Skip to main content

Terms and Conditions

Download PDF

Last updated: May 29, 2026

Purpose Of These Terms

These Terms and Conditions form the core master agreement for the use of Firmfact.

They apply to the B2B SaaS services provided by Dutchcode B.V. trading as Firmfact to business customers using the Firmfact platform for spend management, contract management, document processing, and related workflows.

Definitions

For these Terms:

  • Agreement means the contract package between Customer Organization and Dutchcode B.V. trading as Firmfact, consisting of these Terms, any applicable Data Processing Agreement (including its appendices and any incorporated transfer annexes), any applicable Service Level Agreement, any executed Order Form or Subscription Agreement, and any negotiated addendum expressly incorporated into the parties' contract. The Privacy Notice is notice of controller-side processing unless a clause is expressly elevated in an Order Form or negotiated addendum.
  • Affiliate means an entity that controls, is controlled by, or is under common control with a party.
  • Customer Organization means the legal entity that enters into the Agreement.
  • Account means a tenant-scoped instance of the Service associated with a Customer Organization, including its Account Data, settings, users, usage records, billing scope, and service scope.
  • Account Audit Trail means the customer-accessible history of actions, access activity, and related records made available through the Service for a specific Account.
  • Account Data means data, files, documents, records, prompts, configurations, and other content submitted to or processed through the Service for a specific Account on Customer Organization's behalf.
  • Demo Account means a non-production Account provided on an AS-IS basis for evaluation, configuration, testing, training, or demonstration. Unless expressly stated otherwise in an Order Form, Demo Accounts are excluded from uptime commitments, service credits, recovery objectives, and support response or resolution commitments.
  • Documentation means user guides, implementation materials, and technical information that we make available for the Service.
  • DPA means the Data Processing Agreement that forms part of the Agreement whenever Dutchcode B.V. trading as Firmfact acts as processor for Account Data containing personal data.
  • Enterprise Plan means a Paid Plan marketed as Enterprise, with the usage limits, included features, support entitlements, SLA eligibility, and commercial scope stated in the accepted workflow, Subscription Agreement, or Order Form. Enterprise capacity may scale from the published floor through unlimited tracked users at the top slider step, with entitlements and pricing stated in the accepted workflow.
  • Enterprise Services means the enterprise assurance workflow, regulated-outsourcing support, diligence support, scoped control review availability, and related enterprise-only commitments made available for Enterprise Plan or where expressly included in an Order Form.
  • Free Tier means the default no-fee plan made available for limited use of the Service.
  • Internal Security Logs means provider-side security, abuse-prevention, infrastructure, access, and diagnostic logs maintained by Firmfact for internal operational, legal, or security purposes. Internal Security Logs are not part of the standard customer export package unless expressly stated otherwise in an Order Form.
  • MCP means the Model Context Protocol interface exposed by the Service for structured, tool-based access by AI assistants and agents. MCP access is subject to the scope, rate limits, authentication requirements, and acceptable-use restrictions of the selected plan or Order Form, and is treated as part of API and MCP access wherever that phrase is used in these Terms.
  • Order Form means a written order, subscription agreement, or similar commercial ordering document between the parties.
  • Paid Plan means any non-free plan for the Service that is billed according to the selected commitment term and invoice cadence unless otherwise stated in an Order Form.
  • Professional Plan means a Paid Plan marketed as Professional, with the usage limits, included features, support entitlements, SLA eligibility, and commercial scope stated in the accepted workflow, Subscription Agreement, or Order Form.
  • Privacy Notice means the privacy notice published for Firmfact that explains controller-side processing and request routing. It is acknowledged as part of the legal package, but it does not by itself create independent contractual remedies unless a specific provision is expressly incorporated into the Agreement.
  • Production Account means the Account designated for ordinary operational use of the Service.
  • Service means the Firmfact platform, APIs, support channels, and related hosted services that we make available to Customer Organization.
  • SLA means the Service Level Agreement, but only where the applicable plan or Order Form expressly states that the applicable Subscription is SLA-eligible.
  • Support Coverage Window means the hours and days during which support response targets apply for the relevant plan, as stated in the SLA, Subscription Agreement, or Order Form.
  • Subscription means the commercial plan, billing settings, usage entitlements, and applicable service commitments for a specific Account, as identified in the applicable Subscription Agreement, Order Form, or documented billing workflow.
  • Subscription Agreement means the in-product or written subscription agreement or order record used to capture plan selection, billing details, assent, and related evidence for a Paid Plan.
  • Trial means a temporary evaluation period for a paid feature or plan.
  • User Account means the credentials and profile assigned to an individual authorized to access an Account.
  • User means an individual authorized by Customer Organization to access or use the Service under a User Account.

Contract Formation And Acceptance

The Agreement may be formed through one or more documented acceptance events, including clickwrap at signup, clickwrap at first Account creation, an in-product subscription agreement workflow, upgrade flow acceptance, feature enablement, an executed Order Form, or another documented acceptance workflow made available by us.

Free Tier users must accept the applicable legal package through clickwrap at signup or first Account creation. That acceptance covers these Terms and, where applicable, the DPA. The Privacy Notice is presented as notice of controller-side processing and acknowledgment of that notice forms part of the documented legal event. The SLA is not part of the Free Tier acceptance package unless an Order Form or explicit plan designation states otherwise.

For Paid Plans, including Professional Plan and Enterprise Plan, the DPA, including its appendices and any incorporated transfer annexes, and, where applicable, the SLA form part of the Agreement when accepted through clickwrap, an in-product subscription agreement workflow, upgrade flow, feature enablement, an Order Form, or another documented acceptance workflow. The Privacy Notice applies as controller-side notice and is acknowledged as part of the recorded legal package. Any negotiated or regulatory overlay applies only where an executed Order Form or addendum expressly says so.

Customer purchase orders, procurement portal terms, onboarding terms, click-throughs, supplier-registration forms, and similar customer-provided paper are administrative only and do not amend or supplement the Agreement unless expressly accepted in writing by an authorized signatory of Dutchcode B.V. trading as Firmfact.

The applicable legal package may be recorded through clickwrap, account creation, an in-product subscription agreement workflow, upgrade flow, feature enablement, Order Form, or another documented legal event. The recorded acceptance event may include the accepted document set, package hash, commercial selections, signatory details, timestamp, tenant and user identifiers, and assent text shown in the workflow. Generated PDFs and rendered snapshots are evidence artifacts of that documented legal event and do not by themselves constitute separate signature workflows.

Where we use an in-product subscription agreement workflow for a Paid Plan, the resulting acceptance record may include the accepted legal package version, document identifiers and package hash, selected plan, billing cadence, first invoice date, payment term, signatory details, timestamp, accepting user and tenant identifiers, IP address, and the assent text presented in the workflow. That acceptance record and the rendered contract bundle are evidence artifacts of the documented acceptance event.

Plan Structure

Unless otherwise stated in an Order Form:

  • new signups may receive a Production Account and a Demo Account where that onboarding path is made available;
  • all accounts start on the Free Tier by default;
  • paid plans are billed according to the selected commitment term and invoice cadence shown in the accepted workflow, Subscription Agreement, or Order Form; and
  • negotiated or regulatory overlays apply only where expressly incorporated through an Order Form or addendum.

A Customer Organization may maintain multiple Accounts. Unless expressly stated otherwise in writing, each Subscription applies only to the specific Account for which it was purchased or activated and does not automatically extend to any other Account of the same Customer Organization.

We offer the Service under the following plan categories: Free Tier, Professional Plan, Enterprise Plan, Trial, and Demo Account.

The selected plan determines the applicable usage limits, included features, support tier, support coverage window, SLA eligibility, SSO / OIDC availability, API and MCP access scope, enterprise assurance workflow, regulated-outsourcing support, and any other plan-specific commitments for the relevant Subscription.

Unless expressly stated otherwise in the accepted workflow, Subscription Agreement, or Order Form, no feature, support level, assurance right, or regulatory cooperation obligation applies across plans by implication.

Plan-Specific Entitlements.
Plan-specific entitlements are determined by the selected plan as recorded in the accepted workflow, Subscription Agreement, or Order Form. Numerical usage limits, included features, support tier, support coverage window, initial response targets, SLA eligibility, SSO / OIDC availability, API and MCP access, enterprise assurance rights, regulated-outsourcing support, and premium support or resilience commitments are plan-specific unless expressly stated otherwise.

Unless expressly included in an Order Form, the Professional Plan does not include Enterprise Services, regulated-outsourcing support, scoped audit or control-review access, or premium incident-response handling beyond the standard paid-plan SLA and support commitments.

The DPA may apply to any plan category where Dutchcode B.V. trading as Firmfact processes personal data on Customer Organization's behalf. The SLA does not apply to Free Tier, Demo Account, Trial, or Beta / Preview features unless expressly stated otherwise in the selected plan, accepted workflow, Subscription Agreement, or applicable Order Form.

Subscription Term, Renewal, Cancellation, And Changes

Free Tier access continues until terminated under these Terms or discontinued by Customer through the available cancellation workflow.

Paid Plans renew automatically for successive periods equal to the then-current Commitment Term unless Customer gives at least 30 days' prior notice of non-renewal through the designated in-product billing workflow or by written notice to legal@firmfact.com, unless an Order Form or Subscription Agreement states a different renewal term, notice deadline, or cancellation method. Customer may terminate a Subscription for convenience only effective at the end of the then-current Commitment Term, unless the accepted workflow, Subscription Agreement, or applicable Order Form expressly provides an earlier termination right. Billing cadence does not shorten the Commitment Term. Merely stopping use of the Service does not itself stop billing.

Deleting a User Account, disabling a User, or removing a User from an Account does not by itself cancel a Paid Plan, terminate the Agreement, delete an Account, or trigger deletion of retained legal, billing, audit, or backup records.

Deleting a User Account, deleting an Account, cancelling a Subscription, exporting Account Data, and restoring Account Data are distinct actions. A User Account deletion does not by itself delete an Account or cancel a Subscription. Cancelling a Subscription does not by itself delete all retained records where retention is permitted or required under the Agreement or applicable law.

Unless the accepted billing workflow, Subscription Agreement, or Order Form states otherwise:

  • usage is measured during the applicable billing month;
  • invoices are issued according to the selected plan cadence recorded in the accepted billing workflow, Subscription Agreement, or Order Form;
  • payment is due within 30 days of invoice date (Net 30);
  • fees are non-refundable except where required by applicable law or expressly stated in an Order Form;
  • fees are exclusive of VAT and other applicable taxes, which Customer must pay unless Customer provides a valid exemption or reverse-charge basis;
  • we may change pricing or usage metrics on at least 30 days' prior notice for prospective billing periods;
  • unless an Order Form states otherwise, any recurring subscription price increase for a standard plan will not exceed the lower of the then-current Consumer Price Index for all households as published by Statistics Netherlands (CBS) and 5% in any 12-month period;
  • any pricing change applies only from the next renewal or billing period after the notice period has expired; and
  • we may generally modify, replace, or deprecate Service features in the ordinary course of operating the Service. Where commercially reasonable, we will provide prior notice for changes that materially affect Customer's use of the Service. During a paid subscription term, however, we will not materially reduce core contracted functionality unless we provide substantially equivalent replacement functionality or Customer has the termination right described below.

If we make a material adverse change to the Service, pricing model, or usage metric that materially reduces Customer's contracted functionality or materially increases Customer's recurring charges, or if we materially reduce core contracted functionality during a paid subscription term without providing substantially equivalent replacement functionality, we will provide at least 30 days' prior notice. Customer may terminate the affected subscription by written notice given before the change takes effect. Unless Customer expressly agrees earlier or the change is required by law, the change will apply no earlier than the next renewal or billing period after the notice period has expired, and we will not charge the changed price for any period after a valid termination takes effect.

Any negotiated pricing cap, indexation method, renewal pricing commitment, or other commercial override stated in an Order Form controls over this section.

If the accepted billing workflow, Subscription Agreement, or Order Form specifies the billing frequency, invoice timing, payment term, discount, tax treatment, or first invoice date for the selected plan, those accepted commercial terms control over any default billing language in these Terms.

Reminder features, notice-tracking dashboards, renewal summaries, and similar workflow tools are administrative convenience features only. Customer remains responsible for monitoring its own notice deadlines, renewal decisions, cancellation actions, and other contractual milestones unless the parties expressly agree otherwise in writing.

Billing And Payment

Customer must provide accurate billing, tax, and contact details and keep them current.

For paid usage, invoices may be issued through our invoicing and accounting providers. Charges are based on the applicable plan, measured usage, and any relevant Order Form. Customer must notify us of billing disputes in good faith within 60 days after invoice date.

Customer may not withhold, set off, or suspend payment obligations under the Agreement except to the extent required by applicable law or expressly stated in an Order Form. A good-faith billing dispute does not relieve Customer of the obligation to pay any undisputed amount when due.

Undisputed overdue amounts accrue statutory commercial interest under Dutch law (including the statutory commercial interest rate under Article 6:119a of the Dutch Civil Code, as applicable) from the due date until paid. Customer must also reimburse reasonable collection costs, including reasonable third-party recovery costs, incurred in collecting undisputed overdue amounts.

If an undisputed invoice remains unpaid after the due date, we may issue notice of non-payment and require cure within 10 days. During that 10-day cure period, we may place the Service in read-only mode or otherwise limit functionality while preserving commercially reasonable export capability for up to 30 days, unless doing so would create a security or legal risk. If the overdue amounts remain unresolved after that 10-day cure period, we may suspend access and, if the breach continues, terminate the affected Service or the Agreement.

Unless an Order Form states otherwise, usage limits and commercial caps shown in the selected plan or Order Form are enforceable service limits. If Customer exceeds a purchased limit, we may:

  • notify Customer and require purchase of additional capacity or an upgraded plan;
  • invoice the excess usage at the applicable contracted or published overage rate where one exists;
  • if Customer's usage exceeds its allocated monthly limits by more than 20%, immediately suspend API access or the affected feature until Customer upgrades its plan or pays the applicable overage invoices; or
  • temporarily throttle, restrict, or suspend the affected feature after reasonable notice where no overage mechanism applies or where overuse creates service, security, or commercial risk.

Accounts, Access, And Customer Dependencies

Customer is responsible for:

  • Users' compliance with the Agreement;
  • maintaining accurate account information;
  • provisioning and deprovisioning Users within Customer-controlled Accounts;
  • assigning appropriate roles, permissions, and Account access scope for Customer Organization's internal control environment;
  • protecting credentials and access methods;
  • maintaining password hygiene where password authentication is used and managing Customer-controlled MFA, SSO, and identity-provider settings correctly;
  • providing timely, accurate, and complete information, materials, approvals, and decisions reasonably required for onboarding, support, integrations, security reviews, migration work, or other agreed services;
  • designating personnel with appropriate authority and knowledge to make operational, technical, security, and commercial decisions on Customer's behalf;
  • configuring integrations, identity providers, and security settings correctly;
  • obtaining and maintaining cooperation, permissions, and access from Customer-managed third parties, systems, and providers where needed for the Service or any agreed project work; and
  • validating that Customer's use of the Service is lawful and appropriate for Customer's business.

Firmfact is not responsible for failures, delays, degraded performance, or access issues caused by Customer misconfiguration, Customer-managed identity providers, Customer-side role assignment or access-control choices, Customer-side integrations, unsupported third-party dependencies, misuse, abuse, or breaches of the acceptable use restrictions.

Customer administrators control user provisioning, deprovisioning, role assignment, and Account access scope within Customer-controlled Accounts. Firmfact is entitled to rely on authorized Account administrator instructions and Customer Organization configuration choices for those purposes, and Customer Organization remains responsible for ensuring assigned roles and access rights are appropriate for its own governance, segregation-of-duties, and regulated-environment requirements.

Where SSO / OIDC-based sign-in is included in the applicable plan or Order Form, Customer remains responsible for the availability, configuration, and security of Customer's own identity provider. If the SLA applies to Customer, only Firmfact-operated SSO / OIDC endpoints are covered to the extent expressly stated in the SLA.

If Customer delays or fails to provide required information, approvals, access, dependencies, or third-party cooperation, any resulting delay, degradation, or inability to perform is excused to the extent caused by that failure. Timelines may be extended, milestones may shift, and additional work caused by the delay or deficiency may be charged at the applicable contracted or then-current rates.

Acceptable Use

Customer and its Users must not:

  • use the Service in violation of applicable law or regulation;
  • upload or transmit unlawful, infringing, fraudulent, or malicious material;
  • interfere with, disrupt, probe, or attempt to gain unauthorized access to the Service or related systems;
  • reverse engineer, decompile, or attempt to derive source code except to the extent such restriction is prohibited by law;
  • scrape, spider, mine, bulk extract, harvest, or index the Service, Documentation, or other non-public materials made available by us, whether manually or by automated means, except through expressly authorized APIs or export tools;
  • use the Service, Documentation, or other non-public materials made available by us to create datasets, benchmarking corpora, or training material for machine learning or AI models, except as expressly permitted in writing;
  • use the Service to build or benchmark a competing service without our prior written consent;
  • publish Service performance, security, or benchmark testing results without our prior written consent, unless disclosure is required by applicable law or to a regulator, supervisory authority, external auditor, or professional adviser acting under confidentiality obligations;
  • resell, sublicense, timeshare, or provide access to unauthorized third parties except as expressly permitted by the Agreement;
  • use the Service in a manner that creates security risk, service abuse, or operational instability.

We may suspend or restrict access where reasonably necessary to prevent security harm, investigate abuse, respond to legal requirements, or enforce these Terms.

Account Data, License, And Data Rights

Customer Organization retains all right, title, and interest in and to Account Data.

Customer Organization grants us a non-exclusive, worldwide, limited-term right to host, store, copy, back up, transmit, process, index, secure, support, maintain, troubleshoot, and otherwise use Account Data only as necessary to provide, secure, support, maintain, and operate the Service and to perform our obligations under the Agreement.

We may use de-identified and aggregated data derived from Customer Organization's use of the Service for internal service improvement, reliability, capacity planning, security, and operational analytics, provided that such data does not identify Customer Organization or any individual and cannot reasonably be re-identified. We will not publicly identify Customer Organization or use such data for public comparative benchmarking against Customer Organization without Customer Organization's express written consent.

AI Features And Processing Boundaries

If Customer uses AI-assisted features in the Service:

  • Customer Organization retains ownership of Account Data submitted as prompts, documents, or other AI inputs;
  • Customer owns Customer-specific outputs generated for Customer through the Service to the extent permitted by applicable law and the rights of relevant third-party model providers, subject to our ownership of the Service itself;
  • Customer remains responsible for reviewing outputs before relying on them for business, legal, operational, or compliance decisions;
  • we may process Account Data through AI-related subprocessors strictly to provide the requested feature;
  • we will not train third-party or general-purpose AI models on Account Data unless expressly agreed in writing.

AI-generated outputs are provided to assist workflows and may contain errors, omissions, or incomplete inferences. Customer must apply appropriate human review before acting on them.

EU AI Act posture. In relation to the AI-assisted features made available through the Service, Dutchcode B.V. acts as a deployer of AI systems under Regulation (EU) 2024/1689 (the EU AI Act) and not as a provider of general-purpose AI models. Foundation-model provider obligations, including the transparency and systemic-risk obligations applicable to general-purpose AI model providers, rest with the relevant upstream subprocessor (for example, the provider of the underlying large language model). The Service is not designed for, and Customer shall not use the Service for, any practice prohibited under Article 5 of the EU AI Act. Where Customer's own use of the Service for a specific workflow would qualify as a high-risk AI system under Annex III of the EU AI Act, Customer remains responsible for the corresponding deployer obligations that attach to that use.

Privacy Notice, DPA, And SLA

Customer's use of the Service is also subject to the Privacy Notice as notice of controller-side processing.

If Customer uses the Service to process personal data for which Dutchcode B.V. acts as processor, the DPA applies automatically and forms part of the Agreement regardless of plan tier.

The SLA applies only to a paid Subscription expressly designated as SLA-eligible in the selected plan, accepted workflow, Subscription Agreement, or applicable Order Form. Free Tier, Trial, Demo Account, and Beta / Preview features are excluded unless expressly stated otherwise. Where the SLA applies, service credits are Customer's sole and exclusive monetary remedy for failure to meet the uptime commitment.

Only the Agreement and any executed addenda create binding contractual commitments. Security questionnaires, policy suites, architecture diagrams, business continuity summaries, accessibility statements, automated scan outputs, and similar diligence materials are informational only and do not create or expand contractual commitments unless an Order Form or addendum expressly incorporates them.

Security, Operational Resilience, And DORA

We maintain security and operational resilience measures appropriate to the nature of the Service.

For Enterprise Plan customers, and for other customers only to the extent expressly stated in an Order Form, we will provide the enterprise assurance and regulated-outsourcing cooperation described in this section. Those commitments are part of Enterprise Services and do not apply to other plans by implication.

If the parties execute a negotiated or regulatory addendum, that addendum governs the matters it expressly addresses and prevails over this section to the extent of any inconsistency.

For Enterprise Plan customers, and for other customers only where expressly stated in an Order Form, we will provide the baseline operational-resilience and regulated-outsourcing cooperation reasonably necessary for Customer's compliance as it relates to the Service. This baseline includes notice without undue delay after confirmation of a material operational or security incident materially affecting the Service, reasonable follow-up updates during active mitigation, reasonable advance notice of material subcontracting changes and material hosting or delivery-structure changes relevant to Customer's regulated-outsourcing obligations except where a shorter timeline is required for urgent security, legal, or operational reasons, and reasonable cooperation with Customer's outsourcing register, concentration-risk review, business continuity review, and exit planning requirements as they relate to the Service. Personal data breach notifications remain governed by the DPA. Customer-specific templates, bespoke questionnaires, regulator-directed projects, and work beyond this baseline remain subject to an Order Form, addendum, or change order.

We may implement planned maintenance, emergency maintenance, and reasonable changes to security measures, infrastructure, hosting architecture, APIs, anti-abuse controls, technical operations, and compliance controls where necessary to maintain security, legal compliance, performance, resilience, or operability. Where commercially reasonable, we will provide prior notice for planned maintenance or material changes. The material-adverse-change provisions of these Terms and any applicable SLA or Order Form continue to govern where a change materially reduces contracted functionality.

On reasonable request, we may satisfy ordinary security assurance requests through our then-current evidence package, questionnaires, and reasonable remote review discussions in the first instance. Enterprise Plan customers may request one scoped audit or control review in any 12-month period where legally required, reasonably necessary for Customer's regulated outsourcing compliance, or where the evidence package is materially insufficient for the requested review. Any such audit must be conducted by an independent, confidentiality-bound, non-competitor auditor on reasonable prior notice, during normal business operations, and in a manner that minimizes disruption and protects the security of the Service and other customers. Nothing in this section prevents a broader review by a regulator or competent authority where applicable law requires it, subject to reasonable confidentiality, security, privilege, and operational protections. Customer must bear audit costs unless the audit identifies a material non-compliance with an express contractual commitment.

This section governs commercial security assurance, diligence support, and scoped control-review access under the Agreement. Any audit, information, or assistance rights that apply under the DPA remain governed by the DPA and are not reduced by plan tier.

We do not make commitments in these Terms regarding certifications, formal attestations, manual penetration testing, or audit rights beyond what is expressly stated in the Agreement or supported by our current evidence package.

Confidentiality

Each party receiving Confidential Information from the other party must:

  • use it only for the purposes of the Agreement;
  • protect it using reasonable technical, organizational, and contractual safeguards;
  • disclose it only to personnel, contractors, professional advisers, and Affiliates who need to know it and are bound by appropriate confidentiality obligations.

Confidential Information includes Account Data, business plans, pricing, security materials, technical documentation, and other non-public information designated as confidential or that a reasonable business person would understand to be confidential.

Confidential Information does not include information that the receiving party can demonstrate:

  • is or becomes public through no breach of the Agreement;
  • was lawfully known to the receiving party without confidentiality restriction before disclosure;
  • is lawfully received from a third party without confidentiality restriction;
  • is independently developed without use of the disclosing party's Confidential Information.

These confidentiality obligations survive for 5 years after termination, except that Account Data and trade secrets remain protected for so long as they remain confidential under applicable law.

If a receiving party is required by law, regulation, court order, or binding governmental request to disclose Confidential Information, it may do so only to the extent legally required and, where legally permitted, after giving the disclosing party prompt notice so the disclosing party may seek confidential treatment, a protective order, or other appropriate remedy.

Indemnities

We will defend Customer Organization against a third-party claim alleging that the Service, when used by Customer Organization in accordance with the Agreement, infringes that third party's intellectual property rights, and we will pay damages finally awarded or amounts agreed in settlement, subject to the Higher Cap. In addition, we may at our option: (A) procure the right for Customer Organization to continue using the Service; (B) modify or replace the Service to avoid infringement without material degradation in functionality; or (C) if neither (A) nor (B) is commercially practicable, terminate the affected Order or Subscription and refund the pro rata fees for the unused portion of the term. These are our sole and exclusive additional obligations for such a claim. This obligation does not apply to claims arising from Account Data, Customer Organization modifications, combinations not supplied by us, or use of the Service outside the Agreement.

Customer Organization will defend us against third-party claims to the extent caused by Customer Organization's unlawful use of the Service, Customer Organization's submission of Account Data or other materials without the necessary rights, or Customer Organization's instructions or content that infringe applicable law or third-party rights, and will pay damages finally awarded or amounts agreed in settlement by Customer Organization.

The party seeking indemnification must promptly notify the indemnifying party of the claim, provide reasonable cooperation, and allow the indemnifying party to control the defense and settlement, except that no settlement admitting fault or imposing ongoing obligations on the indemnified party may be entered without that party's prior written consent, not to be unreasonably withheld.

Change Orders And Extra Work

Unless expressly included in the applicable plan, SLA, or Order Form, implementation work, data migration, custom integrations, custom reporting, customer-specific remediation work, regulator questionnaires, expanded security reviews, enhanced transition assistance, and other non-standard or project-based services are outside standard subscription and support scope.

For the avoidance of doubt, information and cooperation we provide under these Terms to satisfy Enterprise Plan customers' legally required DORA or similar regulated-outsourcing incident-reporting, register-of-information, subcontracting, concentration-risk, or baseline exit-assistance obligations do not by themselves constitute a Change Order. Expanded, customer-specific, project-based, or questionnaire-format support beyond that statutory baseline remains outside standard scope unless expressly included in the applicable plan, SLA, Order Form, or addendum.

If Customer requests work outside the agreed scope, we may agree to perform it under a written change order, Order Form update, statement of work, or similar written instrument describing scope, assumptions, timing, dependencies, and fees. We are not required to begin such work until the parties agree that written instrument.

Out-of-scope requests, changes in assumptions, or Customer-caused delays may change pricing, timelines, sequencing, staffing, and delivery commitments for the affected work.

Support And Transition Assistance

Except as expressly stated in the applicable SLA or Order Form, support is provided by email and in-product channels during our normal business operations and on a commercially reasonable basis for the applicable plan.

If Customer terminates or elects not to renew the Service, we will provide standard offboarding support and export capabilities as described in the Agreement, including continued access to the standard export package during the applicable offboarding period, reasonable remote coordination for handover of completed standard export artifacts, and reasonable responses to transition-related questions about the standard export structure. Additional migration, transformation, validation, custom reporting, consulting, or post-termination assistance is outside standard scope unless expressly included in an Order Form or separately agreed in writing, in which case it may be provided at our then-current rates.

For regulated or otherwise negotiated customers, the parties may agree in an Order Form or addendum on additional transition assistance, exit cooperation, recovery commitments, or resilience obligations, including for DORA or similar regulated outsourcing requirements.

Data Export, Retention, And Deletion

Customer Organization may export Account Data using the available export tools or other agreed export mechanisms during the subscription term and during any applicable offboarding period. The standard in-product export package includes a machine-readable current-state snapshot of Account Data, the Account Audit Trail for the selected export scope, referenced files, and manifest/checksum metadata delivered through authenticated download flows, using the standard formats made available by the Service for the relevant data type, including CSV and JSON where supported. Unless expressly stated otherwise, the standard export package does not include Internal Security Logs or every provider-side record maintained by Firmfact.

Unless an Order Form states otherwise, Customer will have up to 180 days after termination or expiration to complete exports before ordinary deletion workflows are carried out.

If access is temporarily restricted for non-payment, we will use commercially reasonable efforts to preserve machine-readable export capability for up to 30 days, unless doing so would create a security or legal risk. Completed export artifacts may remain available for secure re-download during that period subject to retention settings, authentication, and any applicable legal or security constraints.

We may retain limited categories of data after termination where legally, operationally, or contractually required, including:

  • financial, billing, and tax records retained for the applicable Dutch statutory retention period;
  • Account Audit Trail records retained where legally or contractually required;
  • Internal Security Logs retained where legally, operationally, or contractually required;
  • backup data retained within the ordinary backup retention windows described elsewhere in the Agreement or supporting documentation.

Deletion timing and retention exceptions in these Terms are intended to be read consistently with the Privacy Notice and DPA.

Beta And Preview Features

Beta, preview, pilot, or early-access features are provided AS-IS, may be changed or withdrawn at any time, and are excluded from SLA commitments unless expressly stated otherwise in an Order Form.

Intellectual Property

As between the parties, we retain all right, title, and interest in and to the Service, Documentation, software, know-how, models, interfaces, and all related intellectual property rights, except for Account Data and Customer Organization-owned materials.

If Customer provides feedback, suggestions, or improvement ideas, Customer grants us a non-exclusive, worldwide, perpetual, irrevocable, royalty-free right to use that feedback without restriction, provided we do not publicly identify Customer as the source without Customer's consent.

Except as expressly permitted in writing, Customer Organization may not use the Service, Documentation, or other non-public materials supplied by us to create derivative datasets, publish comparative benchmarks, or train or improve machine learning or AI systems intended for external use or to compete with the Service. This restriction does not reduce Customer Organization's ownership rights in Account Data or Customer Organization-specific outputs to the extent expressly granted elsewhere in the Agreement.

Warranties And Disclaimers

We warrant that we will provide the Service in a professional and workmanlike manner materially consistent with the Agreement.

During the applicable subscription term, the Service will materially conform to the Documentation in all material respects, subject to permitted changes under the Agreement.

We warrant that we have the right to provide the Service and to grant the rights expressly granted under the Agreement.

Except as expressly stated in the Agreement, the Service, Demo Accounts, Trials, Beta / Preview features, and related materials are provided AS IS and AS AVAILABLE. We disclaim all implied warranties, including implied warranties of merchantability, fitness for a particular purpose, and non-infringement, to the maximum extent permitted by law.

Liability

Nothing in the Agreement excludes or limits liability for:

  • fraud or fraudulent misrepresentation;
  • willful misconduct;
  • liabilities that cannot be excluded or limited under applicable law;
  • payment obligations (fees owed under the Agreement remain uncapped).

Subject to the paragraph above:

Cap basis. For the purposes of this section, fees means amounts paid or payable by Customer under the Agreement, excluding taxes, pass-through costs, and third-party charges. Unless an Order Form states otherwise, each cap in this section is the aggregate limit for all claims arising out of or in connection with the Agreement, measured by the fees paid or payable by Customer in the 12 months immediately preceding the event giving rise to the first claim for which the relevant cap is invoked. Each cap includes any costs and expenses, including reasonable attorneys' fees.

General Cap. Except as stated below, each party's aggregate liability arising out of or in connection with the Agreement is limited to the fees paid or payable by Customer in the 12‑month period (the General Cap), unless an Order Form states a different cap. For Free Tier, Demo-only, Trial, or other no-fee use, the General Cap is zero.

Neither party is liable for indirect, incidental, special, punitive, or consequential damages, or for loss of profits, revenue, goodwill, business opportunity, or anticipated savings, even if advised of the possibility of such damages.

Higher Cap. For breach of confidentiality, indemnification obligations under the Agreement, infringement or misappropriation of the other party's intellectual property rights, and a party's violation of applicable data protection law or failure to implement the security, privacy, breach-notification, or processor obligations expressly required by the Agreement, each party's aggregate liability is limited to 4x the fees paid or payable by Customer in the 12‑month period (the Higher Cap), unless an Order Form states a different cap or applicable law requires a higher or uncapped liability standard. For Free Tier, Demo-only, Trial, or other no-fee use, the Higher Cap is zero.

For clarity, unauthorized access to, disclosure of, loss of, or inability to restore Account Data, and any associated privacy, security, breach-notification, or processor-obligation failures, are treated as data protection / security matters for cap purposes and fall within the Higher Cap unless applicable law requires otherwise.

For clarity, contractual duties to notify, cooperate, and assist in relation to incidents, personal data breaches, operational resilience events, or regulatory matters do not by themselves create uncapped damages exposure unless such uncapped exposure is required by applicable law.

Insurance

We maintain commercially reasonable professional liability (errors and omissions) and general liability insurance appropriate for a B2B SaaS provider of our size and risk profile. On reasonable request, we will provide a certificate of insurance or other evidence of coverage. If Customer requires higher minimum limits or additional coverage types, the parties may agree those requirements in an Order Form, in which case we will maintain the agreed coverage during the applicable subscription term, subject to any express limitations stated in the Order Form; any such agreement may be subject to premium adjustment or commercial concession as the parties agree.

Suspension And Termination

We may suspend or terminate access if Customer materially breaches the Agreement, fails to pay undisputed fees, creates security risk, or uses the Service unlawfully or abusively.

Customer may terminate the Agreement by cancelling the applicable subscription or by written notice effective at the end of the then-current Commitment Term, unless the accepted workflow, Subscription Agreement, or applicable Order Form expressly provides an earlier termination right. Billing cadence does not shorten the Commitment Term.

Either party may terminate the Agreement for material breach if the other party does not cure that breach within 30 days after written notice. A payment breach may be cured within 10 days. A breach that cannot reasonably be cured may be terminated immediately.

Either party may also terminate the Agreement immediately by written notice if the other party becomes insolvent, enters liquidation, suspends payment of its debts, has a receiver, administrator, trustee, or similar officer appointed over all or a substantial part of its assets or business, or becomes subject to a comparable insolvency or bankruptcy proceeding, except to the extent restricted by applicable law, including any applicable moratorium, suspension-of-payments protection, or court-approved restructuring restriction under Dutch insolvency law.

For non-payment of undisputed fees, we may, after the due date and appropriate notice, require cure within 10 days, move the Service into read-only mode or otherwise limit functionality while preserving commercially reasonable export capability for up to 30 days where feasible, suspend access if the breach remains uncured, and terminate the affected Service or the Agreement if the payment breach continues after that 10-day cure period.

For other remediable breaches, the breach notice must describe the issue in reasonable detail so the receiving party can respond and cure it. Nothing in this section prevents a party from taking action reasonably necessary to address an immediate security threat, abuse, legal-compliance obligation, or operational-resilience risk during an otherwise applicable cure period.

Customer may also terminate the affected Service by written notice if:

  • we suffer a prolonged service failure, security failure, or material operational resilience failure that materially defeats the purpose of the Service for Customer; and
  • we do not restore or remediate the affected Service within a commercially reasonable period after notice, taking into account the severity of the issue and any agreed service commitments.

Termination or expiration does not relieve Customer of payment obligations accrued before the effective termination date.

Order Of Precedence

If there is any conflict among the documents forming the Agreement, the following order of precedence applies, highest first:

  1. any negotiated addendum expressly incorporated into the parties' contract, but only for the matters it expressly addresses;
  2. the applicable Order Form or Subscription Agreement, but only for commercial terms, plan-specific terms, and other matters it expressly addresses;
  3. the DPA, but only for data protection, privacy, data transfer, and processor obligations;
  4. the SLA, but only for service levels, support commitments, and service credits;
  5. these Terms;
  6. the Privacy Notice as notice and other referenced policies or diligence materials, unless expressly elevated in an Order Form or addendum.

Export Controls, Sanctions, And Anti-Bribery

Customer will not use the Service in violation of applicable export control, sanctions, anti-corruption, or anti-bribery laws. Each party will comply with applicable anti-bribery and anti-corruption laws in connection with the Agreement.

Assignment, Change Of Control, Publicity, And Force Majeure

Neither party may assign the Agreement without the other party's prior written consent, except that either party may assign the Agreement without consent to an Affiliate or in connection with a merger, acquisition, corporate reorganization, or sale of substantially all of its relevant assets, provided the assignee assumes the assigning party's obligations.

We may identify Customer as a customer of the Service, and use Customer's name and logo to refer to Customer in customer lists, on the Firmfact website, and in similar promotional materials, only where Customer has given prior written consent. Consent given through a documented in-product consent control, an Order Form provision, or written confirmation by an authorized Customer representative satisfies this requirement. Customer may withdraw this consent at any time through the in-product consent control or on reasonable prior written notice, after which we will cease new use of Customer's name and logo within a reasonable period, except for materials already in circulation that cannot reasonably be recalled.

Neither party is liable for delay or failure to perform caused by events beyond its reasonable control, excluding payment obligations.

Notices, Changes, Severability, And Waiver

Formal notices under the Agreement must be sent to the receiving party's designated notice email or physical address, unless an Order Form provides a different notice mechanism. Notices to Dutchcode B.V. trading as Firmfact must be sent to legal@firmfact.com with a copy to the physical address listed below. Non-renewal and convenience-termination notices may also be submitted through the designated in-product billing workflow where that workflow is made available for the relevant Subscription. A notice is effective when received through one of those permitted channels.

We may update the Terms and Conditions from time to time. For a paid subscription, the version accepted at the start of the then-current subscription term will remain in effect during that term, except for changes required by law or changes that do not materially reduce Customer's rights or increase Customer's obligations. We will provide at least 30 days' prior notice by email and/or in-product notice for material adverse changes, and any such change will apply no earlier than renewal unless Customer expressly agrees earlier. Non-material changes may be posted with an updated effective date.

If any provision of the Agreement is held unenforceable, the remaining provisions remain in effect to the fullest extent permitted by law.

A failure or delay in exercising a right under the Agreement does not waive that right.

Governing Law And Jurisdiction

The Agreement is governed by the laws of the Netherlands, excluding its conflict-of-laws rules.

The competent courts of 's-Hertogenbosch, the Netherlands have exclusive jurisdiction over disputes arising out of or in connection with the Agreement, unless applicable law requires otherwise.

Survival

The following provisions survive termination or expiration of the Agreement: payment obligations accrued before termination, confidentiality, intellectual property, warranties disclaimers, liability limits, retention and deletion obligations, order of precedence, governing law and jurisdiction, and any other provisions that by their nature should survive.

Contact

Questions about these Terms may be sent to: