Terms of Service
LEGAFLOW
Compliance Platform for Content Creator Agencies
TERMS OF SERVICE
Global – Applicable to All Users
Version 1.0
Effective Date: 15 April 2026 | Last Updated: 15 April 2026
| PUBLISHER OMAZEO SP. Z O.O. Plac Bankowy 2, 00-095 Warszawa, Poland KRS: 0000879770 | NIP: 7842524687 | REGON: 387980205 Share capital: 20,000 PLN (fully paid-up) |
|---|
Preamble
These Terms of Service (the "Terms") constitute a binding legal agreement between OMAZEO SP. Z O.O., a limited liability company incorporated under the laws of the Republic of Poland, with its registered office at Plac Bankowy 2, 00-095 Warszawa, Poland, registered with the Polish National Court Register (KRS) under number 0000879770, bearing tax identification number NIP 7842524687, statistical number REGON 387980205, and having a share capital of twenty thousand Polish złoty (20,000 PLN), fully paid-up (the "Company", "LegaFlow", "we", "us", or "our"), and any natural or legal person who accesses, registers for, or uses the Platform defined below ("you", "User", and together with the Company, the "Parties").
These Terms are drafted in the English language. The Parties expressly acknowledge that they have reviewed and understood the Terms in full before accepting them. By clicking to accept, by creating an account, by accessing any part of the Platform, or by using any feature of the Platform, the User is deemed to have read, understood, accepted, and agreed to be bound by these Terms in their entirety, together with any document expressly incorporated by reference (including, without limitation, the Privacy Policy, the Cookie Policy, the Data Processing Agreement, and any applicable Order Form). If the User does not accept all of these Terms without reservation, the User must immediately cease accessing and using the Platform.
The Platform and the services provided thereunder are expressly reserved for business users (Agencies acting in the course of their professional activity) and for the Content Creators they manage. These Terms apply in full to both categories of Users, subject to the role differentiation set out below: the Agency is the subscriber and contracting party of the Company and is solely responsible for payment of fees; the Content Creator is an end-user enrolled on the Platform by an Agency, who accepts these Terms solely to the extent necessary to access and use the Platform as an enrolled user (including identity and age verification, Survey participation, data-protection acknowledgements, and compliance with the Acceptable Use Policy). The Platform is not directed at consumers within the meaning of Directive 2011/83/EU on consumer rights or any equivalent national legislation. Any occasional access by a natural person acting outside of a professional capacity does not alter the business-to-business nature of the contractual relationship between the Company and the Agency.
1. Definitions and Interpretation
1.1. Definitions
For the purposes of these Terms, the capitalized terms below have the following meanings. Defined terms used in the singular shall include the plural, and vice versa, unless the context otherwise requires.
"Acceptable Use Policy" means the rules of conduct set out in Section 10 of these Terms.
"Administrator" means a Company representative authorized by the Company to access detailed data on the Platform for the purposes of platform operation, safety investigations, and critical escalation management.
"Agency" means a legal entity or duly registered sole proprietor that manages Content Creators on third-party monetization platforms and has registered an Agency account on the Platform.
"Claim" means, for the purposes of Section 9, a lawsuit or court-case formally filed against an Agency by a Content Creator, alleging exploitation, coercion, forced labor, human trafficking, or comparable violation of the Content Creator's rights in connection with the Agency's management activities, to the exclusion of any administrative, regulatory, criminal, or arbitral proceeding.
"Compliance Report" means a document generated by the Platform summarizing Survey data, risk indicators, audit trail metadata, and other compliance-related information.
"Content Creator" or "Model" means a natural person, aged eighteen (18) years or more, who produces digital content on third-party monetization platforms and who has been invited by an Agency to participate in the LegaFlow compliance process.
"Corrective Action Plan" or "CAP" means a set of remedial actions issued in writing by the Company to an Agency in response to compliance alerts, with specific deadlines for completion.
"Covered Matter" means a Claim that the Company has, in its sole discretion, formally accepted for funding under the Legal Defense Assistance Program in accordance with Section 9.
"Global Annual Budget" means the aggregate amount fixed by the Company in its sole discretion for each calendar year as the maximum total expenditure the Company may devote to all Covered Matters globally during that year.
"Legal Defense Assistance" or "LDA" or "Program" means the discretionary commercial program described in Section 9 of these Terms.
"Order Form" means any written or electronic ordering document signed by or otherwise accepted by an Agency and the Company, setting out the specific commercial terms of the Agency's Subscription.
"Partner Network" or "Partner Law Firm" means the network of independent law firms and duly licensed attorneys with which the Company has entered into commercial partnership agreements for the purpose of the Program.
"Platform" means the LegaFlow compliance platform, including all associated websites, web applications, mobile applications, APIs, dashboards, reports, integrations, and ancillary services operated by the Company.
"Risk Score" means the numerical indicator (zero to one hundred) calculated algorithmically by the Platform on the basis of Survey responses.
"Subscription" means the paid service plan agreed individually between an Agency and the Company, as documented in an Order Form or online checkout confirmation.
"Survey" means a structured questionnaire administered through the Platform to Content Creators for the collection of self-reported compliance data.
"Survey Hash" means the unique SHA-256 cryptographic hash generated for each completed Survey.
"User" means any natural or legal person that accesses or uses the Platform.
"Waiting Period" means the twelve (12) month qualifying period defined in Section 9.6.1, during which the Program is not available to the Agency.
1.2. Interpretation
In these Terms: (i) headings are for convenience only and shall not affect interpretation; (ii) references to "including", "includes" or "in particular" shall be deemed to be followed by the words "without limitation"; (iii) references to statutes include any amendment, consolidation, or re-enactment thereof; (iv) references to days are to calendar days unless stated as business days; (v) references to currency are to the Euro (EUR) unless expressly stated otherwise; (vi) the expression "in writing" includes email and any durable medium that satisfies applicable law; and (vii) where any right is expressed to be at the Company's "sole discretion" or "absolute discretion", the Company is entitled to exercise or decline to exercise that right without giving reasons, subject only to mandatory law.
2. Acceptance of Terms and Contracting Party
2.1. Acceptance. The User accepts these Terms by any of the following actions, each of which constitutes unconditional acceptance: (i) clicking "I agree", "Accept", or an equivalent button during onboarding; (ii) creating or logging into an account on the Platform; (iii) accessing, browsing, or otherwise using any feature of the Platform; (iv) entering into an Order Form or other commercial agreement referencing these Terms; or (v) making any payment for a Subscription.
2.2. Binding on Legal Entities. Where a natural person accepts these Terms on behalf of a legal entity, such natural person represents and warrants that they are duly authorized to bind the legal entity, that they have obtained all internal approvals required to do so, and that the legal entity shall be bound by these Terms as a User and, where applicable, as an Agency.
2.3. Capacity and Sanctions. By accepting these Terms, the User represents and warrants that: (i) they are at least eighteen (18) years of age; (ii) they have full legal capacity to enter into a binding contract; (iii) they are not subject to any court order or legal incapacity preventing the conclusion of this agreement; (iv) they are not located in, organized under the laws of, or ordinarily resident in any country or territory subject to comprehensive sanctions administered by the European Union, OFAC, the United Kingdom, or the United Nations, and are not otherwise identified on any applicable sanctions list.
2.4. Non-Acceptance. If the User does not accept these Terms, the User shall not access or use the Platform. Continued access or use without acceptance constitutes unauthorized access and entitles the Company to terminate access, pursue all available remedies, and claim damages.
3. Nature, Description, and Non-Regulated Status of the Platform
3.1. Nature of the Platform
LegaFlow is a proprietary technology solution operated as software-as-a-service (SaaS) by the Company. The Platform consists of a closed-ecosystem compliance-management suite expressly and exclusively designed for business users, namely Agencies managing Content Creators on third-party monetization platforms. The Platform automates the deployment of structured compliance questionnaires designed by the Company in collaboration with a panel of external legal practitioners, collects and analyses the responses of enrolled Content Creators, computes algorithmic risk indicators (the Risk Score), aggregates such indicators into Agency-level dashboards operating on a strict privacy-by-design principle, produces exportable PDF Compliance Reports, maintains tamper-evident append-only audit trails secured by SHA-256 cryptographic hashes, delivers automated notifications and compliance alerts, and – as an ancillary discretionary benefit described in Section 9 – administers the Legal Defense Assistance Program.
The Platform is a software product. The Company is a software publisher. The Platform is made available to Agencies on a subscription basis pursuant to an Order Form or online checkout. The Platform is not a legal-consultation service, not a regulated financial product, not an insurance product, and not a certification scheme.
3.2. Non-Regulated Status
The Company and the Platform do not constitute, and must not be construed as, any of the following, in any jurisdiction worldwide: (i) a law firm, an attorney, a legal advisor, a paralegal, a solicitor, a barrister, a counsel at law, or any other regulated legal profession, within the meaning of – and without limitation – the Polish Act on Advocacy of 26 May 1982, the Polish Act on Legal Advisers of 6 July 1982, the rules of any State Bar in the United States, the Legal Services Act 2007 of England and Wales, the UAE Federal Law No. 23 of 1991 on the Regulation of the Legal Profession, or any equivalent law of any jurisdiction; (ii) an insurance undertaking, a reinsurance undertaking, a mutual insurance institution, a protection and indemnity club, a surplus-lines carrier, a captive insurer, or any other risk-pooling or risk-transfer mechanism, within the meaning of – and without limitation – Directive 2009/138/EC (Solvency II), the Polish Insurance and Reinsurance Activity Act of 11 September 2015, any United States state insurance code, the UK Financial Services and Markets Act 2000, the UAE Federal Decree-Law No. 48 of 2023 regulating insurance activities, or any equivalent law of any jurisdiction; (iii) an insurance or reinsurance intermediary, an ancillary insurance intermediary, an insurance broker, a producer, an agent, or a managing general agent, within the meaning of – and without limitation – Directive (EU) 2016/97 (IDD), the Polish Act on Distribution of Insurance of 15 December 2017, United States state insurance-intermediary laws, the UK Insurance Distribution Regulations, or any equivalent law; (iv) a payment institution, an electronic-money institution, a credit institution, an investment firm, a money-services business, or a crypto-asset service provider; (v) a credit-rating agency within the meaning of Regulation (EC) No 1060/2009; (vi) a certification body accredited under any scheme (ISO, EN, ENISA, IAF, or otherwise), or an entity entitled to issue legally binding certificates of compliance; or (vii) a tax advisor, an accountant, an auditor, or any other regulated advisory profession.
Accordingly, in every jurisdiction in which the Platform is made available: the Company does not provide legal advice, does not render legal opinions, does not draft legal instruments adapted to any specific situation, does not represent any User before any court, tribunal, or public authority, does not underwrite or pool risk, does not issue binding compliance certifications, does not provide investment, tax, or financial advice, and does not substitute for the services of licensed professionals. Each Agency is solely responsible for obtaining and paying for its own independent legal counsel, its own professional liability insurance, its own tax advice, and its own regulatory filings, at all times and in each jurisdiction in which it operates. References in the Platform's marketing materials, dashboards, or reports to terms such as "compliance", "protection", "coverage", "monitoring", "defense", or similar expressions describe software features and discretionary programs operated by the Company; such references are not, and must not be interpreted as, warranties of legal compliance, insurance coverage, indemnity, or professional advice.
3.3. Core Functionalities
The Platform provides the following core functionalities, the exact scope of which may vary depending on the Subscription plan selected in the Order Form:
- Secure onboarding of Agencies, including business verification (KYB) and account provisioning.
- Secure onboarding of Content Creators, including identity verification and age verification operated by Veriff OÜ (Estonia) or a successor identity verification provider.
- Structured Surveys developed by the Company in collaboration with a panel of external legal experts, covering compliance topics such as autonomy, finances, pressure and boundaries, health and wellbeing.
- Automatic calculation of Risk Scores and generation of aggregated compliance indicators.
- Agency dashboard displaying aggregated compliance status and color-coded indicators (privacy-by-design: no access to individual Survey responses).
- Content Creator dashboard for independent account management, data export, emergency reporting, and unilateral termination of association with an Agency.
- Automatic email alerts, reminders, and notifications.
- PDF Compliance Reports generated on demand.
- Tamper-evident audit trail with SHA-256 cryptographic hashes for each completed Survey.
- Free contract analysis service by a Partner Law Firm for Agencies, subject to fair-use limits.
- The discretionary Legal Defense Assistance Program described in Section 9.
3.4. Technical Environment
The Platform is hosted within the European Union on infrastructure provided by one or more reputable EU-based cloud providers. Data at rest is encrypted using AES-256. Data in transit is protected by TLS 1.3. The Company implements role-based access control, immutable append-only audit logging, multi-factor authentication for administrator accounts, and periodic penetration testing.
3.5. Evolution of the Platform
The Platform evolves continuously. The Company reserves the right, at any time and at its sole discretion, to add, modify, improve, or discontinue features, provided that any material reduction of paid functionalities during the term of a prepaid Subscription shall entitle the affected Agency to either continue with the modified Platform or terminate the Subscription with a pro-rata refund of the unused prepaid period.
3.6. Third-Party Platforms
The Platform is designed to support Agencies managing Content Creators on third-party monetization platforms. The Company is not affiliated with, endorsed by, or sponsored by any such third-party platform. Any reference to such platforms is nominative and informational only. The Company has no control over and no responsibility for third-party platforms.
3.7. No Public User-Generated Content
The Platform does not host, distribute, moderate, index, or make publicly available any content created by Content Creators. The Platform processes structured Survey responses and administrative data in a strictly private, access-controlled environment. The Platform is not an "online platform" within the meaning of Article 3(i) of Regulation (EU) 2022/2065 (Digital Services Act).
