Xpometer Terms and Conditions of Use
1. Definitions
“Agreement” means these Terms and Conditions, together with any Order Form(s) and incorporated policies/agreements.
“Applicable Law” means all laws, regulations and codes applicable to a party’s performance, including data protection and export control laws.
“Affiliate” means an entity that is directly or indirectly owned, operated, or controlled by the Client entity.
“Authorized Users” means Client’s employees or contractors authorized by Client to use the Platform in accordance with this Agreement.
“Client” means the business or entity, or individual having entered into the Agreement for the use of Services.
“Client Data” means any data or content (including personal data) that Client or its Users submit to the Platform or Site forms.
“Company” means Xpometer or its Affiliate, as set forth on the applicable Order Form.
“Confidential Information” means any non-public, proprietary, or confidential information disclosed by one party (the "Disclosing Party") to the other party (the "Receiving Party"), whether orally, in writing, or in any other form, including but not limited to: (a) technical data, trade secrets, know-how, research, product plans, products, services, customers, customer lists, markets, software, developments, inventions, processes, formulas, technology, designs, drawings, engineering, hardware configuration information, marketing, finances, or other business information; (b) for Client, Client Data and any information about Client's business operations, users, or use of the Services; and (c) for Company, the Platform, Documentation, underlying technology, algorithms, source code, and business information. Confidential Information does not include information that: (i) is or becomes generally available to the public other than through breach of this Agreement; (ii) was known by the Receiving Party prior to disclosure; (iii) is independently developed by the Receiving Party without use of or reference to Confidential Information; or (iv) is rightfully received by the Receiving Party from a third party without restriction.
“Documentation” means user guides and other materials made available by Company.
“DPA” means the Data Processing Addendum accessible via https://xpometer.com/terms referenced in §10 when Client Data includes personal data.
“Platform” means Company’s hosted software-as-a-service platform, including underlying technology and Documentation.
“Subject(s)” means individual(s) or entity(ies) for which Output is requested by the Client through the Platform.
“Site” means xpometer.com and its subdomains (including any login portals and web properties controlled by Company).
“Services” means the Platform and related professional/technical support and the Site to the extent it provides informational or account access features.
“Subscription Term” means the term of subscription to the Services, as further set out in the Order Form and §14.1.
“Order Form” means the ordering document (including online checkout) executed by the Client and the Company specifying the subscription plan, quantities of Subjects, fees, and other details.
“Output” means reports, scores, alerts, and recommendations generated by the Platform for Client for a Subject.
“Usage Data” means aggregated and/or de-identified data derived from use of the Services (e.g., feature usage, performance metrics) that does not identify Client or an individual.
2. Service Description
The Platform provides an exposure‑management and digital risk analysis tool. It collects and analyses open‑source and commercially licensed data (e.g., news, social media, forums, breach/leak reports) and, using proprietary AI models, third-party large language models (“LLMs”), and expert methodologies, generates risk scores, alerts and recommendations to support security decision‑making (“Outputs”). The Platform is delivered via secure cloud hosting managed by the Company. The Site provides marketing information, documentation, and account access to the Platform. Outputs are intended to assist the Client in decision-making, and the Client acknowledges that AI-generated Outputs are intended to supplement, not replace, human judgment and expertise.
3. Access & License (Platform)
3.1 Grant.
Subject to timely payment of fees, the Company grants the Client a limited, non‑exclusive, non‑transferable, revocable license to access and use the Platform during the Subscription Term for the Client’s internal business purposes, in accordance with this Agreement and the Documentation. The permitted purpose is to use the Services for risk reduction and protective intelligence.
3.2 Restrictions.
Except as expressly permitted in writing, the Client shall not (a) rent, resell, sublicense or provide the Platform to any third party; (b) copy, modify, or create derivative works of the Platform; (c) reverse engineer, decompile or otherwise attempt to derive source code or AI models; (d) access the Platform to build a competing product or service; (e) remove proprietary notices; or (f) attempt to train, fine-tune, or extract training data from the Platform's AI models.
3.3 Users.
Access is limited to Authorized Users. The Client is permitted to change a Subject once during each Subscription Term without any additional fees. Client is responsible for all use of its accounts and for maintaining the confidentiality of credentials.
