STANDARD TERMS AND CONDITIONS
Last update: April 22, 2026
These Standard Terms and Conditions ("Terms") are published by Finray Technologies Ltd, a company incorporated under the laws of Cyprus (registration number HE 445903) with registered office at 115 Griva Digeni, Trident Centre, Limassol, Cyprus, 3101 ("Finray" or "Vendor"). These Terms govern all access to and use of the XZiel platform and associated services by any customer ("Customer") who executes an Order Form referencing these Terms. By executing an Order Form the Customer agrees to be bound by these Terms, the Acceptable Use Policy, and the additional documents referenced herein or in the Order Form.
These Terms are available at: https://xziel.com/legal/STC
PART A – MASTER AGREEMENT
DEFINITIONS
In these Terms the following words and expressions have the meanings set out below:"Acceptable Use Policy (AUP)" means Finray's policy governing permitted and prohibited uses of the Platform, published at https://xziel.com/legal/AUP and incorporated into these Terms by reference.
"Agreement" means these Terms together with the applicable Order Form, the AUP, and any addenda or supplemental schedules incorporated by reference in the Order Form.
"API" means the application programming interface(s) through which Customer systems interact programmatically with the Platform.
"API Call" means a single programmatic request to the Platform API that returns a response, whether sourced from Finray-owned or Third-Party Service components.
"Authorised User" means an individual employee, contractor, or agent of Customer granted access to the Platform in accordance with the Agreement.
"Business Day" means any day (other than Saturday, Sunday, or a public holiday) on which banks are open in Cyprus and in the jurisdiction of Customer's registered office.
“Business Hour” means the hours from 09:00 to 17:00 on any day other than a Saturday, Sunday, or public holiday Cyprus, calculated by reference to Eastern European Time (EET) or Eastern European Summer Time (EEST), as applicable.
"Confidential Information" means all information disclosed by one party ("Disclosing Party") to the other ("Receiving Party") that is marked confidential or that a reasonable person would treat as confidential given its nature and the circumstances of disclosure, including the terms of the Order Form and technical documentation.
"Customer" means the person so named in the Order Form.
"Customer Data" means all data, content, and information (including Personal Data) submitted to or processed through the Platform by or on behalf of Customer.
“Data Controller” has the meaning given by GDPR.
“Data Processor” has the meaning given by GDPR.
"Data Protection Law" means all applicable laws and regulations relating to the processing of Personal Data including (where applicable): EU GDPR (Regulation (EU) 2016/679); the Swiss Federal Act on Data Protection (revFADP, effective 1 September 2023) and its Ordinance (ADPO); the UK GDPR and the Data Protection Act 2018; and any implementing legislation, guidance, or amendment under any of the foregoing.
“Data Subject Request” means a request made by a data subject to exercise any rights of data subjects under Data Protection Legislation.
"Effective Date" means the date specified in the Order Form, or, if not specified, the date on which Finray countersigns the Order Form.
"Fee(s)" means the Subscription Fee, Implementation Fee, Overage Charges, and any other amounts payable by Customer as specified in the Order Form.
"Force Majeure Event" means any circumstance beyond a party's reasonable control, including acts of God, governmental action, war, terrorism, pandemic, earthquake, flood, fire, or failure of third-party telecommunications infrastructure.
"Implementation Services" means onboarding, integration, configuration, training, and go-live support services agreed between the parties in writing.
"Intellectual Property Rights" means all patents, copyright, database rights, trade marks, trade names, domain names, design rights, know-how, trade secrets, and all other intellectual property rights (registered or unregistered) in any jurisdiction.
"Named User" means an Authorised User assigned a dedicated user seat within a Third-Party Service as specified in the Order Form.
"Order Form" means the customer-specific commercial document signed by both parties that incorporates these Terms and sets out the subscription scope, platform modules, Third-Party Services, pricing, and commercial conditions applicable to Customer's subscription.
"Overage Charges" means additional fees payable when Customer's usage exceeds the API Call volumes, Named User counts, or other metered entitlements specified in the Order Form.
"Personal Data" has the meaning given by GDPR.
"Platform" means the XZiel software-as-a-service platform operated by Finray, comprising the Finray-owned modules, integrated third-party components, APIs, rule engines, dashboards, and case management capabilities described in the Order Form, together with any updates or new releases provided during the Subscription Term.
