Platform Terms of Service

The terms on which AriaPLT™ is provided.

These Terms of Service ("ToS") govern the contractual relationship between SINAURA S.R.L. and the Customer subscribing to the AriaPLT™ platform, accessible at ariaplt.com.

Version 1.5 · Last updated: 16 May 2026 · Reference: Italian Civil Code · D.Lgs. 70/2003 · D.Lgs. 24/2023 · GDPR · EU AI Act · EU Data Act (Reg. 2023/2854) · NIS2 (Dir. 2022/2555) · Reg. (EU) 833/2014 and Reg. (EU) 269/2014 · Digital Content Directive 2019/770 · eIDAS (Reg. 910/2014).

THE AGREEMENT

These Terms of Service (the "ToS"), together with all exhibits, addenda and references incorporated herein — including without limitation the Master Services Agreement (the "MSA"), the Data Processing Agreement (the "DPA"), the Service Level Agreement (the "SLA"), the Acceptable Use Policy (the "AUP"), the Privacy Policy, the EU Data Act Addendum (where applicable), the DORA Addendum (where the Customer is a financial entity under DORA), any Additional Terms published at sinauragroup.com/en/legal/terms-of-service#additional-terms and any other addendum referenced from these ToS — and any Order Form executed by the Customer (all collectively defined herein as the "Agreement"), form a legally binding and enforceable agreement by and between SINAURA S.R.L. ("SINAURA") and the Customer, as such terms are defined below and detailed in the Order Form. SINAURA and the Customer may be referred to herein collectively as the "Parties" and individually as a "Party". The Agreement is effective as of the date on which the Customer accepts these ToS (the "Effective Date"), in any of the modalities set out under "Acceptance of these Terms" below.

ACCEPTANCE OF THESE TERMS

By (a) clicking "I agree" (or any similar button or check-box) at the time of registration to the Platform, (b) executing an MSA or Order Form referencing these Terms, (c) accessing or using the Platform via an Evaluation Account, Authorised User credentials or API key, or (d) otherwise interacting with the Platform on behalf of the Customer, the accepting person represents that they have the legal authority to bind the Customer (where acting on its behalf) and agrees to be bound by these Terms, by the Privacy Policy and the DPA referenced herein, by any Additional Terms published at sinauragroup.com/en/legal/terms-of-service#additional-terms, and by the SLA where signed. These Terms constitute a binding agreement between the Customer and SINAURA S.R.L. as of the date of such acceptance.

Modalities of acceptance and regime applicable to vexatious clauses

The evidentiary regime applicable to acceptance, and in particular to clauses qualifying as vexatious under Art. 1341 of the Italian Civil Code, varies depending on the commercial profile under which the Customer accesses the Platform:

(A) Enterprise Customers (custom / negotiated Subscription). Where the Customer enters into an Enterprise Subscription — i.e. a Subscription whose pricing, scope or technical conditions are individually negotiated between the Parties and reflected in a custom MSA or Order Form, rather than purchased under the published pricing at ariaplt.com#pricing — acceptance is perfected through execution of the MSA or Order Form by means of (i) handwritten signature or (ii) advanced or qualified electronic signature as defined under Reg. (EU) 910/2014 (eIDAS) and Italian D.Lgs. 82/2005, delivered through a recognised trust service provider. For Enterprise Customers, clauses qualifying as vexatious under Art. 1341 of the Italian Civil Code — namely Art. 10 (limitation of liability); Art. 11 (indemnification); Art. 12 (suspension, termination and switching); Art. 14 (export controls and sanctions); Art. 17 (governing law and jurisdiction); Art. 18 (unilateral amendments); Art. 19 (assignment by SINAURA); Art. 20 (anti-plagiarism remedies); Art. 21 (Customer-level NDA and Lockout) — require specific and separate written approval, obtained through dedicated, individually identified check-boxes (or initials) executed alongside the principal signature, with the same advanced or qualified electronic signature, in the MSA or Order Form.

(B) Standard Paying Customers (published pricing). Where the Customer purchases a Subscription at the standard pricing published at ariaplt.com#pricing, acceptance is perfected through click-through at registration or check-out. Clauses qualifying as vexatious under Art. 1341 of the Italian Civil Code — as listed under (A) above — are specifically approved by the Customer through a separate, dedicated check-box that lists such clauses individually, distinct from the general acceptance check-box, with retention of the technical record set out in Art. 21 (registering person's identifiers, version accepted, IP address, user-agent, cryptographic hash of the accepted text and of the specific approval).

(C) Evaluation Accounts. Where the Customer accesses the Platform under an Evaluation Account (demo, trial, free-tier or sandbox), acceptance is perfected through click-through at registration, with retention of the technical record set out in Art. 21. For Evaluation Accounts:

• (i) the Customer Lockout Period set out in Art. 21 applies only at the Customer-entity level and only with respect to contemporaneous business activity that competes with the Platform; no personal Lockout obligation, non-compete obligation or liquidated damages obligation attaches to the Authorised User as a natural person;
• (ii) Art. 18 (amendments) requires SINAURA to give Evaluation Customers no less than thirty (30) days' prior notice of material changes and the right to discontinue the evaluation at no cost;
• (iii) Art. 14 (export controls) and Art. 05 (AUP) apply in full;
• (iv) Art. 17 (governing law and jurisdiction) applies subject to the mandatory rules of jurisdiction available to consumers and to micro-enterprises under Italian law, where applicable.

(D) Authorised Users. Authorised Users accept the user-level obligations set out in Art. 21 (NDA at user level) through a separate, dedicated click-through at first access, and do not assume Customer-level obligations.

Where a translation of these ToS is provided into Italian, and the Customer is headquartered in Italy and the Agreement is governed by Italian law (see Art. 17 — EMEA Region), the Italian version of these ToS prevails over the English version with respect to clauses qualifying as vexatious under Art. 1341 of the Italian Civil Code and with respect to the information obligations under Artt. 12, 13 and 14 GDPR. The Italian version is published at sinauragroup.com/it/legal/terms-of-service and is updated concurrently with the English version.

01 · DEFINITIONS

02 · SERVICE DESCRIPTION

What AriaPLT™ offers

AriaPLT™ is an industrial AgenticAI platform addressed to companies in manufacturing, energy, oil & gas, utilities and transport. Provided on a Software-as-a-Service basis, the Platform offers:

• vertical AgenticAI agents for industrial processes (work orders, P&IDs, technical manuals, telemetry);
• vertical RAG integrations, ERP/CMMS/SCADA connectors and APIs;
• dashboards, audit trail, data export;
• technical documentation, SDK and support.

Specific features of each plan (rate limits, seats, enabled modules, SLA) are described in the Order Form signed by the Customer.

The intended use cases for which the Customer is authorised to deploy the Platform are set out in the Permitted Use Schedule and acknowledged in the Order Form. Use of the Platform for any use case not included in the Permitted Use Schedule requires SINAURA's prior written approval.

03 · ACCOUNT, ACCESS AND SECURITY

Access to the Platform requires creation of a dedicated workspace and named Authorised User accounts. Authorised Users must be of legal age and act within the scope of duties assigned by the Customer.

The Customer is responsible for the safekeeping of credentials, for proper role assignment (RBAC) and for any activity carried out via its accounts, whether authorised or not. MFA is mandatory for accounts with administrative privileges.

Credential compromise

In case of actual or suspected compromise of credentials or API keys, the Customer shall:

• (a) immediately revoke or rotate the affected credentials or API keys via the Platform's administrative interface;
• (b) notify SINAURA without undue delay at info@sinauragroup.com, including (where known) the affected accounts, the time-window of suspected compromise and any mitigation actions taken;
• (c) cooperate with SINAURA in any forensic or containment activity.

