
Terms of service

The terms under which Secruna provides its AI inventory and compliance platform to enterprise customers. Read alongside the Data Processing Addendum and the Subprocessors list.

1. Acceptance

By accessing or using the Secruna platform (the “Service”), or by signing an order form referencing these Terms, you (the “Customer”) agree to be bound by these Terms of Service (the “Terms”) and the documents referenced from them, including the Privacy Policy, the Data Processing Addendum and the published Subprocessors list. If you are entering into these Terms on behalf of an organisation, you represent that you have the authority to bind that organisation.

2. Definitions

  • Customer — the legal entity that has subscribed to the Service.
  • User — an individual authorised by the Customer to access the Service under the Customer’s tenant.
  • Tenant — the isolated logical environment within the Service allocated to the Customer, including its data, configuration and audit log.
  • Service — the Secruna AI inventory and compliance platform, including its connectors, classification engine, audit log, evidence-pack generator and APIs.
  • Documentation — the user guides, API references and policies that Secruna publishes for the Service.
  • Customer Data — any data the Customer or its Users submit to, or generate through, the Service.

3. The Service

The Service helps organisations build and maintain an inventory of AI systems, classify them against the EU AI Act, and produce audit-grade evidence packs for the technical file required by Article 11. Secruna may modify or update the Service from time to time; we will not materially reduce its functionality during a paid subscription term without notice.

The Service is not a substitute for qualified legal advice on the EU AI Act or any other regulation. Classification suggestions, risk scoring and evidence-pack templates are tools to accelerate compliance work; final determinations remain the Customer’s responsibility, made by competent professionals.

4. Accounts and Users

The Customer is responsible for maintaining the security of its account and for the actions of its Users. We strongly recommend that Users authenticate via single sign-on with multi-factor authentication. The Customer must promptly notify us at security@secruna.com of any actual or suspected unauthorised access.

5. Acceptable use

The Customer and its Users shall not:

  • Reverse-engineer, decompile or attempt to extract the source code of the Service, except to the extent such restriction is prohibited by applicable law.
  • Resell, sublicense or commercially redistribute the Service to third parties without a written agreement.
  • Use the Service to scrape, mirror or otherwise harvest data from systems the Customer is not authorised to access.
  • Conduct security testing, penetration testing or vulnerability scanning against the Service without prior written permission.
  • Use the Service to violate any applicable law, infringe third-party rights or process special category personal data outside the agreed configuration.
  • Interfere with or disrupt the integrity or performance of the Service or the data of other customers.

6. Customer obligations

The Customer shall:

  • Provide accurate, complete information when configuring connectors and identifying AI systems.
  • Maintain credentials and API keys securely and rotate them in line with the Customer’s own policies.
  • Comply with the Customer’s own obligations as a data Controller under GDPR and any other applicable data protection law.
  • Ensure that its Users have been informed of, and are bound by, terms at least as protective as these Terms.

7. Sub-processors

Secruna engages sub-processors to deliver the Service. The current list, the categories of data each processes, and the contractual basis (Standard Contractual Clauses where applicable) are published at /subprocessors. We provide 30 days’ advance notice before adding or replacing a sub-processor handling Customer Data, by email to the Customer’s designated contact and on the Subprocessors page. The Customer may object on reasonable data-protection grounds within that window; if we cannot accommodate the objection, the Customer may terminate the affected service for cause without penalty.

8. Confidentiality

Each party will protect the other’s Confidential Information with the same degree of care it uses for its own confidential information of like importance, and in any event no less than reasonable care. Confidential Information may be used solely to perform under these Terms and disclosed only to personnel and advisers with a need to know who are bound by confidentiality obligations. Confidentiality obligations survive termination for five years, except that trade secrets remain protected for as long as they qualify as such.

9. Intellectual property

Customer Data belongs to the Customer. The Customer grants Secruna a limited, non-exclusive licence to process Customer Data solely as necessary to provide the Service.

The Service and all underlying technology, including any improvements, feedback or insights derived from aggregated and de-identified usage patterns across customers, remain the exclusive property of Secruna. Aggregated and de-identified data may not be reverse-attributed to any individual customer.

10. Fees and payment

Fees, billing frequency and payment terms are set out in the order form. Unless otherwise agreed, fees are payable within 30 days of invoice. Late payment may attract statutory interest. Fees are exclusive of VAT and other applicable taxes.

11. Term and termination

The Service is provided for the term set out in the order form, with annual renewal as the default. Either party may terminate for material breach if the breach is not cured within 30 days’ written notice. Either party may terminate immediately on written notice if the other becomes insolvent or enters liquidation.

On termination, all Customer Data and audit log entries scoped to the Customer’s tenant are deleted within 30 days, save for what we are required to retain by law. Backups expire on the standard point-in-time-restore window of 35 days. Sub-processors are notified to delete derived data per their respective contracts. See the DPA, clause 11, for the binding deletion language.

12. Warranties and disclaimers

Secruna warrants that the Service will materially conform to the Documentation and will be provided with reasonable skill and care. Except as expressly stated, the Service is provided “as is” and Secruna disclaims all other warranties, including any implied warranties of merchantability, fitness for a particular purpose and non-infringement, to the maximum extent permitted by law.

13. Liability cap

To the maximum extent permitted by applicable law, each party’s aggregate liability arising out of or relating to these Terms, whether in contract, tort or otherwise, shall not exceed the lesser of (a) the fees paid by the Customer to Secruna in the 12 months preceding the event giving rise to the claim, or (b) €100,000. The cap may be raised by signed written amendment.

Neither party is liable for indirect, special, consequential or punitive damages, including lost profits, lost revenue or lost data, even if advised of the possibility. Nothing in this clause limits liability for death or personal injury caused by negligence, fraud, or any other liability that cannot be limited by law.

14. Indemnification

Each party shall indemnify and hold the other harmless from third-party claims arising from the indemnifying party’s breach of these Terms, gross negligence or wilful misconduct. Indemnification is subject to prompt written notice of the claim, control of defence by the indemnifying party, and reasonable cooperation by the indemnified party.

15. Governing law and jurisdiction

These Terms are governed by the laws of [TBD — typically the EU member state where Secruna is registered], excluding its conflict-of-laws principles and the UN Convention on Contracts for the International Sale of Goods. The parties submit to the exclusive jurisdiction of the courts of [TBD — pending counsel review].

16. Changes to these Terms

We may update these Terms from time to time. Material changes will be notified by email to the Customer’s designated contact at least 30 days before they take effect. Continued use of the Service after that date constitutes acceptance of the updated Terms. If the Customer objects to a material change, the Customer may terminate the affected subscription for cause without penalty during the notice window.

17. Miscellaneous

These Terms, together with the order form, the Privacy Policy, the DPA and the Subprocessors list, form the entire agreement between the parties on this subject and supersede any prior or contemporaneous agreements. If any provision is held unenforceable, the remainder remains in full force and effect. Neither party may assign these Terms without the other’s written consent, except to an affiliate or in connection with a merger or sale of substantially all assets.

18. Contact

Legal: legal@secruna.com.