“Processing Instruction” means any documented directions provided by the Customer to the Processor regarding the manner, scope, and purposes of processing Personal Data under the Agreement, submitted via the Platform and/or API, notified in writing to Finray by Client's Authorised Users, and updated from time to time in accordance with the terms of this Agreement
"Standard Contractual Clauses (SCCs)" means the standard contractual clauses for controller-to-processor transfers adopted by the European Commission by Implementing Decision (EU) 2021/914, Module Two.
“Scheduled maintenance” means any work notified in advance to the Customer (as provided in the SLA) to be carried out by the Vendor or on its behalf that may cause the Services to be temporarily suspended;
"Subscription Fee" means the fee payable for access to the Platform as specified in the Order Form.
"Subscription Term" means the initial period and any renewal period(s) as specified in the Order Form.
"Third-Party Service" means any service, data feed, API, or software provided by a third-party vendor (including TRM Labs Inc. and OpenSanctions) accessible through or integrated into the Platform as described in the Order Form.
"Usage Data" means anonymised or aggregated operational data derived from Customer's use of the Platform that does not identify Customer or any individual.
GRANT OF RIGHTS AND ACCESS
2.1 License. Subject to payment of all Fees and compliance with these Terms, Finray grants Customer a non-exclusive, non-transferable, limited-in-time, non-sublicensable licence to access and use the Platform during the Subscription Term solely for Customer's internal compliance and transaction risk management operations.
2.2 Authorised Users. Customer may permit Authorised Users to access the Platform up to the user count specified in the Order Form. Customer is responsible for all acts and omissions of its Authorised Users as if they were Customer's own.
2.3 Named Users. Access to Third-Party Services through the Platform is subject to Named User limits in the Order Form. Customer must not permit more individuals to access a Third-Party Service than the number of Named Users purchased.
2.4 API Access. Finray grants Customer access to the Platform API within the API Call limits specified in the Order Form. Customer must not circumvent rate limits or usage controls.
2.5 Restrictions. Customer must not: (a) copy, modify, or create derivative works of the Platform; (b) reverse engineer or attempt to derive source code; (c) sublicense, sell, or transfer Platform access rights; (d) use the Platform to build a competing product; (e) share login credentials between Authorised Users or Named Users; or (f) use the Platform in violation of any applicable law or the AUP.
2.6. Platform update: Finray retains the right to modify and update the Platform from time to time, provided that its intended purpose and core characteristics remain unchanged.
2.7 Reservation. Finray reserves all rights not expressly granted. No implied licence arises under these Terms.
ORDERING AND PURCHASE ORDERS
3.1 Order Forms. Each subscription is governed by a signed Order Form. In the event of conflict, the Order Form prevails on commercial terms; these Terms prevail on all other matters.
3.2 Customer Purchase Orders. Customer purchase orders submitted for internal administrative or accounts-payable purposes are for administration only. Any terms or conditions printed on or attached to a Customer purchase order have no legal effect and do not amend, modify, or supplement the Agreement, unless expressly accepted in a signed written amendment by Finray.
3.3 Provisioning. Finray shall provision Platform access within the timeframe specified in the Order Form, or within ten (10) Business Days of the date of payment of the Subscription fee if no timeframe is specified.
FINRAY'S OBLIGATIONS
4.1 Service Delivery. Finray shall use commercially reasonable efforts to make the Platform available in accordance with Part C of these Terms (SLA).
4.2 Updates. Finray may update or modify the Platform at any time. Finray shall provide reasonable prior notice of material changes that may adversely affect Customer's use.
4.3 Security. Finray shall maintain the technical and organisational security measures described in Part B of these Terms.
4.4 Support. Finray shall provide technical support in accordance with Part C of these Terms.
4.5 Subcontractors. Finray may engage subcontractors, remaining responsible for their performance.
CUSTOMER OBLIGATIONS
5.1 Responsibility. Customer is solely responsible for: (a) the accuracy and legality of Customer Data; (b) configuring the Platform appropriately for its regulated use case; (c) maintaining security of Authorised User credentials; (d) compliance with all applicable laws, regulations, and regulatory guidance including AML/CFT, sanctions, and data protection; and (e) ensuring that final compliance, legal, and regulatory decisions are made by qualified human personnel and not delegated solely to the Platform.
