Agents are live! Build no-code automation for your best work. Get free trial →

Terms of Use

Last updated on 27 February 2026

These Terms of Use together with any Service Order and the Fair Use Policy or other document included by reference form a legally binding agreement solely between nexos.ai which is owned and operated by spectra tech, UAB, a company incorporated under the laws of Lithuania with its registered address at Švitrigailos g. 36, Vilnius, Lithuania and its Affiliates ("we", "our" or "us") and the organization subscribing for the Product ("Customer" or “Company”, or “You”), represented by its authorized representative ("Administrator"). By accepting these Terms of Use, the Administrator represents and warrants that they have the proper authority to legally bind their organization (the Company) to compliance with these Terms of Use, including the responsibility for ensuring compliance by all Users granted access by the organization.If you are an individual accessing nexos.ai for personal purposes without authorization from your organization, you must immediately discontinue use of the Product. These Terms of Use and nexos.ai are exclusively for the use of organizations.These Terms of Use do not create a direct contractual relationship between nexos.ai and Users. Company acknowledges and agrees that it is solely responsible for ensuring that all Users accessing and using the Product through its account comply at all times with these Terms. If you are an individual User accessing this Product, these Terms are legally binding on your Company, not you personally. If you have questions or concerns regarding your access to, or use of, the Product, please contact your Company directly.

1. Definitions

The following terms shall have the meaning specified below:Affiliate” means any entity that, directly or indirectly, Controls, is Controlled by, or is under common Control with a party.Confidential Information” means all nonpublic information, including, but not limited to, trade secrets, computer programs, technical drawings, algorithms, formulas, processes, ideas, inventions (patentable or not), other technical or business information, physical samples, financial, business, sales information including pricing, know-how, terms of agreements, negotiations or proposals, all data, and such other information disclosed in whatever form and (i) which is known or should reasonably be known by the receiving party to be confidential; (ii) under circumstances by which the receiving party should reasonably understand such information is to be treated as confidential, whether or not marked by the disclosing party as confidential. Confidential Information may not be used, published, or redistributed by the receiving party without the prior written consent of the disclosing party. Company Data” or “You” means an entity listed on an Service Order or being represented by its Administrator who accepts these Terms of Use in the online registration or purchase process.Company Data” means non-public data, information (including but not limited to Personal Data) and any material, content, phrases, and entries submitted to the Product (collectively “Input”).Control” means the ownership of or the power to vote, more than (50%) of the voting stock, shares, interest, or other equity interests of the relevant entity.Effective Date” means the date these Terms of Use take effect, which is the date indicated in the applicable Service Order, or, if the Product was purchased online without a separate Service Order, the date the Administrator, on behalf of the Company, accepts these Terms of Use in the online registration or purchase process.Intellectual Property Rights” means patents, rights to inventions, copyright and related rights, trademarks, trade names, domain names, trade dress, rights in get-up, rights in goodwill or to sue for passing off, rights in designs, rights in computer software (source or object code), database rights, rights in confidential information (including know-how and trade secrets) and any other intellectual property rights, in each case whether registered or unregistered and including all applications (or rights to apply) for, and renewals or extensions of, such rights and all similar or equivalent rights or forms of protection which may now or in the future subsist in any part of the world.Personal data” means any information relating to an identified or identifiable natural person (a "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person as defined in GDPR.Product” or “nexos.ai” means the Product as described in Schedule A to these Terms of Use (Product Description) or as available to You, including all applicable Product services provided by us to You under these Terms of Use or as designated on the applicable Service Order(s).Restricted Person” means any person or entity that is (i) designated on any restricted party list implemented under Trade Controls, or otherwise subject to Trade Controls restrictions including on the basis of being owned or controlled (directly or indirectly) by or acting for or on behalf of one or more designated persons or entities; or (ii) located or ordinarily resident in, or organized in or operating from, Cuba, Iran, North Korea, Syria, or a sanctioned region of Ukraine (currently, Crimea, Donetsk, Kherson, Luhansk, or Zaporizhzhia), Belarus, Russia, or any country or territory not listed expressly herein that is subject to comprehensive country-wide or territory-wide sanctions (each an “Embargoed Jurisdiction”), or is acting on behalf or at the direction of any government of or person located or ordinarily resident in, or organized within or operating from, any Embargoed Jurisdiction.Service Order” means any agreed Service Order(s) if such is applicable.Term” means the initial term of the subscription period specified in the Service Order and any renewal Term. If such Term is not specified then the default Term shall be month to month with autorenewal for the same period as the expiring Term on nexos.ai then current pricing. For trials shall be 7 days from Effective Date unless other terms are separately agreed, however can be cancelled anytime at Company’s discretion.Trade Controls” means applicable laws, regulations, and orders imposed by the EU, EU Member States, United States, the UK, or the UN Security Council related to export controls or economic or financial sanctions; and measures prohibiting or restricting participation in, or agreement to participate in, governmental boycotts that are not sanctioned by the relevant authorities in any of the foregoing or any other competent jurisdictions.Users” means all Your authorized users of the Product (such as employees or other members of staff of Company and/or Affiliates) for which You are responsible.Working Day’’ means any calendar day save for weekends and public holidays in the Netherlands.

2. Access to the Product

2.1. Subject to the terms and conditions of these Terms of Use, Company is granted access to the Product during the Term and we hereby grant Company a limited, non-exclusive, non-transferrable, revocable license during the Term, without rights to sublicense, to in the Territory access, install and use the Product and any related add-ons or updates, which may be made available to Company in connection with access to and use of the Product.2.2. Access to the Product is restricted to Users only. Access to the Product may not be passed, shared or otherwise made available to other individuals including third parties.2.3. Company is responsible for compliance with the provisions of the Service Order and these Terms of Use by all its Users. Company is also responsible for determining whether the Product is suitable for specific uses in light of any regulations or restrictions Company might be subject to.2.4. Company is solely responsible for obtaining the authorizations, licenses and consents, if and as required by any applicable law, to submit Company Data to the Product and that the use of the Product by Company will not violate any applicable law, any third-party Intellectual Property Rights, license terms that apply to open-source software, all applicable Data Protection Legislation, publicity, or other rights. If the Company integrates API keys for external third-party services contracted by the Company into the Product, the Company represents and warrants that it holds all necessary rights, licenses, and permissions, including any required sublicensing rights, to allow such third-party APIs to be accessed and used via the Product. The Company shall remain solely responsible and liable for its use of any third-party services and for compliance with the applicable third-party terms.2.5. Notwithstanding anything to the contrary in the Service Order and these Terms of Use, we expressly disclaim any and all liability related to or arising from Company’s use of information, guidance or any other output obtained through the Product. Company acknowledges and agrees that it is its own sole responsibility to assess, verify, and ensure the appropriateness, accuracy, and suitability of output obtained from the Product for its specific applications, Products, or processes.

3. Acceptable Use

3.1. Company represents and warrants that the administrator signing, registering or otherwise accepting these Terms of Use and / or using the Product with administrator rights on behalf of the Company (Administrator) has been duly authorized to enter into these Terms of Use and legally bind the Company and act for the Company. 3.2. Company is solely and fully liable for Company Data and any and all activity that takes place on its Product account. We shall have no responsibility or liability whatsoever for Company Data and other materials and copyrightable materials such as, but not limited to, literary works, text, images, photos, videos, and any other materials, which may have been submitted to the Product by Users.3.3. We are not responsible for the way Company uses the Product. We reserve the right to immediately terminate, without notice, the use of the Product by Company in the event of detection of fraudulent, illegal or, according to us, Company’s use of the Product in a manner that is not compliant with the Fair Use Policy. Company ensures that its Users will not use the Product to transmit or store any content or communication or engage in or encourage any activity that is illegal, harmful, deceptive, unsolicited, violating others’ rights or otherwise poses a threat to the public or infringes any copyright, patent, trademark, trade secret, or other Intellectual Property Rights of others.3.4. Company ensures that its Users shall not use the Product in a manner that may reasonably be considered detrimental to us in any way, or causes the Product to become unavailable or impaired, including but not limited to: (i) interference with the Product or any third-party applications or networks that are linked to the Product or disruption of the Product’s integrity, security and performance, including, without limitation, by submitting data or content that may contain malware or other harmful components; or (ii) reverse engineering or (attempted) hacking of the Product or attempting to gain unauthorized access to the Product (or any portion thereof), or related systems, networks, or data of us.3.5. Company acknowledges that a number of factors outside of our control may arise and impact the quality of the Product and the access and/use of the Product, including, without limitation, actions of third parties, force majeure, fires, strikes, accidents, pandemic, and technical conditions beyond the control of us, e.g. the internet. The hardware, software, and technical infrastructure used by Company can also influence the use of the Product. We shall use reasonable efforts to address issues related to delays or defaults in access to the Product.3.6. You and Your Users shall only use the Product in accordance with the Product fair use policy as described on Fair Use Policy. We may update the Fair Use Policy from time to time by publishing a new version on https://nexos.ai/fair-use-policy.

4. Third Party Services; Third-Party Components

4.1. The Product uses and/or includes third party software, files, large language models (LLM’s) and components that may also be subject to open source and other third-party license terms (“Third-Party Components”). Company acknowledges that the use of such Third-Party Components may be subject to separate terms and is responsible for ensuring its use of the Product complies with any applicable third-party license terms. We are not the author, owner or licensor of such Third-Party Components, and we make no warranties or representations, express or implied, as to the quality, capabilities, operations, performance or suitability of Third-Party Components and we are not liable for any Third-Party Components. Under no circumstances shall the Product or any portion thereof (except for the Third-Party Components contained therein) be deemed to be “open source” or “publicly available” software.4.2. Purchase Through Authorized Partners. You may purchase the Services through authorized partners, such as distributors or resellers (“Authorized Partner”). If a Company purchased the Services through an Authorized Partner, then (a) payment obligations related thereto shall be between the Company and the Authorized Partner and not us, (b) Company will have no direct payment obligations to us, (c) Company’s use of the Services is subject to these Terms. We may terminate these Terms (including the Company’s right to use the Services) if: (1) the Company breaches any of its payment obligations to the Authorized Partner relating to these Terms, (2) we do not receive payment for Company’s use of the Services from the Authorized Partner, and/or (3) in other cases established in these Terms. Any terms agreed between Company and the Authorized Partner that are in addition to or inconsistent with these Terms are solely between Company and the Authorized Partner. No agreement between Company and an Authorized Partner is binding on us, nor will it have any force or effect with respect to the use of the Services.

5. Confidentiality

5.1. Each party (i) shall treat as confidential all Confidential Information of the other party, (ii) shall not use such Confidential Information except to exercise its rights and perform its obligations under these Terms of Use, (iii) shall not disclose such Confidential Information to any third party (other than employees, any employees of any affiliates, and professional advisers with a need to know, in all cases provided such employees and advisers are bound by confidentiality terms no less protective than the terms in these Terms of Use), and (iv) shall use at least the same degree of care it uses to prevent the disclosure of its own Confidential Information of similar importance. Each party shall promptly notify the other of any misuse or unauthorized disclosure of the other party's Confidential Information. The recipient may disclose Confidential Information pursuant to an order or requirement of a court, administrative agency, or other governmental body, provided that recipient provides prompt, advance written notice thereof to discloser to enable discloser to seek a protective order or other similar relief.5.2. All Confidential Information related to the Product shall remain the sole and exclusive property of us, and no license or other right to such Confidential Information or our Intellectual Property Rights is granted or implied hereby to the receiving party.

6. Beta Services

6.1. We may at our own discretion make available to Company services or features of the Product identified as alpha, beta, preview, early access, evaluation, preliminary, or a similar description, that are still under development and may not be fully functional or error-free (“Beta Services”). Company understands that the use of Beta Services is at its own risk, services levels are not applicable, and no warranties are provided regarding performance, functionality, or fitness for a particular purpose. We shall to the fullest extent permitted by applicable law not be liable for any damages, losses, or costs arising from the use of the Beta Services, including but not limited to direct, indirect, incidental, or consequential damages.

7. Fees and Payment

7.1. We shall invoice Fees on a monthly basis unless agreed otherwise. All Fees due and payable to us shall be paid to the bank account indicated by us and shall be paid and received by us in cleared funds within thirty (30) days following the invoice date. Company explicitly agrees that we may email invoices to Company in PDF format to a Company provided email address and shall be deemed received by Company the same day. Company shall pay all Fees due to us under the Service Order without any set-off, counterclaim and/or any other deductions or withholding of monies.7.2. We reserve the right to increase Fees in our discretion for any renewal or extension of the Term. To the extent Fees are set by Third-Party Components, we have the right to increase such Fees as the Third-Party Components fees are increased. An example of this could be token fees of LLMs.7.3. Notwithstanding any other rights of us, in the event of late payment by Company, we shall be entitled to interest on the amount owing but unpaid at an annual rate equal to one and half percent (1.5%) per month compounded daily (or the highest interest rate permitted by applicable law) from the date due until paid in full.7.4. The Fees are exclusive of all taxes. Company agrees to pay and/or reimburse us all amounts (whether fees, charges or otherwise) payable to us without set off and without deduction for any taxes (“Deduction”). All such taxes (exclusive of any taxes based upon our income) shall be assumed by and paid for by Company, regardless of whether such taxes are included in any invoice sent to Company by us. Accordingly, if Company is at any time required by any applicable law to make a Deduction from any payment or reimbursement due to us, then the amount due by Company to us shall be increased by such amount as will result, notwithstanding the making of such Deduction, in our receipt ultimately on the due date for payment of the amount that we would have received if Company had not been required to make such Deduction.7.5. If Company is required by law to make any withholding from any sum payable to us, Company shall send notice to us at least thirty (30) days prior to the payment due date, detailing the payment amount due. Company shall provide us with a copy of the completed certificate of withholding and/or any other document issued by the relevant tax authority demonstrating any payment of withholding taxes, within thirty (30) days after making such payment. Company shall not make any withholding for liabilities arising from acts or omissions including, without limitation, late or incorrect withholding amounts.

