Terms of Service

Last Updated: November 17, 2025

Agreement to Terms

These Terms of Service ("Terms") constitute a legally binding agreement between you (whether as an individual, company, or legal entity) and Authect FZCO ("we," "our," or "us") regarding your use of our services and website at authect.com.

Authect FZCO is registered as Trade License 70505 under the International Free Zone Authority (IFZA), Dubai. Our registered office is at Building A1, Dubai Digital Park, Dubai Silicon Oasis, Dubai, UAE. Director: Pranas Mickevicius. Contact: +971 50 246 5223, info@authect.com.

By accessing our website or services, you acknowledge that you have read, understood, and agree to these Terms and our Privacy Policy. If you do not agree, you must cease using our services immediately.

Data Controller & Processor Roles

When We Are Data Controller

We control data for our own purposes: website analytics, sales/marketing, client relationship management, billing, and business operations. You have data subject rights directly against us per our Privacy Policy.

When We Are Data Processor

When you determine purposes/means of processing, we act as your processor (development, CRM, marketing campaigns, AI chatbots, cloud hosting, data migration).

**Our Processor Obligations (GDPR Art. 28):**

  • Process only per your documented written instructions
  • Ensure personnel confidentiality
  • Implement appropriate security measures
  • Engage sub-processors only with your authorization
  • Assist with data subject rights requests
  • Assist with security, breach notification, and DPIAs
  • Delete or return data after services end
  • Allow audits and provide compliance info

**Your Controller Obligations:**

  • Ensure lawful basis for processing
  • Provide clear written processing instructions
  • Respond to data subject rights (we'll assist)
  • Conduct DPIAs where required
  • Maintain Article 30 records
  • Notify authorities of breaches (we'll notify you within 24 hrs)

**Joint Controllers:** If we jointly determine purposes/means, we'll enter an agreement defining respective responsibilities, breach notification, and data subject rights handling.

Services

We offer technology services including AI & Automation, Application Development, Website Development, Blockchain & Cryptocurrency, Business Automation, Digital Marketing, Cybersecurity, Digital Legal Solutions, Cloud Infrastructure, Digital Transformation Consulting, and Enterprise Workspace (self-hosted secure messaging).

When we process your end-user data in providing these services, we typically act as processor and you remain the controller responsible for GDPR/UAE law compliance. For marketing services involving your customer lists, you must ensure lawful basis for communications.

Sub-Processors

When acting as processor, we may use sub-processors with your authorization (specific or general). General authorization includes 30-day advance notice of changes with your right to object.

**Current Sub-Processors:** AWS, Google Cloud, Microsoft Azure (hosting), SendGrid, Mailgun (email), Cloudflare (CDN), Stripe, PayPal (payments), Google Analytics (when deployed for you).

Sub-processors are bound to equivalent obligations. We remain fully liable for their performance (GDPR Art. 28(4)). If you object to a new sub-processor and we can't resolve concerns, you may terminate affected services without penalty. Sub-processor list available at privacy@authect.com.

Client Responsibilities

**Information & Access:** Provide accurate, timely information. Grant necessary system access. Respond to feedback requests within agreed timelines. Designate authorized decision-makers.

**Content & Materials:** Provide required content in agreed formats. Ensure you own rights or have licenses. Review and approve deliverables on time. Notify us immediately of errors.

**Data Protection (When You Are Controller):**

  • Ensure lawful basis for all processing
  • Provide clear written processing instructions (purposes, legal basis, data categories, retention, location, security requirements, sub-processor authorization)
  • Conduct DPIAs where required
  • Inform data subjects of our involvement
  • Ensure you have authority to share data with us

**Compliance & Legal:** Comply with all applicable laws. Obtain necessary licenses/permits. Follow platform policies (Google, Facebook, etc.). Ensure legal basis for marketing to your customers. Indemnify us against claims from your content/practices.

**Payment & Communication:** Pay within agreed terms (typically 14-30 days). Maintain valid payment info. Cover third-party service costs when specified. Respond to communications within 2 business days. Participate in meetings and provide clear feedback.

Data Subject Rights & Audit Support

Data Subject Rights Assistance (GDPR Art. 28(3)(e))

When you receive a data subject rights request, forward it to dpo@authect.com with the subject "DSR Assistance Required." We'll assist within 5 business days with:

  • Technical help locating and extracting data
  • Exports in CSV, JSON, or XML
  • Confirmation of rectification/erasure
  • Documentation for your response

Included: Up to 5 requests/year of standard complexity. Fees apply for excessive/complex requests. We can't assist with legal determinations, data subject communications, or identity verification - those remain your responsibility as controller.

