API Usage Policy

1. Scope and Applicability

This API Usage Policy (“Policy”) governs all access to and use of the VARL Application Programming Interface (“API”), including all endpoints, SDKs, client libraries, documentation, and any data transmitted to or from the API. This Policy applies to every individual, organization, research institution, government entity, and automated system that interacts with the VARL API, regardless of the method of access.

This Policy supplements and is incorporated by reference into the VARL Terms of Use and Privacy Policy. In the event of a conflict between this Policy and the Terms of Use with respect to API-specific matters, this Policy shall control.

VARL operates at the intersection of artificial intelligence and biological systems — constructing digital twins of living organisms, simulating molecular pathway interactions, detecting biomarkers, predicting disease trajectories, and modeling therapeutic interventions. The extraordinary power of these capabilities demands an equally extraordinary standard of responsible use. This Policy exists to ensure that the VARL API is used exclusively for lawful, ethical, and scientifically responsible purposes.

2. API Access and Authentication

Access to the VARL API is granted on a case-by-case basis following approval of an API Access Request. Each approved applicant receives unique API credentials that serve as the sole means of authentication. These credentials are confidential and non-transferable.

You are responsible for:

• Storing API keys securely using environment variables, secrets management systems, or hardware security modules — never in client-side code, version control repositories, or public-facing configurations
• Immediately revoking and rotating any key that has been or may have been exposed, compromised, or accessed by unauthorized parties
• Ensuring that all personnel who use your API credentials are authorized, trained, and bound by obligations consistent with this Policy
• Maintaining a current and accurate record of all systems, services, and individuals with access to your API credentials

You agree to comply with all rate limits, usage quotas, and technical restrictions applicable to your API access. Exceeding these limits may result in throttling, temporary suspension, or permanent revocation of your access. VARL monitors API usage for compliance, security, and performance purposes. All API calls are logged, timestamped, and subject to audit.

2.1 Technical Standards and Operational Requirements

In addition to the general authentication obligations above, all API users must adhere to the following technical standards:

• Authentication Method: All API requests must be authenticated using bearer tokens transmitted in the HTTP Authorization header. Alternative authentication methods (e.g., query parameter tokens, basic authentication) are not supported and will be rejected.
• Key Rotation: API keys must be rotated at least every 90 days, or immediately upon discovery of a suspected compromise. VARL may enforce mandatory rotation at any time by invalidating existing keys with at least 7 days' advance notice (except in emergency situations under Section 11.1).
• IP Allowlisting: Enterprise and institutional accounts may restrict API access to a defined set of IP addresses. VARL recommends configuring IP allowlists for production environments to reduce credential abuse risk.
• Transport Security: All API communications must occur over HTTPS (TLS 1.2 or higher). Plaintext HTTP connections are not accepted. Clients must validate TLS certificates and must not disable certificate verification.
• Test and Production Separation: Users are strongly encouraged to maintain separate API credentials for test/development and production environments. VARL may issue dedicated sandbox credentials for testing purposes. Test environment usage does not count toward production rate limits.
• Rate Limits and Throttling: Specific rate limits are communicated at the time of API access approval and may vary based on the nature of the approved use case. Users approaching their rate limits will receive HTTP 429 (Too Many Requests) responses with a Retry-After header. Sustained abuse of rate limits may trigger graduated enforcement under Section 11.2.
• API Versioning and Deprecation: VARL follows semantic versioning for API endpoints. When an API version is scheduled for deprecation, users will receive at least 90 days' advance written notice via email and API response headers. Users are responsible for migrating to supported versions before the deprecation date.
• Webhook Security: If you configure webhooks to receive API callbacks, you must verify webhook signatures using the shared secret provided at configuration time. You must serve webhook endpoints over HTTPS and respond within 30 seconds to avoid timeout retries.
• Key Compromise Response: If you suspect or confirm that your API credentials have been compromised, you must (1) immediately revoke the compromised credentials through the VARL dashboard or by contacting api@varl.net, (2) generate new credentials, (3) review access logs for unauthorized activity, and (4) notify VARL within 24 hours with details of the suspected compromise.
• Incident Response: For API-related security incidents, availability issues, or suspected unauthorized access, contact security@varl.net. VARL aims to acknowledge all incident reports within 4 business hours and provide initial assessment within 24 hours.