4. Eligibility and Onboarding
4.1. Agency Eligibility – Professional Status Required
The Platform is made available exclusively to Agencies that are duly established professional operators. To register as, and to remain, an Agency on the Platform, the User must at all times satisfy the following cumulative conditions: (i) be a duly registered legal entity (such as a limited liability company, joint-stock company, partnership, or equivalent), or a duly registered sole trader (in Poland: jednoosobowa działalność gospodarcza; in France: entreprise individuelle or micro-entreprise; in the United States: a registered LLC, corporation, or sole proprietorship with a valid EIN; in the United Kingdom: a company registered with Companies House or a self-employed person registered for HMRC self-assessment; and, more generally, any individual or entity that holds, in its jurisdiction of establishment, the formal registration or status required to carry on a commercial activity as a professional); (ii) hold all licences, permits, registrations, and authorisations required under applicable law to manage Content Creators operating on third-party adult-content monetization platforms; (iii) not be subject to insolvency, bankruptcy, restructuring, liquidation, or similar proceedings; (iv) not be owned, controlled, or beneficially held by any person subject to sanctions administered by the European Union, the United Nations, the United States Office of Foreign Assets Control (OFAC), the United Kingdom, or any other applicable sanctions regime; and (v) successfully complete the Company's Know-Your-Business (KYB) verification process, which may include production of corporate registration documents, proof of ultimate beneficial ownership, proof of address, declarations of authorised representatives, tax-residency confirmations, and any other information the Company may reasonably request.
Any person or entity that does not satisfy the eligibility conditions in this Section 4.1 – including, in particular, any individual or group managing Content Creators without holding the formal registration required to carry on a commercial activity as a professional in their jurisdiction – is not eligible for an Agency account. The Company may, at any time, request evidence of registration and may immediately suspend or terminate any Agency account where the required evidence is not produced within ten (10) business days.
4.2. Content Creator Eligibility – End-User Enrolment
The Content Creator is not a subscriber of the Platform and does not pay the Company any fees. The Content Creator is enrolled as an end-user by an Agency that is itself a subscriber. Accordingly, no professional-status or business-registration requirement applies to the Content Creator in connection with their use of the Platform; any requirement to register as a professional under applicable local law arises, if at all, from the Content Creator's own content-production activity and is a matter solely between the Content Creator and the Agency and the relevant authorities, in which the Company takes no part.
Each Content Creator must nevertheless: (i) be a natural person aged at least eighteen (18) years at the date of enrolment, and aged at least the age of legal majority in their country of habitual residence where higher; (ii) hold full legal capacity; (iii) successfully complete the Know-Your-Customer (KYC) identity and age verification process operated by Veriff OÜ or a successor provider (see Section 4.4); (iv) provide accurate and current personal information; (v) not be subject to sanctions; and (vi) accept these Terms and the Privacy Policy.
4.3. Right to Refuse
The Company reserves the right, at its sole discretion, to refuse registration, suspend access, or terminate any account where eligibility requirements are not or are no longer met, where registration information is incorrect, where a User is engaged in prohibited activities under Section 10, or where continued access would expose the Company or other Users to legal or reputational risk.
4.4. KYB and KYC Verification
The Company operates two parallel identity-assurance processes:
"KYB" (Know-Your-Business) applies to Agencies. It consists of the collection and documentary verification of the Agency's legal identity, registration, beneficial ownership, and legal representatives, and may be performed by the Company directly or through a specialised third-party provider. KYB is mandatory at onboarding and may be refreshed periodically or upon specific triggers (change of control, renewed regulatory request, suspicious-activity alert).
"KYC" (Know-Your-Customer) applies to Content Creators. It is performed on behalf of the Agency (the Agency being the party with a direct professional relationship with the Content Creator) through the Veriff biometric identity-verification service, and consists of document authentication, liveness detection, age verification, and, where applicable, sanctions screening. The Content Creator cannot use the Platform until KYC has been successfully completed. Failure of KYC results in automatic refusal of enrolment, without recourse.
4.5. One Account Per Entity
Unless expressly authorised by the Company in writing, each Agency may hold only one active account. Circumvention through parallel entities, shell companies, or corporate structures designed to defeat eligibility limits, invoicing caps, or the Legal Defense Assistance Program aggregate cap constitutes a material breach of these Terms and entitles the Company to terminate all related accounts with immediate effect and without refund.
5. Account Registration and Security
5.1. Agency Registration
5.1.1. To register, the Agency must provide accurate legal business name, tax identification number, registered address, country of operation, authorized representative's full name, professional email, telephone number, and any additional KYB information requested.
5.1.2. Agency accounts are subject to verification and discretionary approval by the Company. The Company may reject any application without providing reasons.
5.2. Content Creator Registration
5.2.1. Content Creators are invited via email by a registered Agency. The Content Creator then creates an independent account with personal credentials, completes identity verification, accepts these Terms and the Privacy Policy, and completes the onboarding Survey.
5.2.2. The Content Creator's account is fully independent from the Agency account. Credentials, Survey responses, emergency reports, and personal data of the Content Creator are not accessible to the Agency under any circumstances.
5.3. Security Obligations
5.3.1. The User is solely responsible for maintaining the confidentiality of credentials. The User shall not disclose, share, rent, or transfer credentials to any third party.
5.3.2. The User shall implement reasonable security measures on devices used to access the Platform, including up-to-date operating systems, anti-malware software, strong passwords, and multi-factor authentication where offered.
5.3.3. The User shall immediately notify the Company at contact@legaflow.io (subject line: "Security Incident") of any suspected or actual unauthorized access. Until such notice is received, the User is deemed responsible for all actions performed through the account.
5.3.4. The Platform implements automatic session termination, rate limiting, bot detection, and other automated security measures which may be updated from time to time without prior notice.
5.4. Accuracy and Ongoing Update
The User represents that all information provided is accurate, complete, and current. The User undertakes to update such information without delay upon any change. The Company may request, at any time, supporting documentation to verify accuracy, and may suspend access pending receipt. Providing false, misleading, or materially incomplete information is a material breach of these Terms.
5.5. Identity Verification
All Content Creators must successfully pass the identity and age verification process operated by Veriff OÜ or a successor provider. Any attempt to bypass, spoof, or otherwise defeat identity verification is a material breach and may result in criminal referral.
6. Representations and Warranties of the User
6.1. Representations of All Users
Each User represents and warrants to the Company, on an ongoing basis from acceptance of these Terms and throughout the use of the Platform, that:
- All information provided to the Company is true, accurate, complete, and not misleading, and will be promptly updated in case of any change.
- The User has full legal right, power, and authority to enter into these Terms and to perform all obligations arising hereunder.
- Execution and performance of these Terms do not and will not violate any applicable law, regulation, contract, judicial order, or internal rule binding on the User.
- The User shall at all times comply with all applicable laws and regulations, including without limitation data protection, anti-trafficking, anti-money-laundering, labor, tax, consumer, and sanctions laws.
- The User has not been convicted of any offense involving fraud, human trafficking, sexual exploitation, child endangerment, money laundering, or similar offenses, and is not currently subject to any criminal, regulatory, or disciplinary investigation in connection with such matters.
- The User shall not use the Platform for any purpose prohibited by Section 10 (Acceptable Use Policy).
6.2. Additional Representations of the Agency
Each Agency additionally represents and warrants, on an ongoing basis throughout the term of the Subscription, that:
- It operates as a legitimate commercial business duly incorporated and licensed in its jurisdiction, with all required tax registrations, and in full compliance with its obligations under applicable commercial, labor, tax, and data protection law.
- All contractual relationships with its Content Creators are formalized in written agreements that: (i) are signed by both parties; (ii) are drafted in the primary language of the Content Creator or provided in a bilingual format; (iii) clearly describe the services to be provided, the compensation, the revenue split, and the termination rights of the Content Creator; (iv) contain explicit informed-consent clauses covering the nature of the content to be produced; (v) respect the Content Creator's right to withdraw consent at any time; and (vi) respect the Content Creator's right of access to their own accounts, revenues, and statistics on third-party platforms.
- It maintains valid professional liability insurance and/or general liability insurance appropriate to its activity, in an amount not less than five hundred thousand euros (€500,000) per claim, with a reputable insurer. The Agency shall provide proof of such insurance upon request.
- It has verified the age and identity of every Content Creator it manages, using reasonable commercial means equivalent to or stronger than those implemented by the Platform.
- It does not, directly or indirectly, manage any Content Creator who is, or who the Agency has reasonable grounds to believe is, under the age of eighteen (18).
- It has implemented reasonable organizational measures to prevent coercion, undue influence, or retaliation against its Content Creators, and to ensure that each Content Creator may freely participate in, or refuse to participate in, the LegaFlow compliance process.
- It has designated at least one authorized representative, with authority to receive notices, respond to compliance alerts, and bind the Agency under these Terms.
- It has not and will not, directly or indirectly, complete Surveys on behalf of any Content Creator or influence, coerce, reward, or otherwise attempt to shape specific answers.
6.3. Additional Representations of the Content Creator
Each Content Creator additionally represents and warrants that:
- Their participation on the Platform is entirely voluntary, free from coercion or undue influence by any Agency or third party.
- They complete Surveys independently and honestly, reflecting their actual working conditions and experiences.
- They have not given any person (including the Agency) any credential, token, or access that would allow such person to complete Surveys on their behalf.
- They shall promptly report any coercion, pressure, retaliation, or other conduct inconsistent with these Terms to the Company through the emergency reporting channel.
6.4. Continuing Nature
The representations and warranties in this Section 6 are deemed repeated at each use of the Platform and at each renewal of a Subscription. Any breach of a representation or warranty is a material breach entitling the Company to immediate suspension, termination, and any other remedy available at law.
7. Survey Integrity and Evidentiary Value
| TAMPER-EVIDENT SURVEY HASH TECHNOLOGY Each completed Survey is assigned a unique SHA-256 cryptographic hash generated over the full set of responses, the submission timestamp (UTC), the originating IP address, the user-agent, and selected metadata. The Survey Hash serves as a tamper-evident digital fingerprint of the submission. Survey Hashes are stored in an append-only audit log that cannot be altered, rewritten, or deleted, including by the Company. |
|---|
7.1. Hashing methodology. Each completed Survey generates a unique SHA-256 hash encompassing the full response set, the UTC timestamp, the originating IP address, the user-agent string, the estimated geolocation, time-per-question metrics, and overall completion time.
7.2. Immutability. Survey Hashes are stored in an append-only audit log. The Company commits not to modify, delete, or retroactively alter Survey Hashes or their associated metadata. The Company implements technical controls designed to prevent tampering by any party, including Company personnel.
7.3. Retention. Survey responses, Survey Hashes, and associated metadata are retained for a period of five (5) years from the date of completion, for evidentiary and compliance purposes aligned with the general limitation period for civil claims under Polish and EU law.
7.4. Legal process. Survey responses and associated metadata may be disclosed pursuant to a valid court order, subpoena, letter of request, mutual legal assistance request, or other binding legal process issued by a court or competent authority. The Company will comply with such orders in accordance with applicable law and will notify affected Users where legally permitted and operationally feasible, providing them with a reasonable opportunity to contest or narrow the scope.
7.5. No truth guarantee. The Company does not verify, validate, or guarantee the truthfulness, accuracy, or completeness of any Survey response. Survey responses reflect solely the self-reported declarations of the responding Content Creator at the time of submission. The Platform does not conduct fact-finding, interviewing, or field verification.
7.6. Evidentiary value determined by the competent forum. Whether Survey data, Survey Hashes, or any other Platform output will be admitted, given evidentiary weight, or held sufficient in any legal proceeding is determined exclusively by the competent court, tribunal, or authority. The Company makes no representation or guarantee as to admissibility, authenticity, probative value, or sufficiency, whether in Poland, in the European Union, or in any other jurisdiction.
8. Subscription Fees, Payment, and Taxes
8.1. Subscription Pricing
The Platform is provided on a paid subscription basis. Pricing is agreed individually with each Agency, based on the Agency's size, number of Content Creators, selected modules, volume commitments, and scope of services, and is documented in the applicable Order Form or online checkout confirmation. Content Creators are not charged for access to the Platform.
8.2. Payment Methods and Payment Processor
Accepted payment methods are (i) credit and debit cards and (ii) SEPA direct debit (where supported), in each case processed exclusively through Stripe Payments Europe, Ltd. (for EEA Agencies) and Stripe, Inc. (for U.S. Agencies) or their successors (together, "Stripe"). Cryptocurrency payments may be accepted where expressly agreed in writing, through the Company's approved crypto-payment processor. By providing payment information, the Agency authorises the Company to charge the payment method for all fees due under the applicable Order Form. The Agency undertakes to keep its payment information accurate and up to date. Full payment-card data is never stored by the Company; it is tokenised directly by Stripe. All fees are denominated in Euros (EUR) unless otherwise agreed in the Order Form. The Company may enable or disable payment methods at any time without prior notice.
8.3. Taxes and Value-Added Tax (VAT)
8.3.1. General Principle. All Subscription fees are exclusive of applicable taxes, duties, and levies. The Agency is responsible for all value-added tax (VAT), goods and services tax (GST), sales tax, withholding tax, digital-services tax, and other indirect taxes imposed on the fees, except for taxes assessed on the Company's net income.
8.3.2. Agencies Established in Poland. Where the Agency is established in Poland, the Company is required to charge and collect Polish VAT at the applicable standard rate (currently twenty-three percent (23%)) in addition to the Subscription fees, in accordance with the Polish Act on the Tax on Goods and Services of 11 March 2004 (Ustawa o podatku od towarów i usług).
8.3.3. Agencies Established in the European Union (outside Poland) – Reverse Charge. Where the Agency is established in another Member State of the European Union and provides a valid VAT identification number that the Company can verify through the VAT Information Exchange System (VIES), the supply is treated as a B2B intra-Community supply of services with the place of supply in the Member State of the Agency pursuant to Article 44 of Council Directive 2006/112/EC (VAT Directive). The reverse-charge mechanism under Article 196 of the VAT Directive applies: the Company invoices without Polish VAT, and the Agency is responsible for self-assessing VAT at the rate applicable in its own Member State. Where the Agency fails to provide a valid VAT identification number, the Company reserves the right to charge Polish VAT at the standard rate.
8.3.4. Agencies Established Outside the European Union – Export of Services. Where the Agency is established outside the European Union, the supply is treated as an export of electronically supplied services with the place of supply in the country of the Agency, outside the territorial scope of Polish VAT, pursuant to Articles 28b and 28l of the Polish Act on the Tax on Goods and Services. The Company invoices without VAT. The Agency is solely responsible for any local VAT, GST, sales tax, digital-services tax, use tax, withholding tax, or other indirect tax in its own jurisdiction, including (without limitation) U.S. state sales and use taxes where applicable, UAE VAT (5%) where the Agency is established in the UAE and the Company crosses the applicable registration threshold, UK VAT under the reverse-charge rules, and Swiss VAT under the Swiss reverse-charge regime.
