Terms of Service

Last updated on 7th April 2026

At Veriom, we're committed to protecting your privacy and handling your data with the highest security standards when you use our website, platform or services.

1. Acceptance of Terms

1.1 Agreement

These Terms of Service ("Terms") constitute a binding agreement between Veriom ("Veriom," "we," "us," or "our") and you ("Customer," "you," or "your") governing your use of the Veriom platform at veriom.io and all associated services (the "Service").

By accessing or using the Service, you agree to these Terms. If you don't agree, you may not use the Service.

1.2 Authority

You represent that you have authority to bind yourself (or your organisation) to these Terms, are at least 18 years old, and that your use complies with all applicable laws.

1.3 Related Policies

These Terms incorporate by reference:

  • Data Protection Policy - governs our processing of personal data

  • Data Residency and Controls Policy - details data storage locations and controls

  • Data Processing Agreement (DPA) - applies to EU/UK customers subject to GDPR (available on demand via email to legal@veriom.io)

2. Service Description

2.1 The Veriom Platform

Veriom provides Architectural Root Cause Intelligence — identifying the structural decisions and architectural weaknesses that generate classes of vulnerabilities across the Software Development Lifecycle (SDLC). Rather than surfacing individual findings, the Service traces symptoms back to the underlying control failures and architectural patterns that produce them.

The Service includes:

  • Read-only integration with code repositories, cloud platforms, containers, CI/CD pipelines, and related systems

  • Architectural risk analysis and root cause identification

  • Detection of control failures across code, infrastructure, and runtime

  • Compliance monitoring and automated reporting

  • AI-generated architectural insights and remediation guidance

  • Managed services (if subscribed)

2.2 Read-Only Access

The Service operates on a read-only basis. We do not modify, delete, or alter your code, configurations, or infrastructure. We analyse and provide architectural insights; implementation of any recommendation remains with you.

2.3 Service Changes

We may modify the Service at any time. Material reductions in core functionality will be communicated with reasonable advance notice.

3. Accounts and Access

3.1 Account Registration

You must provide accurate, complete information and maintain account security. You're responsible for all activities under your account and must notify us immediately of unauthorised use.

3.2 Credentials

You're responsible for:

  • Maintaining confidentiality of passwords, API keys, and tokens

  • Implementing appropriate access controls

  • Enabling multi-factor authentication where available

  • Revoking compromised credentials immediately

3.3 Organisational Accounts

For organisational accounts, the account holder represents and binds the organisation. The organisation is responsible for managing user access and is liable for all user actions.

4. Acceptable Use

4.1 Permitted Use

You may use the Service only for lawful purposes, in compliance with these Terms, and consistent with applicable laws and regulations.

4.2 Prohibited Activities

You agree NOT to:

  • Access systems you don't own or aren't authorised to monitor

  • Reverse engineer, decompile, or derive source code from the Service

  • Introduce malware, viruses, or harmful code

  • Attempt to bypass security measures or access controls

  • Probe, scan, or test vulnerabilities

  • Use automated tools except through approved APIs

  • Resell, sublicense, or provide the Service to third parties

  • Develop competing products using the Service

  • Remove proprietary notices or circumvent usage limits

  • Violate privacy rights or data protection laws

  • Process illegal, harmful, or offensive content

  • Infringe intellectual property rights

  • Engage in fraudulent or deceptive practices

4.3 Compliance Responsibility

You're solely responsible for ensuring your use complies with:

  • Data protection laws (GDPR, CCPA, etc.)

  • Industry regulations (HIPAA, PCI DSS, SOX, DORA, etc.)

  • Export controls and sanctions

  • Employment laws applicable to monitoring

4.4 Your Security Responsibility

You remain responsible for securing your own infrastructure. Veriom identifies architectural weaknesses and control failures and provides remediation guidance, but implementation is at your discretion and risk. We're not responsible for any existing vulnerabilities or incidents in your systems, or for any vulnerabilities introduced by your own implementations.

5. API Access and Integrations

5.1 Authentication

API access requires valid authentication credentials. You must:

  • Store credentials securely

  • Rotate credentials regularly

  • Revoke compromised credentials immediately

5.2 Integration Permissions

When connecting third-party systems:

  • You must have proper authorisation

  • You're responsible for configuring appropriate access scopes

  • You must comply with third-party terms

  • You authorise Veriom to access data necessary for Service delivery

5.3 Usage Limits

We may impose reasonable limits on API calls, data ingestion, and platform usage. We'll notify you if you approach or exceed limits.

5.4 Integration Data

You represent that you have lawful rights to data accessed through integrations and grant us necessary processing rights as described in our Data Protection Policy.

6. Data and Privacy

6.1 Customer Data Ownership

You retain all rights to your data ("Customer Data"). You grant us a non-exclusive licence to process Customer Data solely to provide the Service.