3. Permitted Use

The VARL API may be used for the following purposes, provided that all use complies with applicable law, this Policy, and any supplemental agreements between you and VARL:

• Internal research and development in the fields of computational biology, bioinformatics, drug discovery, agricultural science, and related disciplines
• Academic research conducted under the oversight of an institutional review board (IRB) or equivalent ethics committee
• Clinical decision support that operates under appropriate regulatory clearance (e.g., FDA, EMA, MHRA) and is used only as a supplemental tool by qualified healthcare professionals — never as a sole basis for diagnosis or treatment
• Integration into internal platforms, dashboards, or analytical pipelines within your organization, provided that API outputs are not redistributed to third parties without VARL's prior written authorization
• Publication of results derived from API outputs in peer-reviewed journals, preprints, and conference proceedings, with appropriate attribution to VARL as the computational platform

4. Prohibited Use — General

The following activities are strictly prohibited in connection with the VARL API:

• Reverse Engineering: Decompiling, disassembling, or attempting to extract the source code, algorithms, model architectures, training data, or model weights underlying the API or any of its components.
• Scraping and Harvesting: Systematically downloading, extracting, or caching data from the API beyond what is necessary and proportionate for your approved use case.
• Redistribution: Sublicensing, reselling, white-labeling, or otherwise making API access or outputs available to third parties without VARL's prior written authorization.
• Circumvention: Attempting to bypass, disable, or interfere with any authentication mechanism, rate limit, access control, security feature, or usage restriction of the API.
• Competing Product Development: Using the API to build, train, fine-tune, or validate products or services that substantially replicate VARL's core functionality or compete directly with VARL's commercial offerings.
• Service Impairment: Using the API in any manner that could damage, disable, overburden, or impair the stability, availability, or performance of the Services for other users.
• Fraud and Misrepresentation: Providing false or misleading information in your API access request, account registration, or any communication with VARL regarding your intended use of the API.

5. Prohibited Use — Biosecurity and Human Safety

VARL's platform enables capabilities that, if misused, could pose serious risks to human health, public safety, national security, and global biosecurity. The following activities are absolutely and unconditionally prohibited. Violation of any provision in this section will result in immediate and permanent revocation of API access, referral to law enforcement and relevant national and international authorities, and pursuit of all available legal remedies.

5.1 Pathogen Enhancement and Gain-of-Function

You shall not use the VARL API — including but not limited to the digital twin engine, molecular pathway simulator, or predictive modeling endpoints — to design, simulate, optimize, or inform the enhancement of any pathogen's virulence, transmissibility, host range, immune evasion capability, or resistance to antimicrobial agents. This prohibition extends to any computational workflow that could contribute to gain-of-function research conducted outside the scope of authorized national oversight frameworks (e.g., the U.S. P3CO framework, or equivalent regulatory bodies in other jurisdictions).

5.2 Biological Weapons and Toxic Agents

You shall not use the API to design, model, simulate, synthesize, produce, or optimize any biological weapon, toxin, chemical weapon, radiological agent, or delivery system for any such weapon. This prohibition encompasses all activities governed by the Biological Weapons Convention (BWC), the Chemical Weapons Convention (CWC), UN Security Council Resolution 1540, and all applicable national implementing legislation. Specifically, you shall not use VARL's biomarker detection, digital twin construction, or simulation capabilities to identify molecular targets for the purpose of creating agents intended to cause harm to human, animal, or plant populations.

5.3 Unauthorized Human Experimentation

You shall not use outputs from the VARL API — including digital twin simulations, predictive disease trajectories, biomarker analyses, or therapeutic intervention models — to design, justify, or conduct human experimentation without prior approval from an accredited institutional review board (IRB) or independent ethics committee (IEC). You shall not use API outputs to develop genetic modification protocols, gene therapy vectors, or cellular reprogramming procedures intended for human application without full regulatory authorization from the relevant authorities (FDA, EMA, or equivalent). The use of VARL simulations as a substitute for required in vivo or in vitro safety testing is strictly prohibited.

5.4 Genetic Targeting of Populations

You shall not use the API's biomarker detection, genomic analysis, or predictive modeling capabilities to design, develop, or optimize biological agents, therapies, or interventions that selectively target individuals or populations based on genetic ancestry, ethnicity, race, sex, or any heritable biological characteristic. This includes, without limitation, using VARL's molecular pathway analysis to identify population-specific vulnerabilities for the purpose of differential harm.

5.5 Unregulated Therapeutic Deployment

You shall not use API outputs — including drug target predictions, compound interaction simulations, dosage modeling results, or treatment efficacy forecasts — as the basis for administering therapeutic interventions to humans or animals without appropriate regulatory clearance (e.g., FDA approval, EMA authorization, Investigational New Drug exemption, or equivalent). API outputs are computational predictions generated from models; they are not clinically validated endpoints. Presenting API outputs as validated therapeutic guidance, marketing them as medical products, or deploying them in direct patient care without regulatory oversight constitutes a violation of this Policy and potentially applicable law.

5.6 Toxin Synthesis and Optimization

You shall not use the API to model, simulate, or optimize the synthesis pathways, potency, stability, delivery mechanisms, or environmental persistence of any toxin, venom, or poisonous substance for purposes other than legitimate pharmaceutical research (e.g., antivenom development, toxin-based cancer therapeutics) conducted under institutional oversight. VARL's molecular simulation and pathway analysis tools must not be used to increase the lethality or reduce the detectability of any toxic substance.

5.7 Agricultural Bioweapons

You shall not use the API to develop, simulate, or optimize biological agents intended to damage or destroy agricultural crops, livestock, fisheries, or ecosystems. This includes using VARL's agricultural optimization endpoints or digital twin capabilities to model plant pathogens, animal diseases, or ecological disruptions for the purpose of causing economic harm, food supply disruption, or environmental destruction.

5.8 Surveillance via Biological Data

You shall not use biomarker data, genomic profiles, proteomic signatures, metabolomic patterns, or any other biological data processed through the VARL API to conduct unauthorized surveillance, discriminatory profiling, identification, tracking, or monitoring of individuals or populations. This includes using VARL's prediction engine to infer health conditions, genetic predispositions, or behavioral characteristics for the purpose of discrimination in employment, insurance, law enforcement, immigration, or any context prohibited by applicable anti-discrimination and data protection laws (including but not limited to GINA, GDPR Article 9, and the Universal Declaration on the Human Genome and Human Rights).

6. Dual-Use Research of Concern

VARL recognizes that legitimate scientific research may involve computational work that has dual-use potential — research that could be directly misapplied to pose a threat to public health, agriculture, the environment, or national security. Such research is not automatically prohibited, but it is subject to heightened scrutiny and additional controls.

The following categories of API usage are automatically flagged for manual review by VARL's Biosecurity and Ethics Board before processing is permitted:

• Simulations involving Select Agents and Toxins as defined by the U.S. Federal Select Agent Program, or equivalent lists maintained by other national authorities
• Digital twin construction or molecular pathway analysis involving pathogens classified at Biosafety Level 3 (BSL-3) or higher
• Gain-of-function modeling for any respiratory pathogen, regardless of stated research purpose
• Toxicology simulations involving Schedule 1, 2, or 3 chemicals under the Chemical Weapons Convention
• Genetic modification workflows targeting germline cells or heritable genetic changes in any organism
• Population-level biomarker screening or genomic analysis that could enable selective biological targeting
• Any simulation or analysis request that VARL's automated risk-scoring system flags as exceeding normal research parameters

Users conducting dual-use research of concern must provide documented institutional approval (IRB, IBC, or equivalent), evidence of compliance with applicable national oversight frameworks (e.g., U.S. P3CO, EU Dual-Use Regulation 2021/821), and a risk-benefit analysis prior to API access being granted for the specific workflow in question.

7. Monitoring, Detection, and Enforcement

VARL employs multi-layered monitoring systems to detect and prevent misuse of the API. These systems operate continuously and are designed to identify patterns of use that are inconsistent with declared research purposes, indicative of prohibited activities, or suggestive of biosecurity risk.

Monitoring capabilities include:

• Automated anomaly detection using machine learning models trained to identify usage patterns associated with dual-use risk, including unusual query sequences involving pathogen genomics, toxin structure databases, or antimicrobial resistance markers
• Real-time risk scoring of all API requests, with requests exceeding configurable risk thresholds automatically queued for human review before execution
• Structured audit logging of all API interactions, including request metadata (endpoint, method, timestamp, response code, latency, authenticated user identifier, originating IP address) — retained for a minimum of seven years. Request payload contents are not stored in standard audit logs. For flagged requests under dual-use review, payload summaries (not raw data) are retained in access-restricted investigation logs accessible only to the Biosecurity and Ethics Board (see Section 9.2)
• Periodic review of aggregate usage patterns by VARL's internal security team and, where applicable, by independent third-party auditors
• Automated suspension of API access when high-confidence misuse indicators are detected, pending investigation

Enforcement actions are graduated and may include: warning notifications, temporary suspension of access, permanent revocation of API credentials, notification of the user's institutional compliance office, referral to national law enforcement agencies, and referral to international bodies including the Organisation for the Prohibition of Chemical Weapons (OPCW) and the Biological Weapons Convention Implementation Support Unit.