5.2 Cooperation. Customer shall provide Finray with reasonable cooperation and information required to deliver the Platform and any agreed services.
5.3 Acceptable Use. Customer shall use the Platform in accordance with the AUP. Customer shall promptly notify Finray of any suspected security breach or unauthorised use.
5.4 Non-Reliance. The Platform is a decision-support tool. Platform outputs do not constitute legal or regulatory advice. Customer retains full responsibility for all final compliance, sanctions, and regulatory decisions and must not rely on Platform outputs as a substitute for qualified human judgement.
5.5 Regulatory Licences. Customer is responsible for obtaining and maintaining all licences, permits, and authorisations required for its business operations and for its use of the Platform.
THIRD-PARTY SERVICES
6.1 Nature. Certain Platform features depend on or integrate Third-Party Services (including TRM Labs Inc. and OpenSanctions). Third-Party Services are described in the Order Form and subject to the pass-through terms set out therein.
6.2 No Finray Warranty. Finray does not own or control Third-Party Services and makes no representation or warranty regarding the accuracy, completeness, availability, or legal sufficiency of Third-Party Service data or outputs. Customer's reliance on Third-Party Service outputs is at Customer's own risk.
6.3 Pass-Through Obligations. Customer's access to Third-Party Services is subject to the relevant provider's acceptable use policies and standard terms and conditions as communicated to Customer. Customer must not use Third-Party Services in violation of those restrictions.
6.4 Customer Acceptance of Third-Party Terms. By executing the Order Form, Customer acknowledges that it has reviewed the standard terms and conditions of each Third-Party Service listed therein (via the URLs set out in the Order Form) and accepts the obligations applicable to end users of those services.
6.5 Third-Party Changes. Finray shall use reasonable efforts to notify Customer of material changes to Third-Party Services that may affect Customer's use of the Platform.
FEES, PAYMENT, AND TAXES
7.1 Fees. Customer shall pay all Fees specified in the Order Form. Fees are non-refundable except as expressly provided in these Terms or required by applicable law.
7.2 Invoicing. Finray shall invoice in accordance with the billing schedule in the Order Form. Where no schedule is specified, Finray invoices annually in advance.
7.3 Payment Terms. Customer shall pay each invoice within fifteen (15) days of the invoice date unless a different term is agreed in the Order Form.
7.4 Overages. Overage Charges are calculated monthly on actual usage and invoiced within fifteen (15) Business Days following each calendar month-end.
7.5 Late Payment. Undisputed amounts not paid by the due date accrue interest at 1.5% per month (or the maximum permitted by law, if lower) from the due date until actual payment.
7.6 Disputed Invoices. Customer must notify Finray in writing of any good-faith invoice dispute within fourteen (14) days of the invoice date, identifying the disputed amount and grounds. The parties shall resolve disputes in good faith within thirty (30) days.
7.7 Taxes. All Fees exclude VAT, GST, withholding tax, and other applicable taxes. Customer is responsible for all applicable taxes. Where Finray must collect and remit taxes by law, Finray shall add them to the invoice.
7.8 Fee Adjustments on Renewal. Finray may adjust Subscription Fees on renewal with not less than sixty (60) days' written notice before the end of the then-current Subscription Term.
INTELLECTUAL PROPERTY
8.1 Finray IP. Finray retains all Intellectual Property Rights in the Platform, underlying software, algorithms, rule sets, documentation, and Usage Data. No IP is transferred to Customer under these Terms.
8.2 Customer IP. Customer retains all IP in Customer Data. Customer grants Finray a limited, non-exclusive, royalty-free licence to use Customer Data solely as necessary to provide the Platform and perform Finray's obligations.
8.3 Feedback. Finray may freely use any suggestions or feedback provided by Customer regarding the Platform without restriction or obligation.
8.4 Third-Party IP. Nothing in these Terms grants Customer any rights in Third-Party Service IP beyond the access rights described in the Order Form.
CONFIDENTIALITY
9.1 Obligations. Each party shall: (a) keep the other's Confidential Information strictly confidential; (b) not disclose it to any third party without prior written consent; and (c) use it only for the purposes of performing or exercising rights under these Terms.