3.4 Affiliates.
The Client’s Affiliates may use the Platform under Client’s Order Form provided Client remains responsible for their compliance and payment of any additional fees.
3.5 Compliance.
The Company reserves the right to audit, and the Client shall facilitate an audit of, the Client’s use of the Services for compliance purposes. If the Company believes that the Client is misusing the Platform and is in breach of section 3 or 4 of this Agreement, the Company reserves the right to suspend or, in some cases, terminate the Client’s access to the Services.
4. Acceptable Use (Platform & Site)
Client shall use the Services only in compliance with Applicable Law and shall not, directly or indirectly:
- use the Services for stalking, harassment, unlawful surveillance, targeting, discrimination, or any other unlawful purpose;
- target individuals or groups in violation of anti‑discrimination, human rights or employment laws;
- infringe or misappropriate third‑party rights, including intellectual property and privacy;
- use the AI features to process sensitive personal data or to make automated decisions about individuals without appropriate safeguards and human oversight;
- attempt to bypass technical or usage limits;
- upload malicious code; or
- scrape, crawl, harvest, or bulk‑download the Site.
5. Site Content & Website Use
5.1 Informational content.
Content on the Site (e.g., blog posts, whitepapers, examples) is for general information and may reference public sources; it does not constitute advice.
5.2 IP & license.
All Site content is owned by the Company or its licensors. The Company grants visitors a limited license to view and share publicly available pages for non‑commercial, informational purposes with attribution; all other rights are reserved. Logos, trademarks, and brand assets may not be used without permission.
5.3 Third‑party links.
The Site may link to third‑party sites; the Company is not responsible for their content or policies.
5.4 User submissions.
Information submitted via Site forms (contact/demo/support) is treated as Client Data and processed per §10 and the Privacy Policy.
6. Third‑Party Content & Services
The Platform may index, reference, or link to third‑party content and services. The Company does not control such content/services and provides no warranties for them. The Client’s use of third‑party offerings is subject to the third party’s terms.
7. Fees & Payment
7.1 Fees.
Fees are as stated on the Order Form and are non‑cancellable and non‑refundable except as expressly provided in this Agreement.
7.2 Invoicing & Payment.
Unless otherwise stated, fees are invoiced annually in advance and due within thirty (30) days of invoice. Late amounts may accrue interest at the lesser of 1.5% per month or the maximum permitted by law and may result in suspension after prior notice.
7.3 Price Changes.
Company may adjust fees for renewals by giving at least thirty (30) days’ prior notice before the end of the then‑current Subscription Term.
8. Intellectual Property; Feedback; Usage Data
8.1 Ownership.
The Company and its licensors own all rights, title and interest in and to the Site, Platform and Documentation. No rights are granted other than as expressly set out herein.
8.2 Client Data.
The Client retains all rights in Client Data. The Client grants the Company a non‑exclusive license to host, process, transmit, display and otherwise use Client Data to provide and improve the Services, to provide support, to ensure security, and as otherwise permitted in the DPA.
8.3 Feedback.
If Client provides feedback or suggestions, Company may use them without restriction or obligation.
8.4 Outputs Ownership.
Subject to Applicable Law, and as between the Parties, all intellectual property rights in and to the Outputs generated by the Platform through the use of Client Data shall vest in and be owned by the Client. Such ownership shall be subject to (i) any third-party intellectual property rights subsisting in the Outputs and (ii) the restrictions set forth in this Agreement.
8.5 Usage/De‑identified Data.
Company may collect and use Usage Data and de‑identified/aggregated data (including from open sources, Client Data and Outputs) to operate, analyse, and improve its Services and for benchmarking and security purposes, provided it does not identify Client or an individual.
9. Service Levels & Support
The Company will use commercially reasonable efforts to make the Platform available and to provide support during business hours specified in the Documentation. Planned maintenance will be notified in advance where practicable. Service levels and response targets may be agreed separately in a Service Level Agreement ("SLA") between the parties.
10. Data Protection, Security & Confidentiality
10.1 Roles.
For Client Data that is personal data, the Client is the controller and Company is the processor (each as defined by Applicable Law).
10.2 DPA.
The DPA is incorporated by reference and governs Company’s processing of personal data on the Client’s behalf, including subprocessor commitments, international transfer mechanisms, and breach notification.
