Tomorrow

Key Risks Disclosure

Effective date:
Version: 1.0.0

This Key Risks Disclosure summarizes the most important risks of using Tomorrow. It is incorporated by reference into our Terms of Service (available at https://tomorrow.xyz/legal/terms) and our Beneficiary Terms of Service (available at https://tomorrow.xyz/legal/beneficiary-terms). Please read it carefully before using Tomorrow. If you have questions, talk to a qualified attorney, tax advisor, or financial advisor.

This is a summary, not the whole picture. The Terms of Service govern.

1. You hold the keys. We can't recover them.

Tomorrow is a self-custody wallet. You control the keys to your money. We don't. That means:

  • We can't freeze, seize, or move your assets — not even if you ask us to.

  • We can't recover your Recovery Password if you forget it. It cannot be changed after setup.

  • We can't reset your wallet if you lose all your Recovery Materials.

  • If you lose your Recovery Password AND any registered Security Keys (which may be hardware tokens like YubiKeys, or passkeys synced to your iCloud Keychain or Google Password Manager), your wallet is permanently inaccessible to you and to your Beneficiary.

What this means for you: Back up your Recovery Materials. Store them in physically separate locations. Register multiple Security Keys. Test that your Beneficiary can complete a claim before you need them to.

2. Crypto transactions are irreversible.

When you send digital assets on a blockchain, the transaction cannot be reversed. Not by us. Not by anyone. If you send to the wrong address, the wrong network, or the wrong amount — the assets are gone. Always verify the address, network, and amount before signing.

3. The trigger can fire while you're alive.

Your Account moves from "Active" to "Triggered" status when either (i) you miss a Digital Heartbeat check-in within the interval and grace period you configured, or (ii) the Trusted Group attestation quorum you configured is reached. Either can fire while you're alive:

  • Heartbeat reminders are sent on a best-efforts basis. Email delivery can fail, be filtered as spam, or be missed.

  • You may have disabled email reminders in your settings.

  • You may be traveling, hospitalized, or otherwise unable to check in.

  • Trusted Group attestations are honor-system. Members can be wrong, can collude, can be impersonated, or can act in bad faith. We do not verify attestations.

Once a trigger fires, you cannot reverse it through the in-app interface. Recovery from a stuck Triggered state requires support intervention from us, which we may provide in our sole discretion but are not obligated to provide.

What this means for you: Configure conservative intervals. Don't rely on our reminders as your primary calendar. Choose Trusted Group members carefully and set a quorum that reflects the risk of false attestation. If you travel often or have unreliable email access, use a longer interval or rely primarily on Trusted Group.

4. Your Beneficiary gets access — not ownership.

When a trigger fires and your Beneficiary completes a claim, the Beneficiary gets operational access to your wallet. That is not the same as ownership. Ownership of the assets is determined by:

  • Your valid will, trust, or other estate planning instrument; or

  • Intestacy laws if you have no will; or

  • Order of a probate court of competent jurisdiction.

A Tomorrow Beneficiary designation is not a will, trust, transfer-on-death designation, or other testamentary instrument. It does not satisfy execution formalities under any state's law. To make sure your digital assets go to the right people, you need an actual estate plan — talk to an attorney. Tomorrow operates alongside your estate plan, not in place of it.

If a Beneficiary takes assets without being the rightful owner under your estate plan, they hold those assets in constructive trust for the rightful owner and can be personally liable for conversion and related claims.

5. Trusted Group attestation is honor-system.

If you enable Trusted Group as a trigger, you name a group of people (by email) and a quorum (e.g., 2-of-3). When that many of them submit attestations that you have died, the trigger fires. We do not:

  • verify the identity of any Trusted Group Member;

  • verify the truth of any attestation;

  • collect death certificates or any other documentation;

  • investigate disputes between members.

Members can be mistaken, can collude, can have their email accounts compromised, or can act maliciously. Even one bad actor combined with one mistaken member can fire a 2-of-3 trigger on a living owner. Choose your members carefully. Consider setting a higher quorum (e.g., 3-of-5) for higher-value Accounts.

6. AI Agents can spend up to your limit.

If you connect an AI Agent to your wallet, you configure (i) an auto-approve limit, (ii) a maximum per-transaction limit, and (iii) a daily limit. Within those limits, the Agent can sign transactions automatically, without prompting you for each one. That means:

  • A malfunctioning Agent can drain up to your daily limit before you notice.

  • A compromised Agent or a malicious prompt-injection can similarly empty up to the daily limit.

  • The limits are maxima — not targets. Set them as if the entire daily limit could be lost in a single bad day.

  • We do not vet, audit, or guarantee any Agent.

What this means for you: Use a dedicated, low-balance wallet for AI Agent activity. Set conservative limits. Monitor activity. Disconnect Agents you're not actively using.

7. Earn (yield) involves smart contract risk.

Our "Earn" feature lets you deposit digital assets into smart contract vaults that we operate, which in turn deposit into third-party lending protocols (currently Aave V3). Yield is variable, not guaranteed. We take a performance fee on yield earned. Risks include:

  • Bugs or exploits in our vault contracts;

  • Bugs or exploits in Aave (or other underlying protocols);

  • Failure of the underlying protocol to support withdrawals (illiquidity);

  • Loss of value of the deposited asset;

  • Governance changes by the underlying protocol that materially affect Earn economics.

The APY shown in the app is a current estimate, not a guarantee. You can lose principal. We are not your investment adviser. Earn is not insured.

8. Blockchain transactions are public.

When you send, receive, swap, or deposit digital assets, those transactions are recorded on a public ledger. Your wallet address, transaction amounts, counterparties, and history are visible to anyone. We cannot anonymize what the blockchain records. Your privacy is what your operational security gives you, plus what the underlying network provides — not what we provide.

9. No KYC. No insurance. No reversal.

Tomorrow is not a bank, broker, exchange, money transmitter, or custodian. We don't identity-verify you (no "KYC"). Your assets are not on deposit with us, are not insured by FDIC or SIPC, and are not held by us in any account, trust, escrow, or fiduciary capacity. If a transaction goes wrong, there is no chargeback, no fraud department, no claims process.

10. Third parties are not us.

The Services depend on third parties for MPC wallet infrastructure, authentication, database hosting, payment processing, blockchain RPC, hosting, email delivery, dApp connectivity, and any DeFi protocols accessed through the Services. We do not control them. They have outages, security incidents, and changes in terms. Their failures can affect your ability to use the Services, though the underlying wallet keys remain valid against the underlying networks regardless.

Your Acknowledgment

By using Tomorrow, you acknowledge that you have read and understood this Key Risks Disclosure, that you accept all of these risks, and that you are responsible for your own use of the Services and for the outcomes of every transaction signed from your wallet — regardless of whether you signed personally, through an AI Agent, through a dApp, through a Beneficiary claim, or otherwise.

If you don't accept these risks, don't use Tomorrow. A custodial service may be more appropriate for you.

END OF KEY RISKS DISCLOSURE