KYC/KYB and Sanctions Screening Policy
Approved legal and compliance content sourced from 08_KYC_KYB_and_Sanctions_Screening_Policy.md.
1. Scope
1.1 This KYC/KYB and Sanctions Screening Policy (the "Policy") describes how [LEGAL ENTITY NAME — confirm exact legal name, entity type, jurisdiction] ("Escrow Bunny," "we," "us") verifies the identity of individuals (KYC), verifies organizations and their beneficial owners (KYB), and conducts sanctions/watchlist, politically-exposed-person (PEP), and adverse-media screening and ongoing monitoring in connection with the Escrow Bunny platform (the "Platform" or "Service").
1.2 This Policy applies to all Users, Organizations, and beneficial owners and is incorporated by reference into the Terms of Service and the Standard Escrow Agreement. It is read together with the Privacy Policy (data handling), the Prohibited Transactions Policy, and the Funds Release and Refund Authorization Policy.
1.3 In the event of conflict, the [order of precedence in the Terms of Service Section 1.3 / Standard Escrow Agreement Section 1.4 controls — PLACEHOLDER pending counsel confirmation].
1.4 Capitalized terms not defined here have the meaning given in the Terms of Service and the Standard Escrow Agreement.
2. Definitions
- "KYC" — Know Your Customer: verification of an individual's identity.
- "KYB" — Know Your Business: verification of an organization, its formation/registration, and its beneficial owners and controllers.
- "Beneficial owner" — an individual who ultimately owns or controls an Organization, as defined by applicable law. [Confirm ownership/control thresholds with counsel; jurisdiction-dependent.]
- "Sanctions screening" — checking Users, Organizations, and beneficial owners against applicable sanctions, denied-party, and restricted-party lists.
- "PEP" — politically exposed person, as defined by applicable law/provider methodology.
- "Adverse media" — negative information from media or other sources relevant to financial-crime risk.
- "Verified by Toni" — the third-party identity and business verification provider used by Escrow Bunny, subject to provider documentation and counsel-approved disclosures.
- "Verification gate" — a required verification/screening step that must pass before funding of an Escrow.
- "Ongoing monitoring" — periodic or event-driven re-screening and review after onboarding.
- Other capitalized terms have the meaning given in the Terms of Service and Standard Escrow Agreement.
3. Purpose and Legal Basis
3.1 The purpose of this Policy is to support lawful operation of the Service, deter and detect fraud and financial crime, comply with applicable legal and regulatory obligations, and protect Users and the integrity of the Platform.
3.2 [CRITICAL PLACEHOLDER — counsel must determine which anti-money-laundering, counter-terrorist-financing, sanctions, customer-due-diligence, and licensing/registration obligations apply to Escrow Bunny, in each jurisdiction, taking into account the unresolved escrow-role determination (Terms of Service Section 3.1 / Standard Escrow Agreement Section 3.1). The level and type of due diligence, recordkeeping, reporting (e.g., suspicious-activity reporting), and any obligated-entity status all depend on this. Do not assert any regulatory conclusion. This Policy presently describes a risk-based program at a level of generality that must be tailored once the applicable framework is confirmed.]
3.3 The legal bases for processing personal data for these purposes are described in the Privacy Policy (compliance with legal obligations, performance of contract, legitimate interests, and consent where required, including for any biometric/sensitive data).
4. Eligibility Precondition
4.1 Verification and screening are preconditions to use of key Service functions. Funding of an Escrow is blocked until all required Buyer, Seller, and Organization Verification gates pass and the Standard Escrow Agreement is accepted by all required Parties.
4.2 Escrow Bunny may decline to onboard, may suspend, or may offboard any User or Organization that does not satisfy verification or screening requirements or that presents unacceptable financial-crime, sanctions, fraud, or legal risk.
5. Identity Verification (KYC) — Individuals
5.1 Individuals are verified through Verified by Toni. The categories of data collected and processed for KYC are described in the Privacy Policy and Section 8 below.
5.2 [PLACEHOLDER — confirm the KYC method(s) and data elements against Verified by Toni provider documentation and the internal KYC integration requirements: e.g., government-issued ID document verification, selfie/photo match, liveness check, biometric/facial-geometry processing, date of birth, nationality, residential address, and any tax identifiers. State each element's status (collected / not collected) once confirmed and classify any biometric/sensitive categories with the legally required consent.]