SINAURA may proactively freeze affected accounts upon credible indication of compromise and shall promptly notify the Customer.

Federated identity (SSO)

Where supported by the Order Form, the Customer may federate Authorised User identity through SAML 2.0 or OpenID Connect against an Identity Provider operated by or for the Customer. Federated authentication does not relieve the Customer from the obligations set out in this Article in relation to identity governance, deprovisioning and access logging.

Prohibitions on credentials, accounts and API keys

Unless expressly authorised in writing by SINAURA, the Customer and Authorised Users shall not:

• share named credentials between Authorised Users or with third parties;
• create multiple or fictitious accounts to circumvent rate limits, quotas or pricing tiers;
• sell, lease, sub-license, transfer or otherwise commercialise accounts, named credentials or API keys;
• use API keys outside the systems and integrations declared by the Customer.

SINAURA may suspend access immediately in cases of suspected compromise, breach of these ToS, or order of competent authorities.

04 · SUBSCRIPTION, FEES AND BILLING

Pricing

Pricing for the Customer's use of the Platform is published at ariaplt.com#pricing unless otherwise agreed in a written ordering document executed by the Customer and SINAURA (each, an "Order Form").

Payments

Except as otherwise set forth in the applicable Order Form, the Customer shall pay all fees due hereunder for its use of the Platform (the "Fees") within thirty (30) days from the date of the invoice. Where the Customer has an active account with a registered payment method, Fees are automatically charged on a monthly basis as provided in the Order Form or other order confirmation. All amounts paid by the Customer are non-refundable, non-cancellable and non-creditable, save where (i) otherwise required by mandatory law, or (ii) the Subscription is terminated by the Customer for cause materially attributable to SINAURA, in which case the Customer is entitled to a pro-rata refund of Fees prepaid for the unused period.

Payments are processed via bank transfer or through authorised third-party payment sub-processors.

Taxes

Fees are exclusive of all Taxes. The Customer is responsible for settling any applicable taxes, fee levies, duties or similar governmental charges (collectively, "Taxes") that may be levied on top of the Fees and must pay SINAURA under this Agreement without any deductions related to Taxes. If SINAURA is required to collect or pay any Taxes, they will be invoiced to the Customer unless the Customer promptly provides a valid tax-exemption certificate. If the Customer is obligated by law to withhold Taxes from any payments under these Terms, the Customer agrees to gross up the payment amount to ensure that SINAURA receives the full agreed-upon Fees, and is solely responsible for remitting the withheld amounts to the relevant authorities.

VAT is applied according to the place-of-supply rules: reverse charge for intra-EU B2B customers (Art. 7-ter D.P.R. 633/1972 / Art. 196 Dir. 2006/112/EC); not subject to VAT for extra-EU customers under the relevant exemption.

Invoicing

Invoices are issued in compliance with Italian tax law, through the Italian electronic invoicing system (Sistema di Interscambio – SDI).

Late payment

In case of late payment, statutory interest under D.Lgs. 231/2002 applies automatically from the day following the due date, without need of formal notice, in addition to the recovery costs provided therein. In case of non-payment after due notice, SINAURA may suspend access and terminate the contract pursuant to Art. 1456 of the Italian Civil Code.

Payment disputes

In the event of a good-faith dispute as to an invoice, the Customer must (a) pay all undisputed Fees on time and (b) notify SINAURA in writing at info@sinauragroup.com within thirty (30) days from issuance of the invoice, with sufficient detail to explain the basis of the dispute. The Parties shall use reasonable efforts to resolve the dispute within thirty (30) days from such notice; failing which, the dispute resolution mechanism of Art. 17 applies.

Price changes at renewal

Save where otherwise agreed in the Order Form, SINAURA may revise the Fees applicable to subsequent renewal periods by giving the Customer at least sixty (60) days' prior written notice before the renewal date, and no more frequently than once per calendar year. Where the increase exceeds the cumulative European HICP variation since the last revision, the Customer is entitled to terminate the Subscription with effect from the renewal date by written notice given within thirty (30) days of receipt of SINAURA's notice. Until termination takes effect, the existing fees continue to apply.

05 · ACCEPTABLE USE POLICY

Permitted uses

• Use of the Platform for internal industrial purposes of the Customer within the limits of the Subscription and of the Permitted Use Schedule;
• Upload of business data and documents to the Customer's workspaces;
• Integration with the Customer's ERP/CMMS/SCADA systems via official connectors;
• Export and portability of Customer Data in supported formats.

Prohibited uses

It is strictly prohibited — and constitutes grounds for immediate suspension and legal action — to use the Platform for:

• unlawful, fraudulent, defamatory activities or activities harmful to third-party rights;
• any use prohibited by Art. 5 of the EU AI Act (Reg. 2024/1689), including social scoring, manipulative or exploitative AI, untargeted scraping of facial images, real-time remote biometric identification in publicly accessible spaces, emotion recognition in workplace or educational settings, and predictive policing;
• integration of Output into systems made available to natural persons without compliance with the transparency and disclosure obligations of Art. 50 of the EU AI Act, including labelling of AI-generated content and disclosure of interaction with an AI system;
• safety-critical, life-critical or business-critical workflows in which the Output is acted upon without adequate human-in-the-loop supervision by competent personnel of the Customer;
• unauthorised access attempts, reverse engineering, mass scraping, port scanning, or penetration testing not agreed with SINAURA;
• uploading malware or harmful code;
• uploading special categories of personal data under Art. 9 GDPR, or personal data relating to criminal convictions and offences under Art. 10 GDPR, without prior written agreement and DPIA;
• circumventing rate or quota limits, or security controls (MFA, RBAC, tenant segregation);
• training generalist AI models or developing AI products competing with the Platform using Output, agent behaviour, prompts or any other content obtained from the Platform;
• training generalist AI models on SINAURA™ content, trademarks or intellectual property;
• reselling, sub-licensing or making the Platform or parts thereof available to third parties without written authorisation;
• plagiarising, cloning, replicating, imitating or reverse-designing — in whole or in part — the Platform, its agents, agent prompts, system instructions, workflows, RAG pipelines, ontologies, knowledge bases, connectors, APIs, SDK, user interface, look-and-feel, navigation patterns, dashboards, naming conventions, documentation or any other proprietary or distinctive component, regardless of the technical means used;
• using the Platform, its Outputs or any information obtained through use of the Platform (including during demo, trial, free tier or paid Subscription) to design, develop, train, benchmark or launch a competing or substantially similar product, service, agent, model or interface;
• registering trademarks, domain names, trade dress, designs or copyrights that are identical, confusingly similar or evocative of AriaPLT™ or Sinaura™ assets, in any jurisdiction worldwide.

Without prejudice to the specific obligations and remedies set out in Art. 20 (Anti-Plagiarism) and Art. 21 (NDA and Lockout).

06 · INTELLECTUAL PROPERTY AND LICENCE

What belongs to whom

The Platform, the source code, the agents, the proprietary models, the documentation, the knowledge bases, the ontologies and the trademarks AriaPLT™, SINAURA™ and Sinaura Group™ are the exclusive property of SINAURA S.R.L. and/or its respective licensors. SINAURA holds sui generis database rights pursuant to Directive 96/9/EC on all proprietary databases, ontologies and knowledge bases embedded in the Platform.

For the duration of the Subscription, SINAURA grants the Customer a non-exclusive, non-transferable, non-sub-licensable licence, limited to internal use of the Platform by its Authorised Users. All rights, title and interest in and to the Platform not expressly granted to the Customer under these ToS are reserved by SINAURA and its licensors.

