User Agreement for iTrack

Provider:

Comsure Technology Limited, a company registered in Jersey with Registration Number 104136, registered on 1st October 2009, Business Type: RC, Registered Office: Tower House, La Route Es Nouaux, St Helier, Jersey JE2 4ZJ, Business Address: No 1 Bond Street Chambers, St Helier, Jersey, Channel Islands, JE2 3NP (hereinafter referred to as “Provider” or “We”).

User:

The individual or entity accepting these terms (hereinafter referred to as “User” or “YOU”), a regulated financial services entity. Your acceptance of this Agreement, whether by clicking an acceptance button, signing up for the Service, or using the Service, constitutes your agreement to be bound by these terms. If you are accepting on behalf of an organisation, you represent that you have the authority to bind that organisation to these terms.

2.1. Licence Grant

Subject to YOUR compliance with this Agreement, Provider grants YOU a non-exclusive, non-transferable, revocable licence to access and use the Service solely for YOUR internal business purposes in conducting AML/CTF/CPF client risk assessments, in accordance with applicable regulations for regulated financial services worldwide.

2.2. Service Modifications

The Service is provided on a software-as-a-service (SaaS) basis via the internet. Provider reserves the right to update or modify the Service at any time. Material Changes are defined as changes that remove or substantially reduce core functionality relied upon for AML/CTF/CPF compliance, such as risk assessment calculations, reporting capabilities, or data access. For Material Changes, Provider will provide YOU with at least 90 days' advance written notice and offer reasonable alternatives or transition assistance. Non-material changes (e.g., UI improvements, performance enhancements, security updates, new features) may be implemented without prior notice. For deprecated features, Provider will provide at least 180 days' notice before removal and, where feasible, offer migration paths or alternative solutions.

2.3. Usage Restrictions

YOU may not: (a) reverse engineer, decompile, or disassemble the Service; (b) sublicense, rent, or resell the Service; (c) use the Service for unlawful purposes or in violation of any applicable law; (d) interfere with the Service's operation; or (e) violate our Acceptable Use Policy. Usage limits (including number of users, storage capacity, API calls, and assessment volume) are defined based on YOUR subscription tier as detailed on our Pricing page.

2.4. Service Level Agreement (SLA)

2.5. Beta and Experimental Features

From time to time, Provider may offer access to beta, pilot, or experimental features (“Beta Features”). Beta Features are provided “as is” without warranties and may be unstable, incomplete, or subject to change or discontinuation without notice. Beta Features are not subject to the SLA in Section 2.4 unless explicitly stated otherwise. Provider may collect additional feedback and usage data for Beta Features to improve the Service. YOU agree that YOUR use of Beta Features is at YOUR own risk.

2.6. Regulatory Changes

Provider will make commercially reasonable efforts to update the Service to reflect changes in applicable AML/CTF/CPF regulations and data protection laws that affect the core functionality of the Service (e.g., changes to FATF recommendations, JFSC guidance, UK MLRs). Provider will communicate significant regulatory updates that may affect YOUR use of the Service via email and in-app notifications. However, YOU remain solely responsible for ensuring YOUR own compliance with all applicable laws and regulations. If regulatory changes materially increase Provider's costs of delivering the Service, Provider may adjust fees with 90 days' notice.

2.7. Training and Documentation

Provider will provide YOU with access to:

• Documentation: Comprehensive user guides, API documentation, and best practice resources accessible via the Service and our website.
• Training Videos: On-demand video tutorials covering key Service features and workflows.
• Trainer-Led Sessions: Optional live training sessions and workshops available as a paid add-on. Pricing and scheduling for trainer-led sessions will be communicated separately upon request.

2.8. API and Webhook Access

Subject to YOUR subscription tier, Provider grants YOU access to our application programming interfaces (APIs) and webhooks to integrate the Service with YOUR systems. API and webhook usage is subject to:

• Rate Limits: API call limits are defined by YOUR subscription tier (see Pricing page). Exceeding rate limits may result in throttling or temporary suspension of API access.
• Authentication: YOU must secure API keys and authentication tokens. YOU are responsible for all API usage under YOUR account.
• Compliance: API usage must comply with this Agreement and our Acceptable Use Policy.
• Availability: API and webhook functionality is subject to the SLA in Section 2.4.

Provider reserves the right to modify or deprecate API endpoints with at least 180 days' notice and will provide migration guidance for deprecated endpoints.

3.1. General Responsibilities

YOU are responsible for: (a) ensuring the accuracy and legality of User Data; (b) obtaining all necessary consents for processing Personal Data; (c) maintaining the security of YOUR account credentials; and (d) complying with all applicable laws, including those related to AML/CTF/CPF and data protection.

3.2. Permitted Use

YOU represent that YOU are a regulated financial services entity and will use the Service only for legitimate risk assessment purposes as outlined in our Acceptable Use Policy.

3.3. Fees and Payment

3.4. Sanctions and Export Controls

YOU warrant compliance with Jersey export controls, sanctions, and counter-proliferation laws (e.g., under the Sanctions and Asset-Freezing (Jersey) Law 2019 and related orders), including screening for dual-use items and prohibited entities. YOU will promptly notify Provider of any suspected sanctions issues. Provider may suspend the Service immediately if violations are suspected, pending investigation.

4.1. Subject Matter, Duration, Nature, and Purpose

Provider will process User Data solely to provide the Service for AML/CTF/CPF client risk assessments, for the duration of this Agreement or until terminated.

4.2. Type of Personal Data and Categories of Data Subjects

Personal Data may include names, contact details, financial information, identification documents, and risk profiles of YOUR clients (data subjects), as inputted by YOU.

4.3. Obligations and Rights of the Controller (YOU)

YOU retain all rights to User Data and instruct Provider on its processing. YOU are responsible for ensuring lawful bases for processing and warrant that all processing instructions are based on a lawful basis under Schedule 2 of the Data Protection (Jersey) Law 2018, such as contractual necessity or legitimate interests. That processing of any special category data complies with Part 2 of Schedule 2 and will provide evidence upon request.

4.4. Processing Instructions

Provider will process User Data only on YOUR documented instructions (including those in this Agreement) and in accordance with the data protection principles under Article 8(1), including lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity, unless required by law, in which case Provider will inform YOU beforehand unless prohibited.

4.5. Confidentiality

Provider ensures that confidentiality obligations bind all personnel authorised to process User Data.

4.6. Security Measures and Data Location

4.7. Subprocessors

Provider may engage subprocessors (including IONOS UK for hosting, Stripe for payment processing, MailChimp and Brevo for email services, and Google Analytics for anonymised usage analytics) only with YOUR prior general written consent (which is granted by YOUR acceptance of this Agreement). Provider will maintain a current list of subprocessors on our website and will inform YOU of any changes (additions or replacements) at least 30 days in advance via email. YOU may object to a new subprocessor within 15 days of notification on reasonable grounds related to data protection. If YOU object, Provider will either not engage that subprocessor or work with YOU to find an alternative solution. Provider will impose equivalent data protection obligations on all subprocessors and remains liable for subprocessors' compliance.

4.8. Assistance with Data Subject Rights

Provider will assist YOU in fulfilling requests from data subjects (e.g., access, rectification, erasure, restriction, objection) under Part 6 of the Data Protection Law, at YOUR cost if beyond standard support. Assistance will be provided within 4 weeks, with an extension of up to 8 weeks for complex requests, as per Article 27.

4.9. Compliance Assistance

Provider will assist YOU with data protection impact assessments, breach notifications (under Article 20), and security obligations (Article 21), considering the nature of processing.

4.10. End of Processing and Data Deletion

Upon termination of this Agreement, Provider will, at YOUR choice:

• Data Export: Provide YOUR User Data in CSV or PDF format within 30 days of termination request.
• Data Deletion: Securely delete all User Data within 90 days of termination, except where retention is required by law (e.g., for financial records, regulatory obligations, or ongoing legal proceedings).

Provider will provide written confirmation of data deletion upon completion. Data held in backup systems will be deleted in accordance with Provider's standard backup retention schedule (maximum 12 months).

4.11. Audits and Inspections

Provider will make available information to demonstrate compliance and allow audits by YOU or YOUR auditor, at YOUR expense, with reasonable notice (minimum 30 days), limited to once per year unless reasonable grounds exist for more frequent audits (e.g., suspected data breach, regulatory requirement). Audits may be conducted remotely or, if necessary, on-site during business hours with minimal disruption to Provider's operations. Provider will notify YOU if it believes an instruction violates the Data Protection Law.

4.12. Breach Notification

Provider will notify YOU without undue delay (and in any event within 72 hours) of becoming aware of any Personal Data breach affecting User Data. Notification will include available information about the nature of the breach, affected data categories, likely consequences, and mitigation measures taken or proposed. Provider will cooperate with YOU in investigating and mitigating the breach and will assist YOU in notifying the Jersey Office of the Information Commissioner or data subjects if required under Article 20.

4.13. Cross-Border Transfers

User Data is primarily processed and stored in the United Kingdom. If User Data must be transferred outside of Jersey or the UK (e.g., for subprocessor services), Provider will ensure that appropriate safeguards are in place under Part 8 of the Data Protection Law, including:

• Standard contractual clauses approved by the Jersey Office of the Information Commissioner
• Transfers to countries with adequacy decisions
• Binding corporate rules
• Other mechanisms permitted under Article 67

Provider will not transfer data to countries without adequate protection without YOUR prior consent. YOU acknowledge that User Data may be subject to varying data protection laws in different jurisdictions.

