Regulatory Posture

Effective Date: May 1, 2026
Last Updated: May 29, 2026
Version: 1.0

1. Overview

Ziru Labs develops infrastructure technology positioned at the intersection of artificial intelligence, hardware security, and regulated commercial and federal deployment environments. The category in which Ziru Labs operates is subject to a substantive regulatory frame across U.S., European, U.K., allied, and multilateral regimes. This page sets out the company's regulatory posture and the operational approach by which Ziru Labs maintains compliance with the frameworks applicable to its technology, its publications, its counterparty engagements, and its corporate operations.

The page is published as a counterparty-facing reference. It supplements but does not modify the Ziru Labs Privacy Policy, Terms of Use, or Research Licensing terms. It is informational in nature and does not constitute legal advice, contractual commitment, or regulatory determination. Counterparties evaluating engagement with Ziru Labs in regulated procurement, sovereign, or other contexts requiring specific compliance representations should engage the company directly through the counterparty engagement workflow at contact@zirulabs.com.

2. The Regulatory Frame

Ziru Labs operates against a regulatory frame composed of overlapping regimes. The frame is mapped below at the level of regimes applicable to the company's category, not at the level of individual statutory provisions, and is current as of the Last Updated date. Each regime carries its own specific compliance obligations, which are operationalized through the company's programs described in Section 3.

2.1 U.S. Export-Control Regimes

Export Administration Regulations (EAR). Administered by the U.S. Department of Commerce Bureau of Industry and Security. The EAR governs commercial and dual-use technology, software, and technical data. Ziru Labs technology and the technical data describing it are subject to classification analysis under the Commerce Control List, with particular attention to Category 5 Part 2 (Information Security) and Category 3 (Electronics, Computers, and Telecommunications) where applicable.

International Traffic in Arms Regulations (ITAR). Administered by the U.S. Department of State Directorate of Defense Trade Controls. The ITAR governs defense articles, defense services, and technical data on the United States Munitions List. The applicability of ITAR to specific Ziru Labs technology is the subject of commodity jurisdiction analysis. Where applicability is uncertain or contested, the company seeks commodity jurisdiction determinations from DDTC.

Office of Foreign Assets Control (OFAC). Administered by the U.S. Department of the Treasury. OFAC administers comprehensive and selective economic sanctions programs against specific countries, regimes, entities, and individuals. Ziru Labs conducts counterparty screening against OFAC's Specially Designated Nationals and Blocked Persons List and other OFAC-administered restricted-parties lists.

Foreign Corrupt Practices Act (FCPA). Administered by the U.S. Department of Justice and the Securities and Exchange Commission. The FCPA prohibits corrupt payments to foreign government officials and imposes accounting and internal-controls obligations on U.S. companies and their affiliates. Ziru Labs maintains an anti-corruption posture consistent with FCPA obligations.

Federal Procurement Frameworks. Where Ziru Labs engages with U.S. federal counterparties, applicable procurement frameworks include the Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS), Cybersecurity Maturity Model Certification (CMMC) at the level applicable to specific engagements, FedRAMP for cloud-deployed services as applicable, the Foreign Ownership, Control, or Influence (FOCI) framework administered by the Defense Counterintelligence and Security Agency where defense-procurement engagements warrant, and the substrate-integrity requirements being developed under FY2026 National Defense Authorization Act Section 1513.

Executive Order 14179 (2025). "Removing Barriers to American Leadership in Artificial Intelligence" and the implementation activities at the Office of Management and Budget and federal agencies under this Executive Order shape the federal AI procurement frame within which Ziru Labs operates.

2.2 U.K., European, and Allied Export-Control Regimes

United Kingdom Export Control Order. Administered by the U.K. Department for Business and Trade Export Control Joint Unit. Governs U.K.-origin and U.K.-transferred controlled technology, including dual-use items under the U.K. Strategic Export Control Lists.

Council Regulation (EU) 2021/821. Establishes the European Union regime on the export, transfer, brokering, and transit of dual-use items. Operates alongside member-state implementation and enforcement.

Wassenaar Arrangement and successor multilateral arrangements. Ziru Labs technology is positioned at the intersection of categories that have been the subject of multilateral export-control discussion, including encryption and information-security technology, cybersecurity tools, and emerging technology categories. The company tracks Wassenaar control-list updates and analogous multilateral activity.

