent decrees, regulatory settlements, administrative orders, and legally binding requirements of any governmental authority, regulatory body, self-regulatory organization, or industry oversight entity, as amended, supplemented, superseded, or replaced from time to time.

Applicable Laws include, without limitation, laws and regulations relating to:

• telecommunications;
• electronic communications;
• SMS, MMS, RCS, voice, and messaging communications;
• email communications;
• telemarketing and solicitation activities;
• marketing and advertising;
• consumer protection;
• unfair, deceptive, or abusive acts or practices;
• privacy and data protection;
• data retention and records managment;
• cybersecurity and information security;
• accessibility and disability rights;
• artificial intelligence and automated decision-making;
• biometrics and biometric identifiers;
• identity verification;
• data retention and records management;
• financial services;
• lending and financing;
• consumer credit;
• credit reporting;
• debt collection;
• insurance products and services;
• employment and labor matters;
• discrimination and equal opportunity;
• fraud prevention;
• sanctions and export controls;
• anti-money laundering requirements;
• anti-corruption requirements;
• intellectual property rights;
• automotive sales, leasing, financing, servicing, and repair operations; and
• automotive dealer licensing and regulatory requirements.

Applicable Laws include, without limitation, where applicable:

• Telephone Consumer Protection Act ("TCPA");
• Telemarketing Sales Rule ("TSR");
• CAN-SPAM Act;
• California Consumer Privacy Act and California Privacy Rights Act ("CCPA/CPRA");
• Gramm-Leach-Bliley Act ("GLBA");
• Fair Credit Reporting Act ("FCRA");
• Truth in Lending Act ("TILA");
• Equal Credit Opportunity Act ("ECOA");
• Americans with Disabilities Act ("ADA");
• Illinois Biometric Information Privacy Act ("BIPA");
• state mini-TCPA laws;
• state consumer protection and unfair or deceptive acts and practices laws;
• state privacy and data protection laws;
• state biometric privacy laws;
• state telemarketing laws;
• state marketing and advertising laws;
• state lending and financing laws;
• state automotive dealer regulations;
• applicable Canadian anti-spam, privacy, and telecommunications laws;
• applicable international privacy and electronic communications laws; and
• any successor, amended, replacement, or substantially similar laws;
• export control laws;
• sanctions laws;
• anti-corruption laws;
• employment laws; and
• intellectual property laws.

3.2 Authorized User

"Authorized User" means an employee, contractor, agent, representative, dealer principal, manager, administrator, service provider, consultant, or other individual authorized by Customer to access or use the Services.

3.3 Confidential Information

"Confidential Information" means all non-public information disclosed by or on behalf of either party that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure, includes, without limitation, Company Data, system architecture, security documentation, pricing, business processes, technical specifications, and non-public operational information.

• Confidential Information shall be protected using no less than reasonable care;
• Access shall be limited to personnel with a legitimate business need;
• Confidential Information shall not be disclosed to third parties except as permitted under this Agreement;
• Obligations survive termination of the Agreement.

3.4 Consumer-Facing Content

"Consumer-Facing Content" means any content, communication, message, information, representation, advertisement, disclosure, statement, recommendation, offer, solicitation, response, interaction, or material that is displayed, transmitted, delivered, published, distributed, made available to, or otherwise intended for viewing, receipt, or use by a Consumer, prospective customer, vehicle purchaser, lessee, borrower, service customer, website visitor, or member of the public.

3.5 Customer

"Customer" means the legal entity that enters into an agreement with Provider for access to or use of the Services, including its affiliates, subsidiaries, parent entities, dealership locations, business units, contractors, and Authorized Users acting on its behalf.

3.6 Customer Data

"Customer Data" means all information, content, communications, documents, records, files, biometric information, messages, images, videos, audio recordings, videos, consumer information, lead information, vehicle information, transaction information, financing information, service records, and other data submitted to, uploaded to, transmitted through, stored within, processed by, generated through, or otherwise made available to the Services by or on behalf of Customer.

Customer Data includes Personal Information, Sensitive Information, Consumer Data, Vehicle Data, Communication Data, and AI Input.

3.7 Financial Information

"Financial Information" means information relating to a Consumer's financial condition, creditworthiness, banking relationships, financing arrangements, insurance products, payment history, income, employment, assets, liabilities, credit applications, or financing transactions.

3.8 Personal Information

"Personal Information" means information relating to an identified or identifiable individual, including personal data, personally identifiable information (PII), nonpublic personal information (NPI), consumer report information, protected consumer information, household information, or any substantially similar category of information regulated under Applicable Laws.

3.9 Prohibited Content

"Prohibited Content" means any content, data, communication, activity, or material that violates Applicable Laws, infringes intellectual property rights, facilitates unlawful conduct, promotes fraud, contains malware, constitutes spam, contains deceptive or misleading content, violates privacy rights, or otherwise violates this Acceptable Use Policy.

3.10 Provider

"Provider" means the entity identified in the applicable agreement that owns, operates, licenses, or provides the Services.

3.11 Security Incident

"Security Incident" means any actual, suspected, attempted, threatened, or reasonably likely unauthorized access to, acquisition of, disclosure of, alteration of, destruction of, loss of, misuse of, or inability to access Customer Data, systems, accounts, networks, or Services.

3.12 Sensitive Information

"Sensitive Information" means any information requiring heightened protection under Applicable Laws, including:

• government-issued identification numbers;
• driver's license information;
• passport information;
• tax identification numbers;
• Social Security numbers;
• financial account information;
• payment card information;
• authentication credentials;
• security questions and answers;
• geolocation information;
• precise location information;
• health information;
• insurance information;
• biometric identifiers;
• biometric information;
• consumer report information;
• criminal history information;
• information concerning minors; and
• any information designated as sensitive, special-category, regulated, or protected under Applicable Laws.

3.13 Services

"Services" means all software, software-as-a-service offerings, applications, websites, portals, APIs, communication tools, messaging services, hosting services, artificial intelligence capabilities, machine learning features, analytics tools, databases, integrations, support services, professional services, and related products, features, functionality, or technology provided by Provider.

4. Purpose; Automotive Industry Requirements

4.1 Purpose

This Acceptable Use Policy ("AUP") establishes the rules governing access to and use of the software, platforms, applications, APIs, integrations, websites, hosting environments, communications systems, analytics tools, artificial intelligence features, and related services (collectively, the "Services") provided by Provider.

The purpose of this AUP is to:

• Protect the security, availability, integrity, and reliability of the Services;
• Promote lawful and responsible use of the Services;
• Protect consumers and third parties;
• Reduce regulatory, operational, legal, reputational, and cybersecurity risks;
• Ensure compliance with applicable laws and industry requirements;
• Prevent misuse of telecommunications, messaging, marketing, financing, credit, consumer information, biometric information, and data processing capabilities made available through the Services.

Compliance with this AUP is a condition of access to and use of the Services.

4.2 Automotive Industry Compliance and Data Integrity

Because the Services are designed for use by automotive dealerships, dealer groups, original equipment manufacturers ("OEMs"), finance and insurance providers, fleet operators, service and repair businesses, vehicle remarketing businesses, and other automotive industry participants, Customer shall ensure that all vehicle, inventory, customer, consumer, financing, leasing, service, warranty, telematics, inspection, repair, parts, operational, transactional, and other data submitted to, transmitted through, generated by, or otherwise processed using the Services (collectively, "Automotive Data") is accurate in all material respects, complete as required for its intended use, current as appropriate, lawfully obtained, and processed in compliance with Applicable Laws and all applicable contractual, regulatory, and industry requirements.

Customer shall not submit, upload, process, disclose, or otherwise make available through the Services any Automotive Data that Customer is not legally authorized to collect, use, disclose, transfer, store, or process.

Customer shall ensure that all dealership, automotive retail, finance and insurance ("F&I"), vehicle sales, vehicle acquisition, trade-in, appraisal, leasing, financing, refinancing, servicing, repair, warranty administration, protection product administration, parts operations, fleet management, customer communications, lead management, marketing, advertising, consumer engagement, and related business activities conducted through or in connection with the Services comply with Applicable Laws.

Without limiting the foregoing, Customer shall not:

• Misrepresent vehicle pricing, availability, incentives, rebates, discounts, financing terms, lease terms, payment amounts, vehicle condition, mileage, ownership history, title status, accident history, warranty coverage, service history, inspection results, vehicle specifications, or any other material vehicle information;
• Create, submit, maintain, transmit, or rely upon false, misleading, inaccurate, incomplete, fraudulent, or deceptive vehicle records, customer records, deal jackets, financing applications, credit-related information, lease documentation, service records, repair orders, inspection reports, warranty claims, insurance-related records, title documents, registration documents, odometer disclosures, or transactional records;
• Facilitate, conceal, or participate in odometer fraud, title fraud, financing fraud, warranty fraud, insurance fraud, consumer fraud, identity theft, deceptive advertising, unfair or deceptive trade practices, or any other unlawful automotive-related activity;
• Submit inaccurate or misleading information to consumers, lenders, lessors, insurers, warranty administrators, OEMs, governmental authorities, vehicle history providers, payment processors, or other third parties;
• Circumvent, disable, avoid, or otherwise interfere with disclosures, notices, consent requirements, recordkeeping requirements, retention requirements, audit requirements, or compliance controls required by Applicable Laws;
• Use the Services in a manner that results in unlawful discrimination, unfair treatment, or prohibited decision-making affecting consumers, employees, applicants, borrowers, lessees, or other individuals; or
• Use the Services to process telematics data, location data, connected vehicle data, biometric data, driver behavior data, or other sensitive information without all permissions, notices, consents, authorizations, and legal bases required under Applicable Laws.

Customer remains solely responsible for the accuracy, quality, legality, integrity, and appropriateness of all Automotive Data and for ensuring that Customer's use of the Services complies with all Applicable Laws, OEM requirements, lender requirements, insurer requirements, warranty program requirements, industry standards, and contractual obligations applicable to Customer's business.

5. Scope

This AUP applies to:

• All Customers and Customer personnel;
• Authorized users;
• Administrators;
• Dealership employees;
• Contractors and temporary workers;
• Third-party service providers acting on Customer's behalf;
• Any individual or entity accessing the Services through Customer accounts.

This AUP applies to all use of the Services, including:

• Software applications;
• Cloud-hosted platforms;
• APIs;
• Integrations;
• Data processing services;
• Messaging services;
• Artificial intelligence and machine learning features;
• Customer relationship management functionality;
• Inventory management functionality;
• Dealer management functionality;
• Marketing and advertising functionality;
• Analytics and reporting functionality;
• Mobile applications;
• Websites and portals;
• Any related services, systems, or infrastructure.

The Services are provided exclusively for business-to-business ("B2B") commercial use. Consumer, personal, household, recreational, educational, research, competitive analysis, benchmarking, or other non-commercial use of the Services is prohibited unless expressly authorized by Company in writing.

The Services are intended solely for use by legally organized and authorized business entities operating within the automotive industry, including without limitation licensed automotive dealerships, dealer groups, reseller organizations, automotive marketplaces, auction companies, fleet operators, inventory management providers, OEM-affiliated entities, and other automotive businesses approved by Company (each, a "Customer").

Access to the Services is limited to Customer's employees, contractors, temporary workers, agents, and representatives who have been expressly authorized by Customer and provided valid credentials ("Authorized Users").

Customer shall:

• (a) maintain an accurate inventory of Authorized Users;
• (b) promptly disable access for any Authorized User whose employment, engagement, or authorization terminates;
• (c) ensure that Authorized Users comply with this Agreement and all Company policies;
• (d) maintain appropriate internal access controls and user provisioning procedures; and
• (e) immediately notify Company of any known or suspected unauthorized access, credential compromise, or account misuse.

Company reserves the right, in its sole discretion, to determine eligibility for use of the Services and may suspend, restrict, or terminate access by any individual or entity that does not satisfy Company's eligibility requirements.

Customer remains fully responsible for all actions and omissions of its Authorized Users.

Customer shall not permit any third party to access or use the Services except as expressly authorized under the applicable agreement with Company.

6.2 Bring Your Own Device (BYOD)

Company may permit Authorized Users to access the Services using either Customer-owned devices or personally owned devices under a bring-your-own-device ("BYOD") model.

Customer is solely responsible for all device-level security controls applicable to devices used to access the Services, including:

• (a) device passcodes or authentication controls;
• (b) operating system updates and security patches;
• (c) device encryption where available;
• (d) malware protection where appropriate;
• (e) mobile device management controls implemented by Customer; and
• (f) procedures for lost, stolen, compromised, replaced, or decommissioned devices.

Customer acknowledges that Company does not own, manage, monitor, control, secure, or administer Customer-owned or personally owned devices and shall not be responsible for losses resulting from Customer's device management practices or failures.

7. Customer Responsibility For Compliance

Customer is solely responsible for its use of the Services and for ensuring that its use of the Services, Customer Data, business practices, communications, and operations comply with all Applicable Laws.

Without limiting the foregoing, Customer is solely responsible for:

1. Its use of the Services and all activities conducted through Customer's account;
2. The legality, ownership, accuracy, completeness, quality, integrity, reliability, and lawfulness of Customer Data;
3. Obtaining, maintaining, documenting, and honoring all required consents, authorizations, notices, permissions, opt-ins, acknowledgements, and legal bases necessary for the collection, processing, storage, disclosure, transfer, marketing use, and other use of Customer Data;
4. Compliance with all Applicable Laws, regulations, governmental requirements, industry standards, self-regulatory requirements, and contractual obligations applicable to Customer's business;
5. The acts, omissions, and compliance of its Authorized Users, employees, contractors, agents, affiliates, service providers, and representatives;
6. All communications initiated, transmitted, scheduled, generated, or delivered through the Services, including email, SMS, MMS, telephone, voicemail, chat, social media, direct mail, and other marketing or customer communications;
7. Compliance with laws governing marketing, advertising, telemarketing, electronic communications, text messaging, robocalls, consumer outreach, promotions, contests, and lead generation activities;
8. The content, timing, recipients, frequency, and legality of marketing campaigns, sales campaigns, service reminders, promotional offers, and customer communications conducted through the Services;
9. Providing all required consumer notices, disclosures, acknowledgements, authorizations, terms, policies, and consent mechanisms required by Applicable Laws;
10. Compliance with privacy, consumer protection, data protection, cybersecurity, recordkeeping, retention, disclosure, and consumer rights requirements;
11. The collection, use, disclosure, transfer, storage, retention, and deletion of personal information, customer information, consumer reports, financial information, vehicle information, and other regulated information;
12. Compliance with laws governing consumer credit, financing, leasing, lending, insurance products, aftermarket products, payment processing, debt collection, and related financial activities;
13. All financing, credit, leasing, underwriting, pricing, eligibility, qualification, approval, denial, and lending decisions made by Customer;
14. Compliance with fair lending, anti-discrimination, consumer financial protection, equal credit opportunity, and similar legal requirements;
15. The accuracy and legality of vehicle listings, pricing information, incentive offers, rebates, payment calculations, trade-in valuations, financing representations, warranty information, and dealership disclosures;
16. Compliance with automotive industry laws, dealer licensing requirements, advertising regulations, title requirements, registration requirements, and consumer sales regulations applicable to Customer's operations;
17. Accessibility compliance for Customer-controlled websites, content, digital assets, communications, forms, and customer-facing experiences;
18. The collection, processing, storage, disclosure, retention, and use of biometric information, biometric identifiers, facial recognition data, voice prints, fingerprints, or similar sensitive information;
19. The implementation of appropriate internal policies, procedures, controls, training, supervision, monitoring, and compliance programs necessary to satisfy Customer's legal obligations;
20. Reviewing and validating the accuracy, appropriateness, completeness, and legal compliance of reports, recommendations, predictions, classifications, content, communications, analyses, calculations, or other outputs generated by the Services;
21. All consumer-facing, employment-related, credit-related, insurance-related, pricing-related, financing-related, marketing-related, or operational decisions made by Customer using information, recommendations, analyses, or outputs generated by the Services;
22. Determining whether any output generated by the Services may be relied upon, used in business operations, disclosed to consumers, or incorporated into decision-making processes;
23. Maintaining all licenses, permits, registrations, certifications, approvals, and authorizations required for Customer's business operations; and
24. Any legal, regulatory, compliance, tax, accounting, lending, employment, or business decisions made by Customer.

Provider does not provide legal, regulatory, compliance, tax, accounting, auditing, lending, financial, insurance, employment, investment, or other professional advice. Customer is solely responsible for obtaining advice from qualified professional advisors regarding Customer's legal and regulatory obligations.

Provider is not responsible for Customer's compliance obligations under Applicable Laws, nor does Provider assume any duty to monitor Customer's compliance with Applicable Laws. The availability of compliance-related features, workflows, templates, disclosures, consent tools, reports, or automation within the Services does not constitute legal advice, a guarantee of compliance, or an assumption of Customer's compliance responsibilities.

8. Prohibited Uses

Customer shall not, and shall not permit any Authorized User or third party to, use the Services in any manner that is unlawful, fraudulent, deceptive, misleading, abusive, harmful, unethical, discriminatory, infringing, unauthorized, or otherwise prohibited by this Acceptable Use Policy.

Customer may not use the Services to engage in, facilitate, promote, support, encourage, enable, assist, attempt, or conceal any activity that violates Applicable Laws, infringes the rights of others, compromises the security or integrity of the Services, or interferes with the legitimate use of the Services by any person or entity.

Without limiting the foregoing, Customer shall not use the Services to:

8.1 Illegal Activity

Customer and its Authorized Users may not use, access, permit access to, or otherwise utilize the Services for any unlawful, fraudulent, deceptive, misleading, abusive, unethical, discriminatory, harmful, or unauthorized purpose, otherwise prohibited by this Acceptable Use Policy, or in any manner that violates applicable laws, regulations, industry requirements, contractual obligations, or third-party rights.

Customer may not use the Services to engage in, facilitate, promote, support, encourage, enable, assist, attempt, or conceal any activity that violates Applicable Laws, infringes the rights of others, compromises the security or integrity of the Services, or interferes with the legitimate use of the Services by any person or entity.

Without limiting the foregoing, Customer and its Authorized Users shall not use the Services to:

• Violate, facilitate the violation of, or encourage the violation of any applicable federal, state, provincial, local, or foreign law, regulation, ordinance, rule, court order, administrative order, governmental requirement, contractual obligations, or legally binding industry standard;
• Engage in any activity that is illegal, fraudulent, false advertising, deceptive trade practices, unfair business practices, misrepresentation, abusive, harmful, unethical, unauthorized, dishonest or misleading conduct;
• Create, submit, process, transmit, store, or facilitate false, misleading, manipulated, or fabricated records, transactions, contracts, applications, customer information, vehicle information, financing information, service records, warranty claims, insurance claims, rebates, incentives, or other business documentation;
• Infringe, misappropriate, dilute, violate, or otherwise interfere with the intellectual property rights, privacy rights, publicity rights, contractual rights, proprietary rights, or other legal rights of any person or entity;
• Commit, facilitate, promote, or assist any criminal offense or unlawful activity, including theft, identity theft, organized retail crime, embezzlement, extortion, forgery, wire fraud, mail fraud, bank fraud, financial fraud, consumer fraud, cybercrime, or conspiracy to commit any such acts;
• Launder money, conceal the proceeds of crime, structure transactions, evade reporting obligations, facilitate terrorist financing, or violate anti-money laundering ("AML"), counter-terrorist financing ("CTF"), or similar financial crime prevention laws;
• Evade taxes, facilitate tax evasion, create false tax records, conceal taxable activities, or otherwise violate applicable tax laws or reporting requirements;
• Circumvent, evade, undermine, or interfere with regulatory compliance, licensing requirements, disclosure obligations, audit requirements, recordkeeping requirements, consumer protection requirements, or governmental oversight mechanisms;
• Violate, evade, facilitate the violation of, or attempt to circumvent applicable economic sanctions, trade restrictions, export controls, embargoes, restricted-party prohibitions, or import/export laws;
• Conduct business with, provide services to, transmit data to, or otherwise support individuals, entities, organizations, jurisdictions, or parties that are prohibited under applicable sanctions, export control, or trade restriction laws;
• Engage in bribery, corruption, kickbacks, improper influence, commercial bribery, unlawful gifts, facilitation payments, or violations of applicable anti-corruption laws;
• Engage in identity theft, account takeover, impersonation, credential theft, social engineering, document forgery, synthetic identity schemes, or unauthorized use of another person's identity or information;
• Facilitate unlawful lending, predatory lending, discriminatory lending, unlawful credit practices, or other activities that violate consumer financial protection laws;
• Facilitate odometer fraud, title washing, VIN manipulation, vehicle history falsification, warranty fraud, insurance fraud, financing fraud, rebate fraud, incentive fraud, emissions fraud, or any other automotive industry-related fraudulent activity;
• Circumvent, disable, interfere with, compromise, or undermine any security, authentication, authorization, monitoring, auditing, usage limitation, access control, or protective feature of the Services;
• Interfere with, disrupt, damage, impair, overload, degrade, or adversely affect the operation, availability, integrity, reliability, performance, or security of the Services or any connected systems, networks, users, or third parties;
• Attempt to conceal, disguise, misrepresent, or falsify the nature, source, ownership, destination, purpose, or legality of any activity, transaction, communication, data, or business operation conducted through the Services;
• Attempt, assist, direct, encourage, or conspire with others to engage in any activity prohibited by this Acceptable Use Policy.
• Assist, encourage, enable, direct, conspire with, or knowingly benefit from any third party engaging in conduct prohibited by this Acceptable Use Policy.
• Use the Services to generate, distribute, or support fraudulent leads, fake customer accounts, fake reviews, fraudulent transactions, deceptive marketing campaigns, or artificially inflated business metrics;
• Use the Services to harass, threaten, exploit, discriminate against, or unlawfully target individuals or groups based on protected characteristics or other legally protected status;
• Use the Services to distribute, store, transmit, generate, publish, process, or facilitate unlawful, infringing, harmful, fraudulent, deceptive, malicious, or otherwise prohibited content, data, communications, or materials;
• Use the Services in a manner that creates legal, regulatory, operational, security, reputational, financial, or compliance risks for Provider, its customers, partners, service providers, or third parties;
• Use the Services in a manner inconsistent with the Documentation, Agreement, intended purpose of the Services, or Provider's reasonable instructions; or
• Use the Services to facilitate, support, or benefit any third party engaged in conduct prohibited by this Acceptable Use Policy;

Customer is solely responsible for ensuring that its use of the Services, and the use of the Services by its Authorized Users, contractors, agents, affiliates, and service providers, complies with all applicable laws, regulations, and industry requirements. The Company reserves the right to investigate suspected violations and to suspend or terminate access to the Services where it reasonably believes that the Services are being used in connection with prohibited or unlawful activity.

The categories of prohibited conduct described in this Section are not exhaustive. Provider reserves the right to determine, acting reasonably, whether Customer's use of the Services presents security, legal, regulatory, operational, reputational, or business risks inconsistent with the intended use of the Services or the terms of the Agreement.

The specific prohibited activities described in the following Sections are intended to supplement, and not limit, the general prohibitions set forth in this Section.

8.2 Deceptive Practices

Customers may not use the Services to engage in, facilitate, promote, automate, support, or enable deceptive, misleading, unfair, fraudulent, unethical, or unlawful conduct. Customers remain solely responsible for the accuracy, legality, completeness, and substantiation of all content, communications, advertisements, disclosures, records, transactions, and business activities conducted using the Services.

The Services may not be used to create, distribute, modify, automate, suppress, conceal, manipulate, or otherwise facilitate any representation, omission, practice, scheme, or course of conduct that could reasonably mislead consumers, regulators, manufacturers, lenders, insurers, vendors, business partners, or other third parties.

Without limiting the foregoing, prohibited conduct includes:

• Misrepresenting products, services, vehicles, parts, accessories, financing products, insurance products, warranties, service contracts, subscriptions, memberships, or protection products;
• Making false, misleading, unsubstantiated, deceptive, or unsupported claims regarding any product or service;
• Falsifying, altering, fabricating, backdating, destroying, concealing, or manipulating records, documents, communications, or business information;
• Creating, generating, or modifying records in a manner intended to deceive consumers, regulators, lenders, manufacturers, insurers, auditors, law enforcement, or other third parties;
• Manipulating, suppressing, obscuring, removing, altering, or concealing required disclosures, notices, warnings, terms, conditions, limitations, qualifications, or other material information;
• Concealing material facts that a reasonable consumer or business partner would consider important to a purchasing, financing, leasing, service, warranty, or insurance decision;
• Generating false, fictitious, fabricated, or misleading documentation, correspondence, certifications, approvals, authorizations, inspections, invoices, repair orders, contracts, disclosures, acknowledgments, signatures, or transaction records;
• Creating false documentation for regulators, manufacturers, lenders, insurers, vendors, auction providers, title agencies, consumers, or other third parties;
• Misrepresenting vehicle history, ownership history, title history, lien status, registration status, accident history, damage history, repair history, maintenance history, odometer readings, mileage, usage history, fleet history, rental history, theft history, recall status, inspection status, emissions status, certification status, or reconditioning status;
• Misrepresenting vehicle condition, functionality, performance, safety, features, specifications, options, equipment, trim levels, availability, location, age, model year, or eligibility for incentives, programs, certifications, warranties, or promotions;
• Advertising, listing, marketing, displaying, or offering vehicles that are unavailable, materially different from the advertised vehicle, or not reasonably obtainable under the advertised terms;
• Misrepresenting inventory levels, inventory status, reservation status, delivery timing, production status, allocation status, or expected availability;
• Misrepresenting pricing, discounts, rebates, incentives, trade-in values, vehicle valuations, market adjustments, fees, taxes, charges, financing costs, lease costs, ownership costs, or total transaction costs;
• Advertising pricing, payments, offers, promotions, discounts, incentives, rebates, lease terms, financing terms, or savings claims that are false, misleading, unavailable, expired, inadequately disclosed, or otherwise deceptive;
• Advertising prices or payment amounts that omit required fees, disclosures, qualifications, limitations, or material terms where prohibited by applicable law;
• Misrepresenting financing, leasing, refinancing, credit, insurance, warranty, service contract, GAP, maintenance, subscription, or vehicle protection product terms;
• Misrepresenting approval likelihood, credit qualifications, interest rates, payment amounts, residual values, money factors, eligibility requirements, lender participation, or financing outcomes;
• Misrepresenting manufacturer relationships, franchise relationships, certifications, authorizations, endorsements, affiliations, sponsorships, partnerships, awards, rankings, accreditations, or business credentials;
• Misrepresenting dealership ownership, control, location, operating status, licensing status, business identity, or corporate affiliations;
• Impersonating another business, dealership, manufacturer, lender, insurer, vendor, regulator, individual, or organization;
• Creating fake business identities, fictitious dealerships, fabricated service providers, fraudulent lead sources, or misleading online profiles;
• Generating, purchasing, soliciting, incentivizing, coordinating, or publishing false, fabricated, misleading, undisclosed, or deceptive reviews, ratings, testimonials, endorsements, recommendations, or customer feedback;
• Generating communications that falsely appear to originate from consumers, manufacturers, lenders, insurers, regulators, or other third parties;
• Using synthetic content, automated communications, artificial intelligence systems, voice synthesis, image generation, video generation, or other technologies to impersonate real persons or create deceptive impressions regarding identity, authenticity, approval, endorsement, consent, or participation;
• Creating deceptive advertisements, marketing campaigns, websites, landing pages, lead-generation materials, social media content, emails, text messages, chat interactions, or customer communications;
• Engaging in bait-and-switch advertising, deceptive lead generation, deceptive sales practices, deceptive retention practices, or deceptive customer service practices;
• Manipulating search results, marketplace listings, ratings systems, consumer reviews, comparison tools, vehicle listings, or online reputation systems through deceptive means;
• Submitting false information to credit bureaus, lenders, insurers, manufacturers, regulators, consumers, vendors, or business partners;
• Providing false information in connection with financing applications, leasing applications, insurance applications, warranty claims, service claims, incentive claims, rebate claims, regulatory filings, audits, investigations, or compliance reviews;
• Misrepresenting legal rights, legal obligations, regulatory requirements, consumer protections, warranty coverage, return rights, cancellation rights, dispute rights, privacy rights, or contractual obligations;
• Creating, modifying, or maintaining records intended to evade audits, investigations, regulatory oversight, litigation obligations, contractual requirements, or compliance obligations;
• Falsifying compliance records, training records, audit records, inspection records, consent records, disclosure records, communication logs, transaction histories, or customer acknowledgments;
• Concealing, deleting, altering, or suppressing information relevant to regulatory inquiries, audits, investigations, litigation, arbitration, consumer complaints, chargebacks, warranty claims, or insurance claims;
• Using the Services to facilitate fraud, consumer deception, financial fraud, identity fraud, insurance fraud, warranty fraud, financing fraud, leasing fraud, title fraud, odometer fraud, document fraud, or any other fraudulent activity; and
• Assisting, encouraging, directing, enabling, coordinating, or facilitating any third party in engaging in conduct prohibited by this Section.

Provider may investigate suspected violations of this Section and may suspend or terminate access to the Services where it reasonably determines that Customer has used the Services in connection with deceptive, misleading, fraudulent, unlawful, or unethical conduct, or where continued provision of the Services could expose Provider, its customers, users, partners, or the public to legal, regulatory, financial, reputational, or operational risk.

8.3 Consumer Harm

Customers may not use the Services in any manner that causes, facilitates, promotes, enables, encourages, or creates a substantial risk of physical, financial, economic, reputational, emotional, psychological, privacy-related, legal, or other harm to consumers, prospective consumers, employees, applicants, vehicle owners, vehicle operators, or other individuals.

Customers remain solely responsible for ensuring that their use of the Services complies with applicable consumer protection, privacy, financial services, automotive retail, advertising, communications, anti-discrimination, accessibility, and other applicable laws and regulations. Customers may not use the Services to interfere with, diminish, evade, restrict, or circumvent consumer rights or protections.

Without limiting the foregoing, prohibited conduct includes:

• Harming consumers or creating unreasonable risks of consumer harm;
• Violating, restricting, suppressing, circumventing, or interfering with consumer rights provided by applicable law, regulation, contract, or regulatory guidance;
• Facilitating identity theft, identity fraud, synthetic identity fraud, account takeover, credential theft, impersonation, or unauthorized use of personal information;
• Facilitating financial fraud, payment fraud, lending fraud, insurance fraud, warranty fraud, chargeback fraud, title fraud, odometer fraud, or any other fraudulent activity affecting consumers;
• Facilitating deceptive, misleading, unfair, manipulative, coercive, or abusive sales, marketing, advertising, financing, leasing, collections, or customer-service practices;
• Facilitating predatory lending, unfair financing practices, abusive lease practices, unlawful credit practices, or unlawful financial products or services;
• Facilitating unlawful debt collection activities, abusive collection practices, deceptive collection communications, harassment, intimidation, threats, or improper collection efforts;
• Targeting, exploiting, manipulating, or taking unfair advantage of vulnerable individuals or populations, including minors, elderly individuals, financially distressed consumers, individuals with disabilities, non-native language speakers, or other protected or vulnerable groups;
• Harassing, threatening, intimidating, stalking, coercing, abusing, humiliating, or otherwise mistreating consumers or other individuals;
• Engaging in discriminatory, exclusionary, biased, or unfair treatment of individuals or groups in violation of applicable law;
• Using the Services to make decisions or recommendations that unlawfully discriminate on the basis of race, color, ethnicity, national origin, citizenship, religion, creed, sex, gender, gender identity, gender expression, sexual orientation, age, disability, veteran status, genetic information, marital status, or any other legally protected characteristic;
• Using automated systems, algorithms, scoring systems, artificial intelligence tools, profiling systems, or decision-making systems in a manner that unlawfully discriminates against individuals or protected groups;
• Misusing, disclosing, selling, sharing, transferring, exposing, retaining, processing, or otherwise handling consumer information in violation of applicable law, contractual obligations, privacy notices, consumer expectations, or valid consumer choices;
• Collecting, using, or disclosing personal information without legally required notice, authorization, consent, or other lawful basis where required by applicable law;
• Circumventing privacy rights, consumer access rights, deletion rights, correction rights, opt-out rights, consent requirements, communication preferences, or similar legal protections;
• Ignoring, suppressing, overriding, or circumventing consumer opt-outs, unsubscribe requests, consent withdrawals, do-not-call requests, do-not-contact requests, or similar consumer preferences;
• Processing transactions, applications, agreements, enrollments, subscriptions, purchases, financing arrangements, leases, warranties, service contracts, or other transactions without legally required notice, authorization, acknowledgement, acceptance, or consent;
• Generating deceptive, misleading, fabricated, manipulative, or coercive communications directed toward consumers or prospective consumers;
• Generating communications that falsely claim urgency, scarcity, legal consequences, regulatory requirements, account problems, credit impacts, vehicle availability, pricing changes, or other material circumstances;
• Generating or facilitating spam, unsolicited communications, excessive communications, robocalls, automated text messages, bulk messaging campaigns, or similar communications in violation of applicable law or industry requirements;
• Facilitating unauthorized electronic communications, telemarketing, text messaging, email marketing, or contact campaigns directed at consumers without appropriate permissions or legal authority;
• Manipulating consumers into providing personal information, payment information, financial information, credentials, authentication codes, or other sensitive information through deceptive means;
• Creating, distributing, or facilitating phishing schemes, impersonation schemes, social engineering attacks, fraudulent surveys, fraudulent promotions, or fraudulent customer-service interactions;
• Misrepresenting consumer obligations, payment requirements, legal rights, cancellation rights, warranty rights, financing obligations, collection obligations, or dispute rights;
• Interfering with a consumer's ability to understand, review, retain, print, access, or exercise rights related to disclosures, contracts, financing terms, lease terms, warranties, privacy notices, or other legally significant information;
• Using dark patterns, deceptive user interfaces, misleading workflows, manipulative consent mechanisms, hidden fees, hidden terms, forced continuity practices, or similar practices intended to impair consumer decision-making;
• Creating or facilitating unauthorized charges, unauthorized subscriptions, unauthorized renewals, unauthorized transactions, or unauthorized account activity;
• Facilitating unfair denial of benefits, services, warranties, rebates, incentives, claims, refunds, cancellations, or other consumer entitlements;
• Interfering with consumer complaints, dispute processes, regulatory inquiries, chargebacks, warranty claims, insurance claims, arbitration rights, or legal remedies;
• Knowingly exposing consumers to foreseeable risks of physical injury, vehicle safety risks, data compromise, identity theft, financial loss, reputational damage, emotional distress, or other material harm;
• Using the Services to facilitate unlawful surveillance, tracking, monitoring, profiling, or collection of consumer information;
• Publishing, exposing, transmitting, or disclosing personal information, financial information, vehicle ownership information, account information, authentication credentials, or other sensitive information without authorization;
• Facilitating retaliation against consumers for exercising legal rights, submitting complaints, participating in investigations, leaving reviews, disputing transactions, requesting refunds, or asserting contractual or statutory protections; and
• Assisting, directing, encouraging, enabling, coordinating, or facilitating any third party in engaging in conduct prohibited by this Section.

Provider may investigate suspected violations of this Section and may suspend or terminate access to the Services where it reasonably determines that Customer has used the Services in a manner that harms consumers, creates unreasonable risks of consumer harm, interferes with consumer rights, violates applicable law, or exposes Provider, its customers, users, partners, or the public to legal, regulatory, financial, operational, security, or reputational risk.

8.4 Harmful Content

Customer shall not upload, submit, transmit, publish, display, generate, distribute, store, process, share, facilitate, or otherwise make available through the Services any content, data, materials, communications, media, software, code, documentation, or other information that is unlawful, harmful, fraudulent, abusive, deceptive, infringing, malicious, or otherwise prohibited under this Agreement.

Customer is solely responsible for all content submitted to, processed by, generated through, stored within, or distributed using the Services, including content created through automated systems, artificial intelligence systems, integrations, third-party applications, employees, contractors, agents, or end users acting on Customer's behalf.

Without limiting the foregoing, prohibited content includes:

• Content that is unlawful, illegal, or prohibited by applicable law, regulation, court order, or governmental directive;
• Content that facilitates, promotes, encourages, instructs, or enables unlawful conduct;
• Defamatory, libelous, false, misleading, or knowingly inaccurate content regarding any person, business, organization, government entity, or other third party;
• Fraudulent, deceptive, misleading, fabricated, manipulated, or falsified content;
• Content intended to impersonate another individual, business, dealership, manufacturer, lender, insurer, regulator, government authority, or other entity without authorization;
• Content that misrepresents identity, source, sponsorship, affiliation, endorsement, approval, authenticity, qualifications, credentials, authority, or business relationships;
• Threatening, intimidating, coercive, abusive, harassing, bullying, stalking, or extortionate content;
• Content that promotes, advocates, glorifies, incites, facilitates, or encourages violence, criminal activity, property damage, terrorism, or other unlawful conduct;
• Content that unlawfully discriminates against, targets, excludes, harasses, or attacks individuals or groups based on legally protected characteristics;
• Unlawful hate speech, unlawful discriminatory content, or content intended to promote hatred, hostility, or unlawful discrimination against protected groups;
• Child sexual abuse material, child exploitation material, or any content depicting, promoting, facilitating, or sexualizing the abuse or exploitation of minors;
• Content that exploits, harms, endangers, or facilitates the abuse of children or other vulnerable individuals;
• Unlawful obscene content or other unlawful sexually explicit content prohibited by applicable law;
• Content that promotes, facilitates, advertises, or enables human trafficking, sexual exploitation, forced labor, or other forms of exploitation;
• Content that violates privacy rights, confidentiality obligations, data protection obligations, or other legal rights of individuals or organizations;
• Content that unlawfully discloses personal information, financial information, authentication credentials, government-issued identifiers, account information, health information, vehicle ownership information, or other sensitive information;
• Content that violates rights of publicity, personality rights, image rights, likeness rights, moral rights, or similar rights;
• Content that infringes, misappropriates, dilutes, or otherwise violates intellectual property rights, including copyrights, trademarks, patents, trade secrets, database rights, proprietary rights, or other protected rights;
• Content that contains forged signatures, falsified records, fabricated documents, altered evidence, counterfeit records, or fraudulent business documentation;
• Content designed to deceive consumers, regulators, lenders, insurers, manufacturers, vendors, auditors, law enforcement, courts, or other third parties;
• Spam, unsolicited bulk communications, unauthorized marketing materials, deceptive advertising content, or other abusive communications;
• Phishing content, social engineering content, credential-harvesting content, impersonation schemes, fraudulent solicitations, or scam-related materials;
• Content that promotes, facilitates, or enables identity theft, financial fraud, payment fraud, insurance fraud, financing fraud, warranty fraud, or other fraudulent activity;
• Content that encourages self-harm, suicide, eating disorders, dangerous activities, or conduct that presents a substantial risk of physical injury;
• Content that knowingly contains false emergency information, false safety information, false recall information, false vehicle information, or other content likely to create material harm or confusion;
• Content intended to manipulate, interfere with, or improperly influence legal proceedings, regulatory proceedings, audits, investigations, compliance reviews, or law enforcement activities;
• Content containing malware, malicious code, viruses, worms, trojan horses, ransomware, spyware, keyloggers, logic bombs, rootkits, malicious scripts, malicious executables, or other harmful software;
• Content designed to disrupt, damage, interfere with, degrade, disable, monitor, exfiltrate data from, gain unauthorized access to, or compromise any system, network, device, account, application, or service;
• Content containing code, scripts, files, payloads, or instructions intended to evade security controls, bypass access restrictions, conceal malicious activity, or facilitate unauthorized access;
• Content that interferes with the operation, security, integrity, availability, confidentiality, or performance of the Services or any third-party systems;
• Content generated through automated systems, artificial intelligence systems, synthetic media tools, or similar technologies that is used to deceive, defraud, impersonate, manipulate, or mislead others;
• Deepfakes, synthetic media, manipulated recordings, altered images, fabricated documents, or AI-generated content falsely represented as authentic, verified, factual, or originating from a real person or entity;
• Content that creates a substantial risk of physical, financial, reputational, emotional, legal, privacy-related, cybersecurity, or economic harm to any person or organization;
• Content that violates the rights, safety, security, dignity, or lawful interests of others; and
• Any content that Provider reasonably determines poses a material risk to the Services, Provider, other customers, consumers, business partners, regulatory compliance obligations, or the public.

Customer may not use the Services to store, distribute, generate, transmit, or facilitate the distribution of prohibited content, whether directly or indirectly, manually or through automated means, including through artificial intelligence systems, integrations, APIs, automated workflows, third-party applications, or other technologies.

Provider may remove, restrict access to, disable, quarantine, investigate, report, or otherwise take action regarding content that Provider reasonably believes violates this Agreement, applicable law, the rights of any person or entity, or the security, integrity, availability, or reputation of the Services. Provider may suspend or terminate access to the Services for violations of this Section.

8.5 Circumvention of Security, Access Controls, and Platform Restrictions

Customer shall not, and shall not permit any Authorized User, contractor, agent, affiliate, service provider, integration partner, or third party acting on Customer's behalf to circumvent, bypass, disable, interfere with, penetrate, evade, undermine, defeat, test without authorization, or otherwise attempt to overcome any security, technical, operational, contractual, or administrative controls implemented by Provider or its service providers.

Customer may use the Services only through authorized interfaces, documented functionality, approved integrations, and authorized access methods expressly provided by Provider.