Customer Input and Output

As between the Parties, the Customer retains all right, title and interest in and to Input and Customer Data. Subject to payment of the applicable fees and to compliance with these ToS, SINAURA assigns to the Customer, to the maximum extent permitted by law, all right, title and interest that SINAURA may have in and to the Output generated for the Customer from its Input and Customer Data. SINAURA does not claim rights over such data and does not use it to train generalist models intended for or shared with other customers. The Parties acknowledge that, under EU and Italian copyright law, content generated entirely by AI systems without sufficient human creative contribution may not qualify for copyright protection; the assignment above operates to the maximum extent of any right, title or interest that may subsist.

Licence granted by the Customer to SINAURA — IP-protectable content only

The Customer grants SINAURA a non-exclusive, worldwide, royalty-free licence — sub-licensable solely to the Sub-processors listed in Annex 3 of the DPA — to host, store, transmit, process and display the copyrightable, database-right-protectable or otherwise IP-protectable elements of the Input and Customer Data, solely as strictly necessary to provide the Platform and the related services during the Subscription term. This licence terminates upon termination of the Subscription, save for the retention and deletion obligations set out in Annex 4 of the DPA and for statutory retention obligations under applicable law.

No licence is granted under this clause in respect of Personal Data contained in Input or Customer Data. The processing of Personal Data is governed exclusively by the DPA pursuant to Art. 28 GDPR, on the basis of the controller-processor relationship therein defined; no proprietary or licence-based claim is asserted or implied by SINAURA on such Personal Data, and the Customer remains, vis-à-vis the data subjects, the controller of such Personal Data unless a different qualification is expressly agreed in the DPA.

Output similarity

Due to the statistical nature of the underlying AI models, Output generated for the Customer may be similar or identical to Output generated for other customers from comparable Input. SINAURA does not warrant uniqueness or originality of Output and the Customer remains responsible for verifying suitability and non-infringement of third-party rights before relying on or publishing Output.

AI Act transparency (Art. 50 Reg. 2024/1689)

Where the Customer integrates Output into systems, products or services made available to natural persons, the Customer shall implement the transparency and disclosure obligations required by Art. 50 of the EU AI Act, including labelling of AI-generated content and disclosure of interaction with an AI system, as applicable. SINAURA disclaims any liability arising from the Customer's failure to comply with such transparency obligations.

High-risk AI systems (Art. 6 and Annex III AI Act)

The Permitted Use Schedule identifies the use cases for which the Platform is intended to be used and expressly excludes use cases that would qualify the deployment as a high-risk AI system under Art. 6 and Annex III of the EU AI Act, unless such use case is specifically activated under a dedicated written addendum executed by the Parties (the "High-Risk AI Addendum").

Where, notwithstanding the Permitted Use Schedule, the Customer integrates Outputs into AI systems classified as high-risk under Art. 6 and Annex III of the EU AI Act, the Customer assumes the obligations of deployer (or, where applicable, provider) under such Regulation, including risk management, conformity assessment, human oversight, post-market monitoring and reporting. SINAURA's role is limited to providing the underlying Platform and does not constitute, on its own, deployment of a high-risk AI system, provided that SINAURA has not configured, marketed or otherwise made available the Platform with a specific intended purpose falling within Annex III. Where such intended purpose is specifically activated through the High-Risk AI Addendum, the Parties shall allocate the obligations of provider and deployer in accordance with Art. 25 of the AI Act.

At the time of activation of any module, the Customer attests to the intended use case and acknowledges its qualification under the Permitted Use Schedule.

Interoperability — mandatory user rights

The prohibitions on reverse engineering set out in these ToS shall not affect the mandatory rights of the Customer under Art. 6 of Directive 2009/24/EC and Art. 64-quater of Italian Law 633/1941, where strictly necessary to achieve interoperability of the Platform with other independently created programs, provided that the statutory conditions are met and that information so obtained is not used for any other purpose.

Text and data mining — reservation of rights

SINAURA expressly reserves, pursuant to Art. 4(3) of Directive (EU) 2019/790 and Art. 70-quater of Italian Law 633/1941, all rights of text and data mining on the Platform, its documentation, models, Outputs and on all SINAURA™ content, in any form of expression. The corresponding machine-readable opt-out is implemented through robots.txt, TDM Reservation Protocol (TDMRep) metadata and HTTP headers at the domains operated by SINAURA.

Third-party and open-source components

The Platform may include third-party and open-source components licensed under their respective licences, which prevail over these ToS solely as to such components. The notice file listing such components and their licences is available at sinauragroup.com/en/legal/terms-of-service#third-party-and-open-source-components

Feedback

Suggestions, reports or feedback provided by the Customer may be used by SINAURA to improve the Platform without compensation, on a perpetual, irrevocable, royalty-free basis. SINAURA shall use such feedback only after applying robust anonymisation techniques consistent with the EDPB guidance on anonymisation in force at the time, such that no Personal Data of the Customer's Authorised Users or end-users may be inferred from the feedback as used. Where the feedback contains Personal Data that cannot be anonymised, SINAURA shall either obtain a separate lawful basis or refrain from such use.

07 · CONFIDENTIALITY

Mutual non-disclosure obligations

The Parties exchange confidential information during the relationship (prices, roadmap, trade secrets, technical data, configurations). Each Party undertakes to protect it. The confidentiality obligations set out in this Article apply at the contractual level of the relationship between SINAURA and the Customer, and are without prejudice to — and supplementary to — the user-level confidentiality undertaking set out in Art. 21 (NDA and Lockout Agreement).

(1) Confidential Information means any technical, commercial, financial, industrial or organisational information communicated by one Party to the other in any form, including prices, source code, configurations, end-customer data, roadmap, trade secrets and know-how.

(2) Obligations — each Party shall: (a) treat the other Party's Confidential Information with the same care as its own; (b) use it only for the performance of the contract; (c) disclose it only to its employees/contractors bound by an equivalent obligation; (d) not disclose it to third parties without prior written consent.

(3) Exclusions — information is not Confidential Information if: (a) it is publicly known without breach by the receiving Party; (b) it was known to the receiving Party prior to disclosure without obligation of confidentiality; (c) it was developed independently; (d) its disclosure is required by law or competent authority, subject to prior notice; (e) its disclosure is required for whistleblowing purposes under D.Lgs. 24/2023 or for the exercise of rights vis-à-vis supervisory authorities, judicial authorities or employee representative bodies.

(4) Duration — the obligation under this Art. 07 lasts ten (10) years from termination of the contract, aligned with the duration of the user-level NDA under Art. 21. For trade secrets under Art. 98 of the Italian IP Code, the obligation is unlimited in time.

Confidentiality of personal data is further governed by §3.2 of the DPA (confidentiality of personnel authorised to process the data).

08 · PERSONAL DATA PROTECTION

The processing of personal data under this contract is governed by the Data Processing Agreement (DPA) pursuant to Art. 28 GDPR, signed together with these ToS, including its Annexes (TOMs, data categories, sub-processors, T0–T15–T30 deletion procedure).

Allocation of roles

For Personal Data contained in Customer Data and Input, SINAURA acts as processor on behalf of the Customer (the controller), in accordance with the DPA.

For Personal Data collected and processed by SINAURA in its own name and for its own purposes — including (a) data of Authorised Users created at account registration, (b) billing and accounting data, (c) telemetry data collected for the purposes of service security, fraud prevention, capacity planning and quality of service — SINAURA acts as independent controller and processes such data on the legal bases identified in the public Privacy Policy.

Legal bases relied upon

Where SINAURA acts as independent controller, the legal bases relied upon are: performance of the contract (Art. 6(1)(b) GDPR) for account, billing and service-delivery data; legitimate interest (Art. 6(1)(f) GDPR) for security telemetry, fraud prevention and quality-of-service analytics; and compliance with legal obligations (Art. 6(1)(c) GDPR) for accounting, tax, anti-money-laundering and statutory retention. The relevant legitimate interest assessments (LIA) are documented in SINAURA's accountability records.