Five Eyes intelligence-community frameworks. Where Ziru Labs engages with Five Eyes counterparties (U.S., U.K., Canada, Australia, New Zealand) in classified or sensitive contexts, applicable national classification systems and intelligence-community frameworks apply.

NATO frameworks. Where Ziru Labs engages with NATO member states or NATO directly, NATO Standardization Agreement (STANAG) frameworks, NATO security classification systems, and NATO industrial security frameworks may apply.

2.3 Anti-Money-Laundering and Sanctions Frameworks

Bank Secrecy Act and U.S. AML frameworks. Where Ziru Labs operations touch financial transactions subject to U.S. AML obligations, the company maintains program elements consistent with applicable AML requirements.

U.K. Money Laundering Regulations and EU AML Directives. Where Ziru Labs operations touch financial transactions subject to U.K. or EU AML obligations, applicable AML requirements operate alongside U.S. AML obligations.

Sanctions regimes beyond OFAC. Including U.K. Office of Financial Sanctions Implementation (OFSI), EU sanctions administered by the Council of the European Union, U.N. Security Council sanctions, and analogous regimes administered by allied jurisdictions.

2.4 Privacy and Data-Protection Regimes

General Data Protection Regulation (GDPR). Governs processing of personal data of individuals in the European Economic Area. The Ziru Labs Privacy Policy describes the company's compliance with GDPR obligations.

United Kingdom General Data Protection Regulation (UK GDPR) and Data Protection Act 2018. Govern processing of personal data of individuals in the United Kingdom.

California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). Governs processing of personal information of California residents.

Other privacy regimes. Including Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Australia's Privacy Act, Brazil's Lei Geral de Proteção de Dados Pessoais (LGPD), and the growing set of U.S. state privacy laws (Virginia, Colorado, Connecticut, Utah, and successor states).

2.5 AI-Specific Regulatory Frameworks

European Union AI Act. Regulation (EU) 2024/1689 establishes harmonized rules on artificial intelligence, including conformity assessment requirements under Article 40 for high-risk AI systems. Ziru Labs technology is positioned to support Article 40 conformity assessment for substrate-integrity properties.

NIST AI Risk Management Framework. Establishes the U.S. framework for AI risk management. Ziru Labs technology is positioned to support the AI RMF's GOVERN and MAP functions for AI infrastructure programs.

Sectoral and national AI frameworks. Including U.K. AI Safety Institute activities and analogous activities of allied AI safety institutes, the Bletchley and Seoul successor AI safety summit frameworks, national AI strategies of Five Eyes, NATO, and Gulf Cooperation Council member states, and sectoral frameworks in financial services, healthcare, transportation, and other regulated verticals.

2.6 Information Security and Cryptographic Frameworks

FIPS 140-3 and successor FIPS publications. Establish requirements for cryptographic modules used in U.S. federal information systems.

Common Criteria (ISO/IEC 15408) and the Common Criteria Recognition Arrangement. Establish the international framework for IT security evaluation, applicable to specific Ziru Labs technology evaluations as those evaluations are undertaken.

Trusted Computing Group specifications. Including TPM, DICE Architecture, and successor specifications applicable to hardware-rooted trust mechanisms.

ISO/IEC 27001:2022, ISO/IEC 27701, and related information-security management system standards. Establish the international framework for information-security management.

3. Operational Compliance Programs

Ziru Labs maintains operational programs designed to satisfy the regulatory frame set out in Section 2. The programs are described below at the level of operational posture. Specific certifications, registrations, audit reports, and program documentation are made available to counterparties through the counterparty engagement workflow under appropriate confidentiality arrangements.

3.1 Export-Control Compliance Program

The company's export-control compliance program includes: classification analysis of Ziru Labs technology, software, and technical data under applicable U.S., U.K., and EU control regimes, conducted with the support of qualified export-control counsel; commodity jurisdiction determinations from the U.S. Department of State Directorate of Defense Trade Controls for technology where ITAR applicability is uncertain or contested; export licensing analysis and license applications where required for specific transactions; counterparty screening against U.S., U.K., EU, and U.N. denied-parties and sanctions lists at engagement initiation and periodically thereafter; export-control training for personnel with access to controlled technology or technical data; technical-data control measures, including access controls, marking, and handling procedures for controlled technical data; and recordkeeping consistent with the recordkeeping requirements of the applicable regulations.

The company commits not to engage in any transaction prohibited by applicable export-control law and to seek appropriate licensing or authorization for transactions that require it.