7.1 False Positive Resolution and Appeal Process

VARL acknowledges that automated monitoring systems may, in rare cases, produce false positive results — flagging or suspending legitimate research activity. The following safeguards are in place to protect users conducting lawful research:

• Notification: If your API access is suspended due to automated risk detection, VARL will notify you at the email address associated with your account within 48 hours of the suspension, stating the general nature of the concern. The notification will not disclose specific details that could compromise ongoing security investigations or monitoring methodologies.
• Written Appeal: You may submit a written appeal to api@varl.net within 14 calendar days of receiving the suspension notification. Appeals should include any relevant documentation supporting the legitimacy of the flagged activity (e.g., IRB approvals, institutional authorization letters, research protocols).
• Review Timeline: Appeals are reviewed by VARL's Biosecurity and Ethics Board within 30 business days of receipt. Complex cases involving multi-jurisdictional regulatory considerations may require additional time; in such cases, VARL will provide a status update at the 30-day mark.
• Reinstatement: If the suspension is determined to be a false positive, API access will be reinstated promptly and VARL will issue written confirmation of reinstatement. No record of the false positive will be used as a negative factor in future access evaluations.
• Exclusions: Suspensions involving suspected violations of Section 5 (Biosecurity and Human Safety) that have been referred to law enforcement or national security authorities are excluded from this appeal process. In such cases, resolution is subject to the outcome of the external investigation.

8. Reporting Obligations

If you become aware of or reasonably suspect any use of the VARL API that violates this Policy — including use by persons within your organization, your collaborators, or any third party who may have obtained access through your credentials — you are obligated to report such use to VARL immediately at security@varl.net.

VARL, in turn, maintains the following reporting obligations:

• Suspected violations involving biological weapons, chemical weapons, or threats to national security are reported to relevant national authorities without prior notice to the user, as required or permitted by applicable law
• Suspected violations involving unauthorized human experimentation are reported to the appropriate institutional review board, national regulatory authority, and law enforcement
• VARL publishes an annual Transparency Report documenting the number of API access requests denied, credentials revoked, investigations initiated, and referrals made to external authorities, in aggregate and without identifying specific users except where legally required
• VARL cooperates fully with investigations conducted by law enforcement, regulatory agencies, and international treaty organizations, including providing relevant API logs and usage data pursuant to valid legal process

9. Data Handling via API

9.1 Encryption and Isolation

All data transmitted to and from the VARL API is encrypted in transit using TLS 1.3 (or the highest protocol version supported by the connecting client) and encrypted at rest using AES-256. API request payloads containing biological data, genomic sequences, proteomic profiles, or patient-derived information are processed in logically isolated compute environments designed to prevent cross-tenant data access under normal operating conditions.

These security measures apply to production systems. The following operational contexts operate under equivalent or substantially similar controls:

• Encrypted backup replicas and disaster recovery environments, which are subject to the same encryption standards and access controls as production systems
• Authorized sub-processors engaged by VARL to provide infrastructure or ancillary services, which are contractually bound to maintain security measures no less protective than those described herein
• Temporary diagnostic copies created during incident investigation or support operations, which are subject to production-grade encryption, accessible only to authorized personnel under role-based access controls, and deleted within 48 hours of resolution
• Authorized VARL personnel with support, debugging, or operational access, who operate under strict role-based access controls, mandatory multi-factor authentication, and are bound by confidentiality obligations

VARL implements commercially reasonable measures to maintain these security standards. No system can guarantee absolute security, and VARL does not warrant that its security measures will prevent every unauthorized access, disclosure, or breach. In the event of a security incident affecting API-transmitted data, VARL will follow its incident response procedures as described in the Compliance page.

