This Master Subscription Agreement is accepted through an ACTServ GRC Subscription Engagement Letter and Order Form that expressly incorporates these online terms.
Agreement and incorporated documents
This ACTServ GRC Master Subscription Agreement (“MSA”) is entered into between ACTServ Technology Ltd, a company incorporated in Cyprus with registered address at 232 Strovolou Avenue, 2nd Floor, 2048 Nicosia, Cyprus (“ACTServ”), and the legal entity identified in an Engagement Letter or Order Form that expressly references this MSA (“Customer”). ACTServ and Customer are each a “Party” and together the “Parties”.
This MSA becomes effective on the effective date of the first Engagement Letter and Order Form executed by the Parties. The MSA includes the online documents expressly incorporated below and any customer-specific schedules identified in the applicable Engagement Letter.
In this MSA: “Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with a Party; “Business Day” means a day other than a Saturday, Sunday or public holiday in the Republic of Cyprus; and “Business Hours” means 09:00 to 17:00 Cyprus time on Business Days.
- ACTServ GRC Service Level Agreement.
- ACTServ GRC Support Policy.
- ACTServ GRC Data Processing Agreement.
- ACTServ GRC Subprocessor Schedule.
- ACTServ GRC DORA ICT Third-Party Services Terms, where applicable.
Services and support
“Services” means the ACTServ GRC software-as-a-service platform, subscribed modules, integrations, support and any professional services stated in an Engagement Letter.
The Platform supports governance, risk, compliance, audit, evidence, policy, regulatory and third-party-risk workflows. The Platform is a management tool and does not constitute legal advice, regulatory advice, an audit opinion, certification or a guarantee of compliance.
Support is provided according to the Support Policy and availability is measured according to the Service Level Agreement.
Orders, term, Fees and payment
Each Engagement Letter and Order Form identifies the subscribed Services, permitted entities or tenants, Fees, Subscription Term, billing frequency and any special terms.
Unless otherwise stated in the Order Form, the Initial Subscription Term is thirty-six (36) months and automatically renews for successive twelve-month periods unless either Party provides written non-renewal notice at least thirty (30) days before the end of the then-current term.
Fees are payable monthly or annually in advance, as stated in the Order Form. Monthly billing is a payment frequency only and does not create a month-to-month subscription or a right to terminate for convenience during the committed Subscription Term.
Fees are non-cancellable and non-refundable except where expressly stated. ACTServ may suspend Services for overdue undisputed Fees after reasonable written notice and an opportunity to cure. Overdue undisputed amounts may accrue interest at the statutory rate applicable to commercial transactions in the Republic of Cyprus.
If Customer disputes an invoice in good faith, Customer must notify ACTServ in writing within thirty (30) days of the invoice date, and the Parties will cooperate to resolve the dispute promptly. Amounts not disputed within that period are deemed accepted.
ACTServ may adjust Fees with effect from the start of a renewal period by giving written notice at least sixty (60) days before the renewal date. Fee adjustments do not apply during the then-current committed Subscription Term unless expressly stated in the Order Form.
Fees exclude VAT and other applicable taxes, which are payable by Customer, except taxes based on ACTServ’s net income.
Access rights and Authorised Users
Subject to payment and compliance with this MSA, ACTServ grants Customer a limited, non-exclusive, non-transferable and non-sublicensable right during the Subscription Term to access and use the Services for Customer’s internal business purposes.
Customer controls its Authorised Users and is responsible for user invitations, role assignment, prompt deprovisioning and activities performed using its accounts. Accounts may not be shared. Multi-factor authentication is mandatory for registered Platform users.
External evidence upload recipients may use valid, time-limited upload links without becoming registered users. Such links permit only the limited upload operation for which they were issued and do not provide access to the Customer tenant.
Customer responsibilities and acceptable use
Customer is responsible for the accuracy, quality, legality and appropriateness of Customer Data and for ensuring that it has all necessary rights, permissions and lawful bases to process it through the Services.
- Customer must not upload passwords, unrestricted authentication secrets, private cryptographic keys, malware, unlawful content or personal data that is not reasonably required for the configured GRC purpose.
- Customer must not reverse engineer, copy, resell, sublicense, disrupt, scrape or circumvent security. Customer must not use the Services to develop a competing product or service and must not permit access to the Services by or on behalf of a competitor of ACTServ.
- Penetration testing or security testing of the Services requires ACTServ’s prior written authorisation and agreed rules of engagement.
Third-party integrations
Customer may authorise supported integrations with Customer-controlled or third-party systems. Customer determines the connected systems and scopes and authorises ACTServ to access and process information within the permissions granted for the configured GRC purpose.
Integrations are designed to collect only information reasonably necessary for the configured purpose. Read-only integrations do not permit ACTServ to modify the connected system unless a specific write capability is clearly identified and separately authorised.
ACTServ does not warrant the accuracy, completeness or continued availability of information supplied by third-party APIs. Customer may revoke integration permissions through the connected system. Revocation does not automatically delete information already lawfully collected and retained in the Platform.