3.2 Sanctions and Counterparty Screening Program

The company's sanctions and counterparty screening program includes: screening of counterparties, prospective counterparties, and material contacts against OFAC's SDN List, OFAC's Sectoral Sanctions Identifications List and other OFAC-administered restricted-parties lists, U.S. Department of Commerce Entity List, Denied Persons List, and Unverified List, U.S. Department of State debarred-parties list, U.K. OFSI consolidated list, EU consolidated list of persons, groups and entities subject to financial sanctions, and U.N. Security Council Consolidated List; declination of engagement with parties subject to comprehensive sanctions or restricted-party designation that would prohibit engagement under applicable law; ongoing rescreening at engagement-renewal points and at periodic intervals; and recordkeeping consistent with applicable sanctions regulations.

3.3 Anti-Corruption Program

The company's anti-corruption posture includes: written anti-corruption policies consistent with FCPA, U.K. Bribery Act, and analogous obligations; due-diligence procedures for engagement with foreign government officials, government-controlled entities, and high-corruption-risk counterparties; books-and-records and internal-accounting-controls practices consistent with FCPA Section 13(b)(2)(A) and (B) obligations as applicable; declination of facilitation payments and improper payments of any kind; and personnel training on anti-corruption obligations.

3.4 Federal-Procurement Compliance

The company's posture toward U.S. federal procurement obligations includes: registration in the System for Award Management (SAM) as appropriate for engagement type; compliance with applicable FAR and DFARS clauses incorporated into specific contracts; preparation for CMMC certification at the level applicable to anticipated engagements, as the CMMC framework matures and as specific engagements warrant; preparation for FedRAMP authorization where Ziru Labs offerings are deployed as cloud services subject to FedRAMP scope; engagement with the FOCI framework where defense-procurement engagements warrant; and substrate-integrity preparation against FY2026 NDAA Section 1513 and successor procurement-level substrate requirements.

The company's specific certification and registration status under each of the foregoing frameworks is shared with counterparties through the counterparty engagement workflow as engagements develop.

3.5 Privacy and Data-Protection Program

The company's privacy and data-protection program is described in the Ziru Labs Privacy Policy. The program includes data-minimization practices, lawful-basis analysis for processing activity, data-subject-rights handling, international-transfer safeguards, security measures, breach-response procedures, and recordkeeping practices consistent with applicable privacy law.

3.6 Information Security Program

The company maintains an information security program designed to protect Ziru Labs technology, technical data, intellectual property, and counterparty information. The program includes: access controls, including role-based access and least-privilege provisioning; encryption of data in transit and at rest; secure development practices for software components; security review of third-party processors and service providers; incident-response procedures; personnel security including background screening as appropriate for specific roles and engagements; physical security for facilities housing sensitive technical data; and recordkeeping consistent with applicable security frameworks.

Specific certifications under information-security management frameworks (including ISO/IEC 27001 and analogous frameworks) are pursued as the company's operational posture and counterparty engagement profile warrant.

3.7 AI-Specific Compliance Posture

The company's posture toward AI-specific regulatory frameworks is informed by the substantive analytical work the company has published on the "trust layer for AI" category. Ziru Labs technology is designed to support the substrate-integrity requirements being developed across the EU AI Act Article 40 conformity assessment, the NIST AI RMF, the FY2026 NDAA Section 1513 substrate-integrity requirements, the NATO STANAG AI trust frameworks, and analogous frameworks. The company participates in the standards-codification activity that operationalizes these frameworks, and contributes to the technical work as appropriate.

The company does not represent that any specific Ziru Labs technology is certified under any specific framework at the time of publication of this page. Specific certifications are pursued as the relevant frameworks mature and as specific engagements warrant.

4. Counterparty Engagement and Diligence

Engagement with Ziru Labs in regulated procurement, sovereign, defense, or other contexts requiring specific compliance representations proceeds through the counterparty engagement workflow. The workflow typically includes:

Initial inquiry and counterparty screening. Counterparties initiate engagement through contact@zirulabs.com. The company conducts initial counterparty screening against applicable sanctions and denied-parties lists.

Confidentiality arrangement. Where the engagement contemplates exchange of information beyond what is publicly available, the parties enter into a confidentiality arrangement appropriate to the scope of the prospective engagement.

Mutual diligence. The company and the counterparty conduct mutual diligence appropriate to the prospective engagement, including diligence on regulatory standing, organizational identity, ownership and control, contractual capacity, and specific regulatory or procurement requirements applicable to the engagement.

