Terms of Service.

These terms become binding when you (a) create a CertiFlow account, (b) start a free trial, or (c) start a paid subscription — whichever happens first. If you are accepting on behalf of an organisation, you confirm you have authority to bind that organisation.

If you do not accept these terms, do not create an account, do not start a trial, and do not subscribe.

CertiFlow is a software-as-a-service platform for compliance evidence management. It provides framework mapping, AI-assisted evidence drafting, a tamper-evident audit log, an external auditor view, and a public Trust Center. Specific features and limits depend on the tier you subscribe to as published on /pricing.

We aim for high availability and respond to incidents promptly. Live operational status is published at /status. Formal service-level commitments apply only at Assurance and Governance tiers, defined in the relevant Order Form.

You agree to (a) provide accurate registration information, (b) keep your password and any keys derived from your master passphrase confidential, (c) enable multi-factor authentication where offered, and (d) notify us promptly if you suspect a credential compromise.

Because evidence on CertiFlow is held under Zero-Knowledge Encryption, we cannot recover your decryption key for you. If you lose your master passphrase and have not securely stored a recovery kit, your encrypted evidence is unrecoverable. Please treat your passphrase and recovery kit with appropriate care.

Billing. Annual subscriptions are billed in advance on signup and on each renewal date. Framework modules added mid-year are pro-rated to the renewal date.

Renewals. Subscriptions renew automatically on the anniversary of signup unless cancelled in writing at least 30 days before renewal.

Refunds. Pro-rated refunds are available within 14 days of a renewal charge if you contact sales@certiflow.com with the reason. Trials are free; no refund applies because no payment was taken.

Late payment. Invoices unpaid 30 days after the due date may result in suspension of access until cleared. Audit-log read access and evidence export remain available throughout suspension so you do not lose your compliance posture.

Everything you upload, write, or generate on CertiFlow remains yours. We do not claim any ownership of your evidence, your control descriptions, your generated audit text, or your metadata. You grant us a limited, revocable licence to host, process, transmit, display, and back up your content solely for the purpose of delivering the service.

Because your evidence is held under Zero-Knowledge Encryption, we receive ciphertext only. We are technically incapable of reading your evidence content, training models on it, or repurposing it.

CertiFlow trademarks, source code, public documentation, and the platform itself remain ours.

You agree not to:

• Use the service in violation of applicable law or regulation
• Attempt to break authentication, RLS, encryption, or the tamper-evident audit chain
• Upload malware, child sexual abuse material, or content that infringes a third-party right
• Reverse-engineer the platform except where permitted by law
• Use the service to send spam, conduct denial-of-service attacks, or scrape data from other tenants
• Resell or sublicense the platform without a written reseller agreement (see partners@certiflow.com for the partner programme)

Security researchers acting in good faith under our security disclosure policy are explicitly excluded from the “attempt to break” clause for the duration of the disclosure.

By you. Cancel at any time via the in-app settings or by emailing sales@certiflow.com. Cancellation takes effect at the end of the current paid period. You retain access to evidence export tools for 30 days after cancellation.

By us. We may suspend or terminate accounts that violate Section 06 (Acceptable use), or that have been unpaid for 60+ days. We will provide written notice and a reasonable opportunity to cure where the law allows.

After termination. Account data is retained for 90 days post-closure to allow re-activation, then deleted from production. Audit-log entries are retained per the compliance-frame retention period applicable to your industry. See the Privacy notice for full retention detail.

Audit outcome. CertiFlow assists with compliance evidence collection and presentation. We do not guarantee that you will pass any specific audit; the audit outcome depends on the underlying quality of your controls, your auditor’s judgement, and factors outside our control.

AI-generated content. The AI evidence engine produces draft text intended to be reviewed by you before submission to an auditor. Generated text should be reviewed for factual accuracy, terminology, and applicability to your specific environment. You remain responsible for what you submit.

Service availability. Except for SLA commitments at Assurance and Governance tiers, the service is provided “as available” with no uptime guarantee. Live status is published at /status.

To the extent permitted by law, our aggregate liability arising from or related to the service is limited to the fees you paid for the service in the 12 months preceding the event giving rise to liability. We are not liable for indirect, incidental, special, consequential, or punitive damages including lost profits, lost revenue, lost data, or business interruption.

This limitation does not apply to (a) liability for death or personal injury caused by negligence, (b) fraud or fraudulent misrepresentation, or (c) any other liability that cannot be excluded under Swiss law.

You agree to indemnify us against third-party claims arising from your content or your use of the service in violation of these terms. We agree to indemnify you against third-party claims that the CertiFlow platform itself (excluding your content and any modifications) infringes a third party’s intellectual property rights, subject to the liability cap in Section 09.

These terms are governed by Swiss substantive law, excluding its conflict-of-laws rules and excluding the United Nations Convention on Contracts for the International Sale of Goods (CISG).

Any dispute arising from these terms or the service shall be submitted to the exclusive jurisdiction of the courts of Geneva, Switzerland. For Assurance and Governance tier customers, the Order Form may specify an alternative venue or arbitration mechanism.