10.3 Privacy & cookies.
Processing of personal data via the Site is described in Company’s Privacy Policy and Cookie Notice available on xpometer.com.
10.4 Security.
Company maintains appropriate technical and organisational measures to protect Client Data, as described in the DPA.
10.5 Data Location & Transfers.
Company may process Client Data in jurisdictions where it or its subprocessors operate, subject to the obligations and safeguards in the DPA.
10.6 Confidential Information.
10.6.1 Each party agrees to: (a) hold Confidential Information in strict confidence; (b) not disclose Confidential Information to third parties without prior written consent, except to employees, contractors, and advisors who need to know and who are bound by confidentiality obligations at least as restrictive as those herein; (c) use Confidential Information solely for the purposes of this Agreement; and (d) take reasonable precautions to protect Confidential Information, using at least the same degree of care used to protect its own confidential information, but in no event less than reasonable care.
10.6.2 The Receiving Party may disclose Confidential Information if required by law or court order, provided it gives the Disclosing Party prompt written notice and cooperates in any effort to seek a protective order.
10.6.3 This §10.6 survives termination of this Agreement for five (5) years.
10.7 Data Export/Deletion.
During the Subscription Term and for thirty (30) days thereafter, the Client may export Client Data and Outputs via the Platform. After that period, the Company will delete or de‑identify Client Data, except for backups retained for limited periods or where retention is required by law.
11. Warranties & Disclaimers
11.1 Limited Warranty.
The Company warrants that during the Subscription Term the Platform will perform materially in accordance with the Documentation. The Client’s sole remedy for breach of this warranty is, at Company’s option, (a) repair or replacement of the non‑conforming functionality; or (b) termination and a pro‑rata refund of prepaid fees for the affected period.
11.2 Client Warranties.
The Client warrants that it has all necessary rights, permissions, and authority to provide Client Data, to request Outputs, and to use the Services in compliance with Applicable Law, including Applicable Data Protection Law. By requesting Outputs concerning any individual or entity, the Client represents and warrants that it has a lawful basis and all required authorizations to do so, including, where applicable, legitimate interest and transparency obligations. Where specific consent from a data subject is required, the Client represents and warrants that such consent has been validly obtained and that all notices mandated under Applicable Data Protection Law have been provided. The Client shall be solely responsible for the accuracy, quality, and legality of Client Data, for the methods by which such data has been acquired, and for obtaining and maintaining all necessary usage rights in respect of such data. The Company may suspend access to the Services immediately in the event of a breach of this section, where necessary to prevent harm or mitigate legal risk, provided that prompt notice of such suspension is given to the Client.
11.3 General Disclaimers.
The Services and Outputs are PROVIDED FOR decision‑support PURPOSES only. Given the nature of digital information, THE COMPANY DOES NOT WARRANT OR REPRESENT THAT ALL RELEVANT DATA WILL BE DISCOVERED OR THAT SERVICES OR OUTPUTS WILL BE COMPLETE, ACCURATE, CURRENT, ORIGINAL, OR FIT FOR ANY PARTICULAR PURPOSE. THE CLIENT ACKNOWLEDGES THAT OUTPUTS MAY BE INCOMPLETE, OUTDATED, INACCURATE, RESTRICTED, INTENTIONALLY OBSCURED, OR OTHERWISE UNRELIABLE, AND THE COMPANY ACCEPTS NO LIABILITY OR RESPONSIBILITY ARISING FROM THE CLIENT’S USE OF OR RELIANCE ON SUCH OUTPUTS. ALL OUTPUTS REQUIRE HUMAN REVIEW, VERIFICATION, AND INDEPENDENT JUDGMENT, AND THE CLIENT ACKNOWLEDGES THAT USE OF AI-POWERED SERVICES IS AT ITS OWN RISK.
Neither Party nor its licensors makes any warranty of any kind, whether express, implied, statutory or otherwise, and each Party and its licensors specifically disclaims all implied warranties, including any implied warranty of merchantability, title, or non-infringement, to the maximum extent permitted by Applicable Law.
Except as expressly stated, the Services are provided “as is” and “as available” and the Company does not warrant that the Services will be error-free or uninterrupted or will meet Client's requirements or expectations.
12. Indemnities
12.1 IP Indemnity by the Company.
The Company will defend and indemnify the Client against third‑party claims alleging that the Client’s authorized use of the Platform infringes such third party’s intellectual property rights, and will pay direct damages and reasonable legal fees finally awarded or agreed in settlement, as set out in Section 12.3 below. The Company’s obligations do not apply to claims arising from (a) Client Data or third‑party content; (b) use of the Platform in combination with items not provided by the Company; (c) modifications not made by the Company; or (d) use in breach of the Agreement. Notwithstanding the foregoing, if an infringement claim arises or if the Company reasonably determines that use of the Platform is likely to be enjoined, the Company may, at its expense, (i) procure the right for Client to continue using the Platform; (ii) replace or modify the Platform to be non‑infringing; or (iii) terminate the affected services and refund prepaid fees for the unused portion. THIS SECTION SETS FORTH COMPANY’S SOLE LIABILITY AND CLIENT’S SOLE AND EXCLUSIVE REMEDY WITH RESPECT TO ANY CLAIM THAT THE PLATFORM INFRINGES THE INTELLECTUAL PROPERTY OF A THIRD PARTY.
12.2 Indemnity by the Client.
The Client will defend, indemnify and hold harmless the Company against any claim brought by a third party against the Company, including all damages, liabilities, costs, and reasonable attorneys' fees finally awarded or agreed to in settlement, to the extent such claim: (a) relates to Client Data (provided the Company processes such Client Data in accordance with this Agreement); (b) results from the combination of the Subscription Services with any products or services not provided by the Company; (c) results from Client’s unlawful use of the Services, including unlawful surveillance or discrimination; (d) relates to Outputs generated or processed at the Client’s request; or (e) arises from Client's breach of §3.3, §4 or §11.2.
12.3 Indemnification Procedure.
The obligations of a party required to provide indemnification under this Section 12 (the “Indemnifying Party”) are conditioned upon the party entitled to receive indemnification (the “Indemnified Party”): (a) providing the Indemnifying Party with prompt written notice of the lawsuit or action (any failure to provide notice will limit the Indemnifying Party’s obligations to the extent such failure materially impaired the Indemnifying Party’s ability to effectively defend or settle the lawsuit or action); (b) giving the Indemnifying Party sole control of the defense of the lawsuit or action and any related settlement negotiations; and (c) providing to the Indemnifying Party, at the Indemnifying Party’s expense, all assistance, information and authority reasonably required to effectively defend or settle the lawsuit or action. In addition to the foregoing, the Indemnified Party may participate in the defense using separate counsel at its own expense. The Indemnifying Party may not enter into any settlement without the Indemnified Party’s prior written consent, which shall not be unreasonably withheld, provided that such consent shall be deemed to be given if the Indemnified Party is advised of the proposed settlement but fails to respond within thirty (30) days of receipt of such notification.
13. Limitation of Liability
13.1 Types of Damages.
To the maximum extent permitted by law, neither party will be liable for any indirect, incidental, special, consequential or punitive damages, or for loss of profits, revenues, business, goodwill, or data, even if advised of the possibility.
13.2 Cap.
Each party’s aggregate liability arising out of or related to this Agreement shall not exceed the total fees paid or payable by the Client to Company under the Order Form giving rise to the claim in the twelve (12) months preceding the first event giving rise to liability.
13.3 Carve‑outs.
The limitations in this §13 do not apply to (a) payment obligations; (b) unauthorized use or infringement/misappropriation of the other party’s IP; (c) breach of confidentiality; (d) the Client’s indemnity in §12.2 or Client's breach of §3.3, §4 or §11.2; or (e) liability that cannot be excluded by law (e.g., fraud, willful misconduct, death or personal injury caused by negligence).
14. Term, Renewal, Suspension & Termination
14.1 Term & Renewal.
Each Subscription Term is as stated in the Order Form and renews for successive terms of the same length unless a party gives notice of non‑renewal at least ninety (90) days before the end of the then‑current term. If there is a trial period, the Subscription Term will start at the end of the trial period, unless the Services are terminated during the trial period.
14.2 Termination for Cause.
Either party may terminate this Agreement upon written notice if the other party materially breaches and fails to cure within thirty (30) days after notice. Company may terminate immediately for non‑payment that remains uncured after notice.
14.3 Suspension.
Company may suspend access immediately for security risks, legal compliance, or material breaches, and will restore access once the issue is remedied.
14.4 Effect of Termination.
Upon termination, the Client’s access ceases. §8.3, §8.4, §9, §10.6, §11.3, §12, §13, §14.4, §16–§20 survive. Data export/deletion is handled per §10.6.
15. Changes to Services and Terms
The Company may make non‑material changes to the Services and this Agreement at any time. Material changes that adversely affect the Client’s rights (including fee increases other than per §7.3) will take effect on the next renewal unless required by law or for security/privacy reasons. The Company will provide at least thirty (30) days’ prior notice of material changes. Continued use after the effective date constitutes acceptance.
16. Compliance; Export; Anti‑Corruption
The Client represents that neither it nor its beneficial owners are listed on sanctions/restricted party lists. The Client shall not use the Services in violation of export, sanctions, or national security laws. Each party shall comply with anti‑bribery/anti‑corruption laws (e.g., UK Bribery Act, FCPA).
17. Governing Law & Dispute Resolution
17.1 Regional application.
If Client’s contracting address is in the EU/EEA, the United Kingdom, or Switzerland, the Europe Regional Terms (Annex A) apply and govern law, venue, and dispute rules. If Client’s contracting address is in the United States or its territories, the United States Regional Terms (Annex B) apply. In all other cases Annex A shall apply.
17.2 Injunctive relief.
Nothing prevents either party from seeking urgent injunctive or equitable relief in any competent court.
17.3 Order of precedence.
Where the Regional Terms conflict with this §17, the applicable Regional Terms control.
18. Publicity
The Company may not identify the Client as a customer (name and logo) in marketing materials or on its website unless such use has been specifically agreed between the Company and the Client.
19. Assignment; Subcontracting; Force Majeure
The Client may not assign this Agreement without the Company’s consent, except to an Affiliate or in connection with a merger, reorganization, or sale of substantially all assets (with notice). The Company may assign freely. The Company may use subcontractors (including sub‑processors) and remains responsible for their performance. Neither party is liable for delays or failures due to events beyond its reasonable control (force majeure).
20. Notices; Miscellaneous
20.1 Notices.
Legal notices must be in writing and sent to the addresses below (or updated by notice). Email is sufficient for routine notices; legal or breach notices require email and delivery to a physical address.
The Company: The address in the Order Form. Email: legal@xpometer.com, Attn: Legal
Client: The address and email in the Order Form.
20.2 Entire Agreement; Order of Precedence.
This Agreement constitutes the entire agreement and supersedes prior agreements on the subject. In case of conflict, the Order Form prevails, then the DPA (for data processing matters), then these Terms, then the Documentation.
20.3 Severability & Waiver.
If any provision is unenforceable, the remainder remains in effect. Failure to enforce is not a waiver.
20.4 No Third‑Party Beneficiaries.
There are no third‑party beneficiaries.
20.5 Interpretation.
“Including” means “including without limitation”. Headings are for convenience only.
21. Regional Terms (Annexes)
Annex A — Europe (EU/EEA, UK, Switzerland)
A1. Governing law & forum. This Agreement is governed by Maltese law. Disputes are finally settled by Maltese courts. Nothing limits a party’s right to injunctive relief.
A2. Data protection (GDPR/UK GDPR/Swiss FADP).
- The DPA is incorporated and governs the Company’s processing as a processor on the Client’s behalf (the Client as controller).
- Client responsibilities: The Client is responsible for having a lawful basis, transparency notices, and valid instructions for any analysis of individuals; the Client must not rely solely on automated decisions where prohibited by Applicable Law, including but not limited to Article 22 of the GDPR. The Client acknowledges that when using AI Services, it must, in particular: (i) implement appropriate human oversight measures for AI-generated outputs; (ii) maintain transparency with end-users about the use of AI technologies; (iii) ensure compliance with AI-specific regulations in applicable jurisdictions; and (iv) implement appropriate safeguards when using AI Services for decisions affecting individuals.
A3. AI Services and Consumer Law.