5.3 The User must provide truthful, accurate, current, and authorized information and documents. Providing false, altered, or unauthorized identity information is a serious breach of the Terms of Service and may result in decline, freeze, offboarding, and other consequences permitted by law.
6. Organization Verification (KYB) — Organizations and Beneficial Owners
6.1 Organizations are verified through Verified by Toni, including, where applicable, verification of formation/registration and identification and verification of beneficial owners and controllers.
6.2 [PLACEHOLDER — confirm the KYB data elements against provider documentation and the internal KYC integration requirements: e.g., legal name, registration/identifier, formation jurisdiction, registered address, status, authorized representatives, ownership structure, and beneficial-owner identity and ownership-percentage data. Confirm beneficial-owner ownership/control thresholds with counsel.]
6.3 The Organization's representative must be duly authorized and must provide truthful, accurate, current, and authorized organization and beneficial-owner information and documents.
7. Sanctions, PEP, and Adverse-Media Screening; Ongoing Monitoring
7.1 Users, Organizations, and beneficial owners are screened at onboarding against applicable sanctions, denied-party, and restricted-party lists. [PLACEHOLDER — confirm which lists are screened and the provider/methodology; confirm whether PEP and adverse-media screening are performed at launch.]
7.2 Ongoing monitoring. Screening is repeated on a [periodic and/or event-driven basis — PLACEHOLDER; confirm cadence and triggers, e.g., list updates, profile changes, new Escrow, or risk events].
7.3 A positive or potential match may result in a hold, freeze, request for additional information, manual review, escalation, decline, or offboarding, and may trigger legal/regulatory reporting obligations. [Counsel to determine reporting obligations (e.g., suspicious-activity/sanctions reporting) and any prohibition on disclosing the reason for an action (anti-tipping-off). Do not assert reporting conclusions until confirmed.]
7.4 Escrow Bunny [does / does not] provide services to Users, Organizations, or beneficial owners that are sanctioned or located/ordinarily resident/organized in prohibited jurisdictions, consistent with the Prohibited Transactions Policy. [Confirm prohibited jurisdictions and the controlling list with counsel.]
8. Verified by Toni — Data, Processing, and Consent Disclosures
8.1 What is sent to Verified by Toni. To perform verification and screening, we transmit the User/Organization data necessary for those purposes. [PLACEHOLDER — confirm against Verified by Toni provider documentation and the internal KYC integration requirements exactly which categories are transmitted, stating each as sent / not sent: biometric data; liveness/facial-geometry data; document image data; residential address; tax data; business registration/formation data; beneficial-owner identity and ownership data; sanctions screening data; PEP data; adverse-media data.]
8.2 Purpose of provider processing. Identity (KYC) verification, organization (KYB) verification, beneficial-owner verification, sanctions/watchlist screening, PEP screening, adverse-media screening, and ongoing monitoring, to the extent provided. [Confirm which checks are active at launch.]
8.3 Controller/processor status. [PLACEHOLDER — confirm whether Verified by Toni acts as an independent controller for some processing (e.g., maintaining its own verification/fraud records) or solely as Escrow Bunny's processor; disclose accordingly and align with Privacy Policy Section 8.3.]
8.4 Provider retention and deletion. [PLACEHOLDER — state Verified by Toni's retention and deletion periods for submitted data and verification results per provider documentation. Do not assert periods until confirmed. Align with Privacy Policy Section 8.4 and the Data Retention and Deletion Policy.]
8.5 User consent. Where consent is required, the User consents to the transmission and processing of their information (including any sensitive/biometric categories, if applicable) by Verified by Toni for the purposes above. Consent language and the specific categories are presented at the point of verification and captured by document type and exact version, with associated User, timestamp, IP address, and user agent. [Counsel to finalize consent text, with particular attention to biometric/liveness processing and jurisdiction-specific biometric-privacy requirements.]
9. Verification Outcomes and Flows
9.1 Verification and screening may result in the following states. [Confirm exact state names, transitions, and timeouts against the internal KYC integration requirements and product specification; not available for this draft.]
- Approved — verification/screening passed; the associated Verification gate is satisfied (subject to ongoing monitoring).
- Rejected — verification/screening failed; the associated functions (including Escrow funding) remain blocked. The User is informed to the extent permitted by law. [Confirm reject messaging and any anti-tipping-off constraint.]
- Expired — a verification result or document has lapsed and must be renewed before the gate can be (re)satisfied.
- Needs review / Manual review — the case requires human review before an outcome is determined; functions remain gated pending review.