4.14. Records

Provider will maintain records of processing activities as required by Article 23 of the Data Protection Law and will make such records available to YOU or the Jersey Office of the Information Commissioner upon request.

4.15. Privacy Policy

Processing is also governed by Provider's Privacy Policy, which details data handling practices and is incorporated herein. For YOUR own personal data as a user of the Service (as distinct from User Data processed on YOUR behalf), please refer to the Privacy Policy.

4.16. Data Retention Periods

5.1. Ownership

Provider owns all rights, title, and interest in and to the Service, including all software, algorithms, methodologies, know-how, and derivatives. YOU own all rights to User Data. Nothing in this Agreement transfers ownership of intellectual property from one party to the other.

5.2. Confidentiality Obligations

Each party will protect the other's Confidential Information using at least the same degree of care as it uses to protect its own confidential information, but in no event less than reasonable care. Confidential Information may be disclosed only to employees, contractors, and advisors who need to know it and who are bound by confidentiality obligations at least as protective as those in this Agreement. Provider may use anonymised, aggregated data (from which all identifying information has been removed) to improve the Service, conduct research, and generate industry insights.

5.3. Required Disclosures

Disclosure of Confidential Information may occur if required by law, court order, or regulatory authority, provided the disclosing party gives prior written notice to the other party where legally permissible, allowing the other party an opportunity to seek protective measures. Provider may share data with regulators and law enforcement for AML/CTF/CPF compliance purposes, including under the Sanctions and Asset-Freezing (Jersey) Law 2019, and YOU consent to such sharing where required by law.

6.1. Term

This Agreement commences on the Effective Date (the date YOU accept this Agreement or first access the Service). It continues for a minimum initial term of one year, with opportunities for multi-year packages (up to three years) as specified on the Pricing page or in a separate engagement letter. The Agreement auto-renews annually unless either party provides written notice of non-renewal at least 30 days before the end of the then-current term.

6.2. Termination for Cause

Either party may terminate this Agreement for material breach by the other party, provided that:

• The non-breaching party provides written notice of the breach
• The breaching party has 30 days to cure the breach (or such shorter period as may be reasonable for serious breaches such as security violations)
• If the breach is not cured within the cure period, the non-breaching party may terminate immediately upon written notice

Either party may terminate immediately without a cure period for insolvency, bankruptcy, regulatory violations, or persistent breaches of the Acceptable Use Policy.

6.3. Effects of Termination

Upon termination:

• YOUR access to the Service ceases immediately
• All outstanding fees become immediately due and payable
• Data handling follows Section 4.10
• Post-Termination Support: Provider may offer optional transition assistance for up to 30 days after termination at an hourly rate to be determined at the time, covering activities such as data migration support, documentation handover, and knowledge transfer. Such support must be requested within 7 days of termination.

Surviving provisions include: Sections 4 (Data Protection - to the extent necessary for data return/deletion), 5 (IP and Confidentiality), 7.2 (Disclaimers), 8 (Liability), 9 (Indemnification), 11 (Miscellaneous including Governing Law), and any provisions that by their nature should survive.

7.1. Limited Warranty

Provider warrants that: (a) the Service will perform substantially in accordance with its documentation; (b) Provider will comply with applicable Data Protection Law in processing User Data; and (c) Provider will use industry-standard efforts to ensure the Service is free from viruses and malicious code. Defect Notification Period: YOU must report any defects or non-conformities in writing to Provider within 30 days of discovery. Provider's sole obligation for breach of this warranty is to use commercially reasonable efforts to correct the reported defect or, if Provider cannot correct it within a reasonable time, to refund a pro-rata portion of fees for the affected period.

8.1. Liability Cap

EXCEPT FOR THE EXCLUDED CLAIMS LISTED IN THIS SECTION, NEITHER PARTY'S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT WILL EXCEED THE TOTAL FEES PAID BY YOU TO PROVIDER IN THE 12 MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO LIABILITY.

Excluded Claims (Uncapped Liability): The liability cap does not apply to:

• YOUR indemnification obligations under Section 9
• Either party's gross negligence or wilful misconduct
• Breaches of data protection obligations under Section 4
• Breaches of confidentiality obligations under Section 5
• Death or personal injury caused by negligence
• Fraud or fraudulent misrepresentation
• Any liability that cannot be excluded or limited under applicable law

8.2. Exclusion of Consequential Damages

EXCEPT FOR THE EXCLUDED CLAIMS ABOVE, IN NO EVENT WILL EITHER PARTY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, OR PUNITIVE DAMAGES (INCLUDING LOSS OF PROFITS, REVENUE, DATA, BUSINESS OPPORTUNITIES, OR GOODWILL) ARISING OUT OF OR RELATED TO THIS AGREEMENT, WHETHER BASED ON CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR ANY OTHER LEGAL THEORY, EVEN IF THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

8.3. Insurance Coverage

Provider maintains cyber liability insurance with coverage of at least £1,000,000 (one million pounds sterling) to cover potential liabilities arising from data breaches, cyber incidents, and related claims. This insurance is maintained as an additional safeguard and does not alter or expand the liability limitations set forth in this Section 8.