- AI Features and Warranties: The Company provides AI-powered features and functionalities that may utilize large language models ("LLMs") and other artificial intelligence technologies. The Company: (i) uses commercially reasonable efforts to validate and vet third-party LLM providers; (ii) implements appropriate controls and safeguards for algorithm training and fine-tuning; (iii) maintains documentation of its AI development and deployment processes; and (iv) conducts periodic assessments of AI output quality and bias detection.
- AI Disclaimers: The Client acknowledges and agrees that: (i) AI Services may produce varying or unexpected Outputs; (ii) AI models may have inherent limitations, biases, or inaccuracies; (iii) the Company makes no guarantees regarding the specific Outputs or decisions generated by the AI Services; and (iv) the Client remains responsible for reviewing and validating AI-generated Outputs before use.
- Consumer Law: The services are provided B2B only. Mandatory consumer rights (if applicable) remain unaffected and prevail to the extent they cannot be disclaimed.
A4. Export/sanctions. The Client and the Company will comply with EU and UK export control and sanctions regimes; the Client will not use the Services in jurisdictions or for end‑uses prohibited under such regimes.
Annex B — United States
B1. Governing law & dispute resolution. This Agreement is governed by Delaware law. Disputes are finally resolved under the Delaware Rapid Arbitration Act (DRAA), by one arbitrator, in English. The parties waive jury trial to the extent permitted and agree to a class action waiver for arbitration and litigation, where enforceable. Nothing limits injunctive relief. THE CLIENT AND COMPANY MAY NOT BRING A CLAIM ARISING OUT OF THIS AGREEMENT, OR THE USE OR ATTEMPTED USE OF THE SERVICES, AS A PLAINTIFF OR CLASS MEMBER IN ANY PURPORTED CLASS OR REPRESENTATIVE PROCEEDING, AND FURTHER AGREE THAT THE ARBITRATOR MAY NOT CONSOLIDATE PROCEEDINGS OR CLAIMS OR OTHERWISE PRESIDE OVER ANY FORM OF REPRESENTATIVE OR CLASS PROCEEDING WITH RESPECT TO ANY CLAIM ARISING OUT OF THIS AGREEMENT OR THE USE OR ATTEMPTED USE OF THE SERVICES. Any award rendered by the arbitrator shall be final and binding upon the parties, and judgment on the award may be entered and enforced in any court of competent jurisdiction.
B2. US privacy (state laws). For Personal Information subject to Applicable US State Privacy Laws (including, for example, the California Consumer Privacy Act as amended by the CPRA and materially similar state privacy laws, each as updated from time to time), the Company acts as Service Provider/Processor and will: (a) process Personal Information solely to provide the Services and as permitted by the Client’s written instructions; (b) not sell or share Personal Information or use it for cross‑context behavioral advertising; (c) not combine Personal Information with other data except as allowed to provide/improve the Services or as permitted by law; (d) implement reasonable security measures; (e) delete or return Personal Information at the Client’s request or upon termination, subject to legal retention; (f) provide reasonable assistance with consumer requests and provide information reasonably necessary to demonstrate compliance; and (g) flow down these obligations to authorized subprocessors. The Client represents it has provided required notices and has a lawful basis for processing.
B3. Security & breach. The Company maintains administrative, technical, and physical safeguards reasonably designed to protect Personal Information; the Company will notify the Client of a security incident involving Personal Information without undue delay after becoming aware, consistent with applicable law.
B4. US Government end users (if applicable). The Platform and Documentation are “Commercial Computer Software” and “Commercial Computer Software Documentation.” Rights of the US Government end users are limited by FAR 12.212 and DFARS 227.7202 or successor regulations.
B5. Export/sanctions. The parties will comply with US export control and sanctions laws (including the EAR and OFAC regulations). The Client shall not use or provide access to the Services where prohibited.
Contact regarding the Terms and Conditions
Email: legal@xpometer.com
For Xpometer Limited:
Centre Room 1 Level 1 Suite 2, Triq L-Imdina, Zebbug, ZBG 9015, Malta, company registration number C112876.
+356 79 258 081
For Xpometer US Inc.:
1111B S Governors Ave STE 39699, Dover, DE 19904 US, company registration (file) number 10317956
+1 (302) 604 5303