8.3.5. Non-Resident VAT Registrations. Where applicable law obliges the Company to register for VAT, GST, or a comparable tax in a jurisdiction other than Poland and to collect and remit such tax on supplies to Agencies established in that jurisdiction, the Company will do so and will add the applicable tax to the invoice. The Company retains sole discretion over the timing and modalities of any such registration.
8.3.6. Agency Duty to Provide Accurate Information. The Agency warrants the accuracy of its tax identification number, place of establishment, and other tax-relevant information, and undertakes to notify the Company promptly of any change. The Agency shall indemnify and hold the Company harmless against any VAT, interest, or penalty assessed against the Company as a result of the Agency's failure to provide accurate information or to self-assess tax where required.
8.3.7. Withholding Taxes. Where applicable law requires the Agency to withhold any tax from payments to the Company, the Agency shall gross up such payments so that the Company receives the full amount otherwise due, unless the Agency provides, within thirty (30) days of the relevant payment, a valid tax certificate enabling the Company to obtain a refund or credit in its own jurisdiction.
8.3.8. Backup. Where applicable law requires the Company to collect and remit a tax notwithstanding the foregoing, such tax shall be added to the invoice and paid by the Agency.
8.4. Invoicing and Payment Terms
8.4.1. Subscriptions are invoiced in advance according to the payment schedule set out in the applicable Order Form (monthly, quarterly, or annually). Invoices are due within fourteen (14) days from the invoice date unless otherwise stated in the Order Form.
8.4.2. Late payments accrue interest at the maximum rate permitted by applicable law (in Poland, the statutory default interest rate applicable to commercial transactions), calculated from the due date until full payment is received, together with a flat compensation of forty euros (€40) under Article 10 of the Polish Anti-Payment-Gridlock Act of 8 March 2013 transposing Directive 2011/7/EU.
8.4.3. Failure to pay within fourteen (14) days of the due date entitles the Company to suspend access to the Platform, without prejudice to any other remedy. Failure to cure within thirty (30) additional days entitles the Company to terminate the Subscription for material breach, without any refund of amounts already paid.
8.5. Price Changes
The Company may modify Subscription pricing at any time. For existing Subscriptions, changes take effect only at the beginning of the next renewal period, upon no less than thirty (30) days' prior written notice sent to the Agency's registered email address. The Agency may terminate the Subscription before the effective date at no penalty if it does not wish to accept the new pricing. Continued use after the effective date constitutes acceptance.
8.6. No Refunds
Except as expressly provided in Sections 3.3 (Reduction of Paid Functionalities) or 22.3 (Termination for Cause by the Agency), or as required by mandatory applicable law, all fees paid are non-refundable. Pro-rata refunds are not granted for partial periods of service.
8.7. No Consumer Withdrawal Right
The Platform is provided exclusively to business Users acting in the course of their professional activity. Statutory withdrawal rights conferred on consumers by Directive 2011/83/EU on consumer rights, by Article 27 of the Polish Consumer Rights Act of 30 May 2014, or by any equivalent legislation, do not apply to Agencies. Agencies accept that they are not consumers within the meaning of those laws and irrevocably waive any right they might otherwise have to unilateral withdrawal from their Subscription outside the terms of the applicable Order Form.
8.8. Suspension for Non-Payment
The Company reserves the right to suspend or restrict access to the Platform in case of non-payment, without prior notice beyond the grace period set out in Section 8.4.3. The Company also reserves the right to withhold delivery of Compliance Reports, PDF exports, and other documents until all outstanding amounts have been paid in full.
9. Legal Defense Assistance Program
| THIS IS NOT INSURANCE – READ CAREFULLY BEFORE RELYING ON THE PROGRAM The Legal Defense Assistance Program ("LDA" or "Program") described in this Section 9 is a discretionary commercial benefit offered as an ancillary, non-essential feature of a paid Subscription. The Program is not an insurance policy, not an insurance contract, not a surety, not a guarantee of payment, not a contractual indemnification undertaking, and not any form of insurance product – whether as a standalone product or as an ancillary product – within the meaning of any applicable insurance law in any jurisdiction worldwide, including (without limitation) Directive 2009/138/EC (Solvency II), the Polish Act on Insurance and Reinsurance Activity of 11 September 2015, the UK Financial Services and Markets Act 2000, any United States state insurance code, the UAE Federal Decree-Law No. 48 of 2023 regulating insurance activities, the Swiss Insurance Supervision Act, and any equivalent law. The Company does not underwrite risk, does not pool or mutualize risk across Users, and does not charge a premium for the Program; no identifiable portion of the Subscription fee is allocated to the Program. The Program is funded exclusively from a discretionary Global Annual Budget set by the Company and may be modified, suspended, exhausted, reduced, or terminated at the Company's sole discretion, at any time, without prior individual notice and without compensation. Nothing in this Section 9 shall be interpreted as creating an insurance contract, an insurable interest, or any binding obligation on the Company to provide funding in any particular case. The marketing materials published on the Company's website referencing an indicative maximum figure of "up to €200,000" describe the Company's current internal aggregate spending cap per Agency per calendar year (see Section 9.3). Any such representation is subject in full to the eligibility conditions (Section 9.5), the twelve (12) month qualifying period (Section 9.6), the exclusions (Section 9.7), and the procedural requirements (Section 9.8) set out herein. No Agency acquires any right, entitlement, or legitimate expectation to any specific funding amount. All decisions under the Program are made at the Company's sole discretion, are final, and are not subject to appeal, mediation, or arbitration, save for judicial review on the sole ground of manifestly arbitrary decision where required by mandatory law. |
|---|
9.1. Purpose of the Program
9.1.1. The Program is a commercial customer-support feature under which the Company may, at its sole and absolute discretion, pay the professional fees of a Partner Law Firm engaged to defend an eligible Agency in a Covered Matter, up to the maximum discretionary amounts set out in Section 9.3 and subject to the availability of the Global Annual Budget set out in Section 9.4.
9.1.2. The Program is offered on a take-it-or-leave-it basis as an ancillary benefit of the Subscription. No separate fee, premium, surcharge, contribution, or subscription tier is charged or allocated to the Program. The Agency does not have the right to opt out of the Program or to receive any rebate, discount, or compensation in lieu of the Program.
9.1.3. The Program is supplementary to, and does not replace or limit, any rights the Agency may have under its own professional liability insurance, general liability insurance, directors-and-officers insurance, or any other insurance policy. Agencies are strongly encouraged, and in some jurisdictions required, to maintain their own insurance coverage.
9.2. Scope – What the Program May Cover
9.2.1. Subject to eligibility under Sections 9.5 and 9.6, to the exclusions under Section 9.7, and to the procedural requirements under Section 9.8, the Company may, at its sole discretion, allocate funds from the Global Annual Budget to pay the following categories of costs in a Covered Matter:
- Professional fees (honoraria) of a Partner Law Firm engaged directly by the Company on behalf of the Agency for the defense of the Agency in the Covered Matter.
- Court filing fees and procedural costs directly related to the defense, up to the per-Covered-Matter cap in Section 9.3.
- Reasonable expert witness fees pre-approved by the Company in writing.
- Translation and interpretation costs directly related to the defense and pre-approved by the Company in writing.
- Cross-border procedural costs pre-approved by the Company in writing.
9.2.2. All disbursements under the Program are made directly by the Company to the Partner Law Firm or to the relevant third party. No amount is paid or payable to the Agency under the Program.
9.2.3. The Company has the sole and absolute right to select, instruct, approve, and replace the Partner Law Firm engaged to handle a Covered Matter. The Agency may not engage any lawyer at the Company's expense without the Company's prior written approval. Costs of attorneys not engaged by the Company are not covered under any circumstances.
9.3. Aggregate Maximum Discretionary Cap per Agency
9.3.1. Aggregate Annual Cap per Agency. The maximum aggregate amount that the Company may, in its sole discretion, disburse under the Program in respect of all Covered Matters concerning a single Agency during any given calendar year shall not exceed two hundred thousand euros (€200,000). This figure is a GLOBAL CEILING applicable to that Agency for the entire calendar year, across all Covered Matters combined. It is NOT a per-matter cap, NOT a per-Content-Creator cap, and does NOT reset upon opening a new Covered Matter. Once the cumulative disbursements made by the Company under the Program in respect of an Agency during a calendar year have reached two hundred thousand euros (€200,000), no further disbursement may be made under the Program for that Agency during the same calendar year, irrespective of the number, nature, or severity of pending or new Covered Matters, irrespective of the status of those matters, and irrespective of any other consideration.
9.3.2. Nature of the Cap. The €200,000 figure represents an internal spending cap on the Company's side. It does not constitute: (i) a guaranteed amount; (ii) a contractual right of the Agency to any minimum or specific sum; (iii) an insurance sum insured; (iv) any undertaking of indemnity; or (v) any reserve set aside or accrued for the benefit of the Agency. The Company retains sole discretion to allocate any lesser amount, no amount at all, or to cease allocation at any point in accordance with this Section 9.
9.3.3. No Reserve, No Accrual, No Carry-Over. The Company does not set aside, reserve, or earmark any amount against the cap in Section 9.3.1, whether by Agency, by Content Creator, by Claim type, or otherwise. Amounts not spent in a given calendar year do not carry over, accrue, or otherwise inure to any User's benefit in subsequent years.
9.3.4. Interaction with the Global Annual Budget. The per-Agency aggregate cap in Section 9.3.1 operates subject in all cases to the availability of the Global Annual Budget in Section 9.4. If the Global Annual Budget is exhausted during a given calendar year, no further disbursement may be made to any Agency irrespective of whether that Agency has reached its individual aggregate cap.
9.3.5. Consistency with Marketing Materials. Any marketing, promotional, or commercial representation of the Program – including statements as to the maximum amount, deductible, qualifying period, or eligibility – must be read together with these Terms. In the event of any discrepancy between marketing materials and these Terms, these Terms prevail. The Agency acknowledges having read and understood these Terms before entering into the Subscription.
9.4. Global Annual Budget – First-Come, First-Served
9.4.1. The Company maintains a single Global Annual Budget, the amount of which is set at the Company's sole discretion for each calendar year. The Global Annual Budget may be adjusted upward or downward, reduced to zero, or eliminated at any time, without prior notice and without compensation.
9.4.2. The Global Annual Budget is allocated across all Covered Matters on a first-come, first-served basis, evaluated in the chronological order in which complete eligibility documentation is received by the Company.
9.4.3. Once the Global Annual Budget for a calendar year is exhausted, no further allocations shall be made under the Program until the Company, at its sole discretion, allocates additional budget or until the start of the following calendar year. The Company is under no obligation to allocate additional budget.
9.4.4. The Company bears no liability toward any Agency whose request cannot be funded because the Global Annual Budget has been exhausted, reduced, or suspended, or because the Program has been modified or terminated.
9.5. Eligibility Conditions
The Program is available only to an Agency that satisfies, continuously and cumulatively, all of the following eligibility conditions (each a "Condition") at the date the Claim is filed, at the date notice is given to the Company, during the entire period covered by the Claim, and throughout the handling of the Covered Matter:
- Condition 1 – Active Subscription. The Agency holds an active, fully paid-up Subscription with no outstanding amount owed to the Company.
- Condition 2 – Subscription Tenure. The Agency has maintained a continuous paid Subscription for at least twelve (12) consecutive months prior to the date notice of Claim is given to the Company (the "Waiting Period"). Successive Subscriptions with continuous payment, without gap exceeding fifteen (15) days, count as continuous.
- Condition 3 – Full Enrollment of Content Creators. All Content Creators who were under the Agency's management at any time during the period covered by the Claim were duly enrolled on the Platform during that period, with completed identity verification and active Survey participation.
- Condition 4 – Survey Participation of the Claimant. The specific Content Creator who filed the Claim (a) was enrolled on the Platform during the entire period covered by the Claim, (b) completed the onboarding Survey, (c) completed at least eighty percent (80%) of scheduled Surveys during the twelve (12) months preceding the events giving rise to the Claim, and (d) did not miss two (2) or more consecutive Surveys during the twelve (12) months preceding the Claim.
- Condition 5 – Risk Score Threshold. The Risk Score of the specific Content Creator who filed the Claim remained at or below fifty (50) at all times during the twelve (12) months preceding the events giving rise to the Claim. If the Risk Score exceeded fifty (50) at any time, the Company may still, at its sole discretion, consider the Covered Matter eligible if and only if the Agency demonstrates, with contemporaneous documentation, that it implemented and completed a Corrective Action Plan in response.
- Condition 6 – Response to Compliance Alerts. The Agency has acknowledged, in writing and through the Platform, every compliance alert or escalation notice issued by the Platform during the period covered by the Claim, within seventy-two (72) hours of issuance, and has taken documented corrective action in response.
- Condition 7 – Written Contracts. The Agency has maintained, at all relevant times, a written, signed contract with the specific Content Creator who filed the Claim, satisfying the requirements of Section 6.2.
- Condition 8 – Insurance. The Agency maintained, at all relevant times and continues to maintain, valid professional liability insurance meeting the requirements of Section 6.2.
- Condition 9 – Compliance with These Terms. The Agency has at all relevant times fully complied with these Terms, with the Acceptable Use Policy (Section 10), and with applicable law, without any material breach (whether remedied or not).
- Condition 10 – Timely Notice. The Agency has notified the Company in writing of the Claim within fourteen (14) calendar days of becoming aware of the Claim, in accordance with Section 9.8.1.
- Condition 11 – Cooperation. The Agency has provided, and continues to provide, full documentation, access, and cooperation required to assess eligibility, to instruct the Partner Law Firm, and to defend the Covered Matter.
- Condition 12 – No Admission. The Agency has not admitted liability, agreed to settle, made any offer of settlement, issued any public statement, or taken any other material action in relation to the Claim without the Company's prior written consent.
- Condition 13 – No Prior History. At the time the Subscription commenced, no Claim, dispute, formal complaint, pre-litigation demand, or threat of litigation concerning the specific Content Creator who filed the Claim was known or reasonably ought to have been known to the Agency.