9.1. User Indemnification

YOU agree to indemnify, defend (at Provider's option), and hold harmless Provider and its officers, directors, employees, and agents from and against any and all claims, liabilities, damages, losses, costs, and expenses (including reasonable attorneys' fees) arising from or related to: (a) YOUR User Data; (b) YOUR use or misuse of the Service; (c) YOUR violation of this Agreement or applicable laws; or (d) YOUR violation of any third-party rights.

9.2. Provider Indemnification

Provider agrees to indemnify, defend (at YOUR option), and hold harmless YOU and YOUR officers, directors, employees, and agents from and against any and all claims, liabilities, damages, losses, costs, and expenses (including reasonable attorneys' fees) arising from third-party claims that the Service infringes or misappropriates any third-party intellectual property rights (patents, copyrights, trademarks, or trade secrets), provided that: (a) YOU promptly notify Provider in writing of the claim; (b) YOU give Provider sole control of the defense and settlement (except Provider may not settle in a way that admits YOUR liability or imposes obligations on YOU without YOUR consent); and (c) YOU reasonably cooperate with Provider's defense.

If the Service becomes, or in Provider's opinion is likely to become, the subject of an infringement claim, Provider may, at its option: (i) obtain the right for YOU to continue using the Service; (ii) replace or modify the Service to make it non-infringing; or (iii) terminate this Agreement and refund pro-rata prepaid fees for the unused portion of the term.

9.3. Sole Remedy

This Section 9 states each party's sole and exclusive remedy and the other party's entire liability for indemnifiable claims.

11.1. Governing Law and Jurisdiction

This Agreement is governed by and construed in accordance with the laws of Jersey, without regard to its conflict of law principles. The parties irrevocably submit to the exclusive jurisdiction of the courts of Jersey for any dispute arising out of or related to this Agreement.

11.2. Entire Agreement and Amendments

This Agreement (including the Privacy Policy, Acceptable Use Policy, and any referenced appendices or engagement letters) constitutes the entire agreement between the parties and supersedes all prior or contemporaneous agreements, representations, or understandings, whether written or oral. Amendments must be in writing and signed by both parties, except that Provider may update this Agreement by providing at least 30 days' notice via email or in-app notification. YOUR continued use of the Service after the effective date of changes constitutes acceptance of the updated Agreement.

11.3. Severability

If any provision of this Agreement is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction, the remaining provisions will remain in full force and effect, and the invalid provision will be modified to the minimum extent necessary to make it enforceable while preserving the parties' intent.

11.4. Assignment

Neither party may assign or transfer this Agreement, in whole or in part, without the other party's prior written consent (not to be unreasonably withheld), except that either party may assign this Agreement without consent in connection with a merger, acquisition, corporate reorganisation, or sale of all or substantially all of its assets, provided the assignee agrees in writing to be bound by this Agreement. Any attempted assignment in violation of this Section is void. This Agreement binds and benefits the parties' permitted successors and assigns.

11.5. Notices

All notices, requests, consents, and other communications under this Agreement must be in writing and will be deemed given: (a) when delivered personally; (b) when sent by email (with confirmation of transmission) to the email address on record; (c) one business day after deposit with a nationally recognised overnight courier; or (d) three business days after mailing by certified or registered mail, return receipt requested.

Notices to Provider must be sent to:

Notices to YOU will be sent to the email address associated with YOUR account. It is YOUR responsibility to keep YOUR contact information current.

11.6. Electronic Execution

This Agreement may be executed electronically via secure platforms compliant with applicable laws (e.g., DocuSign, electronic acceptance buttons, or click-wrap acceptance). Electronic signatures and records of electronic acceptance have the same legal effect and validity as original signatures and paper documents under applicable law, including the Electronic Communications (Jersey) Law 2000.

11.7. Waiver

No waiver of any provision of this Agreement will be effective unless in writing and signed by the party against whom the waiver is sought to be enforced. No failure or delay by either party in exercising any right or remedy will constitute a waiver of that right or remedy. A waiver of any breach does not waive any other breach.

11.8. Independent Contractors

The parties are independent contractors. This Agreement does not create a partnership, joint venture, agency, employment, or franchise relationship. Neither party has the authority to bind the other or to incur obligations on the other's behalf without prior written consent.

11.9. Third-Party Beneficiaries

This Agreement is for the sole benefit of the parties and does not confer any rights upon any third party, except that Provider's officers, directors, employees, and agents are intended third-party beneficiaries of Section 9.1 (User Indemnification).