Terms of Service

The following defined terms apply throughout these Terms of Service: "AffectLog", "we", "us", "our" means the entity operating the Provena by AffectLog platform. "You", "User" means the individual accessing or using the Service, or, where applicable, the Organisation on whose behalf that individual acts. "Organisation" means the legal entity (company, partnership, sole trader, or other body) on whose behalf you access the Service. "Service" means the Provena by AffectLog software platform, web application, APIs, webhooks, documentation, and all associated features and services. "Account" means the user account registered to access the Service. "Workspace" means the organisational environment created within the Service for your Organisation. "Your Content" means all data, text, files, documents, and other materials you upload to, create within, or generate using the Service. "Subscription" means a paid plan entitling you to access specified features and usage limits. "Free Tier" means access to limited features of the Service at no charge. "Order Form" means a separate signed commercial agreement between your Organisation and AffectLog specifying subscription terms, pricing, and special conditions. "Effective Date" means the date you first accept these Terms by clicking "I agree", completing registration, or executing an Order Form, whichever is earliest. "Confidential Information" has the meaning given in Section 11. "Data Processing Agreement" or "DPA" means the data processing terms at affectlog.com/dpa, incorporated into these Terms by reference. "Documentation" means technical and user documentation published by AffectLog at affectlog.com/docs or as otherwise made available. "Intellectual Property Rights" means all patents, copyrights, design rights, trade marks, trade secrets, database rights, domain names, and all other intellectual property and proprietary rights worldwide, whether registered or unregistered. "Force Majeure Event" has the meaning given in Section 17. "SLA" means a service level agreement separately agreed in writing in an Order Form.

2.1 By clicking "I agree", completing account registration, executing an Order Form, or otherwise accessing or using the Service, you confirm that you: (a) have read, understood, and agree to be legally bound by these Terms of Service ("Terms") and all documents incorporated by reference, including our Privacy Policy, the DPA, and any applicable Order Form; (b) are at least 18 years of age (or the applicable age of majority in your jurisdiction); (c) have the legal capacity and authority to enter into a binding contract; (d) if acting on behalf of an Organisation, have the authority to bind that Organisation to these Terms, and these Terms shall be binding on the Organisation; and (e) are not located in, organised in, or a resident of any jurisdiction subject to comprehensive trade sanctions or embargo administered by the European Union, the United States (OFAC), the United Kingdom (OFSI), or the United Nations. 2.2 If you do not agree to these Terms in their entirety, you must immediately cease all use of the Service and, if applicable, close your Account. No access to the Service is granted except on the basis of these Terms. 2.3 These Terms govern your use of the Service to the exclusion of all other terms. Any purchase order, terms and conditions, or other document issued by you that purports to add to, vary, or replace these Terms shall have no legal effect unless expressly accepted in a signed Order Form. 2.4 Modifications by us: We may modify these Terms from time to time in accordance with Section 21. Your continued use of the Service after a change takes effect constitutes acceptance of the modified Terms.

3.1 Provena by AffectLog provides software tools and AI-powered features to assist organisations in: (a) documenting, cataloguing, and assessing AI systems and AI supplier relationships; (b) creating, managing, and sharing Evidence Passports for AI governance; (c) conducting governance readiness assessments and audit preparation workflows; (d) managing AI agent safety boundaries, credentials, and scope controls; (e) tracking compliance programme progress and generating audit-ready evidence records; (f) role-based evidence review workflows for DPOs, CISOs, procurement, and legal teams. 3.2 LEGAL DISCLAIMER — PLEASE READ CAREFULLY: THE SERVICE IS A TECHNICAL DOCUMENTATION AND GOVERNANCE WORKFLOW TOOL. IT DOES NOT AND IS NOT INTENDED TO CONSTITUTE LEGAL ADVICE, REGULATORY APPROVAL, CERTIFICATION, ACCREDITATION, AUDIT OPINION, OR ANY REPRESENTATION THAT YOUR ORGANISATION IS COMPLIANT WITH ANY LAW, REGULATION, STANDARD, OR REGULATORY EXPECTATION. ALL GOVERNANCE, LEGAL, AND COMPLIANCE DETERMINATIONS MUST BE MADE BY QUALIFIED LEGAL, REGULATORY, AND COMPLIANCE PROFESSIONALS. AFFECTLOG OUTPUTS ARE SUPPORTING DOCUMENTATION ONLY AND DO NOT REPLACE QUALIFIED PROFESSIONAL ADVICE. 3.3 AI accuracy disclaimer: AI-powered features of the Service may generate outputs that are inaccurate, incomplete, outdated, or not appropriate for your specific circumstances or jurisdiction. You are solely responsible for reviewing, validating, and applying professional expertise to any AI-generated content before relying upon it for any governance, compliance, legal, or business decision. 3.4 Regulatory landscape disclaimer: AI regulation is rapidly evolving. AffectLog endeavours to keep the Service aligned with current regulatory requirements, but cannot guarantee that use of the Service satisfies the requirements of any specific regulation in your jurisdiction. We strongly recommend you engage qualified advisers to interpret and apply regulatory requirements to your specific circumstances.

4.1 You must provide accurate, complete, and current information during registration. You must promptly update your account information if it changes. Providing false, misleading, or outdated information is a material breach of these Terms. 4.2 You are solely and fully responsible for: (a) maintaining the strict confidentiality of your login credentials, including your password and any MFA codes; (b) all activities and transactions that occur under your Account, whether or not you authorised them; (c) ensuring that all users to whom you grant access to your Workspace comply with these Terms; (d) the appropriateness of all Your Content uploaded or generated under your Account; and (e) immediately notifying AffectLog at [email protected] upon becoming aware of any actual or suspected unauthorised access to your Account or credentials. 4.3 AffectLog will not be liable for any loss, liability, cost, or damage arising from your failure to comply with this Section 4, including where such failure arises from your failure to keep credentials confidential. 4.4 One natural person per Account. Sharing login credentials with other individuals is strictly prohibited. Organisations wishing to grant access to multiple individuals must invite each individual separately under their Workspace plan. 4.5 Multi-factor authentication (MFA): AffectLog strongly recommends enabling MFA on all Accounts. Administrator accounts in Organisations with paid Subscriptions are required to have MFA enabled. AffectLog reserves the right to enforce MFA requirements for security reasons. 4.6 Account suspension for security: AffectLog may immediately suspend an Account if we reasonably suspect it has been compromised, is being used fraudulently, or poses a security risk to the Platform or other users. We will notify you as soon as reasonably practicable.

5.1 Permitted use: You are permitted to use the Service solely for your lawful internal business purposes, in compliance with these Terms, all applicable laws, and all applicable regulations, including data protection law, AI regulation, export control law, anti-corruption law, anti-money-laundering law, and applicable securities law. 5.2 Prohibited uses: You must not, and must not permit any third party to: (a) use the Service to generate, create, submit, or cause to be submitted any false, fabricated, misleading, or fraudulent compliance documentation, certifications, assessments, audit records, or evidence; (b) impersonate any person, entity, or AI system, or misrepresent your identity or affiliation with any organisation; (c) upload, transmit, or display any content that: infringes the intellectual property rights of any third party; contains personal data of individuals without a valid legal basis; defames any person; is unlawful, abusive, harassing, or discriminatory; or violates applicable equality, anti-discrimination, or hate-speech law; (d) process the personal data of third parties through the Service without holding a valid legal basis under applicable data protection law, and — where required — executing a data processing agreement with AffectLog; (e) use the Service to process data of individuals in connection with any illegal discrimination on the basis of race, national origin, religion, gender, sexual orientation, disability, or other protected characteristics; (f) attempt to reverse-engineer, decompile, disassemble, decode, or extract the source code, underlying algorithms, model weights, or proprietary data of the Service by any means; (g) access the Service through automated scripts, bots, crawlers, or scrapers except through our officially published and documented API, and subject to our published rate limits; (h) resell, sublicence, rent, lease, or otherwise transfer or make available access to the Service to any third party for commercial gain, except as expressly permitted in a signed Order Form; (i) use the Service to develop a competing product or service, to benchmark the Service for publicly distributed competitive intelligence, or to derive proprietary business intelligence about AffectLog's commercial terms without prior written consent; (j) circumvent, disable, bypass, or interfere with any authentication mechanism, access control system, security feature, rate limiter, encryption, or network protection of the Service; (k) upload, introduce, or transmit any malware, ransomware, virus, worm, Trojan, spyware, or any other malicious or harmful code; (l) conduct or facilitate any denial-of-service (DoS), distributed denial-of-service (DDoS), network flooding, or other attack against the Service, its infrastructure, or its users; (m) use the Service in any manner that places an unreasonable or disproportionate load on our infrastructure, as determined by AffectLog in its reasonable discretion; (n) use the Service in any way that violates applicable AI-specific regulation, including operating a high-risk AI system as defined under the EU AI Act without the required conformity assessments and safeguards; (o) violate any applicable export control regulations or trade sanctions, including by providing access to the Service to any sanctioned individual, entity, or jurisdiction; or (p) assist or encourage any person to do any of the above. 5.3 Investigation and enforcement: AffectLog reserves the right to investigate any suspected violation of this acceptable use policy. Upon discovering a violation, we may: immediately suspend or terminate your Account; remove or disable access to offending content; report the matter to relevant law enforcement or regulatory authorities; seek civil and criminal remedies; and publicise the breach to the extent required by law or to protect other users. 5.4 Cooperation: You agree to cooperate fully and promptly with any AffectLog investigation of a suspected violation of this Section 5.