If we receive a direct request for data we process on your behalf, we'll notify you within 48 hours and redirect them to you.

Audit Rights (GDPR Art. 28(3)(h))

You may audit our processing annually at no charge, or more frequently for breaches, compliance requirements, or authority requests. 30-day advance notice required. We'll cooperate fully, provide access to personnel/systems/docs, and remediate findings.

Alternative to audit: We may provide SOC 2 reports, ISO 27001 certification, or security assessments. If these adequately address your needs, you may accept them in lieu of audit.

Supervisory authorities may audit us regarding your data - we'll cooperate and notify you.

Breach Notification

**When We Are Processor:** We notify you within 24 hours of discovering a breach affecting data we process for you, providing all info for your notification obligations. We implement immediate containment/remediation and cooperate fully with your response.

**When We Are Controller:** UAE: TDRA notification within 72 hours if required. EU: Supervisory authority within 72 hours (Art. 33). Affected individuals without undue delay if high risk (Art. 34).

**Breach Notifications Include:** Nature, affected data subjects/records, likely consequences, measures taken, contact point (dpo@authect.com), recommended actions, timeline.

**Your Obligations (as Controller):** Assess if authority notification required, notify within 72 hours if needed, notify affected individuals if high risk, document decisions, maintain records. We provide all necessary assistance.

Data Return & Deletion

Upon Termination (GDPR Art. 28(3)(g)):

We delete or return all personal data per your choice, unless law requires retention. Return formats: Original, CSV/JSON/XML, database dumps, API access, or encrypted media. Process: You specify format/method 30 days before termination → we prepare and deliver → you confirm → we delete.

**Deletion:** Production systems: 30 days. Backups: 90 days. Methods: DoD 5220.22-M (3-pass minimum), certified destruction of physical media. Certification provided upon request. Sub-processors also delete per same standards/timeline.

**Legal Retention Exceptions:** 7-year UAE tax records or other legal requirements. We'll inform you of retention requirement/basis, limit to minimum necessary, secure and restrict processing, delete once requirement ends.

**Costs:** Standard return in common formats: Included. Custom formats/expedited/multiple copies: Reasonable fees may apply. Deletion certification: No charge.

Payment Terms

**Pricing:** Quoted in USD or AED per your agreement. Custom quotes based on scope/complexity. Invoices per agreed schedule, delivered via email (PDF). Late payment interest: 1.5%/month or UAE maximum, whichever is less.

**Methods:** Bank transfer (preferred), credit/debit cards (Visa/MC/Amex), PayPal (international), cryptocurrency (case-by-case).

**Schedule:**

  • One-time projects: 50% upfront, 50% on completion
  • Monthly: First day of month in advance
  • Large projects: Milestone-based
  • Retainers: Monthly in advance
  • Hourly: Bi-weekly or monthly

**Refunds:** Deposits non-refundable except if we cancel. Completed/in-progress work non-refundable. Requests within 14 days. Processing: 14-30 business days.

**Late Payments:** Grace: 5 business days. Late fee: 50 AED or 1.5% (whichever is greater). Suspension: 15 days overdue. Collections: 30 days overdue (you pay collection costs).

Intellectual Property

**You Own (upon full payment):** Final deliverables, custom code, content/copy, design files, custom configurations created specifically for you.

**We Own:** Pre-existing code/templates/frameworks, methodologies/processes, general knowledge/skills, reusable components, internal tools.

**Third-Party:** Open source (MIT/GPL/Apache), third-party APIs/services, stock assets - all subject to their licenses. You maintain necessary licenses post-project.

**License:** We grant you perpetual, worldwide license to use deliverables for intended purpose, including modification/maintenance. No resale/redistribution of our frameworks/methodologies.

**Portfolio:** We may showcase your project (screenshots/descriptions). Name/logo use subject to your approval. Removal upon request.

Confidentiality

**Confidential:** Business plans/strategies/financials, customer data/databases, proprietary code/algorithms, trade secrets, marketing plans, anything marked "Confidential."

**Our Obligations:** Maintain strict confidentiality, use only for service delivery, implement security measures, limit access to need-to-know personnel.

