End User Agreement

“Authorized Users” means Client's employees, agents, and contractors authorized to access the Platform under this Agreement, up to the number specified in the Subscription Order.

“Client Data” means all data, information, and materials uploaded to, processed by, or generated through the Platform by or on behalf of Client, including but not limited to AI system inventories, security configurations, policy documents, organizational data, and assessment inputs.

“Documentation” means the user guides, help files, API documentation, and technical specifications made available by DeepLayer in connection with the Platform.

“Output” means any reports, scores, dashboards, visualizations, assessments, or other results generated by the Platform based on Client Data, including AI Corporate Scan reports, maturity scores, and benchmark comparisons.

“Platform” means the DeepLayer software-as-a-service platform, including but not limited to: (a) the AI Corporate Scan assessment and scoring engine; (b) the DeepLayer AI Maturity Index dashboard; (c) the client portal accessible via DeepLayer.cloud; (d) automated security posture scanning tools; (e) governance policy template libraries; (f) regulatory compliance tracking modules; and (g) such additional tools and features as DeepLayer may make available from time to time.

“Subscription Order” means a document executed by both parties (or an online subscription process completed by Client) specifying the Platform tier, number of Authorized Users, subscription term, and applicable fees.

“Subscription Term” means the period during which Client has the right to access the Platform, as specified in the Subscription Order.

2.1 Grant. Subject to Client's compliance with this Agreement and timely payment of fees, DeepLayer grants Client during the Subscription Term a non-exclusive, non-transferable, non-sublicensable, limited right to: (a) access and use the Platform solely for Client's internal business purposes; (b) permit Authorized Users to access the Platform using assigned credentials; (c) upload Client Data to the Platform; and (d) generate, view, download, and use Output for Client's internal purposes. All rights not expressly granted are reserved by DeepLayer.

2.2 Account Security. Client is responsible for maintaining the confidentiality of all account credentials and for all activity occurring under Client's accounts. Client shall: (a) ensure each Authorized User has a unique login; (b) not share or transfer credentials between individuals; (c) notify DeepLayer immediately of any unauthorized access; and (d) not permit access by any person who is not an Authorized User.

2.3 Platform Tiers. The specific features, tools, and functionality available to Client depend on the Platform tier specified in the Subscription Order. DeepLayer may offer different tiers (e.g., Essentials, Professional, Enterprise) with varying levels of access, storage, user limits, and assessment capabilities. The applicable tier and its inclusions are set forth in the Subscription Order.

3.1 Prohibited Conduct. Client shall not, and shall ensure that Authorized Users do not: (a) reverse engineer, decompile, disassemble, or attempt to derive the source code of the Platform; (b) copy, modify, adapt, or create derivative works of the Platform or any component thereof; (c) sublicense, distribute, rent, lease, sell, or otherwise make the Platform available to third parties; (d) use the Platform to provide services to third parties (including as a service bureau, outsourcing, or managed service offering); (e) remove, alter, or obscure any proprietary notices on the Platform; (f) send or store material containing viruses, worms, Trojan horses, or other malicious code; (g) interfere with or disrupt the integrity or performance of the Platform or attempt to gain unauthorized access to related systems or networks; or (h) access the Platform for competitive analysis, benchmarking, or to build a competing product or service.

3.2 AI-Specific Restrictions. Client shall not: (a) deliberately manipulate, falsify, or fabricate assessment inputs to artificially influence scoring outcomes or maturity ratings; (b) use AI-generated or synthetic data as assessment inputs without prior written disclosure to DeepLayer; (c) attempt to reverse-engineer the scoring algorithms, weightings, or methodology underlying the DeepLayer AI Maturity Index; (d) systematically extract or scrape data from the Platform for purposes of replicating its functionality; or (e) use Output to make public claims about Client's AI maturity or compliance status in a manner that implies DeepLayer certification or endorsement, unless expressly authorized in writing.

3.3 Acceptable Use. Client shall use the Platform in compliance with all applicable laws and regulations and in accordance with the Acceptable Use Policy set forth in Appendix A. DeepLayer reserves the right to suspend access upon reasonable belief that Client is in violation of this Section 3.

4.1 Technical Requirements. Client is responsible for providing all equipment, software, and internet connectivity necessary to access the Platform. DeepLayer shall specify minimum browser and system requirements in the Documentation.

4.2 Data Accuracy. Client is solely responsible for the accuracy, completeness, legality, and appropriateness of all Client Data. The quality of Output is directly dependent on the quality of Client Data provided. DeepLayer shall not be liable for any inaccuracy in Output resulting from incomplete, inaccurate, or outdated Client Data.

4.3 Compliance with Laws. Client shall comply with all applicable laws, including data protection laws, in connection with its use of the Platform. Client shall not upload personal data to the Platform except as permitted under applicable data protection laws and in accordance with Section 8 of this Agreement.

4.4 Third-Party Integrations. To the extent the Platform integrates with or accesses third-party services (e.g., cloud providers, identity management systems, security tools), Client is responsible for obtaining all required licenses, consents, and authorizations for such access.