6.2 Scope of Data Collection

The Service operates on metadata, configurations, and code patterns — not production data, customer records, or business content. Specifically:

What we collect:

  • File structures, dependency manifests, and configuration files from code repositories

  • Git metadata (commits, branches) for historical analysis

  • Cloud resource configurations, IAM policies, network settings, and service configurations

  • Container image metadata, package inventories, and configuration

  • CI/CD workflow definitions, build configurations, and pipeline metadata

  • Runtime metadata such as process execution patterns, network connection metadata, and configuration changes

  • API schemas, authentication configurations, and endpoint definitions

What we do not collect:

  • Proprietary business logic or application source code in persistent form

  • Customer data, database contents, or data stored in your resources

  • Production traffic, application runtime data, or customer workloads

  • Build artifacts or compiled binaries

  • Packet contents, request/response payloads, or file contents

  • Secrets (these are detected and flagged but not stored)

6.3 Ephemeral Analysis

Where source code or similar material must be inspected to produce findings, analysis is performed in an ephemeral environment and the underlying content is deleted immediately after processing. Only findings, metadata, and configuration snapshots are retained.

6.4 Storage and Isolation

Customer Data is held in dedicated, encrypted storage per organisation with complete tenant isolation. Data is encrypted at rest using AES-256 and in transit using TLS 1.3. Access is subject to strict role-based permissions and full audit logging. Default retention is configurable (typically 90 days for scan and runtime data; findings are retained for the duration of the subscription).

6.5 LLM Processing

Where the Service uses large language models to generate reports, insights, or remediation guidance, data is sanitised before being passed to the model. Sensitive material identified during collection does not reach the LLM. Where commercial LLM providers are used, we operate under zero-retention arrangements. Sovereign and self-hosted deployments may use customer-controlled models; specific terms for such deployments are set out in the applicable Order Form or deployment addendum.

6.6 Data Protection

Our processing of personal data is governed by our Data Protection Policy, which includes:

  • Legal bases for processing

  • Data subject rights procedures

  • Security measures and safeguards

  • Cross-border transfer mechanisms

  • Retention and deletion procedures

For EU/UK customers subject to GDPR, our Data Processing Agreement applies.

6.7 Data Residency

You may select your data residency region (EU or US). Details are in our Data Residency and Controls Policy.

6.8 Data Portability

Upon request, we'll provide Customer Data in JSON or CSV format, subject to technical feasibility.

7. Intellectual Property

7.1 Veriom IP

The Service, including all software, algorithms, AI models, architectural analysis methodology, interfaces, and documentation, is owned by Veriom and protected by intellectual property laws.

7.2 Limited Licence

Subject to compliance with these Terms, we grant you a limited, non-exclusive, non-transferable, revocable licence to use the Service for internal business purposes.

7.3 Restrictions

You may not copy, modify, create derivatives, rent, lease, sell, sublicense, or remove proprietary markings from the Service.

7.4 Feedback

If you provide suggestions or feedback, you grant us a perpetual, royalty-free licence to use it without obligation to you.

7.5 Aggregated Data

We may create anonymised, aggregated data from Service usage for improving the Service, benchmarking, and research. This data won't identify you.

8. Fees and Payment

8.1 Subscription Fees

Fees are specified in your Order Form or subscription plan based on service tier, users, monitored systems, and additional features.

8.2 Payment Terms

  • Fees are payable in advance (monthly or annually)

  • Payment due within 30 days of invoice

  • Fees are non-refundable except as expressly stated

  • Fees exclude applicable taxes (your responsibility)

8.3 Late Payment

Late payments may incur 1.5% monthly interest (or maximum permitted by law), service suspension after 15 days, and collection costs.

8.4 Fee Changes

We may modify fees with 30 days' notice for month-to-month subscriptions or at renewal for annual subscriptions.

9. Confidentiality

9.1 Confidential Information

Each party agrees to protect the other's Confidential Information (non-public information that should reasonably be considered confidential) using at least the same care as for its own confidential information.

9.2 Exceptions

Obligations don't apply to information that: (i) was publicly known without breach, (ii) was rightfully received from a third party, (iii) was independently developed, or (iv) must be disclosed by law.

10. Warranties and Disclaimers

10.1 Mutual Warranties

Each party warrants it has authority to enter this agreement and will comply with applicable laws.

10.2 Veriom Warranties

We warrant the Service will perform substantially as documented and we'll provide it using commercially reasonable care.

10.3 DISCLAIMER

EXCEPT AS EXPRESSLY PROVIDED, THE SERVICE IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, UNINTERRUPTED OPERATION, ACCURACY OF RESULTS, OR SECURITY.

We're not responsible for third-party systems, accuracy of data from integrated systems, or results of implementing (or not implementing) architectural or remediation recommendations.

11. Limitation of Liability

11.1 Consequential Damages

NEITHER PARTY IS LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING LOSS OF PROFITS, REVENUE, DATA, BUSINESS OPPORTUNITIES, BUSINESS INTERRUPTION, OR GOODWILL, EVEN IF ADVISED OF THEIR POSSIBILITY.

11.2 Liability Cap

VERIOM'S TOTAL LIABILITY WILL NOT EXCEED THE GREATER OF: (A) FEES PAID IN THE 12 MONTHS PRECEDING THE CLAIM, OR (B) £10,000 GBP.

11.3 Exceptions

Limitations don't apply to: (i) your breach of acceptable use or IP provisions, (ii) violation of laws, (iii) indemnification obligations, (iv) gross negligence or willful misconduct, or (v) liability that cannot be limited by law.

11.4 Basis of Bargain

These limitations are fundamental to our agreement and reflect the allocation of risk and fees.

12. Indemnification

12.1 Your Indemnification

You'll indemnify Veriom from claims arising from: (i) your violation of these Terms, (ii) violation of laws, (iii) infringement of third-party IP rights, (iv) Customer Data, (v) your systems or infrastructure, or (vi) failure to comply with data protection laws.

12.2 Veriom Indemnification

We'll indemnify you from claims that the Service infringes third-party IP rights, provided you notify us promptly and give us control of defence. If infringement occurs, we may: (i) obtain continued use rights, (ii) modify the Service, (iii) replace it, or (iv) terminate and refund prepaid fees.

12.3 Process

The indemnified party must provide prompt notice, grant sole control of defence, provide cooperation, and not settle without consent.

13. Term and Termination

13.1 Term and Renewal

Subscriptions begin on the start date and automatically renew unless terminated.

13.2 Termination

By You:

  • Month-to-month: 30 days' notice

  • Annual: may choose not to renew (non-cancelable)

By Us: 90 days' notice (with pro-rata refund)

For Cause: Either party may terminate immediately if the other materially breaches and doesn't cure within 30 days.

We may suspend immediately if you breach acceptable use, pose security risks, payment is >15 days late, or we suspect fraud.

13.3 Effect of Termination

Upon termination:

  • Your access terminates immediately

  • Customer Data retained for 90 days for export, then deleted

  • No refunds except as stated

  • Sections 6 (Data Rights), 7 (IP), 9 (Confidentiality), 10-12 (Warranties, Liability, Indemnification), and 15-16 (Dispute Resolution, General) survive

13.4 Data Export

Export your data before termination. We'll provide reasonable assistance but aren't obligated to maintain data beyond 90 days.

14. Compliance

14.1 Export Controls

You represent you're not located in embargoed countries, listed on restricted parties lists, or prohibited from receiving the Service. You won't use the Service in violation of export laws.

14.2 Regulatory Compliance

Each party will comply with applicable laws including data protection regulations (GDPR, CCPA), industry regulations (HIPAA, PCI DSS, SOX, DORA), and export controls.

14.3 Changes in Law

If law changes require material Service modifications, we'll notify you. You may terminate if changes materially adversely affect your rights.

15. Third-Party Services

The Service integrates with third-party platforms you authorise. We're not responsible for third-party availability, functionality, security, or data breaches. Third-party services are subject to their own terms. A list of subprocessors is available at [link].

16. Changes to Terms

We may modify these Terms by posting updates and notifying you via email. Material changes are effective 30 days after notice; non-material changes are effective immediately. Continued use constitutes acceptance. If material changes substantially reduce your rights, you may terminate within 30 days for a pro-rata refund.

17. Dispute Resolution

17.1 Informal Resolution

Parties agree to attempt good-faith negotiations for 30 days before formal proceedings.

17.2 Governing Law and Jurisdiction

EU Customers: England and Wales law; London courts

US Customers: Delaware law; Delaware courts

17.3 Class Action Waiver

DISPUTES WILL BE RESOLVED INDIVIDUALLY. YOU WAIVE ANY RIGHT TO CLASS ACTIONS OR REPRESENTATIVE PROCEEDINGS.

17.4 Injunctive Relief

Either party may seek injunctive relief for IP or confidentiality breaches without waiting for informal resolution.

18. General Provisions

18.1 Assignment

You may not assign these Terms without our consent. We may assign to affiliates or in connection with mergers/acquisitions.

18.2 Entire Agreement

These Terms and referenced policies constitute the entire agreement and supersede all prior communications.

18.3 Severability

If any provision is invalid, the remaining provisions continue in effect, and the invalid provision will be modified to reflect the parties' intent.

18.4 Waiver

Failure to enforce any provision doesn't constitute waiver. Waivers must be in writing.

18.5 Force Majeure

Neither party is liable for failures due to causes beyond reasonable control (natural disasters, war, pandemics, internet failures, etc.).

18.6 Independent Contractors

Parties are independent contractors. These Terms don't create partnerships, joint ventures, or employment relationships.

18.7 Notices

To You: Email to your account address

To Us: legal@veriom.io

18.8 Publicity

We may identify you as a customer in marketing unless you opt out at marketing@veriom.io.

18.9 Language

The English version of these Terms prevails over any translations.

19. Contact Information

General Inquiries: support@veriom.io

Legal Department: legal@veriom.io

Security Team: security@veriom.io