1. Purpose
Set out the legally binding terms that govern access to and use of Karbon Digital Ltd. websites, products, services, and related offerings (including Docufy.ai and associated portals, Application Programming Interfaces (APIs), Model Context Protocols (MCPs), integrations, support channels, and professional services, where referenced). These Terms are intended for publication on Karbon Digital websites and establish baseline rights, responsibilities, acceptable use requirements, privacy and data handling expectations, security obligations, and commercial/legal conditions for customers, users, and visitors across jurisdictions.
These Terms apply to worldwide access to and use of Karbon Digital products and services by enterprise customers, individual users, administrators, contractors, and website visitors, including trial, paid, beta, evaluation, and support use cases. The Terms address intelligent data processing workflows, including processing of customer-submitted documents that may contain personal information, confidential information, regulated records, and other sensitive content in encrypted or unencrypted form, subject to applicable law and contractual controls.
3. Terms of Use
3.1 Acceptance and Agreement Structure
These Terms of Use ("Terms") govern access to and use of Karbon Digital Ltd. websites, software, platforms, APIs, products, and services, including Docufy.ai (collectively, the "Services"), provided by Karbon Digital Ltd. ("Karbon Digital", "we", "us", or "our").
By accessing our websites, creating an account, executing an order form or statement of work, clicking to accept, or otherwise using any Service, you ("Customer", "you", or "User") agree to these Terms. If you use the Services on behalf of an organization, you represent and warrant that you have authority to bind that organization, and "Customer" includes that organization.
If an executed order form, statement of work, master services agreement, Data Processing Addendum (DPA), or other signed agreement conflicts with these Terms, the signed agreement controls to the extent of the conflict for the applicable Services.
3.2 Definitions
"Customer Content" means documents, files, images, data, prompts, metadata, records, and other content submitted to, uploaded to, transmitted through, or otherwise made available to the Services by or on behalf of Customer, including content that may contain Personal Data or confidential information in encrypted or unencrypted form.
"Output" means results generated or returned by the Services, including classifications, summaries, extracted fields, mappings, alerts, risk indicators, workflow actions, recommendations, reports, and other machine-assisted or automated responses.
"Personal Data" (or equivalent term such as personal information) means information relating to an identified or identifiable individual, as defined under applicable privacy and data protection laws.
"Subprocessor" means a third-party service provider engaged by Karbon Digital to process Customer Content, Personal Data, or service telemetry on Karbon Digital's behalf for the purpose of providing, securing, maintaining, or supporting the Services.
3.3 Service Description and AI Limitations
Docufy.ai and related Karbon Digital Services are intelligent document processing and workflow orchestration offerings that may use multimodal large language models, semantic classification pipelines, rules engines, and adaptive automation to support regulatory compliance, governance reporting, enterprise risk management, and related business processes.
The Services generate probabilistic outputs and may produce incomplete, inaccurate, or inconsistent results. The Services and Outputs are not legal, tax, accounting, medical, or other professional advice. Customer remains solely responsible for validating Outputs, applying human review and internal controls, making regulatory or legal determinations, and deciding whether and how to use any Output in production, reporting, or decision-making workflows.
3.4 Eligibility, Accounts, and Authorized Users
Customer is responsible for all activity occurring under its accounts, tenant(s), and Authorized Users, and for ensuring that Authorized Users comply with these Terms, applicable law, and Customer's internal policies.
Customer must maintain accurate account and billing information, implement appropriate credential management (including strong authentication and role-based access), promptly revoke access when no longer authorized, and notify Karbon Digital without undue delay of suspected unauthorized access, credential compromise, or misuse.
3.5 Acceptable Use and Prohibited Activities
Customer will not, and will not permit any User or third party to: (a) use the Services in violation of law or regulation; (b) upload malware, malicious code, or harmful content; (c) probe, scan, or test vulnerabilities except through an approved program; (d) interfere with, disrupt, or degrade the Services; (e) bypass access controls, rate limits, or security mechanisms; (f) reverse engineer, decompile, or derive source code except where non-waivable law permits; (g) use the Services to develop or benchmark a competing product except as expressly authorized; (h) submit content without rights or authority to process it; (i) use the Services for unlawful surveillance, discriminatory profiling, or prohibited high-risk automated decisioning that produces legal or similarly significant effects without an expressly approved and contractually scoped program with documented governance and human oversight; or (j) use the Services in a manner that could compromise confidentiality, integrity, or availability of Customer Content or the Services.
3.6 Customer Content, Ownership, and License
As between the parties, Customer retains all right, title, and interest in and to Customer Content, subject to the rights granted in these Terms. Karbon Digital and its licensors retain all right, title, and interest in and to the Services, including software, models, algorithms, prompts/templates, workflows, documentation, usage analytics (to the extent not Customer Content), and all related intellectual property rights.
Customer grants Karbon Digital a limited, non-exclusive, worldwide, revocable (subject to operational necessity), and royalty-free license to host, copy, process, transmit, display, and otherwise use Customer Content solely as necessary to provide, secure, maintain, support, and improve service operations for Customer, including generating Outputs, troubleshooting incidents, preventing abuse, and meeting legal obligations. Karbon Digital will not use Customer Content to train general-purpose models except as expressly authorized in writing by Customer and permitted by applicable law.
3.7 Data Protection, Privacy, and Cross-Border Transfers
Each party will comply with applicable privacy and data protection laws in connection with its respective activities under these Terms, which may include, where applicable, the EU General Data Protection Regulation (GDPR), UK GDPR, PIPEDA, U.S. state privacy laws, Brazil's LGPD, Japan's APPI, and other jurisdiction-specific requirements.
Where Karbon Digital processes Personal Data on behalf of Customer, the parties may execute a DPA or equivalent data processing terms addressing roles (for example controller/processor or business/service provider), processing instructions, technical and organizational measures, subprocessors, cross-border transfer mechanisms, audit and cooperation rights, breach notification support, and assistance with data subject rights requests. Customer is responsible for determining whether Customer Content should be encrypted before upload and for implementing any customer-managed encryption controls made available in the applicable Service configuration.
Customer acknowledges that use of the Services may involve access, processing, storage, or support operations in jurisdictions outside Customer's home jurisdiction. Where required by law, Karbon Digital will implement lawful transfer mechanisms and safeguards (for example, Standard Contractual Clauses, UK addendum/IDTA, adequacy decisions, or other recognized mechanisms), and Customer remains responsible for obtaining required notices, consents, and lawful bases for its submission and processing of Customer Content.
3.7A Marketing Communications and Consent
Karbon Digital may send marketing, promotional, educational, and event-related communications regarding its Services to prospective customers, existing customers, account holders, administrators, Authorized Users, and other individuals who have opted in or where otherwise permitted by applicable law. For new customers or new users, Karbon Digital will obtain affirmative consent for marketing communications where required by law. For existing customers or existing users, Karbon Digital may send communications related to similar products or services, prior transactions, prior inquiries, or an existing business relationship where permitted by law. Consent to marketing communications is voluntary and is not required to purchase or use the Services. Recipients may unsubscribe or withdraw consent at any time using the unsubscribe mechanism, communication preference center, or contact details provided by Karbon Digital. Withdrawal of consent does not apply to non-marketing communications required for account administration, billing, support, security, privacy, legal compliance, or operation of the Services. Karbon Digital will process personal information used for marketing communications in accordance with applicable law and its Privacy Notice and may maintain records of consent and unsubscribe status for compliance purposes.
3.8 Security
Karbon Digital will maintain an information security program reasonably appropriate to the nature of the Services and the risks presented, including administrative, technical, and physical safeguards designed to protect Customer Content and Personal Data against unauthorized access, acquisition, use, disclosure, alteration, or destruction. Such measures may include encryption in transit (for example TLS), encryption at rest, logging and monitoring, access controls, vulnerability management, and incident response processes.
Customer is responsible for secure configuration and use of the Services, including least-privilege access, data classification, secure endpoint and browser practices, reviewing Outputs before use, and ensuring Customer does not submit information that Customer is not authorized or legally permitted to process. If Customer submits unencrypted documents containing Personal Data or sensitive information, Customer assumes responsibility for that submission choice unless otherwise agreed in writing.
