    Legal Agreement

    Terms and Conditions

    Last Updated: September 2025

    These Terms and Conditions of Use (the "Agreement") govern the Customer's access to and use of the Software provided by EcoHedge Ltd.

    By accepting these terms, the Customer agrees to be bound by this Agreement. These Terms and Conditions govern the Customer's access to and use of the Software provided by ECOHEDGE LTD., a company registered in England and Wales with company number 9392547.

    1. Definitions and Interpretation

    1.1 The definitions and rules of interpretation in this clause apply in these terms and conditions:

    Agreement: The agreement between ECOHEDGE and the Customer for the sale and purchase of Software in accordance with these terms and conditions.
    AI Services: The artificial intelligence and machine learning features integrated into the Software, including automated transaction categorisation, emissions calculations, report generation, and data insights powered by third-party AI providers.
    API Integrations: Connections to third-party services including Xero, QuickBooks, Nango, and other accounting or business software platforms.
    Business Day: A day other than a Saturday, Sunday or public holiday in England when banks in London are open for business.
    Business Unit: A distinct operational division, department, or location within the Customer's organisation that can be separately tracked within the Software.
    Confidential Information: Information that is proprietary or confidential and is either clearly labelled as such or identified as Confidential Information in clause 10.5 or clause 10.6.
    Customer: The person or firm who subscribes to use the Software in accordance with these terms and conditions.
    Customer Data: The data inputted by the Customer and its Users for the purpose of using the Software, including accounting data, transaction records, supplier information, emissions data, and business unit information.
    Customer Marks: The Customer's name, logo, trademarks, and brand elements.
    Data Protection Laws: GDPR, UK GDPR, the Data Protection Act 2018, PECR, and any other applicable data protection and privacy laws, as amended from time to time.
    Demo Data: Sample data and reports provided by ECOHEDGE for demonstration purposes during trial periods or for new users.
    ECOHEDGE: ECOHEDGE LTD., a company registered in England and Wales with company number 9392547 and with a registered office at 71-75 Shelton Street, Covent Garden, London, England WC2H 9JQ.
    ECOHEDGE Generic Data: Anonymised and aggregated datasets derived from Customer Data, owned by ECOHEDGE, as detailed in clause 4.5.
    EEA Standard Contractual Clauses (SCCs): The standard contractual clauses approved by the European Commission for the transfer of Personal Data to third countries.
    Effective Date: The date these terms and conditions are accepted by the Customer.
    Fees: The fees for the use of the Software, as set out and updated from time to time at ecohedge.com/pricing.
    GDPR: Regulation (EU) 2016/679 (General Data Protection Regulation).
    Intellectual Property Rights: Any current and future intellectual property rights including patents, designs, copyright, database rights, trade marks, know-how, and rights of a similar character in any part of the world.
    Normal Business Hours: 9:00-17:00 local UK time on each Business Day.
    Personal Data, Process/Processing, Controller, Processor, Data Subject: Have the meanings given in the Data Protection Laws.
    Software: The online software platform available via app.ecohedge.ai provided by ECOHEDGE to the Customer, including all AI Services, API Integrations, and related features.
    Software Privacy Policy: ECOHEDGE's privacy policy, available at ecohedge.com/privacy (as updated from time to time).
    Subscription Term: The period commencing on the Effective Date and ending on the date the Agreement terminates in accordance with clauses 13 or 14.1.
    Subscription Tier: The level of service subscribed to by the Customer (e.g., Demo, Starter, Growth, Enterprise), each with different features and limitations.
    Support Services Policy: ECOHEDGE's policy for providing support as made available at ecohedge.com/technical-support.
    Third-Party Services: External services integrated with or accessible through the Software, including Auth0, Stripe, SendGrid, Nango, OpenAI, Xero, QuickBooks, and other platforms.
    UK Addendum: The addendum to the EEA SCCs approved by the UK ICO for transfers of Personal Data from the UK to third countries.
    UK GDPR: Has the meaning given in section 3(10) of the Data Protection Act 2018.
    UK IDTA: The UK International Data Transfer Agreement approved by the ICO for transfers of Personal Data from the UK to third countries.
    Users: The Customer's own users of the Software, including administrators, team members, and any other person the Customer allows to access the Software.
    Virus: Any thing or device (including software, code, file or programme) that may prevent, impair or adversely affect the operation of any computer software, hardware or network.
    Vulnerability: A weakness in computational logic found in software or hardware components that, when exploited, results in a negative impact to confidentiality, integrity, or availability.

