Legal
Terms of Service
The commercial terms that govern your use of the Atitic platform.
Effective: [to be set – legal.terms_effective_date] · Version 1.0
1. Parties, contracting entity, and definitions
These Terms of Service (the "Terms") govern your use of the Atitic platform. They form a binding agreement between [COMPANY_LEGAL_NAME], a company incorporated in Lithuania, registration number [REGISTRATION_NO], VAT ID [VAT_ID], registered address [REGISTERED_ADDRESS] ("Atitic", "we", "us") and the organisation identified in the order form or self-service signup that accepts these Terms ("Customer", "you").
"Service" means the software-as-a-service platform provided by Atitic for governance, risk, and compliance (GRC) workflows, together with any documentation, API, and support offered under these Terms. "Customer Data" means all information, records, documents, and other content that you or your Authorised Users upload to, or generate through, the Service. "Authorised User" means an individual to whom you provide access under your subscription.
2. The Service – purpose and scope
The Service helps organisations plan, evidence, and audit their compliance posture against European regulatory frameworks including, without limitation, GDPR, NIS2, and DORA. The Service is provided on an "as-a-service" basis: Atitic hosts, operates, and maintains the software, and you use it to manage your own compliance programme. The Service is not legal advice. Nothing produced by the Service, including framework catalogues, guidance text, AI-generated proposals, or generated reports, constitutes legal or regulatory advice; you remain solely responsible for your compliance decisions.
Atitic may update, modify, add, or discontinue features of the Service at any time, provided that no such change will materially and adversely reduce the core functionality of a paid tier during a subscription period without offering you a pro-rata refund or migration path.
3. Accounts, access, and acceptable use
You are responsible for the actions of your Authorised Users and for keeping account credentials secure. You must not, and must not permit any Authorised User to: (a) use the Service in violation of applicable law; (b) attempt to gain unauthorised access to the Service, other tenants' data, or the underlying infrastructure; (c) reverse-engineer, decompile, or circumvent technical protection measures; (d) resell or sublicense access without Atitic's written consent; (e) use the Service to send unsolicited communications; (f) upload malicious code; or (g) use the Service to process personal data of individuals for whom you do not have a lawful basis.
4. Customer data and content
You retain all rights, title, and interest in Customer Data. You grant Atitic a limited, worldwide, non-exclusive licence to host, process, transmit, and display Customer Data solely to operate and provide the Service to you, and to comply with your instructions under the Data Processing Addendum (Section 11).
You represent that you have all rights and legal bases required to upload Customer Data to the Service and that Customer Data does not infringe the rights of any third party.
5. Fees, trial, taxes, and refunds
Fees are set out on the pricing page or in your order form. Unless otherwise agreed, fees are billed monthly or annually in advance via Stripe. New customers may start a 14-day free trial without a payment method; if the trial email is not verified within 7 days, the workspace is suspended. All fees are stated exclusive of VAT and other applicable taxes, which are added at the applicable rate. Fees paid are non-refundable except where required by mandatory law or expressly stated in these Terms. Payment deferrals of up to 30 days may be granted on request; see the pricing FAQ.
6. Term, renewal, and termination
The subscription runs for the period selected at signup (monthly or annual) and renews automatically for successive periods unless either party cancels before the current period ends. Either party may terminate for material breach if the breach remains uncured for 30 days after written notice. Atitic may suspend the Service immediately if your use poses a security risk, violates Section 3, or is required by law. Suspended accounts remain accessible for data export in accordance with Section 7.
7. Data export on termination
Following termination or expiry, Atitic retains Customer Data for 30 days during which you may export it self-service using the built-in Portability Report (PDF + XLSX + JSON) and the object-storage keys for uploaded evidence. After the 30-day retention window, Atitic will delete Customer Data from primary systems within a further 30 days, and from backups on the standard backup rotation (see Section 10). Deletion certificates are available on written request.