Transparency and information to data subjects

The information required under Artt. 12, 13 and 14 GDPR is provided in the applicable Privacy Policy available at sinauragroup.com/en/legal/platform-privacy-policy. The Customer undertakes to ensure that its own data subjects (Authorised Users, end-customers, employees) are informed of the processing carried out through the Platform by means of the Customer's own privacy notices.

International transfers

Where Personal Data are transferred outside the European Economic Area, SINAURA relies on the safeguards set out in Chapter V of the GDPR, including (i) the European Commission's adequacy decisions, including the EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795) for participating Sub-processors, (ii) the 2021 Standard Contractual Clauses (Decision (EU) 2021/914), or (iii) Binding Corporate Rules, supplemented where necessary by transfer impact assessments (TIA) and supplementary measures consistent with EDPB Recommendations 01/2020 and 02/2020. The current list of Sub-processors, the destination countries and the applicable safeguards are published at sinauragroup.com/en/legal/dpa#annex-3-authorised-sub-processors and detailed in Annex 3 of the DPA.

Processing of website visitors

Processing of data of visitors to the website ariaplt.com is governed by the public Privacy Policy available at sinauragroup.com/en/legal/website-privacy-policy.

Data Protection Officer

For privacy and data-protection matters under this Agreement, data subjects and Customers may address their requests in the exercise of their rights under Artt. 15 to 22 GDPR to info@sinauragroup.com or, where a certified channel is required, to sinaurasrl@legalmail.it.

09 · WARRANTIES AND DISCLAIMERS

Service provided "as is"

SINAURA undertakes to provide the Platform with the diligence of a good professional, in compliance with industry practice and — where signed — with the agreed SLAs.

To the extent permitted by law and except as otherwise provided in the Order Form, the Platform is provided "as is" and "as available". In particular, SINAURA does not warrant that:

• the Platform is continuously available, error-free or fully immune from vulnerabilities;
• outputs of AriaPLT™ agents are accurate, complete or fit for critical decision-making purposes without adequate human supervision (human-in-the-loop);
• the Platform is compatible with any hardware/software/browser/third-party integration chosen by the Customer.

The above disclaimers do not apply to liability for wilful misconduct or gross negligence, which remains unaffected pursuant to Art. 1229 of the Italian Civil Code.

Cybersecurity warranty (NIS2 alignment)

Notwithstanding the "as is" disclaimer, SINAURA warrants to maintain, throughout the Subscription, the technical and organisational measures set out in Annex 1 of the DPA (TOMs) and to operate in alignment with Directive (EU) 2022/2555 (NIS2), as applicable to SINAURA in its role as ICT service provider. This warranty does not extend to vulnerabilities or incidents whose primary cause is attributable to Customer-side environments, configurations or integrations, or to the Customer's failure to apply Mandatory Updates as defined in Art. 15.

Beta / Labs features

Features expressly identified as "Beta", "Labs", "Preview" or "Experimental" are provided exclusively for evaluation purposes, on an "as is" basis, without any SLA, warranty or commitment of continued availability. Activation of Beta / Labs features requires explicit opt-in by an administrative Authorised User of the Customer, with on-screen acknowledgement of the experimental nature. The Customer shall not rely on Beta / Labs features for production, safety-critical or business-critical workflows. SINAURA's liability for Beta / Labs features is limited to wilful misconduct and gross negligence pursuant to Art. 1229 of the Italian Civil Code; outside such cases, SINAURA disclaims any liability arising from such use. SINAURA may modify, suspend or discontinue Beta / Labs features at any time without notice.

10 · LIMITATION OF LIABILITY

Liability cap

To the extent permitted by law, SINAURA's total liability towards the Customer — on any ground (contractual, non-contractual, indemnification, breach of warranty) related to the use of the Platform — is limited, per calendar year, to the amount of fees actually paid by the Customer to SINAURA in the twelve (12) months preceding the event giving rise to the damage.

In any case, save for wilful misconduct or gross negligence, SINAURA shall not be liable for indirect, consequential damages, loss of profit, loss of opportunity, loss of clients, or loss of data caused by Customer configurations.

The above limitations do not apply: (a) to wilful misconduct or gross negligence; (b) to personal injury; (c) to wilful breaches of confidentiality or intellectual property; (d) to cases mandatory under law, including joint liability under Art. 82 GDPR.

Sector-specific override (DORA / NIS2)

Where the Customer is a financial entity subject to Reg. (EU) 2022/2554 (DORA) or an essential/important entity subject to Directive (EU) 2022/2555 (NIS2) and to D.Lgs. 138/2024, the liability cap and the exclusion of indirect damages set out in this Article may be modified, with respect to events directly attributable to SINAURA's failure to comply with the cybersecurity, incident-management or third-party-risk obligations applicable to the Customer's sector, in the DORA Addendum or in a specific sector addendum executed by the Parties. In the absence of such addendum, the provisions of this Article apply.

Safety-critical use cases

The Customer acknowledges that use of the Platform outside the Permitted Use Schedule, or in safety-critical workflows without adequate human-in-the-loop supervision, falls outside SINAURA's reasonable foreseeability of damages and is not covered by SINAURA's liability hereunder.

11 · INDEMNIFICATION

(1) SINAURA shall hold the Customer harmless from third-party claims alleging that the Platform, when used in compliance with these ToS, infringes third-party intellectual property rights protected within the European Union, within the liability cap set out in Art. 10.

(2) The Customer shall hold SINAURA harmless from third-party claims arising from: (a) upload of unlawful content to the Platform; (b) use of the Platform in breach of these ToS or of law; (c) infringement of third-party rights attributable to Customer Data, prompts or configurations; (d) failure to comply with transparency obligations under Art. 50 of the EU AI Act in respect of Output integrated into the Customer's products or services.

Defence procedure

(3) The Party seeking indemnification ("Indemnified Party") shall: (a) promptly notify the other Party of the claim in writing, in any case within fifteen (15) business days from receipt of formal notification, save where delay does not materially prejudice the defence; (b) grant the indemnifying Party ("Indemnifying Party") sole control of the defence and settlement, provided that any settlement that imposes non-monetary obligations on the Indemnified Party requires its prior written consent; (c) provide reasonable cooperation at the Indemnifying Party's expense; (d) take reasonable steps to mitigate damages.

Alternative remedies for IP infringement

(4) If the Platform is found, or in SINAURA's reasonable opinion is likely to be found, to infringe third-party intellectual property rights, SINAURA may, at its discretion and at its expense: (a) modify the Platform so that it ceases to infringe while preserving substantially equivalent functionality; (b) obtain a licence enabling continued use; or (c) terminate the affected portion of the Subscription and refund the pro-rata portion of fees prepaid for the unused period. Such remedies constitute the Customer's sole and exclusive remedy for IP infringement, without prejudice to mandatory provisions of law.

12 · TERM, SUSPENSION AND TERMINATION

The term of the contract is set out in the Order Form, with tacit renewal unless written notice of termination is given 60 days in advance.

SINAURA may suspend access in case of: (a) breach of the AUP; (b) non-payment; (c) serious and documented security risk to the Platform or other customers; (d) order of competent authority. In case (c), SINAURA shall give the Customer the opportunity to be heard within a reasonable time-frame compatible with the urgency of the risk.

Upon termination, the T0–T15–T30 procedure applies for the return and deletion of data (Annex 4 of the DPA).

Switching and portability (EU Data Act, Reg. 2023/2854)

In accordance with the EU Data Act, the Customer is entitled, both during and at the end of the Subscription, to switch to another provider of equivalent service or to an on-premise solution. To that end, SINAURA shall:

• make available export tools and APIs to retrieve Customer Data, configurations and exportable digital assets in structured, commonly used and machine-readable formats (CSV, JSON, PDF, where applicable in the original format of receipt);
• support the switching process upon written request from the Customer, with completion of the data extraction within thirty (30) days of the agreed switching date, subject to the technical feasibility of the requested transfer;
• progressively withdraw any switching charges in compliance with the timetable set out in the EU Data Act, with full removal of such charges by 12 January 2027.

