XZiel

Acceptable Use Policy

Last update: April 22, 2026

This Acceptable Use Policy ("AUP") is published by Finray Technologies Ltd and forms part of the Standard Terms and Conditions governing access to the XZiel platform. This AUP is available at: https://xziel.com/legal/AUP 

By accessing the Platform or executing an Order Form that incorporates the Standard Terms and Conditions, Customer and each Authorised User agree to comply with this AUP. Violation of this AUP may result in immediate suspension of Platform access in accordance with the Standard Terms and Conditions.

  1. PURPOSE

    The XZiel Platform is designed exclusively for legitimate compliance, transaction risk management, and financial crime prevention operations by regulated and regulated-equivalent financial institutions. This AUP defines the boundaries of permitted use to protect the integrity of the Platform, the rights of Finray and third-party providers, and the regulatory environment in which all parties operate.


  2. PERMITTED USES

    Customer and its Authorised Users may use the Platform solely for the following purposes:

    • Monitoring and screening Customer's own transaction flows, payment records, and customer data for financial crime risk, in accordance with Customer's AML/CFT compliance programme.

    • Screening Customer's own customers, counterparties, IBAN details, wallet addresses, and payment participants against sanctions lists, PEP databases, and adverse media sources integrated into the Platform.

    • Obtaining blockchain analytics and chain-of-custody risk assessments for Customer's own crypto-asset transaction activity via the TRM Labs integration.

    • Managing alerts, cases, and investigation workflows arising from the above monitoring and screening activities.

    • Generating compliance reports and audit-ready outputs for Customer's own regulatory purposes and internal governance.

    • Integrating the Platform with Customer's own internal systems (core banking, payment gateway, CRM) via the XZiel API, in accordance with the API documentation and applicable rate limits.

    • Testing integrations and Platform configuration in the designated sandbox environment, using synthetic or properly anonymised test data only.


  3. PROHIBITED USES – GENERAL

    Customer and its Authorised Users must NOT use the Platform for any of the following:

    3.1 Illegal and Harmful Purposes

  • Using the Platform in violation of any applicable law or regulation, including AML/CFT legislation, sanctions regulations, data protection law, export controls, or financial services regulation.

  • Using the Platform to facilitate, conceal, or assist any form of money laundering, terrorist financing, fraud, sanctions evasion, or other financial crime.

  • Submitting Customer Data that contains information obtained unlawfully or in violation of third-party rights.

  • Using the Platform to target, discriminate against, or unlawfully profile any individual or group.

3.2  Unauthorised Access and Security Violations

  • Access to the Platform is restricted to natural persons older than 18 years old.

  • Attempting to gain unauthorised access to any part of the Platform, its underlying infrastructure, or any other customer's data or environment.

  • Probing, scanning, or testing the Platform for vulnerabilities without Finray's prior written authorisation.

  • Introducing malware, viruses, Trojan horses, ransomware, worms, logic bombs, or other malicious code into the Platform or any connected system.

  • Circumventing, disabling, or interfering with any authentication, access control, encryption, rate-limiting, or security feature of the Platform.

  • Sharing login credentials between Authorised Users or permitting any person who is not an Authorised User or Named User to access the Platform.

  • Accessing the Platform using automated scripts, bots, crawlers, or other non-human agents without Finray's prior written consent.

3.3  Data Misuse

  • Using Customer Data, Third-Party Service data, or any Platform output for purposes other than Customer's own compliance programme.

  • Selling, transferring, licensing, or otherwise commercialising Platform outputs or Third-Party Service data to any third party.

  • Aggregating, compiling, or combining Platform outputs with data from other sources to create a competing compliance intelligence product or service.

  • Retaining or storing Platform outputs beyond the periods permitted under applicable law and Customer's own data retention policy.

  • Using the Platform to process special categories of Personal Data (as defined under applicable Data Protection Law) without prior written agreement with Finray.

  • Submitting another organisation's customer or transaction data for screening without the lawful authority and, where required, the consent of that organisation.

3.4  Third-Party Service Misuse (TRM Labs and OpenSanctions)

  • Benchmarking TRM Labs' blockchain analytics data, scoring models, or outputs against any competing service, or using TRM Labs data for competitive intelligence against TRM Labs Inc.

  • Extracting, bulk-downloading, exporting, or harvesting TRM Labs data outside the normal workflow of the Platform (e.g., via automated scraping, API data dumps, or systematic bulk export).

  • Permitting more individuals to access TRM Labs functionality through the Platform than the number of Named Users specified in the Order Form.

  • Attempting to reverse engineer, decompile, or otherwise derive TRM Labs' proprietary risk models, scoring algorithms, or entity intelligence datasets.

  • Using TRM Labs data or OpenSanctions data to disadvantage TRM Labs Inc. or OpenSanctions, or to facilitate a claim against them.

  • Re-distributing OpenSanctions data outside the Platform or to third parties without appropriate licensing.

  • Representing to any third party that Platform screening results constitute a complete or legally sufficient sanctions compliance check without appropriate qualification.

3.5  Platform Integrity and Performance

  • Conducting load testing, stress testing, or performance benchmarking of the Platform without Finray's prior written consent and agreed testing schedule.

  • Submitting API requests at rates that consistently exceed the limits specified in the Order Form, or that are designed to degrade Platform performance for other customers.

  • Initiating bulk screening operations that would consume a disproportionate share of Platform resources without prior notification to and scheduling with Finray.

  • Attempting to reverse engineer, decompile, disassemble, or derive the source code of any component of the Platform.

  • Modifying, adapting, translating, or creating derivative works of the Platform or its documentation without Finray's prior written consent.

3.6  Misrepresentation and Regulatory Risk

  • Representing that Platform outputs are endorsed by Finray, TRM Labs, or OpenSanctions as legally sufficient compliance determinations.

  • Using Platform outputs as the sole basis for a regulatory decision without human review, where applicable law or regulatory guidance requires human oversight.

  • Filing false or misleading regulatory reports based on Platform outputs.

  • Misrepresenting the scope, accuracy, or completeness of Platform screening to any regulatory authority.

  1. API-SPECIFIC RULES

    4.1  Customer must use the XZiel API only in accordance with the published API documentation and within the API Call limits. Customer accepts Finray's rate-limiting and error-handling practices.

    4.2  Customer must not: (a) use the API to systematically extract all or a substantial part of any dataset accessible through the Platform; (b) use the API to scrape, mirror, or replicate Platform functionality outside the intended integration use case; (c) expose API credentials to Authorised Users beyond those who require programmatic access; or (d) use a single API service account credential for more than the number of permitted concurrent integrations specified in the Order Form.

    4.3  Customer must rotate API credentials immediately upon suspicion of compromise and notify Finray promptly.


  2. SANDBOX ENVIRONMENT RULES

    5.1  The sandbox environment is provided exclusively for integration development, testing, and training purposes.

    5.2  Customer must not: (a) submit real Customer Data (including real personal data, real account numbers, or real transaction records) to the sandbox environment; (b) rely on sandbox outputs for any operational compliance decision; or (c) attempt to use the sandbox to circumvent production access controls or Named User limits.

    5.3  Finray may reset or refresh the sandbox environment at any time without notice. Finray makes no commitment regarding the persistence of data in the sandbox.


  3. REPORTING VIOLATIONS

    6.1  Customer shall promptly notify Finray at security@xziel.com if it becomes aware of any violation of this AUP by an Authorised User, a third party, or any unauthorised use of Customer's Platform credentials.

    6.2  Finray operates a responsible disclosure programme for security vulnerability reports. Researchers who discover potential vulnerabilities should contact security@xziel.com and must not publicly disclose any vulnerability without Finray's prior written consent.


  4. ENFORCEMENT

    7.1  Finray may take any or all of the following actions in response to a breach of this AUP, without prejudice to its rights and remedies under the Standard Terms and Conditions or applicable law:

    • Issue a written warning to Customer.

    • Suspend access to the Platform (including immediate suspension for serious or security-critical breaches).

    • Permanently terminate Platform access in accordance with Clause 14 of the Standard Terms and Conditions.

    • Cooperate with law enforcement and regulatory authorities, including disclosure of relevant information in response to lawful requests.

    • Pursue damages, injunctive relief, or any other remedy available at law or in equity.

    7.2  Finray will consider the severity, nature, and frequency of the breach in determining its response and will apply proportionate enforcement. Customer will be given a reasonable opportunity to remedy a non-critical breach before termination, except where the breach is a serious, repeated, or irreparable violation.


  5. UPDATES TO THIS AUP

    8.1  Finray may update this AUP from time to time to reflect changes to the Platform, applicable law, Third-Party Service provider requirements, or Finray's operational policies. Finray shall notify Customer of material updates with at least thirty (30) days' advance notice by email to Customer's named contact and by posting the updated AUP at https://xziel.com/legal/AUP

    8.2  Continued use of the Platform following the effective date of an updated AUP constitutes Customer's acceptance of the updated version.


  6. CONTACT

Questions about this AUP may be directed to: legal@xziel.com

  1. API-SPECIFIC RULES

    4.1  Customer must use the XZiel API only in accordance with the published API documentation and within the API Call limits. Customer accepts Finray's rate-limiting and error-handling practices.

    4.2  Customer must not: (a) use the API to systematically extract all or a substantial part of any dataset accessible through the Platform; (b) use the API to scrape, mirror, or replicate Platform functionality outside the intended integration use case; (c) expose API credentials to Authorised Users beyond those who require programmatic access; or (d) use a single API service account credential for more than the number of permitted concurrent integrations specified in the Order Form.

    4.3  Customer must rotate API credentials immediately upon suspicion of compromise and notify Finray promptly.


  2. SANDBOX ENVIRONMENT RULES

    5.1  The sandbox environment is provided exclusively for integration development, testing, and training purposes.

    5.2  Customer must not: (a) submit real Customer Data (including real personal data, real account numbers, or real transaction records) to the sandbox environment; (b) rely on sandbox outputs for any operational compliance decision; or (c) attempt to use the sandbox to circumvent production access controls or Named User limits.

    5.3  Finray may reset or refresh the sandbox environment at any time without notice. Finray makes no commitment regarding the persistence of data in the sandbox.


  3. REPORTING VIOLATIONS

    6.1  Customer shall promptly notify Finray at security@xziel.com if it becomes aware of any violation of this AUP by an Authorised User, a third party, or any unauthorised use of Customer's Platform credentials.

    6.2  Finray operates a responsible disclosure programme for security vulnerability reports. Researchers who discover potential vulnerabilities should contact security@xziel.com and must not publicly disclose any vulnerability without Finray's prior written consent.


  4. ENFORCEMENT

    7.1  Finray may take any or all of the following actions in response to a breach of this AUP, without prejudice to its rights and remedies under the Standard Terms and Conditions or applicable law:

    • Issue a written warning to Customer.

    • Suspend access to the Platform (including immediate suspension for serious or security-critical breaches).

    • Permanently terminate Platform access in accordance with Clause 14 of the Standard Terms and Conditions.

    • Cooperate with law enforcement and regulatory authorities, including disclosure of relevant information in response to lawful requests.

    • Pursue damages, injunctive relief, or any other remedy available at law or in equity.

    7.2  Finray will consider the severity, nature, and frequency of the breach in determining its response and will apply proportionate enforcement. Customer will be given a reasonable opportunity to remedy a non-critical breach before termination, except where the breach is a serious, repeated, or irreparable violation.


  5. UPDATES TO THIS AUP

    8.1  Finray may update this AUP from time to time to reflect changes to the Platform, applicable law, Third-Party Service provider requirements, or Finray's operational policies. Finray shall notify Customer of material updates with at least thirty (30) days' advance notice by email to Customer's named contact and by posting the updated AUP at https://xziel.com/legal/AUP

    8.2  Continued use of the Platform following the effective date of an updated AUP constitutes Customer's acceptance of the updated version.


  6. CONTACT

Questions about this AUP may be directed to: legal@xziel.com