9.2 Permitted Disclosure. A party may disclose Confidential Information to its employees, directors, professional advisers, or contractors who need it for purposes of these Terms, provided they are bound by equivalent confidentiality obligations.
9.3 Exceptions. Confidentiality obligations do not apply to information that: (a) is or becomes publicly available other than through breach of these Terms; (b) was rightfully known to the Receiving Party before disclosure; (c) is independently developed without reference to the Disclosing Party's Confidential Information; or (d) must be disclosed pursuant to mandatory law or regulation, subject to prompt prior written notice where legally permissible.
9.4 Duration. Confidentiality obligations survive termination for five (5) years, except for trade secrets which are protected for as long as they remain trade secrets.
WARRANTIES
10.1 Finray Warranties. Finray warrants that: (a) the Platform will perform materially in accordance with the Order Form during the Subscription Term; (b) Finray has the right and authority to enter into and perform these Terms; (c) Finray will maintain ISO/IEC 27001:2022 certification during the Subscription Term; and (d) Implementation Services will be performed with reasonable skill and care.
10.2 Customer Warranties. Customer warrants that: (a) it has the right and authority to enter into and perform these Terms; (b) Customer Data does not infringe third-party Intellectual Property Rights; and (c) Customer's use of the Platform complies with all applicable laws.
10.3 Disclaimer. SAVE AS SET OUT IN CLAUSE 10.1, THE PLATFORM AND THIRD-PARTY SERVICES ARE PROVIDED "AS IS" AND "AS AVAILABLE". FINRAY DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR THAT THE PLATFORM WILL DETECT ALL SUSPICIOUS TRANSACTIONS, SANCTIONS MATCHES, OR COMPLIANCE RISKS.
INDEMNIFICATION
11.1 Finray Indemnity. Finray shall defend, indemnify, and hold Customer harmless against any third-party claim that the Platform (as provided and used in accordance with these Terms) infringes a third-party IP right, and shall pay damages finally awarded by a court. This indemnity does not apply if: (a) the claim arises from Customer's modification of the Platform; (b) the claim arises from use in combination with Customer Data or third-party products not provided by Finray; or (c) Customer fails to give Finray prompt (5 business days) written notice of the claim.
11.2 Customer Indemnity. Customer shall defend, indemnify, and hold Finray harmless against any third-party claim arising from: (a) Customer's breach of these Terms or the AUP and/or Third-Party Service providers terms and conditions or acceptance use policies indicated in the Order Form; (b) Customer Data infringing third-party rights; (c) Customer's violation of applicable law; or (d) final compliance or regulatory decisions made by Customer based on Platform outputs.
11.3 Process. The indemnified party shall: (a) promptly notify the indemnifying party; (b) give sole control of the defence and settlement to the indemnifying party; and (c) provide reasonable cooperation at the indemnifying party's expense.
LIMITATION OF LIABILITY
12.1 Exclusion of Consequential Loss. TO THE MAXIMUM EXTENT PERMITTED BY LAW, NEITHER PARTY SHALL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE LOSS OR DAMAGE, INCLUDING LOSS OF PROFIT, LOSS OF REVENUE, LOSS OF DATA, LOSS OF GOODWILL, OR BUSINESS INTERRUPTION, REGARDLESS OF THE THEORY OF LIABILITY AND WHETHER OR NOT ADVISED OF THE POSSIBILITY OF SUCH LOSS.
12.2 Aggregate Cap. EACH PARTY'S TOTAL AGGREGATE LIABILITY UNDER OR IN CONNECTION WITH THESE TERMS, WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), BREACH OF STATUTORY DUTY, OR OTHERWISE, SHALL NOT EXCEED THE TOTAL FEES PAID OR PAYABLE BY CUSTOMER IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM.
12.3 Carve-Outs. Clauses 12.1 and 12.2 do not apply to: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; (c) wilful misconduct; (d) Customer's obligation to pay Fees; (e) Finray's IP indemnity under Clause 11.1; or (f) any liability that cannot be excluded or limited by applicable law.
