Gataca Studio | Terms of service

PLEASE READ THESE TERMS CAREFULLY BEFORE STARTING TO USE GATACA STUDIO

Gataca Labs S.L. and its affiliates (referred to as "Gataca" or "we", "our" or "us") is a cybersecurity company incorporated under the laws of Spain that provides decentralized digital identity technology through our software applications, including but not limited to our cloud-based identity platform that facilitates the issuance and verification of identity credentials ("Gataca Studio"), as well as the various product extensions available through Gataca Studio for enhanced functionalities.

The terms "you", "your", and "Client" refer to you either as a legal entity or as the legal representative of the entity.

These specific Terms of Service ("Terms" or the "Agreement") is a legal agreement between your organization and Gataca for the use of Gataca Studio, herein referred to as the "Service".

The Service includes graphics, photographs, artwork, images, screen shots, text, digital files, trademarks, logos, product names, slogans, other materials, and third-party content (the "Content") provided by Gataca or its licensors.

These Terms include by reference the following additional terms and policies which shall constitute a part of this Agreement:

• Gataca's Legal Notice and Privacy Policy.
• Any purchase order provided by Gataca for subscription to the Service and entered into via a signed order form (the "Order").
• Additional terms and conditions, which may include those from third parties.

YOU MUST REPRESENT A LEGAL ENTITY TO USE OUR SERVICE. YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND YOUR ORGANIZATION TO THIS AGREEMENT.

Subject to the foregoing and (i) by clicking “I Agree,” indicating acceptance electronically; (ii) by signing an Order; or (iii) by accessing or using our Service; you agree to a complete and unreserved acceptance of all the terms and conditions included in these Terms.

These Terms supersede all other prior agreements, understandings or promises made between you and Gataca orally or in writing in relation to the subject matter of these Terms.

These Terms shall always take precedence over the general contracting and/or any other conditions provided by you and/or used in the activity of your organization.

Specific terms specified in Orders and agreed upon by Gataca shall prevail over conflicting provisions with these Terms.

"Subscription" means a non-exclusive, non-transferable, non-sublicensable, revocable access and use the Service. No other right of use, alteration, exploitation, reproduction, distribution or public communication of the Service and/or its Content other than those expressly provided for herein is hereby conferred on you. Gataca reserves all other rights in the Service.

"Subscription Tier" defines the level of access to the Service’s features and functionalities.

"Subscription Term" means the initial subscription term and if applicable any renewal subscription term.

You may contract a Subscription for a selected Subscription Tier and a Subscription Term directly on our Website or agreed via an Order. You are only granted the right to use the Service according to the specific conditions of your Subscription Tier and Term.

The Subscription and these Terms will automatically renew upon the initial Subscription Term unless otherwise specified in an Order, or notified by you via the Service or by sending an email to legal@gataca.io.

Restrictions. You shall not, directly or indirectly:

• attempt to discover the source code, object code or underlying structure, ideas, know-how or algorithms relevant to the Service or any software, documentation or data related to the Service;
• attempt to reverse-engineer the Service in order to find limitations or vulnerabilities;
• attempt to gain unauthorized access to this Service or to any server, computer or database related to the Service.;
• launch or facilitate, whether intentionally or unintentionally, any activity that adversely impacts the availability, reliability, or stability of the Service;
• modify, translate, or create derivative works based on the Service or its Content;
• interfere with any license key mechanism in the Service or otherwise circumvent mechanisms in the Service intended to limit the authorized use;
• use the Services for competitive analysis or to build competitive products;
• rent, lease, distribute, sell, sublicense, transfer, or provide access to the Services to a third party;
• remove any proprietary notices or labels;
• use the Service for purposes other than those intended or otherwise for the benefit of a third party;
• create false identities, attestations, or other attempt to use the Website for nefarious purposes;
• attempt to solicit information from individuals without their explicit consent or under false pretenses;

Failure to comply with this clause may lead to the commission of offenses punishable by the applicable regulations. We will report any such breach to the relevant authorities and will cooperate with them to discover the identity of the attacker.

Responsibilities. You will use the Service only in compliance with these Terms, then in effect and all applicable laws and regulations. You shall also be responsible for maintaining the security of your account, passwords (including but not limited to Authorized User passwords), API keys, and files, and for all uses of your account.

5.1 Clients

You are granted the role of “Client” once you accept these Terms to access the Service, including by means of a free or trial Subscription Tier.

Clients must complete a client registration form with Gataca in order to use our Service, where information of the legal entity and contact information will be requested. The registration information must be accurate, current and complete. During the Subscription Term, Clients shall keep the organization data updated so that Gataca may send notices, statements and other information for the purpose of providing the Service.

In the event that the information does not conform to reality or there are suspicions of untruthful, inaccurate or incomplete information, Gataca reserves the right to suspend this Agreement. You will be offered the opportunity to clarify the issues raised by Gataca to confirm or correct the information provided within 3 calendar days. If you do not respond to Gataca's request, Gataca reserves the right to terminate this Agreement.

5.2 Authorized Users

Clients may designate "Authorized Users" to configure, manage and administer the Service. The Client is responsible for the compliance of all Authorized Users with these Terms, including what the Authorized Users do with the Client Data (as defined in clause 6), and for all expenses incurred by the Authorized Users. Authorized Users must belong to the Client's organization.

You shall not allow each single Authorized User account to be used by more than one individual Authorized User unless it has been reassigned in its entirety to another Authorized User, in which case the prior Authorized User shall no longer have any right to access or use the Service.

5.3 End Users

Taking into account the object and purpose of the Service (i.e. issue and verify identity credentials), Clients may integrate the Service with their own systems. Client’s own customers/users that view and interact with the Service via such systems are considered "End Users".

Subject to compliance with these Terms, Clients may grant End Users limited rights to interact with the Service according to the purpose of the Service.

Clients may not allow End Users administrator, configuration or similar use of our Service.

Clients may not charge End Users a specific fee for the use of our Service, but may charge a general fee for its own offerings.

Clients are solely responsible for its own products, support offerings and relationships with these End Users. Gataca has no direct or indirect warranty, indemnification or other liability or obligation of any kind to these End Users.

6.1 DIDs

When setting up an account with Gataca, you acknowledge and consent to the creation of decentralized identifiers (“DIDs”) on your organization’s behalf.

Gataca may publish DIDs and associated public cryptographic keys on one of the supported blockchain networks to serve as onchain identifiers. You understand and accept that information on blockchain networks cannot be deleted due to the immutability property of such technologies.

6.2 Cryptographic keys

Gataca Studio creates on your behalf one or more cryptographic key pairs for each DID. Cryptographic key pairs are composed of one or more public key and associated private keys. The public keys will be linked to your DIDs and published on a designated blockchain network.

The private keys will be used by Gataca Studio to execute signing and encryption or decryption activities within the Service. You agree to keep your private keys confidential and to not share them with anyone else.

6.3 Verifiable Credentials

With Gataca Studio you can issue or verify personal information to/from End Users in electronic format, following the Verifiable Credentials data model ("Verifiable Credentials"). Issued and verified Verifiable Credentials are stored in your Gataca Studio account.

Gataca makes no representation or warranty regarding the veracity or accuracy of Credentials issued by you, by End Users or by other third parties.

You are responsible for complying with the terms and conditions that these third parties may impose on their issued Verifiable Credentials and you agree not hold Gataca liable for any infringement of such terms and conditions.

6.4 Client Data

Your DIDs, your cryptographic key pairs, Verifiable Credentials licitly obtained from End Users and stored in your Gataca Studio account, Verifiable Credentials licitly issued by you or to you, your backup files, and any other data, included but not limited to legal representatives and Authorized User’s Personal Data, billing, and legal entity data, that you provide to us are referred to here as "Client Data". Where Client Data includes Personal Data, clause 11 below (Data Protection) of these Terms will apply.

YOU ACKNOWLEDGE AND ACCEPT THAT YOU ARE SOLELY RESPONSIBLE FOR THE LEGALITY, RELIABILITY, INTEGRITY, ACCURACY AND QUALITY OF YOUR CLIENT DATA.

You own your Client Data. You grant Gataca, its Affiliates and applicable contractors a worldwide, limited-term license to host, copy, transmit and display Client Data, as reasonably necessary for Gataca to provide you with the Service in accordance with these Terms. Subject to the limited licenses granted herein, Gataca acquires no right, title or interest in any Client Data.

You have the ability to delete all your Client Data from your Gataca Studio account via the Service interface. Client Data shall be deleted upon the termination of the Subscription Term on request and in accordance with any applicable data retention requirements.

You agree to pay fees in accordance with the rates listed in our Website, accessible via the Gataca Studio interface, or set forth in an Order. All amounts are non-refundable, non-cancellable, and non-creditable. Payment is required in advance and is a condition for the activation of the Service, unless otherwise stated in an Order.

If we agree that you pay in installments and fail to do so, Gataca may suspend or terminate the service without liability, without prejudice to our right to claim the outstanding amounts. Payment must be made within 15 days of the due date.

Gataca reserves the right to increase Service fees listed at our Website, on Gataca Studio interface, or upon Order renewal. Gataca will notify you at least 30 days prior to the date the change goes into effect as provided in clause 13.

You shall be responsible for and shall pay all taxes imposed on or with respect to your Subscription.

You are responsible for covering any extra costs, fines, or penalties that we may face from a government or regulatory body due to your violation of these Terms while using the Service.

8.1 Support services

Gataca offers service support via a support system accessible through Gataca Studio Interface (“Support System”). Authorized Users may raise the following support requests via our Support System, or any other channel made available by Gataca to you:

• Incidences. Request for resolution of system errors or malfunctions
• Technical doubts. Request for IT help on topics related to the Service
• Service requests. Request for configuration changes, new feature suggestions, or any other modification to the Service or to the Client’s account

A Gataca technical team member will be assigned to each ticket, who will provide a response to your inquiry. In case of Technical Incidences, the assigned team member will classify the incidence based on the following severity levels.

• Level 1 (L1) Application down: Production application down or major malfunction affecting business and high number of users
• Level 2 (L2) Serious Degradation: Serious degradation of application performance or functionality
• Level 3 (L3) Moderate Impact: Application issue that has a moderate impact to the business
• Level 4 (L4) Low Impact: Issue with limited business impact

8.2 Standard Support

Unless otherwise stated in an Order, you Subscription Tier includes standard service support ("Standard Support").

Standard Support is available via our Support System, from Monday to Friday from 9am to 5pm as per local time in Spain excluding public holidays.

8.3 Premium Support

Gataca offers premium support ("Premium Support") for clients that need guaranteed support delivery times.

Premium Support can be contracted by means of an Order and includes:

• A designated Client Success Team
• Service Level Agreements

Gataca will designate an individual to serve as your Solutions Architect to guide you during the initial configuration phase, and a Client Success Manager that will act as single point of contact througout the Term (the “Client Success Team”). We may designate a new Client Success Team, upon notice to you. You will submit all requests through the Authorized Users, and the Client Success Team will rely and act upon each Authorized Users’ instructions.

Premium Support guarantee the following service levels:

Initial Response Time means the amount of time taken for an agent to provide an initial response to a Client support request.

Resolution Time means the amount of time between when a Client first creates the support request and when such ticket is marked as “resolved”.

Availability means the percentage of time in a given monthly subscription period that the Service is available and accessible for use.

Service levels will be measured averaging the time across all the requests in a monthly subscription period.

We agree to credit you an amount equal to 5% of total monthly service fees (or the equivalent monthly fee for annual subscriptions) if performance metrics for incidence management or service availability are not met on a given month.

Premium Support is available via our Support System in two modalities:

• 8x5 Premium Support: support services will be available Monday to Friday from 9am to 5pm as per local time in Spain excluding public holidays.
• 24x7 Premium Support: support services will be available twenty-four hours a day, seven days a week, including weekends and public holidays.

9.1 Security

You acknowledge that cryptography and blockchain technologies are continuously evolving fields, which may pose risks to the Service and its Contents due to advancements in decryption, quantum computing, or security vulnerabilities.

Gataca takes security very seriously. Gataca will strive for maximum levels of protection for the Service, by continuously updating the code underlying the Service and incorporating new security measures that account for the risks of such technical advances.

While Gataca is committed to implementing robust security measures and regularly updating the Service's code to mitigate these risks, we cannot guarantee absolute security. By using the Service or accessing its Contents, you accept these inherent risks.

You agree to keep your device's operating system and other computing systems of Authorized Users up to date. Gataca is not liable for damages resulting from viruses or unauthorized use of your computer systems in connection with the Service and its Contents. You also agree to promptly report any security breaches or unauthorized use of the Service to Gataca.

9.2 Downtime

We strive to provide uninterrupted access to our service. There may be occasions where the Service may be unavailable due to scheduled maintenance, upgrades, or circumstances beyond our control such as internet outages, force majeure events, or hardware failures. We will make reasonable efforts to minimize any downtime and to promptly restore the Service to full functionality.

In the event of planned maintenance or upgrades, we will endeavor to provide advance notice to you via email or through the Service. You understand and acknowledge that the Service is subject to modifications by Gataca and that such modifications may require you to upgrade your hardware, software or integrations in order to use the Service.

10.1 Warranties

We represent and warrant that the Service will operate in accordance with applicable documentation and will materially conform to any specifications contained therein. Except for our warranties set forth in this section, the Service is provided “As Is”. Gataca’s sole obligation, and your sole and exclusive remedy, in the event of any failure by us to comply with this section will be for us to recreate the affected Service or refund to you the fees you paid for the affected Service in accordance with the provisions of this clause.

To receive any warranty remedy, you must report any claimed breach of this warranty in writing to Gataca promptly, and in any event within ten (10) days after the first date of the non-conformance is identified by or becomes known to you. Gataca shall use commercially reasonable efforts to remedy the non-conformance through correction or reperformance of the affected Service without undue delay, at no additional charge to you. If Gataca is unable to correct the non-conformance, Gataca shall refund, on a pro-rata basis from the date Gataca received the written notice of the non-conformance, the amounts pre-paid by you that are attributable to the non-conforming portion of the Service.

Without limiting our express warranties and obligations hereunder, and to the extent permitted by Law, we hereby disclaim any and all other warranties, expressed or implied, including but not limited to warranties of merchantability, non-infringement, fitness for a particular purpose, safe, on-time, uninterrupted, virus free and error-free operation and warranties related to third-party equipment, material, services, or software, including that the Service will operate in combination with any other hardware, software, system or data. You may have other statutory rights, but the duration of statutorily required warranties, if any, will be limited to the shortest period permitted by law.

You represent and warrant that you have provided adequate notices and obtained the necessary permissions and consents to provide Client Data to us for use and disclosure pursuant to the Data Processing Agreement.

You represent and warrant that, when using the Service to access third-party services, including any blockchain ledger or other identity network, public or private, that you are acting in compliance with all the relevant service’s terms and agreements, and that you are authorized to do so.

10.2 Liabilities

Under no circumstances will Gataca be liable to you, with the exceptions contemplated in the legislation in force, for any indirect, special, incidental, consequential or punitive damages, including but not limited to damages that may be due to the lack of availability, security, continuity or quality of the functioning of the Service and the Content or the non-fulfilment of the expectation of usefulness that you may have attributed to the Service and the Content, such us lost profits, lost sales or business, work stoppage, computer failure or malfunction, or lost data.

Gataca’s aggregate liability arising out of or related to these Terms for any direct damages, costs, or liabilities will not exceed the amount actually paid to Gataca under these Terms in the twelve (12) months immediately preceding the claim. This section shall not limit your liability arising from your breach of these terms or your indemnification obligations pursuant to these terms.

10.3 Indemnity

You agree to defend, indemnify, and hold Gataca harmless, including its Affiliates (as defined below), and all of its respective officers, agents, partners, and employees, from and against any loss, damage, liability, claim, or demand, including reasonable attorneys’ fees and expenses, made by any third party due to or arising out of: (1) your contributions to Client Data; (2) your use of the Service; (3) breach of these Terms; (4) any breach of your representations and warranties set forth in these Terms; (5) your violation of the rights of a third party, including but not limited to intellectual property rights; or (6) any harmful act toward any other End User or Client of the Service with whom you connected via the Service.

Notwithstanding the foregoing, Gataca reserves the right, at its own expense, to assume exclusive defense and control of any matter otherwise subject to indemnification by you and, in such case, you agree to cooperate with Gataca in the defense of such matter.

“Affiliates” means any entity or person that controls Gataca, is controlled by Gataca, or under common control with Gataca, such as a subsidiary, parent company, or employee.

Gataca shall indemnify you against any liability to third parties resulting from the Services' infringement of copyright or misappropriation of trade secrets, provided Gataca receives prompt notification of any claims, or proceedings related thereto within ten (10) days after you first becoming aware of the infringement claim. Additionally, Gataca must be given reasonable assistance and the opportunity to assume sole control over defense and settlement. Gataca will not be liable for any settlement not approved in writing. These obligations do not apply (i) if the alleged infringement concerns to a combination of the Service with other products or technology, (ii) where you continue alleged infringing activity after notice or informed of modifications to avoid infringement, or (iii) where your use of the Service does not strictly comply with these Terms or the applicable Law.

If the Service is held or believed by Gataca to be infringing, Gataca may, at its expense, (a) make the Service non-infringing by modification or replacement with similar features, (b) procure a license for you to continue using the Services, or (c) if not commercially feasible, terminate these Terms. In such a case, your sole remedy, apart from indemnification, will be a pro-rata refund of any prepaid, unused fees for the Service.

10.4 Force Majeure

Gataca will not be liable for any failure or delay in its performance under the terms of these Terms due to any cause beyond its reasonable control, including acts of war, acts of God, pandemia, labor shortages or disputes, governmental acts or failure or degradation of the Internet or telecommunications services. Gataca will give you prompt notice of such cause and will make commercially reasonable efforts to promptly correct such failure or delay in performance.

For the purpose of this Agreement, Gataca is a Data Controller for personal data of the representatives, employees, or other natural persons acting in the name or on behalf of the Client, including Authorized Users and singees of this Agreement and associated Orders. Gataca is also Data Controller for personal data of End Users using the Gataca Vouch extension contracted by Client.

For any other features of the Service, Gataca is Data Processor for personal data, including personal data provided by Client to End User using the Service, personal data received by Client from End Users using the Service, and personal data of Client representatives, employees, or other natural persons included in Verifiable Credentials that are stored in the Enterprise Wallet.

11.1 Personal Data processed by Gataca as a Data Controller.

In accordance with the applicable data protection regulations, Personal Data provided for the purpose of managing this Agreement, as well as, where appropriate, to comply with the regulatory obligations imposed by the applicable regulation during the term of this Agreement may be processed by Gataca as a Data Controller under the following provisions and those set forth in the Privacy Policy.

Once the term of the Agreement has ended, the data will be kept (as indicated by the regulations), for the sole purpose of complying with the required legal obligations and for the formulation, exercise or defense of claims, during the period of prescription of the actions derived from the contractual relationship.

In any case, the data subjects may exercise their rights to access, rectification, cancelation/erasure, objection, restriction and portability before the corresponding party by sending an email to . Likewise, if they consider that their personal data protection rights have been breached, they may lodge a complaint with the competent authority for matters concerning the protection of personal data.

11.2 Personal Data processed by Gataca as a Data Processor.

Where Gataca acts as a Data Processor regarding the Personal Data of End Users and Personal Data included in your Enterprise Wallet, that may be processed for the performance of the Service under these Terms, the Data Processing Terms included as Annex A of these Terms shall govern the applicable terms for collection, processing and controlling of Personal Data.

We may grant you a limited, non-exclusive, non-transferable, revocable license to use the Service solely for the purpose of evaluating its functionality and performance.

Your evaluation of the Service pursuant to this clause shall commence on the date of your acceptance of the Agreement or the Order, and continue for a period of fifteen (15 days, or as otherwise agreed to in writing between you and Gataca (the "Trial Term"). Notwithstanding the foregoing, we may in our sole discretion suspend or terminate your evaluation license and access to Gataca Studio at any time, for any or no reason, without advanced notice.

You shall not use the Service in any production environment or for any commercial purpose during the Trial Term. The Software may only be used in a test or development environment for the purpose of assessing its suitability for your needs.

You acknowledge that any data entered into the Service during the Trial Term may be deleted or lost upon the expiration of the Trial Term. You are solely responsible for maintaining backup copies of any data entered during this period.

The Service is provided "as-is" during the Trial Term without any warranties or representations of any kind. We shall have no liability for any harm or damage arising out of or in connection with your use of the Service during the Trial Term.

If your Subscription Tier includes access to the functionalities of Gataca Vouch, the specific provisions set forth in this clause 11 shall apply, along with the rest of the Terms of this Agreement.

13.1 Overview

Gataca Vouch is a specific extension within Gataca Studio that provides you with a standard OpenID Connect interface to verify the identity of your End Users requesting access to your Application (as defined below), while enabling users to provide their information through ID Wallets and verifiable credentials.

To use Gataca Vouch, you need to complete the required information in the Gataca Studio enabled extension, which may include, among others:

the URL of the website, mobile application, or the unique and unequivocal identifier of the digital platform where identity authentication is required “Application”; the links containing information related to the terms and conditions of your Application and its privacy policy. the scope of information used to verify the identity of an End User during the authentication process "Scope". Gataca Vouch allows you to configure various proprietary identity credentialing Scopes.

Gataca will ask the End Users to grant their consent to share their identity credentials from their ID Wallets in order to provide you with the information required according to the selected Scope.

13.2 Your responsibilities

You must evaluate whether the accuracy provided by a specific Scope is sufficient for your purposes in verifying End Users identity information.

You are responsible for your use of Gataca Vouch and all consequences that arise from it, especially if it involves actions that breach relevant laws, the rights of third parties, established best practices, or these Terms. This responsibility also covers the actions of Authorized Users.

13.3 Our responsabilities and liabilities

We are responsible for ensuring that the information provided to you for a selected Scope results from an authentication process conducted with the End User by requesting all necessary credentials and validating their authenticity.

However, we are not liable for (a) the accuracy, effectiveness, or completeness of the Scope’s implementation upon which you based your request for verifying personal data or obtaining details about the End User; (b) any mistakes you make when entering the required information in Gataca Vouch (this includes any damages, costs, losses, or penalties arising from such mistakes, including issues related to non-functioning links or errors in their content); and/or (c) for the actions and omissions of the End User.

13.4 Specifications on Personal Data processing

You understand that the selected Scope may include Personal Data.

We become the Controller of the End User’s Personal Data to the extent to which the End Users used the Gataca Vouch to share their Personal Data, and we will process their information in accordance with our Privacy Policy.

We will provide you the obtained personal data or anonymized information, as required by the scope configuration. Therefore, you will receive only the data necessary for fulfilmen of the selected Sope. And, in any case, this provision of Personal Data will be preceded by the consent of the End User that authorizes the transfer of their Personal Data.

If your Subscription Tier includes access to the functionalities of Enteprise Wallet, the specific provisions set forth in this clause 12 shall apply, along with the rest of the Terms of this Agreement.

14.1 Overview

Enteprise Wallet is a specific extension within Gataca Studio that provides you with a secure vault for importing, requesting, and storing Verifiable Credentials and attestations associated to your legal entity.

14.2 Your responsibilities

You are responsible for ensuring that access to the Enterprise Wallet and its content is restricted to the appropriate Authorized Users.

You are responsible for your use of the Enterprise Wallet and all consequences that arise from it, especially if it involves actions that breach relevant laws, the rights of third parties, established best practices, or these Terms. This responsibility also covers the actions of Authorized Users.

14.3 Liabilities

We are not liable for (a) the accuracy, effectiveness, or completeness of the Verifiable Credentials that are stored in the Enterprise Wallet, unless they are issued by Gataca; (b) any mistakes you make when uploading the required information in the Entperise Wallet (this includes any damages, costs, losses, or penalties arising from such mistakes, including issues related to non-functioning links or errors in their content); and/or (c) for the actions and omissions of the Authorized Users.

14.4 Specifications on Personal Data processing

Verifiable Credentials and Attestations stored in the Entperise Wallet may include Personal Data of Client representatives, employees, or any other natural person.

In this case, we become the Processor of the Personal Data and the applicable terms for collection, processing and controlling of Personal Data are governed by the Data Processing Terms included as Annex A of these Terms.

By accepting these Terms, you agree that Gataca may identify Client as a Gataca customer in its promotional materials, including Gataca’s Website. Gataca will promptly stop doing so upon Client’s written request.

We may revise these Terms from time to time to accommodate changes in the Service or its operation. If we do, those revised Terms will supersede prior versions. Unless we say otherwise, revisions will be effective upon the effective date indicated at the top of these Terms. We will strive to provide you advance electronic notice of any material revisions. For other revisions, we will update the effective date of these Terms at the top of the page.

Authorized users will receive notifications via email or the Gataca Studio interface regarding any changes or updates to the Terms. It is essential to regularly check for notifications to stay informed about any modifications to these Terms.

We reserve the right to make any functional, technical or technological modifications from time to time (i) to accommodate changes in the Service or its operation, (ii) to maintain or correct any possible malfunction or anomaly that has been detected during the use of the Service; (iii) to accommodate changes in the applicable Law, and/or (iv) whenever Gataca deemed useful or necessary, or simply for the achievement of better or new functionalities. Notwithstanding the foregoing, Gataca shall respect those functionalities necessary for you to use the Service with the least possible changes.

You exonerate us from any liability for damages of any nature, derived/produced to you or your clients as a consequence of the modifications, updates and other actions that Gataca may have carried out by virtue of this clause.

These Terms shall be applicable for the duration of Service Term or as otherwise agreed to by Gataca in writing, unless earlier terminated as set forth herein.

You may terminate these Terms and access to the Service upon expiration of the Subscription Term by notifying us via the Service or by sending an email to legal@gataca.io.

We may terminate these Terms and access to the Service upon expiration of the Subscription Term for any reason upon thirty (30) days written notice to you.

We may unilaterally suspend or terminate access to the Service and the Contents immediately if: (a) you commit any material breach of these Terms, including reference documents specified in section 2; (b) there is reason to believe the traffic created from your use of the Service or your use of the Service is fraudulent or negatively impacting the operating capability of the Service; (c) we determine, in our sole discretion, that providing the Service is prohibited by applicable Law, or it has become impractical for any legal or regulatory reason to provide the Service; or (d) subject to applicable Law, you become the subject of liquidation, bankruptcy, change of control, or any similar proceedings.

Gataca will, if possible, give notice of such circumstances (suspension or termination of access to the Contents) by including the information referred to through the means of communication it deems appropriate for its wider circulation.

17.1 Consequences of termination

Termination shall not relieve you of the obligation to pay any fees accrued or payable to Gataca for the entire duration of the Service Term that was active at the time of termination.

Effective immediately upon expiration of the Service Term or termination of these Terms: (a) all rights granted under these Terms will become void and revert to the granting party; (b) you shall cease use of the Service; and (c) neither party will have continuing rights to use any confidential information of the other, save to the extent required to discharge any and all obligations arising under these Terms.

Upon termination of these Terms, those provisions which by their very nature must remain in force shall survive, in particular the following clauses: 5 (Payment Terms), 9 (Data Protection) and 10 (Publicity Rights).

Termination of these Terms does not imply the termination of any document expressly referred to in section 2 above.

The Service and the Content are protected by copyright, trade secret, and other intellectual property laws.

Gataca shall remain the exclusive owner of any and all intellectual property rights, whether registered or not, owned, owned or licensed by Gataca. These Terms in no case implies the assignment, transfer, acquisition or license of the Gataca’s intellectual property over the Service, the Content, the software or any other information and documentation owned by Gataca. You are only authorized to use the Gataca’s intellectual property when you have an explicit and unequivocal permission, and only in the manner specified by Gataca in these Terms or Order and associated with the Service.

You shall not, and shall not permit any Authorized User or third party to decompile, reverse engineer, disassemble, or otherwise attempt to derive the source code, underlying algorithms, or structure of the Software; copy, reproduce, distribute, or publicly display the Content; or adapt, translate, or create derivative works based on the Software. Any unauthorized use, reproduction, or distribution of the Software constitutes a material breach of this Agreement and may result in immediate termination of Client's access to the Software, in addition to any other remedies available by law.

Any new intellectual property generated during the term of this Agreement and in connection with the Services, improvements, enhancements or modifications thereto, and all intellectual property rights related thereto, and/or Gataca technology shall, in any case, automatically and exclusively belong to Gataca.

Any ideas, questions, answers, suggestions, or comments ("Feedback") provided by you to us shall not be considered confidential or proprietary information. By providing us with Feedback, you authorize us to use it, along with any developments or derivatives thereof, determined at our sole discretion, without requiring additional permission from you or payment of compensation to you.

You agree that (i) by submitting unsolicited ideas to us or any of our representatives, you automatically forfeit your right to any intellectual property rights in these ideas; and (ii) unsolicited ideas submitted to us, our employees, or representatives automatically become the property of Gataca. You hereby assign all rights, title, and interest you have in such Feedback and ideas to Gataca, including all intellectual property rights therein.

If any provision of these Terms is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that these Terms will otherwise remain in full force and effect and enforceable.

These Terms are not assignable, transferable, or sublicensable by you except with our prior written consent. We may transfer and assign any of our rights and obligations under these Terms without your consent.

No waiver of any term of these Terms shall be deemed a further or continuing waiver of such term or any other term, and any failure to assert any right or provision under these Terms shall not constitute a waiver of such term.

No agency, partnership, joint venture, or employment is created as a result of these Terms, and you do not have any authority of any kind to bind us in any respect whatsoever.

In any action or proceeding to enforce rights under these Terms, the prevailing party will be entitled to recover costs and attorneys’ fees.

There shall be no express or implied third-party beneficiaries capable of enforcing the terms of these Terms other than parties who execute these Terms.

All notices under these Terms will be in writing and will be deemed to have been duly given when received, if personally delivered; when receipt is electronically confirmed, if transmitted by email; and upon receipt, if sent by certified or registered mail, return receipt requested.

All the conditions included in this document are governed by Spanish law. Should any dispute arise, please try contacting our support team first to resolve the dispute before bringing a formal legal case.

You agree that all disputes, controversies or situations arising from these Terms that cannot be resolved through our support team shall be resolved by the Courts and Tribunals of the city of Madrid.

This Data Processing Agreement (“DPA”) governs Gataca’s processing of the Client Data provided by you to Gataca through Gataca Studio in any modality available to the Client (the “Service”), and is hereby incorporated into the Agreement.

1. Definitions

"Personal Data" means data about identified or identifiable natural persons according to Art. 4 of the GDPR.

"Data Controller" means a natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal information are, or are to be, processed.

"Data Processor" means any natural or legal person who processes the data on behalf of a Data Controller.

"Data Sub-Processor" means any natural or legal person who processes the data on behalf of a Data Processor.

Gataca, acting as a DATA PROCESSOR, in the course of the performance of the activities and Service agreed to in the Agreement, may access to certain Personal Data of the Client, which acts as a DATA CONTROLLER, and in order to establish a sufficient level of protection for personal data and to comply with the provisions of the applicable regulations on the protection of personal data, including the provisions of the General Data Protection Regulation (EU) 2016/679 (hereinafter, "GDPR") and any other applicable data privacy and data protection laws (collectively, "Data Protection Laws") enter into this DPA.

For purposes of the Agreement and this DPA, (i) "Personal Data" has the meaning assigned to the term “personal data” or “personal information” under applicable Data Protection Laws; and (ii) "Client Personal Data" means Personal Data that you provide to Gataca and that Gataca processes on your behalf to provide the Services. Gataca will process Client Personal Data as Data Processor to provide or maintain the Service and for the purposes set forth in this DPA, the Agreement and/or in any other applicable agreements between you and Gataca, and especially by the provisions of the following clauses.

2. Purpose

The purpose of this DPA is to regulate the terms under which Gataca will process Client Personal Data under the Agreement.

This DPA is part of and subject to the terms of the Agreement. All capitalized terms outlined in this DPA have the same definitions as in the Agreement, unless specifically defined in this DPA.

3. Content and scope of application

Gataca will only process the Client Personal Data to provide the Services, to fulfill Gataca's obligations under the Agreement and this DPA and in compliance with the Client’s written instructions. For clarification purposes the Agreement and this DPA constitute the Client’s instructions to Gataca to process the Client Personal Data.

The details of the processing activities to be performed under this DPA are outlined in Exhibit A.

Gataca must document the processing operations carried out on behalf of the Client and keep a written record of the different categories of processing carried out as a result of the provision of the Service, in the terms required by law.

Any Gataca personnel who have access to Client Personal Data will be bound by appropriate confidentiality and data protection obligations applicable to Gataca under the Agreement and this DPA.

It is also expressly prohibited any form of transfer, communication, making available of Client Personal to third parties by Gataca without the express consent of the Client.

4. Compliance assistance

Gataca undertakes to support the Client in (i) carrying out prior consultations with the Supervisory Authority, (ii) carrying out impact assessments, where appropriate in both cases; and in (iii) providing information necessary to demonstrate compliance with the obligations set forth in this DPA and applicable Data Protection Laws.

If Gataca considers that any of the instructions received infringe the Data Protection Laws, Gataca shall immediately inform the Client.

5. Subcontracting

The Client authorises the subcontracting of any technological platform that may be necessary or convenient to perform the Service, provided that said platform complies with the provisions of the Data Protection Law and that it is a company with an excellent reputation in the market and the appropriate security measures. Gataca will ensure that the Sub-processor is subject to substantially similar data protection obligations as those set forth in this DPA regarding Personal Data and which satisfy the requirements of Data Protection Laws. Gataca will list its current Sub-processors for the Services in the Exhibit A. Gataca will remain liable for all acts or omissions of its Subcontractors or Sub-processors, and for any subcontracted obligations.

Gataca may add or remove Sub-processors from time to time. Gataca will inform the Client in advance of new Sub-processors for the applicable Services as described in the list of Sub-processors. If Client objects to a change, it will provide Gataca with notice of its objection to dpo@gataca.io including reasonable detail supporting the Client’s concerns within thirty (30) days of Gataca publishing the change. Gataca will then use commercially reasonable efforts to review and respond to Client’s objection within thirty (30) days of receipt of the Client’s objection. Gataca’s response to the Client’s objection will include, at a minimum, reasonable accommodations, if any, that the Client or Gataca can take to limit or prevent a new Sub-processor from acting as a processor of the Client Personal Data when the Client makes use of the Services. If Gataca does not respond to a Client’s objection as described above, or cannot reasonably accommodate Client’s objection, Client may terminate the Agreement by providing written notice to Gataca: (a) within thirty days of receipt of a Gataca response that does not comply with this Section; or (b) if Gataca fails to respond, within thirty days of the date Gataca’s response was due.

6. International personal data transfers

Client Personal Data is stored in servers located in the European Economic Area (EEA).

The Client agrees that Gataca`s Sub-processors may transfer, store, and process the Client Personal Data in locations other than the Client’s country. Gataca undertakes to establish as many safeguards as are required under Data Protection Laws for the lawful transfer of personal data to Third Countries, by means of the application of Binding Corporate Rules, Standard Contractual Clauses, or where the relevant transfer has been authorised by the competent supervisory authority or is necessary for the performance of the Agreement.

7. Security measures

Gataca shall respect confidentiality and adopt the technical and organisational measures corresponding to the category of data processed in order to guarantee the security of personal data and to prevent their alteration, loss, processing or unauthorised access, considering the state of technology, the nature of the data stored and the risks to which they are exposed, whether from human action or from the physical or natural environment.

Gataca represents that it has implemented and will maintain, throughout the Term, appropriate technical and organizational measures to ensure the security, confidentiality, integrity, and availability of the Personal Data. These measures shall be in compliance with all applicable data protection laws and industry standards, including but not limited to:

• Access controls to prevent unauthorized access to Personal Data;
• Encryption of Personal Data in transit and at rest;
• Regular testing, assessment, and evaluation of the effectiveness of the security measures;
• Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
• Procedures for regular testing, assessment, and evaluation of the effectiveness of technical and organizational measures for ensuring the security of the processing.

Gataca further represents that it holds and will maintain, for the duration of this Agreement, the ISO/IEC 27001 (or equivalent) certification for Information Security Management Systems (ISMS).

8. Notification of security breaches

Gataca shall notify the Client, without undue delay, of any breach of security within 72 hours of Gataca becoming aware of it and by email, together with all relevant information in its possession that the Client requires to enable it to comply with the obligations set out in the GDPR or any other applicable privacy law.

A breach of security shall be understood to be any event that could lead to the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, impossibility of access, communication or unauthorised access to such data that affects the Personal Data under the responsibility of the Data Controller.

Gataca will assist the Client in ensuring compliance with its obligations pursuant to GDPR or any other applicable law by providing relevant information which may include: (a) the nature of the security incident, including, where possible, the categories and approximate number of personal data records concerned; (b) the likely consequences of the security incident; (c) the measures taken or to be taken to address the security incident, including, where appropriate, the measures to mitigate its possible adverse effects; (d) the name and contact details of the contact from whom more information may be obtained; and (e) justifications for any delay in notification. Should it not be feasible for Gataca to provide all of the relevant information in its initial notification to the Client, Gataca will provide further relevant details without undue delay.

9. Effects on the duration of the contract

This DPA shall remain in force for as long as the data processing is carried out by Gataca or until the termination of the Agreement.

Once the contractual performance has been fulfilled or terminated, the Client Personal Data to which Gataca has access must be destroyed or returned to the Client, as well as any support or documents containing any Personal Data that are the object of the processing.

In the event that the Client chooses to return the data, it must be returned via secure systems that allow the confidentiality of the data to be preserved. If the Client opts for their destruction, Gataca must guarantee that this has been carried out confidentially and without it being possible to recover them.

10. Responsibilities

By analogy in the application of Article 82 of the GDPR, Gataca will only be liable for damages caused by processing when it has not complied with obligations specifically directed to Gataca or has acted outside or against the legal instructions of the Client. Likewise, Gataca will be exempt from liability if it proves that it is in no way responsible for the event that caused the damages.

In any event, Gataca shall not be liable to the Client for any loss of actual or anticipated income or profits, loss of contracts or for any special, indirect, or consequential losses or damages of any kind howsoever arising, breach of contract or otherwise, whether or not such loss or damage is foreseeable, foreseen or known. This shall not apply, however, if such liability is based on willful misconduct or gross negligence.

Gataca´s aggregate liability under or in connection with this DPA, whether arising from contract, under any indemnity or otherwise, will be limited to the contractual price set forth in the Agreement signed by and between the Parties for the provision of Services. This shall not apply, however, if such liability is based on willful misconduct or gross negligence.

The Client shall indemnify and hold harmless Gataca in case the Client infringes its obligations set forth in this DPA or established by the applicable Data Protection Law, and/or if an unlawful conduct results from the execution of the Instructions provided to Gataca by the Client, and which could not have been foreseen or prevented by Gataca.

11. Exercise of 'Habeas data' rights

When the data subjects exercise their rights to habeas data recognised by the Data Protection Law before the Client, the latter must record the request received and communicate it by e-mail to our Data Protection Officer at dpo@gataca.io. The communication must be made immediately, and in no case later than 7 working days following receipt of the request.

Likewise, Gataca shall inform the Client of any complaint or claim regarding the processing of Personal Data by any data subject. Gataca will provide the Client with information or tools that are reasonably designed to enable the Client to fulfill its obligations to respond to these requests through the functionality of the Services, taking into account the nature of the processing and insofar as this is possible.

Subject Matter of Processing

The provision of the Service.

Duration of Processing

The Subscription Term and any period thereafter, until Gataca fully deletes the Client Personal Data in accordance with legal retention requirements.

Categories of Data Subjects

The categories of data subjects will depend upon your use of the Service. Client Personal Data may concern

• Client representatives, Authorized Users, employees, or agents acting on behalf of the Client
• End Users
• Any other individual whose information is stored by the Client acting as controller pursuant to Article 30 of the GDPR

Types of Personal Data

The Personal Data that will be included in the Client Data will depend upon the Client’s use of the Service. Client Personal Data may consist of

• Identity data: first name, last name, and ID document details such as document number, issuance and expiry dates, gender, etc.;
• Contact data: telephone number, e-mail address, and mailing address;
• Profile data: employer, role, country, academic records, professional records, interests, and preferences;
• Correspondence data: feedback, form responses, survey responses, customer support requests, or otherwise corresponded with us;
• Ordering data: contracts, orders, and purchases you make through the Services;
• Payment data: billing details, your credit card number, bank account number and any other payment-related information.

Special Category Personal Data (i.e. Biometric Data):

• Face Images
• Identity Document Images

Nature and Purpose of Processing

To facilitate the provision of the Service by Gataca and ensure the Client's access to and receipt of said Service.

Authorized Sub-processors

• Amazon Web Services
• Daon
• Hubspot
• Holded

Location of Data and data transfer

Data location: EU

Transfer locations only for the purpose of technical support may include Serbia and USA, and shall only be transferred if necessary for a particular support issue and shall be deleted once the support issue is completed.