6.1 Tiers: AffectLog offers both a Free Tier and paid Subscription tiers. The features and usage limits of each tier are described at affectlog.com/pricing. We reserve the right to modify tier features and limits with reasonable advance notice. 6.2 Pricing: Subscription prices are stated in the currency shown on the applicable pricing page or Order Form, exclusive of all applicable taxes (including VAT, GST, sales tax, digital services tax, and similar levies). You are responsible for determining and paying all applicable taxes. Where we are required by law to collect and remit taxes on your behalf, we will add the applicable tax to your invoice. 6.3 Auto-renewal: Subscriptions renew automatically at the end of each billing period (monthly or annual, as selected at the time of purchase) at the then-current renewal price, unless cancelled before the renewal date. You authorise AffectLog and our payment processor (Stripe) to charge the payment method on file for each renewal without further authorisation. 6.4 Price changes: We will provide at least 30 days' prior written notice of any price increase. A price increase will not apply to you until the next renewal date after the notice period. If you do not agree to a price increase, you must cancel your Subscription before the next renewal date. 6.5 Free trial: Where AffectLog offers a free trial period, your payment method may be required at sign-up but will not be charged until the trial period expires. You may cancel at any time before the end of the trial at no charge. If you do not cancel before the end of the trial, your Subscription will automatically activate and your payment method will be charged. 6.6 Payment failure: If your payment method is declined or a payment otherwise fails, we will notify you by email and may restrict access to paid features after a grace period of 7 days. If payment is not resolved within 14 days of the initial failure, we may terminate your Subscription. 6.7 Cancellation: You may cancel your Subscription at any time through your billing settings in the Platform. Cancellation takes effect at the end of the then-current billing period. You will retain access to paid features until that date. Cancellation does not entitle you to a refund for the remainder of the current billing period except as stated in Section 6.8. 6.8 Refund policy: All fees paid are non-refundable except: (a) where required by mandatory consumer protection law in your jurisdiction; (b) if the Service has been materially unavailable for more than 48 consecutive hours due to a fault attributable to AffectLog (prorated refund for the period of unavailability only); (c) as expressly agreed in writing in a signed Order Form. 6.9 Disputed charges: If you believe you have been incorrectly charged, you must notify us within 30 days of the charge by emailing [email protected]. We will investigate in good faith and, if we determine the charge was incorrect, provide a credit or refund.

7.1 AffectLog may offer free, limited, or evaluation access to the Service ("Free Tier"). Your access to the Free Tier is subject to these Terms in full. AffectLog may, at any time and with reasonable notice, change, restrict, or discontinue the Free Tier. 7.2 Free Tier users acknowledge and agree that: (a) certain features, data export options, retention periods, and compliance-grade capabilities may not be available under the Free Tier; (b) the Service is provided under the Free Tier on an "as available" basis with no uptime target; (c) data stored under the Free Tier may be subject to shorter retention periods as stated in our Privacy Policy; (d) AffectLog may impose usage rate limits and storage quotas on Free Tier Accounts without notice. 7.3 Any Workspace that has remained on the Free Tier for more than 24 consecutive months with no recorded activity may be suspended or deleted, with 30 days' prior email notice.

8.1 AffectLog's rights: AffectLog and its licensors own all Intellectual Property Rights in and to the Service and all components thereof, including: the software code (client and server); interface design, visual elements, and user experience design; proprietary AI models, algorithms, and scoring methodologies; training data owned by AffectLog; the AffectLog brand, trademarks, and logos; Documentation; and all improvements, modifications, and derivative works of the foregoing, whether created by AffectLog alone or in collaboration with you. 8.2 No assignment: Nothing in these Terms transfers or assigns to you any ownership of AffectLog's Intellectual Property Rights. You acquire only the limited licence described in Section 8.3. 8.3 Licence to you: Subject to your compliance with these Terms and payment of all applicable fees, AffectLog grants you a limited, non-exclusive, non-transferable, non-sublicensable, revocable licence to access and use the Service solely for your internal business purposes during the applicable Subscription term. 8.4 Your Content: You retain all Intellectual Property Rights in Your Content. By using the Service, you grant AffectLog a limited, worldwide, royalty-free, non-exclusive licence to access, store, process, reproduce, transmit, and display Your Content to the extent necessary to: (a) provide the Service to you; (b) comply with our legal obligations; and (c) enforce these Terms. This licence terminates upon closure of your Account, subject to data retention obligations in our Privacy Policy. 8.5 No AI training: AffectLog will not use Your Content to train, fine-tune, evaluate, or improve any artificial intelligence or machine learning model, whether operated by AffectLog or any third party, without your explicit, separate written consent. 8.6 Feedback: If you provide AffectLog with suggestions, ideas, feature requests, or other feedback about the Service ("Feedback"), you grant AffectLog a perpetual, irrevocable, royalty-free, worldwide licence to use, reproduce, modify, and incorporate such Feedback into the Service or other products without restriction or compensation to you. 8.7 Trade marks: You may not use AffectLog's name, trade marks, logos, or branding in any marketing, advertising, or other public material without our prior written consent, except to state truthfully that you are a customer of the Service. 8.8 Open source: The Service may include open-source software components governed by separate licences. Nothing in these Terms restricts your rights under any open-source licence applicable to such components.