Without limiting the foregoing, Customer shall not:

• Circumvent, disable, interfere with, penetrate, defeat, or bypass any security measure, security control, security feature, safeguard, protection mechanism, or security-related configuration of the Services;
• Circumvent, disable, interfere with, or defeat authentication controls, identity verification mechanisms, multi-factor authentication requirements, credential protections, session controls, account protections, or access-management systems;
• Attempt to gain unauthorized access to any account, user profile, customer environment, tenant, database, application, network, infrastructure component, system, service, API, model, feature, dataset, log, record, or resource;
• Access, use, retrieve, modify, copy, monitor, observe, intercept, or collect information, data, content, metadata, credentials, communications, or resources that Customer is not expressly authorized to access;
• Circumvent, bypass, evade, manipulate, or defeat authorization controls, permission structures, role-based access controls, tenant-isolation controls, segmentation controls, or other access restrictions;
• Circumvent, evade, manipulate, exceed, or defeat usage limits, subscription limitations, licensing restrictions, seat limitations, feature restrictions, storage limitations, transaction limits, consumption limits, or other technical or contractual restrictions;
• Circumvent, evade, disable, manipulate, or defeat rate limits, throughput restrictions, concurrency restrictions, API restrictions, traffic controls, workload controls, or resource-allocation mechanisms;
• Use any method designed to conceal, distribute, rotate, spoof, disguise, mask, or misrepresent usage in order to avoid platform limitations, billing mechanisms, access restrictions, monitoring systems, or enforcement mechanisms;
• Bypass, remove, alter, disable, obscure, or interfere with audit controls, logging systems, monitoring systems, tracking mechanisms, telemetry systems, compliance controls, fraud-detection systems, abuse-prevention systems, or security monitoring mechanisms;
• Attempt to conceal activities, obscure attribution, falsify logs, manipulate audit trails, interfere with forensic investigations, or otherwise prevent Provider from monitoring or investigating use of the Services;
• Probe, scan, test, benchmark, crawl, scrape, enumerate, map, fingerprint, monitor, analyze, or assess the Services, infrastructure, APIs, applications, networks, security controls, or related systems for vulnerabilities, weaknesses, architecture details, performance characteristics, or security configurations without Provider's prior written authorization;
• Conduct penetration testing, vulnerability testing, security assessments, red-team exercises, exploit testing, load testing, stress testing, denial-of-service testing, or similar activities against the Services without Provider's prior written authorization;
• Exploit, attempt to exploit, disclose, trade, weaponize, or publicly disclose any vulnerability, security weakness, misconfiguration, software defect, or unintended functionality of the Services;
• Use automated tools, scripts, bots, crawlers, scrapers, scanners, agents, frameworks, or similar technologies to circumvent platform restrictions or gain unauthorized access to information or functionality;
• Reverse engineer, decompile, disassemble, decode, reconstruct, derive source code from, or otherwise attempt to discover non-public components, security mechanisms, underlying models, algorithms, architecture, or proprietary functionality of the Services, except to the extent such restriction is prohibited by applicable law;
• Attempt to access non-public features, administrative functionality, internal systems, development environments, testing environments, staging environments, support tools, security tools, or diagnostic interfaces;
• Interfere with, disrupt, degrade, disable, impair, overload, or adversely affect the operation, integrity, security, performance, availability, or reliability of the Services or any related systems;
• Use the Services in a manner intended to evade enforcement of contractual restrictions, acceptable use requirements, subscription terms, licensing requirements, compliance obligations, or security requirements;
• Create, use, or distribute tools, software, code, instructions, services, or methodologies designed to bypass, defeat, disable, or interfere with protections implemented by Provider;
• Attempt to bypass restrictions governing artificial intelligence features, automated decision-making systems, content controls, model safeguards, output restrictions, usage quotas, or other platform governance mechanisms;
• Use compromised credentials, shared credentials, unauthorized credentials, stolen credentials, fraudulent identities, synthetic identities, or unauthorized authentication tokens to access the Services;
• Forge, alter, manipulate, spoof, or falsify headers, identifiers, authentication information, telemetry, API requests, account information, device information, usage information, source information, or attribution information;
• Use proxies, anonymization services, relay services, intermediary systems, automated account creation techniques, credential-sharing arrangements, or similar mechanisms to evade restrictions or conceal prohibited activity;
• Access or use the Services in a manner intended to avoid fees, licensing requirements, subscription requirements, metering systems, billing systems, or usage-based pricing mechanisms;
• Attempt to obtain services, functionality, resources, support, storage, processing capacity, AI capabilities, or platform benefits beyond those expressly authorized under Customer's subscription or agreement;
• Assist, encourage, direct, facilitate, coordinate, permit, or enable any third party to engage in conduct prohibited by this Section; or
• Engage in any activity that Provider reasonably determines is intended to circumvent the security, integrity, governance, monitoring, licensing, operational, or commercial controls of the Services.

Nothing in this Section prohibits legitimate use of the Services in accordance with Provider's documentation, authorized security reviews expressly approved in writing by Provider, or activities otherwise expressly permitted under a written agreement with Provider.

Provider may investigate suspected violations of this Section and may suspend, restrict, or terminate access to the Services where it reasonably determines that Customer has engaged in activities intended to circumvent, defeat, interfere with, or compromise the security, integrity, availability, monitoring, governance, or operational controls of the Services.

8.6 Unauthorized Access

Customer shall not, and shall not permit any Authorized User, employee, contractor, agent, affiliate, integration partner, service provider, or other third party acting on Customer's behalf to access, attempt to access, obtain, use, retrieve, modify, disclose, monitor, intercept, or otherwise interact with any system, account, environment, resource, or data beyond the scope of Customer's authorized access rights.

Customer may access and use only those portions of the Services, accounts, data, functionality, APIs, systems, and resources that Provider expressly authorizes Customer to access under the applicable Order, subscription, documentation, permissions, and account configuration.

Without limiting the foregoing, Customer shall not:

• Access or attempt to access any system, network, database, application, service, API, infrastructure component, environment, account, resource, or data without authorization;
• Access or attempt to access systems, resources, or information belonging to Provider, another customer, another user, or any third party without express authorization;
• Access data, content, records, communications, metadata, analytics, reports, logs, configurations, credentials, files, or other information that Customer is not expressly authorized to access;
• Access, retrieve, export, copy, download, transmit, disclose, or use information belonging to another customer, dealership, dealer group, manufacturer, lender, insurer, vendor, consumer, or other third party without authorization;
• Attempt to gain elevated permissions, expanded access rights, administrative privileges, system-level permissions, privileged credentials, or other unauthorized access rights;
• Engage in privilege escalation or attempt to obtain access beyond Customer's assigned permissions, user role, subscription level, license scope, or authorized functionality;
• Access or attempt to access administrative interfaces, management consoles, support systems, internal tools, development environments, staging environments, testing environments, security tools, monitoring systems, logging systems, or other non-public systems;
• Bypass, evade, defeat, circumvent, interfere with, or attempt to overcome authentication mechanisms, authorization controls, identity verification processes, account restrictions, or access controls;
• Use stolen, compromised, fraudulent, unauthorized, shared, borrowed, purchased, leased, transferred, or otherwise improperly obtained credentials, authentication tokens, certificates, session identifiers, API keys, access keys, passwords, or other authentication mechanisms;
• Access or attempt to access accounts using credentials assigned to another individual or entity without authorization;
• Share credentials in violation of Provider's documentation, security requirements, licensing restrictions, or account-management requirements;
• Permit multiple individuals to use credentials assigned to a single authorized user where such use is not expressly authorized by Provider;
• Create, use, acquire, or maintain accounts using false identities, fraudulent information, synthetic identities, impersonated identities, or misleading registration information;
• Use compromised accounts, compromised credentials, compromised authentication tokens, or compromised systems to access the Services;
• Attempt to intercept, capture, harvest, collect, obtain, monitor, decode, decrypt, or misuse authentication credentials, authentication data, session information, security tokens, or access credentials belonging to another party;
• Use social engineering, impersonation, deception, fraudulent communications, credential harvesting, phishing, or similar techniques to obtain access credentials or access rights;
• Attempt to discover, enumerate, map, identify, or access accounts, resources, endpoints, tenants, databases, records, or systems that are not intended for Customer's use;
• Access or attempt to access data across customer, dealership, dealer group, franchise, business-unit, organizational, tenant, or account boundaries without authorization;
• Attempt to defeat, bypass, manipulate, or exploit tenant-isolation controls, segmentation controls, permission models, access-control mechanisms, or data-separation safeguards;
• Use vulnerabilities, software defects, configuration errors, unintended functionality, exposed interfaces, security weaknesses, or other technical conditions to gain unauthorized access;
• Attempt to access information through scraping, automated extraction, interception, querying, enumeration, or other techniques designed to obtain unauthorized information;
• Probe, scan, test, assess, benchmark, audit, or evaluate systems, networks, applications, APIs, infrastructure, or security controls for vulnerabilities, weaknesses, or access opportunities without Provider's prior written authorization;
• Access, monitor, collect, or retrieve information through means not expressly authorized by Provider;
• Use the Services as a means of obtaining unauthorized access to third-party systems, networks, services, applications, devices, databases, or information;
• Facilitate, encourage, coordinate, direct, assist, permit, or enable any third party to engage in unauthorized access activities prohibited by this Section; or
• Engage in any activity that Provider reasonably determines is intended to obtain access to systems, accounts, resources, functionality, or data beyond Customer's authorized permissions.

Customer shall promptly notify Provider upon becoming aware of any unauthorized access, attempted unauthorized access, compromised credentials, account compromise, security incident, access-control failure, or other event that may affect the security or integrity of the Services.

Nothing in this Section prohibits access expressly authorized by Provider in writing, including approved support activities, approved integrations, approved security assessments, or other activities expressly permitted under a written agreement with Provider.

Provider may investigate suspected violations of this Section and may suspend, restrict, disable, or terminate access to the Services where Provider reasonably determines that Customer has engaged in unauthorized access activities or has created a material risk to the security, confidentiality, integrity, or availability of the Services, Provider systems, customer environments, or third-party information.

8.7 Security Violations and Malicious Activity

Customer shall not use the Services to engage in, facilitate, support, coordinate, promote, enable, or attempt any activity that compromises, threatens, disrupts, interferes with, damages, exploits, or otherwise adversely affects the confidentiality, integrity, availability, security, reliability, or performance of the Services, Provider systems, customer environments, third-party systems, networks, devices, data, or users.

Customer shall not upload, submit, transmit, generate, distribute, store, execute, deploy, host, facilitate, or otherwise make available any malicious software, malicious code, attack infrastructure, exploit mechanism, unauthorized access tool, or other harmful technology through or in connection with the Services.

Without limiting the foregoing, prohibited conduct includes:

• Uploading, transmitting, distributing, deploying, facilitating, hosting, storing, executing, or delivering malware, ransomware, spyware, viruses, worms, trojan horses, rootkits, keyloggers, logic bombs, backdoors, malicious scripts, malicious executables, malicious macros, cryptojacking software, or other malicious code;
• Creating, deploying, operating, facilitating, or supporting botnets, command-and-control infrastructure, malware distribution systems, exploit delivery systems, or similar malicious infrastructure;
• Developing, distributing, hosting, promoting, facilitating, or deploying tools designed to steal credentials, authentication tokens, account information, financial information, personal information, confidential information, or other sensitive data;
• Creating, distributing, transmitting, facilitating, or supporting phishing content, credential-harvesting content, impersonation schemes, fraudulent login pages, social-engineering campaigns, or similar deceptive security threats;
• Attempting to obtain unauthorized access to systems, networks, devices, accounts, applications, databases, APIs, services, infrastructure, or information belonging to Provider, other customers, consumers, business partners, or third parties;
• Compromising, attempting to compromise, or facilitating the compromise of user accounts, credentials, authentication mechanisms, access controls, encryption systems, security controls, or identity-management systems;
• Introducing, transmitting, distributing, or facilitating malicious payloads, exploit code, attack scripts, malicious files, or harmful software components;
• Interfering with, disrupting, degrading, disabling, damaging, overloading, or impairing the operation, availability, performance, security, or reliability of any system, network, application, device, service, API, infrastructure component, or data environment;
• Conducting, facilitating, participating in, or supporting denial-of-service attacks, distributed denial-of-service attacks, resource exhaustion attacks, amplification attacks, application-layer attacks, or similar disruptive activities;
• Attempting to disrupt, disable, impair, manipulate, interfere with, or circumvent security monitoring systems, intrusion-detection systems, fraud-prevention systems, logging systems, telemetry systems, alerting systems, or incident-response mechanisms;
• Intercepting, monitoring, capturing, redirecting, manipulating, altering, or tampering with network traffic, communications, transactions, sessions, data transmissions, or system communications without authorization;
• Exfiltrating, extracting, harvesting, collecting, exporting, transferring, copying, or disclosing data without authorization;
• Using the Services to store, process, transmit, distribute, or conceal data obtained through unauthorized, unlawful, fraudulent, or malicious means;
• Deploying code, software, workflows, integrations, automations, or configurations intended to create unauthorized persistence, conceal malicious activity, evade detection, or maintain unauthorized access;
• Using the Services as a platform for launching, coordinating, managing, facilitating, relaying, routing, masking, or conducting attacks against any person, organization, device, system, service, network, application, or infrastructure;
• Attempting to exploit software vulnerabilities, security weaknesses, configuration errors, design flaws, business logic flaws, exposed interfaces, or other technical conditions for unauthorized purposes;
• Developing, testing, deploying, or distributing exploit code, exploit kits, attack frameworks, or other tools intended to compromise systems or security controls;
• Facilitating unauthorized surveillance, monitoring, interception, tracking, collection, or acquisition of information, communications, credentials, or data;
• Tampering with, disabling, bypassing, removing, altering, or undermining encryption technologies, security safeguards, integrity protections, access controls, or other protective mechanisms;
• Introducing malicious content, malicious data, malicious prompts, malicious files, malicious integrations, malicious workflows, or other harmful inputs intended to compromise the Services or connected systems;
• Using automated tools, scripts, bots, agents, frameworks, or artificial intelligence systems to facilitate cyberattacks, unauthorized access, malicious automation, or other prohibited security-related activities;
• Creating, facilitating, or distributing deceptive security alerts, fraudulent incident notifications, fake support communications, fraudulent software updates, or other security-related scams;
• Using the Services to conceal the source of malicious activity, launder malicious traffic, relay attack traffic, obscure attribution, evade detection, or otherwise support malicious operations;
• Knowingly assisting, directing, coordinating, encouraging, sponsoring, enabling, or facilitating any third party in engaging in activities prohibited by this Section;
• Attempting to compromise the confidentiality, integrity, availability, authenticity, accountability, or security of the Services or any related system; or
• Engaging in any activity that Provider reasonably determines poses a material cybersecurity, operational, legal, regulatory, or security risk to the Services, Provider, other customers, consumers, or third parties.

Customer shall promptly notify Provider upon becoming aware of any malware infection, account compromise, unauthorized access, security incident, vulnerability exploitation, credential compromise, data breach, or other security event involving the Services or Customer's use of the Services.

Nothing in this Section prohibits legitimate defensive security activities expressly authorized in writing by Provider, including approved security assessments, vulnerability disclosures conducted in accordance with Provider's policies, or activities otherwise authorized under a written agreement with Provider.

