General Terms and Conditions of Sale (GTCS)

Preamble

DIV PROTOCOL SAS - Société par actions simplifiée (SAS) with share capital of EUR 105.10 Paris RCS – 939 283 164 Registered office: 200 rue de la Croix-Nivert, 75015 Paris, France Contact: contact@divprotocol.com DIV PROTOCOL SAS is a French company specialising in the provision of a SaaS (Software as a Service) solution for secure storage, sharing and end-to-end encryption of professional data, exclusively for businesses and professionals (B2B). The Service is accessible via the platform www.divprotocol.com and is based on a secure infrastructure hosted exclusively in France and in the European Union by OVH SAS. These General Terms and Conditions of Sale (hereinafter the “GTCS”) constitute the sole contractual basis governing the commercial relationship between DIV PROTOCOL and its Clients. Any subscription to the Service entails full and unreserved acceptance of these GTCS.

Article 1 – Definitions

For the purposes of these GTCS, the following terms shall have the meanings assigned to them below:

• “Client”: any legal entity or natural person acting in a professional capacity who has subscribed to a DIV PROTOCOL Service plan;
• “User”: any natural person holding an account on the Platform, acting on behalf of the Client;
• “Platform”: the web application accessible at www.divprotocol.com and all associated interfaces;
• “Service”: all the functionalities offered by DIV PROTOCOL under the plan subscribed to by the Client;
• “Client Data”: all files, documents and content uploaded, stored or processed by the Client and its Users on the Platform;
• “Personal Data”: any information relating to an identified or identifiable natural person, within the meaning of Regulation (EU) 2016/679 (GDPR);
• “Commitment Period”: the firm and irrevocable twelve (12) calendar-month period commencing on the subscription date, irrespective of the billing frequency chosen by the Client;
• “Billing Frequency”: the frequency at which amounts due are payable – monthly (in twelfths) or annual (in a single instalment) – without affecting the Commitment Period;
• “Parties”: DIV PROTOCOL and the Client collectively;
• “Agreement”: these GTCS, the plan subscribed to by the Client, and any ancillary document expressly agreed between the Parties.

Article 2 – Purpose

These GTCS set out the conditions under which DIV PROTOCOL SAS (hereinafter the “Service Provider”) provides the Client with access to the Service, and the respective rights and obligations of the Parties. Any subscription to the Service implies unconditional acceptance of these GTCS, to the exclusion of any other document, and in particular the Client’s general purchasing conditions.

Article 3 – Scope and acceptance

These GTCS apply to all orders, subscriptions or uses of the Service made by the Client, regardless of the plan chosen. They take precedence over any other contractual document from the Client. DIV PROTOCOL reserves the right to modify these GTCS at any time. Any modification will be notified to the Client by email at least thirty (30) days before it takes effect. Continued use of the Service after the new GTCS come into force constitutes acceptance of those GTCS.

Article 4 – Contractual commitment – Mandatory 12-month term

4.1 – Principle of the mandatory annual commitment Regardless of the billing frequency chosen by the Client – whether monthly or annual – every subscription to the DIV PROTOCOL Service is entered into for a firm and irrevocable Commitment Period of twelve (12) calendar months from the subscription date (hereinafter the “Effective Date”). The choice of monthly billing does not confer upon the Client any right to early termination before the expiry of the Commitment Period. It constitutes solely a method of staggered payment of the amounts due under the Agreement, without affecting the binding nature of the commitment. By expressly acknowledging this clause at the time of subscription, the Client waives any claim that monthly billing creates a month-to-month or “no commitment” arrangement. 4.2 – Consequences of early termination In the event of termination of the Agreement by the Client prior to the expiry of the Commitment Period, for any reason other than those set out in Article 7.3, the Client shall be immediately and unconditionally liable for the full payment of all instalments remaining due until the end of the current Commitment Period, namely all monthly instalments not yet fallen due in the case of monthly billing, or the balance of the current annual period in the case of annual billing. These amounts shall constitute a penalty clause (clause pénale) within the meaning of Articles 1231-5 et seq. of the French Civil Code, representing a lump-sum and irrebuttable assessment of the Service Provider’s loss. The Service Provider nevertheless reserves the right to seek additional damages if its actual loss exceeds this lump-sum amount. 4.3 – Renewal Upon expiry of each Commitment Period, the Agreement is automatically renewed for a further successive period of twelve (12) months at the pricing and conditions in force at the time of renewal, unless notice of non-renewal is sent by either Party by email with acknowledgement of receipt at least sixty (60) days before the expiry date. 4.4 – Pre-contractual disclosure In accordance with the general principles of contract law, the Client acknowledges that it has been informed, prior to subscription, of the binding nature of the 12-month commitment, irrespective of the billing frequency. This information is expressly stated in the quotation or commercial proposal accepted by the Client.