9.1 Privacy Policy: AffectLog processes personal data as described in our Privacy Policy at affectlog.com/privacy, which is incorporated into these Terms by reference. By agreeing to these Terms, you also agree to our Privacy Policy. 9.2 Data Processing Agreement: Where you use the Service to process personal data of third parties (including your employees, clients, or AI system subjects), AffectLog acts as a data processor on your behalf. In such cases, the parties' obligations are governed by the Data Processing Agreement (DPA) at affectlog.com/dpa, which forms a binding part of these Terms. You, as data controller, are responsible for ensuring you have a valid legal basis for such processing. 9.3 Your representations: You represent and warrant that: (a) you have all necessary rights, permissions, consents, and legal bases required under applicable data protection law to upload personal data to the Service; (b) your instructions to AffectLog regarding the processing of personal data will not cause AffectLog to violate any applicable law; (c) you will not upload special category data (as defined under GDPR Article 9) to the Service without: (i) a valid legal basis under Article 9(2); (ii) appropriate technical and organisational safeguards; and (iii) prior written notice to AffectLog; (d) you have provided data subjects with the privacy information required under applicable law, including information about AffectLog's processing as a sub-processor. 9.4 Security obligations: AffectLog will implement and maintain the technical and organisational security measures described in the DPA and our Privacy Policy. You are responsible for the security of Your Content before it is transmitted to the Service.

10.1 Definition: "Confidential Information" means any non-public information disclosed by one party (the "Disclosing Party") to the other party (the "Receiving Party") in connection with these Terms, whether orally, in writing, electronically, or by any other means, that: (a) is designated or marked as "confidential", "proprietary", or similar; or (b) would reasonably be understood by a person in the Receiving Party's position to be confidential given the nature of the information and the circumstances of disclosure. Your Content is your Confidential Information. AffectLog's pricing (outside of published prices), technical architecture, unreleased features, product roadmap, and customer list are AffectLog's Confidential Information. 10.2 Obligations: The Receiving Party agrees to: (a) use Confidential Information solely to exercise its rights and perform its obligations under these Terms; (b) protect Confidential Information using at least the same degree of care that it uses to protect its own confidential information of comparable sensitivity, and in no event less than reasonable care; (c) not disclose Confidential Information to any third party without the prior written consent of the Disclosing Party, except to its own employees, officers, contractors, and professional advisers who: (i) have a genuine need to know; and (ii) are bound by written confidentiality obligations no less protective than those in this Section 10. 10.3 Exclusions: Confidential Information does not include information that: (a) is or becomes publicly available other than through a breach by the Receiving Party; (b) was in the Receiving Party's possession prior to disclosure, as evidenced by written records predating disclosure; (c) is independently developed by the Receiving Party without use of or reference to Confidential Information; or (d) is received from a third party who has the right to disclose it without restriction. 10.4 Required disclosures: The Receiving Party may disclose Confidential Information where required by applicable law, regulation, or court order, provided that: (a) the Receiving Party gives the Disclosing Party as much advance notice as legally permissible; (b) cooperates reasonably with the Disclosing Party's efforts to seek a protective order or other appropriate relief; and (c) discloses only the minimum amount of Confidential Information required. 10.5 Survival: This Section 10 survives termination or expiry of these Terms for a period of five (5) years, except in respect of information that constitutes a trade secret under applicable law, which shall be protected for as long as it remains a trade secret. 10.6 Injunctive relief: The parties acknowledge that a breach of this Section 10 may cause irreparable harm for which damages would be an inadequate remedy, and that injunctive or other equitable relief may be sought without the obligation to post a bond.

11.1 The Service may integrate with, or permit you to connect, third-party software, services, and platforms (collectively, "Third-Party Services"). Such Third-Party Services are governed exclusively by their own terms of service and privacy policies. AffectLog is not responsible for and makes no representations or warranties regarding: the availability, accuracy, security, or fitness for purpose of any Third-Party Service; or the terms on which Third-Party Services process personal data. 11.2 You access Third-Party Services at your own risk. AffectLog shall have no liability for any loss or damage arising from your use of any Third-Party Service in connection with the Service. 11.3 AffectLog does not endorse any Third-Party Service by virtue of making an integration available. The availability of a Third-Party Service integration does not constitute a representation that the Third-Party Service meets any particular standard or is suitable for any particular regulatory purpose. 11.4 You are responsible for ensuring that your use of Third-Party Services in conjunction with the Service complies with all applicable law, including data protection law.