**Exceptions:** Publicly available (not through our breach), already possessed, independently developed, required by law (we'll notify when permitted), explicitly authorized in writing.

**Data Protection:** Per our Privacy Policy. GDPR compliance for EU clients. UAE Federal Law No. 45/2021 compliance. DPAs available upon request. SCCs for international transfers.

**Breach Notification:** Within 24 hours (if processor - so you can meet 72hr obligation). Within 72 hours (if controller).

Warranties & Liability

**Our Warranties:** Professional workmanlike service, necessary skills/qualifications, substantial conformance to specs, non-infringement, legal compliance. Warranty: 30 days from delivery (covers workmanship defects, not new features or third-party modifications).

**Your Warranties:** Authority to enter agreement, content doesn't infringe rights, have necessary licenses, accurate info, legal compliance, lawful basis for data shared (when we're processor).

**Disclaimer:** Services "as is." No implied warranties of merchantability/fitness. No guarantee of specific results (traffic, rankings, ROI, etc.).

**Liability Cap:** Under 10,000 AED: fees paid for specific service. Over 10,000 AED: lesser of fees paid in 12 months or 50,000 AED.

**Excluded Damages:** Indirect, incidental, consequential damages. Loss of profits/revenue/opportunities/savings/data (except gross negligence)/goodwill. Costs of substitute services. Damages from your misuse or third-party services.

**Exceptions:** Gross negligence, fraud, death/injury, violations unlimitable under UAE law, confidentiality breach (capped at 2x contract value).

**Indemnification:** You indemnify us for claims from your content/materials, law violations, deliverable misuse, customer claims, breaches, data protection violations. Includes attorney fees.

**Claims:** Must be brought within 1 year. Written notice required.

Term & Termination

**Duration:** One-time: Until completion. Monthly: Month-to-month. Annual: 12 months, auto-renewal (30 days notice to cancel). Retainers: Per agreement.

**Termination:** Client: 7 days (one-time), 30 days (monthly), early fee may apply (annual - typically 25% remaining value). Us: Immediate for non-payment (30+ days overdue), breach, illegal use, abuse, false info, material breach of controller obligations.

**Upon Termination:** Services cease, final invoice for completed work, deliverables for paid work, system access revoked, data returned/deleted per "Data Return & Deletion" section. No refund of prepaid fees unless agreed.

**Transition:** 30 days reasonable assistance (billed at standard rate unless included). We provide docs/credentials and cooperate with new provider.

**Survival:** Payment obligations, IP rights, confidentiality, data return/deletion, liability limits, indemnification, dispute resolution.

Dispute Resolution

**Informal Resolution:** 30-day good-faith negotiation with senior management before legal action. Written notice required describing issue/desired resolution.

**Mediation:** In Dubai, UAE. Mediator by mutual agreement or DIFC appointment. Costs shared equally.

**Arbitration (International Clients):** DIFC-LCIA Rules. Seat: Dubai International Financial Centre. English language. Final and binding.

**Litigation (UAE Clients):** Dubai Courts exclusive jurisdiction. DIFC Courts for financial/commercial disputes.

**Injunctive Relief:** Either party may seek court relief for confidentiality breach, IP infringement, immediate harm, or urgent matters without mediation/arbitration.

General Provisions

**Governing Law:** UAE primarily. UAE Federal Law No. 45/2021 for data. IFZA/Dubai requirements. GDPR for EU clients.

**Entire Agreement:** These Terms + service agreement + DPA (if applicable) constitute entire agreement. Amendments in writing, signed by both parties.

**Severability:** Invalid provisions modified to minimum extent to make valid. Remainder stays in effect.

**Assignment:** You: Need our consent. Us: May assign to affiliates/successors/in M&A. Assignment doesn't affect processor obligations.

**Force Majeure:** Not liable for circumstances beyond control (disasters, pandemics, war, government actions, outages, strikes). Suspended during event. Either party may terminate if persists 90+ days.

**Notices:** To us: Building A1, Dubai Digital Park, Dubai Silicon Oasis, Dubai, UAE or legal@authect.com (dpo@authect.com for data matters). To you: Address in your agreement.

**Independent Contractors:** No partnership/joint venture/agency. No authority to bind each other.

**Changes:** We may modify with 30 days notice. Material changes communicated via email. Continued use = acceptance. Right to terminate within 30 days if you disagree (no early termination fees). Data processing changes may require explicit acceptance.