Article 5 – Description of the Service

The DIV PROTOCOL Service is a secure document management platform including, in particular, the following functionalities:

• Secure storage with end-to-end encryption (E2E): files are encrypted client-side before any transfer to the servers;
• Chunked/resumable upload;
• Three sharing modes: internal, secure external (OTP), and public link;
• Collaborative document editing via OnlyOffice (text, spreadsheets, presentations);
• Granular permission management: READ, WRITE, DELETE, DOWNLOAD, SHARE, MANAGE_ROLE;
• Audit log recording more than 28 action types;
• File versioning and history with restoration;
• Recycle bin and reversible deletion;
• Search engine;
• Personal and team projects;
• Dashboard and administration interface.

DIV PROTOCOL reserves the right to evolve the Service’s functionalities in order to improve their quality and security, without altering the essential characteristics of the subscribed plan.

Article 6 – Pricing and payment

6.1 – Pricing Service pricing is established on a personalised quotation basis, depending on the plan, storage volume and number of Users required by the Client. Unless otherwise stated in the quotation, prices are expressed in euros exclusive of tax (ex-VAT); applicable VAT will be added at the rate in force at the invoicing date. 6.2 – Billing frequency and commitment At the time of subscription, the Client chooses one of the following two billing methods, without this choice affecting the 12-month Commitment Period as defined in Article 4:

• Monthly billing: amounts due are payable in twelfths, on the first day of each subscription anniversary month. All twelve monthly instalments remain due until the expiry of the Commitment Period, notwithstanding any early termination by the Client;
• Annual billing: the full amount due for 12 months is payable in advance on the subscription date, then on each anniversary date. Any applicable pricing advantage for annual billing is indicated in the quotation.

6.3 – Payment methods Payments are made by credit card via the secure payment platform Stripe. Invoicing occurs on the subscription date, then on a recurring basis according to the frequency chosen. 6.4 – Default in payment In the event of a payment failure, the Service Provider will send the Client a reminder. If the situation is not rectified within fifteen (15) days, the Service Provider may suspend access to the Service without prejudice to the amounts remaining due for the entire Commitment Period. After thirty (30) days of non-payment, the Service Provider may terminate the Agreement by right. Termination for non-payment does not release the Client from its obligation to pay the remaining instalments until the end of the Commitment Period. Any amount unpaid at its due date shall automatically bear late-payment interest at the European Central Bank’s reference rate increased by ten (10) percentage points, together with a flat-rate recovery fee of forty euros (EUR 40).

Article 7 – Term, renewal and termination

7.1 – Firm term In accordance with Article 4, the Agreement is entered into for a firm Commitment Period of twelve (12) months, regardless of the billing frequency chosen. No early termination may be effected by the Client during this period, except in the cases exhaustively listed in Article 7.3. 7.2 – Tacit renewal Upon expiry of each Commitment Period, the Agreement is automatically renewed for a further period of twelve (12) months at the pricing conditions in force, unless notice of non-renewal is transmitted by email with acknowledgement of receipt at least sixty (60) days before the expiry date. 7.3 – Early termination by the Client The Client may terminate the Agreement before the expiry of the Commitment Period solely in the following cases:

• Serious and unremedied breach by DIV PROTOCOL of its essential obligations (availability, security, confidentiality), established after formal notice remaining without effect for thirty (30) days;
• Force majeure event lasting more than sixty (60) days, as defined in Article 14;
• Judicial liquidation or court-ordered reorganisation of DIV PROTOCOL resulting in the permanent cessation of the Service.