- Condition 14 – No Conflict of Interest. The Claim does not arise out of any circumstance in which the Agency's interests would be materially adverse to those of the Company or of a Partner Law Firm.
- Condition 15 – No Sanctions. Neither the Agency, its representatives, nor the Claimant is subject to applicable sanctions that would prohibit the Company from funding the Covered Matter.
- Condition 16 – Good Faith. The Agency has acted at all times in good faith in relation to the Company, the Platform, the Program, and the Content Creator concerned.
- Condition 17 – Minimum Creator Tenure. The specific Content Creator who filed the Claim has been continuously enrolled on the Platform by the Agency for a minimum period of twelve (12) consecutive months immediately preceding the date the Claim was filed, with an uninterrupted paid Subscription covering that Content Creator. Periods during which the Content Creator was temporarily suspended or de-activated on the Platform (other than for demonstrable medical or vacation reasons not exceeding thirty (30) consecutive days) do not count towards the twelve-month tenure. If the Content Creator was enrolled for fewer than twelve (12) months – including because the Content Creator was enrolled after the events giving rise to the Claim, or enrolled in the immediate lead-up to foreseeable litigation – no Covered Matter shall be eligible, regardless of any other circumstance.
- Condition 18 – Contractual Compliance between Agency and Content Creator. The Agency has, at all times during the period covered by the Claim and throughout the twelve (12) months preceding the Claim: (a) maintained a written, signed contract with the specific Content Creator, drafted or reviewed by qualified independent legal counsel, setting out compensation, working conditions, contractual duration, termination rights, intellectual-property allocation, dispute resolution, and governing law; (b) paid all amounts due to the Content Creator in accordance with the agreed schedule, without unjustified delay or withholding; (c) honoured every contractual term applicable to the Content Creator, including those relating to working hours, rest, content approval, refusal rights, revenue-sharing, confidentiality, and post-termination obligations; (d) refrained from any unilateral modification of material contractual terms to the detriment of the Content Creator without the Content Creator's documented prior written consent; (e) maintained and produced, on request, complete documentary evidence of compliance with (a) through (d). Any material contractual breach by the Agency vis-à-vis the Content Creator, whether or not such breach is the direct subject of the Claim, disqualifies the Covered Matter from the Program.
- Condition 19 – No Violation of Applicable Local Law. Neither the Agency nor the specific Content Creator has, at any time during the period covered by the Claim or during the twelve (12) months preceding the Claim, committed any violation of the laws, regulations, or binding professional rules applicable to: (a) the Content Creator's country of habitual residence; (b) the Content Creator's country of nationality; (c) the Agency's country of incorporation; (d) the Agency's country of principal place of business; (e) any country from which content was produced or distributed; or (f) any country whose law governs the Agency-Creator contract. Such violations include, without limitation: tax law and social-security obligations; labour and employment law; self-employment and independent-contractor regulations; immigration and work-authorization rules; adult-content laws and licensing requirements; content-moderation and platform laws; consumer-protection and advertising laws; data-protection and privacy laws; anti-money-laundering and sanctions regimes; age-verification requirements; intellectual-property law; and rules governing the adult-entertainment profession (where such rules exist). The Company may, at its sole discretion, rely on applicable public records, Agency disclosures, Content-Creator disclosures, and independent legal opinions to assess compliance with this Condition. A demonstrated violation – whether acknowledged, alleged, pending investigation, or established by any competent authority – disqualifies the Covered Matter from the Program, even if the violation is not the direct subject of the Claim.
9.6. Waiting Period and Retroactivity Exclusion
9.6.1. Waiting Period. No Covered Matter may be funded in respect of any Claim filed, threatened, or reasonably foreseeable before expiry of the twelve (12) month Waiting Period set out in Condition 2 of Section 9.5. The Waiting Period operates as an absolute bar to any funding disbursement in respect of such Claims. The Waiting Period is neither reducible nor waivable by the Company, save where the Company expressly agrees to a reduction in writing signed by an authorised representative of the Company, in which case the reduced period shall apply only to the specific Agency and Covered Matter identified in the writing.
9.6.2. Retroactivity Exclusion. No Covered Matter may be funded in respect of events, conduct, or circumstances that occurred or began before the commencement of the Agency's Subscription. The Program does not apply retroactively to the period preceding the first day of the Agency's first paid Subscription.
9.7. Exclusions – What the Program Never Covers
For the avoidance of doubt and in addition to the Waiting Period and Retroactivity Exclusion, the Program does not and shall not cover, fund, reimburse, or otherwise apply to any of the following, whether direct, indirect, or consequential:
- Damages, compensation, reparation, restitution, disgorgement of profits, interest, moral damages, or any other amount awarded, settled, or paid to a claimant, plaintiff, or third party.
- Fines, administrative penalties, regulatory sanctions, tax penalties, punitive damages, exemplary damages, forfeitures, or any amount of a penal nature.
- Court-ordered costs awarded in favor of the opposing party and payable by the Agency to the opposing party or to a court.
- Criminal, regulatory, disciplinary, or administrative proceedings against the Agency or its directors, officers, employees, contractors, or representatives.
- Proceedings initiated by the Agency (offensive litigation), counterclaims, cross-claims, or third-party claims by the Agency against any person.
- Class actions, collective actions, group actions, representative actions, derivative actions, or mass-tort proceedings, whether brought in the European Union, the United States, or any other jurisdiction.
- Arbitral proceedings, arbitral awards, arbitration costs, arbitrator fees, and enforcement of arbitral awards.
- Any proceeding commenced in a jurisdiction that the Company has designated, from time to time, as excluded from the Program, as published on the Company's website.
- Any proceeding brought by, on behalf of, or for the benefit of a person under the age of eighteen (18) at the time of the alleged events.
- Any proceeding relating to the Agency's use of a third-party monetization platform that the Agency is not authorized to use, or that is not on the list of platforms supported by LegaFlow.
- Any proceeding arising from or related to human trafficking, forced labor, sexual exploitation, or sexual offenses where the Agency or its representatives are reasonably believed to have participated, aided, abetted, or financed the conduct, whether or not the proceeding characterizes it as such.
- Any proceeding arising from or related to fraud, misrepresentation, willful misconduct, gross negligence, or intentional breach by the Agency or its representatives.
- Any proceeding in which the Agency has disclosed confidential Platform information, Survey responses, or other Protected Material in breach of these Terms.
- Any proceeding in which the Agency has failed to comply with an obligation under Section 6 (Representations) or Section 11 (Agency Operational Covenants).
- Any proceeding in which the Agency has, directly or indirectly, influenced, coerced, pressured, paid, rewarded, or instructed a Content Creator to provide specific Survey responses or to refrain from providing truthful responses, or has completed Surveys on behalf of the Content Creator.
- Any proceeding in which the metadata of the Survey responses of the relevant Content Creator shows device, network, or behavioural patterns consistent with completion by a person other than the Content Creator.
- Any cost incurred after the Company has notified the Agency of withdrawal of the Program pursuant to Section 9.11.
- Any cost incurred by an attorney or consultant not engaged by the Company.
- Any cost that the Agency has recovered or is entitled to recover under its own insurance, subject to subrogation under Section 9.13.
- Any cost excluded by the Order Form.
9.8. Procedure for Requesting Coverage Under the Program
9.8.1. Notice. The Agency shall notify the Company in writing at contact@legaflow.io of any Claim within fourteen (14) calendar days of becoming aware of it, or, where the delay is unavoidable, immediately thereafter. The notice shall include: (i) a description of the Claim and of the claimant; (ii) copies of all pleadings, correspondence, and other documents received in connection with the Claim; (iii) identification of every Content Creator potentially implicated; (iv) a brief description of the Agency's defense strategy (if any has been formed); and (v) an express acknowledgment and acceptance of this Section 9, including Section 9.3 (caps), Section 9.4 (Global Annual Budget), and Section 9.8.3 (no admission).
9.8.2. Evaluation. The Company shall evaluate the request for eligibility within thirty (30) business days of receiving a complete file. The Company may request additional information, in which case the evaluation clock restarts. The Company shall communicate its decision – acceptance, rejection, or conditional acceptance – in writing. Acceptance of the request does not constitute a waiver of any exclusion or of any right to withdraw.
9.8.3. Conduct of the Defense. From the date of acceptance, the Partner Law Firm engaged by the Company shall have sole conduct of the defense. The Agency undertakes to (i) follow the instructions of the Partner Law Firm within the scope of its mandate, (ii) provide all documents, information, and witnesses required, (iii) preserve and not destroy any evidence, (iv) not make any admission of liability, (v) not make any settlement offer or accept any settlement proposal, and (vi) not issue any public statement in relation to the Claim – in each case without the prior written consent of the Company. The Company reserves the right to approve or refuse any settlement proposed by the Partner Law Firm, at its sole discretion.
9.8.4. Independent Counsel. Nothing in the Program prevents the Agency from engaging, at its own expense, independent counsel alongside the Partner Law Firm. Such independent counsel shall not, however, bind the Company or be paid by the Company.
9.9. Company's Sole Discretion – No Right of Appeal
9.9.1. The Company's decisions under the Program – including the decision to accept or reject a request, the selection of the Partner Law Firm, the amount allocated to a Covered Matter, the approval or refusal of a settlement, the withdrawal of funding, and any other decision – are made at the Company's sole and absolute discretion.
9.9.2. Those decisions are final and binding on the Agency. No right of appeal, mediation, or arbitration lies against any decision under the Program, save for judicial review on the sole ground of manifestly arbitrary decision where required by mandatory law. The Agency expressly waives any claim grounded in alleged breach of the Program or alleged entitlement to funding.
9.10. Attorney-Client Relationship
9.10.1. Where the Program is accepted in a Covered Matter, the Partner Law Firm is engaged directly by the Company, which becomes the payer. The attorney-client relationship, with its attendant fiduciary and ethical duties, runs between the Partner Law Firm and the Agency (and not between the Partner Law Firm and the Company) in accordance with applicable bar rules.
9.10.2. The Agency authorizes the Partner Law Firm to share with the Company: (i) status updates on the proceedings; (ii) copies of billing statements; and (iii) any other information reasonably required by the Company to monitor the Covered Matter and to exercise its rights under this Section 9. The Agency waives any claim of privilege against the Company to the limited extent necessary for the foregoing.
9.10.3. Where a conflict of interest arises between the Agency and the Company, the Partner Law Firm's professional duty runs to the Agency, and the Company may withdraw from the Covered Matter under Section 9.11, whereupon the Agency becomes solely responsible for further fees incurred.
9.11. Withdrawal of the Program
9.11.1. The Company may withdraw from the Program at any time – including mid-proceedings – with immediate effect upon written notice to the Agency, if: (i) any Condition in Section 9.5 ceases to be met; (ii) any exclusion in Section 9.7 applies; (iii) the Global Annual Budget is exhausted, reduced, or suspended; (iv) the Company reasonably determines that continued funding is inappropriate (for example because the Agency has made an unauthorized admission, has engaged in fraud, has failed to cooperate, or has materially breached these Terms); or (v) the Subscription is terminated for any reason.
9.11.2. Upon withdrawal, the Agency is solely responsible for any fees incurred after the effective date of withdrawal, including the continuing fees of the Partner Law Firm (whose engagement can then be terminated or continued directly between the Agency and the Partner Law Firm).
9.12. Clawback and Reimbursement
9.12.1. Clawback. If, after the Company has made any disbursement under the Program, it becomes apparent that any Condition was not met, that any exclusion applied, that the Agency made a material misrepresentation, or that the Agency breached these Terms, the Company may demand immediate full reimbursement of all amounts paid under the Program in respect of that Covered Matter, together with interest at the statutory commercial rate.
9.12.2. Reimbursement. Where the Agency recovers any cost, fee, damages, or other amount from any third party (including its own insurer) in respect of a Covered Matter that was funded in whole or in part under the Program, the Agency shall promptly reimburse the Company the lesser of (i) the amount recovered from that third party or (ii) the amount funded by the Company under the Program in respect of the Covered Matter.
9.12.3. Set-Off. The Company may set off any clawback or reimbursement amount against future Subscription fees or any other amount due to the Agency.
9.13. Subrogation
9.13.1. To the extent the Company has made any payment under the Program in respect of a Covered Matter, the Agency is deemed to have assigned to the Company, by way of conventional subrogation, all of its rights of recovery against any third party (including, where applicable, its own insurer) in respect of the costs and fees funded by the Company, up to the amount funded.
9.13.2. The Agency shall execute all documents and take all reasonable actions requested by the Company to give effect to this subrogation, at the Company's cost.
9.14. Annual Re-Qualification
9.14.1. Eligibility under the Program is re-assessed at the start of each calendar year. The Company may, at its sole discretion, require the Agency to submit updated KYB documents, proof of insurance, compliance certifications, or other documents in order to confirm ongoing eligibility.
9.14.2. Failure to provide such updated documents within thirty (30) days of request may result in suspension of eligibility.
9.15. Program Modification and Termination
9.15.1. The Company may modify the terms of the Program – including the categories of Covered Matters, the caps, the exclusions, the Global Annual Budget, and the procedure – at any time, upon no less than thirty (30) days' prior written notice to Agencies. Any Claim notice given before the effective date of the modification is assessed under the terms in force at the date of notice; any Claim notice given on or after the effective date is assessed under the modified terms.
9.15.2. The Company may terminate the Program in its entirety at any time, upon no less than sixty (60) days' prior written notice. Termination has prospective effect only. Any Covered Matter already accepted at the date of termination continues to be handled to completion, subject to all other provisions of this Section 9 (including Sections 9.11, 9.12, and 9.13).
9.16. No Class or Collective Action
9.16.1. The Program does not create any shared risk pool, mutual undertaking, class, collective, representative, or group. Each decision under the Program is individual and self-contained.
9.16.2. Agencies have no right to claim against the Global Annual Budget collectively, in any class or representative capacity, or in any action purporting to be brought on behalf of other Agencies or of the Agency community at large.
9.17. No Third-Party Rights
9.17.1. The Program is for the benefit of the Agency only. Content Creators, claimants, third parties, and insurers have no rights under the Program, and no right of direct action lies against the Company.