Provider may investigate suspected violations of this Section and may remove content, disable integrations, suspend access, restrict functionality, isolate affected environments, report activity to appropriate authorities, or terminate access to the Services where Provider reasonably determines that Customer has engaged in malicious activity, security violations, or conduct creating a material cybersecurity risk.

8.8 Intellectual Property and Proprietary Rights Violations

Customer shall not use the Services in any manner that infringes, misappropriates, violates, dilutes, interferes with, or unlawfully exploits the intellectual property rights, proprietary rights, confidentiality rights, privacy rights, publicity rights, or other legal rights of Provider or any third party.

Customer is solely responsible for ensuring that Customer has all necessary rights, licenses, permissions, authorizations, and legal bases to upload, submit, process, display, distribute, publish, transmit, modify, store, or otherwise use any content, data, materials, software, integrations, documentation, media, or information through the Services.

Without limiting the foregoing, Customer shall not use the Services to:

• Infringe, misappropriate, dilute, or otherwise violate copyrights, including rights in software, documentation, written materials, images, photographs, videos, graphics, advertisements, vehicle listings, marketing materials, databases, designs, creative works, or other copyrighted content;
• Infringe, misuse, dilute, or otherwise violate trademarks, service marks, trade names, logos, brand identifiers, trade dress, or other source-identifying rights;
• Use manufacturer, dealership, lender, insurer, vendor, partner, or third-party branding, logos, names, certifications, affiliations, or marketing materials without appropriate authorization;
• Misrepresent, imply, or falsely suggest sponsorship, endorsement, certification, affiliation, partnership, authorization, ownership, approval, or relationship with any manufacturer, dealership, business, organization, or individual;
• Infringe, misappropriate, or violate patent rights, design rights, industrial rights, database rights, or other intellectual property protections;
• Misappropriate, disclose, misuse, reverse engineer, exploit, or improperly obtain trade secrets, confidential information, proprietary information, non-public business information, or other protected information belonging to Provider or any third party;
• Use the Services to obtain, extract, copy, reproduce, scrape, harvest, download, compile, aggregate, distribute, or exploit proprietary data, databases, catalogs, pricing information, inventory feeds, vehicle information, business information, customer information, or other protected materials without authorization;
• Upload, distribute, transmit, or make available content, data, software, code, materials, documentation, images, videos, text, audio, designs, or other materials without sufficient rights or permissions;
• Upload or distribute pirated software, unauthorized copies, cracked software, unauthorized modifications, unauthorized licenses, counterfeit materials, or content obtained through improper means;
• Remove, obscure, alter, disable, or conceal copyright notices, trademark notices, proprietary legends, attribution information, licensing information, ownership markings, watermarks, metadata, or other rights-management information;
• Modify, adapt, translate, reverse engineer, decompile, disassemble, reconstruct, or create derivative works of third-party software, content, documentation, APIs, data sources, or proprietary materials except as expressly permitted by applicable law or written agreement;
• Attempt to discover source code, object code, algorithms, models, systems, architectures, designs, technical documentation, proprietary workflows, or other confidential components of the Services except as expressly permitted;
• Use the Services to create, train, improve, benchmark, replicate, or develop competing products, services, models, systems, datasets, or technologies using Provider's proprietary materials or confidential information, except as expressly permitted by agreement;
• Use the Services to create derivative works from third-party content, customer data, OEM materials, marketplace content, or other protected materials without appropriate authorization;
• Violate contractual intellectual property obligations, licensing restrictions, confidentiality obligations, data-use restrictions, vendor agreements, manufacturer agreements, franchise agreements, or other applicable restrictions;
• Publish, distribute, sell, sublicense, transfer, lease, assign, or otherwise provide access to proprietary materials, content, data, software, or functionality without authorization;
• Misrepresent ownership, authorship, origin, licensing status, rights ownership, permissions, or authority relating to any content or data;
• Claim ownership of content, data, materials, software, records, communications, or other information that Customer does not own or have rights to claim;
• Use third-party intellectual property in a manner that violates license terms, attribution requirements, usage restrictions, geographic restrictions, commercial restrictions, or other applicable limitations;
• Violate rights of publicity, personality rights, image rights, likeness rights, voice rights, or other rights associated with individuals, including consumers, employees, customers, contractors, or representatives;
• Use personal images, recordings, signatures, names, likenesses, testimonials, reviews, or endorsements without appropriate authorization;
• Distribute unauthorized vehicle images, manufacturer photography, stock images, advertising assets, technical specifications, product descriptions, or other automotive-related materials;
• Use unauthorized data feeds, integrations, APIs, catalogs, inventory data, pricing data, market data, or business intelligence obtained from third parties;
• Facilitate the infringement, misappropriation, or violation of intellectual property or proprietary rights by any third party; or
• Assist, encourage, direct, enable, or permit any person or entity to engage in conduct prohibited by this Section.

Customer shall promptly notify Provider if Customer becomes aware of any suspected infringement, unauthorized use, intellectual property dispute, misuse of proprietary information, or violation of third-party rights involving the Services.

Provider may investigate suspected violations of this Section and may remove content, disable access to affected materials, restrict functionality, suspend accounts, or terminate access to the Services where Provider reasonably determines that Customer's use of the Services violates intellectual property rights, proprietary rights, contractual obligations, or applicable law.

9. Information Security Requirements

Customer shall maintain commercially reasonable administrative, technical, and physical safeguards appropriate to the nature, sensitivity, volume, and intended use of data processed through the Services. Customer is responsible for maintaining the security of Customer-controlled systems, networks, devices, accounts, integrations, credentials, and Authorized Users used to access the Services.

Customer shall implement reasonable security practices designed to protect the confidentiality, integrity, availability, and appropriate use of Customer data, consumer information, business information, credentials, and other information processed through the Services.

Customer shall:

• Maintain appropriate access controls designed to ensure that only authorized individuals can access the Services and Customer data;
• Assign user accounts only to authorized personnel with a legitimate business need;
• Maintain appropriate user roles, permissions, and access levels based on job responsibilities and least-privilege principles;
• Regularly review user access permissions and promptly remove or modify access that is no longer required;
• Promptly disable, suspend, or remove access for terminated employees, contractors, vendors, temporary workers, or other individuals who no longer require access;
• Use strong, unique passwords and follow reasonable credential-management practices;
• Enable and use multifactor authentication or other enhanced authentication mechanisms where available;
• Protect authentication credentials, API keys, access tokens, certificates, passwords, security codes, and other authentication information from unauthorized disclosure or use;
• Ensure Authorized Users understand applicable security responsibilities and requirements relating to use of the Services;
• Maintain appropriate endpoint security controls, including reasonable protections against malware, unauthorized software, credential theft, and compromise of devices used to access the Services;
• Maintain appropriate network security practices, including reasonable protections for networks, wireless environments, remote access connections, and connected systems used with the Services;
• Maintain reasonable administrative processes for onboarding, modifying, and offboarding users and integrations;
• Ensure integrations, third-party applications, connectors, plugins, APIs, and automated workflows connected to the Services are authorized and appropriately secured;
• Review and manage third-party access granted to Customer environments, accounts, data, or integrations;
• Protect consumer information, dealership information, business information, financial information, vehicle-related information, credentials, and other sensitive data accessed through the Services;
• Use reasonable safeguards to prevent unauthorized disclosure, alteration, loss, destruction, misuse, or access to data processed through the Services;
• Maintain appropriate procedures for identifying, responding to, and mitigating suspected security incidents affecting Customer's use of the Services;
• Promptly notify Provider of any suspected compromise of Customer accounts, credentials, integrations, or access methods that could affect the security of the Services;
• Cooperate reasonably with Provider regarding security investigations, incident response activities, and mitigation efforts;
• Use the Services in accordance with Provider documentation, security requirements, and applicable contractual obligations;
• Comply with applicable laws and regulations relating to data protection, privacy, cybersecurity, consumer information, and information security; and
• Maintain appropriate safeguards for any Customer-controlled systems or third-party systems integrated with the Services.

Customer shall not:

• Share user credentials, authentication credentials, API keys, access tokens, passwords, or security information in a manner inconsistent with Provider's requirements;
• Allow multiple individuals to use a single user account where individual accounts are available or required;
• Use another person's credentials, account, authentication information, or access rights without authorization;
• Permit unauthorized individuals, contractors, vendors, applications, integrations, or systems to access the Services;
• Disable, remove, alter, interfere with, or circumvent security features, safeguards, logging mechanisms, monitoring tools, authentication controls, or access controls;
• Attempt unauthorized access to the Services, Provider systems, other customer environments, third-party systems, or protected data;
• Probe, scan, test, assess, or evaluate vulnerabilities, security controls, networks, applications, or infrastructure without Provider's prior written authorization;
• Introduce malware, malicious code, harmful files, unauthorized software, or security threats into the Services or connected systems;
• Attempt to bypass access restrictions, tenant isolation controls, authentication requirements, usage controls, or other security mechanisms;
• Modify, disable, tamper with, or interfere with audit logs, security records, monitoring systems, or incident-response information;
• Export, transfer, disclose, or expose data obtained through the Services except as authorized and permitted;
• Use compromised devices, compromised accounts, stolen credentials, or unauthorized access methods to connect to the Services;
• Connect unauthorized third-party systems, applications, integrations, or automated tools that create unreasonable security risks;
• Use the Services as a means to access, attack, disrupt, monitor, or compromise other systems or networks;
• Attempt to discover, exploit, or publicly disclose vulnerabilities affecting the Services without following Provider's approved security reporting process;
• Store or process data through the Services in a manner that violates applicable law, contractual obligations, or required security practices; or
• Assist, encourage, permit, or enable any third party to engage in prohibited security-related activity.

Customer shall promptly notify Provider of any actual or suspected unauthorized access, security incident, credential compromise, data exposure, malware event, or other security issue involving Customer's use of the Services.

Provider may investigate suspected security violations and may take reasonable protective measures, including restricting access, disabling accounts, suspending integrations, limiting functionality, or temporarily suspending Services where necessary to protect the security, confidentiality, integrity, or availability of the Services, Provider systems, customers, consumers, or third parties.

10. Telecommunications, SMS, MMS, Voice, Electronic Communications, and Marketing Compliance

Customer acknowledges that telecommunications, electronic communications, advertising, and marketing activities are subject to independent legal, regulatory, contractual, and industry requirements. Customer is solely responsible for ensuring that all communications initiated, transmitted, generated, automated, or facilitated through the Services comply with all Applicable Laws and applicable third-party requirements.

Customer shall use communication features, messaging tools, calling functionality, marketing automation, lead-management tools, customer engagement tools, and related Services only for lawful purposes and in accordance with applicable requirements governing consumer communications.

Customer shall comply with all Applicable Laws, regulations, industry standards, carrier requirements, and platform rules governing:

• SMS text messaging;
• MMS messaging;
• voice calls;
• automated calls;
• autodialed communications;
• prerecorded voice communications;
• ringless voicemail or similar voice messaging technologies;
• email communications;
• marketing communications;
• customer notifications;
• appointment reminders;
• service reminders;
• customer relationship communications;
• lead follow-up communications;
• consumer outreach;
• lead generation;
• lead acquisition;
• advertising campaigns;
• promotional campaigns;
• customer solicitation; and
• automated or AI-assisted communications.

Customer shall ensure that all communications sent through the Services accurately identify the sender, purpose, nature, and source of the communication and do not contain deceptive, misleading, fraudulent, or unlawful content.

10.1 Required Consents, Notices, and Authorizations

Customer shall obtain and maintain all legally required permissions, consents, disclosures, authorizations, and notices before initiating or facilitating communications through the Services.

Customer shall obtain any required:

• express consent;
• prior express consent;
• prior express written consent;
• written authorizations;
• marketing permissions;
• communication preferences;
• privacy notices;
• required disclosures;
• recipient acknowledgments; and
• other legally required approvals.

Customer shall ensure that consent mechanisms, disclosures, and authorizations are clear, accurate, properly presented, and consistent with the communications actually sent.

Customer shall not rely on assumptions, outdated records, invalid permissions, or improperly obtained information as a basis for initiating communications where applicable law requires consent or authorization.

10.2 Consent, Preference, and Compliance Records

Customer shall maintain records sufficient to demonstrate compliance with Applicable Laws and applicable communication requirements, including evidence relating to consent, authorization, communication preferences, and opt-out requests.

Records may include, where applicable:

• consent source;
• consent date and timestamp;
• consent method;
• consent language presented;
• disclosures provided;
• recipient identity or contact information;
• telephone number or email address associated with consent;
• campaign or communication purpose;
• sender identity;
• communication history;
• opt-out requests;
• consent withdrawal records;
• preference changes;
• suppression records; and
• other documentation reasonably necessary to demonstrate compliance.

10.3 Opt-Out, Revocation, and Communication Preference Compliance

Customer shall honor legally required opt-outs, revocations, unsubscribes, do-not-contact requests, communication preference changes, and similar consumer requests.

Customer shall:

• Process opt-out requests within legally required timeframes;
• Maintain appropriate suppression lists or equivalent controls;
• Prevent future communications where consent has been revoked or where communications are otherwise prohibited;
• Honor communication channel preferences where required;
• Ensure that automated campaigns, workflows, integrations, and third-party systems respect applicable suppression requirements;
• Not attempt to override, bypass, ignore, or evade consumer communication preferences.

10.4 Prohibited Communications Practices

Customer shall not use the Services to send, initiate, facilitate, automate, or distribute communications that violate Applicable Laws, consumer rights, carrier requirements, or this Agreement.

Prohibited conduct includes:

• Sending spam, unsolicited communications, or unauthorized bulk messages;
• Sending communications without required consent, authorization, disclosures, or legal basis;
• Sending misleading, deceptive, fraudulent, or inaccurate messages;
• Misrepresenting sender identity, dealership identity, business affiliation, purpose, urgency, or communication source;
• Using deceptive caller identification information or spoofed sender information;
• Engaging in unlawful robocalling, autodialing, automated calling, or prerecorded communications;
• Using purchased, scraped, harvested, or improperly obtained contact lists where prohibited or inappropriate;
• Communicating with consumers who have opted out, revoked consent, or requested no further communications;
• Concealing required disclosures, sender information, opt-out instructions, or legally required notices;
• Using communications to harass, threaten, intimidate, pressure, or manipulate recipients;
• Sending fraudulent promotions, fake offers, deceptive vehicle availability claims, misleading pricing claims, or false incentives;
• Using messaging or calling features to facilitate scams, phishing, identity theft, fraud, or unlawful activity;
• Using automated communications in a manner likely to create consumer harm or unreasonable annoyance;
• Attempting to evade carrier filtering, messaging restrictions, reputation systems, or compliance controls;
• Using communication features to distribute prohibited content under this Agreement; or
• Assisting, encouraging, enabling, or permitting third parties to engage in prohibited communications practices.