12.4 Third-Party Services. Finray shall have no liability for losses arising from unavailability, inaccuracy, or discontinuation of a Third-Party Service, except where Finray has expressly committed a service level for that Third-Party Service in the Order Form.
SUSPENSION
13.1 Non-Payment. Finray may suspend Customer's access if any undisputed Fee remains unpaid fifteen (15) days after a written overdue notice. Access shall be restored promptly on receipt of outstanding amounts.
13.2 Breach. Finray may suspend Customer's access immediately if Finray reasonably believes Customer's use: (a) poses a material security risk; (b) violates the AUP or the Third-Party Service terms and conditions or acceptance use policies indicated in the Order Form; (c) breaches applicable law; or (d) could cause harm to Finray, other customers, or third parties. Finray shall notify Customer without undue delay.
13.3 Third-Party Service Suspension. Finray may suspend access to the Platfrom or a Third-Party Service if the provider requires it or if Customer's use violates the provider's terms.
TERM AND TERMINATION
14.1 Term. These Terms commence on the Effective Date and continue until the expiry or termination of all active Order Forms.
14.2 Order Form Renewal. Each Order Form auto-renews for successive equal periods unless either party gives sixty (60) days' written notice of non-renewal before the end of the then-current Subscription Term.
14.3 Termination for Breach. Either party may terminate on written notice if the other commits a material breach and (where capable of remedy) fails to remedy it within thirty (30) days of written notice specifying the breach.
14.4 Termination for Insolvency. Either party may terminate immediately on written notice if the other becomes insolvent, makes an assignment for creditors, or enters administration, receivership, or liquidation.
14.5 Effect of Termination. On termination or expiry: (a) all licences cease; (b) Customer immediately ceases all Platform use; (c) each party returns or destroys the other's Confidential Information; and (d) accrued payment obligations survive.
DATA RETURN AND EXIT
15.1 Export Window. For thirty (30) days following termination ("Exit Window"), Finray shall make Customer Data available for export in a standard machine-readable format (JSON) on written request.
15.2 Deletion. Following the Exit Window, Finray shall delete Customer Data in accordance with Part D (DPA) and its data retention policy, unless retention is required by law.
15.3 Migration Assistance. Finray shall provide reasonable exit assistance at its then-current professional services rates, agreed in a separate written scope.
15.4 Third-Party Accounts. Finray shall use reasonable efforts to assist Customer in transferring Third-Party Service accounts on termination, subject to the relevant provider's consent.
AUDIT RIGHTS
16.1 Finray Audit. No more than once per calendar year, on thirty (30) days' written notice, Finray may audit Customer's Platform use to verify compliance. Finray bears audit costs unless a material underpayment is found.
16.2 Customer and Regulatory Audit. Customer (and, where applicable, Customer's auditors or regulators) shall have the audit rights described in the Regulated Customer Addendum if that document is incorporated into the Order Form.
FORCE MAJEURE
17.1 Neither party shall be liable for delay or failure to perform any non-payment obligation under these Terms to the extent caused by a Force Majeure Event. The affected party shall notify the other as soon as reasonably practicable and use reasonable efforts to mitigate. If a Force Majeure Event continues for more than sixty (60) consecutive days, the unaffected party may terminate the relevant Order Form on written notice.
GENERAL
18.1 Governing Law. These Terms and any dispute or claim arising from or in connection with them (including non-contractual disputes or claims) shall be governed by the laws of Cyprus, without regard to conflicts of law principles.
18.2 Dispute Resolution. Disputes shall be escalated first to senior management for good-faith negotiation (30 days). If unresolved, they shall be submitted to binding arbitration under LCIA Rules, with the seat of arbitration in London and the language of proceedings in English.
18.3 Entire Agreement. These Terms and the applicable Order Form and all documents referenced in the Order Formconstitute the entire agreement between the parties on their subject matter and supersede all prior agreements and representations.
18.4 Amendments. Finray may amend these Terms from time to time by publishing an updated version on its website. Finray shall provide reasonable prior notice of any material changes. The updated Terms shall become effective on the date specified in the notice. If the other party does not agree to the amended Terms, it may terminate the agreement prior to the effective date. Continued use of the services after the effective date constitutes acceptance of the amended Terms.