12.1 Availability target: AffectLog targets 99.5% monthly uptime for the Service, excluding: (a) scheduled maintenance; (b) emergency maintenance; (c) Force Majeure Events (Section 17); and (d) outages attributable to Third-Party Services, your own infrastructure, or internet connectivity issues outside our reasonable control. This target is aspirational and does not constitute a contractual guarantee or SLA unless separately agreed in a signed Order Form. 12.2 Scheduled maintenance: AffectLog will endeavour to carry out scheduled maintenance outside peak hours and will provide at least 48 hours' advance notice via the Platform or email. Access to the Service may be temporarily unavailable or degraded during scheduled maintenance. 12.3 Emergency maintenance: AffectLog may conduct emergency maintenance at any time without advance notice where required to protect the security, stability, or integrity of the Service. We will provide notice as soon as practicable. 12.4 Status page: The current Service status and incident history are published at status.affectlog.com (or equivalent). We encourage you to subscribe to status notifications. 12.5 Support: Standard support is provided by email at [email protected] during business hours (Monday–Friday, 09:00–18:00 Central European Time, excluding public holidays in France). Response times are best-effort; AffectLog provides no guaranteed response time or resolution time under the standard support terms. Priority and enterprise support, including defined SLAs, are available under enterprise plans. 12.6 No SLA guarantee: No binding SLA applies unless expressly set out in a signed Order Form. AffectLog's sole obligation in the event of downtime exceeding our availability target is to use commercially reasonable efforts to restore the Service.

13.1 AffectLog warrants that it will: (a) provide the Service with reasonable skill, care, and technical competence in accordance with industry standards; (b) implement and maintain reasonable technical and organisational security measures appropriate to the risk of processing; and (c) comply with all laws and regulations applicable to AffectLog as a service provider. 13.2 DISCLAIMER OF ALL OTHER WARRANTIES: EXCEPT AS EXPRESSLY STATED IN SECTION 13.1, THE SERVICE IS PROVIDED STRICTLY "AS IS" AND "AS AVAILABLE", WITHOUT ANY WARRANTY OF ANY KIND, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE. TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, AFFECTLOG EXPRESSLY DISCLAIMS ALL WARRANTIES, INCLUDING BUT NOT LIMITED TO: (a) FITNESS FOR A PARTICULAR PURPOSE OR USE CASE; (b) MERCHANTABILITY OR SATISFACTORY QUALITY; (c) NON-INFRINGEMENT OF THIRD-PARTY RIGHTS; (d) THAT THE SERVICE WILL OPERATE WITHOUT INTERRUPTION, ERROR, BUG, OR HARMFUL COMPONENT; (e) THAT OUTPUTS GENERATED BY THE SERVICE (INCLUDING AI-GENERATED CONTENT) WILL BE ACCURATE, COMPLETE, CURRENT, OR FIT FOR ANY SPECIFIC REGULATORY, LEGAL, OR BUSINESS PURPOSE; (f) THAT USE OF THE SERVICE WILL ENSURE COMPLIANCE WITH ANY APPLICABLE LAW, REGULATION, STANDARD, OR REGULATORY EXPECTATION; (g) THAT THE SERVICE WILL MEET YOUR SPECIFIC REQUIREMENTS OR EXPECTATIONS; OR (h) THAT DEFECTS WILL BE CORRECTED WITHIN ANY PARTICULAR TIMEFRAME. 13.3 AI-generated content disclaimer: AI-generated outputs are probabilistic and may contain hallucinations, errors, or outdated information. AffectLog makes no warranty regarding the accuracy, reliability, or appropriateness of AI-generated content for any specific purpose. 13.4 No warranty of regulatory compliance: AffectLog expressly disclaims any warranty that use of the Service will make your organisation compliant with any specific regulatory requirement, including but not limited to the EU AI Act, GDPR, UK GDPR, ISO 42001, NIST AI RMF, or any sector-specific regulation.

14.1 Indemnification by you: You agree to indemnify, defend, and hold harmless AffectLog and its officers, directors, employees, shareholders, contractors, agents, successors, and assigns (collectively, "AffectLog Parties") from and against any and all claims, demands, suits, proceedings, liabilities, judgements, penalties, fines, losses, damages, costs, and expenses (including reasonable legal fees) ("Losses") arising out of or relating to: (a) your breach of any provision of these Terms; (b) your violation of any applicable law or regulation in connection with your use of the Service; (c) Your Content, including any claim that Your Content: (i) infringes the Intellectual Property Rights, privacy rights, or other rights of any third party; (ii) contains false, defamatory, or misleading content; or (iii) was processed without a valid legal basis; (d) your violation of the rights of any individual, including their data protection rights; (e) any claim brought by a third party (including a data subject or regulatory authority) arising from your processing of their personal data through the Service without a valid legal basis, or in contravention of applicable data protection law; (f) your misrepresentation regarding your authority to bind your Organisation to these Terms; or (g) any wilful misconduct or gross negligence by you or any user of your Account. 14.2 AffectLog's rights in indemnified matters: AffectLog reserves the right, at its own expense, to assume exclusive control of the defence and settlement of any matter subject to indemnification under Section 14.1. You agree to cooperate fully with AffectLog in the defence of such matters and not to settle any such matter without AffectLog's prior written consent. 14.3 Indemnification by AffectLog: AffectLog will defend you against any third-party claim that the Service, as provided and used in accordance with these Terms, infringes any patent, copyright, trade mark, or trade secret of any third party, and will indemnify you against Losses finally awarded against you by a court of competent jurisdiction or agreed in a settlement approved by AffectLog. This obligation does not apply if the infringement claim arises from: (a) Your Content; (b) your modification of the Service; (c) use of the Service in combination with third-party software or services not approved by AffectLog; or (d) use of the Service in violation of these Terms.

15.1 AGGREGATE LIABILITY CAP: TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, AFFECTLOG'S TOTAL AGGREGATE LIABILITY TO YOU FOR ALL CLAIMS ARISING OUT OF OR RELATED TO THESE TERMS OR THE SERVICE — WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE OR BREACH OF STATUTORY DUTY), MISREPRESENTATION, RESTITUTION, OR OTHERWISE — SHALL NOT EXCEED THE GREATER OF: (a) THE TOTAL FEES PAID BY YOU TO AFFECTLOG IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM; OR (b) ONE HUNDRED EUROS (€100). 15.2 EXCLUSION OF CONSEQUENTIAL AND INDIRECT LOSS: IN NO EVENT SHALL AFFECTLOG BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY: (a) LOSS OF PROFITS, REVENUE, OR ANTICIPATED SAVINGS; (b) LOSS OF BUSINESS, CONTRACTS, OR COMMERCIAL OPPORTUNITIES; (c) LOSS OF GOODWILL OR REPUTATION; (d) LOSS OF OR CORRUPTION OF DATA OR INFORMATION; (e) BUSINESS INTERRUPTION OR DOWNTIME; (f) REGULATORY FINES, PENALTIES, SANCTIONS, OR ENFORCEMENT COSTS (INCLUDING FINES IMPOSED BY DATA PROTECTION SUPERVISORY AUTHORITIES); (g) COST OF PROCURING SUBSTITUTE SERVICES; (h) INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR PUNITIVE DAMAGES; EVEN IF AFFECTLOG HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND WHETHER ARISING IN CONTRACT, TORT, STATUTE, OR OTHERWISE. 15.3 EXCEPTIONS — NOTHING IN THESE TERMS LIMITS OR EXCLUDES AFFECTLOG'S LIABILITY FOR: (a) death or personal injury caused by AffectLog's negligence; (b) fraud or fraudulent misrepresentation by AffectLog; (c) wilful misconduct or gross negligence by AffectLog; (d) any liability that cannot be limited or excluded under applicable law. 15.4 ESSENTIAL BARGAIN: THE PARTIES ACKNOWLEDGE THAT THE LIABILITY LIMITATIONS SET OUT IN THIS SECTION 15 REFLECT A REASONABLE ALLOCATION OF RISK AND ARE AN ESSENTIAL ELEMENT OF THE BASIS OF THE BARGAIN BETWEEN THE PARTIES. AFFECTLOG WOULD NOT HAVE ENTERED INTO THESE TERMS OR PROVIDED THE SERVICE WITHOUT THESE LIMITATIONS. 15.5 Multiple claims: The liability cap in Section 15.1 applies to all claims in aggregate, not on a per-claim basis.

16.1 AffectLog is designed to assist organisations with AI governance and compliance documentation. The Service does not itself constitute an AI system under Annex I of the EU AI Act except to the extent that specific features (such as automated scoring or risk classification) may fall within the definition. Where applicable, AffectLog maintains appropriate documentation for any AI system feature and makes this available to users on request. 16.2 You are responsible for assessing whether your use of the Service, or any AI system documented or managed through the Service, falls within the scope of applicable AI regulation (including the EU AI Act, sector-specific AI rules, and equivalent national legislation) and for taking all required compliance steps. 16.3 You represent and warrant that you will not use the Service to document, validate, or certify an AI system in any manner that is prohibited under applicable AI regulation, including systems that are prohibited under Article 5 of the EU AI Act (e.g., systems using subliminal manipulation, social scoring, or real-time biometric identification in publicly accessible spaces, except as permitted by law). 16.4 AffectLog may, at its sole discretion, refuse to provide services in connection with AI systems that are prohibited, restricted, or that AffectLog reasonably believes pose unacceptable legal, reputational, or ethical risk.

17.1 AffectLog will not be in breach of these Terms or otherwise liable for any failure or delay in the performance of its obligations under these Terms to the extent that such failure or delay is caused by a Force Majeure Event. 17.2 "Force Majeure Event" means any circumstance beyond AffectLog's reasonable control, including but not limited to: acts of God or nature; pandemic, epidemic, or public health emergency; war, armed conflict, terrorism, or civil unrest; governmental action, regulatory action, or change in law; failure of third-party internet infrastructure, telecommunications networks, or cloud providers; power failure or outage; trade embargo or sanctions; cyberattack, distributed denial-of-service attack, or other security incident of external origin; or labour disputes or strikes. 17.3 AffectLog will: (a) notify you as soon as reasonably practicable of the Force Majeure Event and its likely duration; (b) use commercially reasonable efforts to mitigate the effects of the Force Majeure Event and to perform its obligations despite the event; and (c) resume full performance as soon as the Force Majeure Event ceases. 17.4 If a Force Majeure Event continues for more than 60 days and materially prevents AffectLog from delivering core Service functionality, either party may terminate these Terms on 14 days' written notice.

18.1 Term: These Terms commence on the Effective Date and continue in force until terminated by either party in accordance with this Section 18. 18.2 Termination by you: You may terminate these Terms at any time by closing your Account through the Platform's account settings. Closure of your Account during a paid Subscription period does not entitle you to a refund except as stated in Section 6.8. 18.3 Termination by AffectLog — with notice: AffectLog may terminate these Terms or suspend your Account by giving written notice: (a) with 30 days' notice, if AffectLog ceases to provide the Service generally to all customers; (b) with 14 days' notice, if you materially breach these Terms (other than the Acceptable Use Policy) and fail to remedy the breach within 7 days of written notice from AffectLog. 18.4 Termination by AffectLog — immediate: AffectLog may terminate or suspend your Account immediately and without prior notice if: (a) you violate any provision of the Acceptable Use Policy (Section 5); (b) you fail to pay any outstanding fees within 14 days of payment being due; (c) you become insolvent, enter administration, receivership, or liquidation, or make an assignment for the benefit of creditors; (d) your use of the Service creates, in AffectLog's reasonable determination, an immediate security risk or legal risk to AffectLog or other users; (e) we are required to do so by applicable law, regulatory order, or court order. 18.5 Effect of termination: Upon termination of these Terms for any reason: (a) your licence to use the Service terminates immediately; (b) all outstanding fees become immediately due and payable; (c) Your Content will be retained for 90 days following the termination date, during which you may export it using the Platform's export functionality. After 90 days, Your Content will be permanently deleted in accordance with our Privacy Policy; (d) each party must, upon request, promptly return or securely destroy all Confidential Information of the other party in its possession; (e) each party's accrued rights and obligations at the date of termination are unaffected. 18.6 Surviving provisions: The following Sections survive termination of these Terms indefinitely or for the period stated: Section 1 (Definitions), Section 3.2–3.4 (Disclaimers), Section 8 (Intellectual Property), Section 9 (Data Processing), Section 10 (Confidentiality), Section 13 (Warranties and Disclaimers), Section 14 (Indemnification), Section 15 (Limitation of Liability), Section 18.5–18.6 (Effects and Survival), Section 19 (Governing Law), Section 20 (Dispute Resolution), and Section 21 (General Provisions).

19.1 These Terms and any dispute, controversy, or claim arising out of or in connection with these Terms, including any dispute regarding their existence, validity, interpretation, performance, breach, or termination (whether contractual or non-contractual), shall be governed by and construed in accordance with the laws of France, excluding its conflict-of-law provisions and the United Nations Convention on Contracts for the International Sale of Goods (CISG). 19.2 Subject to Section 20 (Dispute Resolution), each party irrevocably submits to the exclusive jurisdiction of the courts of Paris, France to determine any dispute or claim (whether contractual or non-contractual) arising out of or in connection with these Terms. 19.3 Nothing in Section 19.2 prevents AffectLog from applying to any court of competent jurisdiction for urgent injunctive or interim relief to protect its Intellectual Property Rights, Confidential Information, or other proprietary rights. 19.4 Consumer protection: If you are a natural person acting outside the course of any business or profession (a consumer), and the mandatory consumer protection laws of your country of habitual residence provide you with stronger protections than these Terms, those mandatory protections shall apply in addition to, and shall prevail over, these Terms to the extent of any inconsistency.