9.17.2. The existence, terms, and application of the Program are confidential as between the Company and the Agency, and the Agency shall not publicly invoke, advertise, or misrepresent the Program.
9.18. Interaction with Insurance
9.18.1. The Agency remains solely responsible for maintaining adequate insurance cover. The Program is not, and is not intended as, a substitute for professional liability insurance, general liability insurance, or any other insurance.
9.18.2. Where the Agency has insurance cover that applies to a Claim, the insurance cover is primary, and the Program is strictly excess – the Company's funding under the Program, if any, shall only apply to costs that are not covered and not recoverable under the Agency's insurance.
10. Acceptable Use Policy
10.1. General Obligations
All Users agree, in addition to any other obligation arising under these Terms, to:
- Use the Platform solely for its intended purposes as described in Section 3 and in the Order Form.
- Provide accurate, current, and complete information at all times.
- Keep account credentials strictly confidential and not share them.
- Not circumvent, disable, interfere with, or stress-test any security, access-control, or rate-limiting feature of the Platform, other than pursuant to a written bug bounty or responsible disclosure programme operated by the Company.
- Not use the Platform for any unlawful, fraudulent, deceptive, defamatory, libelous, or harmful purpose.
- Comply with all applicable laws and regulations, including data protection, labor, anti-trafficking, anti-money-laundering, tax, export control, and sanctions laws.
- Not upload or transmit any content that infringes any third-party right, that contains malware, or that would subject the Company to any criminal, regulatory, or civil liability.
- Not engage in any activity that would compromise the privacy-by-design architecture of the Platform.
- Promptly report any security vulnerability or suspected breach to contact@legaflow.io.
10.2. Absolutely Prohibited Conduct
| STRICT PROHIBITIONS – IMMEDIATE ACCOUNT TERMINATION The following prohibitions are material and non-negotiable. Any breach triggers immediate suspension and termination without prior notice, permanent exclusion from the Program with clawback of all prior disbursements, retention and disclosure of relevant data to the competent authorities, and pursuit of any available remedy at law, including damages and criminal complaint. |
|---|
The Platform may not be used, directly or indirectly, in any way that relates to, facilitates, conceals, or depends upon any of the following conduct:
- Child sexual abuse material (CSAM); sexualization of minors; or any content, activity, or transaction involving persons under the age of eighteen (18) at the time of the conduct – regardless of the lawfulness of such conduct in the User's jurisdiction.
- Human trafficking, forced labor, debt bondage, servitude, or any form of modern slavery, whether the User is principal, accomplice, or facilitator.
- Coercion, intimidation, threat, blackmail, or undue influence exercised over any Content Creator, including coercion to remain on the Platform, to produce specific content, or to remit revenue.
- Non-consensual creation or distribution of intimate imagery ("revenge porn"), deepfake intimate imagery, doxxing, or any conduct infringing image rights, dignity, or privacy.
- Identity fraud, impersonation, fabrication of Survey responses, credential sharing, or any other attempt to subvert Platform integrity or the accuracy of compliance records.
- Money laundering, terrorist financing, sanctions evasion, bribery, corruption, or any predicate offense under applicable anti-financial-crime frameworks.
- Any offer or provision of prostitution services, or any conduct constituting procuring (proxénétisme) or similar offenses under Article 225-5 et seq. of the French Criminal Code or comparable legislation.
- Surveillance, stalking, harassment, targeted intimidation, or doxxing of any Content Creator, Agency representative, or third party, whether inside or outside the Platform.
- Discrimination, harassment, or hostile conduct towards any Content Creator or User on the basis of sex, gender, gender identity, sexual orientation, race, ethnicity, religion, nationality, disability, or any other protected characteristic.
- Unauthorized use of any intellectual property belonging to the Company or to any third party.
- Reverse-engineering, decompilation, disassembly, scraping, crawling, systematic data extraction, or any attempt to reconstruct the Platform's source code, Risk Score methodology, or Survey frameworks.
- Use of the Platform to compete directly with the Company, to build a competing product, or to train a machine learning model.
- Any action intended to overload, damage, or disrupt the Platform, including denial-of-service attacks, spamming, or mass-enrollment with fake accounts.
10.3. Agency-Specific Acceptable Use
In addition to the general obligations in Sections 10.1 and 10.2, each Agency undertakes specifically to:
- Ensure that every Content Creator invited to the Platform is at least eighteen (18) years of age, has given free and informed consent to participate, and has received clear information in a language they understand.
- Never coerce, pressure, reward, threaten, or incentivize any Content Creator to provide specific Survey responses.
- Never complete Surveys on behalf of any Content Creator, and never assist any Content Creator in providing particular answers.
- Never share or forward, to any third party, any aggregated indicator, alert, or report that would enable re-identification of a specific Content Creator's responses.
- Respond promptly and in writing, within seventy-two (72) hours, to every compliance alert, escalation, or Corrective Action Plan issued by the Platform.
- Maintain accurate records of all contractual, financial, and operational relationships with Content Creators, and make these records available to the Company upon reasonable request pursuant to Section 20 (Audit Rights).
- Never attempt to access, infer, reverse-engineer, or otherwise reconstruct individual Survey responses or individual Risk Scores.
- Comply with all applicable labor, employment, social security, anti-trafficking, tax, and data protection laws in every jurisdiction in which the Agency operates.
- Maintain, at all times, adequate professional liability insurance as described in Section 6.2.
10.4. Content Creator-Specific Acceptable Use
Each Content Creator undertakes specifically to:
- Complete Surveys independently, honestly, and without external influence.
- Not permit any other person, including the Agency, to complete Surveys on their behalf, and not disclose login credentials.
- Keep contact information current so that the Platform and the Company can reach them.
- Promptly report any coercion, pressure, retaliation, or other inappropriate conduct to contact@legaflow.io or through the in-Platform emergency reporting channel.
- Not misuse the emergency reporting channel for trivial, malicious, or knowingly false reports.
10.5. Serious Harm Reporting Protocol
10.5.1. Where the Platform or the Company becomes aware, through any source, of a credible report or reasonable suspicion of serious harm – including trafficking, coercion, sexual exploitation, involvement of a minor, or imminent physical danger – the Company reserves the right, and in many jurisdictions is legally obligated, to notify competent authorities without delay.
10.5.2. Competent authorities may include, without limitation, the French PHAROS reporting platform (Plateforme d'Harmonisation, d'Analyse, de Recoupement et d'Orientation des Signalements), the Polish Police, Europol, the U.S. National Center for Missing and Exploited Children (NCMEC), Interpol, and local emergency services in the relevant jurisdiction.
10.5.3. Where permitted by law and where it is safe and operationally feasible to do so, the Company will notify the affected Content Creator of the report and will provide contact information for support organizations.
10.6. Consequences of Breach
Breach of this Section 10 entitles the Company, at its sole discretion, to any or all of: (i) immediate suspension of the account, without prior notice; (ii) immediate termination of the Subscription; (iii) immediate exclusion from the Program, with clawback of any prior disbursement; (iv) notification to law enforcement or regulatory authorities; (v) retention and disclosure of data to such authorities; (vi) pursuit of civil, criminal, or administrative remedies; (vii) blacklisting of the User (and, in the case of Agencies, of its directors, officers, and ultimate beneficial owners) from future accounts. None of these remedies is exclusive.
11. Agency Operational Covenants
In addition to the representations and warranties in Section 6, each Agency covenants, for the entire duration of its Subscription and for two (2) years thereafter (or such longer period as may be required by law or by the handling of a Covered Matter), that:
- It shall continuously comply with all applicable laws, these Terms, the Acceptable Use Policy, and any policy published on the Company's website.
- It shall maintain accurate, complete, and current KYB and contact information on the Platform.
- It shall notify the Company, within fifteen (15) days, of any material change in its ownership, control, business activity, licensing status, insurance coverage, or jurisdiction of operation.
- It shall notify the Company, within fifteen (15) days, of any actual or threatened Claim, regulatory action, criminal investigation, or material dispute involving the Agency or any of its directors, officers, or ultimate beneficial owners.
- It shall notify the Company, immediately, of any Personal Data Breach within the meaning of Article 4(12) GDPR involving Platform data.
- It shall cooperate with any reasonable request from the Company relating to compliance, audit, or investigation.
- It shall permit the Content Creators to participate in the Platform freely, without retaliation, and shall not take any adverse action against a Content Creator for any answer given or report made on the Platform.
- It shall indemnify the Company and hold the Company harmless in accordance with Section 19.
12. Intellectual Property
12.1. Ownership by the Company
12.1.1. The Platform and all of its components – including, without limitation, the software, source and object code, architecture, design, text, graphics, logos, photographs, videos, audio, databases, algorithms (including Risk Score methodology), Survey templates and frameworks, Compliance Report formats, dashboards, trademarks (registered and unregistered), service marks, trade names, domain names, know-how, and all associated intellectual property rights (the "Company IP") – are and shall remain the exclusive property of the Company or of its licensors.
12.1.2. "LegaFlow" is a commercial name of the Company. The LegaFlow logo, wordmark, and associated distinctive signs are protected trademarks. Any unauthorized use is prohibited and will be prosecuted to the fullest extent of the law.
12.1.3. Nothing in these Terms transfers, assigns, or grants any ownership right in the Company IP to any User.
12.2. Limited License
Subject to the User's compliance with these Terms and payment of all applicable fees, the Company grants each User a limited, non-exclusive, non-transferable, non-sublicensable, revocable license to access and use the Platform solely for its intended compliance documentation purposes during the term of the Subscription. This license is immediately revoked upon termination of the Subscription, in accordance with Section 22.
12.3. User Data
12.3.1. The User retains ownership of the data it submits to the Platform ("User Data"). By submitting User Data, the User grants the Company a worldwide, royalty-free, non-exclusive, sublicensable license to host, process, transmit, display, use, analyze, aggregate, de-identify, and otherwise use the User Data solely as necessary to: (i) provide the Platform; (ii) perform the Company's obligations under these Terms; (iii) comply with legal obligations; (iv) enforce these Terms; and (v) develop, in aggregated and de-identified form, statistical insights and product improvements.
12.3.2. The license granted in Section 12.3.1 survives termination to the extent necessary for the Company to comply with legal retention obligations, to defend legal claims, and to retain aggregated and de-identified data for statistical purposes.
12.4. Feedback
If the User provides feedback, suggestions, or ideas relating to the Platform, the User grants the Company an irrevocable, perpetual, worldwide, royalty-free, sublicensable license to use them for any purpose, without restriction or compensation.
12.5. Prohibited Acts
The User shall not, and shall not permit any third party to:
- Reverse-engineer, decompile, disassemble, or otherwise attempt to derive the source code of the Platform, except to the extent permitted by mandatory applicable law.
- Copy, modify, adapt, translate, or create derivative works based on the Platform.
- Scrape, crawl, index, or systematically extract data from the Platform.
- Resell, sublicense, rent, lease, or otherwise make the Platform available to any third party not duly authorized under these Terms.
- Remove, alter, or obscure any proprietary notice (including copyright, trademark, and confidentiality notices) displayed on or in the Platform.
- Use the Platform, Survey content, or any output thereof to train machine-learning models or artificial-intelligence systems.
13. Privacy and Data Protection
13.1. Privacy Policy. The processing of Personal Data through the Platform is governed by the Privacy Policy, available at https://www.legaflow.io/privacy, which is incorporated into these Terms by reference and which the User expressly accepts by accepting these Terms.
13.2. Privacy by Design. The Platform implements a privacy-by-design architecture. Agencies do not have access to individual Survey responses or individual Risk Scores. Agencies receive only aggregated, color-coded compliance indicators. This restriction is a non-negotiable structural feature of the Platform.
13.3. Security. Personal Data at rest is encrypted with AES-256; Personal Data in transit is encrypted with TLS 1.3. Primary data storage is within the European Union. The Platform maintains an immutable append-only audit log of all User interactions for five (5) years.
13.4. Automated Decision-Making. Risk Scores are algorithmic indicators. They are not used by the Company to take decisions producing legal or similarly significant effects on any individual User without meaningful human review. The only automated outputs visible to Agencies are aggregated compliance indicators. Content Creators have the right to request human review of any risk-related output by writing to dpo@legaflow.io.
13.5. Data Processing Agreement. Where the Company acts as a Processor within the meaning of Article 4(8) of Regulation (EU) 2016/679 (GDPR) on behalf of an Agency (the Controller), the processing of Personal Data is governed by the Data Processing Agreement (the "DPA") set out in Exhibit A to these Terms. The DPA forms an integral and inseparable part of these Terms. By accepting these Terms, the Agency also accepts, enters into, and becomes bound by the DPA with the Company, with effect from the same date. An Agency that is required by its own internal compliance policies to obtain a separately signed copy of the DPA may request one by writing to contact@legaflow.io; the separately signed copy shall reflect the same content as Exhibit A and shall not create any additional obligations beyond those set out therein.
13.6. International Transfers. Where Personal Data is transferred outside the European Economic Area, the Company relies on appropriate safeguards in accordance with Articles 44 to 49 GDPR, including Standard Contractual Clauses and supplementary measures, as further described in the Privacy Policy.
14. Confidentiality
14.1. Definition. "Confidential Information" means any non-public information disclosed by one Party to the other Party in connection with the Platform, whether orally, in writing, electronically, or otherwise, that is marked as confidential or that, by its nature, a reasonable person would understand to be confidential, including the Company's software, algorithms, Risk Score methodology, Survey templates, pricing, business plans, and the terms of any Order Form.
14.2. Obligations. Each Party shall: (i) use Confidential Information of the other Party only for the purposes of these Terms; (ii) protect Confidential Information with at least the same degree of care it applies to its own Confidential Information of a similar nature, and in no event less than reasonable care; (iii) disclose Confidential Information only to those of its employees, contractors, and advisors who have a genuine need to know and who are bound by confidentiality obligations no less stringent than those in this Section; and (iv) not disclose Confidential Information to any third party without prior written consent.
14.3. Survey Response Confidentiality. Survey responses submitted by Content Creators are treated as strictly confidential. Agencies receive only aggregated, anonymized compliance indicators. Individual Survey responses may only be disclosed (i) to Administrators in accordance with Section 13, (ii) pursuant to valid legal process under Section 7.4, or (iii) to Partner Law Firms in accordance with Section 9.