18.5 Assignment. Neither party may assign these Terms without prior written consent, except that Finray may assign in connection with a merger, acquisition, or sale of all or substantially all of its assets on reasonable prior notice to Customer.
18.6 Waiver. A waiver is effective only if given in writing and shall not be deemed a waiver of any subsequent breach.
18.7 Severability. If any provision is held invalid or unenforceable, the remaining provisions continue in full force.
18.8 Notices. Notices shall be in writing and delivered by email with confirmation of delivery (except for legal proceedings), to the addresses in the Order Form.
18.9 Relationship. The parties are independent contractors. No partnership, joint venture, employment, or agency relationship is created.
18.10 Anti-Bribery. Each party warrants compliance with all applicable anti-bribery and anti-corruption legislation.
ORDER OF PRECEDENCE
19.1 In the event of conflict, the following order of precedence applies (highest first):
Order Form (including incorporated product, commercial and third-party terms)
Regulated Customer Addendum (if incorporated in the Order Form)
Part D – Data Processing Addendum
Part C – Service Levels and Support
Part B – Information Security
Part A – Master Agreement
Acceptable Use Policy
Customer Purchase Order (administrative purposes only – no legal effect on Agreement terms)
PART B – INFORMATION SECURITY
Finray operates an Information Security Management System (ISMS) certified to ISO/IEC 27001:2022 (certificate No. 215646 issued by NQA, UKAS accredited, expiration date 31/10/2028). The controls below apply to all Customer Data processed through the Platform.
Finray operates a highly resilient infrastructure on Amazon Web Services, designed to ensure continuous service availability, reduce downtime, and limit the potential for data loss.
Security Governance
Finray maintains a designated Data Protection Officer and a formal security function. The ISMS encompasses policies, procedures, risk assessments, and controls covering all aspects of Platform operation. Security policies are reviewed annually and after material changes to the threat landscape.
Data Protection Officer details:
Access Control
All Platform access requires individual authentication. Shared accounts are prohibited.
Multi-factor authentication (MFA) is mandatory for all administrative and privileged access, remote access via VPN, and direct access to systems holding Customer Data.
Role-based access control (RBAC) with least-privilege principles. Access rights are reviewed quarterly.
All access to Customer Data by Finray personnel requires prior written authorisation and is logged. Logs retained for a minimum of eighteen (18) months.
Employee access revoked within two (2) Business Days of termination or role change.
Cryptography
Data at rest: AES-256 encryption. Keys managed in a dedicated Key Management Service (KMS). Keys rotated at least annually.
Data in transit: TLS 1.2 minimum; TLS 1.3 preferred. SSLv3, TLS 1.0, and TLS 1.1 are disabled.
Database-level encryption enabled for all production data stores.
Network and Infrastructure Security
Hosting on Amazon Web Services ensures continuous use of industry-leading security capabilities.
Production environments isolated from development and staging via dedicated VPCs and network segmentation.
Web application firewalls (WAF) and next-generation firewalls (NGFW) protect Platform endpoints.
Infrastructure deployed in redundant configurations within the EU/EEA (primary), or as specified in the Order Form.
Vulnerability and Patch Management
Automated vulnerability scanning of application code performed for each code commit.
Annual penetration tests by a reputable provider. Executive summaries available to Customer on request under NDA.
Security Monitoring and Logging
All system access logged (user identity, timestamp, action, source IP, outcome).
Log retention: minimum 12 months online; 18 months archived.
Physical Security
Platform hosted in data centres maintaining ISO 27001 or SOC 2 Type II certification, with physical access controls, CCTV, 24/7 security staff, and environmental controls.
Backup and Disaster Recovery
Production databases backed up daily. Backups encrypted and stored in a geographically separate location.
Backup restoration tested quarterly. RTO and RPO as specified in Part C.
Documented BCP and DRP reviewed and tested annually.
Security Incident Management
P1 (Critical): initial response within 1 business hour; Customer notification within 4 business hours; updates every 4 business hours until resolved.
P2 (High): initial response within 4 business hours; Customer notification within 24 hours; daily updates.
P3/P4: addressed per change management process; Customer notified within 72 hours where Personal Data is involved.
Post-incident report for P1 and P2 incidents provided within fifteen (15) Business Days of resolution.