8. Warranties and disclaimers
Atitic warrants that it will provide the Service with reasonable care and skill and in substantial conformity with the documentation. Except as expressly stated, the Service is provided "as is" and Atitic disclaims all other warranties, whether express, implied, statutory or otherwise, including any warranty of merchantability, fitness for a particular purpose, non-infringement, or that the Service will be uninterrupted or error-free. Atitic does not warrant that use of the Service will result in a specific compliance outcome or regulatory finding.
9. Limitation of liability
Nothing in these Terms excludes or limits either party's liability for (a) death or personal injury caused by negligence, (b) fraud or fraudulent misrepresentation, (c) breach of Section 3 (acceptable use) or Section 15 (intellectual property), or (d) any other liability that cannot be excluded under applicable mandatory law.
Subject to the above:
- Neither party will be liable for any indirect, incidental, special, consequential, or punitive damages, or for any loss of profits, revenue, business, goodwill, or data (except to the extent such loss of data results from Atitic's failure to comply with Section 10).
- Atitic's aggregate liability arising out of or in connection with these Terms in any twelve (12) month period will not exceed the fees paid or payable by you to Atitic for the Service during the twelve (12) months preceding the event giving rise to the claim.
These limits apply to the maximum extent permitted by law and represent an agreed allocation of risk in exchange for the fees paid.
10. Security, hosting, and subprocessors
Hosting. The Service is hosted in the European Union. Compute and database run in a single EU region on infrastructure operated by Atitic on dedicated virtual machines in an EU datacenter. Customer Data does not leave the EU in the default deployment.
Encryption. Customer Data is encrypted in transit (TLS 1.2+ everywhere, including intra-cluster traffic). Data at rest in Postgres and in object storage is encrypted using industry-standard algorithms (AES-256 or equivalent). Secrets (integration tokens, IdP secrets, cloud credentials, DKIM keys) are stored in HashiCorp Vault with envelope encryption.
Tenant isolation. Atitic uses PostgreSQL row-level security (RLS) with a per-request tenant context. Every tenant-scoped table has RLS forced, so a coding error in one module cannot cross tenant boundaries. Object storage segregates tenant data by prefix and per-object ACL.
Backups. Postgres is backed up continuously by point-in-time WAL streaming plus daily base backups retained for 30 days. Object storage bytes are versioned and lifecycle-retained for the same window. Backups are encrypted and stored in an EU region separate from the primary.
Disaster recovery. Atitic targets a Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 15 minutes for the production workload. DR procedures are documented and tested at least annually. Actual RTO/RPO for a specific incident depends on the failure mode and is measured post-mortem.
Access controls. The Service enforces role-based access control (RBAC) with granular per-module permissions (read/manage/approve). Every mutation is written to a tamper-evident audit log. Privileged staff access to production is limited to named engineers, requires MFA, is time-bounded, and every session is logged. Customers may enforce MFA on their own users and, on eligible plans, provision users via SCIM 2.0.
Independent testing. Atitic engages an independent third-party to perform a penetration test at least annually, and after material architectural changes. Executive-summary reports are available under NDA on request. Vulnerabilities are triaged against a CVSS-based SLA: critical within 72 hours, high within 14 days, medium within 60 days.
Subprocessors. The current list of subprocessors is maintained in the Data Processing Addendum. Atitic will notify you of new subprocessors at least 30 days in advance so you may object.
11. Data Processing Addendum
Where you upload personal data to the Service, Atitic processes that personal data as a processor on your behalf. A Data Processing Addendum (DPA) incorporating the terms of Article 28 GDPR is incorporated into these Terms by reference and is available at [DPA_URL – to be set in legal.dpa_url]. The DPA sets out the categories of personal data processed, the subprocessors used, cross-border transfer safeguards (none in the default EU-only deployment), and your right to audit. In the event of conflict between these Terms and the DPA, the DPA prevails on data-protection matters.
