Dataspike provides technology solutions designed to assist customers with identity verification (KYC), anti-money laundering checks (AML), sanctions screening, document verification, risk scoring, and related compliance functions. Dataspike provides technical tools only and does not act as a bank, financial institution, legal advisor, or regulatory authority. All compliance determinations and regulatory decisions remain solely the responsibility of the Customer.

The Customer represents and warrants that it:

• uses the Service strictly in accordance with applicable laws and regulations;
• has obtained all necessary rights, consents, and legal grounds to submit personal data to the Service;
• is solely responsible for its regulatory compliance obligations;
• will not use the Service for unlawful, fraudulent, or abusive purposes.

The Customer acknowledges that the Service does not guarantee compliance with any specific regulatory framework.

To the extent Dataspike processes personal data on behalf of the Customer, such processing shall be governed by the Data Processing Agreement ("DPA"), which forms an integral part of this Agreement and is available at dataspike.io/data-processing-agreement. By accessing or using the Service, the Customer agrees to the terms of the DPA. Where an enterprise Customer requires a separately executed DPA, the parties may enter into such agreement in writing, which shall supersede the standard DPA. Each party shall comply with its respective obligations under applicable data protection laws, including the EU GDPR and UK GDPR where applicable. Use of the Site is also subject to Dataspike's Cookie Policy, available at dataspike.io/cookie-policy.

Dataspike implements appropriate technical and organisational measures designed to protect the confidentiality, integrity, and availability of data processed through the Service, including access controls, continuous monitoring mechanisms, encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256), mandatory multi-factor authentication (2FA) for account access, and processing integrity controls to ensure that data is processed completely, accurately, and in a timely manner in accordance with Customer instructions. Dataspike maintains compliance with ISO/IEC 27001 and SOC 2 Type 2. Relevant certifications and audit reports may be made available to Customers upon request and subject to a confidentiality agreement. Dataspike maintains a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP), reviewed and tested at least annually, to ensure the continued availability of the Service in the event of a significant disruption. The Customer is responsible for maintaining the security of its credentials, managing user access within its organisation, and promptly notifying Dataspike of any suspected unauthorised access or security incident. Dataspike shall not be liable for losses resulting from the Customer's failure to maintain appropriate account security.

Dataspike may engage subprocessors, including cloud infrastructure, content delivery, and data analysis providers, to support the provision of the Service. Dataspike shall ensure that such subprocessors are bound by confidentiality and data protection obligations consistent with applicable law. A current list of subprocessors is available at dataspike.io/subprocessor-policy. Dataspike shall provide at least thirty (30) days' advance written notice to Customers of any intended addition or replacement of a subprocessor, and Customers may object to such changes in accordance with the DPA.

The Service is provided on a prepaid (pay-as-you-go) or otherwise contractually agreed basis.

6.1 Pay-As-You-Go (Prepaid)

Customers may access the Service by prepaying a balance via credit or debit card through Dataspike's designated payment provider. The balance is deducted automatically as the Service is used, based on applicable per-transaction or per-verification rates published on the Dataspike website or dashboard. A minimum top-up amount may apply, as specified in the dashboard at the time of payment. If the Customer's prepaid balance reaches zero, access to the Service will be automatically suspended until the balance is replenished. Dataspike shall not be liable for any interruption to the Customer's operations resulting from insufficient balance. Prepaid balances are non-refundable, do not constitute real currency, are not redeemable for cash, and may expire upon termination of the Agreement.

6.2 Enterprise and Contractual Billing

Enterprise Customers operating under a separate agreement may be invoiced on a periodic basis as agreed in writing. All fees are payable in advance unless otherwise agreed. In the event of a disputed invoice, the Customer shall notify Dataspike in writing within fourteen (14) days of receipt, and the parties shall seek to resolve the dispute in good faith. Undisputed amounts remain payable by the due date.

6.3 General

All fees are exclusive of applicable taxes, including VAT. Where VAT or similar taxes apply, they shall be added to the invoice or checkout total and payable by the Customer in addition to the stated fees. Dataspike reserves the right to amend pricing upon reasonable prior written notice of at least thirty (30) days.

Dataspike provides service availability and support in accordance with the Dataspike Standard SaaS Support and Service Level Agreement ("SLA"), which is incorporated into this Agreement by reference and available upon request. Key commitments under the standard SLA include:

• Core products (Dashboard, DocVer API, AML API, Verification Widget): targeted monthly availability of 99.9%, measured per calendar month and excluding planned maintenance windows.
• Other products (experimental features and non-core services): targeted availability of 99.5% on a best-effort basis.
• Support hours: 07:00–20:00 UTC+3, Monday to Friday, via email.
• Critical issues (Level 3): initial response within 2 hours during support hours.