The functional equivalence of Customer Data once migrated to another provider remains under the Customer's responsibility and the third-party provider's capabilities. SINAURA gives no warranty of compatibility with destination environments.

Where the Customer is a financial entity subject to DORA, the additional exit-strategy provisions set out in the DORA Addendum apply and prevail with respect to such Customer.

Survival

The following provisions survive the termination of this contract, for the duration necessary to give them effect: Art. 06 (intellectual property), Art. 07 (confidentiality), Art. 10 (limitation of liability), Art. 11 (indemnification), Art. 14 (export controls and sanctions), Art. 17 (governing law and jurisdiction), Art. 20 (anti-plagiarism), Art. 21 (NDA and Lockout Agreement), §3.8 of the DPA (return and deletion), as well as any further provision which by its nature is intended to survive.

13 · FORCE MAJEURE

Neither Party shall be liable for non-performance or delay due to force majeure events (natural events, acts of authority, war, general strikes, large-scale cyber attacks) lasting more than 30 days, subject to timely notice. The affected Party shall use reasonable efforts to mitigate the impact and resume performance as soon as the force majeure event ceases.

Cloud infrastructure provider unavailability qualifies as a force majeure event under this Article only where (i) the unavailability could not reasonably have been foreseen at the time the relevant arrangement was put in place, (ii) SINAURA has activated the redundancy and exit measures envisaged in its operational resilience plan and in the DPA's TOMs, and (iii) the unavailability persists notwithstanding such measures. Otherwise, such unavailability is governed by Art. 09 and Art. 10 and, where applicable, by the DORA Addendum.

14 · EXPORT CONTROLS, SANCTIONS AND ANTI-CORRUPTION

(1) The Customer agrees to comply with all applicable export control, economic sanctions and trade compliance laws and regulations, including those of the European Union (Reg. (EU) 2021/821 on dual-use; Reg. (EU) 833/2014 and Reg. (EU) 269/2014 on restrictive measures in view of the situation in Ukraine; Reg. (EU) 765/2006 on restrictive measures in view of the situation in Belarus), the United Nations Security Council, the United States and, where applicable, of any other jurisdiction in which the Customer operates. The Customer represents and warrants that:

• neither the Customer, nor any of its Authorised Users, Affiliates or beneficial owners are located in, organised under the laws of, or controlled by any country, territory, entity or person subject to comprehensive sanctions or embargoes by the European Union, the United States or the United Nations Security Council (including, as of the version date of these Terms: Cuba, Iran, North Korea, Syria, and the Crimea, Donetsk and Luhansk regions of Ukraine);
• neither the Customer, nor any of its Authorised Users, Affiliates or beneficial owners are listed on any applicable government denied-party, restricted-party or sanctions list, including those maintained by the U.S. Office of Foreign Assets Control (OFAC), the U.S. Department of Commerce, the European Union or the United Nations Security Council;
• the Customer will not use, re-export, transfer or disclose the Platform, Output or any technical data in violation of any applicable export control or sanctions laws or regulations, including the U.S. Export Administration Regulations (EAR) and the International Traffic in Arms Regulations (ITAR);
• the Customer will not permit any third party to use the Platform or Output in violation of such laws;
• the Customer will obtain all necessary governmental authorisations, licences or approvals required to export, re-export or transfer the Platform, Output or technical data;
• the Customer will not use information governed by any of the foregoing as Input without first obtaining all necessary governmental authorisations.

(2) The Customer further warrants compliance with applicable anti-corruption laws, including Italian D.Lgs. 231/2001, the UK Bribery Act and, where applicable, the U.S. Foreign Corrupt Practices Act (FCPA).

(3) The above warranties are deemed repeated at each Subscription renewal. The Customer shall promptly notify SINAURA of any change in its sanctions or export-control status. SINAURA may suspend or terminate the Subscription with immediate effect if the use of the Platform would place SINAURA in breach of applicable export control, sanctions or anti-corruption regulations.

15 · UPDATES TO THE PLATFORM

(1) Mandatory Updates — SINAURA may release updates that are strictly necessary to: (a) remediate security vulnerabilities classified as Critical or High under CVSS v3.1 or any successor scoring standard, (b) comply with a binding legal or regulatory requirement that has entered into force or is about to enter into force, or (c) prevent imminent material interruption of the Platform's availability or integrity ("Mandatory Updates"). The Customer is required to accept Mandatory Updates and to ensure that Authorised Users and integrated systems remain compatible. SINAURA is not liable for impairments resulting from the Customer's failure to deploy such updates, save where the failure is attributable to SINAURA.

(2) Non-mandatory updates — SINAURA may release further updates introducing new functionalities or improvements. Where a non-mandatory update materially and adversely affects the Customer's use of the Platform, the Customer may, within thirty (30) days of release, request reversion to the previous version where technically feasible, or terminate the affected portion of the Subscription with pro-rata refund of fees prepaid for the unused period.

(3) Notice — SINAURA shall give reasonable prior notice of significant updates, including their nature, impact and any required Customer action.

16 · MOBILE ACCESS AND ENTERPRISE DEVICE DISTRIBUTION

Web-first access

AriaPLT™ is delivered as a web-based Software-as-a-Service platform accessible through any modern desktop or mobile browser at ariaplt.com. There is no requirement to install any client-side software for standard use.

No public app-store distribution

SINAURA does not distribute AriaPLT™ mobile applications through public consumer app marketplaces such as the Apple App Store or the Google Play Store. Accordingly, no third-party-beneficiary rights, app-store maintenance obligations or platform-imposed warranties arising from such marketplaces apply to AriaPLT™.

Enterprise mobile distribution

Where mobile native components are made available to the Customer, they are distributed exclusively through enterprise-managed channels such as Apple Business Manager, Apple Custom Apps, Managed Google Play, Microsoft Intune or other Mobile Device Management (MDM) frameworks operated by the Customer's IT organisation. Such distribution is governed by:

• the enrolment terms of the relevant enterprise distribution programme between the Customer and the device-platform provider;
• the Customer's own MDM policy, including device compliance, encryption, remote-wipe and access-control requirements;
• these ToS, which govern the use of the AriaPLT™ functionality regardless of the form factor of access.

The Customer is responsible for the security configuration of mobile devices used to access the Platform, including operating-system patching, screen-lock, biometric authentication, certificate-based VPN where required by the Customer's policy, and timely removal of the AriaPLT™ component upon termination of access rights.

Mobile-specific data

Use of the Platform on a mobile device may generate additional telemetry (device model, OS version, application version, crash diagnostics) processed under the Privacy Policy on the legal basis of legitimate interest in service security and quality. No advertising identifiers or third-party SDKs for behavioural advertising are integrated into the AriaPLT™ mobile components.

17 · GOVERNING LAW, MEDIATION AND JURISDICTION

The governing law and venue applicable to these Terms depend on the jurisdiction in which the Customer is headquartered at the time of acceptance of these Terms. Where the Customer is composed of multiple Affiliates in different regions, the region applicable to the contracting entity prevails.

Americas Region

If the Customer is headquartered in North America, Central America or South America, these Terms and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with these Terms or their subject matter or formation shall be governed by and construed in accordance with the laws of the State of New York, USA, excluding its conflict-of-laws rules. The Parties consent to the exclusive jurisdiction of the federal and state courts located in the Borough of Manhattan, New York County, New York, USA. Each Party hereby waives, to the maximum extent permitted by applicable law, any right to a jury trial in any such proceeding.

APAC Region

If the Customer is headquartered in East Asia, South-East Asia, South Asia, Oceania or any country immediately proximate thereto (including, without limitation, China, Japan, South Korea, Singapore, Thailand, Vietnam, India, Pakistan, Bangladesh, Indonesia, the Philippines, Malaysia, Australia and New Zealand), these Terms and any dispute or claim arising out of or in connection with these Terms shall be governed by and construed in accordance with the laws of the Republic of Singapore, excluding its conflict-of-laws rules. Any such dispute shall be referred to and finally resolved by arbitration administered by the Singapore International Arbitration Centre (SIAC) under the SIAC Rules in force at the time of the request, by a sole arbitrator, with seat in Singapore and proceedings conducted in English. Notwithstanding the foregoing, either Party may seek urgent injunctive or precautionary relief before the competent courts of the Republic of Singapore.

EMEA Region and Rest of World

If the Customer is headquartered in Europe, the Middle East, Africa or in any country not assigned to the regions above, these Terms shall be governed by and construed in accordance with the laws of the Italian Republic, supplemented by relevant European Union law. Before initiating judicial proceedings, the Parties shall attempt to resolve any dispute through mediation pursuant to D.Lgs. 28/2010, before the Mediation Body of the Milan Chamber of Commerce. Mediation shall not preclude the right of either Party to seek urgent and precautionary measures before the competent court. Save for mandatory jurisdiction rules, the Court of Milan shall have exclusive jurisdiction over any dispute that is not settled through mediation.

General

AriaPLT™ is a B2B platform; consumer fora apply only in the residual cases mandated by law. The United Nations Convention on Contracts for the International Sale of Goods (CISG) does not apply to these Terms. Nothing in this Article limits the right of either Party to enforce a judgment or arbitral award rendered under the applicable regional regime before any court of competent jurisdiction worldwide.

18 · AMENDMENTS TO THE TERMS OF SERVICE

SINAURA may amend these ToS or any Additional Terms to reflect regulatory, product or market evolution.

For the purposes of this Article, "material amendment" means any change that adversely affects in a non-negligible manner: (a) the Customer's rights or remedies hereunder, (b) the scope of the Platform or of the Subscription, (c) the Fees or the pricing structure beyond the renewal-notice regime of Art. 04, (d) the categories of Sub-processors, the categories of Personal Data processed or the destination countries of any international transfer, or (e) the technical and organisational measures protecting the Customer Data.

Material amendments are notified to the Customer with at least sixty (60) days' prior notice for Paying Customers and thirty (30) days' prior notice for Evaluation Accounts, via email to the administrative address and via update of sinauragroup.com/en/legal/terms-of-service.

In case of amendments materially affecting the Customer's rights, the Customer may withdraw from the contract without penalty within the same notice period. Such withdrawal shall not trigger any switching charge, and the Customer is entitled to the switching and portability assistance set out in Art. 12 (EU Data Act) at no cost. Non-material amendments take effect upon publication, without prejudice to the duties of good faith under Art. 1375 of the Italian Civil Code.

19 · MISCELLANEOUS

Order of precedence

The agreement between the Parties consists of the documents listed below. In case of conflict, they prevail in the following order: (i) the MSA / Order Form for commercial terms and special conditions specifically negotiated; (ii) the DPA for matters of personal data processing; (iii) these ToS; (iv) any Additional Terms; (v) the SLA, where signed, for service levels; (vi) the Privacy Policy and other policies/documentation.

Notices

Formal notices shall be sent via certified email (sinaurasrl@legalmail.it) or to the email and postal addresses indicated in the Order Form, with any non-certified courtesy copy sent to info@sinauragroup.com. Notices to the Customer may be sent to the email address or physical address provided at registration or otherwise associated with the Customer's account, or via in-product notification. Notices sent via certified email are deemed received on the date of the delivery receipt; notices sent via registered mail are deemed received five (5) business days after dispatch; notices via ordinary email are deemed received on the next business day, provided that delivery is technically successful.

Language

These ToS are drafted in English. Where a translation is provided for the Customer's convenience, the English version prevails in case of discrepancy, save where the Customer is headquartered in Italy and the Agreement is governed by Italian law (EMEA Region) — in such case, the Italian version published at sinauragroup.com/it/legal/terms-of-service prevails with respect to clauses qualifying as vexatious under Art. 1341 of the Italian Civil Code and with respect to the information obligations under Artt. 12, 13 and 14 GDPR.

Independent contractors

Nothing in these ToS creates a partnership, joint venture, agency, franchise or employment relationship between the Parties. Each Party acts as an independent contractor. Neither Party has the power to bind the other or to incur obligations on the other Party's behalf without the other Party's prior written consent.

No third-party rights

There are no third-party beneficiaries to these Terms. No person other than the Parties (and their permitted assignees) shall have any rights under these Terms. This Article is without prejudice to the rights of data subjects under the GDPR, which are exercised directly under the applicable law.

Waiver

Failure or delay by either Party to enforce any right under these ToS does not constitute a waiver of that right or of any other right. Any waiver must be in writing to be effective and shall not be deemed a waiver of any subsequent right or remedy.

Assignment

The Customer may not assign the contract, nor subcontract its obligations, without SINAURA's prior written consent, except to companies of its group. SINAURA may assign the contract, or subcontract its obligations, to an Affiliate or to a successor in interest as part of a corporate reorganisation, merger or sale of business, provided that the assignee assumes the same obligations. SINAURA shall notify the Customer of any such assignment with at least thirty (30) days' prior notice. Where the assignee is (i) a direct competitor of the Customer, (ii) a person or entity subject to sanctions or located in a country subject to comprehensive embargoes, or (iii) a person whose use of the Platform would materially impair the Customer's compliance with sector-specific obligations under DORA or NIS2, the Customer is entitled to terminate the contract within thirty (30) days of receipt of the notice, with pro-rata refund of fees prepaid for the unused period and entitlement to the switching assistance under Art. 12. Where SINAURA subcontracts any of its obligations to a third party, SINAURA remains responsible for the acts and omissions of such third party.

Marketing reference

Neither Party may use the other Party's name, logos or marks without the other Party's written pre-approval in each case (email sufficient), on websites, media, social-media accounts, marketing materials or other public statements, save as expressly authorised in the Order Form.

Support

SINAURA is solely responsible for providing the support described in the documentation made available by SINAURA or in any Order Form.

Insurance

SINAURA maintains professional liability and cyber insurance with reputable carriers, with coverage commensurate with the nature of the services. Certificates of insurance are made available upon reasonable Customer request, under confidentiality.

DORA addendum (financial entities)

Where the Customer is a financial entity subject to Regulation (EU) 2022/2554 (DORA), the Parties shall enter into an additional addendum addressing ICT third-party risk management, exit strategy, sub-outsourcing, audit rights and incident reporting as required by DORA. Such DORA Addendum may also modify the liability cap of Art. 10 and the force majeure provisions of Art. 13 to the extent strictly necessary to ensure the Customer's compliance with DORA.

Severability

The invalidity of one clause does not affect the validity of the remaining clauses, which remain in force. The Parties shall replace any invalid clause with a valid one that most closely reflects the original economic intent.

Entire agreement

The documents listed in the Order of precedence clause constitute the entire agreement between the Parties and supersede all prior oral or written agreements. Any statements or comments made between the Customer and any SINAURA employee or representative are expressly excluded from these Terms absent a separate written agreement.