3.9 Subprocessors and Third-Party Services
Karbon Digital may use Subprocessors and infrastructure providers to deliver, host, maintain, secure, support, and improve the Services. Where required by applicable law or contract, Karbon Digital will make Subprocessor information available and will remain responsible for Subprocessor performance to the extent required under these Terms and applicable agreements.
If Customer elects to use integrations, connectors, or third-party services with the Services, Customer's use of those third-party services is governed by the applicable third-party terms and privacy notices. Karbon Digital is not responsible for third-party products or services that Customer chooses to use and that are outside Karbon Digital's reasonable control.
3.10 Feedback, Product Improvement, and Model Training
If Customer provides suggestions, enhancement requests, comments, or other feedback regarding the Services, Customer grants Karbon Digital a non-exclusive, worldwide, perpetual, irrevocable, transferable, sublicensable, and royalty-free right to use that feedback to develop, improve, and support the Services, provided the feedback does not intentionally include Customer Content or Personal Data.
Karbon Digital will not use Customer Content, including documents containing Personal Data, to train or fine-tune general-purpose models for unrelated customers unless Customer has provided explicit written authorization, the intended use is described in contract documentation, and such use is permitted by applicable law.
3.11 Compliance with Laws, Export Controls, and Sanctions
Customer will comply with all applicable laws, regulations, and industry requirements in its use of the Services, including laws relating to privacy, data protection, records management, intellectual property, anti-corruption, accessibility, and sector-specific obligations applicable to Customer's operations.
Customer will not use, access, export, re-export, transfer, or permit access to the Services in violation of applicable export control, trade compliance, or sanctions laws, including applicable restrictions of Canada, the United States, the United Kingdom, the European Union, and other relevant jurisdictions. Customer represents that it is not a prohibited or sanctioned party and is not located in a comprehensively sanctioned jurisdiction, except as authorized by law.
3.12 Fees, Payment, and Taxes
Fees, charges, billing terms, and payment schedules (if any) are specified in the applicable order form, subscription plan, statement of work, or pricing page. Unless otherwise expressly stated, fees are due in the stated currency, non-cancelable for the committed term, and non-refundable except where required by law or expressly provided in writing.
Customer is responsible for all applicable taxes, duties, levies, and similar governmental charges arising from its purchase or use of the Services, excluding taxes based on Karbon Digital's net income, property, or payroll. If withholding is required by law, Customer will provide documentation and cooperate in good faith.
3.13 Confidentiality
Each party (the "Receiving Party") may receive Confidential Information of the other party (the "Disclosing Party") in connection with the Services. The Receiving Party will use the Disclosing Party's Confidential Information only as necessary to exercise rights or perform obligations under these Terms and will protect it using at least reasonable care, and no less than the care used to protect its own confidential information of a similar nature.
Confidential Information does not include information that: (a) is or becomes public through no fault of the Receiving Party; (b) was known to the Receiving Party without restriction before disclosure; (c) is rightfully received from a third party without breach of any duty; or (d) is independently developed without use of the Disclosing Party's Confidential Information. The Receiving Party may disclose Confidential Information to the extent required by law, subpoena, or court order, subject to legally permitted notice.
3.14 Warranty Disclaimer
THE SERVICES AND OUTPUTS ARE PROVIDED "AS IS" AND "AS AVAILABLE." TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, KARBON DIGITAL DISCLAIMS ALL WARRANTIES AND CONDITIONS, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, AND ANY WARRANTIES ARISING FROM COURSE OF DEALING OR USAGE OF TRADE.
WITHOUT LIMITING THE FOREGOING, KARBON DIGITAL DOES NOT WARRANT THAT THE SERVICES OR OUTPUTS WILL BE UNINTERRUPTED, ERROR-FREE, SECURE, OR FREE OF HARMFUL COMPONENTS, OR THAT OUTPUTS WILL SATISFY CUSTOMER'S LEGAL, REGULATORY, OR BUSINESS REQUIREMENTS. CUSTOMER IS RESPONSIBLE FOR INDEPENDENT REVIEW, TESTING, AND VALIDATION.
3.15 Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL KARBON DIGITAL OR ITS AFFILIATES, LICENSORS, OR SUPPLIERS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR FOR ANY LOSS OF PROFITS, REVENUE, BUSINESS OPPORTUNITY, DATA, OR GOODWILL, ARISING OUT OF OR RELATED TO THE SERVICES, OUTPUTS, OR THESE TERMS, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, KARBON DIGITAL'S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THESE TERMS WILL NOT EXCEED THE TOTAL FEES PAID OR PAYABLE BY CUSTOMER TO KARBON DIGITAL FOR THE APPLICABLE SERVICES DURING THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM (OR, FOR FREE OR TRIAL SERVICES, CAD 1,000), EXCEPT TO THE EXTENT LIABILITY CANNOT BE LIMITED OR EXCLUDED BY LAW.
3.16 Indemnification
Customer will defend, indemnify, and hold harmless Karbon Digital and its officers, directors, employees, and agents from and against third-party claims, liabilities, damages, judgments, losses, and reasonable costs (including legal fees) arising out of or related to: (a) Customer Content; (b) Customer's or any User's use of the Services in violation of these Terms or applicable law; (c) Customer's failure to obtain required rights, notices, or consents; or (d) Customer's reliance on or distribution of Outputs without appropriate human review and controls, except to the extent caused by Karbon Digital's gross negligence or willful misconduct.
Karbon Digital will defend and indemnify Customer from third-party claims alleging that the Services (excluding Customer Content, Customer configurations, and third-party services) infringe a third party's intellectual property rights, and will pay finally awarded damages and reasonable settlement amounts approved by Karbon Digital, provided Customer promptly notifies Karbon Digital, allows Karbon Digital to control the defense and settlement, and reasonably cooperates. Karbon Digital may modify, replace, or suspend the affected Services if an infringement claim is likely.
3.17 Term, Suspension, and Termination
These Terms begin on the earlier of the date Customer first accepts them or first uses the Services and continue until the applicable subscription, order, or use is terminated. Either party may terminate for material breach if the breach remains uncured after written notice and a reasonable cure period, or immediately where required by law.
Karbon Digital may suspend or limit access to the Services immediately, with or without prior notice where reasonably necessary, for security incidents, suspected fraud or misuse, non-payment, legal compliance, or risk to the Services or other customers. Karbon Digital will use reasonable efforts to provide notice and restore access when the issue is resolved, where practicable.
3.18 Data Return and Deletion
Upon expiration or termination, Customer may request export or retrieval of available Customer Content and Outputs for a limited post-termination period, subject to technical feasibility, security requirements, and applicable fees or plan limitations.
Karbon Digital will delete, return, or de-identify Customer Content within a commercially reasonable period after termination in accordance with applicable law, documented retention schedules, and contractual commitments, except where retention is required for legal, regulatory, security, fraud prevention, backup integrity, or legitimate business recordkeeping purposes, in which case access will be restricted and the retained data protected.
3.19 Governing Law and Dispute Resolution
Unless otherwise specified in an executed agreement, these Terms are governed by the laws of the Province of Ontario and the federal laws of Canada applicable therein, without regard to conflict of law principles. Mandatory consumer protection or non-waivable local law provisions may apply where required by law.
Subject to applicable law and any agreed alternative dispute process in an executed agreement, the parties submit to the exclusive jurisdiction and venue of the courts located in Ontario, Canada, for disputes arising out of or relating to these Terms.
3.20 Changes to Terms
Karbon Digital may modify these Terms from time to time to reflect changes in the Services, legal requirements, security practices, or business operations. Updated Terms will be posted on the applicable website or communicated through the Services, and the revised effective date will be indicated.
Material changes will apply prospectively and, where required by law, only after notice or consent. Continued access to or use of the Services after the effective date of updated Terms constitutes acceptance of the updated Terms, except where a different process is required under an executed agreement or applicable law.