12. AI features
The Service includes optional AI features (Ask Atitic, AI-suggested evidence proposals, and similar). AI features are powered by Google Gemini accessed via Google's direct API. When you use AI features, prompts and relevant Customer Data snippets are sent to the model provider solely to generate the response and are returned only to your workspace. Atitic does not use Customer Data to train any AI model, and Atitic's contract with the model provider prohibits training on API traffic. Model outputs are proposals only; a human in your organisation must accept, edit, or reject each proposal before it takes effect. AI features can be disabled at the tenant level.
13. Regulatory catalogues
The Service ships framework catalogues (GDPR, NIS2, DORA, and others) as structured content. Catalogues are drafted in-house by Atitic and subject to periodic legal review; the currently displayed version identifier and last-review date appear in the framework detail page. Catalogues are provided for operational convenience and do not constitute legal advice. Atitic will update catalogues to reflect material regulatory changes within a reasonable time after publication of the underlying source; you remain responsible for confirming that a given catalogue version is fit for your specific circumstances.
14. API, portability, and audit logs
The Service exposes a REST API covering the same entities that appear in the product UI (framework programs, policies, evidence, risks, RoPA, DPIA, breaches, DSAR, tasks, audit log). API credentials are issued from the platform admin area; requests are rate-limited and logged. On termination, and at any time during the subscription, you may export the full state of your workspace in machine-readable form using the Portability Report (JSON, XLSX, PDF). The Portability Report explicitly includes the relationships between requirements and their linked evidence, policies, risks, tasks, DPIAs, processing activities, breaches, assets, ICT contracts, and ICT services, together with the tamper-evident audit log, so your compliance state remains reconstructable outside the Service.
15. Intellectual property
Atitic and its licensors own all rights, title, and interest in and to the Service, including the software, framework catalogues (as-shipped), documentation, and any improvements or derivatives. You own your Customer Data and any content you produce inside the Service (policies you author, evidence records, and so on). Nothing in these Terms transfers ownership of either party's pre-existing IP to the other. Feedback and suggestions you provide are non-confidential and Atitic may use them freely.
16. Confidentiality
Each party will treat the other's Confidential Information as confidential and will not disclose it to third parties, except: (a) to its personnel, subprocessors, or professional advisors bound by equivalent obligations; (b) as required by law, provided that the receiving party gives prompt notice where legally permitted; or (c) with the disclosing party's written consent. Confidentiality obligations survive termination for three (3) years, except for trade secrets, which are protected for as long as they remain trade secrets.
17. Compliance with laws and sanctions
Both parties will comply with all applicable laws in performing their obligations. You represent that neither you nor any Authorised User is subject to EU or UN sanctions and that the Service will not be used to process data in violation of export-control or sanctions regimes.
18. Changes to these Terms
Atitic may amend these Terms from time to time. Material changes will be notified to the account owner by email or in-product notice at least 30 days before they take effect. Continued use of the Service after the effective date constitutes acceptance. If you do not accept a material change, you may terminate under Section 6 and export your data under Section 7 during the notice period.
19. General provisions
Governing law and jurisdiction. These Terms are governed by the laws of the Republic of Lithuania. The courts of Vilnius, Lithuania have exclusive jurisdiction over any dispute arising out of or in connection with these Terms, without prejudice to any statutory consumer-protection rights that cannot be varied by contract.
Force majeure. Neither party is liable for failure to perform caused by circumstances beyond its reasonable control (excluding payment obligations).
Assignment. Neither party may assign these Terms without the other party's consent, except that Atitic may assign these Terms to a successor in connection with a merger, acquisition, or sale of substantially all its assets.
Severability. If any provision is held unenforceable, the remainder of these Terms will continue in full force.
No waiver. Failure to enforce a right is not a waiver of that right.
Entire agreement. These Terms, together with the DPA, order form, and any documents referenced herein, form the entire agreement between the parties on the subject matter.
Notices. Legal notices to Atitic must be sent to [email protected]. Notices to you will be sent to the email on your account.
20. Contact
Questions about these Terms: [email protected].
Questions about data protection: [email protected].
Postal: [COMPANY_LEGAL_NAME], [REGISTERED_ADDRESS].