20 · ANTI-PLAGIARISM, ANTI-CLONING AND LOOK-AND-FEEL PROTECTION

Scope of protection

The Platform — including its software, AgenticAI agents, models, prompts, system instructions, workflows, RAG pipelines, vector indexing strategies, embeddings, knowledge bases, ontologies, taxonomies, dashboards, user interface, user experience, look-and-feel, trade dress, naming conventions, branding, marketing collateral, technical documentation, SDKs, APIs, connectors, deployment topology, pricing logic, onboarding flows, the technical documentation drawn up pursuant to Art. 11 and Annex IV of Reg. (EU) 2024/1689 (EU AI Act) and any other proprietary or distinctive element — is the result of substantial investment, know-how, trade secrets and creative effort of SINAURA S.R.L. and is protected, cumulatively and not alternatively, by copyright, sui generis database rights, design rights, trademark rights, trade secret protection and unfair competition rules.

Prohibited acts (non-exhaustive list)

The Customer, its Authorised Users, its Affiliates, contractors and any third party acting on its behalf shall not, directly or indirectly, in whole or in part, with or without modifications, in any jurisdiction worldwide:

• copy, reproduce, plagiarise, clone, mirror, fork or substantially imitate the Platform or any of its components;
• recreate or develop a product, service, agent, model, application, interface or extension that is identical or substantially similar to the Platform or any of its parts, including by combining publicly available technologies in a way that reproduces the distinctive arrangement, sequence or organisation of the Platform;
• replicate, imitate or evoke the user interface, look-and-feel, layout, colour palette, iconography, micro-interactions, animations, navigation logic, dashboards, naming conventions or trade dress of the Platform;
• copy, paraphrase, fine-tune, distil or reverse-prompt the agent prompts, system instructions, role definitions, chain-of-thought patterns, orchestration logic, tool-use schemas or persona configurations of the AgenticAI agents;
• replicate the structure, schema, taxonomy, ontology, embedding strategy or content of SINAURA's knowledge bases, RAG indexes or proprietary datasets;
• replicate the API surface, endpoint naming, request/response schemas, SDK structure, CLI commands or connector design of the Platform;
• replicate the architecture of tenant segregation, the security workflow, the audit-trail design or the DR/backup topology described in SINAURA's documentation;
• copy, translate, adapt or republish — in any form or medium — the technical documentation, user guides, onboarding materials, marketing collateral or training materials of the Platform;
• register, file or use trademarks, service marks, logos, domain names, social-media handles, designs or copyrights that are identical or confusingly similar to AriaPLT™, SINAURA™, Sinaura Group™ or any other distinctive sign of SINAURA, in any jurisdiction worldwide;
• assist, finance, instruct, contract or otherwise enable any third party to perform any of the foregoing acts.

The interoperability carve-out set out in Art. 06 (Interoperability — mandatory user rights) applies as a limit to this Article only to the extent strictly necessary to achieve interoperability under the statutory conditions of Art. 6 Dir. 2009/24/EC.

Applicable legal framework

The above prohibitions are enforceable cumulatively under, inter alia:

• Italian law: L. 633/1941 (Copyright Act, Arts. 1, 2(8), 64-bis–64-quater, 102-bis); D.Lgs. 30/2005 (Industrial Property Code, Arts. 7-28 trademarks, 31-44 designs, 98-99 trade secrets); D.Lgs. 63/2018 (implementation of the Trade Secrets Directive); Civil Code Arts. 2598-2601 (unfair competition) and Arts. 2043, 2049 (tort liability);
• European Union law: Directive 2009/24/EC (computer programs); Directive 96/9/EC (databases); Directive 2001/29/EC (InfoSoc); Directive (EU) 2019/790 (DSM); Directive (EU) 2016/943 (trade secrets); Regulation (EU) 2017/1001 (EU trade mark); Council Regulation (EC) 6/2002 (Community designs); Directive 2005/29/EC (unfair commercial practices); Regulation (EU) 2024/1689 (AI Act);
• International treaties: the Berne Convention, the Paris Convention, the TRIPS Agreement, the WIPO Copyright Treaty (WCT) and the WIPO Performances and Phonograms Treaty (WPPT), as implemented in any country where the Customer operates;
• United States: 17 U.S.C. (Copyright Act), the Defend Trade Secrets Act of 2016 (18 U.S.C. § 1836), the Computer Fraud and Abuse Act (18 U.S.C. § 1030), the Lanham Act (15 U.S.C. § 1051 et seq.) and applicable state unfair-competition and trade-dress laws;
• United Kingdom: Copyright, Designs and Patents Act 1988; Trade Secrets (Enforcement, etc.) Regulations 2018; Trade Marks Act 1994;
• People's Republic of China: Copyright Law of the PRC (as amended in 2020), Anti-Unfair Competition Law, Trademark Law, Patent Law;
• India: Copyright Act 1957, Trade Marks Act 1999, Designs Act 2000, Information Technology Act 2000;
• Switzerland, Japan, Brazil, Canada, Australia, UAE and any other country: equivalent national statutes implementing the Berne / Paris / TRIPS framework.

The Customer expressly acknowledges that these prohibitions operate worldwide and that SINAURA is entitled to seek protection and enforcement under any applicable national or international legal regime.

Remedies and enforcement

In addition to the general remedies set out in these ToS:

• SINAURA is entitled to seek urgent injunctive, precautionary and seizure remedies (including descrizione and sequestro under Arts. 128-131 D.Lgs. 30/2005, and equivalent measures in other jurisdictions) without need to prove irreparable harm, the Parties expressly acknowledging that breach of these obligations causes irreparable harm by nature;
• SINAURA may claim compensation for actual damages, lost profits, unjust enrichment and the disgorgement of the infringer's profits, cumulatively where permitted by applicable law;
• the Customer shall, at SINAURA's request, immediately cease the infringing activity, withdraw any infringing product or material from the market, destroy or transfer to SINAURA any infringing copies, prompts, datasets or derivatives, and provide written certification of compliance;
• the obligations of this Article survive termination of the Subscription for an unlimited period for trade secrets (Art. 98 D.Lgs. 30/2005) and for the maximum term of protection granted by applicable law for other intellectual property rights.

21 · NDA AND LOCKOUT AGREEMENT

Acceptance and scope

This Article comprises two distinct layers of obligations, accepted separately at different moments:

Layer A — User-level NDA (click-through at Authorised User registration): every natural person who registers an account on the Platform — whether as an Authorised User under a paid Subscription or as a user of an Evaluation Account — accepts the confidentiality obligations set out in Section "User Confidential Information" and "Confidentiality obligations" below, by ticking the dedicated check-box on the registration form.

Layer B — Customer-level NDA and Lockout: the Customer-entity accepts the confidentiality and Lockout obligations set out in Sections "Customer-level Lockout — non-replication and non-development" and "Liquidated damages" below, with the modality matching its commercial profile:

• for Enterprise Customers (acceptance modality (A) of Section "Acceptance of these Terms"), Layer B is accepted by the Customer-entity through specific and separate written approval — handwritten signature or advanced/qualified electronic signature pursuant to Reg. (EU) 910/2014 (eIDAS) and Art. 20 of D.Lgs. 82/2005 — executed alongside the principal signature on the MSA or Order Form;
• for Standard Paying Customers (acceptance modality (B)) and Evaluation Customers (acceptance modality (C)), Layer B is accepted by the Customer-entity through a dedicated, individually identified check-box at registration or check-out, separate from the general acceptance check-box, with retention of the technical record set out in the Section "Click-through acceptance — evidentiary value" below.

No personal Lockout obligation, non-compete obligation or liquidated damages obligation under this Article attaches to the Authorised User as a natural person. The natural-person Authorised User is bound only by the confidentiality obligations set out under Layer A. Any obligation of non-competition that would, by its nature, qualify as a patto di non concorrenza under Art. 2125 of the Italian Civil Code is expressly excluded.

