Terms of Service
Last updated: March 22, 2026
1. Acceptance of Terms
By accessing or using the OneComply platform ("Service"), you agree to be bound by these Terms of Service ("Terms"). If you are using the Service on behalf of an organization, you represent and warrant that you have authority to bind that organization to these Terms. If you do not agree, you must not use the Service.
2. Service Description
OneComply is a software-as-a-service (SaaS) platform designed to help EU financial entities achieve and maintain compliance with Regulation (EU) 2022/2554 (the Digital Operational Resilience Act, "DORA"). The Service includes:
- ICT third-party vendor risk management and assessment tools
- Compliance control mapping and gap analysis
- Incident management, deadline tracking, and external submission evidence workflows
- Policy document generation and lifecycle management
- Register of Information (ROI) source-data readiness and official package gap checks
- Evidence collection and audit preparation
- AI-powered contract analysis and compliance insights
- Auditor access management with read-only portals
The Service is provided as a tool to assist with compliance efforts. It does not constitute legal advice, and use of the Service does not guarantee regulatory compliance.
3. Account Registration and Access
To use the Service, you must create an account with accurate and complete information. You are responsible for maintaining the confidentiality of your account credentials and for all activities that occur under your account. You must notify us immediately of any unauthorized use of your account.
Organization administrators are responsible for managing user access, roles, and permissions within their organization. Access is granted on a per-seat basis according to your subscription plan.
4. User Obligations
When using the Service, you agree to:
- Comply with all applicable laws and regulations, including GDPR and DORA
- Not upload or transmit any malicious code, viruses, or harmful content
- Not attempt to access, probe, or test the vulnerability of the Service or its infrastructure
- Not reverse engineer, decompile, or disassemble any part of the Service
- Not use the Service in any manner that could impair, overburden, or damage the platform
- Not share account credentials or allow unauthorized third-party access
- Ensure that all data you upload complies with applicable data protection laws
- Maintain appropriate backups of your data as a business continuity measure
5. Subscription and Payment
The Service is offered under tiered subscription plans (Starter, Professional, Enterprise). Pricing, features, and limits for each plan are described on our pricing page and may be updated from time to time with 30 days' notice.
- Subscriptions are billed monthly or annually, as selected at the time of purchase
- Payment is processed securely through Stripe. All prices are in EUR unless otherwise stated
- Free trials, if offered, convert to paid subscriptions unless cancelled before the trial ends
- Refunds are provided on a case-by-case basis at our discretion
- We reserve the right to suspend access for overdue payments after a 14-day grace period
6. Intellectual Property
Our IP: The Service, including its source code, design, documentation, algorithms, compliance frameworks, and AI models, is owned by OneComply S.A. and protected by intellectual property laws. Your subscription grants you a limited, non-exclusive, non-transferable license to use the Service during the subscription term.
Your Data: You retain full ownership of all data you upload to the Service ("Customer Data"). You grant us a limited license to process your Customer Data solely for the purpose of providing and improving the Service. We will not use your Customer Data for any purpose beyond what is necessary to deliver the Service.
Generated Content: Reports, policies, and analysis generated by the Service using your data are owned by you. However, the underlying templates, frameworks, and AI models used to generate such content remain our intellectual property.
7. Data Protection and GDPR Compliance
We are committed to GDPR compliance in all aspects of the Service:
- We act as a data processor for your Customer Data and as a data controller for account data
- A Data Processing Agreement (DPA) is available and forms part of these Terms for enterprise customers
- We implement appropriate technical and organizational security measures per GDPR Article 32
- We support your GDPR obligations through data export (Art. 20), deletion (Art. 17), and access (Art. 15) features
- Data is hosted in EU-region infrastructure and subject to EU data protection standards
- We notify you of data breaches without undue delay, and in any event within 72 hours, in accordance with GDPR Article 33
For full details on how we handle personal data, please refer to our Privacy Policy.
8. Service Availability and SLA
We use commercially reasonable efforts to maintain 99.9% uptime for the Service. Scheduled maintenance windows will be communicated at least 48 hours in advance. We are not liable for downtime caused by force majeure events, third-party service providers, or your own systems.
9. Limitation of Liability
To the maximum extent permitted by applicable law:
- The Service is provided "as is" and "as available" without warranties of any kind, whether express or implied, including implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
- We do not warrant that the Service will meet your specific regulatory requirements or that it will be uninterrupted or error-free.
- Our total aggregate liability to you for any claims arising from or relating to these Terms or the Service shall not exceed the total fees paid by you in the 12 months preceding the claim.
- In no event shall we be liable for indirect, incidental, special, consequential, or punitive damages, including loss of profits, data, or business opportunities, even if advised of the possibility of such damages.
- Regulatory fines or penalties imposed on you by supervisory authorities are your sole responsibility. Our Service is a compliance tool, not a guarantee of compliance.
10. Indemnification
You agree to indemnify and hold harmless OneComply S.A., its officers, directors, employees, and agents from any claims, damages, liabilities, costs, and expenses (including reasonable legal fees) arising from your use of the Service, your violation of these Terms, or your violation of any applicable law or regulation.
11. Termination
Either party may terminate the subscription:
- By you: You may cancel your subscription at any time through your account settings. Cancellation takes effect at the end of the current billing period. No refund is provided for the remaining period.
- By us: We may suspend or terminate your access immediately if you breach these Terms, fail to pay fees after the grace period, or if required by law. We will provide reasonable notice where possible.
- Data after termination: Upon termination, you have 30 days to export your data using our data export feature. After this period, your data will be permanently deleted in accordance with our data retention policy.
12. Governing Law and Jurisdiction
These Terms shall be governed by and construed in accordance with the laws of the Grand Duchy of Luxembourg, without regard to its conflict of law principles. Any disputes arising from or relating to these Terms or the Service shall be subject to the exclusive jurisdiction of the courts of Luxembourg City.
Notwithstanding the foregoing, nothing in these Terms shall limit your rights under mandatory consumer protection laws of your jurisdiction, where applicable.
13. Modifications to Terms
We may modify these Terms from time to time. Material changes will be communicated to you via email or an in-app notification at least 30 days before taking effect. Your continued use of the Service after the effective date constitutes acceptance of the modified Terms. If you do not agree with the modifications, you must discontinue use of the Service before the effective date.
14. General Provisions
- Entire Agreement: These Terms, together with our Privacy Policy and any applicable DPA, constitute the entire agreement between you and OneComply S.A.
- Severability: If any provision of these Terms is held to be unenforceable, the remaining provisions shall remain in full force and effect.
- Waiver: Our failure to enforce any provision shall not constitute a waiver of that provision or any other provision.
- Assignment: You may not assign your rights or obligations under these Terms without our prior written consent. We may assign our rights and obligations in connection with a merger, acquisition, or sale of all or substantially all of our assets.
- Force Majeure: Neither party shall be liable for delays or failures in performance caused by events beyond reasonable control, including natural disasters, war, pandemics, government actions, or failures of third-party infrastructure.
15. Contact Information
OneComply S.A.
Luxembourg, European Union
Email: legal@onecomply.eu
Data Protection Officer: dpo@onecomply.eu