Microsoft 365 email functionality uses an application configured in Customer’s Microsoft 365 tenant and is limited to authorised sending through the designated mailbox. Customer controls the Entra application, mailbox, Application Access Policy, recipients and revocation. The integration does not provide ACTServ with general mailbox-reading access.
Customer Data, privacy and usage information
Customer retains all right, title and interest in information submitted to or collected for Customer through the Services (“Customer Data”). Customer grants ACTServ a limited right to host, reproduce, transmit, back up and otherwise process Customer Data solely to provide, secure, support and improve the Services and comply with law.
ACTServ acts as Processor for Customer Data as described in the Data Processing Agreement and as independent Controller for its own account, billing, security, fraud-prevention and business-administration information.
ACTServ may use aggregated or irreversibly anonymised service and usage information that does not identify Customer or any individual to operate, secure and improve its products.
Security and access by ACTServ
ACTServ will maintain appropriate technical and organisational measures designed to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.
ACTServ personnel may access Customer tenants only on a need-to-know basis for support, administration, maintenance, security, incident response or agreed advisory services. Advisor access is role-based, time-limited and auditable where supported. Super-administrator access is restricted to authorised personnel and logged.
ACTServ maintains daily backups of the production backend and Customer Data with a rolling retention period of seven (7) days. Backups are intended for disaster recovery and do not guarantee restoration of individual records, files or tenant data.
Confidentiality
Each Receiving Party will protect the other Party’s non-public business, technical, security and financial information using at least reasonable care, use it only to perform or receive the Services, and disclose it only to personnel and contractors with a need to know and equivalent confidentiality duties.
Confidential Information excludes information lawfully known without restriction, independently developed, publicly available without breach or lawfully received from a third party. Legally compelled disclosure is permitted subject to notice where lawful.
Breach of this section may cause irreparable harm for which damages are an inadequate remedy. The Disclosing Party may seek injunctive or other equitable relief in addition to any other available remedy.
Intellectual property
ACTServ retains all intellectual-property rights in the Platform, software, architecture, APIs, workflows, generic templates, framework libraries, mappings, methodologies, documentation and improvements. Customer retains rights in Customer Data and customer-specific content.
ACTServ may use feedback without restriction provided it does not disclose Customer Confidential Information.
Availability, changes, beta features and trials
The monthly availability target is 99.6%, measured according to the Service Level Agreement. The availability target is a service objective and not a warranty. Service credits apply only where expressly stated in the Order Form.
ACTServ may update and improve the Platform provided it does not materially reduce the overall core functionality purchased during the current Subscription Term. Preview, beta and experimental features may be changed or withdrawn and are excluded from availability and support commitments unless stated otherwise.
Trial, proof-of-concept and other free-of-charge access is provided “as available” for evaluation purposes only, is excluded from the Service Level Agreement, the Support Policy and ACTServ’s indemnification obligations, and may be suspended or withdrawn at any time. Data submitted during a trial may be permanently deleted after the trial ends unless the Parties execute a paid Order Form for the same Services. ACTServ’s total aggregate liability in connection with free-of-charge services will not exceed one thousand euro (EUR 1,000).
Warranties and disclaimers
ACTServ warrants that it will provide the Services with reasonable skill and care and in material accordance with applicable documentation. Customer’s exclusive remedy for breach is re-performance or, if ACTServ cannot materially cure the breach, termination of the affected Service and a pro-rata refund of unused prepaid Fees.
Except as expressly stated, the Services are provided “as available”. ACTServ does not warrant uninterrupted or error-free operation, that all third-party information is accurate, or that use of the Platform will achieve certification, regulatory approval or compliance.
Indemnification
ACTServ will defend Customer against a third-party claim that the ACTServ-developed Platform infringes an intellectual-property right and will pay finally awarded damages or approved settlements, subject to prompt notice, sole control of defence and reasonable cooperation. ACTServ may modify, replace or procure continued use; if none is commercially reasonable, ACTServ may terminate the affected Service and refund unused prepaid Fees.
Customer will defend ACTServ against third-party claims arising from unlawful Customer Data, Customer’s lack of rights to Customer Data or Customer’s prohibited use of the Services.
Limitation of liability
To the maximum extent permitted by law, neither Party is liable for indirect, incidental, special, exemplary, punitive or consequential damages, or loss of profits, revenue, goodwill, opportunity or anticipated savings.
Except for the Enhanced Cap matters below, each Party’s total aggregate liability arising from this MSA and all Order Forms will not exceed the Fees paid under the affected Order Form during the twelve (12) months immediately preceding the first event giving rise to liability (“General Liability Cap”).
Liability arising from a Party’s breach of the Confidentiality section of this MSA, the Data Processing Agreement or the Security and access by ACTServ section of this MSA will not exceed two (2) times the General Liability Cap (“Enhanced Liability Cap”). No other statement or description in any document creates an information-security obligation subject to the Enhanced Liability Cap.
The caps do not limit Customer’s payment obligations, either Party’s indemnification obligations under the Indemnification section, either Party’s fraud or wilful misconduct, liability for death or personal injury caused by negligence, or liability that cannot lawfully be excluded or limited.
The Parties acknowledge that these limitations allocate risk and are reflected in the Fees.
Suspension
ACTServ may suspend affected access where reasonably necessary to address a security threat, unlawful use, material prohibited use or overdue undisputed Fees. ACTServ will use reasonable efforts to provide notice and limit suspension to the affected scope.
Termination, export and deletion
Either Party may terminate an affected Order Form for an uncured material breach after thirty (30) days’ written notice, or immediately where cure is impossible, insolvency occurs or law requires termination. Customer may terminate under the additional circumstances stated in the DORA Terms.
If an Order Form is terminated due to Customer’s uncured material breach, all committed Fees for the remainder of the Subscription Term become immediately due and payable, without limiting ACTServ’s other rights and remedies.
During the Subscription Term and for thirty (30) days after expiry or termination, Customer may use the Platform’s standard export functionality to export available Customer Data. Customer is responsible for initiating and completing exports. ACTServ is not required to perform exports on Customer’s behalf.
After the export window, ACTServ may delete Customer Data from active systems subject to legal retention duties and backup deletion cycles. Custom export, transformation, migration or transition services are chargeable at ACTServ’s then-current professional-services rates.
Subprocessors
Customer generally authorises the subprocessors listed in the Subprocessor Schedule. ACTServ remains responsible for its contractual obligations and will apply proportionate due diligence and monitoring.
ACTServ will provide at least thirty (30) days’ advance notice of a material change to a subprocessor supporting the Services, except where a shorter period is reasonably required by emergency, security, law or circumstances beyond reasonable control. Customer may submit a substantiated written objection within fifteen (15) days. The Parties will seek reasonable mitigation; where material risk cannot be mitigated, Customer may terminate the affected Service and receive a refund of unused prepaid Fees.
DORA
For a Customer subject to Regulation (EU) 2022/2554, the ACTServ GRC DORA ICT Third-Party Services Terms form part of this MSA. Customer is responsible for determining whether the Services support a critical or important function and recording that designation in the Engagement Letter.
ISO/IEC 27001
ACTServ Technology Ltd maintains an Information Security Management System certified to ISO/IEC 27001:2022 by the Cyprus Certification Company. The certified scope covers the provision of IT services, software development, IT audit and assurance, and cybersecurity consulting services. Certificate No. ISMS.26.007 is stated as valid until 14 April 2029, subject to continued certification and surveillance requirements.
Online terms and updates
The version effective on the date of an Order Form governs during that Subscription Term. ACTServ may update online documents, but material changes adversely affecting Customer’s rights will not apply during the current term unless required by law, necessary to address a material security risk or agreed in writing. The then-current published version may apply at renewal following reasonable notice.
General
The Services are provided solely for business purposes to business customers and are not offered to consumers.
The Parties are independent contractors, and this MSA does not create a partnership, joint venture, agency or employment relationship. There are no third-party beneficiaries under this MSA. Neither Party may assign this MSA without consent, except to an Affiliate or in connection with a merger, reorganisation or sale of substantially all relevant assets, provided the assignee assumes the obligations.
Notices must be in writing and may be given by email to the addresses stated in the Engagement Letter or Order Form. Email notice is deemed given on the Business Day of delivery. Neither Party is liable for delay caused by events beyond reasonable control, excluding payment obligations.
This MSA, incorporated documents and Order Forms constitute the entire agreement and supersede prior discussions relating to the Services. No terms contained in any Customer purchase order, procurement portal, vendor-onboarding process or other Customer-issued document form part of this MSA or any Order Form, and all such terms are rejected and have no effect, whether issued before or after this MSA, unless expressly accepted in a document signed by ACTServ.
If documents conflict, the order of precedence is: the Engagement Letter and Order Form; any customer-specific DORA schedule; the DORA Terms; the Data Processing Agreement (for data-protection matters); this MSA; the Service Level Agreement; the Support Policy.
If any provision of this MSA is held unenforceable, it will be modified to the minimum extent necessary and the remaining provisions will remain in effect. A Party’s failure to enforce a provision is not a waiver of that provision or of any other provision.
Provisions that by their nature should survive expiry or termination — including accrued payment obligations, confidentiality, intellectual property, indemnification, limitation of liability and governing law — survive expiry or termination of this MSA.
Each Party represents that it is not subject to sanctions administered by the United Nations, the European Union or the Republic of Cyprus. Customer must not use, or permit access to, the Services in violation of applicable sanctions or export-control laws.
ACTServ may identify Customer by name and logo as a customer of ACTServ in its marketing materials unless Customer objects in writing.
This MSA is governed by the laws of the Republic of Cyprus. The courts of the Republic of Cyprus have exclusive jurisdiction, without limiting either Party’s right to seek urgent injunctive relief in any competent court.