Human Resources Security
Background checks on all personnel with access to Customer Data, subject to applicable law.
Mandatory information security awareness training at onboarding and annually thereafter.
PART C – SERVICE LEVELS AND SUPPORT
Availability Commitment
1.1 Finray commits to Platform availability ("Uptime") of not less than 99.5% per calendar month for the Production Environment.
1.2 Availability is measured as: ((Total minutes in month – Downtime minutes) / Total minutes in month) × 100. "Downtime" excludes: Scheduled Maintenance; unavailability caused by Customer's own systems or actions; Force Majeure Events; Third-Party Service unavailability where no specific SLA pass-through applies; and DDoS attacks directed at Platform infrastructure.
1.3 Sandbox environments are provided on a best-efforts basis and are not subject to the Availability Commitment.
Service Credits
Where Finray fails to meet the Availability Commitment, Customer is entitled to Service Credits calculated as a percentage of the monthly Subscription Fee:
2.1 Service Credits must be claimed within thirty (30) days of the month-end in which the SLA breach occurred. Credits are applied against the next invoice; not refundable in cash. Service Credits are Customer's sole remedy for Availability Commitment failures. Maximum credits in any month: 20% of the monthly Subscription Fee.
2.2 If Finray fails to achieve 97.99% availability for three (3) or more consecutive calendar months, Customer may terminate the affected Order Form on thirty (30) days' written notice and receive a pro-rated refund of pre-paid Fees for the unexpired Subscription Term.
Scheduled Maintenance
3.1 Finray shall give not less than seventy-two (72) hours' advance notice for maintenance expected to cause unavailability via the Platform status page and email to Customer's named contacts. Emergency maintenance may occur outside the standard window with minimum two (2) hours' notice.
Incident Priority and Response
4.1 Post-incident reports for P1 and P2 incidents delivered within fifteen (15) Business Days of resolution.
Support Channels
Business Continuity and Recovery Objectives
6.1. Production databases are backed up daily and retained for a minimum of thirty (30) days (unless otherwise agreed in writing in the Order Form) in an encrypted, geographically separate location. Finray tests disaster recovery capability at least annually.
6.2 Supporting provisions:
Finray maintains automated backup procedures for all production data, performed at least daily, with incremental backups aligned to the RPO target.
All backups are encrypted in transit and at rest and stored in geographically separate locations to ensure resilience against localized failures.
Finray implements disaster recovery procedures designed to meet the stated RTO and RPO targets under normal operating conditions.
Disaster recovery capability is tested at least annually, including restoration of systems and validation of data integrity.
Access to backup systems and recovery processes is restricted and controlled in accordance with Finray’s information security policies.
PART D – DATA PROCESSING ADDENDUM
This Part D governs Finray's processing of Personal Data on Customer's behalf in connection with the Platform and applies to all active Order Forms. In the event of conflict between this Part D and any other Part of these Terms, this Part D prevails with respect to data protection matters.
Roles
1.1 Customer is the Controller (or equivalent) of Personal Data included in Customer Data. Finray acts as the Processor (or equivalent) and processes such Personal Data only on Customer's Processing Instructions, as set out in this Part D and the Order Form, unless required otherwise by applicable law.
1.2 Where Finray processes Personal Data for its own purposes (e.g., to manage the contractual relationship with Customer), Finray acts as Controller for that processing, governed by Finray's privacy policy at https://finray.tech/privacy-policy
Processing Details
Processor Obligations
3.1 Finray shall process Personal Data only on Customer's Processing Instructions. Where applicable law requires processing beyond Customer's instructions, Finray shall notify Customer before such processing (unless prohibited by law).
3.2 Finray shall ensure that persons authorised to process Personal Data are subject to appropriate confidentiality obligations.
3.3 Finray shall implement and maintain the technical and organisational measures described in Part B.
3.4 Finray shall assist Customer to fulfil Data Subject rights requests (access, rectification, erasure, restriction, portability, objection) within the timeframes required by applicable Data Protection Law.
3.5 Finray shall notify Customer without undue delay, and in any event within fourty-eight (48) hours of becoming aware, of any Personal Data breach. Notification shall include: nature of the breach; categories and approximate number of affected Data Subjects and records; likely consequences; and measures taken or proposed.