9.2 Data Categories and Retention

VARL classifies API-transmitted data into the following categories, each subject to distinct retention schedules:

• Raw Input Data: User-submitted biological data, genomic sequences, molecular structures, and other research inputs transmitted through API request payloads. Processed transiently and deleted from active production systems within 72 hours of processing completion, unless the user explicitly opts into extended retention for reproducibility purposes.
• Derived Outputs: Simulation results, prediction outputs, digital twin models, and other computational products generated from Raw Input Data. Retained in association with the user's account for the duration of the account's active status. Deleted within 90 days of account closure or upon user request, subject to legal hold obligations.
• Request Metadata: Structured operational data including endpoint, HTTP method, timestamp, response code, latency, authenticated user identifier, and originating IP address. Does not include request payload contents. Retained for 7 years for audit, compliance, and security investigation purposes.
• Cached and Intermediate Data: Temporary computational artifacts, intermediate processing results, and session-scoped cache. Automatically purged upon processing completion or session expiration; not retained beyond the active computation lifecycle.
• Backup Copies: Encrypted replicas of production data maintained for disaster recovery and business continuity purposes. Subject to the same retention schedules and access controls as the corresponding production data category. Backups are encrypted at rest and access-restricted to authorized infrastructure personnel.
• Support and Debug Artifacts: Temporary diagnostic data created during incident investigation, troubleshooting, or authorized support operations. Deleted within 48 hours of resolution. Not used for any purpose other than resolving the specific incident.
• Investigation Logs: For API requests flagged under the dual-use review process (Section 6), payload summaries — not raw payload data — are retained in access-restricted investigation logs, accessible only to the Biosecurity and Ethics Board, and deleted within 12 months of case closure.
• Legal Hold Data: Data subject to a legal hold, active investigation, regulatory inquiry, or litigation preservation notice is retained until the hold is formally released, regardless of standard retention schedules.

9.3 Regulatory Compliance and Data Processing Roles

For users processing protected health information (PHI) through the API, a HIPAA-compliant Business Associate Agreement (BAA) must be executed prior to data transmission. For users processing personal data subject to the GDPR, a Data Processing Agreement (DPA) must be in place. VARL will not process PHI or GDPR-regulated personal data through the API absent the appropriate agreement.

In the context of API data processing:

• Data Controller / Data Processor Roles: The user (or the user's organization) acts as the data controller for all personal data submitted through the API. VARL acts as a data processor, processing personal data solely on the controller's documented instructions and for the purposes specified in the applicable DPA or BAA.
• International Data Transfers: Where API data is transferred across national borders, VARL relies on Standard Contractual Clauses (SCCs) approved by the European Commission, the UK International Data Transfer Agreement (IDTA), or other legally recognized transfer mechanisms appropriate to the jurisdictions involved. Users may request a copy of the applicable transfer mechanism by contacting privacy@varl.net.
• Sub-Processors: VARL engages a limited number of sub-processors for infrastructure and ancillary services. A current list of sub-processors is available upon request. VARL provides at least 30 days' advance notice before engaging a new sub-processor that will handle API-transmitted data, allowing users to object if the change is incompatible with their data protection obligations.
• Breach Notification: In the event of a confirmed personal data breach involving API-transmitted data, VARL will notify the affected data controller without undue delay and in any event within 72 hours of becoming aware of the breach (in compliance with GDPR Article 33), or within 60 days (in compliance with the HIPAA Breach Notification Rule), whichever is applicable. Notification will include the nature of the breach, the categories of data affected, and the measures taken or proposed to address the breach.
• Data Subject Rights: Where VARL receives a request from a data subject (e.g., access, rectification, erasure, portability) relating to personal data processed through the API, VARL will forward the request to the relevant data controller within 48 hours and provide reasonable technical assistance to enable the controller to fulfill the request within statutory timelines.

10. Liability and Indemnification

You are solely responsible for all activities conducted through the API using your credentials, whether or not such activities are authorized by you. VARL provides the API on an “as is” and “as available” basis. API outputs — including simulation results, predictions, biomarker analyses, and digital twin models — are computational approximations derived from statistical models and should not be treated as experimentally validated findings, clinical endpoints, or regulatory-grade data without independent verification.

You agree to indemnify, defend, and hold harmless VARL and its officers, directors, employees, agents, and affiliates from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or in connection with: (a) your use of the API; (b) any data you transmit through the API; (c) any violation of this Policy, the Terms of Use, or any applicable law; (d) any allegation that your use of the API caused harm to a third party, including but not limited to harm resulting from biosecurity violations, unauthorized clinical use, or data misuse; or (e) any unauthorized use of the API through your credentials.