Engagement structuring. Where mutual diligence supports proceeding, the parties structure the engagement to comply with applicable regulatory requirements, including export-control licensing or authorization where required, security frameworks applicable to the engagement context, and contractual terms appropriate to the regulatory posture of both parties.

Ongoing compliance. Engagements proceed under ongoing compliance discipline, including periodic re-screening, regulatory-development monitoring, and contractual compliance.

Counterparties operating under specific regulatory frameworks (including U.S. federal procurement, U.K. defense procurement, EU procurement, Five Eyes intelligence-community arrangements, NATO procurement, GCC sovereign procurement, and analogous frameworks) may have specific representations, certifications, or documentation requirements that engagement structuring will address.

5. Publications and Regulatory Posture

The Ziru Labs research publications and analytical work are made publicly available under the Creative Commons Attribution 4.0 International (CC BY 4.0) license, subject to the limitations and reservations identified in the Ziru Labs Research Licensing terms. The publications are positioned as analytical and reference materials at category level. They are not implementation specifications, technical data subject to controlled-information designation, defense articles, or controlled technology as published.

The company applies pre-publication compliance review to its analytical work, including export-control and sanctions screening of substantive content, to ensure that the publications operate at the analytical and reference level appropriate for public distribution and do not constitute controlled disclosure.

Specific implementation-level technical work, including hardware designs, integrated-circuit topographies, mask works, firmware, software, test results, performance specifications, and analogous technical data, is handled under controlled-information practices and is shared only with appropriately cleared counterparties under appropriate contractual and security arrangements.

6. Updates and Material Changes

Ziru Labs's regulatory posture is reviewed periodically and updated as the regulatory frame evolves, as the company's operational programs mature, as specific certifications or registrations are obtained, and as material changes in counterparty engagement warrant. Material updates are reflected in revisions to this page, with the Last Updated date revised accordingly.

Where the company obtains specific certifications, registrations, or authorizations of material counterparty relevance (including ITAR registration if obtained, CMMC certification at specific levels, FedRAMP authorization at specific impact levels, ISO/IEC 27001 certification, and analogous milestones), the relevant updates will be reflected in revisions to this page.

The current version of this page is published at zirulabs.com/legal/regulatory-posture. Prior versions are not maintained as canonical, given that the page is operational positioning rather than historical record.

7. No Representations of Specific Certification Status

For the avoidance of doubt: nothing on this page constitutes a representation that Ziru Labs holds any specific certification, registration, authorization, or clearance unless such certification, registration, authorization, or clearance is expressly named in the current version of this page. The page describes the regulatory frame within which the company operates and the operational programs by which the company maintains compliance with that frame. Specific certifications and registrations applicable to a prospective engagement are confirmed through the counterparty engagement workflow under appropriate confidentiality arrangements.

8. Forward-Looking Statements

This page contains forward-looking statements regarding the company's anticipated regulatory engagements, prospective certifications, prospective registrations, and prospective compliance milestones. Forward-looking statements are inherently uncertain and depend on factors outside the company's control, including regulatory developments, framework evolution, engagement-specific requirements, and operational timing. The company makes no representation or warranty regarding the realization of any forward-looking statement and undertakes no obligation to update any such statement.

9. Contact

For inquiries regarding Ziru Labs's regulatory posture, specific compliance questions, counterparty engagement under specific regulatory frameworks, or related matters, contact us at:

Email: contact@zirulabs.com
Subject Line: Regulatory Inquiry

For specific subject-matter inquiries, the following subject-line conventions help route your inquiry promptly:

  • Export-control inquiries: "Export Control"

  • Federal procurement inquiries: "Federal Procurement"

  • Allied or sovereign procurement inquiries: "Sovereign Engagement"

  • Standards-body inquiries: "Standards Engagement"

  • Privacy and data-protection inquiries: "Privacy Inquiry"

  • General regulatory questions: "Regulatory Inquiry"

Postal Address: Martin Ventures Ltd. dba Ziru Labs, Attention: Regulatory and Compliance, 1375 East 9th St., One Cleveland Center 29th Floor, Cleveland, OH 44114.


Ziru Labs roots artificial intelligence in verifiable silicon. The trust layer for AI.

Engage

All inquiries are routed by the contact form. Responses within 2-5 business days.

© 2026 ZIRU LABS