14.4. Exceptions. Confidentiality obligations do not apply to information that: (i) is or becomes public through no breach of these Terms; (ii) was rightfully known to the receiving Party before disclosure; (iii) is rightfully received from a third party without confidentiality obligation; (iv) is independently developed without use of the Confidential Information; or (v) is required to be disclosed by law or court order, in which case the disclosing Party shall give prior notice where legally permitted.
14.5. Duration. Confidentiality obligations survive termination of these Terms for a period of five (5) years, save that obligations in respect of trade secrets survive for as long as the information in question qualifies as a trade secret under applicable law.
15. Service Level and Availability
15.1. Target Availability. The Company targets a monthly availability of ninety-nine point five percent (99.5%) for the production Platform, measured on a calendar-month basis, excluding: (i) scheduled maintenance notified in accordance with Section 15.2; (ii) downtime caused by User error, by the User's network or devices, or by the User's third-party dependencies; (iii) downtime caused by distributed denial-of-service attacks or by any other cause outside the Company's reasonable control; and (iv) force majeure events.
15.2. Scheduled Maintenance. The Company shall use commercially reasonable efforts to perform scheduled maintenance during off-peak hours (22:00 to 06:00 UTC) and to provide at least forty-eight (48) hours' prior notice of maintenance likely to cause service interruption.
15.3. No SLA Credits. Unless a written enterprise SLA has been separately executed with the Agency, service-level commitments, including availability credits, do not give rise to any credit, refund, rebate, or other remedy, and the availability target in Section 15.1 is a commercially reasonable effort only.
16. Disclaimers and Warranty Exclusions
16.1. GENERAL DISCLAIMER.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE PLATFORM, THE SURVEY CONTENT, THE RISK SCORES, THE COMPLIANCE REPORTS, AND ANY OTHER OUTPUT OF THE PLATFORM ARE PROVIDED "AS IS" AND "AS AVAILABLE", WITHOUT WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING ANY WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, ACCURACY, COMPLETENESS, CURRENCY, UNINTERRUPTED OPERATION, OR SECURITY.
16.2. NO COMPLIANCE GUARANTEE.
WITHOUT LIMITATION, THE COMPANY DOES NOT WARRANT THAT: (A) THE PLATFORM WILL BE UNINTERRUPTED, TIMELY, SECURE, OR ERROR-FREE; (B) RISK SCORES OR COMPLIANCE INDICATORS WILL BE ACCURATE, COMPLETE, OR REFLECT ACTUAL LEGAL COMPLIANCE; (C) THE PLATFORM WILL MEET THE REQUIREMENTS OF ANY SPECIFIC LAW OR REGULATION IN ANY SPECIFIC JURISDICTION; (D) SURVEY RESPONSES WILL BE TRUTHFUL, ACCURATE, OR COMPLETE; (E) ANY DEFECT WILL BE CORRECTED; OR (F) ANY OUTPUT OF THE PLATFORM WILL BE ADMISSIBLE IN COURT, GIVEN EVIDENTIARY WEIGHT, OR SUFFICIENT TO ESTABLISH COMPLIANCE OR LIABILITY.
16.3. NOT A SUBSTITUTE FOR PROFESSIONAL ADVICE.
The Platform does not provide, and is not a substitute for, legal, tax, accounting, insurance, or other professional advice. The Company is not a law firm and does not provide legal advice. Agencies and Content Creators are strongly advised to engage qualified professionals before taking any action that may have legal, tax, or financial consequences. Any reliance placed on Platform output is at the User's own risk.
16.4. THIRD-PARTY SERVICES.
The Platform relies on third-party services (including Veriff for identity verification, Stripe for payment processing, and cloud infrastructure providers). The Company makes no warranty in respect of such third-party services and shall not be liable for their availability, accuracy, or performance beyond the Company's contractual obligations in respect of subprocessor management under the Privacy Policy.
17. Limitation of Liability
17.1. EXCLUSION OF INDIRECT DAMAGES.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL THE COMPANY, ITS AFFILIATES, DIRECTORS, OFFICERS, EMPLOYEES, CONTRACTORS, OR AGENTS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS, LOST REVENUE, LOST BUSINESS, LOST OPPORTUNITY, LOST GOODWILL, LOST OR CORRUPTED DATA, REPUTATIONAL HARM, OR BUSINESS INTERRUPTION, ARISING OUT OF OR RELATING TO THESE TERMS, THE PLATFORM, OR THE PROGRAM, REGARDLESS OF THE LEGAL THEORY (CONTRACT, TORT, STRICT LIABILITY, OR OTHERWISE), AND EVEN IF THE COMPANY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
17.2. AGGREGATE CAP.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE COMPANY'S AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO THESE TERMS, THE PLATFORM, OR THE PROGRAM, FOR ANY AND ALL CLAIMS COMBINED, WHETHER IN CONTRACT, TORT, OR OTHERWISE, SHALL NOT EXCEED THE LESSER OF: (A) THE TOTAL FEES ACTUALLY PAID BY THE AFFECTED USER TO THE COMPANY DURING THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM; OR (B) FIFTY THOUSAND EUROS (€50,000). ANY AMOUNT PAID BY THE COMPANY UNDER THE PROGRAM IS SEPARATE FROM, AND DOES NOT REDUCE OR EXHAUST, THIS AGGREGATE CAP.
17.3. Basis of the Bargain
The User acknowledges that the disclaimers and limitations in Sections 16 and 17 are an essential basis of the bargain, reflect the allocation of risk between the Parties, and are taken into account in the pricing of the Platform. Without these disclaimers and limitations, the Platform would not be provided at its current prices.
17.4. Mandatory Law Carve-Out
Nothing in these Terms excludes or limits liability to the extent that such exclusion or limitation is prohibited by applicable mandatory law. In particular, nothing in these Terms excludes or limits liability for: (i) death or personal injury caused by negligence; (ii) fraud or fraudulent misrepresentation; (iii) willful misconduct; (iv) any liability that cannot lawfully be excluded or limited in the applicable jurisdiction.
18. Indemnification
18.1. Indemnification by the User. The User shall indemnify, defend, and hold harmless the Company, its Affiliates, directors, officers, employees, contractors, and agents (the "Indemnified Parties") from and against any and all third-party claims, demands, actions, proceedings, liabilities, damages, losses, judgments, fines, penalties, and expenses (including reasonable attorneys' fees and court costs) ("Losses") arising out of or related to:
- The User's access to or use of the Platform, including any User Data submitted by or on behalf of the User.
- The User's breach of these Terms, of the Acceptable Use Policy, or of any applicable law.
- The User's infringement or alleged infringement of any right of a third party (including intellectual property, privacy, publicity, or dignity rights).
- Any inaccuracy, misrepresentation, or omission in registration information or Survey responses submitted by or on behalf of the User.
- Any dispute between the User and a Content Creator, a regulator, a tax authority, or any third party.
- Any act or omission of any employee, contractor, or authorized representative of the User.
18.2. Control of Defense. The Company may, at its sole option, assume exclusive control of the defense and settlement of any matter subject to indemnification, at the User's expense. The User may not settle any such matter without the Company's prior written consent. The User shall cooperate fully with the Indemnified Parties in the defense.
18.3. No Limitation of Cap. The User's indemnification obligations under this Section 18 are not subject to the aggregate liability cap in Section 17.2.
19. Audit Rights
19.1. Audit. The Company, or a qualified independent third party appointed by the Company and bound by confidentiality, shall have the right to audit the Agency's compliance with these Terms, with the Acceptable Use Policy, and with the eligibility Conditions of the Program, at the Company's own expense (unless the audit reveals a material breach, in which case the Agency shall bear reasonable audit costs).
19.2. Scope. The audit may include, without limitation, review of KYB documentation, written contracts with Content Creators, proof of insurance, proof of compliance with applicable law, records of responses to compliance alerts, interviews with the Agency's representatives, and any other relevant records.
19.3. Cooperation. The Agency shall cooperate with the audit, provide reasonable access to records and representatives during normal business hours, and respond to audit requests within fifteen (15) business days.
19.4. Frequency. Audits shall be conducted no more than once per calendar year, except (i) where the Company has reasonable grounds to suspect a breach, (ii) in the context of a Covered Matter, or (iii) where required by law, in which cases audits may be conducted as often as necessary.
19.5. Confidentiality of Audit. Audit findings are confidential and are used solely for the purposes of these Terms and the Program.
20. Term, Suspension, and Termination
20.1. Term
These Terms commence on the date of acceptance and continue until terminated in accordance with this Section 20.
20.2. Termination by the User
20.2.1. Agency. The Agency may terminate its Subscription for convenience at the end of the current billing cycle by giving written notice to contact@legaflow.io no later than thirty (30) days before the end of the billing cycle. Subscriptions with a fixed minimum term (as set out in the Order Form) may be terminated only upon expiry of that minimum term, subject to Section 20.3.
20.2.2. Content Creator. A Content Creator may terminate their account at any time through the Platform or by written notice to contact@legaflow.io, with immediate effect, subject to the legally required retention of certain data under the Privacy Policy.
20.3. Termination for Cause by the Agency
The Agency may terminate its Subscription for material breach by the Company upon thirty (30) days' prior written notice, where the Company has failed to cure such material breach within that notice period. In case of termination for cause by the Agency under this Section, the Agency is entitled to a pro-rata refund of the unused prepaid period.
20.4. Suspension and Termination by the Company
The Company may suspend or terminate access to the Platform, at its sole discretion, immediately and without prior notice, where:
- The User breaches any provision of these Terms.
- The User fails to pay applicable fees when due and does not cure within the applicable grace period.
- The Company is required to do so by law, court order, or competent authority.
- The Company reasonably believes that continued access may cause legal, reputational, or operational harm to the Company, to other Users, or to any third party.
- The User engages in conduct prohibited by Section 10.
- A Content Creator ceases to use the Platform or is no longer verifiable.
- The Platform is discontinued.
- Any representation made by the User proves to have been false at the time of making.
20.5. Effect of Suspension
During suspension, the User's access is blocked, but these Terms continue to apply, data is retained in accordance with the Privacy Policy, and fees continue to accrue. Suspension does not, of itself, trigger termination, but continued suspension for more than sixty (60) days entitles the Company to terminate.
20.6. Consequences of Termination
Upon termination for any reason:
- The User's license to use the Platform ceases immediately.
- The User shall immediately cease all use of the Platform and return or destroy all copies of any Confidential Information.
- The Company may delete the User's account, subject to legally required retention.
- The Company retains audit log data, Survey Hashes, and related evidentiary records for the five (5) year retention period defined in Section 7.3 and the Privacy Policy.
- Any outstanding fees become immediately due and payable.
- Any pending Covered Matter under the Program may be terminated at the Company's sole discretion pursuant to Section 9.11.
- The User may request a data export within thirty (30) days of termination; after such period, the Company is under no obligation to retain User Data beyond statutory retention.
20.7. Survival
Sections 1 (Definitions), 6.4 (Continuing Nature), 7 (Survey Integrity), 9.12 (Clawback), 9.13 (Subrogation), 12 (Intellectual Property), 13 (Privacy), 14 (Confidentiality), 16 (Disclaimers), 17 (Limitation of Liability), 18 (Indemnification), 20.6 (Consequences of Termination), 21 (Governing Law), 22 (Dispute Resolution), and any other provision that by its nature is intended to survive, shall survive termination.
21. Governing Law
21.1. Governing Law. These Terms, and any non-contractual obligation arising out of or in connection with them, are governed by, and shall be construed in accordance with, the laws of the Republic of Poland, excluding its conflict-of-laws rules and excluding the United Nations Convention on Contracts for the International Sale of Goods (CISG).
21.2. B2B Nature of the Contract. The Parties acknowledge and agree that these Terms are concluded between business entities acting in the course of their professional activity. The Platform is not directed at consumers and is not designed for, marketed to, or made available to consumers. Consumer-protection laws that presuppose a consumer Party are not intended to apply to this contractual relationship. Any mandatory statutory protection that applies notwithstanding the above shall apply only to the minimum extent required by law and shall not alter the B2B nature of these Terms.
21.3. International Users. For Users located outside the European Economic Area, these Terms remain governed by Polish law unless prohibited by mandatory local law, in which case the applicable mandatory rules of the User's country apply to the minimum extent required.
22. Dispute Resolution
22.1. Good-Faith Negotiation
Before initiating any formal proceeding, the Parties agree to attempt in good faith to resolve any dispute through direct negotiation for a period of thirty (30) days, starting from written notice of the dispute sent to contact@legaflow.io.
22.2. Mediation (Optional)
The Parties may, by mutual written agreement, refer any unresolved dispute to a mediator of their joint choice before initiating formal proceedings. Mediation is not a mandatory pre-condition to litigation or arbitration; it is offered solely for the efficient resolution of commercial disputes between business Parties.
22.3. Arbitration (Business Users – Optional Opt-In)
For disputes between the Company and a business User where both Parties expressly agree in writing, any unresolved dispute may be finally settled by arbitration under the Rules of the Court of Arbitration at the Polish Chamber of Commerce in Warsaw, by one or three arbitrators appointed in accordance with said rules, seat Warsaw, language English. In the absence of such express written agreement, Section 22.4 applies.
22.4. Exclusive Jurisdiction
Subject to Section 22.3, the courts of Warsaw, Poland have exclusive jurisdiction over any dispute arising out of or related to these Terms. The Company retains the right to bring proceedings in any court of competent jurisdiction where the User is domiciled, where the User's assets are located, or where enforcement of a judgment is required.
22.5. Waiver of Class Action
To the extent permitted by applicable law, disputes shall be resolved on an individual basis and not as a class, collective, representative, or group action. Given that the Platform is reserved for business Users acting in the course of their professional activity, consumer-protection restrictions on class-action waivers are not intended to apply; this Section 22.5 nonetheless does not apply where expressly prohibited by mandatory law.
22.6. Injunctive Relief
Notwithstanding the foregoing, either Party may seek injunctive, provisional, or other equitable relief in any court of competent jurisdiction to protect its intellectual property, confidential information, or other rights that would not be adequately protected by monetary damages.
22.7. Limitation Period
Any claim arising out of or related to these Terms must be brought within the shorter of (i) the statutory limitation period applicable under the governing law and (ii) two (2) years from the date the claim first arose, except where mandatory law requires a longer period.
23. Jurisdiction-Specific Provisions
The Company does business globally. The following Sections address non-regulated-status confirmations in certain jurisdictions, without creating any additional rights in favour of any User beyond those that arise under mandatory law.
23.1. Poland (Primary Jurisdiction)
As the Company's place of incorporation, Polish law is the primary law governing these Terms. The Company confirms that it is not a regulated entity under the Polish Act on Insurance and Reinsurance Activity of 11 September 2015, the Polish Act on Distribution of Insurance of 15 December 2017, the Polish Act on Advocacy of 26 May 1982, the Polish Act on Legal Advisers of 6 July 1982, the Polish Act on Payment Services of 19 August 2011, or any other regulatory regime conferring a protected professional status. The Platform is a software product made available on a subscription basis.
23.2. European Union
The Platform is designed for use by business Users in the course of their professional activity. The Platform is not a hosting service within the meaning of Article 3(g) of Regulation (EU) 2022/2065 (Digital Services Act); the Platform does not make user-generated content publicly available and is not an online platform, online search engine, very large online platform, or very large online search engine within the meaning of that Regulation. The Company is not an insurance undertaking within the meaning of Directive 2009/138/EC (Solvency II), not an insurance intermediary within the meaning of Directive (EU) 2016/97 (IDD), not a payment institution within the meaning of Directive (EU) 2015/2366 (PSD2), and not a crypto-asset service provider within the meaning of Regulation (EU) 2023/1114 (MiCA).
23.3. Other Jurisdictions – United States
For Users located in the United States, the Legal Defense Assistance Program is not insurance under any U.S. state insurance code. The Program is a discretionary contractual benefit offered by the Company to qualifying business Users. The Program does not involve the pooling of risk, the payment of a premium for coverage, the underwriting of risk, or any of the other elements that characterise an insurance contract under applicable U.S. state law. Arbitration under Section 22.3 applies only where both Parties expressly agree in writing. For California-based business Users, additional information regarding the Processing of Personal Information is disclosed in the Privacy Policy.
23.4. Other Jurisdictions – United Kingdom
For Users located in the United Kingdom, references to the GDPR in these Terms shall be read as also referring to the UK GDPR and the Data Protection Act 2018 where applicable. The Program is not a contract of insurance within the meaning of the Financial Services and Markets Act 2000 or the regulated-activities order made thereunder.
23.5. Other Jurisdictions – General
Where the law of any other jurisdiction applies on a mandatory basis to these Terms, the Company will comply with such mandatory law but is not otherwise subject to country-specific regulated-profession regimes unless expressly confirmed in writing. Users are responsible for determining their own regulatory position in their jurisdiction of establishment.
24. Force Majeure
24.1. Definition. "Force Majeure" means any event beyond the reasonable control of the affected Party, including, without limitation: acts of God, natural disasters, fire, flood, earthquake, epidemic, pandemic, or public health emergency; war, terrorism, civil unrest, riot, revolution, or sabotage; governmental action, court order, embargo, sanctions, or other legal prohibition; labor dispute, strike, or lockout; failure of third-party infrastructure (including cloud infrastructure, internet backbone, payment networks, or identity verification providers); distributed denial-of-service attacks or other cyber-incidents affecting the Platform; or any similar event.
24.2. Suspension of Obligations. Neither Party is liable for any delay or failure to perform its obligations under these Terms (other than payment obligations) resulting from Force Majeure, provided that the affected Party notifies the other Party without delay and uses reasonable efforts to resume performance.
24.3. Prolonged Force Majeure. Where Force Majeure continues for more than sixty (60) consecutive days, either Party may terminate these Terms by written notice, without liability except for accrued obligations prior to the Force Majeure event.
25. Notices
25.1. To the Company. All notices to the Company must be sent in writing to: OMAZEO SP. Z O.O., Plac Bankowy 2, 00-095 Warszawa, Poland, or by email to contact@legaflow.io. Notices take effect upon receipt.
25.2. To the User. Notices to the User may be sent by email to the address registered on the User's account or by in-Platform notification. Notices to the User by email take effect on the day of sending.
25.3. Language. All notices shall be in English.
26. Assignment
26.1. By the User. The User shall not assign, transfer, sublicense, or otherwise delegate its rights or obligations under these Terms without the Company's prior written consent, which shall not be unreasonably withheld. Any purported assignment without consent is void.
26.2. By the Company. The Company may freely assign, transfer, sublicense, or otherwise delegate its rights or obligations under these Terms, in whole or in part, without consent, including in connection with a merger, acquisition, corporate reorganization, sale of assets, or change of control.
27. Amendment
27.1. The Company may modify these Terms at any time. Material changes will be communicated by email to the Agency's registered email address and/or through the Platform at least thirty (30) days before the effective date.
27.2. If the User does not agree with the modification, the User may terminate the Subscription before the effective date at no penalty and, in case of prepayment, will be refunded the unused prepaid period.
27.3. Continued use of the Platform after the effective date constitutes acceptance of the modified Terms.
28. Entire Agreement
These Terms, together with the Privacy Policy, the Cookie Policy, the Data Processing Agreement (where applicable), any Order Form, and any individually signed service agreement, constitute the entire agreement between the Parties regarding the Platform, and supersede all prior or contemporaneous communications, proposals, representations, or agreements, whether oral or written. No pre-contractual statement not expressly included in these Terms or in an Order Form shall bind either Party.
29. Severability and Interpretation
29.1. Severability. If any provision of these Terms is held invalid, illegal, or unenforceable by a court of competent jurisdiction, the remaining provisions shall continue in full force and effect, and the invalid provision shall be replaced by a valid provision that achieves, to the maximum extent possible, the original economic and legal intent.
29.2. No Waiver. No failure or delay in exercising any right, power, or privilege under these Terms shall operate as a waiver, and no single or partial exercise shall preclude any other or further exercise. Waivers must be in writing and signed by the waiving Party to be effective.
29.3. Language. These Terms are drafted in the English language. Any translation is for convenience only. In case of conflict between the English version and any translation, the English version prevails, except where mandatory local law requires otherwise.
29.4. Headings. Headings are for convenience only and shall not affect interpretation.
29.5. Independent Contractors. The Parties are independent contractors. Nothing in these Terms creates any agency, partnership, joint venture, employment, or franchise relationship.
29.6. No Third-Party Beneficiaries. Except as expressly provided herein (notably with respect to the Indemnified Parties under Section 18), no person other than the Parties has any right to enforce these Terms.
29.7. Electronic Contracting. The User expressly agrees that these Terms are validly concluded by electronic means and that electronic acceptance (click-through) has the same legal force as a handwritten signature, to the extent permitted by applicable law.
29.8. Counterparts. If these Terms are executed in counterparts, each counterpart is an original, and all counterparts together constitute one agreement.
30. Miscellaneous
30.1. Cumulative Remedies. The rights and remedies of the Company under these Terms are cumulative and in addition to any other rights and remedies available at law or in equity.
30.2. No Admission. Nothing in these Terms, in the Program, in any communication, or in any refusal of funding shall be deemed an admission of fault, liability, or responsibility by the Company.
30.3. Currency and Payment Obligations. All payment obligations are payable in the currency specified in the invoice or Order Form, without deduction or set-off, and irrespective of any claim by the User.
30.4. Export Control. The Platform is subject to applicable export-control laws and regulations. The User shall not access, use, or download the Platform in violation of any such law.
30.5. Benchmarking. The User shall not publicly disclose performance benchmarks, feature comparisons, or similar evaluations of the Platform without the Company's prior written consent.
30.6. Marketing Reference. The Company may publicly refer to an Agency as a customer, including by displaying the Agency's name and logo on the Company's website and in marketing materials, unless the Agency opts out in writing. Marketing reference rights do not extend to disclosure of Confidential Information.
31. Contact
For all questions relating to these Terms:
- All enquiries (general, support, sales, legal, Program requests, security incidents, illicit-content reports, accessibility): contact@legaflow.io
- Data protection, Data Protection Officer, and GDPR rights requests: dpo@legaflow.io
- Postal address: OMAZEO SP. Z O.O., Plac Bankowy 2, 00-095 Warszawa, Poland
- Website: https://www.legaflow.io
– End of Terms of Service –
EXHIBIT A
Data Processing Agreement (Article 28 GDPR)
between OMAZEO SP. Z O.O. (Processor) and the Agency (Controller)
This Data Processing Agreement (the "DPA") forms Exhibit A to, and an integral part of, the Terms of Service (the "Terms") between OMAZEO SP. Z O.O., a Polish limited liability company with registered office at Plac Bankowy 2, 00-095 Warszawa, Poland, KRS 0000879770, NIP 7842524687, REGON 387980205, share capital 20,000 PLN (the "Processor", "LegaFlow", "Company", "we"), and each Agency that accepts the Terms (the "Controller", "Agency", "you"). The Processor and the Controller are together referred to as the "Parties" and individually as a "Party".
This DPA governs the Processing of Personal Data by the Processor on behalf of the Controller, in accordance with Article 28 of Regulation (EU) 2016/679 of 27 April 2016 (the General Data Protection Regulation, "GDPR"), with Article 28 of the UK GDPR where applicable, with the Polish Act on the Protection of Personal Data of 10 May 2018, and with any other data-protection law that applies by virtue of the Controller's establishment or activity (together, "Data-Protection Law").
Capitalised terms not defined in this DPA have the meaning given to them in the Terms or, failing that, in the GDPR. In the event of any conflict between this DPA and the Terms, this DPA prevails in respect of the Processing of Personal Data.
1. Scope and Roles
1.1. Scope. This DPA applies exclusively to the Processing activities in which the Processor acts as processor on behalf of the Controller, as listed in Section 2 below. It does not apply to Processing activities in respect of which the Processor acts as controller (account and billing data of the Controller's users, website analytics, sales prospecting, the Company's own legal-compliance Processing, and the discretionary Legal Defense Assistance Program), which are governed by the LegaFlow Privacy Policy. Nor does it apply to joint-controller Processing activities, which are governed by the Joint-Controller Arrangement incorporated by reference below (Section 9).
1.2. Roles. In respect of Personal Data that is the subject of this DPA: (a) the Agency is the Controller within the meaning of Article 4(7) GDPR; (b) OMAZEO is the Processor within the meaning of Article 4(8) GDPR; (c) OMAZEO's approved sub-processors are Sub-processors within the meaning of Article 28(2) to (4) GDPR.
1.3. Controller's Responsibility. The Controller acknowledges that it remains responsible for the lawfulness of the Processing it carries out and, in particular, for: (a) the existence of a valid legal basis under Article 6 GDPR (and, where applicable, Article 9 GDPR) for each Processing activity it instructs; (b) the completeness and accuracy of the information it provides to Data Subjects under Articles 13 and 14 GDPR; (c) the collection of any required consents; (d) the response to Data-Subject requests in accordance with Articles 15 to 22 GDPR (with the Processor's assistance as set out in Section 8 below); (e) the decision to transfer Personal Data outside the European Economic Area and the instruction to the Processor to do so; (f) the maintenance of its own Article 30 GDPR records of processing activities; and (g) the notification of Personal-Data breaches to competent supervisory authorities and Data Subjects where the Controller is required to do so.
2. Subject Matter, Duration, Nature, and Purpose of Processing
| Item | Description |
|---|---|
| Subject matter | Processing of Personal Data relating to Content Creators and to the Controller's business in connection with the provision of the LegaFlow platform. |
| Duration | Duration of the Controller's Subscription, plus any retention period required by law or expressly provided in the Terms. |
| Nature of Processing | Collection, storage, structuring, retrieval, consultation, analysis, transmission, restriction, erasure, and destruction of Personal Data through a SaaS platform, for the purpose of compliance monitoring, consent documentation, and reporting. |
| Purpose | (i) Deployment of structured compliance questionnaires to Content Creators enrolled by the Controller; (ii) production of algorithmic risk indicators (Risk Score); (iii) production of aggregated Agency-level dashboards and downloadable PDF Compliance Reports; (iv) maintenance of tamper-evident audit trails; (v) contract analysis and storage on behalf of the Controller; (vi) provision of related customer support, in each case in accordance with the Terms. |
| Categories of Personal Data | Identification data (names, dates of birth, nationality, ID documents, biometric data collected by Veriff); contact data; engagement data; contract data uploaded by the Controller; Survey responses (which may include Special Categories under Article 9 GDPR, in particular data concerning sex life, mental-health indicators, and biometric data); derived data (Risk Score, alerts, review states); audit-log metadata. |
| Categories of Data Subjects | (i) Content Creators enrolled by the Controller; (ii) the Controller's users (administrators, managers) accessing the platform; (iii) third parties identified in documents uploaded or communications sent by the Controller (e.g., counterparties named in Creator contracts). |
| Nature of Processing activities | Mixed automated and manual Processing carried out by the Processor and its Sub-processors on computer systems hosted within the European Economic Area. |
3. Processor's Obligations
3.1. Processing on Documented Instructions
The Processor shall Process Personal Data only on the documented instructions of the Controller, including with regard to international transfers, unless required to Process by Union or Polish law applicable to the Processor, in which case the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest. The Controller's initial instructions are set out in the Terms and in this DPA; further instructions may be given in writing (including by email) through the platform's messaging channel or via contact@legaflow.io. The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction infringes Data-Protection Law.
3.2. Confidentiality
The Processor shall ensure that persons authorised to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data within the Processor is restricted to personnel who need such access to perform their tasks, under role-based access controls.
3.3. Security of Processing
The Processor shall implement and maintain the technical and organisational measures described in Appendix 2 to this DPA, which are designed to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing, and the risks to the rights and freedoms of natural persons, in accordance with Article 32 GDPR. The Processor reviews and updates these measures from time to time; updates that do not materially reduce the overall level of security do not require the Controller's prior approval.