11. Termination and Revocation

11.1 Emergency Suspension

VARL may immediately suspend API access without prior notice in the following circumstances where delay would pose an unacceptable risk:

• Detection of usage patterns that present an imminent biosecurity threat, active danger to human safety, or strong indicators of prohibited activity under Sections 4 and 5
• Confirmed or reasonably suspected compromise of API credentials, where continued access could enable unauthorized use
• A legally binding directive from a law enforcement, national security, or regulatory authority requiring immediate suspension of the account
• Circumstances in which continued access poses an immediate, demonstrable risk to VARL infrastructure, other users, or the public

In the case of an emergency suspension, VARL will notify the account holder at the registered email address within 48 hours of the suspension, unless prohibited by law. The notice will describe the general nature of the concern. Users may exercise appeal rights under Section 7.1 where applicable.

11.2 Standard Termination for Cause

For violations that do not constitute an emergency under Section 11.1, VARL will follow a graduated process:

• Written Notice: VARL will provide written notice to the account holder specifying the nature of the violation and the corrective action required.
• Cure Period: The user has 30 calendar days from receipt of notice to cure the violation or provide a satisfactory remediation plan. VARL may extend this period at its reasonable discretion for complex compliance matters.
• Termination: If the violation is not cured within the cure period, VARL may revoke API access by providing 14 calendar days' advance written notice.

Non-exhaustive grounds for standard termination include:

• Violation of any provision of this Policy, particularly Sections 4, 5, and 6
• Failure to provide requested documentation regarding institutional oversight, regulatory compliance, or research authorization within a reasonable timeframe
• Non-payment of applicable fees or material breach of any supplemental agreement
• Persistent or repeated violations of technical usage standards (Section 2.1) after receiving written notice

11.3 Voluntary Termination

You may terminate your API access at any time by providing written notice to api@varl.net. Upon voluntary termination, data retention and deletion will proceed in accordance with Section 9.2.

11.4 Post-Termination Obligations

Upon termination or revocation (whether emergency, standard, or voluntary), you must immediately cease all use of the API, delete all API credentials in your possession, and certify in writing that you have done so within 14 calendar days. Termination does not release you from any obligations under this Policy that, by their nature, survive termination, including indemnification obligations, confidentiality requirements, data handling obligations, and liability for prior use.

12. Governing Law and Geographic Scope

12.1 Governing Law

This Policy shall be governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to its conflict-of-laws principles. The United Nations Convention on Contracts for the International Sale of Goods does not apply.

12.2 Dispute Resolution

Any dispute arising out of or relating to this Policy that is not resolved through the dispute resolution procedures set forth in the Terms of Use shall be submitted to binding arbitration administered by the American Arbitration Association (AAA) in Wilmington, Delaware. Notwithstanding the foregoing, VARL retains the right to seek injunctive or equitable relief in any court of competent jurisdiction for violations involving biosecurity, intellectual property, or threats to public safety.

12.3 Geographic Scope and User Obligations

The VARL API is available to users worldwide, subject to applicable export controls and sanctions. This Policy references specific regulatory frameworks — including U.S. federal regulations (FDA, P3CO, GINA, HIPAA, export controls), European Union regulations (GDPR, EMA), and United Kingdom regulations (MHRA, IDTA) — as primary compliance baselines.

Users accessing the API from jurisdictions outside the United States, European Union, and United Kingdom are responsible for identifying and complying with all local and national laws, regulations, and ethical standards applicable to their use of the API, including but not limited to:

• Local biosafety and biosecurity regulations, including institutional and national biosafety committee approvals where required
• National data protection and privacy laws that may impose obligations different from or additional to those described in Section 9.3
• Export control and trade sanction regimes applicable to the user's jurisdiction, particularly regarding dual-use biological materials and technologies
• Local requirements for ethical review, informed consent, and institutional oversight of research involving human-derived biological data
• National and regional regulations governing artificial intelligence, algorithmic decision-making, and clinical decision support systems where the API is used in connection with healthcare applications

Where a local law imposes a higher standard of protection than this Policy, the higher standard prevails for users in that jurisdiction. Where a conflict exists between this Policy and mandatory local law, the user must notify VARL at compliance@varl.net before commencing or continuing use of the API. VARL may, at its discretion, establish jurisdiction-specific addenda to this Policy to address material regulatory differences.

13. Contact

For questions, concerns, or reports related to this API Usage Policy: