Terms of Service
By accessing or using the SECRATO platform, you agree to the terms outlined below. Please review them carefully to understand your rights and responsibilities.
Effective as of November 2025
Introduction
This Terms of Subscription sets out the conditions under which Secrato provides access to, or installation of, its Governance, Risk and Compliance (GRC) software platform and related services. By subscribing to, deploying, or using the Services, the Customer agrees to be bound by these Terms. These Terms govern both cloud-based (“Software-as-a-Service”) and on-premise use of Secrato’s offerings.
1. The Services – Scope and Access
1.1 Provision of Services
Secrato provides access to, or installation of, its Governance, Risk and Compliance (GRC) software platform and related services (the “Services”) as described in Secrato’s Documentation or order form. “Documentation” means the user guides, technical specifications, service descriptions, or other materials published or provided by Secrato describing the functionality, use, and configuration of the Services, whether in digital or written form.
1.2 Access and Use
The Customer receives access credentials or installation rights to use the Services during the applicable Subscription Term, in accordance with these Terms and any reasonable technical limits or usage conditions described in the Documentation.
1.3 APIs and Integrations
Where the Services include APIs or integrations, use must remain within Secrato’s technical and security constraints. Secrato may suspend API or integration access in cases of abuse or risk to system integrity.
1.4 Acceptable Use
Customer shall not: (a) use the Services unlawfully; (b) circumvent security or access unauthorised areas; (c) reverse engineer, decompile or disassemble the Services; (d) introduce malware or harmful code; (e) share credentials or use the Services as a service bureau; (f) scrape, extract or benchmark the Services to develop a competing service; or (g) infringe third-party rights. Secrato may suspend the Services for breach of this clause.
1.5 Trials
Where Secrato provides trial or evaluation access, such access is provided free of charge and “as is” for the stated period. The Customer must export any data before the trial ends; Secrato may delete trial data thereafter.
1.6 Beta Features
Pre-release features identified as beta, preview or early access are for evaluation only, are not part of the Services, are provided “as is” without support or warranties, and may be withdrawn at any time.
1.7 Compliance and Suspension
Secrato may suspend access or support if required to comply with applicable export-control or trade-sanctions laws, or if the Customer’s use appears unlawful, fraudulent, or harmful to the Services or others.
2. Fees and Payment – Billing and Renewals
2.1 Fees
Subscription Fees are set out in the applicable order form or online purchase flow. All prices are exclusive of VAT and other applicable taxes, which remain the Customer’s responsibility.
2.2 Payment
Unless otherwise agreed, Fees are payable in advance via the stored payment method. By subscribing, the Customer authorises Secrato to automatically bill the payment method on file for renewals or add-ons.
2.3 Non-payment; Suspension
Overdue amounts accrue statutory interest from the due date until payment. If any amount remains unpaid 15 days after the due date, Secrato may suspend the Services on notice until paid in full, without prejudice to recovery of interest and costs.
2.4 Billing Disputes
Any billing dispute must be raised within 30 days of invoice. Both parties will cooperate in good faith to resolve disputes promptly; undisputed amounts remain payable.
2.5 Price Adjustments
Secrato may adjust pricing upon renewal with 45 days’ prior notice.
2.6 Currency
Payments are made in the currency stated on the invoice. The Customer bears any exchange or bank-processing costs.
2.7 Marketplace or Reseller Billing
Where Services are purchased through an authorised reseller or cloud marketplace, billing and any credits or refunds may be managed by that channel; these Terms otherwise govern the Services.
2.8 Fees Non-refundable
Except as expressly stated in these Terms, Fees are non-cancellable and non-refundable.
2.9 Taxes
Fees are exclusive of all taxes, levies and duties (including VAT and withholding), which are payable by the Customer, excluding taxes on Secrato’s net income.
3. Term and Termination – Duration and Data Export
3.1 Term
The Subscription Term begins on the effective date stated in the order form and continues until terminated in accordance with these Terms.
3.2 Contract Formation
Acceptance occurs upon (i) signature of an order form, (ii) electronic acceptance through Secrato’s platform, or (iii) activation or installation of the software, whichever occurs first.
3.3 Renewal
Unless otherwise stated, subscriptions renew automatically for successive terms equal to the initial term. Either party may give written notice of non-renewal at least 30 days before the end of the current term. Renewal terms will be clearly communicated prior to renewal.
3.4 Termination for Cause
Either party may terminate immediately on written notice if the other materially breaches these Terms and fails to remedy the breach within 30 days of notice.
3.5 Effect of Termination
Upon termination, access to or support for the Services will cease. The Customer may export its data within 30 days of termination by requesting a standard data export. After that period, Secrato will delete Customer Data from active systems. If the Customer terminates for Secrato’s uncured material breach, Secrato will refund any prepaid, unused Fees on a pro-rata basis. Sections intended to survive termination remain in effect.
3.6 Insolvency
Either party may terminate immediately if the other enters insolvency, administration, liquidation or analogous proceedings.
4. Ownership and Intellectual Property – Rights and Usage
4.1 Secrato Intellectual Property
All intellectual property rights in the Services, Documentation and underlying technology remain the exclusive property of Secrato and its licensors. No rights are granted except those expressly stated.
4.2 Customer Data
The Customer retains ownership of all data uploaded to or generated within the Services. “Customer Data” means data uploaded to, or generated within, the Services by or on behalf of the Customer.
4.3 Aggregated Insights
Secrato may generate anonymised or aggregated data derived from Customer Data, provided such data cannot identify any individual or organisation. Such insights may be used to improve the Services and develop industry benchmarks, excluding any Customer Confidential Information.
4.4 Feedback
The Customer grants Secrato a worldwide, royalty-free, irrevocable licence to use feedback and suggestions to develop and improve the Services.
4.5 Usage Data
Secrato may collect and use usage and telemetry data to operate, secure and improve the Services; any external sharing will be aggregated or anonymised.
5. Confidentiality – Protection of Shared Information
5.1 Obligations
Each party must protect the other’s Confidential Information using administrative, technical and organisational safeguards that are no less protective than those used for its own confidential data.
5.2 Permitted Disclosure
Confidential Information may be shared with employees, contractors or advisers bound by confidentiality obligations, or where disclosure is required by law.
5.3 Return or Destruction
Upon request or termination, each party will delete or return the other’s Confidential Information, except for archival copies retained for legal defence or compliance obligations. Any retained copies will be destroyed within 12 months unless otherwise required by law.
6. Data Security and Privacy – Handling of Personal Data
6.1 Privacy Policy
Secrato processes personal data in accordance with its Privacy Policy, which forms an integral part of these Terms.
6.2 Customer Data as Controller
Where Secrato processes personal data on behalf of the Customer, such processing will be governed by a separate Data Processing Agreement (DPA) to be executed between the parties.
6.3 Cross-Border Transfers
Secrato implements appropriate safeguards for transfers of personal data outside the European Economic Area, including the use of EU Standard Contractual Clauses where required.
6.4 Audit and Inspection
Customer audit rights, where applicable, will be as set out in the DPA.
6.5 AI Features (if enabled)
Where AI features are enabled, Secrato will not use Customer Data to train general-purpose models. Outputs may be inaccurate or incomplete; the Customer remains responsible for validation and reliance.
7. Warranties and Disclaimers – Scope of Responsibility
7.1 Service Warranty
Secrato warrants that the Services will operate substantially in accordance with the Documentation under normal use or installation and that they will be performed with reasonable skill and care.
7.2 Disclaimer
Except as expressly provided in these Terms, the Services are provided “as is” without warranty of any kind. The Customer acknowledges that the Services assist with, but do not guarantee, legal or regulatory compliance.