- Appeal — the User may seek reconsideration of an adverse determination, subject to Section 10.
9.2 During any non-approved state, the relevant Verification gate is not satisfied and dependent functions (including Escrow funding and, where applicable, Release/Refund) remain blocked or frozen.
9.3 All verification/screening events and state changes are recorded as immutable, hash-chained Audit Log events. Identity and screening records are retained per the Data Retention and Deletion Policy and applicable law.
10. Manual Review and Appeals
10.1 Manual review. Cases in "needs review / manual review" are evaluated by [the responsible reviewer/function — PLACEHOLDER; confirm who reviews, authority, and conflict controls] against the Escrow Parameters, the submitted information, and applicable requirements. Additional information or documents may be requested; failure to provide them promptly may result in continued blocking, decline, or offboarding.
10.2 Appeals. A User or Organization that receives an adverse determination (e.g., rejection) [may / may not — confirm] request reconsideration within [deadline — PLACEHOLDER], providing [permitted additional evidence — PLACEHOLDER]. The appeal is decided by [decision-maker — PLACEHOLDER].
10.3 Certain outcomes may be constrained by law (e.g., where a sanctions match exists, the outcome and any disclosure may be legally mandated or restricted). [Counsel to confirm limits, mandatory outcomes, and anti-tipping-off constraints; the appeal description must not imply a discretionary outcome where law mandates a result.]
10.4 Nothing in this Section limits any non-waivable legal rights a User may have, or any legal remedies under the Terms of Service. [Counsel to confirm.]
11. Recordkeeping
11.1 Identity records, organization and beneficial-owner records, screening results, verification outcomes, consents, and related Audit Logs are retained for the periods set out in the Data Retention and Deletion Policy and as required by applicable law and recordkeeping obligations. [Specific periods are PLACEHOLDERS pending counsel determination; recordkeeping periods for due-diligence and screening data are typically prescribed by law.]
11.2 Certain records reside in immutable, hash-chained Audit Logs and cannot be altered or selectively deleted; this constrains certain deletion requests as described in the Privacy Policy and the Data Retention and Deletion Policy.
12. User Obligations
12.1 Each User and Organization must:
- provide truthful, accurate, current, and authorized identity, organization, and beneficial-owner information and documents;
- promptly update information when it changes;
- respond promptly and truthfully to information requests, including during ongoing monitoring; and
- not attempt to evade, falsify, or circumvent verification or screening.
12.2 Breach of these obligations may result in decline, freeze, suspension, offboarding, reversal/withholding under the Funds Release and Refund Authorization Policy, and other consequences permitted by law.
13. User Acknowledgements
By using the Service, each User and Organization acknowledges and agrees that:
- Identity (KYC) and, where applicable, organization (KYB) and beneficial-owner verification, and sanctions/PEP/adverse-media screening and ongoing monitoring, are conditions of use.
- Funding of an Escrow is blocked until required Verification gates pass and the Standard Escrow Agreement is accepted.
- Their information is transmitted to Verified by Toni for verification and screening, and they consent where consent is required (including for any sensitive/biometric categories, subject to the final consent text).
- Verification may result in approved, rejected, expired, needs-review/manual-review, or appeal states, and non-approved states block or freeze dependent functions.
- Certain outcomes and disclosures may be legally mandated or restricted.
- Verification and screening records are retained and reside, in part, in immutable Audit Logs.
- Providing false or unauthorized information has serious consequences.
Acceptance/consent capture: Acceptance of this Policy and provider-processing consent are recorded by document type and exact version, with associated User, timestamp, IP address, and user agent.
14. Contact / Legal Notice
- Operating entity: [LEGAL ENTITY NAME — PLACEHOLDER]
- Registered address: [ADDRESS — PLACEHOLDER]
- Compliance contact: [COMPLIANCE EMAIL — PLACEHOLDER]
- Verification support / appeals channel: [EMAIL / PORTAL — PLACEHOLDER]
- Privacy / data protection contact: [DPO OR PRIVACY CONTACT — PLACEHOLDER; see Privacy Policy]
- Legal notices: [LEGAL NOTICE EMAIL / POSTAL ADDRESS — PLACEHOLDER; see Support, Complaints, and Legal Notices Policy]
15. Change History
| Version | Date | Summary | Author |
|---|---|---|---|
| 0.1 | [2026-05-17 DRAFT] | Initial first-pass draft for counsel review. | [DRAFTER / Claude-assisted] |