Terms of Service

"Applicable EU Regulations" means: Regulation (EU) 2016/679 (GDPR); Regulation (EU) 2024/1689 (EU AI Act); Directive (EU) 2022/2555 (NIS2); Regulation (EU) 2022/2554 (DORA); Regulation (EU) 2024/2847 (Cyber Resilience Act); Regulation (EU) 2022/868 (Data Governance Act); Regulation (EU) 2023/2854 (EU Data Act); Regulation (EU) 2022/2065 (Digital Services Act); Directive 2002/58/EC (ePrivacy Directive); and any implementing regulations, delegated acts, and amendments thereto.

"Client Data" means all data, information, documents, and materials submitted to the Platform by or on behalf of the Client or its Authorised Users.

"Competent Regulatory Authority" means any national or EU-level supervisory, enforcement, or regulatory body with jurisdiction over the Client's obligations under any Applicable EU Regulation, including Data Protection Authorities, National Competent Authorities under NIS2, Market Surveillance Authorities under the EU AI Act, and financial supervisory authorities under DORA.

"DPA" means the Data Processing Agreement incorporated by reference in Clause 10, available on request from [email protected] and provided to every Client during onboarding.

"Force Majeure Event" has the meaning given in Clause 13.1.

"Methodology" means Kortave's proprietary regulatory mapping frameworks, algorithms, gap-analysis logic, scoring models, and compliance structuring approaches embedded in or underlying the Platform, including all improvements and derivatives.

"Output" means any document, report, gap analysis, risk register, technical file, policy template, or other artefact generated by the Platform using Client Data or other inputs, including Records of Processing Activities (GDPR Art. 30), Data Protection Impact Assessments (GDPR Art. 35), AI Act Annex IV Technical Documentation, NIS2 Art. 21 security measure documentation, DORA Art. 5–6 governance frameworks, and related deliverables.

"Paddle" means Paddle.com Market Limited, acting as Merchant of Record for Kortave's subscription payments.

"Regulatory Change Event" has the meaning given in Clause 13.4.

"Subscription Fees" means the fees payable for access to the Platform under the applicable subscription plan.

"Third-Party Services" means third-party software, infrastructure, and services relied upon by the Platform, including Paddle, Cloudflare, and Nuremberg-based hosting infrastructure.

Nature of the Service. The Platform is an information society service [Directive (EU) 2015/1535, Art. 1(1)(b); Directive 2000/31/EC, Art. 2(a)] providing: (a) automated generation of compliance documentation artefacts in formats prescribed by or appropriate to Applicable EU Regulations, based on information supplied by the Client ("regulatory technical implementation services"); (b) compliance documentation tooling — structured templates, guided data-capture workflows, and automated document assembly designed to facilitate the Client's own internal compliance programme; (c) automated regulatory mapping and gap analysis — systematic comparison of the Client's disclosed operational profile against published regulatory requirements; and (d) regulatory framework reference services based on published EU legislative texts, official guidance, and regulatory authority publications.

What the Service is not. The Service is not, and must not be characterised as: (a) legal advice, a legal opinion, a legal determination, or legal representation — Kortave is not a law firm, regulated legal services provider, or legal professional within the meaning of Directive 2006/123/EC (Services Directive) or any national bar association regulation; no solicitor-client, attorney-client, or equivalent advisory relationship arises; (b) a compliance guarantee or assurance — Platform Outputs are technical artefacts that facilitate the Client's own compliance programme and do not constitute, and are not warranted to be, evidence of compliance; (c) a substitute for qualified legal or regulatory counsel — complex, novel, or jurisdiction-specific compliance matters require the advice of qualified lawyers, and the Service does not substitute for such advice.

Regulatory authority determination. The sole and exclusive legal determination of whether the Client satisfies the requirements of any Applicable EU Regulation rests with the Competent Regulatory Authority having jurisdiction over the relevant matter — not with Kortave, not with any Output, and not with these Terms. Where a Competent Regulatory Authority reaches a conclusion that differs from the assessment reflected in any Output, such divergence does not constitute a defect, breach, or failure of the Service.

Coverage. Coverage of a regulatory framework means the Platform generates structured documentation and gap analyses referencing that framework. Coverage does not mean that use of the Platform guarantees or implies compliance with any instrument.

General warranties. The Client represents and warrants, on a continuing basis, that: (a) all Client Data submitted to the Platform is accurate, complete, current, and not misleading; the Client has not knowingly omitted information material to the generation of an accurate Output; (b) the Client has full legal authority to enter into and perform its obligations under these Terms; (c) the Client has all rights, permissions, and consents necessary to submit Client Data to the Platform; (d) the Client will comply with all Applicable EU Regulations in connection with its use of the Service.

Output review obligation. The Client warrants and irrevocably agrees that: (a) it will independently review every Output before deploying, implementing, filing, or relying upon it, using personnel with appropriate regulatory knowledge; (b) it will not submit any Output to a Competent Regulatory Authority or deploy any Output as the basis for a compliance representation without first exercising its own independent judgement as to its adequacy and accuracy; (c) it acknowledges that Output quality is contingent upon the accuracy and completeness of Client Data — where Client Data is inaccurate, incomplete, or outdated, the Output will reflect those deficiencies, and sole responsibility for that consequence rests with the Client; (d) where any Output is identified as inaccurate or inadequate, the Client will refrain from using it until corrected.

Client's own regulatory obligations. The Client acknowledges and agrees that: (a) its obligations under Applicable EU Regulations — including without limitation GDPR Art. 24 (controller accountability), NIS2 Art. 20–21 (management body accountability for cybersecurity measures), DORA Art. 5–6 (ICT risk management framework governance by the management body), EU AI Act Art. 16–17 (provider quality management and technical documentation obligations), and GDPR Art. 5(2) (data protection accountability principle) — are non-delegable legal obligations of the Client that remain with the Client at all times, regardless of any use of the Service; (b) no contractual, operational, or delegatory act in connection with the Agreement transfers, novates, or otherwise shifts any regulatory obligation to Kortave; (c) the Client is solely responsible for all representations made to Competent Regulatory Authorities, regardless of whether any such representation was informed by an Output.

Legal counsel. The Client acknowledges that Kortave expressly recommends obtaining qualified legal advice from a licensed practitioner before relying on Platform Outputs in any regulatory proceeding, supervisory audit, or formal compliance declaration. This recommendation reflects the structural limits of technology-assisted compliance tooling, not a deficiency of the Service.

Notification of changes. The Client shall promptly notify Kortave and update Client Data if any previously submitted information becomes materially inaccurate or outdated.

Licence. Subject to these Terms and timely payment of Subscription Fees, Kortave grants the Client a limited, non-exclusive, non-transferable, revocable licence to access and use the Platform solely for the Client's own internal compliance governance purposes during the subscription term.

Restrictions. The Client must not: (a) resell, sublicense, or provide commercial third-party access to the Platform or Outputs without prior written consent; (b) reverse-engineer, decompile, or extract the Platform's source code, algorithms, or Methodology; (c) use the Platform to generate compliance documentation for third parties on a commercial advisory basis without Kortave's written consent; (d) upload Client Data that infringes third-party intellectual property or is otherwise unlawful; (e) use the Platform or any Output to make deliberately misleading representations to any Competent Regulatory Authority.

Kortave may modify Platform features from time to time. Where a modification would materially reduce core functionality, Kortave will provide the Client with not less than thirty (30) days' advance notice, during which the Client may terminate without penalty.

Fees. Subscription Fees are as published on the Platform at the time of order. All fees are stated exclusive of value added tax (VAT), which is applied in accordance with applicable Hungarian and EU VAT legislation.

Merchant of Record. Payment is processed by Paddle as Merchant of Record. Kortave is not a party to the payment transaction between the Client and Paddle. Kortave has no liability for payment failures, chargebacks, or data handling by Paddle.

Renewal. Subscriptions renew automatically at the end of each billing cycle unless cancelled in accordance with Clause 11. Continued access constitutes acceptance of then-current fees.

Non-payment. Kortave may suspend access where fees remain unpaid for fourteen (14) calendar days following the due date.

No refunds. All Subscription Fees are non-refundable except as expressly required by applicable mandatory consumer protection law or as otherwise provided in these Terms.

Fee changes. Kortave may adjust Subscription Fees on thirty (30) days' written notice, effective from the next billing cycle.

Kortave's retained rights. All intellectual property rights in the Platform, its underlying software, the Methodology, documentation, and all Kortave-proprietary template content remain with Kortave. These Terms do not grant the Client any ownership interest in the Platform or Methodology.

Assignment of client-specific Output content. Upon full payment of applicable Subscription Fees, Kortave assigns to the Client all intellectual property rights in the client-specific content of each Output — being the portions unique to the Client by virtue of Client Data provided — for the Client's own internal compliance purposes. Kortave retains all rights in the template structure, regulatory framework text, standard language, and the Methodology from which Outputs are generated.

Aggregated data licence. The Client grants Kortave a non-exclusive, royalty-free, perpetual licence to use anonymised and aggregated Output-derived data — irreversibly stripped of all identifiers linking it to the Client or any natural person — for service improvement, Methodology development, and internal analytics. This licence does not constitute authorisation to process Personal Data, which is governed exclusively by the DPA.

Client Data ownership. The Client retains all rights in Client Data. The Client grants Kortave a limited, non-exclusive licence to process Client Data solely for the purpose of providing the Service.

IP non-infringement. Kortave represents that, to the best of its knowledge, the Platform and the standard content embedded in Outputs do not knowingly infringe the intellectual property rights of any third party.

Warranty disclaimer. THE PLATFORM AND ALL OUTPUTS ARE PROVIDED "AS IS" AND "AS AVAILABLE." TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, KORTAVE EXPRESSLY DISCLAIMS ALL WARRANTIES — EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE — INCLUDING ANY IMPLIED WARRANTIES OF: (a) merchantability or satisfactory quality; (b) fitness for a particular purpose, including fitness for the purpose of achieving regulatory compliance, satisfying a Competent Regulatory Authority, or passing a conformity assessment; (c) accuracy, completeness, or currency of any Output; (d) uninterrupted or error-free service.

No warranty as to regulatory outcomes. Kortave makes no representation, warranty, guarantee, or assurance — whether express, implied, or arising from conduct — that: (a) any Output will be accepted by, will satisfy the requirements of, or will be regarded as sufficient by any Competent Regulatory Authority; (b) use of the Platform will result in regulatory compliance, avoidance of enforcement, or mitigation of sanctions; (c) the Platform reflects the most current interpretation of any regulatory requirement at any given moment — regulatory guidance evolves, and the Client must verify Output currency at the time of implementation; (d) gap analyses generated by the Platform are exhaustive or will identify every area of potential non-compliance.

Specific liability carve-outs — no liability for the following losses in any circumstances: (a) Client Data inaccuracy — any Output deficiency arising from Client Data that is inaccurate, incomplete, outdated, or misleading at the time of submission, or from the Client's failure to update Client Data following a material change in operations; (b) Client implementation failure — any adverse consequence arising from the Client's failure to implement, incorrect implementation of, or failure to review any Output before deployment; (c) regulatory authority action — any fine, penalty, sanction, enforcement order, or supervisory measure imposed on the Client by any Competent Regulatory Authority, whether arising from use of the Service, deployment of any Output, or otherwise; (d) third-party service failures — any failure, outage, data loss, or security incident attributable to Third-Party Services including Paddle and Cloudflare; (e) regulatory change — any Output that becomes inaccurate or non-compliant as a result of a Regulatory Change Event occurring after generation.

Exclusion of indirect loss. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, KORTAVE SHALL NOT BE LIABLE FOR: (a) loss of profits, revenue, or anticipated savings; (b) loss of business, contracts, or commercial opportunities; (c) loss of goodwill or reputation; (d) loss or corruption of data; (e) indirect, incidental, special, consequential, or punitive loss or damage; (f) regulatory fines, penalties, or sanctions imposed on the Client; (g) third-party claims brought against the Client — in each case whether arising in contract, tort (including negligence), breach of statutory duty, or otherwise, and whether or not Kortave had been advised of the possibility of such loss.

Aggregate liability cap. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, KORTAVE'S TOTAL AGGREGATE LIABILITY TO THE CLIENT FOR ALL CLAIMS UNDER OR IN CONNECTION WITH THE AGREEMENT — WHETHER IN CONTRACT, TORT, OR OTHERWISE — SHALL NOT EXCEED THE TOTAL SUBSCRIPTION FEES ACTUALLY PAID BY THE CLIENT IN THE THREE (3) CALENDAR MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM.

Time bar. ANY CLAIM BY THE CLIENT ARISING OUT OF OR IN CONNECTION WITH THE AGREEMENT MUST BE BROUGHT WITHIN TWELVE (12) MONTHS OF THE DATE ON WHICH THE CLIENT FIRST BECAME AWARE — OR OUGHT REASONABLY TO HAVE BECOME AWARE — OF THE FACTS GIVING RISE TO THE CLAIM. CLAIMS BROUGHT AFTER THIS PERIOD ARE ABSOLUTELY TIME-BARRED.

Risk allocation acknowledgement. The Client acknowledges that the fee levels charged for the Service reflect the allocation of risk expressed in this Clause 7, and that these limitations are a fundamental element of the basis of the bargain. Without such limitations, Kortave would not be in a position to provide the Service at the stated subscription levels.

Unreduced liability. Nothing in these Terms limits or excludes liability for: (a) death or personal injury caused by Kortave's negligence; (b) fraud or fraudulent misrepresentation; (c) any other liability that cannot lawfully be limited under applicable Hungarian law or mandatory EU law; or (d) Kortave's wilful misconduct.

Scope of indemnification. The Client shall indemnify, defend, and hold harmless Kortave and its officers, directors, employees, contractors, agents, successors, and assigns (each an "Indemnified Party") from and against any and all third-party claims, demands, suits, proceedings, liabilities, damages, losses, costs, and expenses (including reasonable legal fees) ("Claims") arising out of or relating to: (a) the Client's use of the Service or any Output; (b) any regulatory proceeding, enforcement action, supervisory investigation, audit, or sanction brought or threatened against the Client by any Competent Regulatory Authority; (c) the Client's breach of any representation, warranty, or obligation under these Terms; (d) Client Data, including any claim that Client Data infringes or misappropriates the rights of a third party; (e) the Client's non-compliance or alleged non-compliance with any Applicable EU Regulation, whether arising before, during, or after the term of the Agreement.

Regulatory proceedings. Without limiting Clause 8.1, the Client expressly acknowledges that Kortave shall bear no liability — whether in contract, tort, under statute, or otherwise — for any fine, penalty, administrative sanction, enforcement order, remediation cost, or regulatory settlement imposed on or incurred by the Client in connection with any Competent Regulatory Authority proceeding, irrespective of whether such proceedings relate to matters addressed by the Service, Outputs generated by the Platform, or the Client's overall compliance programme.

Indemnification procedure. The Indemnified Party shall: (a) promptly notify the Client in writing of any Claim for which indemnification is sought; (b) grant the Client sole control of the defence and settlement of such Claim, provided that the Client shall not settle any Claim that imposes any obligation, restriction, or liability on an Indemnified Party without prior written consent; and (c) provide reasonable cooperation and assistance, at the Client's expense. Failure to provide timely notice shall not release the Client from its indemnification obligations except to the extent the Client is materially prejudiced by such failure.

Nature of Outputs. Every Output is a technical implementation artefact — a structured document or analysis generated by software on the basis of information supplied by the Client. Outputs are designed to assist the Client in structuring its compliance programme. They are not: (a) legal opinions or legal advice; (b) compliance certifications or audit assurances; (c) representations that the Client is compliant with any law; or (d) substitutes for qualified professional judgement.

No regulatory relationship. The Agreement does not create any relationship between Kortave and any Competent Regulatory Authority. Kortave makes no representation that it has consulted with, received guidance from, or has any special standing before any Competent Regulatory Authority. Any regulatory framework descriptions, obligation summaries, or article references in Outputs are derived from publicly available sources and are presented for technical implementation reference only.

Changes in regulatory interpretation. The Client expressly acknowledges that regulatory guidance and supervisory interpretations of Applicable EU Regulations evolve continuously — including through EDPB guidelines [GDPR Art. 70], ENISA technical guidance [NIS2 Art. 18], EBA guidelines [DORA Art. 17], AI Office guidance [EU AI Act Art. 3(46)], and national supervisory authority decisions. Kortave does not warrant that Platform logic will reflect all such developments in real time. The Client is responsible for monitoring applicable regulatory developments.

Roles. For the purposes of GDPR, Kortave acts as data processor [GDPR Art. 4(8)] in respect of any Personal Data contained in Client Data, and the Client acts as data controller [GDPR Art. 4(7)]. Kortave processes such Personal Data only on the Client's documented instructions and for the purpose of providing the Service.

Data Processing Agreement. The terms of Kortave's DPA, available on request from [email protected], provided during onboarding, and incorporated into these Terms by reference, constitute the written contract required by Article 28(3) GDPR. [GDPR Art. 28(3)] The DPA governs: the subject matter, duration, nature, and purpose of the processing; the type of Personal Data and categories of data subjects; and the obligations and rights of the controller. In the event of conflict between the DPA and these Terms in relation to Personal Data processing, the DPA prevails.

Controller processing. In respect of Personal Data processed for Kortave's own operational purposes — including account management, billing, security logging, and platform analytics — Kortave acts as an independent data controller. This processing is governed by the Privacy Policy at kortave.eu/privacy.

Security. Kortave implements appropriate technical and organisational security measures consistent with GDPR Art. 32, including: data-in-transit encryption (TLS 1.2+); access controls; audit logging; and regular security review. Infrastructure is hosted in Nuremberg, Germany (EEA), applying data protection by design and by default [GDPR Art. 25].

Term. These Terms commence on account activation and continue until the subscription is terminated in accordance with this Clause 11.

Termination by Client. The Client may cancel at any time through the account dashboard. Cancellation takes effect at the end of the current billing period. No pro-rata refunds are provided except where required by mandatory consumer protection law.

Termination by Kortave for cause. Kortave may suspend or terminate access immediately on written notice if: (a) the Client materially breaches these Terms and fails to remedy within fourteen (14) days of written notice; (b) the Client uses the Platform for any unlawful purpose; (c) required by order of a court, Regulatory Authority, or competent body; or (d) non-payment as set out in Clause 5.4.

Effect of termination. On termination: (a) the Client's access to the Platform ceases; (b) the Client may request export of Client Data and Outputs within thirty (30) days, after which Kortave will delete or anonymise Client Data in accordance with the DPA; (c) Clauses 2, 3, 6, 7, 8, 9, 12, and 13 survive termination indefinitely.

Force Majeure Event. Neither party shall be in breach of, or liable for delay or failure in performance of, the Agreement to the extent caused by a Force Majeure Event — meaning any event beyond the affected party's reasonable control, including: acts of God; war, terrorism, or civil disorder; governmental or regulatory action; widespread internet or infrastructure failure attributable to third-party network operators; pandemic or epidemic; or cyber-attacks attributable to state or state-sponsored actors.

Notification. The affected party will notify the other party as soon as reasonably practicable, use commercially reasonable efforts to mitigate, and resume performance as soon as practicable. If a Force Majeure Event continues for more than sixty (60) consecutive days, either party may terminate on thirty (30) days' written notice without penalty.

Regulatory Change Event. A "Regulatory Change Event" means any of the following occurring after the effective date of these Terms: (a) the entry into force, amendment, or repeal of any EU Regulation, Directive, implementing act, or delegated act materially affecting the compliance requirements addressed by the Service; (b) the publication of official guidance, supervisory opinions, or standards by the EDPB, ENISA, EBA, ESMA, the AI Office, or any Competent Regulatory Authority that materially alters prevailing regulatory interpretation; (c) a judgment of the Court of Justice of the European Union or a national court that materially changes the applicable legal framework.

Kortave's response to regulatory change. Upon a Regulatory Change Event: (a) Kortave shall have a reasonable adaptation period — no less than sixty (60) days — to update the Service; (b) Kortave shall not be in breach during such period solely by reason of the Service not yet reflecting the change; (c) Outputs generated before a Regulatory Change Event are not retrospectively invalidated — the Client is responsible for updating and re-reviewing such Outputs. Kortave will use commercially reasonable efforts to notify Clients of material changes via in-platform notices or email.

Third-party platform dependencies. The Service depends in part on Third-Party Services. Kortave is not liable for any failure, outage, or interruption caused by Third-Party Services. The availability of Third-Party Services is subject to those providers' own terms, which Kortave cannot guarantee.

Governing law. These Terms are governed by and construed in accordance with the laws of Hungary, including Act V of 2013 (Polgári Törvénykönyv — Hungarian Civil Code) for contractual matters, without regard to conflict-of-law provisions. Where mandatory provisions of EU law apply directly — including GDPR, and applicable consumer protection directives — those provisions take precedence to the extent of any conflict.

Jurisdiction. The parties submit to the exclusive jurisdiction of the competent courts of Hungary for the resolution of any dispute arising out of or in connection with these Terms, subject to Clause 13.3.

Consumer rights. Where the Client is a natural person acting outside their trade, business, or profession ("consumer"), nothing in these Terms limits rights under mandatory Hungarian consumer protection law or applicable EU consumer protection directives, including the right to bring proceedings before the courts of the consumer's Member State of habitual residence.

Online Dispute Resolution. Consumers in the EU may use the European Commission's Online Dispute Resolution platform at https://ec.europa.eu/consumers/odr/ to resolve disputes.

Pre-litigation negotiation. Before commencing formal proceedings, the parties agree to attempt in good faith to resolve any dispute through direct negotiation for not less than thirty (30) days from written notice.

Entire agreement. These Terms (Version 2.2), together with the DPA, the Privacy Policy at kortave.eu/privacy, and any applicable order confirmation, constitute the entire agreement between the parties with respect to the subject matter hereof and supersede all prior and contemporaneous understandings, representations, and agreements. No prior oral or written representation shall have contractual effect unless expressly incorporated herein.

Amendments. Kortave may update these Terms by publishing a revised version at kortave.eu/terms. For Clients with active subscriptions, material changes take effect thirty (30) days after email notice. Continued use after that date constitutes acceptance.

Severability. If any provision is held invalid or unenforceable, it shall be modified to the minimum extent necessary to make it valid and enforceable; remaining provisions continue in full force.

Waiver. No failure or delay in exercising any right operates as a waiver. No single or partial exercise precludes any further exercise.

Assignment. The Client may not assign these Terms without Kortave's prior written consent. Kortave may assign these Terms in connection with a merger, acquisition, or sale of substantially all of its assets, on notice to the Client.

Electronic execution. This Agreement may be accepted electronically. Electronic acceptance records are legally binding pursuant to Regulation (EU) No 910/2014 (eIDAS).

No partnership. Nothing in these Terms creates a partnership, joint venture, agency, or employment relationship between the parties.

Language. These Terms are in English. In the event of any conflict between the English text and any translation provided for convenience, the English text prevails.