Terms of Service

These Terms of Service (the "Terms") form a legal agreement between RiskWatch International ("RiskWatch", "we", "us") and the organization identified on an Order Form ("Customer", "you"). You accept these Terms by signing an Order Form that references them, by clicking an in-product acceptance control, or by accessing or using the Service. If you are accepting on behalf of an organization, you represent that you have authority to bind that organization.

If you do not agree to these Terms, do not sign an Order Form and do not use the Service.

• Service means the hosted RiskWatch software-as-a-service platform, including the modules, framework libraries, integrations, and documentation made available to Customer.
• Order Form means the ordering document signed by Customer and RiskWatch that specifies the subscribed modules, fees, term, and any program-specific terms.
• Authorised Users means employees, contractors, and agents of Customer that Customer authorises to access the Service under named user accounts.
• Customer Content means data, files, evidence, control responses, assessments, configurations, and other information submitted to or generated within the Service by Customer or Authorised Users.
• Confidential Information means non-public information disclosed by one party to the other that is identified as confidential or that a reasonable person would understand to be confidential, including the Service, Customer Content, pricing, and security documentation.
• DPA means the Data Processing Addendum between Customer and RiskWatch that governs the processing of personal data, referenced at /privacy-notice/ and available on request.

RiskWatch provides the Service as a hosted multi-tenant SaaS platform. The Service includes the modules and framework libraries identified on the Order Form, configuration tooling, role-based access, audit trails, reporting, and the support tier selected on the Order Form. Specific frameworks, regions, integrations, and feature flags available to Customer are defined by the Order Form and the in-product documentation.

RiskWatch may improve, modify, or add features to the Service in the ordinary course. Materially adverse changes to a committed feature during a subscription term will be subject to Section 14.

Customer purchases the Service on an annual subscription basis unless the Order Form specifies a different term. Fees are set out in the Order Form and are non-cancellable and non-refundable except where required by law or expressly stated in these Terms.

Unless the Order Form states otherwise, fees are invoiced annually in advance and are due Net 30 from the invoice date. Overdue amounts accrue interest at the lesser of 1.5% per month or the maximum rate permitted by law [review with legal]. Customer is responsible for all applicable taxes other than taxes on RiskWatch's net income.

RiskWatch may suspend the Service for non-payment after providing written notice and a reasonable opportunity to cure.

Customer is responsible for:

• Managing Authorised User accounts, including provisioning, de-provisioning, and password and MFA hygiene.
• Ensuring Authorised Users comply with these Terms and any acceptable-use policy referenced in the documentation.
• The accuracy, legality, and quality of Customer Content submitted to the Service.
• Not reselling, sublicensing, or making the Service available to any third party other than Authorised Users.
• Not reverse engineering, decompiling, or attempting to derive source code from the Service, except to the extent expressly permitted by applicable law.
• Not performing security testing, penetration testing, vulnerability scanning, or load testing of the Service without RiskWatch's prior written permission.
• Not using the Service to send spam, host malicious code, or violate the rights of any third party.

As between the parties, Customer retains all rights, title, and interest in and to Customer Content. Customer grants RiskWatch a limited, non-exclusive license to host, process, transmit, and display Customer Content solely to provide and support the Service.

RiskWatch processes personal data within Customer Content as a processor on Customer's behalf, in accordance with the Data Processing Addendum, which is incorporated into these Terms by reference. The current DPA is available at /privacy-notice/ or by writing to legal@riskwatch.com. Where required, the parties will execute the DPA as a separate signed document.

RiskWatch will provide the Service in accordance with these Terms and the Order Form. Specifically, RiskWatch will:

• Use commercially reasonable efforts to make the production Service available 99.5% of each calendar month, excluding planned maintenance and events outside RiskWatch's reasonable control [review with legal].
• Maintain administrative, technical, and physical safeguards for the Service consistent with the controls published on the RiskWatch trust center, including SOC 2 Type II and ISO 27001:2022 alignment.
• Provide technical support consistent with the support tier identified on the Order Form, during the hours and through the channels stated there.

Each party may receive Confidential Information of the other. The receiving party will: (a) use Confidential Information only to perform under these Terms; (b) protect it using at least the same care it uses to protect its own confidential information of similar type, and in no event less than reasonable care; and (c) limit access to employees and contractors with a need to know who are bound by confidentiality obligations no less protective than those in this Section.

Confidential Information does not include information that is or becomes public through no fault of the receiver, was known without restriction before receipt, is independently developed without use of the discloser's information, or is rightfully received from a third party without restriction. The confidentiality obligations survive termination for three years, except that trade secrets remain protected for so long as they qualify as trade secrets under applicable law [review with legal].

RiskWatch warrants that the Service will perform materially in accordance with the published documentation during the subscription term. Customer's exclusive remedy and RiskWatch's sole liability for breach of this warranty is for RiskWatch to use commercially reasonable efforts to correct the non-conformity, or, if RiskWatch cannot do so within a reasonable period, terminate the affected portion of the Service and refund any pre-paid, unused fees for that portion.

EXCEPT FOR THE EXPRESS WARRANTY IN THIS SECTION, THE SERVICE IS PROVIDED "AS IS" AND RISKWATCH DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. RISKWATCH DOES NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED OR ERROR-FREE.

By RiskWatch.RiskWatch will defend Customer against any third-party claim alleging that the Service, as provided and used in accordance with these Terms, infringes that third party's intellectual property rights, and will pay damages finally awarded by a court of competent jurisdiction or amounts agreed in a settlement approved by RiskWatch. RiskWatch's obligation does not apply to claims arising from: (a) use of the Service in combination with items not provided by RiskWatch where the combination causes the infringement; (b) modifications to the Service not made by RiskWatch; or (c) Customer Content.

By Customer.Customer will defend RiskWatch against any third-party claim arising from (a) Customer Content, (b) Customer's use of the Service in violation of these Terms or applicable law, or (c) infringement by Customer Content of any third-party right, and will pay damages finally awarded or amounts agreed in a settlement approved by Customer.

The indemnified party must promptly notify the indemnifying party of the claim, give the indemnifying party sole control of the defense and settlement (subject to the indemnified party's reasonable approval of any settlement that imposes obligations on it), and provide reasonable cooperation at the indemnifying party's expense.

EXCEPT FOR (a) A PARTY'S GROSS NEGLIGENCE OR WILFUL MISCONDUCT, (b) BREACH OF SECTION 8 (CONFIDENTIALITY), (c) CUSTOMER'S PAYMENT OBLIGATIONS, OR (d) AMOUNTS PAYABLE UNDER SECTION 10 (INDEMNIFICATION), EACH PARTY'S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THESE TERMS IS LIMITED TO THE FEES PAID OR PAYABLE BY CUSTOMER UNDER THE APPLICABLE ORDER FORM IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM [review with legal].

IN NO EVENT WILL EITHER PARTY BE LIABLE TO THE OTHER FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR FOR LOST PROFITS, REVENUE, OR DATA, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THESE LIMITATIONS APPLY TO THE MAXIMUM EXTENT PERMITTED BY LAW.

These Terms take effect on the effective date of the first Order Form between the parties and continue until all Order Forms have expired or been terminated. Each Order Form has the initial term stated on it and renews automatically for successive terms of equal length unless either party gives written notice of non-renewal at least sixty (60) days before the end of the then-current term [review with legal].

Either party may terminate an Order Form for material breach by the other party that remains uncured thirty (30) days after written notice of the breach [review with legal]. Either party may terminate immediately on written notice if the other party becomes insolvent, makes an assignment for the benefit of creditors, or becomes the subject of a bankruptcy proceeding that is not dismissed within sixty (60) days.

On termination or expiration, Customer's right to access the Service ends. RiskWatch will make Customer Content available for export in a standard format for thirty (30) days after the effective date of termination, after which RiskWatch will delete Customer Content from active systems within a commercially reasonable period, subject to retention in backups for the period stated in the DPA and to any legal hold obligations.

Customer remains responsible for all fees accrued through the effective date of termination. Sections that by their nature are intended to survive termination, including Sections 6, 8, 9 (last sentence), 10, 11, 13, 15, 16, 18, 19, and 20, survive.

RiskWatch may update these Terms from time to time. For non-material changes, the updated Terms take effect when posted at this URL. For material changes that adversely affect Customer's rights, RiskWatch will provide at least sixty (60) days' advance notice by email to the billing contact on the Order Form, by in-product notification, or by posting at this URL [review with legal]. Continued use of the Service after the effective date of a material change constitutes acceptance of the updated Terms.

These Terms are governed by the laws of the State of Florida, United States, without regard to its conflict of laws rules [review with legal]. Subject to Section 16, the exclusive venue for any action arising out of or relating to these Terms is the state or federal courts located in Sarasota County, Florida, and the parties consent to the personal jurisdiction of those courts.

Where Customer is established in a jurisdiction whose mandatory consumer protection or data protection laws apply, those laws apply to the extent required and override any conflicting provision of this Section.

The parties will first try in good faith to resolve any dispute by negotiation between senior representatives for at least thirty (30) days after written notice of the dispute [review with legal]. If the dispute is not resolved within that period, it will be finally settled by binding arbitration administered by the American Arbitration Association under its Commercial Arbitration Rules, by a single arbitrator, seated in Sarasota, Florida, in English. Judgment on the award may be entered in any court of competent jurisdiction.

Notwithstanding the foregoing, either party may seek injunctive or other equitable relief in any court of competent jurisdiction to protect its intellectual property or Confidential Information.

Neither party is liable for delay or failure to perform obligations (other than payment obligations) caused by events beyond its reasonable control, including acts of God, war, terrorism, civil unrest, labor disputes, internet or utility outages, denial-of-service attacks, pandemics, or governmental action. The affected party will use reasonable efforts to mitigate the effect of the event and resume performance.

Notices under these Terms must be in writing and are effective on receipt. Notices to Customer go to the address or billing contact on the Order Form. Notices to RiskWatch go to:

Operational notices (renewal reminders, in-product changes, support communications) may be delivered by email or in-product notification.

Customer may not assign or transfer these Terms or any Order Form, in whole or in part, without RiskWatch's prior written consent, except that Customer may assign on written notice to a successor in connection with a merger, acquisition, or sale of substantially all of its assets, so long as the successor is not a competitor of RiskWatch and assumes all obligations under these Terms.

RiskWatch may assign these Terms in connection with a merger, acquisition, corporate reorganization, or sale of substantially all of its assets, on written notice to Customer. Any other purported assignment is void.

These Terms, together with the Order Form and the DPA, constitute the entire agreement between the parties regarding the Service and supersede all prior or contemporaneous proposals, agreements, and communications, written or oral, regarding the same subject matter. In the event of conflict, the order of precedence is (1) the Order Form, (2) the DPA, (3) these Terms.

If any provision of these Terms is held unenforceable, the remaining provisions remain in full force, and the unenforceable provision will be enforced to the maximum extent permitted by law. No waiver is effective unless in writing. The parties are independent contractors; nothing in these Terms creates an agency, partnership, or joint venture.

For questions about these Terms or to request a signed DPA:

RiskWatch International has been in business since 1993 and operates the RiskWatch risk and compliance management platform from Sarasota, Florida.

These Terms are effective as of May 14, 2026 and were last revised on May 14, 2026.