5.1 Availability Target. DeepLayer shall use commercially reasonable efforts to make the Platform available at least 99.5% of the time during each calendar month, excluding scheduled maintenance and force majeure events. Specific availability commitments and service credits, if any, are set forth in the Service Level Agreement attached as Appendix B.

5.2 Maintenance. DeepLayer reserves the right to perform scheduled maintenance outside business hours (Monday–Friday, 08:00–18:00 CET). DeepLayer will provide at least 48 hours' notice for planned maintenance, except in emergencies.

5.3 Support. DeepLayer shall provide technical support in accordance with the support level specified in the Subscription Order. Standard support includes email-based assistance during business hours. Enhanced support tiers may include priority response times, dedicated support contacts, and extended hours.

5.4 Updates. DeepLayer may update, enhance, or modify the Platform from time to time. DeepLayer shall use reasonable efforts to ensure backward compatibility and will provide reasonable notice of material changes to functionality. DeepLayer reserves the right to discontinue features with 90 days' notice.

6.1 Subscription Fees. Client shall pay the subscription fees specified in the Subscription Order. Fees are non-refundable except as expressly provided in this Agreement. All fees are exclusive of VAT and other applicable taxes.

6.2 Payment. Fees shall be invoiced annually in advance unless otherwise specified. All invoices are due within thirty (30) days of the invoice date. Late payments shall accrue interest at 1.5% per month or the maximum rate permitted by applicable law, whichever is lower.

6.3 Suspension for Non-Payment. If any invoice remains unpaid for more than fifteen (15) days after the due date, DeepLayer may suspend Client's access to the Platform upon written notice. Suspension does not relieve Client of its payment obligations.

6.4 Fee Adjustments. DeepLayer may adjust subscription fees upon renewal by providing at least sixty (60) days' written notice prior to the start of the renewal term.

7.1 DeepLayer IP. DeepLayer and its licensors retain all right, title, and interest in and to the Platform, the DeepLayer AI Maturity Index, all scoring algorithms and methodologies, the Documentation, and all modifications, enhancements, and derivative works thereof, including all intellectual property rights therein. No license or right is granted except as expressly set forth in this Agreement.

7.2 Client Data. Client retains all right, title, and interest in and to Client Data. Client grants DeepLayer a non-exclusive, worldwide license to host, process, transmit, and display Client Data solely as necessary to provide and improve the Platform.

7.3 Output. Client may use Output for its internal business purposes, including sharing with its board of directors, senior management, auditors, legal advisors, and regulators under appropriate confidentiality obligations. Client acknowledges that the methodologies, scoring models, and analytical frameworks embedded in Output remain DeepLayer IP.

7.4 Aggregated Data. DeepLayer may compile anonymized and aggregated data derived from Client Data and usage patterns (“Aggregated Data”) for benchmarking, product development, and research purposes, provided such data does not identify Client or any individual. DeepLayer owns all Aggregated Data.

7.5 Feedback. Any suggestions, ideas, or feedback provided by Client regarding the Platform (“Feedback”) may be freely used by DeepLayer without obligation to Client.

8.1 GDPR Compliance. To the extent DeepLayer processes personal data on behalf of Client through the Platform, DeepLayer shall act as a processor under Article 4(8) GDPR and comply with Articles 28 and 32 GDPR. The Data Processing Addendum (Appendix C) forms an integral part of this Agreement.

8.2 Security. DeepLayer shall implement and maintain appropriate technical and organizational security measures, including: encryption of data in transit (TLS 1.2+) and at rest (AES-256); role-based access controls; regular penetration testing and vulnerability assessments; SOC 2 Type II certification (or equivalent) within 18 months of Platform launch; and documented incident response procedures.

8.3 Data Location. Client Data shall be stored and processed within the European Economic Area unless the Subscription Order specifies otherwise. Any transfer outside the EEA shall comply with Chapter V GDPR.

8.4 Data Retention and Portability. Upon termination or expiration, Client may export Client Data and Output through the Platform for thirty (30) days following the effective date. After such period, DeepLayer shall delete all Client Data within thirty (30) days, except where retention is required by law. DeepLayer shall certify deletion upon request.

8.5 Sub-processors. DeepLayer may engage sub-processors to provide infrastructure and hosting services. A current list of sub-processors is maintained at DeepLayer.cloud/legal/sub-processors. DeepLayer shall notify Client of any new sub-processor at least thirty (30) days in advance.

9.1 Nature of AI Output. Client acknowledges that portions of the Platform utilize artificial intelligence and machine learning technologies. Output generated by such tools: (a) may contain inaccuracies, omissions, or biases inherent in AI models; (b) represents algorithmic assessments based on available data, not guarantees of accuracy or completeness; (c) is not a substitute for professional judgment, and Client should independently verify critical findings before acting upon them; and (d) reflects conditions at the time of generation and may become outdated as circumstances change.

9.2 No Certification or Endorsement. Use of the Platform and receipt of Output does not constitute certification, accreditation, or endorsement by DeepLayer of Client's AI governance, security posture, or regulatory compliance status.

9.3 Human Oversight. Client agrees that Output should be reviewed by appropriately qualified personnel before being used as the basis for material business, compliance, or security decisions. DeepLayer shall not be liable for decisions made by Client based solely on automated Output without human review.

9.4 Model Improvements. DeepLayer may update the AI models, scoring algorithms, and analytical methodologies underlying the Platform to improve accuracy and functionality. Such updates may cause Output to differ from prior assessments even if Client Data has not changed. DeepLayer shall document material methodology changes in release notes.

10.1 Mutual Obligations. Each party shall hold in confidence all non-public information disclosed by the other party that is designated as confidential or reasonably should be understood to be confidential (“Confidential Information”). The Receiving Party shall use such information solely for the purposes of this Agreement and protect it with no less than reasonable care.

10.2 Scope. DeepLayer's Confidential Information includes the Platform (including source code, algorithms, and architecture), pricing, and business plans. Client's Confidential Information includes Client Data and Output.

10.3 Exceptions. Standard exceptions apply: publicly available information, prior knowledge, independent development, and lawful third-party receipt. Disclosures required by law or regulation are permitted with prompt notice.

10.4 Duration. Obligations survive termination for five (5) years; trade secret obligations continue indefinitely.

11.1 DeepLayer Warranties. DeepLayer warrants that: (a) the Platform will substantially conform to the Documentation during the Subscription Term; (b) DeepLayer will not knowingly introduce malicious code into the Platform; and (c) DeepLayer has authority to enter into this Agreement and grant the rights herein.

11.2 Disclaimer. EXCEPT AS SET FORTH IN SECTION 11.1, THE PLATFORM AND ALL OUTPUT ARE PROVIDED “AS IS.” DEEPLAYER DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. DEEPLAYER DOES NOT WARRANT THAT THE PLATFORM WILL BE ERROR-FREE, UNINTERRUPTED, OR THAT ALL OUTPUT WILL BE ACCURATE OR COMPLETE.

12.1 By DeepLayer. DeepLayer shall defend and indemnify Client against third-party claims alleging that Client's authorized use of the Platform infringes such third party's intellectual property rights, subject to Client providing prompt notice and reasonable cooperation.

12.2 By Client. Client shall defend and indemnify DeepLayer against third-party claims arising from: (a) Client Data; (b) Client's use of the Platform in violation of this Agreement or applicable law; or (c) Client's breach of this Agreement.

13.1 Exclusion. NEITHER PARTY SHALL BE LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES, INCLUDING LOSS OF PROFITS, DATA, OR BUSINESS OPPORTUNITIES.

13.2 Cap. EACH PARTY'S TOTAL AGGREGATE LIABILITY SHALL NOT EXCEED THE FEES PAID OR PAYABLE BY CLIENT DURING THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM.

13.3 Exceptions. These limitations do not apply to: (a) indemnification obligations; (b) breach of confidentiality; (c) Client's payment obligations; or (d) willful misconduct or gross negligence.

14.1 Subscription Term. The initial Subscription Term is specified in the Subscription Order. Unless either party provides written notice of non-renewal at least sixty (60) days before the end of the then-current term, the Subscription Term shall automatically renew for successive periods of equal length.

14.2 Termination for Cause. Either party may terminate upon material breach with thirty (30) days' written notice and opportunity to cure, or immediately upon insolvency of the other party.

14.3 Effect. Upon termination: (a) Client's access to the Platform ceases; (b) Client may export data per Section 8.4; (c) each party returns or destroys Confidential Information; and (d) Sections 7, 8.4, 9, 10, 11.2, 12, 13, and 15 survive.

15.1 Governing Law. This Agreement is governed by the laws of the Netherlands. Disputes shall be submitted exclusively to the competent courts of Amsterdam. The UN Convention on Contracts for the International Sale of Goods is excluded. If the Subscription Order specifies “US Law Elected,” the Agreement is instead governed by Delaware law with exclusive jurisdiction in Wilmington, Delaware.

15.2 Amendment. DeepLayer may update this Agreement by posting a revised version at DeepLayer.cloud/legal/eua and providing thirty (30) days' notice. Continued use after the notice period constitutes acceptance. For Enterprise tier clients, material amendments require written consent.

15.3 Assignment. Neither party may assign without prior written consent, except DeepLayer may assign to an affiliate or successor in a merger or acquisition.

15.4 Force Majeure. Neither party is liable for delays caused by events beyond reasonable control. Payment obligations are excluded.

15.5 Severability. Invalid provisions shall not affect the remaining Agreement.

15.6 Entire Agreement. This Agreement, together with Subscription Orders and Appendices, constitutes the entire agreement regarding use of the Platform. For advisory and consulting services, a separate Terms of Service agreement applies.

15.7 Notices. DeepLayer may provide notices via email or Platform notification. Client notices shall be sent to legal@deeplayer.cloud or by registered mail.

15.8 Marketing. DeepLayer may reference Client as a user of the Platform in marketing materials unless Client opts out in writing.