3.6 Finray shall assist Customer with any data protection impact assessment required under applicable Data Protection Law, to the extent Finray has relevant information.
Controller Obligations
4.1 Customer warrants that all personal data supplied to Finray under this Agreement complies fully with applicable Data Protection Legislation, including requirements relating to its collection, storage, and processing. This includes ensuring that appropriate fair processing notices have been provided and that all necessary consents have been obtained from the relevant data subjects. Customer acknowledges that Finray is not obligated under this clause to verify, review, or monitor the accuracy, content, or the Customer’s use of any personal data. Accordingly, Vendor accepts no liability or responsibility, whether direct or indirect, arising from the accuracy, content, or the Customer’s use of such personal data.
4.2. Customer shall ensure that its clients, or any other individuals it intends to screen using the Platform, are informed that their Personal Data may be shared with third-party providers for the Customer’s legal and compliance purposes.
4.3 Customer shall only provide Finray with personal data that is reasonably necessary for the provision of the Services.
Sub-Processors
5.1 Customer provides general written authorisation for Finray to engage Sub-Processors. Current Sub-Processors are listed at https://xziel.com/subprocessors.
5.2 Finray shall give Customer not less than thirty (30) days' prior notice before adding a new Sub-Processor or materially changing an existing one. Customer may object on reasonable data protection grounds within fourteen (14) days. If unresolved within thirty (30) days, Customer may terminate the relevant Order Form on written notice with a pro-rated refund of pre-paid Fees.
5.3 Finray shall impose data protection obligations on each Sub-Processor no less protective than those in this Part D and remains liable for Sub-Processor performance.
5.4 Notwithstanding the above, certain third parties listed as Sub-Processors in clause D.5.1 may, depending on the factual and contractual arrangements in place with the Customer, qualify as independent processors of Personal Data under Data Protection Law. Such classification shall apply where the Customer maintains a direct contractual relationship with the relevant third party and such third party processes Personal Data under the Customer’s instructions rather than solely on behalf of Finray, as well as other criteria set forth by the Data Protection Law. In such cases, Finray’s obligations under this Part D.5 shall apply only to the extent that Finray acts as a processor in relation to such third party, and not where the third party operates as an independent separate processor directly engaged by the Customer.
International Transfers
6.1 EEA Transfers. For transfers of EEA Personal Data to Finray in a country lacking EU adequacy recognition, the Standard Contractual Clauses (Module 2: Controller to Processor) are incorporated into this Part D. Annex I details are as set out in this Part D; Annex II technical measures are as set out in Part B.
6.2 UK Transfers. For UK Personal Data transfers, the ICO International Data Transfer Addendum (IDTA v B1.0) is incorporated, with completion tables as set out in the Order Form.
6.3 Swiss Transfers. For transfers of Swiss Personal Data: (a) references to GDPR in this Part D and the SCCs shall be read as references to the revFADP to the extent applicable; (b) references to the EU or EEA shall include Switzerland; (c) references to the European Data Protection Board shall be read as including the Swiss FDPIC; and (d) Finray shall notify the FDPIC of data breaches where required by the revFADP.
6.4 Subject to the Customer’s prior written consent, Finray may transfer personal data to any country, provided that such transfers (where required under Data Protection Legislation) are implemented in accordance with this Section D.6 and in full compliance with applicable Data Protection Legislation. For the purposes of this clause 4.6.1, the Customer is deemed to have provided written consent for transfers to the processing locations of Sub-Processors appointed pursuant to clause D.5.1 of this Agreement.
Audit and Information Rights
7.1 Finray shall provide Customer with information reasonably necessary to demonstrate compliance with this Part D and shall assist with audits of Finray's data processing activities: (a) no more than once per calendar year unless required by a supervisory authority; (b) on not less than thirty (30) days' prior written notice; (c) during normal business hours with minimum disruption; and (d) at Customer's cost; e) ensuring that all information obtained or generated by the Customer or its auditor in connection to such requests are kept strictly confidential.
Return and Deletion
8.1 On termination or expiry, Finray shall, at Customer's election, return all Personal Data in standard machine-readable format within the Exit Window, or delete and confirm deletion in writing. Finray may retain Personal Data to the extent required by applicable law, notifying Customer of any such retention.