10.5 Campaign Monitoring, Enforcement, and Platform Protection

Provider may monitor communication activity, messaging performance indicators, abuse signals, delivery patterns, complaint rates, opt-out rates, carrier feedback, and other relevant indicators for security, reliability, compliance, and platform-protection purposes.

Provider may restrict, suspend, pause, disable, or terminate communications, campaigns, accounts, integrations, or related functionality where Provider reasonably determines that activity:

• violates Applicable Laws;
• violates carrier requirements or messaging standards;
• creates excessive complaints, abuse reports, or consumer harm;
• creates regulatory, legal, security, or reputational risk;
• threatens message deliverability or platform integrity;
• indicates spam, fraud, abuse, or unauthorized communications; or
• creates risk to Provider, customers, consumers, carriers, or third parties.

Customer acknowledges that Provider may be required to cooperate with carriers, regulators, law enforcement, or other third parties regarding suspected unlawful or abusive communications activity.

11. Privacy and Data Protection

Customer acknowledges that the Services may process personal information, consumer information, business information, dealership information, vehicle-related information, customer relationship information, employee information, and other data subject to privacy, confidentiality, cybersecurity, and data protection requirements.

Customer shall comply with all Applicable Laws governing privacy, data protection, confidentiality, consumer rights, cybersecurity, information security, and the collection, use, disclosure, retention, and disposal of personal information.

Customer is solely responsible for determining the lawful purposes, means, scope, and methods of Customer's processing activities and for ensuring that Customer has all required rights, permissions, notices, disclosures, consents, authorizations, and legal bases necessary to process information through the Services.

Customer shall:

• Provide legally required privacy notices, disclosures, and transparency information to individuals;
• Maintain an appropriate lawful basis, authorization, consent, contractual basis, or other permitted basis for collecting, using, processing, sharing, or disclosing personal information where required by Applicable Laws;
• Process personal information only for permitted, disclosed, and legitimate business purposes;
• Honor applicable consumer privacy rights, including requests relating to access, correction, deletion, portability, opt-out, restriction, consent withdrawal, or similar rights where applicable;
• Maintain appropriate administrative, technical, and physical safeguards designed to protect personal information and confidential information;
• Implement reasonable access controls, authentication measures, and authorization procedures for users accessing the Services;
• Restrict access to personal information to authorized personnel with a legitimate business need;
• Maintain appropriate procedures for onboarding, modifying, and removing user access;
• Maintain reasonable security and privacy practices for devices, systems, networks, integrations, and third-party services connected to the Services;
• Ensure that employees, contractors, agents, vendors, and other personnel with access to personal information understand applicable confidentiality and privacy obligations;
• Maintain appropriate incident response procedures for suspected unauthorized access, disclosure, loss, misuse, or compromise of personal information;
• Promptly investigate and address suspected privacy or security incidents involving Customer-controlled data or Customer use of the Services;
• Notify Provider where required of incidents that may affect the Services, Provider systems, other customers, or third-party information;
• Maintain appropriate records demonstrating compliance with applicable privacy and data protection obligations;
• Ensure that integrations, APIs, data connections, and third-party applications used with the Services are authorized and appropriately managed;
• Process personal information only in accordance with Customer's stated privacy practices, contractual obligations, and Applicable Laws;
• Ensure that any personal information uploaded, transmitted, imported, or otherwise provided to the Services was collected and provided lawfully;
• Use reasonable measures to protect consumer, employee, customer, and business information from unauthorized access, disclosure, alteration, loss, or misuse; and
• Comply with applicable privacy and data protection obligations applicable to automotive dealerships and related businesses, including obligations relating to consumer information, marketing data, customer records, and business operations.

Customer shall not use the Services to:

• Collect, access, use, disclose, or process personal information without lawful authority, appropriate permission, or other valid basis where required;
• Process personal information beyond the scope, purpose, authorization, or permissions applicable to such information;
• Access personal information, customer records, consumer data, dealership data, employee data, or other information without authorization;
• Share, sell, disclose, transfer, license, or otherwise provide personal information to third parties in violation of Applicable Laws, contractual obligations, or disclosed privacy practices;
• Use personal information for unauthorized advertising, profiling, targeting, enrichment, analytics, resale, or other purposes not permitted by law or applicable agreements;
• Circumvent, disable, ignore, or interfere with privacy rights, consumer preferences, consent choices, opt-outs, deletion requests, or other legally protected rights;
• Reidentify, reverse engineer, deanonymize, or attempt to discover the identity of individuals from de-identified, anonymized, aggregated, or masked information without authorization;
• Track, monitor, record, profile, or analyze individuals through unlawful or unauthorized means;
• Use personal information to make unlawful discriminatory decisions, unlawful eligibility determinations, or prohibited automated decisions;
• Collect sensitive personal information without appropriate authority, disclosures, consent, or lawful basis where required;
• Upload or process personal information obtained through fraud, deception, unauthorized access, scraping, harvesting, or other improper means;
• Use the Services to facilitate identity theft, fraud, impersonation, unauthorized account access, or misuse of personal information;
• Disclose credentials, authentication information, personal information, financial information, or confidential information without authorization;
• Combine, match, enrich, or link personal information with external datasets in a manner prohibited by Applicable Laws or applicable agreements;
• Use consumer information, vehicle ownership information, customer records, lead information, or service information for purposes inconsistent with applicable privacy requirements;
• Retain personal information longer than permitted by applicable law, contractual obligations, or documented retention requirements;
• Transfer personal information internationally or across jurisdictions in violation of applicable legal requirements;
• Use the Services to avoid, bypass, or undermine privacy, security, or data protection obligations;
• Process information where Customer lacks the required legal authority, rights, permissions, notices, consents, or contractual basis to do so; or
• Assist, encourage, enable, or permit any third party to engage in prohibited privacy or data protection practices.

Customer shall maintain appropriate privacy notices, consent mechanisms, permissions, contractual arrangements, records, and safeguards required by Applicable Laws.

Customer shall not use the Services to process personal information where Customer lacks the necessary rights, authority, lawful basis, permissions, or legal justification to do so.

Provider may investigate suspected privacy or data protection violations and may take reasonable protective measures, including restricting access, disabling integrations, limiting functionality, suspending accounts, or terminating Services where Provider reasonably determines that Customer's use creates a privacy, security, legal, regulatory, or operational risk.

13.6 No Guarantee of Complete Local Deletion

Customer acknowledges and agrees that deletion of locally stored media may be delayed, incomplete, unsuccessful, or otherwise impacted by factors outside AutoRevolution's reasonable control, including without limitation:

• (a) device hardware limitations;
• (b) operating system behavior;
• (c) offline operation;
• (d) synchronization delays or failures;
• (e) network connectivity issues;
• (f) user actions or device settings;
• (g) third-party applications or integrations;
• (h) backup systems, caches, temporary files, or system-generated copies; or
• (i) other technical limitations.

Accordingly, AutoRevolution does not warrant or guarantee the immediate, complete, or permanent removal of images, videos, or related media from all local storage locations, caches, backups, temporary storage areas, or third-party systems.

13.7 Mobile Device Access Requirements

The Services are designed, optimized, provisioned, tested, and supported exclusively for use on compatible mobile smartphone devices running supported versions of iOS or Android operating systems.

Except as expressly authorized by Company in writing, Customer shall not access or use the Services through:

• (a) desktop computers;
• (b) laptop computers;
• (c) tablets;
• (d) mobile device emulators;
• (e) simulators;
• (f) virtual machines;
• (g) remote access environments;
• (h) device farms;
• (i) automated testing platforms;
• (j) containerized environments;
• (k) headless environments; or
• (l) any unsupported hardware or software configuration.

Customer acknowledges that use of unsupported environments may impair functionality, security, performance, reliability, data integrity, or service availability.

Mobile-device operation constitutes a material condition of Customer's right to access and use the Services.,/p>

13.8 Indemnification for Biometric Data Claims

Customer shall defend, indemnify, and hold harmless AutoRevolution and its affiliates, officers, directors, employees, contractors, successors, and assigns from and against any claims, demands, actions, investigations, regulatory proceedings, damages, fines, penalties, settlements, judgments, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to:

• (a) Customer's collection, use, disclosure, storage, transmission, retention, destruction, or processing of Biometric Data;
• (b) Customer's failure to obtain required notices, consents, releases, or authorizations;
• (c) Customer's violation of any biometric privacy, data protection, consumer protection, employment, surveillance, or privacy law; or
• (d) any allegation that AutoRevolution's provision of the Services resulted in liability arising from Customer's handling of Biometric Data.

Customer is solely responsible for determining whether any image, video, or related media captured, uploaded, transmitted, stored, or processed through the Services contains Biometric Data or other regulated information.

Customer assumes all responsibility and liability arising from its collection, use, disclosure, retention, destruction, storage, transmission, or processing of such information in connection with the Services.>/p>

Accordingly, AutoRevolution does not warrant or guarantee the immediate, complete, or permanent removal of images, videos, or related media from all local storage locations, caches, backups, temporary storage areas, or third-party systems.

14. Accessiblity Compliance

14.1 Accessibility Responsibilities

Customer is solely responsible for ensuring that all Consumer-Facing Content, Digital Experiences, Communications, Customer Content, workflows, forms, documents, media, advertisements, websites, mobile experiences, chat experiences, and other materials created, controlled, published, distributed, transmitted, or made available by Customer through the Services comply with Applicable Laws relating to accessibility, disability rights, equal access, and non-discrimination.

Consumer-Facing Content includes, without limitation:

• (a) Vehicle listings, inventory descriptions, vehicle detail pages, pricing information, payment estimates, financing information, lease offers, promotional offers, incentives, rebates, warranties, vehicle history information, service descriptions, and dealership marketing materials;
• (b) Website content, landing pages, digital advertisements, display advertisements, search engine marketing content, social media content, online marketplace content, directory listings, blog posts, articles, videos, images, audio content, and other publicly accessible materials;
• (c) Email messages, text messages, SMS messages, MMS messages, chat messages, live chat communications, chatbot responses, AI-generated communications, direct messages, push notifications, and other electronic communications;
• (d) Sales communications, customer service communications, financing communications, collections communications, service appointment communications, recall communications, and customer relationship management communications;
• (e) Consumer disclosures, notices, consent requests, legal notices, privacy notices, marketing disclosures, financing disclosures, and other legally required communications;
• (f) Reviews, testimonials, ratings, endorsements, responses to reviews, reputation management content, and customer engagement communications;
• (g) Documents, reports, proposals, applications, forms, contracts, agreements, or records provided to or intended for consumers; and
• (h) Any content generated, modified, enhanced, translated, summarized, recommended, ranked, optimized, or assisted by Artificial Intelligence, Machine Learning, automation, analytics systems, or other functionality available through the Services.

Consumer-Facing Content includes content whether created by Customer personnel, generated through the Services, generated by artificial intelligence systems, generated by third parties acting on Customer's behalf, or created through a combination of human and automated processes.

For the avoidance of doubt, Consumer-Facing Content includes communications and materials delivered through existing or future communication channels, media formats, technologies, platforms, devices, or methods of consumer interaction.

Customer remains solely responsible for the accuracy, legality, completeness, substantiation, compliance, and appropriateness of all Consumer-Facing Content published, distributed, transmitted, displayed, or otherwise used by Customer through or in connection with the Services.

14.2 Prohibited Accessibility-Related Uses

Customer shall not use the Services to create, publish, distribute, deploy, or maintain any Consumer-Facing Content, Digital Experience, Communication, process, or interaction that Customer knows, or reasonably should know:

• (a) excludes, disadvantages, discriminates against, or materially impairs access for individuals with disabilities in violation of Applicable Law;
• (b) interferes with, disables, circumvents, or degrades accessibility features, assistive technologies, accommodations, or accessibility-related functionality;
• (c) creates barriers that prevent individuals with disabilities from obtaining information, accessing services, completing transactions, communicating with Customer, submitting requests, exercising legal rights, or otherwise participating in Customer's products, services, programs, or offerings;
• (d) materially reduces the accessibility of content, websites, applications, communications, or digital experiences without implementing reasonable alternative means of access where required by Applicable Law; or
• (e) knowingly deploys inaccessible content, forms, workflows, or customer interactions after receiving notice of material accessibility deficiencies where remediation is reasonably available.

14.3 AI-Generated and Accessibility Content

Customer acknowledges that content generated or assisted by artificial intelligence, machine learning systems, automation tools, templates, content generation features, or similar functionality may not satisfy applicable accessibility requirements.

Customer is solely responsible for reviewing, testing, validating, modifying, and approving all generated content before publication or use and shall not rely exclusively on automated tools to determine accessibility compliance.

14.4 Provider Tools and Functionality

Provider may make available tools, features, templates, accessibility checks, testing capabilities, content recommendations, user-interface components, design systems, integrations, documentation, or other functionality intended to assist Customer in addressing accessibility considerations.

Such tools are provided solely as aids and do not constitute legal advice, compliance certifications, accessibility guarantees, or representations that Customer's use of the Services complies with Applicable Law.

Customer retains sole responsibility for determining whether its Consumer-Facing Content, Digital Experiences, Communications, Customer Content, business processes, and implementations satisfy applicable accessibility requirements.

14.5 Third-Party Content and Integrations

Customer remains responsible for accessibility compliance relating to:

• (a) Customer Content;
• (b) third-party content;
• (c) third-party websites;
• (d) third-party applications;
• (e) third-party integrations;
• (f) embedded media;
• (g) dealer inventory feeds;
• (h) advertising content;
• (i) manufacturer-supplied materials; and
• (j) any other content or functionality that Customer elects to publish, display, transmit, or make available through the Services.

Customer shall not use third-party content or integrations in a manner that causes Customer's Digital Experiences or Communications to violate Applicable Law.

14.6 Accessibility Standards

Where Applicable Law references or incorporates technical accessibility standards, Customer is responsible for determining the standards applicable to its business operations and implementing appropriate measures to satisfy such requirements.

