Terms of Service
Product: Exceptao (compliance platform, Exceptions module and related modules)
Operator: METAMORFOZIS GLETSCHMANN SPÓŁKA JAWNA, ul. gen. Stanisława Maczka 9/14, 78-100 Kołobrzeg, Poland (KRS 0001193277, NIP 6711868606, REGON 542678656) — imprint
Effective date: DRAFT
1. Scope and acceptance
These Terms of Service ("Terms") govern access to and use of the Exceptao platform and all modules operated under it (collectively, "the Service"), including but not limited to the Exceptions module, the Risk Register module, the NIS2 Schools module, and associated APIs, under the brands Exceptao, paraKSCol, and CyberZgodność EDU.
By creating a tenant account, accepting an invitation to an existing tenant, clicking an "I agree" button, or accessing the Service in any way, you agree to be bound by these Terms on behalf of yourself and, where applicable, the legal entity you represent ("Customer" or "Tenant").
If you do not agree to these Terms in full, you must not use the Service.
These Terms form a legally binding contract. Please read them carefully before proceeding.
2. Definitions
| Term | Meaning |
|---|---|
| Operator | The legal entity that operates the Service; registered details published at /legal/imprint. |
| Tenant | A Customer organisation provisioned with a subdomain and account on the Service. |
| User | A natural person who holds an account within a Tenant. |
| Tenant Admin | A User granted the tenant_admin role within a Tenant. |
| Service Data | All data uploaded, generated, or processed within the Service by or on behalf of a Tenant, including exception records, incident reports, audit log entries, risk entries, and evidence files. |
| Module | A distinct product capability (Exceptions, Risk Register, NIS2 Schools, etc.) enabled via the Tenant's subscription. |
| Order Form | A written or electronic document specifying the subscription tier, modules, price, and term agreed between the Operator and the Tenant. |
| DPA | The Data Processing Agreement governing the Operator's processing of personal data on the Tenant's behalf, published at /legal/dpa. |
| AUP | The Acceptable Use Policy governing permitted and prohibited uses of the Service, published at /legal/aup. |
3. Service description
The Service is a multi-tenant, cloud-hosted governance, risk, and compliance (GRC) platform. Core capabilities include:
- Policy-exception lifecycle management with configurable, data-driven workflow
- Risk register and treatment-plan tracking
- NIS2 / KSC compliance operations (NIS2 Schools module), including 24h / 72h / 30d incident reporting cadence
- Tamper-evident audit log with SHA-256 hash chain, per-tenant, verifiable at GET /api/audit/verify
- Role-based access control (RBAC) with custom tenant-defined roles
- OIDC SSO, SAML 2.0 SSO, and WebAuthn passkey authentication
- Encrypted backups across two independent storage providers
- Audit-pack export for auditor and regulatory inspection use
The exact capabilities available to a Tenant depend on the Modules enabled in the Tenant's subscription as specified in the applicable Order Form.
The Operator may update, enhance, or modify the Service from time to time. The Operator will not remove material functionality on which a Tenant materially relies without providing at least 90 days' written notice.
4. Account registration and eligibility
4.1 Age and capacity. You must be at least 18 years old and legally capable of entering a binding agreement to create a Tenant account or accept these Terms on behalf of an organisation.
4.2 Organisational accounts. If you are accepting these Terms on behalf of a legal entity, you represent and warrant that you have authority to bind that entity.
4.3 Accurate information. You must provide accurate, current, and complete information at registration and must keep your registration information up to date.
4.4 Account security. You are responsible for maintaining the confidentiality of your login credentials. Notify the Operator promptly at security@exceptao.com if you suspect unauthorised access.
4.5 Refusal of access. The Operator reserves the right to refuse or revoke access at its reasonable discretion, providing written notice without undue delay.
5. Subscription, fees, and billing
5.1 Subscription tiers. Available tiers (currently: Starter, Professional, Enterprise) are described in the Order Form. The Operator will provide at least 30 days' notice of changes that materially reduce capability for existing subscribers.
5.2 Security features are not gated by tier. Mandatory MFA, full audit log, audit chain verification, basic audit reports, RBAC, encryption at rest and in transit, and at least one OIDC IdP configuration are available to all Tenants at no additional charge.
5.3 Fees and payment terms.
- (a) Fees are as set out in the Order Form.
- (b) Unless otherwise agreed, all fees are due annually in advance.
- (c) Invoices are issued in EUR.
- (d) Overdue invoices accrue interest at the statutory rate under Polish law from the due date.
- (e) Disputed charges must be raised in writing to legal@exceptao.com within 30 days of the invoice date.
5.4 Free trials. On expiry, the Service reverts to read-only mode. Service Data is retained for 30 days post-trial then deleted.
5.5 Fair-use caps. Sustained overage triggers a conversation about upgrading; the Operator will not automatically suspend access without at least 14 days' written notice.
5.6 Taxes. All fees are exclusive of VAT and other applicable taxes. The Tenant is responsible for all applicable taxes in its jurisdiction.
5.7 Price changes. Price changes will be communicated in writing at least 60 days before the renewal date.
6. Acceptable use
Use of the Service is governed by the AUP at /legal/aup, incorporated by reference. Key prohibitions include:
- Using the Service for any unlawful purpose
- Attempting to breach tenant isolation or circumvent Postgres Row-Level Security
- Conducting automated vulnerability scanning or penetration testing without prior written agreement
- Exfiltrating audit log data without a lawful basis
- Impersonating another Tenant, User, or the Operator
- Distributing malware via evidence uploads or other Service inputs
7. Tenant data and Service Data
7.1 Customer ownership. Service Data belongs to the Tenant. The Operator claims no ownership over Tenant data.
7.2 Licence to operate. The Tenant grants the Operator a limited, non-exclusive licence to process Service Data solely to operate and maintain the Service, provide support, comply with legal obligations, and enforce these Terms.
7.3 Aggregated analytics. The Operator may derive aggregated, anonymised statistics and use them for product improvement. Such statistics will not identify any individual Tenant or User.
7.4 Data export. Tenants may export Service Data at any time. On subscription termination, Service Data is retained for 30 days then permanently deleted. Extended retention may be agreed in writing.
7.5 Pseudonymisation of audit rows. Upon a verified right-to-erasure request under GDPR Art. 17, PII fields in audit log rows are replaced with stable pseudonymous tombstones (actor_tombstone_<uuid>). The audit hash chain is preserved. Legal basis: legitimate interest in audit integrity (GDPR Art. 6(1)(f)).
7.6 Tenant responsibility for content. The Tenant is solely responsible for the accuracy, legality, and appropriateness of all Service Data.
8. Data protection
8.1 Processing of personal data is governed by the DPA at /legal/dpa, incorporated into these Terms. In the event of conflict, the DPA prevails on data protection matters.
8.2 The Operator's privacy practices as data controller are described in the Privacy Policy at /legal/privacy.
8.3 The Tenant, as data controller, is responsible for ensuring it has a lawful basis for all personal data processed via the Service.
9. Security
9.1 The Operator implements the technical and organisational measures described in the Security Whitepaper at /legal/security, including Postgres Row-Level Security, tamper-evident audit logging, AES-equivalent encryption at rest, TLS 1.3 in transit, mandatory MFA, and encrypted backups across two independent providers.
9.2 The Operator will: (a) respond to disclosed vulnerabilities per severity SLAs in the Security Whitepaper; (b) notify the Tenant of any personal data breach within 72 hours; (c) cooperate with reasonable security review requests per DPA audit rights.
9.3 The Tenant is responsible for the security of its own Users' credentials and must enforce MFA for all Users.
10. Uptime and service levels
10.1 Starter and Professional. The Operator will use commercially reasonable efforts to maintain availability. No contractual SLA applies unless agreed in an Order Form.
10.2 Enterprise. The Operator uses commercially reasonable efforts to maximise availability; no specific uptime percentage is guaranteed unless a contractual SLA is separately agreed in the Order Form.
10.3 Maintenance. Scheduled maintenance will be announced at least 48 hours in advance where practicable. Emergency maintenance may be performed without prior notice where necessary to protect security or stability.
10.4 Exclusions. Downtime caused by factors outside the Operator's reasonable control is excluded from SLA calculations.
11. Intellectual property
11.1 The Operator and its licensors retain all IP rights in the Service. Nothing in these Terms transfers Operator IP rights to the Tenant.
11.2 The Tenant retains all IP rights in its Service Data.
11.3 Feedback. The Tenant grants the Operator a perpetual, irrevocable, royalty-free licence to use feedback to improve the Service.
11.4 Restrictions. The Tenant must not copy, modify, reverse-engineer, or sublicense any part of the Service.
12. Confidentiality
12.1 Each party agrees to keep the other's Confidential Information strictly confidential, not disclose it to third parties without prior written consent, and use it only for the purposes of these Terms.
12.2 Confidential Information means any non-public information designated as confidential or reasonably understood to be confidential given the circumstances of disclosure.