Planned maintenance shall be communicated in advance where reasonably practicable. Availability is not guaranteed during events outside Dataspike's reasonable control, including widespread infrastructure outages or force majeure events. Enterprise Customers may negotiate a separate SLA with customised uptime commitments, response times, and remedies. Such a separately executed SLA shall supersede the standard SLA to the extent of any conflict.

The Customer may, no more than once per calendar year and upon reasonable written notice of at least thirty (30) days, request:

• copies of Dataspike's current security certifications (including ISO 27001, SOC 2 Type 2); or
• completion of a reasonable security questionnaire.

Where a Customer requires an on-site audit or third-party audit, the parties shall agree the scope, timing, and cost in advance. Any audit shall be conducted with reasonable notice and shall not unreasonably disrupt Dataspike's operations.

All intellectual property rights in and to the Service, including software, models, databases, algorithms, documentation, and related materials, remain the exclusive property of Dataspike and its licensors. No ownership rights are transferred under this Agreement.

Each party shall maintain the confidentiality of non-public information disclosed in connection with the Service and shall not disclose such information except as required by law or regulatory authority. This obligation survives termination.

The Customer represents and warrants that neither the Customer nor its affiliates, officers, directors, beneficial owners, or controlling persons are subject to sanctions administered by the European Union, United States (including OFAC), United Kingdom, or any other applicable sanctions authority. The Customer shall not use the Service in connection with any sanctioned jurisdiction, individual, or entity in violation of applicable sanctions or export control laws. Dataspike reserves the right to suspend or terminate access where required to comply with sanctions or export control obligations.

Dataspike may disclose information relating to the Customer or use of the Service where required by applicable law, court order, or regulatory authority. Where legally permitted, Dataspike shall provide prior notice of such disclosure.

The Customer shall not misuse the Service, including by attempting to reverse engineer, bypass technical safeguards, overload infrastructure, or access the Service in a manner that compromises system integrity. Dataspike reserves the right to implement technical limitations, including rate limiting and access controls, to maintain service stability and security.

The Service is provided on an "as is" and "as available" basis. Dataspike does not warrant that the Service will be uninterrupted, error-free, or free from vulnerabilities, or that verification results will be complete, accurate, or legally sufficient for any specific compliance purpose. To the extent permitted by applicable law, Dataspike disclaims implied warranties of merchantability and fitness for a particular purpose. Dataspike does not exclude or limit any liability that cannot be excluded or limited under applicable law.

To the maximum extent permitted by law, Dataspike's total aggregate liability arising out of or in connection with this Agreement shall not exceed the total fees paid by the Customer to Dataspike during the twelve (12) months preceding the event giving rise to the claim. Under no circumstances shall Dataspike be liable for indirect, incidental, consequential, special, punitive, or exemplary damages, including loss of profits, revenue, data, goodwill, or business interruption. Nothing in this Agreement shall exclude liability that cannot be excluded under applicable law.

The Customer shall indemnify and hold harmless Dataspike from and against any claims, losses, liabilities, fines, penalties, or expenses arising from unlawful use of the Service, violation of applicable law, breach of this Agreement, or unlawful processing of personal data submitted by the Customer.

Dataspike may suspend or terminate access to the Service in the event of material breach, non-payment, legal requirement, security risk, or regulatory obligation. Upon termination, access shall cease immediately. Outstanding payment obligations remain payable.

Neither party shall be liable for failure or delay in performance caused by events beyond its reasonable control, including acts of government, war, terrorism, natural disasters, infrastructure failure, or internet disruption.

The Customer may not assign this Agreement without prior written consent. Dataspike may assign this Agreement in connection with a merger, acquisition, or corporate restructuring.

Provisions relating to confidentiality, intellectual property, limitation of liability, indemnification, governing law, and any other provisions that by their nature should survive termination shall survive termination of this Agreement.

This Agreement shall be governed by and construed in accordance with the laws of the Republic of Cyprus. Any dispute shall be subject to the exclusive jurisdiction of the courts of Cyprus.

Dataspike may update these Terms from time to time. Updated versions become effective upon publication. Where changes are material, Dataspike shall provide reasonable advance notice to active Customers. Continued use of the Service following the effective date constitutes acceptance of the updated Terms.