Provider does not warrant that compliance with any particular technical standard, guideline, framework, specification, or testing methodology will satisfy Customer's legal obligations.

14.7 Remediation and Corrective Measures

Upon becoming aware of a material accessibility issue affecting Customer's use of the Services, Customer shall take commercially reasonable steps to investigate, assess, and remediate the issue as required by Applicable Law.

Customer shall not knowingly continue using the Services in a manner that creates unlawful accessibility barriers after receiving notice of such barriers and having a reasonable opportunity to address them.

14.8 Accessibility Complaints and Claims

Customer is solely responsible for responding to accessibility-related complaints, inquiries, requests for accommodation, regulatory investigations, administrative proceedings, and legal claims arising from Customer's content, business practices, products, services, communications, or implementation of the Services.

15. AI, Automation, and Decision-Making

15.1 AI Enabled Features

The Services may include artificial intelligence ("AI"), machine learning, predictive analytics, automation, computer vision, image processing, natural language processing, generative AI, recommendation engines, decision-support tools, scoring models, workflow automation, and other automated or semi-automated functionality (collectively, "AI Features").

Customer acknowledges and agrees that AI Features are intended to assist human users and are not a substitute for independent professional judgment, legal compliance obligations, or required human review.

15.2 Prohibited Uses of AI Features

Customer shall not use, and shall not permit any Authorized User or third party to use, AI Features to:

• (a) Generate, distribute, or facilitate unlawful, fraudulent, deceptive, misleading, defamatory, harassing, or otherwise harmful content;
• (b) Generate false, fabricated, manipulated, or materially misleading records, documents, communications, vehicle information, transaction data, customer information, disclosures, compliance records, vehicle histories, repair records, warranty information, financing information, insurance information, or other business records;
• (c) Generate or submit fake consumer reviews, testimonials, ratings, endorsements, social media content, or other content intended to mislead consumers, regulators, lenders, manufacturers, or business partners;
• (d) Impersonate any individual or entity, misrepresent identity, forge communications, or otherwise deceive recipients regarding the source, authorship, or authenticity of content;
• (e) Circumvent, avoid, suppress, manipulate, or interfere with legally required disclosures, notices, consent requirements, recordkeeping obligations, or consumer protection requirements;
• (f) Generate discriminatory, biased, unlawful, or unfair outcomes on the basis of race, color, national origin, religion, sex, gender, gender identity, sexual orientation, disability, age, veteran status, marital status, citizenship status, or any other characteristic protected by applicable law;
• (g) Engage in unlawful profiling, unlawful surveillance, unlawful monitoring, or prohibited automated decision-making;
• (h) Manipulate, probe, reverse engineer, exploit vulnerabilities in, poison, improperly train, benchmark for competitive purposes, or otherwise interfere with AI Features or underlying models except as expressly authorized by Provider in writing; and
• Use AI Features in any manner that violates applicable laws, regulations, industry standards, contractual obligations, lender requirements, OEM requirements, or regulatory guidance.

15.3 Credit, Lending, and Consumer Decisions

Without limiting the foregoing, Customer shall not use AI Features as the sole basis for:

• (a) Any credit decision;
• (b) Any lending decision;
• (c) Any underwriting determination;
• (d) Any adverse action affecting a consumer;
• (e) Any legally significant decision affecting an individual's eligibility for financing, credit, insurance, employment, housing, benefits, pricing, or other rights or opportunities; or
• (f) Any decision for which applicable law requires meaningful human review, human involvement, or human oversight.

Where applicable law requires human review, Customer shall ensure that qualified personnel independently evaluate relevant information before making a final decision.

Customer remains solely responsible for determining whether any particular use of AI Features is subject to federal, state, local, or industry-specific requirements governing automated decision-making, consumer protection, fair lending, equal credit opportunity, privacy, employment, insurance, or related regulatory obligations.

15.4 Human Review and Verification

Customer shall independently review, evaluate, and validate all outputs generated by AI Features before relying upon, implementing, publishing, transmitting, or distributing such outputs.

Customer shall not:

• (a) Represent AI-generated content as independently verified, professionally reviewed, or factually confirmed unless such verification has actually occurred;
• (b) Rely exclusively on automated outputs where independent review is reasonably necessary to assess accuracy, legality, completeness, fairness, or suitability;
• (c) Assume that outputs are free from errors, inaccuracies, hallucinations, bias, omissions, or outdated information.

Customer is solely responsible for all business decisions, consumer communications, transactions, recommendations, disclosures, actions, and outcomes arising from Customer's use of AI Features or AI-generated outputs.

15.5 No Warranty Regarding AI Outputs

AI Features may generate inaccurate, incomplete, inconsistent, biased, offensive, outdated, or otherwise unsuitable outputs.

Provider does not represent, warrant, or guarantee that any AI-generated output will be accurate, complete, reliable, lawful, non-infringing, unbiased, merchantable, fit for a particular purpose, or suitable for Customer's intended use.

AI-generated outputs are provided on an "as is" and "as available" basis and should be independently reviewed and validated by Customer prior to use.

15.6 AI Compliance Responsibility

AI Features may generate inaccurate, incomplete, inconsistent, biased, offensive, outdated, or otherwise unsuitable outputs.

Customer is solely responsible for ensuring that its use of AI Features complies with all applicable laws, regulations, regulatory guidance, industry standards, contractual obligations, and internal governance requirements, including those relating to consumer protection, advertising, privacy, automated decision-making, lending, fair lending, equal credit opportunity, discrimination, recordkeeping, disclosures, and communications.

Customer bears sole responsibility for obtaining any required approvals, consents, notices, disclosures, authorizations, or human reviews associated with its use of AI Features.

15.7 Suspension for AI Misuse

AI Features may generate inaccurate, incomplete, inconsistent, biased, offensive, outdated, or otherwise unsuitable outputs.

Provider may suspend, restrict, disable, or terminate access to AI Features if Provider reasonably believes Customer's use of such functionality violates this Agreement, applicable law, regulatory requirements, third-party provider requirements, or presents material legal, operational, security, reputational, or compliance risk.

16. Data Security Requirements

Customer shall implement, maintain, and continuously monitor administrative, technical, organizational, and physical safeguards designed to protect the confidentiality, integrity, availability, and security of the Services and all Customer Data accessed, processed, transmitted, stored, or otherwise handled in connection with the Services.

Such safeguards shall be appropriate to:

• (a) the nature, sensitivity, volume, and risk profile of Customer Data;
• (b) Customer's size, operational complexity, and business activities;
• (c) generally accepted information security practices and applicable industry standards;
• (d) Applicable Laws, regulations, and regulatory guidance; and
• (e) reasonably foreseeable internal and external threats, vulnerabilities, and risks.

16.1 Access Controls and Authentication

Without limiting the foregoing, Customer shall:

• (a) Use strong authentication mechanisms for all user accounts with access to the Services;
• (b) Require unique user credentials and prohibit the sharing of user accounts;
• (c) Implement and maintain password policies consistent with recognized security standards, including minimum complexity, length, expiration, and reuse restrictions where appropriate;
• (d) Enable multi-factor authentication ("MFA") for administrative, privileged, remote-access, and other high-risk accounts whenever available;
• (e) Promptly disable, remove, or modify access rights for personnel who no longer require access to the Services, including upon termination of employment or engagement; and
• (f) Restrict access to the Services and Customer Data on a least-privilege and need-to-know basis.

16.2 Account Monitoring and User Activity

Without limiting the foregoing, Customer shall:

• (a) Maintain reasonable procedures to monitor user accounts and access activity associated with the Services;
• (b) Review and investigate unauthorized, suspicious, anomalous, or potentially fraudulent account activity;
• (c) Maintain audit logs, access records, or equivalent monitoring controls to the extent reasonably necessary to detect unauthorized access or misuse; and
• (d) Promptly revoke credentials reasonably believed to have been compromised.

16.3 Endpoint and Device Security

Without limiting the foregoing, Customer shall:

• (a) Maintain commercially reasonable endpoint security protections on devices used to access the Services, including workstations, laptops, mobile devices, servers, and other computing assets;
• (b) Deploy and maintain anti-malware, endpoint detection and response, or equivalent security controls where appropriate;
• (c) Implement device management, encryption, screen-lock, and remote-wipe capabilities for devices that access sensitive Customer Data, where commercially reasonable; and
• (d) Restrict use of unsupported, insecure, or unauthorized devices to access the Services.

16.4 Vulnerability Management and System Maintenance

Without limiting the foregoing, Customer shall:

• (a) Apply security patches, updates, and fixes to operating systems, applications, browsers, firmware, and security tools within a commercially reasonable timeframe based on risk and severity;
• (b) Conduct periodic vulnerability assessments and remediate identified vulnerabilities as appropriate;
• (c) Maintain reasonable change management procedures designed to minimize security risks associated with system modifications; and
• (d) Use supported software versions and maintain systems in accordance with vendor security recommendations.

16.5 Personnel Security and Training

Without limiting the foregoing, Customer shall:

• (a) Require personnel with access to the Services or Customer Data to receive reasonable security awareness training appropriate to their responsibilities;
• (b) Maintain policies and procedures addressing acceptable use, access management, and information security;
• (c) Maintain reasonable change management procedures designed to minimize security risks associated with system modifications; and
• (d) Take reasonable steps to ensure personnel understand and comply with applicable confidentiality and security obligations.

16.6 Protection of Automotive and Consumer Information

To the extent Customer accesses, stores, processes, transmits, or otherwise handles consumer, vehicle, financing, insurance, driver, dealership, employee, or other regulated automotive-related information through the Services, Customer shall implement safeguards designed to protect such information from unauthorized access, use, disclosure, alteration, or destruction and shall comply with all Applicable Laws governing such information.

16.7 Compliance and Continuous Improvement

Customer shall periodically review and update its security controls, policies, and procedures to address evolving threats, technology changes, operational risks, legal requirements, and industry best practices. Customer shall maintain security measures that are no less protective than those required under this Agreement and shall promptly address material deficiencies identified through audits, assessments, investigations, or security reviews.

16.7 Responsibility for Customer Environment

Customer acknowledges that Provider's security obligations apply only to the Services under Provider's control. Customer remains solely responsible for the security of:

19. Investigation, Compliance Verification, and Cooperation

Customer shall reasonably cooperate with Provider in connection with any investigation, inquiry, review, assessment, or response relating to suspected or actual violations of this Acceptable Use Policy, the Agreement, Applicable Laws, applicable security requirements, third-party requirements applicable to the Services, or activities that may threaten the security, integrity, availability, or lawful operation of the Services.

Without limiting the foregoing, Customer shall provide reasonable and timely assistance requested by Provider to investigate, assess, mitigate, remediate, or respond to suspected or actual:

• Violations of this Acceptable Use Policy;
• Violations of the Agreement or applicable Documentation;
• Violations of Applicable Laws or regulatory requirements;
• Security incidents, cybersecurity events, unauthorized access incidents, or credential compromises;
• Fraudulent, deceptive, abusive, or unlawful activities;
• Misuse of the Services or Customer accounts;
• Complaints from customers, consumers, users, business partners, or other third parties;
• Carrier, telecommunications provider, messaging provider, platform provider, payment processor, lender, OEM, warranty administrator, or other third-party inquiries relating to Customer's use of the Services;
• Governmental, regulatory, administrative, judicial, or law enforcement inquiries, investigations, requests, orders, or proceedings; and
• Activities that may adversely affect the Services, Provider's systems, Provider's customers, or third parties.

Provider may request information, records, documentation, explanations, certifications, logs, screenshots, transactional records, communications records, consent records, authorization records, policies, procedures, technical information, or other materials reasonably necessary to investigate, verify, assess, or respond to:

• Complaints, abuse reports, or suspected misuse;
• Security incidents or cybersecurity threats;
• Suspected violations of this Policy or the Agreement;
• Regulatory, governmental, carrier, platform, lender, OEM, or third-party inquiries;
• Suspected unlawful, fraudulent, deceptive, or unauthorized activities;
• Excessive, abnormal, or potentially harmful usage patterns; or
• Customer's compliance with applicable requirements governing Customer's use of the Services.

Customer shall provide requested information within a reasonable period of time, taking into account the nature, urgency, and potential impact of the matter under investigation. Where Provider reasonably determines that immediate action is necessary to protect the Services, Provider, other customers, consumers, third parties, or the public, Customer shall cooperate on an expedited basis.

Customer shall preserve relevant records, logs, evidence, and information relating to any matter under investigation to the extent required by Applicable Laws and reasonably necessary to support the investigation, response, remediation, or resolution of the matter.

Provider may take reasonable steps to investigate suspected violations of this Policy, including reviewing account activity, usage patterns, technical logs, security events, system interactions, and other information available to Provider in connection with Customer's use of the Services. Nothing in this Policy obligates Provider to monitor Customer's activities or to investigate any particular matter.

If Customer fails to reasonably cooperate with an investigation, fails to provide information reasonably requested by Provider, provides materially inaccurate or misleading information, or otherwise impedes an investigation relating to the Services, Provider may take protective measures, including restricting functionality, suspending access to affected Services, delaying requested transactions, disabling integrations, or exercising any other rights available under the Agreement or Applicable Laws.

Nothing in this Section requires Customer to disclose information protected by attorney-client privilege, work-product protection, or other applicable legal privilege; provided, however, that Customer shall cooperate in good faith to provide non-privileged information reasonably necessary to address the matter at issue.

20. Third-Party Integrations

The Services may permit Customer to connect, access, enable, configure, or use third-party applications, platforms, websites, software, services, databases, APIs, communication providers, payment processors, lenders, OEM systems, dealer management systems, customer relationship management systems, inventory management platforms, telematics providers, marketing platforms, lead providers, messaging services, analytics tools, and other third-party products or services (collectively, "Third-Party Integrations").