User Confidential Information

For the purposes of this Article, "User Confidential Information" means any information made accessible — visually, orally, in writing, by inspection of the Platform, by interaction with the agents, or by any other means — to the registering person before, during or after access to the Platform, including without limitation:

• the structure, architecture, source code, models, prompts, agent behaviour, workflows, orchestration logic, RAG pipelines, embedding strategies, ontologies and knowledge bases of the Platform;
• the user interface, look-and-feel, dashboards, micro-interactions, design tokens and trade dress of the Platform;
• the APIs, SDKs, CLIs, connectors, endpoint schemas, request/response formats and integration patterns;
• the documentation, onboarding materials, demos, technical white-papers, roadmap, pricing logic, commercial conditions and any non-public information about the Platform or SINAURA;
• any insight, observation or know-how derived from access to or use of the Platform.

The Platform itself, irrespective of any specific labelling, is to be treated as User Confidential Information by default. The definition of "User Confidential Information" in this Article is distinct from, and supplementary to, the definition of "Confidential Information" at the contractual level in Art. 07.

Confidentiality obligations (Layer A — applies to natural-person users)

The registering person undertakes to:

• treat User Confidential Information with at least the same degree of care used for its own confidential information, and in any case with no less than reasonable care;
• use User Confidential Information solely for the purpose of evaluating or using the Platform under the applicable Subscription or Evaluation Account, and for no other purpose;
• not disclose, publish, transmit, post, screenshot, screen-record, stream or otherwise make User Confidential Information accessible to any third party without SINAURA's prior written consent;
• not export, copy, dump or download User Confidential Information outside the permitted channels of the Platform;
• inform employees and contractors of these obligations and ensure they are bound by equivalent confidentiality undertakings.

Customer-level Lockout — non-replication and non-development (Layer B — applies to the Customer-entity)

For the entire period of access to the Platform and for the "Lockout Period" thereafter, the Customer-entity and any Affiliate shall not, directly or indirectly, in any jurisdiction worldwide:

• design, develop, fund, commission, manufacture, market, launch, distribute or operate any product, service, agent, model, application, dataset, prompt library, interface or extension that is identical or substantially similar to the Platform or to any of its components, as defined in Art. 20;
• participate in, advise, assist in or instruct any third party engaged by the Customer-entity in the activities described above with respect to the Platform;
• file applications for patents, designs, trademarks, domain names or copyrights covering subject matter derived from, evocative of or substantially similar to the Platform or any User Confidential Information accessed by the Customer-entity or its personnel by reason of the Subscription;
• use User Confidential Information accessed by reason of the Subscription to inform or accelerate competitive product development, benchmarking, marketing positioning or recruiting against SINAURA.

The Lockout Period is twelve (12) months for Evaluation Accounts at the Customer-entity level and twenty-four (24) months for Customer-entities under a paid Subscription, in each case calculated from the date of termination of the access. The Lockout Period is justified by the substantial investment, the trade secrets and the proprietary know-how to which the Customer-entity has been given access through the Subscription, and is without prejudice to the unlimited-time protection of trade secrets under Art. 98 D.Lgs. 30/2005 and equivalent foreign laws.

This Lockout obligation is binding upon the Customer-entity as a legal person and does not attach as a personal obligation to its individual personnel or to its Authorised Users.

Permitted exceptions

The confidentiality obligations under Layer A and the Lockout obligation under Layer B do not apply to information that the registering person or the Customer-entity (as applicable) can demonstrate, by contemporaneous written records, was:

• (i) publicly available without breach of this Agreement;
• (ii) lawfully known prior to disclosure without obligation of confidentiality;
• (iii) independently developed without use of or reference to User Confidential Information;
• (iv) required to be disclosed by law or competent authority, subject to prior written notice to SINAURA where legally permitted;
• (v) disclosed for whistleblowing purposes in accordance with D.Lgs. 24/2023 implementing Directive (EU) 2019/1937, or to supervisory authorities (including, but not limited to, the Italian Data Protection Authority, the Agenzia per la Cybersicurezza Nazionale, Banca d'Italia, CONSOB, EBA, ESMA, EIOPA, the European Commission, AGCOM, AGCM, the Italian Tax Police);
• (vi) disclosed to judicial authorities, public prosecutors, the labour inspectorate or any other authority in the exercise of its statutory functions;
• (vii) disclosed to trade unions, works councils or employee representative bodies in the lawful exercise of their statutory functions.

No retaliation, contractual or otherwise, shall be permitted against any natural person who has lawfully invoked the exceptions under (v), (vi) or (vii).

Click-through acceptance — evidentiary value (Layer A)

Acceptance under Layer A is recorded and time-stamped at registration, with retention of: (i) the registering person's identifiers; (ii) the version of this Agreement accepted; (iii) the IP address and user-agent used; (iv) the cryptographic hash of the accepted text. Such record constitutes admissible evidence of consent and binding acceptance pursuant to Arts. 20 and 21 of D.Lgs. 82/2005 (Italian Digital Administration Code), Reg. (EU) 910/2014 (eIDAS) and equivalent legislation in other jurisdictions.

Specific approval of vexatious clauses (Layer B)

The clauses of this Article that qualify as vexatious under Art. 1341 of the Italian Civil Code — in particular the Customer-level Lockout obligation and the liquidated damages — are specifically approved by the Customer-entity through the modality matching its commercial profile, as set out in the Section "Modalities of acceptance and regime applicable to vexatious clauses": (a) for Enterprise Customers, through separate written approval (handwritten or advanced/qualified electronic signature) alongside the MSA or Order Form; (b) for Standard Paying Customers and Evaluation Customers, through a separate, dedicated check-box at registration or check-out, distinct from the general acceptance check-box, with retention of the technical record pursuant to Arts. 20 and 21 of D.Lgs. 82/2005 and Reg. (EU) 910/2014 (eIDAS).

Liquidated damages (applies to the Customer-entity under Layer B)

Breach of Layer B by the Customer-entity entitles SINAURA to: (i) immediate suspension and termination of the account and of any related Subscription, without refund; (ii) the remedies set out in Art. 20; (iii) liquidated damages — without prejudice to compensation for greater actual damages — calibrated on the nature of the breach:

• twenty-five thousand euros (EUR 25,000) per breach for purely confidentiality violations not resulting in commercial competing use;
• one hundred thousand euros (EUR 100,000) per breach for use of User Confidential Information to develop, launch or market a competing or substantially similar product, service, agent, model or interface;
• or, where greater, the fees received by SINAURA from the Customer-entity and its Affiliates in the 24 months preceding the breach.

The Parties expressly acknowledge that the above amounts are proportionate to the value of the protected interests (substantial R&D investment, trade secrets, reputational and competitive harm). The right of the court to reduce the liquidated damages pursuant to Art. 1384 of the Italian Civil Code is hereby expressly preserved. Any prior wording purporting to waive such right is of no effect.

Survival

The confidentiality obligations under Layer A survive for ten (10) years after termination of the account at user level. The Customer-level confidentiality obligations under Layer B survive for ten (10) years after termination of the contract. The Customer-level Lockout obligations survive for the duration of the Lockout Period defined above. The obligations relating to trade secrets survive indefinitely.

22 · CONTACTING SINAURA

Should the Customer have any questions, comments or feedback regarding these ToS or the Platform, SINAURA may be reached at:

23 · APPLICABLE ADDENDUMS AND EXHIBITS

The following documents are incorporated by reference into these ToS and form an integral part of the Agreement. They prevail over these ToS in the order set out in Art. 19 (Order of precedence).

The documents and pages above are kept current by SINAURA. Changes to the sub-processor list are notified to the Customer at least 30 days in advance under DPA §5(1). Material changes to the other documents are notified under Art. 18 (Amendments to the Terms of Service) of these ToS.

© 2026 SINAURA S.R.L. · AriaPLT™ and Sinaura™ are registered trademarks of SINAURA S.R.L · Version 1.5 · Last updated: 16 May 2026