8. Refunds

8.1. Refund Policy. We value our customers' satisfaction. While we understand that there may be circumstances under which You may feel compelled to request a refund, we seek customers’ full satisfaction with our Services and we would like to troubleshoot an issue that you experience first. Many service issues can be quickly addressed by our customer support team, ensuring Your optimal use of our services. If You're still dissatisfied, this refund procedure outlines our commitment to clarity and fairness while protecting our business interests.8.2. Eligibility for a Refund. Company is eligible to claim a refund under the following conditions: A refund request is made within 14 (fourteen) calendar days of your initial purchase date for our Services. Initial purchase means the first-time purchase and the earliest created order for a Company; Refunds will not be provided for any additional services, features, add-ons, or renewals purchased during the Term or used consumption fees. Refunds will not be provided when trial was provided to You.8.3. Refund Process. To request a refund, please follow these steps: Send a message to our chat support within the Product; Provide your refund request and a detailed reason for the refund. Our team will review your request and respond with instructions on how to proceed. Refunds will be processed back to the original method of payment, subject to any currency exchange fluctuations, fees, or deductions as required by the payment provider, all of which shall be borne by the Company.8.4. Exceptions to Refunds. Refunds shall not be provided in the following situations: If your account was suspended or terminated due to a violation of our Terms of Use; For payments made using cryptocurrency, prepaid cards, or gift cards; For the Services purchased through Authorized Partners. We are not responsible for and do not control the refund policies of Authorized Partners. Any refund requests for such purchases should be directed to the Authorized Partner from which the Service was purchased in accordance with their refund policies; If a refund was already issued for the Company. In such case, any subsequent purchases of the Services shall not be eligible for another refund.8.5. Discounts and Refunds. To the extent the Company has received any price reduction, promotional benefit or other discount in connection with the purchased Product services, the Company shall reimburse or forfeit the value of such discount in the event of a Refund. Unless otherwise expressly specified, Product services purchased at full monetary value shall be deemed consumed prior to any Product services provided at a discount or free of charge. Any Refund shall apply only to the unused portion of Product services purchased at full monetary value.

9. Service Levels

9.1. The parties agree that the provisions of the Service Level Agreement attached as Schedule C shall govern the availability of the Product pursuant to these Terms of Use, except as otherwise set forth below with respect to Free Services.9.2. You acknowledge and agree that any parts of the Product provided by nexos.ai free of charge (“Free Services”) are provided “AS IS” and on an “AS AVAILABLE” basis without any warranties of any kind. We expressly disclaim all warranties, whether express, implied, statutory, or otherwise, including but not limited to warranties or merchantability, fitness for a particular purpose, suitability, accuracy, completeness, continuous availability, non-infringement, or freedom from defects or errors. Without limiting the foregoing, we specifically do not warrant or guarantee that Free Services will be uninterrupted, error-free, reliable, accurate, secure, or timely, nor do we make any warranties or representations regarding the results to be obtained from the use of the Free Services. You assume all risk with respect to Your access to and use of Free Services. Schedule C (Service Level Agreement) shall not apply to the Free Services.

10. Data Protection

10.1. The parties agree that the provisions of the Data Processing Agreement attached as Schedule D shall govern the processing of the Personal Data in connection with Company’s use of the Product pursuant to these Terms of Use.

11. Intellectual Property

11.1. Company acknowledges and agrees that we (or our licensors) are and shall continue to be the sole owner of all Intellectual Property Rights in and to the Product, and any modifications, improvements and/or derivatives thereof (“Improvements”). To the extent, if any, that ownership in such Improvements does not automatically vest in us (or our licensors), Company agrees to transfer and assign, and hereby does transfer and assign to us all rights, titles and interests which Company may have in and to such Improvements, and further agrees that it shall take all reasonable actions to confirm or effect such transfer.11.2. Company shall not: modify or create derivative works of the Product; reverse engineer, reverse assemble, reverse compile, decompile, translate, engage in model extraction or stealing attacks, or otherwise attempt to discover the source code or underlying components of models, algorithms, and systems of the Product to the extent such restrictions are not contrary to applicable mandatory law; use the Product to develop solutions that compete with the Product; and try to extract data from the Product in any way other than specifically permitted under these Terms of Use;11.3. Company exclusively owns and reserves all rights, titles, and interest to Company Data, subject to our worldwide, non-exclusive and royalty-free right to process, disclose and transfer Company Data only as necessary to maintain and improve the Product and/or otherwise permitted by the Terms of Use. Company hereby grants us a limited worldwide license to use any Company Data and corresponding Intellectual Property which its Users submit to the Product as may be necessary and which is required to run and optimize the Product.11.4. The Parties agree that we may use Company Data and corresponding Intellectual Property and/or information about the use of the Product to provide support, maintain and improve, including optimization of infrastructure and the algorithms that are used in the software, provided such use does not result in direct identification of the Company or any individual, unless we must use the Company Data in a manner that does identify the Company or any individual for example to provide support. Where the Product enables Company to access third-party LLMs or models that may use inputs for training, re-training, or fine-tuning, such use is subject to the respective third-party terms. We provide Company with controls to enable or disable the use of such models within the Product. The Company is solely responsible for its choice to use models that may incorporate inputs into training.11.5. Any Intellectual Property which might be created by Company with the help of the Product, without any human intervention from us, which results in Intellectual Property Rights, would be owned (subject to the limitations of Intellectual Property Rights in respect of AI generated content) by Company.

12. Indemnity

12.1. We shall indemnify Company against third party claims that the use of the Product (excluding output) as specified in, and fully in accordance with these Terms of Use, infringes any Intellectual Property Right of such third party ("Intellectual Property Infringement Claim"), provided that Company: (i) gives notice to us of any Intellectual Property Infringement Claim promptly after becoming aware of it; (ii) gives us sole control over the conduct of the defense to any claim or action in respect of any Intellectual Property Infringement Claim and does not, at any time, admit liability or otherwise attempt to settle or compromise said Claim or action except upon the express instructions of us; and (iii) acts in accordance with the reasonable instructions of us and gives to us such assistance as it shall reasonably require in respect of the conduct of the defense (including, without prejudice to the generality of the foregoing, the filing of all pleadings and other court process and the provision of all relevant documents and available information).12.2. In addition to the foregoing, in the event that the use of the Product for any activity contemplated under these Terms of Use is recognized by us or by a final and unappealable order of a competent court as infringing any Intellectual Property Right belonging to a third party, we shall at our option: (i) use reasonable efforts to modify the Product, if this is reasonably possible from both a technical and economic perspective; or (ii) procure for Company a license to continue using the Product or the infringing component thereof, on reasonable terms and conditions corresponding to standard industry practice in this field.12.3. In the event that the parties reasonably agree that it is not practicable (including, without limitation, for technical and/or economic reasons) to accomplish either of the aforesaid alternatives as mentioned in Clause 11.2 (i) and (ii), then Company may terminate the Service Order by written notice to us. Such termination shall be without prejudice to the rights of either party accrued as at the date of termination.12.4. Our obligations under this Clause 11 shall not apply in the event that the Intellectual Property Infringement Claim is based on and/or attributable to: (i) any unauthorised use of the Product or any component thereof by Company; (ii) the combination of the Product or any component thereof with (a) software and/or hardware which was not supplied by us pursuant to the Service Order and these Terms of Use, or (b) with Company Data, where the combination gives rise to the infringement; (iii) where applicable, Company's failure to install the most recent update(s) and/or upgrade(s) to the Product; and/or (iv) an Intellectual Property Right in which Company and/or any of its affiliates has a direct or indirect interest, whether by virtue of ownership, license or otherwise.12.5. The foregoing provisions of this Clause 11 state our entire liability with regard to the Intellectual Property Infringement Claims, subject always to the provisions of Clause 13 of these Terms of Use.

13. Trade Controls

13.1. Company represents and warrants that in its activities with respect to the Service Order and these Terms of Use, it, including its Affiliates, officers, employees, and other agents, shall comply with Trade Controls, and that it shall not cause us, directly or indirectly, to be in violation of, or to be exposed to penalties, sanctions, or other adverse consequences under, Trade Controls.13.2. Company represents and warrants that it and its Affiliates, officers, employees, and other agents, are not Restricted Persons and that, in their activities, they shall not cause or permit, directly or indirectly, any export, reexport, transfer (including in-country transfer), retransfer, disclosure, or provision of commodities, software, technology, source code, or services to or for the benefit of a Restricted Person.13.3. Company represents and warrants that in its use of the Product, it, including its Affiliates, officers, employees, and other agents, shall not upload or otherwise transfer to us or seek provision from us of any technical data, technology, software, or code that are subject to applicable Trade Controls, including but not limited to items or services controlled under military or dual-use export control regulations.13.4. Company represents and warrants that in its use of the Product, it, including its Affiliates, officers, employees, and other agents, shall not use the Product for, nor use any information or other items received through its use of the Product for, any military or military-intelligence end use or for any other prohibited end use or end user under Trade Controls.

14. Liability

14.1. Subject to Clause 13.4, our total aggregate liability (whether contractual, in tort or otherwise) in respect of all claims arising under or in connection with the Service Order and these Terms of Use shall be for direct losses only and shall not exceed the amount of fees paid to us by Company under the respective Service Order during the twelve (12) months period immediately preceding the date when such liability arises, or EUR 1.000 (one thousand euro), whichever is higher.14.2. In no event shall we be liable under the Service Order and these Terms of Use for any consequential damages resulting from the use of the Product, including but not limited to, damages for loss of profits, goodwill, use, business, revenues, data or other intangible losses.14.3. In no event shall we be liable for damages or fines imposed by any regulator or court on Company for a breach by Company of any applicable Data Protection Legislation, as a result of Company's use of the Product unless and solely to the extent resulting from our breach of applicable Data Protection Legislation or the terms of the Data Processing Agreement attached as Schedule D.14.4. We do not exclude or limit our liability to Company for damages arising from our management's willful intent or gross negligence.

15. Term and Termination

15.1. These Terms of Use shall enter into force upon the Effective Date and shall continue for the Term. The Terms of Use will automatically renew for the same time period as the expiring Term: for subscriptions with a fixed term, the Company may terminate by providing us with at least 30 days’ prior written notice before the end of the then-current Term (email notice is sufficient). To the extent Company has been granted any term and/or renewal related discount, any such discount will have to be reimbursed if these Terms of Use terminate before the end of the period over which such discount has been calculated. for month-to-month subscriptions, the Company may terminate these Terms of Use at any time by cancelling the nexos.ai subscription via the platform. The subscription will remain active until the end of the current billing period, and no refunds will be provided for any unused portion of the period. If the subscription is not cancelled, it will automatically renew at the pricing in effect on nexos.ai at the time of renewal.15.2. These Terms of Use or any Service Order thereunder may be terminated by written notice to the other party: (i) by any party in the event of a material breach of these Terms of Use or a Service Order by the other party which remains uncured for a period of thirty (30) days after receipt of written notice of such breach is provided to the breaching party, provided that the cure period for a failure to pay amounts due shall be ten (10) days; (ii) as may be set forth in the applicable Service Order or other appendices to these Terms of Use; and/or (iii) immediately upon written notice to the other party, in the event the other party (a) makes an assignment for the benefit of creditors; (b) files a voluntary bankruptcy petition; (c) acquiesces to any involuntary bankruptcy petition; (d) is adjudicated bankrupt; or (e) ceases to do business.15.3. Notwithstanding any provision of these Terms of Use, we may suspend its performance of its obligations under the Service Order and/or Terms of Use or terminate the Service Order and/or Terms of Use with immediate effect without obligations or adverse consequences to us if Company has breached any provisions of Clause 12 or if we determine that to perform any of its obligations under the Service Order and/or Terms of Use constitutes or could constitute a violation of or conflict with, or expose it to sanctions, penalties, or other adverse consequences under, any Trade Controls, including if Company becomes a Restricted Person.15.4. Upon the expiration or termination of these Terms of Use: (i) all Service Orders shall terminate; (ii) Company shall immediately cease using the Product, and shall, at our option, delete the Product and/or return all items received under the Service Order and/or these Terms of Use to us; (iii) all licenses granted by us hereunder shall terminate with immediate effect, and (iv) Company shall immediately pay all obligations that have accrued prior to the effective date of termination.15.5. In the event of termination due to Company’s breach of these Terms of Use and/or applicable Service Order, Company agrees that all Fees that would otherwise be due by Company for the remainder of the Term shall be accelerated and due and payable to us immediately.

16. General

16.1. If any term or provision of these Terms of Use is invalid, illegal, or unenforceable in any jurisdiction, such invalidity, illegality, or unenforceability shall not affect any other term or provision of these Terms of Use or invalidate or render unenforceable such term or provision in any other jurisdiction.16.2. We may, at our discretion, modify or update these Terms of Use from time to time. Any such modifications shall become effective upon notice to the Company or upon publication on our website, whichever happens earlier. Continued use of the Product after such modifications constitutes acceptance of the updated Terms of Use.16.3. We may assign this Service Order and/or these Terms of Use to any Affiliate at our discretion. Company may not assign this Service Order and/or these Terms of Use without our prior written consent, which shall not be unreasonably withheld.16.4. The Service Order and/or these Terms of Use and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of the Netherlands. Applicability of the United Nations Convention on Contracts for the International Sale of Goods 1980 is hereby expressly excluded.16.5. Any claims, disputes, disagreements or other matters in question arising out of or relating to the Service Order and these Terms of Use shall be primarily resolved amicably by mediation within thirty (30) days of the receipt of a notice by one party to the other of the existence of a claim, despite or disagreement. In the event a dispute cannot be resolved amicably, the parties irrevocably agree that the Chamber for International Commercial Matters (Netherlands Commercial Court or NCC) of the court of Amsterdam, the Netherlands shall have the exclusive jurisdiction to settle any dispute or claim that arises out of, or in connection with, the Service Order and/or these Terms of Use or its subject matter or formation (including non-contractual disputes or claims). Such proceedings shall be in the English language.

17. Annexes:

17.1. Schedule A – Product Description17.2. Schedule B – API Access (applicable only if API is provided)17.3. Schedule C – Service Level Agreement17.4. Schedule D – Data Processing AgreementAnnex 1: Details of Processing of Personal DataAnnex 2: Technical and Organisational Measures

Schedule A – Product Description

nexos.ai Product Description

1. Overview of the Product

nexos.ai is a software-as-a-service (SaaS) platform that enables users to access and interact with a variety of third-party AI models through a unified interface. The platform facilitates the routing of user requests to supported models, supports usage tracking, and includes access control and configuration options.

2. Functional Components

As of the Effective Date, the Product includes the following functional components:
  • Model Access Integration: Enables users to submit requests to supported third-party AI models via a unified interface. Model providers may include, without limitation, OpenAI, Anthropic, Google, and Meta.
  • Routing and Load Distribution: Supports the routing of user requests across different AI models based on configurable parameters, which may include provider, availability, or usage thresholds.
  • Monitoring and Logs (Observability): Captures certain metadata associated with user activity on the platform, which may include request timestamps, selected model endpoints, and usage volume. Some metrics may be made available to users through the interface or programmatically.
  • Input and Output Rules (Guardrails): Allows for the configuration of certain rules or filters relating to the inputs submitted by users and/or outputs generated by the models.
  • Team and Access Management: Provides features for assigning roles, permissions, and access policies (including single sign-on (SSO)) to users within an organization or team structure.
  • Cost Management: Allows Customers to configure and monitor budget thresholds at the organization and team level. Thresholds may be used to support internal cost control.

3. Service Tiers

The Product may be offered under multiple service tiers or subscription plans, each with its own scope of functionality, usage limits, or access to third-party services. The specific features available under each tier are defined separately and are subject to change.

4. Beta Features / Limited Access

From time to time, certain features may be made available as beta, preview, or limited-access offerings. Such features are provided without warranty, may be incomplete or unstable, and may be modified or withdrawn without prior notice.

5. Product Modifications

The Product is subject to continuous development and improvement. nexos.ai reserves the right to add, modify, or remove features at its discretion.

Schedule B – API Access (applicable only if API is provided)

1. Definitions

In addition to the definitions set forth in the main body of the Terms of Use, the following definitions apply to this Schedule B – API Access:API” means the application programming interface for the Product provided by us to Company, as more fully described in the API Documentation.Documentation” means any written or electronic documentation related to the API provided by us to Company.

2. Access to the API

2.1. We agree to provide You, on the terms and conditions of these Terms of Use, with access to the API for the purpose of enabling You to access the Product as specified in the Service Order, or, if the Product is purchased online without a separate Service Order, as specified in the online purchase process and the Documentation (“Purpose”).2.2. You agree to use the API solely in connection with the Product and for the Purpose only. You also agree to the following limitations. You will not: (a) access or use the APIs in violation of any applicable law, regulation and policies, including but not limited to our Fair Use Policy; (b) access the API in any manner that (i) compromises, breaks or circumvents any of our technical processes or security measures associated with the Product, (ii) poses a security vulnerability to other customers or users of the Products, or (iii) tests the vulnerability of our systems or networks.2.3. You acknowledge and agree that we may modify or discontinue the API at any time in its sole discretion.

3. License to Use the API

3.1. We grant You a non-exclusive, non-transferable, revocable license for the Term to use the API for the Purpose only and any related purposes determined in the Service Order or Terms of Use.3.2. You agree not to copy, modify, distribute, sell, or lease the API or any portion thereof, or to use the API to develop a competing Product or service to the Product.

4. Transparency and privacy

4.1. If You use the API in the context of offering Products and services to individuals outside Your organization, like users, consumers or other individuals You must maintain a user agreement and privacy policy for Your application, which is prominently identified or located where users download or access Your application. Your privacy policy must meet applicable legal standards and describe the collection, use, storage and sharing of data in clear, understandable and accurate terms. If the API project involves uses such as conversational AI and chatbots, such interactions must disclose to users that they are interacting with an AI system. Accordingly, these requirements apply if the use of the API requires the processing of Personal Data of users within Your organization.4.2. In the event that we will have access to and/or otherwise process Personal Data being Your external users or customers, as part of the provision of the API for the Purpose, we will be considered a data processor within the meaning of the GDPR and the processing of such Personal Data shall be subject to the provisions of Schedule D – Data Processing Agreement. Each Service Order or when the Product is purchased online without a separate Service Order, the online purchase documentation or associated product description, shall specify the required details of processing of Personal Data that is necessary in connection with these Terms of Use.

5. Documentation

5.1. We will give You access to Documentation related to the API.5.2. You agree to use the Documentation solely in connection with your use of the API in accordance with the Purpose.

6. Intellectual Property

6.1. The API and Documentation are Intellectual Property Rights of us (or our licensors).6.2. You acknowledge and agree You acquire no rights in the API or Documentation other than the limited license granted in this Schedule B.6.3. You agree to use the API and Documentation only as authorized by us.

7. Termination

7.1. Any breach of this Schedule B – API Access by You will be deemed a material breach of Clause 14 of the Terms of Use Clause 14.7.2. Upon termination of this Schedule B or Terms of Use – API Access and/or the Service Order, You shall immediately cease all use of the API and Documentation and shall return or destroy all copies of the Documentation.

Schedule C – Service Level Agreement

1. Definitions

In addition to the definitions set forth in the main body of the Terms of Use, the following definitions apply to this Schedule C – Service Level Agreement:Availability” means the period of time for which the product is deemed fully available and usable, calculated per month.Availability Commitment” is expressed as a percentage (%) and calculated as follows: (total minutes in a calendar month – total minutes of Downtime in a calendar month) / (total minutes in the same calendar month) x 100.Downtime” means the period of time for which the product has no Availability, calculated per calendar month, excluding Downtime Exclusions.Downtime Exclusions” means any performance issues directly or indirectly caused by or related to (i) Beta Services, (ii) faulty equipment of Company or other third parties (other than third party equipment within our direct control); (iii) factors outside of our reasonable control, including any force majeure event or Internet access or related problems beyond the demarcation point of us; (iv) voluntary actions or inactions of Company or any third party; (v) any Scheduled Maintenance; (vi) our suspension, termination, or refusal of access of parts of the Product, in each case to the extent permitted by the Agreement.Scheduled Maintenance” means any pre-planned maintenance for which We provide notice to Company at least two (2) days in advance.Support Hours” means 9:00 – 17:00 on a Working Day.Support Request” means a notification on the product Support channel during Support Hours by Users of the occurrence of an error or to request technical support in relation to the Services. If a request is logged outside of the Support Hours, it will be deemed received at the start of the Support Hours the next Working Day.Working Day” means any calendar day save for weekends and public holidays in the Netherlands.

2. Service Levels

2.1. We will use commercially reasonable efforts to maintain an Availability Commitment of 99.9%.2.2. In the event the product does not meet the Availability Commitment, Company will receive a Service Credit toward the following month’s fees as Company's sole and exclusive remedy. To request a Service Credit, Company must notify us within 30 days after the month in which the Service Credit was earned.
Availability Commitment Service Credit Percentage
< 99.9% and ≥ 99.0% 10%
< 99.0% 20%
2.3. A “Service Credit” shall be equal to (x) the Service Credit Percentage, as set out in the table below, multiplied by (y) Fees (excl. fees for the Third-Party Components, e.g. token fees of LLMs) paid for by Company in the relevant month for the services that failed to meet the Availability Commitment in such month.2.4. We will provide support services during the Support Hours and will use best commercial efforts to respond during such Support Hours within the timeframes set forth below as measured from receipt of the Support Request.
Severity Response Time
Severity 1 Within 1 hour
Severity 2 Within 2 hours
Severity 3 Within 1 Working Day
Severity levels shall be proposed by Company when placing the relevant Support Request and verified and determined by us, acting reasonably and in good faith, in accordance with the following criteria:Severity 1: the product is non-operational and this has a material adverse impact on Company’s business operations, and there is no workaround available.Severity 2: the product fails to function properly and such failure has a material adverse impact on Company's business operations, although the product remains substantially operational and/or there is a workaround available.Severity 3: Company has a general inquiry or request regarding the product.

Schedule D – Data Processing Agreement

This Data Processing Agreement ("DPA") governs spectra tech, UAB as the Processor to process Personal Data of the Company as Controller in relation to the Personal Data provided by the Controller through nexos.ai API or any nexos.ai services for businesses. This processing is conducted under the Terms of Use. If and to the extent language in this DPA conflicts with the Terms of Use the conflicting terms in this DPA shall control.

1. Definitions

1.1. All definitions of the Terms of Use apply for the purposes of this DPA and unless otherwise defined in this DPA, additional terms used in this DPA that are given a particular meaning in Data Protection Legislation (as applicable) shall be interpreted in accordance with such meaning or the meaning of equivalent terms, such as “process/processing”, “data subject”, “(data) processor”/“provider”, “(data) controller”/“business”, “personal data/ personally identifiable) information”, “(personal) data breach”, “data protection impact assessment”, etc.;
Authorised Subprocessors” means (a) those Subprocessors set out in Annex III (Authorised Subprocessors); and (b) any additional Subprocessors notified to the Controller in accordance with Clause 6 of this DPA.Data Protection Legislation” means all applicable data protection and privacy legislation in force from time to time in the European Union, including but not limited to the General Data Protection Regulation (EU) 2016/679 (‘GDPR’) and any other national laws or regulations implementing or supplementing the GDPR.EEA” means the European Economic Area;Product” means the Product as described in the Terms of Use, including all applicable Product services provided by us to You under the Terms of Use and/or as designated on the applicable Service Order(s);Standard Contractual Clauses” means the standard contractual clauses for the transfer of personal data to recipients established in third countries, as approved by the European Commission in Implementing Decision 2021/914, or any set of clauses approved by the European Commission which amends, replaces or supersedes these;Subprocessor” means any data processor (including any third party and any Processor Affiliate) appointed by Processor to process Personal Data on behalf of the Controller;Supervisory Authority” means any regulatory authority responsible for the enforcement of Data Protection Legislation;

2. Processing of the Personal Data

2.1. Processor shall process Personal Data only (i) on Controller’s behalf for the purpose of providing and supporting the Product, (ii) in compliance with the documented instructions as set forth in the Terms of Use and (iii) if the processing is required by EU or Member State law to which Processor is subject, in which case Processor shall to the extent permitted by such law inform the Controller of that legal requirement before processing that Personal Data.2.2. The details of the processing operations, in particular the categories of Personal Data and the purposes of processing for which the Personal Data is processed on behalf of the Controller, are specified in Annex I of this DPA (Details of Processing of Personal Data). Processor shall immediately inform the Controller if, in its opinion, an instruction from the Controller infringes Data Protection Legislation.

3. Obligations of Controller

3.1. Controller shall comply with all requirements in applicable Data Protection Legislation.3.2. Controller represents, warrants and covenants that it has and shall maintain throughout the term all necessary rights, consents and authorizations to provide the Personal Data to Processor and to authorize Processor to use, disclose, retain and otherwise process Personal Data as contemplated by this DPA, the Terms of Use and/or other written instructions provided to Processor.3.3. Without prejudice to Processor’s security obligations in Clause 4 of this DPA, Controller acknowledges and agrees that it, rather than Processor, is responsible for certain configurations and design decisions for the services and that Controller, and not Processor, is responsible for implementing those configurations and design decisions in a secure manner that complies with applicable Data Protection Legislations.

4. Security

4.1. Processor will maintain reasonable and appropriate organizational and technical security measures as required in GDPR, including those measures described in Annex II to this DPA (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, and encryption) to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of Personal Data and to protect the rights of the subjects of that Personal Data;4.2. Processor shall take appropriate steps to confirm that Processor personnel are protecting the security, privacy and confidentiality of Personal Data consistent with the requirements of this DPA.

5. Subprocessing

5.1. As of the Effective Date, the Controller authorizes the Processor to engage the Subprocessors listed at https://nexos.ai/legal/subprocessors-list/, which constitutes Annex III (Authorised Subprocessors).5.2. The Processor shall maintain an up-to-date list of Subprocessors on its website at https://nexos.ai/legal/subprocessors-list/. The Processor provides a subscription option for Controllers to receive notifications of changes. Controllers are responsible for subscribing to updates if they wish to receive notifications; otherwise, updates shall be deemed effective upon publication.5.3. If Controller wishes to object to the use of such Subprocessor, Controller may notify Processor within five (5) days of the earlier of (i) the Controller’s receipt of a notification email or (ii) the Processor’s publication of the updated Subprocessor List, on reasonable grounds relating to the protection of Personal Data. In such case, the Processor shall have the right to cure the objection through one of the following options: (i) Processor will cancel its plans to use the Subprocessor with regards to processing Company Data or will offer an alternative to provide its Product or services without such Subprocessor, (ii) Processor will take the corrective steps requested by the Controller in the objection notice and proceed to use the Subprocessor, (iii) Processor may cease to provide, or Controller may agree not to use whether temporarily or permanently, the particular aspect or feature of the Product that would involve the use of such Subprocessor or (iv) Controller may cease providing Personal Data to Processor for processing involving such Subprocessor. If none of these options are commercially feasible, in Processor’s reasonable judgement, and the objection(s) have not been resolved to the satisfaction of the parties within thirty (30) days of Processor’s receipt of Company’s objection notice, then either party may terminate the Product that cannot be provided without the use of the new Subprocessor.
5.4. With respect to each Subprocessor, Processor shall:5.4.1. provide the Controller with details of the processing to be undertaken by each Subprocessor;5.4.2. enter into a contract which imposes on the Subprocessor, in substance, similar data protection obligations as the ones imposed on the Processor in accordance with the Terms of Use; and5.4.3. Processor is liable for the acts and omissions of its Subprocessors to the same extent Processor would be liable under the terms of this DPA if it performed such acts or omissions itself and inform the Controller of any such failure by a Subprocessor.

6. Data Subject Rights and Law Enforcement Requests

6.1. Processor shall promptly, and in any case within ten (10) working days, notify the Controller if it receives a request from a data subject whose Personal Data is processed by Processor on behalf of the Controller and shall provide full details of that request. The Processor shall not respond to the request itself, unless specifically authorised do so by the Controller.6.2. To the extent the Controller, in its use of the Product, does not have the ability to address a data subject request, the Processor shall, upon Controller’s request, provide commercially reasonable efforts to assist Controller in responding to such data subject request, to the extent the response to such data subject request is required under Data Protection Legislation.6.3. Taking into account the nature of the processing, Processor shall make commercially reasonable efforts to co-operate as requested by the Controller to enable the Controller to comply with any assessment, enquiry, notice or investigation under any Data Protection Legislation in respect of Personal Data or this DPA.6.4. The Processor agrees to promptly notify the Controller if it receives a legally binding request from a public authority, including judicial authorities for the disclosure of Personal Data or if it becomes aware of any direct access by public authorities to such Personal Data. The notification will include all information available to the Processor about the request or access. If the Processor is prohibited from notifying the Controller under applicable laws, the Processor agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. If the Processor concludes that there are reasonable grounds to consider that the request is unlawful it will pursue possibilities of appeal and/or seek interim measures, so as to, where feasible, only fulfil the request after the competent judicial authority has decided on its merits. In any case, the Processor undertakes to narrowly interpret all such valid requests, providing only the minimum amount of information required.

7. Incident Management

7.1. In the event of a personal data breach, the Processor shall use reasonable efforts to cooperate with and assist the Controller in complying with the Controller’s obligations under the applicable Data Protection Legislation, taking into account the nature of processing and the information available to the Processor.
7.2. Processor shall notify the Controller within forty-eight (48) hours of becoming aware of a personal data breach in relation to the Personal Data, providing the Controller with sufficient information which allows the Controller to meet any obligations to report a personal data breach under the Data Protection Legislation. Such notification shall at a minimum:7.2.1. describe the nature of the data breach, the categories and numbers of data subjects affected, and the categories and numbers of Personal Data records concerned;7.2.2. communicate the name and contact details of Processor's relevant contact from whom more information may be obtained;7.2.3. describe the likely consequences of the data breach; and7.2.4. describe the measures taken or proposed to be taken to address the data breach and to mitigate harm or adverse impacts to the data subjects whose Personal Data has been compromised.
7.3. The parties agree to coordinate and cooperate in good faith on developing the content of any related public statements or any required notices directed to affected data subjects. Processor shall not inform any third party without first obtaining the Controller’s prior written consent, unless notification is required by EU or Member State law to which Processor is subject, in which case Processor shall to the extent permitted by such law inform the Controller of that legal requirement, provide a copy of the proposed notification and consider any comments made by the Controller before notifying the personal data breach.

8. Data Protection Impact Assessment and Prior Consultation

8.1. Processor shall provide commercially reasonable assistance to the Controller with any data protection impact assessments, supervisory authority prior consultations or similar assessments, where such are required under Data Protection Legislation, taking into account the information available to the Processor and the nature of its processing of Personal Data.

9. Deletion of Personal Data

9.1. Processor shall delete Personal Data from its systems upon termination or expiry of the Agreement within maximum of 90 days, unless applicable law requires the Processor to retain copies. In such cases, the Processor will isolate and protect that Personal Data from any further processing except to the extent required by applicable laws. This remains without prejudice to the Processor’s right to process non-personal data related to the use of the Product. This period may not be applicable for all subprocessors.