12.3 The confidentiality obligation does not apply to information that is publicly available, was rightfully known before disclosure, was independently developed, or is required to be disclosed by law.
12.4 The confidentiality obligation survives termination for 3 years, except for trade secrets which remain confidential indefinitely.
13. Warranties and disclaimers
13.1 Operator warranties. The Operator warrants that it has the right to provide the Service, will operate it in material compliance with the security commitments herein, and will process Tenant personal data only per the DPA.
13.2 Tenant warranties. The Tenant warrants it has authority to enter these Terms, has a lawful basis for all personal data uploaded, and will comply with all applicable laws.
13.3 Disclaimer. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, EXCEPT AS EXPRESSLY SET OUT IN THESE TERMS, THE OPERATOR PROVIDES THE SERVICE "AS IS" WITHOUT WARRANTY OF ANY KIND. THE OPERATOR DOES NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED, ERROR-FREE, OR FREE FROM SECURITY VULNERABILITIES.
14. Limitation of liability
14.1 Exclusion of indirect losses. To the maximum extent permitted by applicable law, neither party will be liable for any indirect, incidental, special, consequential, or punitive damages, or loss of profits, revenue, business, goodwill, or data.
14.2 Aggregate cap. The Operator's total aggregate liability in any 12-month period is limited to the total fees paid by the Tenant in that period.
14.3 Exceptions. Nothing in these Terms limits liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; (c) any liability that cannot be limited under applicable law; (d) wilful misconduct or gross negligence.
15. Indemnification
15.1 By the Tenant. The Tenant will indemnify the Operator against claims arising from the Tenant's or its Users' use of the Service in violation of these Terms or applicable law, or from Service Data uploaded.
15.2 By the Operator. The Operator will indemnify the Tenant against third-party claims that the Service, as provided and used in accordance with these Terms, infringes a third party's IP rights in the EU or Poland.
16. Term and termination
16.1 Term. Unless otherwise specified, subscriptions renew automatically for successive annual periods unless either party gives written notice of non-renewal at least 60 days before the end of the current period.
16.2 Termination for convenience. The Tenant may terminate by written notice to legal@exceptao.com. No refunds are issued for the unused portion of a prepaid period.
16.3 Termination for cause. Either party may terminate immediately if the other materially breaches these Terms and fails to remedy the breach within 30 days of written notice, or becomes insolvent.
16.4 Suspension. The Operator may suspend access for security, legal, or regulatory reasons, with notification without undue delay.
16.5 Effect of termination. Licences cease, access ends, Service Data is retained for 30 days then deleted, and surviving provisions remain in force.
17. Governing law and dispute resolution
17.1 Governing law. These Terms are governed by the laws of Poland, including the Polish Civil Code and applicable EU regulations.
17.2 Jurisdiction. Disputes shall be subject to the exclusive jurisdiction of the courts of [TO BE COMPLETED: specify city — Warsaw recommended], Poland.
17.3 Language. The English version governs for Exceptao-brand Tenants. The Polish version governs for paraKSCol and CyberZgodność EDU-brand Tenants.
18. Changes to these Terms
Material changes will be notified to Tenant Admins by email at least 30 days before taking effect, with a notice displayed in the Service dashboard. Continued use of the Service after the effective date constitutes acceptance.
19. Miscellaneous
19.1 Entire agreement. These Terms, together with any Order Form, the DPA, the AUP, and the Privacy Policy, constitute the entire agreement regarding the Service.
19.2 Severability. If any provision is found invalid, it shall be modified to the minimum extent necessary to make it enforceable.
19.3 No waiver. Failure to enforce any right at any time does not constitute a waiver.
19.4 Assignment. The Tenant may not assign its rights without the Operator's prior written consent.
19.5 Force majeure. Neither party will be in breach to the extent that performance is prevented by causes beyond its reasonable control.
19.6 Notices. Notices must be in writing delivered by email with confirmation. Notices to the Operator must be copied to legal@exceptao.com.
19.7 Relationship. The parties are independent contractors.
19.8 Third-party rights. These Terms do not confer any rights on any third party.
20. Contact
| Purpose | Contact |
|---|---|
| General enquiries | hello@exceptao.com |
| Legal / DPA / contract | legal@exceptao.com |
| Security disclosures | security@exceptao.com |
| Privacy / GDPR | privacy@exceptao.com |
| Billing | billing@exceptao.com |
| Polish public sector | kontakt@cyberzgodnosc.edu.pl / kontakt@parakscol.pl |