Customer is solely responsible for its selection, use, configuration, authorization, and management of any Third-Party Integrations. Without limiting the foregoing, Customer is solely responsible for:

• Obtaining and maintaining all rights, licenses, permissions, consents, approvals, and authorizations necessary to enable and use Third-Party Integrations with the Services;
• Any access rights, credentials, permissions, roles, scopes, tokens, keys, or authorizations granted to third parties through or in connection with the Services;
• The accuracy, legality, integrity, security, and appropriateness of data transmitted to, from, or through any Third-Party Integrations;
• Compliance with all contractual obligations, privacy obligations, security obligations, data-sharing restrictions, licensing requirements, and Applicable Laws arising from or relating to Third-Party Integrations;
• The acts, omissions, content, services, software, data practices, security practices, and conduct of third-party providers; and
• Any disclosure, transfer, transmission, processing, modification, deletion, corruption, loss, or misuse of Customer Data resulting from Customer's use of Third-Party Integrations.

Customer shall not use any Third-Party Integration to:

• Circumvent, disable, avoid, interfere with, or bypass security controls, authentication mechanisms, authorization controls, access restrictions, audit controls, monitoring systems, usage limits, or technical safeguards implemented by Provider or any third party;
• Access, acquire, extract, aggregate, copy, transmit, export, disclose, transfer, or exfiltrate data in an unauthorized, unlawful, deceptive, or prohibited manner;
• Violate the rights of Provider, any third party, any consumer, or any other person or entity, including privacy rights, confidentiality obligations, intellectual property rights, contractual rights, or data protection rights;
• Engage in conduct prohibited by this Acceptable Use Policy, the Agreement, Applicable Laws, or applicable third-party terms;
• Introduce malicious code, malware, ransomware, spyware, unauthorized scripts, or other harmful technology into the Services;
• Create unauthorized interoperability, unauthorized data aggregation, unauthorized data brokerage activities, or unauthorized secondary uses of data; or
• Enable activities that could reasonably compromise the security, integrity, availability, performance, or lawful operation of the Services.

Provider may disable, suspend, restrict, remove, or refuse any Third-Party Integration that Provider reasonably believes creates security risks, legal risks, operational risks, performance issues, compliance concerns, or violations of this Policy, the Agreement, Applicable Laws, or applicable third-party requirements.

20.1 Data Accuracy, Data Integrity, and Records Management

Customer is solely responsible for all Customer Data submitted to, stored within, transmitted through, generated by, or otherwise processed using the Services. Customer acknowledges and agrees that Provider does not independently verify the accuracy, completeness, legality, authenticity, or reliability of Customer Data.

Customer is solely responsible for:

• The accuracy, quality, integrity, and reliability of Customer Data;
• The legality of collecting, using, disclosing, transferring, storing, and processing Customer Data;
• The completeness and suitability of Customer Data for Customer's intended business purposes;
• Compliance with Applicable Laws governing records management, retention, preservation, deletion, archiving, and disposal of records;
• Compliance with all applicable dealership, automotive retail, finance and insurance ("F&I"), lending, leasing, warranty, service, telematics, marketing, privacy, and consumer protection requirements applicable to Customer Data;
• Maintaining records necessary to support Customer's legal, regulatory, contractual, audit, litigation hold, evidentiary, and business obligations; and
• Reviewing and validating information, reports, analytics, outputs, recommendations, calculations, communications, and records generated through the Services before relying upon or acting on them.

Customer shall ensure that Customer Data is accurate in all material respects, current as appropriate for its intended use, and maintained in a manner consistent with Customer's legal and business obligations.

Customer shall not knowingly, recklessly, or fraudulently submit, upload, generate, transmit, store, maintain, or process through the Services:

• False, inaccurate, or materially misleading information;
• Fraudulent, deceptive, manipulated, or unlawfully altered information;
• Fabricated, forged, fictitious, or counterfeit records or documents;
• Information intended to deceive consumers, regulators, lenders, insurers, OEMs, warranty providers, service providers, governmental authorities, or other third parties;
• Material omissions that render submitted information misleading in the circumstances; or
• Records relating to vehicle sales, financing, leasing, trade-ins, service operations, warranty administration, inspections, insurance products, customer interactions, or other automotive transactions that Customer knows or reasonably should know are materially inaccurate or fraudulent.

Without limiting the foregoing, Customer shall not use the Services to create, maintain, transmit, or rely upon fraudulent deal jackets, financing applications, lease records, customer records, vehicle history records, service records, repair orders, inspection reports, title records, odometer disclosures, warranty claims, insurance-related records, compliance records, or other business records.

Customer remains solely responsible for the business decisions, regulatory filings, consumer communications, disclosures, transactions, and records created, maintained, transmitted, or relied upon through Customer's use of the Services.

21. Suspension, Restriction, and Protective Actions

Provider may, in its sole discretion and without limiting any other rights or remedies available under the Agreement, this Acceptable Use Policy, or Applicable Laws, immediately suspend, restrict, disable, remove, quarantine, limit, or terminate access to all or any portion of the Services, Customer accounts, Authorized User accounts, integrations, communications capabilities, APIs, data flows, functionality, or content, with or without prior notice, if Provider reasonably determines that such action is necessary to protect the Services, Provider, Customer, other customers, users, consumers, business partners, or third parties.

Without limiting the foregoing, Provider may take such action if Provider reasonably believes that:

• Customer, an Authorized User, or any person acting through Customer's account has violated or is likely to violate this Acceptable Use Policy, the Agreement, applicable Documentation, or applicable usage restrictions;
• Customer's use of the Services presents, creates, enables, contributes to, or is reasonably likely to create a security risk, cybersecurity threat, privacy risk, fraud risk, compliance risk, operational risk, or other material risk;
• Customer's activities threaten or adversely affect the security, confidentiality, integrity, availability, reliability, functionality, performance, or lawful operation of the Services or any related systems, networks, infrastructure, or third-party services;
• Customer's use of the Services interferes with, disrupts, degrades, or negatively affects other customers, users, consumers, communications providers, OEMs, lenders, warranty administrators, integration partners, regulators, or other third parties;
• Customer's activities may expose Provider, its affiliates, subcontractors, licensors, service providers, customers, or business partners to actual or potential legal, regulatory, contractual, financial, operational, reputational, or security-related liability;
• Customer is engaged in fraudulent, deceptive, unlawful, unauthorized, abusive, or prohibited conduct;
• Customer has experienced a credential compromise, unauthorized access event, malware infection, ransomware incident, security incident, or other event that may compromise the Services or other users;
• Provider receives a complaint, abuse report, regulatory inquiry, governmental request, court order, subpoena, carrier notice, OEM notice, lender notice, warranty administrator notice, or other request that reasonably necessitates investigation or protective action;
• Continued access to the Services could reasonably be expected to result in harm to Provider, other customers, users, consumers, business partners, third parties, or the public; or
• Suspension or restriction is otherwise necessary to comply with Applicable Laws, legal process, contractual obligations, security requirements, industry standards, or third-party provider requirements.

Provider may implement suspension or restriction measures on a targeted or system-wide basis and may take any action Provider reasonably determines is necessary under the circumstances, including disabling accounts, revoking credentials, suspending communications, restricting integrations, limiting functionality, quarantining content or data, imposing usage restrictions, throttling activity, blocking transactions, or otherwise limiting access to the Services.

Where reasonably practicable under the circumstances, Provider may provide notice of a suspension or restriction and an opportunity to remediate the underlying issue. However, Provider shall have no obligation to provide advance notice where Provider reasonably determines that immediate action is necessary to protect the Services, Provider, other customers, users, consumers, business partners, or third parties, or to comply with Applicable Laws or legal obligations.

Customer shall cooperate with Provider's reasonable requests to investigate, mitigate, remediate, and resolve the circumstances giving rise to any suspension or restriction. Provider may restore access when Provider reasonably determines that the underlying issue has been adequately resolved and that continued access no longer presents material risk.

Provider shall not be liable for any suspension, restriction, disabling, removal, delay, interruption, loss of access, loss of functionality, or other protective action taken in good faith or in a manner Provider reasonably believes is necessary to protect the Services, comply with Applicable Laws, enforce the Agreement or this Acceptable Use Policy, respond to security threats, investigate suspected misconduct, or prevent harm to Provider, its customers, users, business partners, or third parties.

22. Reporting Suspected Violations

Provider encourages Customer, Authorized Users, security researchers, business partners, customers, and other third parties to promptly report suspected violations of this Acceptable Use Policy, the Agreement, Applicable Laws, security requirements, or misuse of the Services.

Reports of suspected violations may be submitted to Provider through the following channels:

• Acceptable Use and Abuse Reports: Click here to submit an Acceptable Use Abuse Report
• Security Incident Reports: Click here to submit a Security Incident Report
• Written Notice: AutoRevolution, Attn: Security Incident Report, 334 East Church Street, Lewisville, TX 75057

Reports should include, to the extent reasonably available:

• A description of the suspected violation or concern;
• The date, time, and nature of the suspected activity;
• The affected Services, accounts, systems, integrations, or users;
• Relevant account identifiers, transaction identifiers, URLs, logs, screenshots, communications, records, or other supporting information;
• Any known or suspected impact to Customer Data, consumer information, the Services, Provider systems, or third parties; and
• Contact information sufficient for Provider to request additional information or follow up regarding the report.

Provider may review, investigate, evaluate, prioritize, respond to, or take action regarding reported concerns in its reasonable discretion. Provider may request additional information, documentation, records, technical details, evidence, cooperation, or other materials reasonably necessary to investigate or address an alleged violation.

Customer and Authorized Users shall reasonably cooperate with Provider's investigation of reported violations, including by providing relevant information relating to Customer accounts, Customer Data, integrations, usage activity, communications, configurations, and other matters reasonably necessary to determine whether a violation has occurred.

Provider may take any action it reasonably determines appropriate in response to a reported or suspected violation, including issuing warnings, requesting remediation, restricting functionality, suspending access, disabling accounts or integrations, removing content, implementing security controls, notifying affected parties, or referring matters to appropriate third parties or authorities where permitted or required by Applicable Laws.

Provider does not guarantee that it will investigate every report, take any particular action, or disclose investigation results, except as required by Applicable Laws or expressly agreed in writing.

Provider prohibits retaliation against individuals who submit good-faith reports of suspected violations, security concerns, or misuse of the Services. Reports made knowingly and intentionally with false, misleading, or malicious information may themselves constitute a violation of this Acceptable Use Policy.

23. Relationship to Governing Agreements

This Acceptable Use Policy ("AUP") is incorporated into and forms part of the agreement governing Customer's access to and use of the Services. Customer's use of the Services is also subject to the terms of any applicable Master Services Agreement ("MSA"), Order Form, Statement of Work, Data Processing Addendum ("DPA"), Information Security Addendum ("ISA"), Service Level Agreement ("SLA"), End User Agreement, Product Terms, Documentation, or other written agreement entered into between Customer and AutoRevolution (collectively, the "Agreement Documents").

Customer acknowledges that the Agreement Documents are intended to be interpreted together as a single contractual framework governing Customer's use of the Services, and each Agreement Document shall be interpreted, to the extent reasonably possible, to give effect to all applicable provisions without creating an inconsistency.

In the event of an actual conflict, inconsistency, or ambiguity between provisions of the Agreement Documents, the following order of precedence shall apply solely with respect to the subject matter of the conflict, with the document listed first controlling over any document listed thereafter:

1. Any mutually executed amendment, addendum, exhibit, or other written agreement expressly stating that it modifies, overrides, or supersedes a specific provision of an Agreement Document;
2. The applicable Order Form, Statement of Work, or ordering document, solely with respect to the Services, subscription scope, quantities, fees, commercial terms, or other matters expressly addressed therein;
3. The Master Services Agreement ("MSA");
4. The Data Processing Addendum ("DPA"), solely with respect to privacy, Personal Data, data processing, data subject rights, and related data protection obligations;
5. The Information Security Addendum ("ISA"), solely with respect to information security requirements, security controls, incident response, and related security obligations;
6. Any applicable Service Level Agreement ("SLA"), solely with respect to service availability, support commitments, service credits, and related service performance obligations;
7. This Acceptable Use Policy ("AUP"), solely with respect to acceptable use requirements, prohibited activities, platform protection requirements, and permitted use restrictions;
8. Applicable Product Terms, Documentation, or End User Agreement, solely with respect to operational use requirements and user-facing functionality; and
9. Any applicable Privacy Policy, solely to the extent expressly incorporated into the Agreement and applicable to Customer's use of the Services.

For clarity, this order of precedence shall not be interpreted to permit Customer to disregard security requirements, privacy obligations, acceptable use requirements, or other operational restrictions applicable to the Services unless the applicable Agreement Document expressly states that it supersedes such requirements.

In the event of any uncertainty regarding whether a conflict exists, the Agreement Documents shall be interpreted to avoid a conflict and to preserve the validity and enforceability of each provision whenever reasonably possible.

Nothing in this Section limits AutoRevolution's rights to enforce this AUP, protect the Services, restrict prohibited activity, suspend access, or take other protective actions as permitted under the Agreement Documents or Applicable Laws.

24. Reservation of Rights

AutoRevolution reserves the right to administer, interpret, enforce, update, and modify this Acceptable Use Policy ("AUP") in accordance with the Agreement Documents and Applicable Laws.

Without limiting the foregoing, AutoRevolution reserves the right to:

• Interpret the requirements, restrictions, and obligations set forth in this AUP;
• Investigate suspected or actual violations of this AUP, the Agreement Documents, Applicable Laws, security requirements, or applicable third-party requirements;
• Monitor, review, analyze, and evaluate use of the Services to the extent permitted by Applicable Laws, the Agreement, and applicable privacy and security obligations, including for security, abuse prevention, operational protection, compliance, and service improvement purposes;
• Establish, modify, and enforce technical, operational, security, usage, or access controls necessary to protect the Services and their users;
• Modify this AUP as permitted under the Agreement, including to address changes in Applicable Laws, regulatory requirements, security practices, technology, industry standards, or Service functionality;
• Protect the confidentiality, integrity, availability, reliability, and security of the Services, AutoRevolution systems, Customer Data, and other customers' information; and
• Take any reasonable action necessary to investigate, prevent, mitigate, remediate, or address violations, security risks, misuse, operational risks, legal risks, or threats to AutoRevolution, Customer, users, consumers, business partners, or third parties.

AutoRevolution reserves all rights, remedies, claims, and defenses available under the Agreement, Applicable Laws, principles of equity, and applicable contractual rights with respect to any violation of this AUP.

No failure or delay by AutoRevolution in exercising any right, remedy, power, or privilege under this AUP or the Agreement Documents shall operate as a waiver of that right, remedy, power, or privilege. Any waiver must be express and in writing and shall apply only to the specific instance for which it is granted.