10. Compliance and Audit Rights

10.1. The Processor shall deal promptly and adequately with inquiries from the Controller about the processing of Personal Data in accordance with this DPA.10.2. The Processor shall make available to the Controller on request all information reasonably necessary to demonstrate compliance with this DPA and the obligations that stem directly from the GDPR. Controller will take into account the relevant certifications held by the Processor.10.3. If such relevant certifications are not sufficient to demonstrate compliance with the processing of Personal Data under this DPA, Company may, upon reasonable notice and appropriate confidentiality agreements, request that Processor cooperate with assessments, audits, or other steps performed by or on behalf of Company. These assessments, audits, or other steps shall be conducted at Company’s sole expense and in a manner that is minimally disruptive to Processor’s business, and are necessary to confirm that Processor is processing Company Data in a manner consistent with this DPA. The results of any such assessments, audits or other steps, as well as the summaries of third-party audits or certification reports, shall be the confidential Information of the Processor.

11. International Data Transfers

11.1. The Processor will process the Personal Data provided by the Controller in the EEA, unless otherwise selected by the Controller. To the extent that the Processor transfers Personal Data to Subprocessors in third countries without an adequacy decision issued by the European Commission under article 45 GDPR, Processor is only able to transfer the data in accordance with chapter V of the GDPR, including the use of the Standard Contractual Clauses or other appropriate safeguards as required. Upon request the Processor shall provide a copy therefore to the Controller.

12. Miscellaneous

12.1. Subject to Clause 12.3, the parties agree that this DPA shall terminate automatically upon termination of the Terms of Use.
12.2. The Controller shall be entitled to terminate this DPA insofar as it concerns processing of Personal Data if:12.2.1. the Processor is in substantial or persistent breach of this DPA or its obligations under Data Protection Legislation; or12.2.2. the Processor fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to this DPA or Data Protection Legislation.
12.3. Any obligation imposed on Processor under this DPA in relation to the processing of Personal Data shall survive any termination or expiration of this DPA.12.4. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties' intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

ANNEX 1: DETAILS OF PROCESSING OF PERSONAL DATA

This Annex 1 includes certain details of the processing of Personal Data as required by Article 28(3) GDPR.

Subject matter

Personal data is processed for the purposes of making the service available, maintaining or improving it.The performance of the services described in the Terms of Use to which this exhibit is attached.

Duration of the processing of personal data

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis) - continuous basis.During the Term.

Processing purpose

Personal Data is processed for the purposes of making the Product available, and maintaining or improving it in accordance with this DPA, including performance optimization, support and diagnostics.

Data subjects

Users of the Service.

Personal data categories

Name, contact information, demographic information, or other information provided by the user of the Company in unstructured data.Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.No sensitive data is intended to be processed unless the user of the Company includes it unexpectedly in unstructured data.

ANNEX 2: TECHNICAL AND ORGANISATIONAL MEASURES

Overview of the technical and organisational measures of Product:

Corporate Identity, Authentication, and Authorization Control

Processor maintains industry best practices for authenticating and authorizing internal employee and service access, including the following measures:
  • Single sign-on (SSO) to authenticate to third-party services used in the delivery of the Product. Role Based Access Controls (RBAC) are used when provisioning internal access to the Product;
  • Mandatory multi-factor authentication is used for authenticating to identity provider;
  • Unique login identifiers are assigned to each user;
  • Periodic access audits designed to ensure access levels are appropriate for the roles each user performs;
  • Established procedures for promptly revoking access rights upon employee separation;
  • Established procedures for reporting and revoking compromised credentials (such as passwords and API keys); and
  • Established password reset procedures, including procedures designed to verify the identity of a user prior to a new, replacement, or temporary password.

Customer Identity, Authentication, and Authorization Controls

nexos.ai maintains industry best practices for authenticating and authorizing customers to the Product, including the following measures:1. Support for both third-party identity access management (e.g., Single Sign-On) and direct username/password authentication, depending on Customer configuration;2. Secure storage of authentication credentials where applicable, including the use of hashing and other security measures to protect user-provided passwords;3. Logically separating Personal Data organization account using unique identifiers. Within an organization account, unique user accounts are supported.4. Cloud Infrastructure and Network Security. nexos.ai maintains industry best practices for securing and operating its cloud infrastructure, including the following measures:
  • Separate production and non-production environments;
  • Primary backend resources are deployed behind a VPN.
  • The Product is routinely audited for security vulnerabilities.
  • Network security policies and firewalls are configured for least-privilege access against a pre-established set of permissible traffic flows. Non-permitted traffic flows are blocked; and
  • Product logs are monitored for security and availability.

Data Access Control

nexos.ai maintains industry best practices for preventing authorized users from accessing data beyond their authorized access rights and for preventing the unauthorized input, reading, copying, removal, modification, or disclosure of data. Such measures include the following:
  • Employee access to the Product follows the principle of least privilege. Only employees whose job function involves supporting the delivery of Product are credentialed to the Product environment; and Company Data submitted to the Product is only used in accordance with the terms of the DPA, Agreement, and any other applicable contractual agreements in place with Customer.

Disclosure control

nexos.ai uses industry best practices to prevent unauthorized access, alteration, or removal of data during transfer, and to secure and log all transfers. Measures include: (i) Encryption of data in transit, (ii) Audit trails for data access requests, (iii) Full-disk encryption and device management controls on corporate workstations.

Availability Control

nexos.ai ensures service functionality through:
  • System restoration capabilities such as backups and recovery mechanisms;
  • Monitoring and alerting for system faults and performance issues;
  • Implementation of security solutions, including anti-malware protection and basic intrusion detection where appropriate.

Segregation Control

nexos.ai separates data processing for different purposes through:
  • Logical segregation of Company Data;
  • Role-based access restrictions;
  • Segregation of business information system functions and environments.

Risk Management

nexos.ai manages cybersecurity risks with:
  • Risk assessment and prioritization activities;
  • Security testing and issue remediation processes;
  • A vulnerability management process appropriate to its size and risk exposure.

Personnel

nexos.ai vets, trains, and manages personnel with: Background checks (where legally permissible) and annual and supplemental security training.

Physical Access Control

nexos.ai prevents unauthorized physical access with:
  • Locked doors and gates;
  • 24-hour security guard staffing and video surveillance;
  • Access control systems utilizing key cards, mobile credentials, and secure authentication methods;
  • Visitor protocols and logging of facility entries/exits.

Third Party Risk Management

nexos.ai manages third-party security risks through:
  • Written contracts with security safeguards;
  • Formal vendor security assessments.

Security Incident Response

nexos.ai has a plan for responding to security incidents, including:
  • Aggregating system logs for detection and response;
  • Notifying Customer of Personal Data Breaches in accordance with the DPA.

Security Evaluations

nexos.ai conducts regular security and vulnerability testing to evaluate the effectiveness of key controls, ensure alignment with industry standards and internal policies, and maintain compliance with applicable legal, regulatory, and contractual obligations regarding the security of Personal Data and the integrity of its information systems.