    1.2 Interpretation: Headings are for convenience only and do not affect interpretation. References to statutes include modifications, re-enactments and subordinate legislation. References to "including" are deemed to be followed by "without limitation".

    Schedule 1: Processing, Personal Data and Data Subjects

    Subject matter of processing

    Provision of the Software including AI Services, API Integrations and carbon accounting functionality.

    Duration of processing

    The Subscription Term plus any retention period required by law and the 60-day export window post-termination.

    Nature of processing

    • Automated categorisation of financial transactions using AI
    • Import and analysis of accounting data via API Integrations
    • Generation of carbon emissions reports
    • Storage and processing of business unit and supplier data
    • User authentication, access management and service analytics

    Purpose of processing

    • Providing carbon accounting and reporting services
    • Improving categorisation accuracy and service quality
    • Generating industry benchmarks and insights using anonymised data
    • Providing technical support and security

    Types of Personal Data

    • User account information (name, email, role)
    • Supplier and contractor contact details contained within accounting records
    • Transaction metadata that may include personal information
    • Usage logs and support tickets

    Exclusions: Payment card primary account numbers (PAN), government ID images and biometric identifiers are not intended to be processed unless expressly agreed in writing and subject to additional safeguards (e.g., PCI DSS where applicable).

    Categories of Data Subject

    • Customer employees and Users
    • Suppliers and contractors present in accounting data
    • Support requesters
    • Business unit managers

    Controller obligations and rights

    As set out in the Data Protection Laws and this Agreement. The Customer shall ensure it has a valid lawful basis and appropriate transparency for all Customer Data provided to ECOHEDGE.

    Processing instructions

    ECOHEDGE shall act strictly in accordance with the Customer's documented instructions, unless required by law to process Personal Data otherwise, in which case ECOHEDGE shall inform the Customer (unless legally prohibited).

    Annex A: Technical and Organisational Measures (TOMs)

    ECOHEDGE implements the following baseline TOMs and shall not materially reduce them during the Subscription Term:

    1. Encryption

    TLS 1.2+ for data in transit; AES-256 (or functionally equivalent) for data at rest. Separate encryption domains per environment; key management with restricted access and rotation.

    2. Access Control

    Role-based access control, least privilege, SSO where feasible, quarterly access reviews, joiner-mover-leaver process.

    3. Secure Development

    Secure SDLC with code review, dependency management, SAST/DAST, supply-chain scanning; secrets management; IaC controls.

    4. Vulnerability Management

    Formal programme with SLAs: critical vulnerabilities remediated within 72 hours, high within 7 days, medium within 30 days; emergency patching process.

    5. Logging and Monitoring

    Centralised logging, time synchronisation, alerting for suspicious activities, retention aligned to legal and operational needs.

    6. Network Security

    Segmentation, firewalls/WAF, hardening standards, DDoS protections, least-exposed services principle.

    7. Data Segregation

    Logical tenant isolation and safeguards against cross-tenant data access.

    8. Backups and Disaster Recovery

    Encrypted daily backups; periodic restore testing; defined RPO/RTO; documented business continuity and disaster recovery plans.

    9. Incident Response

    24×7 on-call rotation, runbooks, tabletop exercises, defined escalation paths and communication plans.

    10. Supplier Risk Management

    Security and privacy due diligence for sub-processors; annual reassessment; contractual controls aligned with Article 28.

    11. Penetration Testing

    At least annually by an independent, suitably qualified provider (e.g., CREST/TIGER); executive summary available to Customers under NDA.

    12. Data Deletion and Media Sanitisation

    Secure deletion aligned to NIST SP 800-88 (or equivalent) standards; documented retention schedules; verifiable deletion on request and post-termination.

    Customer Responsibilities

    The Customer is responsible for securing its endpoints, accounts, and client-side connectors/agents, including timely patching and MFA enforcement.

    Contact Information

    EcoHedge Ltd

    71-75 Shelton Street, Covent Garden

    London, England WC2H 9JQ

    Email (general, legal, privacy, and support): support@ecohedge.com