8. Indemnification – Allocation of Liability
8.1 By Secrato
Secrato will defend and indemnify the Customer against third-party claims alleging that the Services infringe intellectual property rights, provided the Customer gives prompt notice and full cooperation. Secrato may (i) procure the right to continue use, (ii) replace or modify the Services to be non-infringing, or (iii) terminate affected Services and provide a pro-rata refund of prepaid, unused Fees for the remaining term if the preceding options are not commercially reasonable.
8.2 By the Customer
The Customer will indemnify Secrato against claims arising from Customer Data or use of the Services in breach of law or these Terms.
8.3 Mitigation
Each party must take reasonable steps to mitigate any loss or damage subject to indemnification.
8.4 Relation to Liability Limits
Indemnities are subject to the limitations set out in Section 9, unless expressly stated otherwise.
9. Limitation of Liability – Caps and Exclusions
9.1 Cap
Except for liability that cannot be limited by law, each party’s total aggregate liability arising from these Terms is limited to the Fees paid by the Customer in the 12 months preceding the claim.
9.2 Enhanced Cap
For claims arising from breaches of confidentiality or verified Security Incidents involving personal data, Secrato’s liability cap will equal twice the Fees paid in the 12 months preceding the claim.
9.3 Exclusions
Neither party is liable for indirect, consequential or punitive damages, loss of profits, or loss of data, except where such exclusion is prohibited by law.
9.4 Time Limit
No claim may be brought more than 12 months after the event giving rise to the claim.
10. General Provisions – Governing Law and Notices
10.1 Governing Law and Jurisdiction
These Terms are governed by the laws of Belgium, to the exclusion of its conflict-of-law rules. The courts of Antwerp (Division Sint-Niklaas) have exclusive jurisdiction.
10.2 Anti-Corruption and Trade Compliance
Each party will comply with applicable anti-bribery, anti-corruption and trade-sanctions laws.
10.3 Publicity
Secrato may use the Customer’s name or logo in customer lists or marketing materials only with prior written consent, which may be withdrawn at any time.
10.4 Electronic Signatures
Electronic acceptance of these Terms (including through online click-through or electronic signature) constitutes a valid and binding agreement under the eIDAS Regulation.
10.5 Entire Agreement; Order of Precedence
These Terms and any active order forms constitute the entire agreement regarding the Services and supersede prior understandings. In the event of conflict, the order form prevails over these Terms. Customer purchase orders or portal terms do not apply unless expressly agreed in writing.
10.6 Amendments
Secrato may modify these Terms with 45 days’ written notice. Continued use of the Services after the effective date of the amendment constitutes acceptance.
10.7 Notices
Notices must be sent by email to the contacts designated in the order form and, for legal notices, also by recognised courier to the registered address. Email notices are deemed delivered on sending; courier notices on receipt.
10.8 Contact Details
For contractual communications and notices:
SECRATO
18, Van Landeghemstraat
Sint-Niklaas, Belgium
Email: legal@secrato.io
For privacy matters, contact Secrato’s Data Protection SPOC at privacy@secrato.io.
10.9 Assignment
Either party may assign these Terms to an affiliate or in connection with a merger, change of control, or sale of substantially all assets, with notice; otherwise, prior written consent is required.
10.10 Severability
If any provision is held invalid, it shall be modified to achieve its intent to the maximum extent permitted; the remainder remains in force.
10.11 Relationship; Third-Party Beneficiaries
The parties are independent contractors. No partnership, agency, fiduciary or employment relationship is created. No third-party beneficiaries.
10.12 Third-Party Products and Services
Integrations and third-party products or services are subject to their own terms. Secrato is not responsible for their acts, omissions or outputs.
10.13 Force Majeure
Except for payment obligations, neither party is liable for delay or failure caused by events beyond reasonable control.
10.14 Waiver
Failure to enforce any provision is not a waiver. Any waiver must be in writing and signed.
10.15 Export Controls
Each party will comply with applicable export control and sanctions laws and will not make the Services available in breach of such laws.