3.4. Assistance to the Controller
Taking into account the nature of the Processing, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to Data-Subject requests under Articles 15 to 22 GDPR. Taking into account the nature of the Processing and the information available to the Processor, the Processor shall also assist the Controller in ensuring compliance with the obligations set out in Articles 32 to 36 GDPR (security, breach notification, DPIA, prior consultation). Assistance described in this Section 3.4 is provided at no additional cost for routine requests (fewer than five (5) per calendar quarter); additional requests may be charged at the Processor's standard professional rates.
3.5. Deletion or Return of Data
At the Controller's choice, the Processor shall delete or return all Personal Data to the Controller after the end of the provision of services relating to Processing, and shall delete existing copies unless Union or Polish law requires storage. Deletion or return shall be completed within sixty (60) days from the termination or expiry of the Subscription, unless a longer period is required to satisfy legal retention obligations (in which case the Processor shall retain the Personal Data only for the duration of such obligation, shall not Process it for any other purpose, and shall delete it upon expiry of the obligation).
3.6. Information Made Available
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in Article 28 GDPR, and shall allow for and contribute to audits as set out in Section 10 below.
4. Sub-Processors
4.1. General Authorisation
The Controller grants the Processor a general authorisation to engage Sub-processors for the Processing activities described in this DPA, subject to the conditions set out in this Section 4.
4.2. Current Sub-Processors
The Sub-processors engaged by the Processor at the date of acceptance of this DPA are listed in Appendix 1. An up-to-date list is published at legaflow.io/subprocessors.
4.3. New Sub-Processors
The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors by publishing an updated list at legaflow.io/subprocessors and, where the Controller has subscribed to notifications, by sending an email to the Controller, in each case no less than thirty (30) days before the engagement of the new Sub-processor takes effect. The Controller may object to a new Sub-processor on reasonable data-protection grounds by notifying the Processor in writing before the effective date of the engagement. If the Parties cannot reach a resolution in good faith within fifteen (15) days of the objection, the Controller may, as its sole and exclusive remedy, terminate the affected Subscription without penalty, in which case fees paid in advance for the remainder of the current term shall be refunded on a pro-rata basis.
4.4. Sub-Processor Agreements
The Processor shall impose on each Sub-processor, by way of a written contract, data-protection obligations substantively equivalent to those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing will meet the requirements of the GDPR. The Processor remains fully liable to the Controller for the performance of the Sub-processors' obligations.
5. International Transfers
5.1. Principle. Personal Data is primarily Processed within the European Economic Area. Transfers outside the EEA take place only where a lawful transfer mechanism under Chapter V GDPR is in place.
5.2. Transfer Mechanism. Where Personal Data is transferred by the Processor (or by a Sub-processor acting on the Processor's behalf) to a third country that is not the subject of an adequacy decision, the transfer is governed by the European Commission Standard Contractual Clauses (Implementing Decision (EU) 2021/914), Module 2 (Controller to Processor) or Module 3 (Processor to Sub-processor) as appropriate, supplemented by the supplementary technical and organisational measures described in Appendix 2 and, where applicable, by the UK International Data Transfer Agreement (IDTA) or by the UK Addendum to the EU SCCs.
5.3. Controller Mandate. The Controller hereby authorises the Processor, acting on behalf of the Controller, to enter into the Standard Contractual Clauses or equivalent transfer mechanisms with each Sub-processor that Processes Personal Data outside the EEA, and to document such entry in the Processor's records.
6. Data-Subject Requests
6.1. Routing. Data-Subject requests received directly by the Processor and relating to Personal Data Processed on behalf of the Controller are, as a rule, forwarded to the Controller without undue delay, and in any event within five (5) business days of receipt. The Processor does not respond substantively to such requests, except upon the Controller's documented instruction or where a direct response is required by Data-Protection Law.
6.2. Assistance. The Processor shall provide the Controller with reasonable assistance, through the platform's export, edit, and deletion features and through support at contact@legaflow.io, to enable the Controller to respond to Data-Subject requests within the timeframes set by Articles 12(3) and 15 to 22 GDPR.
7. Personal-Data Breaches
7.1. Notification to the Controller. The Processor shall notify the Controller of any Personal-Data breach affecting Personal Data Processed on behalf of the Controller without undue delay after becoming aware of it, and in any event within seventy-two (72) hours. The notification shall, to the extent available at the time, include: (a) the nature of the breach, including where possible the categories and approximate number of Data Subjects and records concerned; (b) the name and contact details of the Processor's Data Protection Officer or other contact point; (c) the likely consequences of the breach; (d) the measures taken or proposed to address the breach and to mitigate its possible adverse effects. The Processor will supplement the initial notification with further information as it becomes available, without undue delay.
7.2. Obligations of the Controller. The Controller is responsible, to the extent required by Data-Protection Law, for the notification of the breach to the competent supervisory authority and, where appropriate, to the affected Data Subjects. The Processor shall provide reasonable assistance to enable such notification.
7.3. No Acknowledgement of Liability. Notification of a breach by the Processor does not constitute an acknowledgement of any fault or liability by the Processor.
8. Data Protection Impact Assessments and Prior Consultation
The Processor shall provide reasonable assistance to the Controller, upon written request, in respect of (a) Data Protection Impact Assessments under Article 35 GDPR, and (b) prior consultation of supervisory authorities under Article 36 GDPR, to the extent that such assistance concerns Processing activities covered by this DPA and is reasonably available to the Processor given the nature of the Processing and the information available to it.
9. Joint-Controller Arrangement (Incorporated by Reference)
In respect of (i) identity verification of Content Creators through Veriff, and (ii) Survey design, deployment frequency, and the algorithmic parameters that produce the Risk Score, the Parties act as Joint Controllers within the meaning of Article 26 GDPR. The essence of the Joint-Controller Arrangement applicable to such Processing is set out in Section 2.2 of the LegaFlow Privacy Policy and is incorporated into this DPA by reference. In summary: the Controller (Agency) is responsible for informing the Content Creators and for collecting their consent at the point of enrolment and in the context of periodic Surveys; the Processor is responsible for the design of the verification and survey methodology, for the secure operation of the associated features, and for publishing the transparent information required by Article 13 GDPR on the LegaFlow side. Data Subjects may exercise their rights vis-à-vis either Party.
10. Audits
10.1. Principle. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, in accordance with the remainder of this Section 10.
10.2. Audit Reports. As a first step, the Controller shall accept the provision by the Processor of up-to-date audit reports, certifications (e.g., ISO 27001, SOC 2 Type II when available), and security documentation, which the Processor shall provide on reasonable request. If such documentation is insufficient to demonstrate compliance in respect of a specific, reasoned concern, the Controller may request an on-site audit under Section 10.3.
10.3. On-Site Audits. On-site audits may be conducted no more than once per calendar year (save where a Personal-Data breach or a reasoned order of a supervisory authority justifies a further audit), upon at least thirty (30) days' prior written notice, during the Processor's business hours, in a manner that does not unreasonably interfere with the Processor's operations, subject to confidentiality undertakings signed by the auditor, and at the Controller's cost. The auditor may not be a competitor of the Processor. The audit shall be limited to information reasonably necessary to verify compliance with this DPA; it shall not extend to information relating to other customers of the Processor, to the Processor's commercial or pricing data, to source code, or to Processor confidential information not relevant to Data-Protection Law compliance.
11. Liability
The Parties' liability under this DPA is subject to the limitations of liability set out in Section 17 of the Terms, which are expressly incorporated by reference. Nothing in this DPA increases or extends the Parties' respective liabilities beyond what is provided in the Terms, except to the extent required by mandatory Data-Protection Law. In particular, each Party is liable for administrative fines imposed on it directly by a supervisory authority under Article 83 GDPR. The Controller indemnifies and holds the Processor harmless against any claim, fine, or damages resulting from (a) the Controller's breach of its own obligations under Data-Protection Law, (b) any Processing instruction given by the Controller in violation of Data-Protection Law, or (c) the Controller's failure to collect required consents or to provide required information to Data Subjects.
12. Term and Termination
This DPA enters into effect upon the Controller's acceptance of the Terms and continues for the duration of the Subscription. It terminates automatically upon the termination or expiry of the Subscription, subject to the survival of the obligations under Sections 3.2 (Confidentiality), 3.5 (Deletion or Return), 7 (Personal-Data Breaches in respect of Processing that took place before termination), 10 (Audits, to the extent of the one-year post-termination period), and 11 (Liability).
13. Governing Law and Jurisdiction
This DPA is governed by Polish law, without regard to conflict-of-laws rules. The Parties submit to the exclusive jurisdiction of the competent courts of Warsaw, Poland, in accordance with Section 22.4 of the Terms, save that each Party retains its right to seek injunctive relief in any court of competent jurisdiction.
14. Order of Precedence
In the event of any conflict between this DPA, the Terms, and any other document between the Parties, the following order of precedence applies, from highest to lowest: (a) the European Commission Standard Contractual Clauses (where applicable); (b) this DPA; (c) the Terms; (d) any Order Form; (e) any other document signed between the Parties.
15. Miscellaneous
15.1. No Independent Fee. No separate fee is payable for this DPA. The Subscription fees payable under the Terms include remuneration for the Processing described herein.
15.2. Amendments. The Processor may amend this DPA from time to time to reflect changes in Data-Protection Law, in the Processor's technical or organisational measures, or in the Sub-processor list. Material amendments are notified to the Controller by email and published on the LegaFlow website at least thirty (30) days before they take effect. Continued use of the Platform after the effective date of an amendment constitutes acceptance of the amended DPA by the Controller.
15.3. Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect, and the invalid or unenforceable provision shall be replaced by a valid and enforceable provision that reflects the Parties' original intent as closely as possible.
Appendix 1 to the DPA – List of Sub-Processors
The Sub-processors engaged by the Processor at the effective date of this DPA are:
| Sub-processor | Purpose | Location of Processing | Transfer Mechanism |
|---|---|---|---|
| Veriff OÜ | KYC identity verification, age confirmation, sanctions screening of Content Creators | Estonia (EU) | EU – no additional mechanism |
| Stripe Payments Europe, Ltd. / Stripe, Inc. | Payment processing, tokenisation, billing, fraud detection | Ireland (EU), United States | EU SCCs + Supplementary Measures |
| Supabase Inc. (65 Chulia Street #38-02/03, OCBC Centre, Singapore 049513) | Managed PostgreSQL database, authentication, object storage | European Economic Area (EU region) | EU SCCs where applicable |
| Vercel Inc. (440 N Barranca Ave #4133, Covina, CA 91723, United States) | Frontend hosting, edge compute, content delivery | Global edge network with EU data residency option | EU SCCs + Supplementary Measures |
| Resend | Transactional and notification email | EU | EU region; SCCs for any US fallback |
| Cloudflare, Inc. | DDoS protection, CDN, bot management | Global edge network | EU SCCs + Supplementary Measures |
An up-to-date list is maintained at legaflow.io/subprocessors. New additions are notified at least thirty (30) days in advance.
Appendix 2 to the DPA – Technical and Organisational Measures
The Processor has implemented and maintains the following technical and organisational measures designed to ensure a level of security appropriate to the risk presented by the Processing, within the meaning of Article 32 GDPR. These measures are supplementary to those required by the European Commission Standard Contractual Clauses and are applied in addition to them for international transfers.
A. Encryption
- AES-256 encryption of Personal Data at rest, including databases, object storage, and backups;
- TLS 1.2 or higher for Personal Data in transit, with HSTS enforced on all public endpoints;
- Strong key management, including separation of key-management duties and periodic key rotation;
- End-to-end encryption of particularly sensitive Personal Data (such as Veriff biometric captures) where technically feasible.
B. Access Control
- Role-based access control (RBAC) based on the principle of least privilege;
- Multi-factor authentication (MFA) for all privileged accounts, for administrator accounts, and for Agency-side master accounts;
- Periodic review of access rights (at least quarterly);
- Immediate revocation of access upon departure of personnel;
- Strict tenant isolation between Agencies at the logical and, where feasible, physical database level;
- Session management with automatic timeout, re-authentication triggers, and IP-based anomaly detection.
C. Integrity and Auditability
- Append-only audit logs with SHA-256 hashing and periodic integrity verification;
- Timestamped recording of every platform action (Survey deployment, submission, consultation, report generation, dashboard action);
- Retention of audit logs for a minimum of five (5) years, extendable in the event of dispute, investigation, or regulatory request.
D. Availability and Resilience
- Redundant hosting architecture within the European Economic Area;
- Regular backups with tested restore procedures;
- Business-continuity and disaster-recovery plans tested at least annually;
- Defined Recovery Point Objective (RPO) and Recovery Time Objective (RTO) targets, monitored and reviewed.
E. Security Testing and Software Lifecycle
- Regular vulnerability scanning of infrastructure and applications;
- Periodic penetration testing by qualified independent third parties;
- Secure software-development lifecycle, including peer code review, static analysis, and dependency monitoring;
- Defined patching policy for security updates, with prioritisation based on severity.
F. Personnel
- Background checks for personnel with access to Personal Data, to the extent permitted by applicable law;
- Written confidentiality undertakings signed by all personnel;
- Periodic data-protection and information-security training;
- Clear reporting channels for internal security concerns.
G. Incident Response
- 24/7 on-call coverage for security incidents;
- Defined incident-response plan with classification, escalation, containment, and post-incident-review phases;
- Incident-notification procedure aligned with Article 33 GDPR and with Section 7 of this DPA.
H. Sub-Processor and Vendor Management
- Risk assessment of Sub-processors before engagement;
- Written data-processing agreements with each Sub-processor, incorporating obligations equivalent to those in this DPA;
- Periodic reassessment of Sub-processors (at least annually).
I. Data-Minimisation and Privacy by Design
- Privacy-by-design architecture: Agencies do not have access to individual Content-Creator Survey responses or individual Risk Scores; only aggregated indicators are exposed;
- Data-minimisation applied to the design of Surveys, of the dashboard, and of reports;
- Automated deletion of Personal Data upon expiry of the applicable retention period.
J. Transparency
- Public Privacy Policy, Cookie Policy, and Legal Notice;
- Published list of Sub-processors with notification of changes;
- Published security overview and incident-disclosure practices.
These measures are reviewed at least annually and updated as necessary to maintain an appropriate level of security in the light of the state of the art, the costs of implementation, and the nature, scope, context, purposes, and risks of the Processing.
– End of Exhibit A (Data Processing Agreement) –