20.1 Informal resolution: Before initiating formal legal proceedings, each party agrees to attempt to resolve any dispute in good faith through the following escalating process: Step 1: Written notice of the dispute submitted to the other party's designated contact ([email protected] for AffectLog; the email address on your Account for you). Step 2: Within 14 days, good-faith discussion between the day-to-day operational contacts of each party. Step 3: If unresolved within 30 days of Step 2, escalation to senior management of each party. Step 4: If unresolved after a further 15 days, either party may initiate formal proceedings under Section 19. 20.2 Preserved rights: Nothing in Section 20.1 prevents either party from seeking urgent injunctive or other equitable relief from a court of competent jurisdiction at any time where necessary to prevent irreparable harm. 20.3 CLASS ACTION WAIVER: TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, EACH PARTY AGREES THAT ANY CLAIM ARISING OUT OF OR RELATED TO THESE TERMS OR THE SERVICE SHALL BE BROUGHT SOLELY IN THAT PARTY'S INDIVIDUAL CAPACITY, AND NOT AS A PLAINTIFF, CLASS MEMBER, OR PARTICIPANT IN ANY PURPORTED CLASS ACTION, COLLECTIVE ACTION, REPRESENTATIVE ACTION, OR CONSOLIDATED PROCEEDING. No court or arbitrator shall have authority to consolidate proceedings or to certify a class in any proceedings involving these Terms. 20.4 Time limit: Any claim arising out of or related to these Terms must be commenced within 2 years of the date on which the aggrieved party knew or reasonably should have known of the facts giving rise to the claim. Claims not brought within this period are permanently barred.

21.1 Entire agreement: These Terms, together with the Privacy Policy, the DPA, and any signed Order Form, constitute the entire agreement between you and AffectLog with respect to the Service and supersede all prior and contemporaneous agreements, representations, warranties, understandings, and negotiations, whether oral or written, relating to the subject matter hereof. 21.2 Amendment: AffectLog may update these Terms from time to time. We will notify registered users by email at least 14 days before material changes take effect. The revised Terms will be posted at affectlog.com/terms with an updated version number and effective date. Continued use of the Service after the effective date of any change constitutes your acceptance of the updated Terms. If you do not accept a change, you must stop using the Service before the effective date. 21.3 Severability: If any provision of these Terms is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction, such provision shall be modified to the minimum extent necessary to make it valid and enforceable (or removed if it cannot be made valid), and the remaining provisions of these Terms shall continue in full force and effect. 21.4 No waiver: No failure or delay by either party in exercising any right, power, or remedy under these Terms shall operate as a waiver thereof, nor shall any single or partial exercise of any right, power, or remedy preclude any other or further exercise thereof or the exercise of any other right, power, or remedy. A waiver is only effective if made in writing and signed by an authorised representative of the waiving party. 21.5 Assignment: You may not assign, transfer, delegate, or novate any of your rights or obligations under these Terms — whether by operation of law, merger, change of control, or otherwise — without AffectLog's prior written consent. AffectLog may freely assign these Terms in connection with a merger, acquisition, corporate reorganisation, or sale of all or substantially all of its assets or business to which these Terms relate, upon notice to you. 21.6 Notices: Legal notices to AffectLog must be sent by email to [email protected] with a confirming copy by recorded post to our registered address. Notices to you will be sent to the email address associated with your Account and are deemed received 24 hours after sending. It is your responsibility to keep your email address up to date. 21.7 No third-party beneficiaries: These Terms are for the sole benefit of the parties and their permitted successors and assigns. Nothing in these Terms creates any rights in any third party, including any data subject, employee, or contractor. 21.8 Relationship of parties: The parties are independent contractors. Nothing in these Terms creates any agency, partnership, joint venture, employment, franchise, or fiduciary relationship between the parties. 21.9 Export compliance: You agree to comply with all applicable export control and sanctions laws, including the EU dual-use export control regulations, the U.S. Export Administration Regulations (EAR), the International Traffic in Arms Regulations (ITAR), and the sanctions programmes administered by OFAC, OFSI, and equivalent authorities. You represent that you are not subject to any such sanctions or export restrictions. 21.10 Anti-bribery and corruption: Each party agrees to comply with all applicable anti-bribery and anti-corruption laws, including the UK Bribery Act 2010, the U.S. Foreign Corrupt Practices Act (FCPA), and equivalent legislation. Each party represents that it has not offered, paid, promised, or authorised any bribe, kickback, or improper payment in connection with these Terms. 21.11 Publicity: Neither party will issue any press release or make any public statement regarding the existence or content of these Terms or the commercial relationship between the parties without the other party's prior written consent, except as required by applicable law or regulatory disclosure obligation. 21.12 Headings: Section headings are for reference only and shall not affect the interpretation of these Terms. 21.13 Language: These Terms are executed in the English language. If these Terms are translated into any other language, the English version shall prevail in the event of any inconsistency.

For all legal and contractual enquiries under these Terms: Legal: [email protected] Billing: [email protected] Security: [email protected] Privacy / DPO: [email protected] General: [email protected] Response time: within 2 business days for general enquiries; formal legal notices will receive a substantive response within 10 business days. Provena by AffectLog — AI Governance & Evidence Platform affectlog.com