Outside these cases, any early termination by the Client entails the immediate payability of all remaining instalments until the end of the Commitment Period, in accordance with Article 4.2. 7.4 – Termination by DIV PROTOCOL DIV PROTOCOL may terminate the Agreement by right in the event of: a serious and persistent breach by the Client of its contractual obligations unremedied within fifteen (15) days of formal notice; persistent non-payment beyond thirty (30) days; use of the Service in violation of applicable legislation. 7.5 – Effects of termination Upon termination of the Agreement, for whatever reason, the Client has thirty (30) days to retrieve its Client Data. After this period, DIV PROTOCOL will proceed with the permanent deletion of the data, unless there is a legal obligation to retain it.

Article 8 – Service Level Agreement (SLA)

DIV PROTOCOL undertakes to ensure Service availability of 99.5% on a monthly basis. The following are excluded from the availability calculation: scheduled maintenance operations notified at least 48 hours in advance; interruptions resulting from force majeure; interruptions attributable to the Client or third parties. In the event of SLA non-compliance noted in a calendar month, the Client may request a proportional credit for the excess downtime, up to 30% of the monthly subscription amount.

Article 9 – Obligations of DIV PROTOCOL

Under the Agreement, DIV PROTOCOL undertakes to:

• Provide the Service in accordance with these GTCS and current professional standards in information security;
• Ensure Service availability under the conditions defined in Article 8;
• Implement appropriate technical and organisational measures to protect Client Data;
• Inform the Client without delay of any security incident likely to affect its data;
• Not access Client Data in plaintext, in accordance with the end-to-end encryption architecture, except under mandatory legal obligation.

Article 10 – Obligations of the Client

The Client undertakes to:

• Use the Service in compliance with applicable laws and regulations;
• Ensure the lawfulness of all content stored, shared and processed via the Platform;
• Maintain the confidentiality of its Users’ login credentials;
• Not compromise the security, integrity or availability of the Service;
• Pay invoices within agreed deadlines, including for the full Commitment Period.

Article 11 – Security and encryption

DIV PROTOCOL implements a professional-grade security architecture comprising: client-side end-to-end encryption (the decryption keys are never accessible to the Service Provider); encryption at rest and in transit; two-factor authentication (2FA); logical isolation of each Client’s data. Certain metadata necessary for the operation of the Service (file names, directory structure, sizes, dates, audit logs) are accessible server-side to enable indexing and administration.

Article 12 – Personal data and GDPR

In connection with the performance of the Agreement, DIV PROTOCOL processes Personal Data on behalf of the Client, acting as data processor within the meaning of Article 28 of the GDPR. DIV PROTOCOL undertakes to process Personal Data solely on the Client’s documented instructions, to implement appropriate measures in accordance with Article 32 of the GDPR, and to delete or return data at the end of the service.

Article 13 – Confidentiality

Each Party undertakes to treat as confidential all information exchanged in the context of the Agreement, whether of a technical, commercial, financial or strategic nature. This confidentiality obligation applies throughout the term of the Agreement and continues for five (5) years after its termination.

Article 14 – Force majeure

Neither Party shall be held liable for non-performance or delay in performing its contractual obligations where such non-performance results from a force majeure event within the meaning of Article 1218 of the French Civil Code. If the force majeure event lasts more than sixty (60) days, either Party may terminate the Agreement by right without compensation, including during the Commitment Period.

Article 15 – Liability and limitations

The total and cumulative liability of DIV PROTOCOL under the Agreement is capped at the total amount of sums actually paid by the Client during the twelve (12) months preceding the event giving rise to the loss. This limitation does not apply in cases of gross negligence, fraud, or personal injury.

Article 16 – Intellectual property

DIV PROTOCOL is and remains the sole owner of all intellectual property rights in the Platform, the Service, the software, the source code and associated documentation. The Agreement grants the Client only a non-exclusive, non-transferable, non-assignable right of use for the duration of the Agreement. Client Data remains the exclusive property of the Client.

Article 17 – Governing law and jurisdiction

These GTCS are governed by French law. In the event of a dispute, the Parties will endeavour to find an amicable solution within thirty (30) days. Failing this, exclusive jurisdiction is conferred upon the Commercial Court of Paris (Tribunal de Commerce de Paris). Contact: contact@divprotocol.com