These B2B and API Terms of Service ("B2B Terms") constitute a legally binding agreement between the entity identified during onboarding ("Customer," "you," or "your") and Zelfium Inc. (ゼルフィウム株式会社), a company incorporated in Tokyo, Japan ("Zelfium," "we," "us," or "our"). These B2B Terms govern Customer's access to and use of the Zelfium application programming interfaces ("APIs"), including SymbolMAG API, Libra API, and Affinia API, and all related documentation, tools, SDKs, and services (collectively, the "Services").
By executing an Order Form that references these B2B Terms, or by accessing any Zelfium API, Customer agrees to be bound by these B2B Terms, the Privacy Policy, the Acceptable Use Policy, and any applicable Data Processing Agreement ("DPA"). In the event of a conflict between these B2B Terms and an Order Form, the Order Form shall prevail with respect to the subject matter of that Order Form.
IMPORTANT NOTICE REGARDING HIGH-RISK AI SYSTEMS: If Customer intends to use the Libra API for any employment-related, insurance, credit, educational placement, or other consequential decision-making purpose, Customer is classified as a "deployer" of a high-risk AI system under Regulation (EU) 2024/1689 (the "EU AI Act") and assumes all corresponding deployer obligations as set forth in Section 7 of these B2B Terms. Failure to comply with deployer obligations may result in regulatory fines of up to 3% of worldwide annual turnover and immediate termination of this Agreement.
1. Definitions & Scope
1.1 Definitions
In these B2B Terms, the following terms have the meanings set forth below:
- "API" means the Zelfium application programming interfaces, including SymbolMAG API, Libra API, and Affinia API, through which Customer accesses the Services programmatically.
- "Assessment Data" means the raw responses provided by End Users to the 77 Likert-scale questions, together with associated response-time metadata.
- "Authorized User" means an individual employee or contractor of Customer who is authorized by Customer to access the Services under Customer's account.
- "Confidential Information" means any information disclosed by either party that is designated as confidential or that, given the nature of the information or the circumstances of disclosure, should reasonably be considered confidential, including trade secrets, business plans, algorithms, scoring methodologies, and unpublished API specifications.
- "Consequential Decision" means any decision that materially affects an individual's access to or terms of employment, insurance, credit, education, housing, or public services.
- "Customer" means the legal entity that executes an Order Form or otherwise agrees to these B2B Terms.
- "Deployment Purpose Declaration" means the written statement submitted by Customer during onboarding that describes the specific use case(s) for which Customer intends to use the Services, including the categories of End Users, the types of decisions informed by assessment results, and the jurisdictions in which the Services will be deployed.
- "End User" means any natural person whose personality is assessed through the Services at Customer's direction, including job applicants, employees, students, and consumers.
- "High-Risk Use Case" means any use of the Services that falls within Annex III of the EU AI Act, including but not limited to: (a) employment, workers management, and access to self-employment (Annex III, point 4); (b) access to and enjoyment of essential private and public services and benefits (Annex III, point 5); and (c) education and vocational training (Annex III, point 3).
- "Order Form" means a mutually executed document that references these B2B Terms and specifies the Services, fees, term, and other commercial details.
- "Profile Data" means the personality profile generated from Assessment Data, comprising 8 main scales, 16 subscales, and 41 components, together with any narrative descriptions, scores, or visualizations derived therefrom.
- "Responsible Person" means the individual designated by Customer who has the competence, training, and authority to review, validate, and override AI-generated recommendations before any Consequential Decision is made.
- "SymbolMAG" means Zelfium's proprietary personality assessment methodology, including its psychometric models, scoring algorithms, question design, normative data, and factor structures.
1.2 Scope
These B2B Terms apply exclusively to business-to-business access to the Zelfium APIs. Individual consumer use of Zelfium products is governed by the consumer Terms of Service. Where Customer integrates the Services into its own products or platforms, Customer is solely responsible for ensuring that its own terms of service and privacy notices comply with applicable law.
2. Eligibility & Onboarding
2.1 Eligibility
The Services are available only to legal entities that (a) are duly organized and validly existing under the laws of their jurisdiction of incorporation, (b) have the legal capacity to enter into binding agreements, and (c) are not subject to sanctions administered by the United Nations, the European Union, the United States, or Japan.
2.2 Deployment Purpose Declaration
Before API credentials are issued, Customer must submit a completed Deployment Purpose Declaration that specifies:
- The specific products or services into which the API will be integrated;
- The categories of End Users who will be assessed (e.g., job applicants, employees, consumers, students);
- The types of decisions that will be informed, in whole or in part, by assessment results;
- The jurisdictions in which the Services will be deployed; and
- Whether any intended use constitutes a High-Risk Use Case under the EU AI Act or analogous legislation in any applicable jurisdiction.
2.3 Risk Classification
Based on the Deployment Purpose Declaration, Zelfium will classify Customer's intended use as either:
- Limited-Risk: Personal development, team dynamics, coaching, career exploration (advisory only), relationship compatibility insights, and similar non-consequential use cases; or
- High-Risk: Any use case that constitutes or contributes to a Consequential Decision, including employment screening, insurance underwriting, credit assessments, and educational placement.
High-Risk classification triggers enhanced obligations under Sections 7, 8, and 9 of these B2B Terms. Customer acknowledges that Zelfium's risk classification does not relieve Customer of its independent obligation to assess and comply with all applicable regulatory requirements.
2.4 Obligation to Update
Customer must promptly notify Zelfium in writing if its intended use of the Services changes in any material respect from the Deployment Purpose Declaration. Any expansion into a High-Risk Use Case without prior written approval from Zelfium constitutes a material breach of these B2B Terms.
3. Permitted Use Cases
3.1 Approved Use Cases
The following use cases are approved for all Customers without additional requirements beyond these B2B Terms:
- Personal development and self-awareness tools
- Team dynamics analysis and organizational development
- Executive coaching and leadership development programs
- Career exploration and pathing in an advisory, non-binding capacity
- Relationship and interpersonal compatibility insights (Affinia API)
- Academic research (with appropriate ethical review)
3.2 Restricted Use Cases
The following use cases require prior written approval from Zelfium, execution of supplemental terms, and implementation of enhanced controls as specified in Sections 7, 8, and 9:
- Employment screening and selection: Use of assessment results as one factor among multiple criteria in hiring decisions, provided that mandatory human oversight is implemented
- Insurance underwriting: Use of personality assessments as a supplementary data point in risk evaluation, subject to applicable insurance regulations
- Educational placement: Use of assessments to inform academic program recommendations or student support services
- Workforce management: Use of assessments to inform team composition, role assignment, or professional development planning for existing employees
3.3 Prohibited Use Cases
The following uses are strictly prohibited under all circumstances, and any such use constitutes a material breach entitling Zelfium to immediately terminate this Agreement:
- Sole-basis decision-making: Using assessment results as the sole or determinative basis for any hiring, termination, promotion, demotion, or other employment decision
- Automated denial of benefits: Using assessment results to automatically deny, restrict, or set pricing for insurance coverage, credit, loans, housing, or public services without human review
- Discriminatory profiling: Using assessment results to profile, categorize, or discriminate against individuals on the basis of race, ethnicity, gender, sexual orientation, religion, disability, national origin, age, or any other protected characteristic
- Law enforcement and criminal justice: Use of the Services by law enforcement agencies for criminal profiling, risk assessment in bail or sentencing decisions, or predictive policing
- Social scoring: Using assessment results to generate a social trustworthiness score or comparable general-purpose rating of natural persons
- Manipulation: Using personality profiles to manipulate, exploit, or deceive End Users or to target individuals based on psychological vulnerabilities
- Surveillance: Continuous or covert personality monitoring of individuals without their informed consent
- Military and weapons systems: Integration of the Services into any weapons system, military targeting, or defense intelligence application
4. API Access & Credentials
4.1 API Keys
Upon successful onboarding and risk classification, Zelfium will issue API credentials ("API Keys") to Customer. API Keys are confidential, non-transferable, and must be treated as Confidential Information. Customer shall:
- Store API Keys securely using industry-standard secret management practices (e.g., environment variables, hardware security modules, or dedicated secret managers);
- Never embed API Keys in client-side code, public repositories, or unencrypted storage;
- Restrict access to API Keys to Authorized Users on a need-to-know basis; and
- Immediately notify Zelfium of any suspected or actual unauthorized access to or use of API Keys.
4.2 Rate Limits
The Services are subject to rate limits as specified in the applicable Order Form and API documentation. Zelfium reserves the right to throttle or temporarily suspend API access if Customer exceeds rate limits or if continued access threatens system stability or performance for other customers.
4.3 API Versioning & Deprecation
Zelfium will provide at least ninety (90) days' prior written notice before deprecating any API version. During the deprecation period, the deprecated version will continue to function. Zelfium will provide migration guides and reasonable technical support to facilitate Customer's transition to the successor version. In exceptional circumstances involving critical security vulnerabilities, Zelfium may shorten the deprecation period with as much notice as is reasonably practicable.
4.4 Customer Responsibilities
Customer is solely responsible for (a) the security of its own systems and infrastructure that interact with the Services, (b) all activity that occurs under its API Keys, and (c) ensuring that its Authorized Users comply with these B2B Terms.
5. Data Processing
5.1 Controller-Processor Relationship
For the purposes of the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and Japan's Act on the Protection of Personal Information ("APPI"):
- Customer is the data controller (or "business operator handling personal information" under APPI) with respect to End User personal data submitted through the Services;
- Zelfium is the data processor (or "trustee" under APPI) and processes End User personal data solely on Customer's documented instructions and for the purposes described in the Deployment Purpose Declaration.
5.2 Data Processing Agreement
The parties' respective obligations regarding the processing of personal data are set forth in the Data Processing Agreement ("DPA"), which is incorporated into these B2B Terms by reference. In the event of a conflict between these B2B Terms and the DPA regarding data processing, the DPA shall prevail.
5.3 Purpose Limitation
Assessment Data and Profile Data shall be processed exclusively for the purposes declared in the Deployment Purpose Declaration. Zelfium will not process End User data for any purpose other than providing the Services to Customer, unless required by applicable law.
5.4 Sub-Processors
Zelfium engages the following categories of sub-processors in the delivery of the Services:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database hosting and storage | United States |
| Stripe Inc. | Payment processing | United States |
| OpenAI (GPT-4o, zero-retention) | AI narrative generation | United States |
| Vercel Inc. | Application hosting and CDN | United States |
Zelfium will provide Customer with at least thirty (30) days' prior notice before engaging any new sub-processor or materially changing the scope of an existing sub-processor's processing activities. Customer may object to a new sub-processor in accordance with the DPA.
5.5 Data Retention
Assessment Data is retained for the period specified in the applicable Order Form or DPA. In the absence of a specified period, Assessment Data is retained for ninety (90) days after processing and then automatically deleted. Profile Data is retained for the duration of the Agreement unless earlier deletion is requested by Customer or required by applicable law.
5.6 Cross-Border Transfers
Where End User personal data originates in the European Economic Area, the United Kingdom, or Japan and is transferred to sub-processors located in third countries, Zelfium ensures that appropriate safeguards are in place, including Standard Contractual Clauses (EU Commission Decision 2021/914) or other legally recognized transfer mechanisms.
6. End-User Rights Pass-Through
6.1 Transparency Obligation
Customer must provide End Users with clear, conspicuous, and intelligible disclosure before any assessment is conducted. Such disclosure must include, at a minimum:
- That the End User will be subject to an AI-powered personality assessment;
- The specific purpose for which the assessment results will be used;
- Whether assessment results will inform any Consequential Decision;
- How the End User can exercise their data subject rights; and
- Contact information for both Customer (as controller) and Zelfium (as processor).
6.2 Facilitating Data Subject Rights
Customer must implement processes to facilitate End Users' exercise of their rights under applicable data protection law, including the right of access, rectification, erasure, data portability, restriction of processing, and objection. Customer shall respond to data subject requests within the timeframes required by applicable law (e.g., one month under GDPR, two weeks under APPI).
6.3 Direct Access to Zelfium
Customer shall not prevent, impede, or discourage End Users from exercising their rights directly against Zelfium. If Zelfium receives a data subject request from an End User whose data was submitted by Customer, Zelfium will (a) promptly notify Customer, (b) provide reasonable cooperation to Customer in responding to the request, and (c) not respond directly to the End User without Customer's authorization, except where required by applicable law.
6.4 Consent Management
Where End User consent is required as the legal basis for processing (including under EU AI Act Article 26(10) for High-Risk Use Cases), Customer is solely responsible for obtaining, recording, and managing such consent. Customer warrants that all consents obtained are freely given, specific, informed, and unambiguous.
7. EU AI Act Deployer Obligations (Art. 26)
This Section 7 applies when Customer deploys any Zelfium API for a High-Risk Use Case, including but not limited to employment-related decisions under Annex III, point 4 of the EU AI Act. Customer acknowledges and agrees that deployment of the Libra API for employment screening, recruitment, or workforce management constitutes use of a high-risk AI system, and Customer assumes all obligations of a "deployer" under Article 26 of the EU AI Act.
7.1 Fundamental Rights Impact Assessment
Before commencing any High-Risk deployment, Customer must conduct and document a Fundamental Rights Impact Assessment ("FRIA") in accordance with Article 27 of the EU AI Act. The FRIA must:
- Describe the deployer's processes in which the AI system will be used;
- Describe the period of time within which, and the frequency with which, the AI system is intended to be used;
- Identify the categories of natural persons and groups likely to be affected;
- Assess the specific risks of harm to the identified categories of persons, having regard to information provided by the AI system provider (Zelfium);
- Describe the implementation of human oversight measures; and
- Describe the measures to be taken where identified risks materialize.
Customer must submit a copy of the completed FRIA to Zelfium before API access is activated for any High-Risk Use Case, and must update the FRIA at least annually or whenever there is a material change in deployment circumstances.
7.2 Human Oversight
Customer must implement human oversight measures in accordance with the instructions for use provided by Zelfium and Article 26(2) of the EU AI Act. At a minimum, Customer must:
- Designate a Responsible Person (or persons) with the competence, training, and authority required by Article 26(2);
- Ensure that the Responsible Person reviews every AI-generated recommendation before a Consequential Decision is made;
- Ensure that the Responsible Person has the ability and authority to override or disregard the AI system's output;
- Ensure that the Responsible Person is not subject to automation bias and understands the capabilities and limitations of the AI system; and
- Document each instance where the Responsible Person overrides an AI-generated recommendation.
7.3 Transparency to Affected Individuals
In accordance with Article 26(7) of the EU AI Act, Customer must inform all individuals who are subject to AI assessment that they are interacting with or being assessed by an AI system. This notification must be provided before the assessment begins and must include:
- The fact that an AI system is being used to assess them;
- A description of what the AI system evaluates;
- The purpose for which the assessment will be used; and
- The individual's right to an explanation of the AI system's output and their right to object.
7.4 Logging & Record-Keeping
Customer must maintain logs of the AI system's operation for a minimum period of six (6) months, or such longer period as required by Article 26(6) of the EU AI Act or applicable national implementing legislation. Logs must be maintained in a format that allows for auditing by competent supervisory authorities.
7.5 Incident Reporting
Customer must report to Zelfium any serious incident arising from the use of the Services, including any incident involving harm to health, safety, or fundamental rights of natural persons, within twenty-four (24) hours of becoming aware of such incident. Zelfium will cooperate with Customer in reporting such incidents to the relevant market surveillance authority in accordance with Article 26(5) of the EU AI Act.
7.6 Zelfium's Provider Obligations
As the provider of the AI system, Zelfium will make available to Customer:
- Technical documentation describing the AI system's intended purpose, capabilities, and limitations;
- Instructions for use, including recommended human oversight measures;
- Risk assessment documentation relevant to Customer's FRIA;
- Information about the system's performance, including known biases and accuracy metrics; and
- Reasonable cooperation in Customer's compliance with deployer obligations under the EU AI Act.
8. Prohibited Discriminatory Use
8.1 Non-Discrimination Warranty
Customer represents and warrants that it will not use assessment results generated by any Zelfium API as the sole, primary, or determinative basis for any Consequential Decision affecting any natural person. Assessment results must be used only as one factor among multiple independent criteria, and must never override or substitute for qualified human judgment.
8.2 Annual Disparate Impact Audit
If Customer uses any Zelfium API for a Restricted Use Case (Section 3.2), Customer must conduct an annual disparate impact analysis in accordance with the following standards:
- EEOC Four-Fifths Rule: The selection rate for any protected group must be at least 80% (four-fifths) of the selection rate for the group with the highest selection rate, as defined in the Uniform Guidelines on Employee Selection Procedures (29 CFR Part 1607);
- EU Non-Discrimination Standards: Analysis must cover all protected characteristics under EU anti-discrimination directives (Directives 2000/43/EC and 2000/78/EC), including race, ethnicity, religion, disability, age, sexual orientation, and gender;
- Statistical Significance: Where sample sizes are sufficient, Customer must apply appropriate statistical tests (e.g., chi-square, Fisher's exact test) to determine whether observed disparities are statistically significant; and
- Intersectional Analysis: Where data permits, Customer must analyze potential disparate impact at the intersection of multiple protected characteristics.
8.3 Audit Reporting
Customer must make the results of each annual disparate impact audit available to Zelfium within thirty (30) days of completion, upon written request. Zelfium will treat audit results as Customer's Confidential Information.
8.4 Remediation
If any disparate impact audit reveals that the use of assessment results has a discriminatory effect on any protected group:
- Customer must notify Zelfium within seven (7) days of the finding;
- Customer must implement mitigation measures within thirty (30) days, which may include adjusting decision-making criteria, increasing human oversight, or modifying the weight assigned to assessment results; and
- If Customer fails to implement effective mitigation within the thirty (30) day period, Customer must immediately cease using the Services for the affected use case.
8.5 Zelfium's Audit Right
Zelfium reserves the right to audit Customer's use of the Services for compliance with this Section 8. Such audit may be conducted by Zelfium or by an independent third-party auditor selected by Zelfium. Audits will be conducted during normal business hours, with reasonable prior notice, and no more than once per twelve (12) month period (except in response to a credible allegation of non-compliance). Customer must cooperate fully with any such audit.
9. Human Oversight Requirements
9.1 Mandatory Human Review
All Consequential Decisions informed by assessment results from any Zelfium API must involve qualified human review. Automated decision-making that produces legal effects or similarly significantly affects individuals without meaningful human intervention is prohibited.
9.2 Responsible Person Designation
Customer must designate at least one Responsible Person for each High-Risk Use Case. The Responsible Person must:
- Possess relevant professional qualifications (e.g., HR certification, psychology credentials, or equivalent domain expertise);
- Complete Zelfium's deployer training program, covering the capabilities, limitations, and known biases of the AI system;
- Have the organizational authority to approve, reject, or modify AI-generated recommendations;
- Not be subject to incentive structures that penalize overriding AI recommendations; and
- Be identified to Zelfium by name and role in the Deployment Purpose Declaration.
9.3 Mandatory Review Points
Human review by the Responsible Person is required before any of the following actions are taken in reliance on assessment results:
- Hiring, rejection, or shortlisting of a job candidate;
- Termination, demotion, or material change in employment conditions;
- Denial, restriction, or pricing of insurance coverage;
- Denial or modification of credit or lending terms;
- Educational placement or program eligibility decisions; and
- Any other decision that materially affects an individual's rights, opportunities, or access to services.
9.4 Override Documentation
Customer must maintain a written record of each instance where the Responsible Person overrides, modifies, or rejects an AI-generated recommendation. Records must include the date, the identity of the Responsible Person, the AI system's recommendation, the final decision, and the rationale for any deviation. Records must be retained for a minimum of three (3) years.
9.5 Training & Competence
Customer must ensure that all Authorized Users who interact with assessment results in connection with Consequential Decisions receive appropriate training on AI literacy, the limitations of personality assessments, and the risks of automation bias. Zelfium will provide training materials and, upon request, conduct training sessions at commercially reasonable rates.
10. Intellectual Property
10.1 Zelfium IP
Zelfium and its licensors retain all right, title, and interest in and to the Services, including all intellectual property rights therein. The SymbolMAG methodology, including its psychometric models, scoring algorithms, question design, normative data, and factor structures, constitutes Zelfium's trade secret and proprietary information. Nothing in these B2B Terms grants Customer any right, title, or interest in the Services except the limited license expressly set forth herein.
10.2 Three-Tier Information Classification
Zelfium classifies SymbolMAG-related information into three tiers:
- Public: Scale names (8 main scales), subscale names (16 subscales), component names (41 components), and general methodology descriptions available in published documentation. May be referenced in Customer's public-facing materials.
- Restricted: Scoring algorithms, question weighting, normative data, and statistical parameters. Shared with Customer only under a separate non-disclosure agreement and solely to the extent necessary for Customer's authorized use.
- Confidential: Raw factor loadings, proprietary psychometric models, validation study data, and internal research methodologies. Never disclosed to Customer under any circumstances.
10.3 License Grant
Subject to Customer's compliance with these B2B Terms, Zelfium grants Customer a limited, non-exclusive, non-transferable, non-sublicensable, revocable license to access and use the Services during the term of the Agreement solely for the purposes described in the Deployment Purpose Declaration.
10.4 Restrictions
Customer shall not:
- Reverse engineer, decompile, disassemble, or otherwise attempt to derive the source code, algorithms, or underlying methodology of the Services;
- Develop, train, or calibrate any competing personality assessment, psychometric instrument, or derivative assessment tool using the Services, Assessment Data, Profile Data, or any information obtained through the Services;
- Remove, obscure, or alter any intellectual property notices or proprietary legends in the Services;
- Sublicense, resell, or redistribute the Services or API access to any third party without Zelfium's prior written consent; or
- Use the Services to build a product or service that competes with or substitutes for any Zelfium product or service.
10.5 Customer Data
As between the parties, Customer retains all right, title, and interest in and to Customer's data, including Assessment Data and any data submitted to the Services by Customer or its End Users. Customer grants Zelfium a limited, non-exclusive license to process such data solely for the purpose of providing the Services.
10.6 Feedback
If Customer provides suggestions, feature requests, or other feedback regarding the Services ("Feedback"), Zelfium may use such Feedback without restriction or obligation. Customer hereby assigns to Zelfium all right, title, and interest in any Feedback.
11. Confidentiality
11.1 Obligations
Each party (the "Receiving Party") agrees to (a) hold the other party's (the "Disclosing Party") Confidential Information in strict confidence, (b) not disclose Confidential Information to any third party except as expressly permitted herein, and (c) use Confidential Information only for the purposes of exercising rights or performing obligations under these B2B Terms. The Receiving Party may disclose Confidential Information to its employees, contractors, and professional advisors who have a need-to-know and who are bound by confidentiality obligations at least as protective as those set forth herein.
11.2 Exceptions
Confidential Information does not include information that:
- Is or becomes publicly available through no fault of the Receiving Party;
- Was rightfully in the Receiving Party's possession before disclosure by the Disclosing Party;
- Is independently developed by the Receiving Party without reference to the Disclosing Party's Confidential Information; or
- Is rightfully received from a third party without restriction on disclosure.
11.3 Compelled Disclosure
If the Receiving Party is compelled by law, regulation, or legal process to disclose Confidential Information, it must (a) provide prompt written notice to the Disclosing Party (to the extent legally permitted), (b) cooperate with the Disclosing Party's efforts to obtain a protective order, and (c) disclose only the minimum amount of Confidential Information required.
11.4 Survival
The confidentiality obligations set forth in this Section 11 shall survive termination or expiration of these B2B Terms for a period of three (3) years, provided that obligations with respect to trade secrets (including SymbolMAG Confidential-tier information) shall survive for so long as such information qualifies as a trade secret under applicable law.
12. Fees & Payment
12.1 Fee Structure
Fees for the Services are set forth in the applicable Order Form and may include:
- Subscription fees: Recurring monthly or annual fees for platform access and included API call volumes;
- Usage-based fees: Per-assessment fees for API calls exceeding the included volume; and
- Professional services fees: Fees for onboarding support, training, custom integrations, and other professional services as agreed in the Order Form.
12.2 Payment Terms
Unless otherwise specified in the Order Form, all fees are due net thirty (30) days from the date of invoice. Payments are processed through Stripe. For enterprise customers with approved credit, payment may be made by wire transfer to Zelfium's designated bank account.
12.3 Late Payments
Overdue amounts bear interest at the lesser of one and one-half percent (1.5%) per month or the maximum rate permitted by applicable law. In addition, Customer shall reimburse Zelfium for all reasonable costs of collection, including attorneys' fees.
12.4 Taxes
All fees are exclusive of applicable taxes, duties, and levies. Customer is responsible for all taxes arising from these B2B Terms, except for taxes based on Zelfium's net income. If Zelfium is required to collect or remit taxes on Customer's behalf, Zelfium will invoice Customer for such taxes, and Customer will pay them in accordance with this Section 12.
12.5 Price Changes
Zelfium may adjust fees upon sixty (60) days' prior written notice. Fee changes take effect at the start of the next renewal term. If Customer does not agree to a fee increase, Customer may terminate the Agreement by providing written notice before the increased fees take effect.
12.6 Suspension for Non-Payment
If Customer's account is more than fifteen (15) days past due, Zelfium may suspend access to the Services upon ten (10) days' prior written notice to Customer. Suspension does not relieve Customer of its payment obligations.
13. Service Levels
13.1 Uptime Commitment
Zelfium will use commercially reasonable efforts to maintain monthly API availability of at least 99.5% ("Uptime Target"), measured as the percentage of total minutes in a calendar month during which the API is operational, excluding Scheduled Maintenance and Force Majeure Events.
13.2 Scheduled Maintenance
Zelfium will provide at least forty-eight (48) hours' prior notice of scheduled maintenance windows via email to Customer's designated technical contact and via the Zelfium status page. Scheduled maintenance will be performed during low-traffic periods (typically 02:00-06:00 JST) when practicable.
13.3 Service Credits
If monthly uptime falls below the Uptime Target, Customer may request service credits in accordance with the following schedule:
| Monthly Uptime | Service Credit |
|---|---|
| 99.0% - 99.49% | 5% of monthly fees |
| 95.0% - 98.99% | 10% of monthly fees |
| Below 95.0% | 25% of monthly fees |
Service credits are Customer's sole and exclusive remedy for downtime. Credits must be requested within thirty (30) days of the downtime event. Total credits in any calendar month shall not exceed 25% of the monthly fees for that month.
13.4 Support
Standard support is available via email during business hours (09:00-18:00 JST, Monday through Friday, excluding Japanese national holidays). Enterprise support plans with priority response times and dedicated technical contacts are available as specified in the Order Form.
14. Data Security
14.1 Security Measures
Zelfium implements and maintains administrative, technical, and physical security measures designed to protect the confidentiality, integrity, and availability of Customer data, including:
- Encryption in transit: All data transmitted between Customer's systems and the Services is encrypted using TLS 1.3 or higher;
- Encryption at rest: All data stored in Zelfium's infrastructure is encrypted using AES-256;
- Access controls: Role-based access control with the principle of least privilege, and multi-factor authentication for all administrative access;
- Audit logging: Comprehensive logging of access to and modifications of Customer data; and
- Vulnerability management: Regular security assessments, penetration testing, and prompt remediation of identified vulnerabilities.
14.2 Compliance Roadmap
Zelfium is committed to obtaining SOC 2 Type II certification. Until such certification is obtained, Zelfium will provide Customer, upon reasonable request, with a summary of its current security controls and the results of its most recent third-party security assessment.
14.3 Data Breach Notification
In the event of a security incident that results in unauthorized access to, disclosure of, or loss of Customer data ("Data Breach"), Zelfium will:
- Notify Customer in writing within twenty-four (24) hours of confirming the Data Breach;
- Provide a description of the nature of the breach, the categories and approximate number of records affected, and the measures taken or proposed to address the breach;
- Cooperate with Customer in investigating and remediating the breach; and
- Cooperate with Customer in notifying affected individuals and supervisory authorities as required by applicable law.
14.4 Customer Security Obligations
Customer is responsible for implementing appropriate security measures within its own environment, including securing API credentials, protecting End User data in transit and at rest within Customer's systems, and ensuring that Authorized Users follow secure practices.
15. Indemnification
15.1 Zelfium Indemnification
Zelfium will defend, indemnify, and hold harmless Customer and its officers, directors, employees, and agents from and against any third-party claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from:
- A claim that Customer's authorized use of the Services infringes any third-party patent, copyright, trademark, or trade secret right; or
- A Data Breach caused by Zelfium's failure to comply with its security obligations under Section 14.
15.2 Customer Indemnification
Customer will defend, indemnify, and hold harmless Zelfium and its officers, directors, employees, and agents from and against any third-party claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from:
- Customer's discriminatory use of assessment results, including any use that violates Section 8 of these B2B Terms;
- Customer's misuse of Assessment Data or Profile Data, including any use beyond the scope of the Deployment Purpose Declaration;
- Customer's failure to comply with EU AI Act deployer obligations as set forth in Section 7;
- Customer's failure to implement mandatory human oversight as set forth in Section 9;
- Unauthorized use of the Services by Customer's Authorized Users or any person who gains access through Customer's credentials; or
- Customer's violation of applicable law in connection with its use of the Services.
15.3 Indemnification Procedure
The indemnified party must (a) provide prompt written notice to the indemnifying party of any claim for which indemnification is sought, (b) grant the indemnifying party sole control of the defense and settlement of such claim (provided that the indemnifying party may not settle any claim without the indemnified party's prior written consent if such settlement imposes obligations on the indemnified party or admits liability on its behalf), and (c) provide reasonable cooperation to the indemnifying party at the indemnifying party's expense. Failure to provide timely notice does not relieve the indemnifying party of its obligations except to the extent that the indemnifying party is materially prejudiced by such failure.
15.4 IP Infringement Remedy
If the Services become, or in Zelfium's reasonable opinion are likely to become, the subject of an infringement claim, Zelfium may, at its sole option and expense, (a) procure the right for Customer to continue using the Services, (b) modify the Services to make them non-infringing, or (c) if neither (a) nor (b) is commercially practicable, terminate the affected Order Form and refund any prepaid fees for the unused portion of the subscription term.
16. Limitation of Liability
16.1 General Cap
EXCEPT FOR THE CARVE-OUTS SET FORTH IN SECTION 16.3, NEITHER PARTY'S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THESE B2B TERMS SHALL EXCEED THE TOTAL FEES PAID OR PAYABLE BY CUSTOMER TO ZELFIUM DURING THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM (THE "LIABILITY CAP").
16.2 Exclusion of Consequential Damages
EXCEPT FOR THE CARVE-OUTS SET FORTH IN SECTION 16.3, IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER PARTY FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR FOR ANY LOSS OF PROFITS, REVENUE, DATA, BUSINESS OPPORTUNITIES, OR GOODWILL, ARISING OUT OF OR RELATED TO THESE B2B TERMS, REGARDLESS OF THE THEORY OF LIABILITY (CONTRACT, TORT, STRICT LIABILITY, OR OTHERWISE) AND EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
16.3 Carve-Outs
The limitations set forth in Sections 16.1 and 16.2 do not apply to:
- Either party's willful misconduct or gross negligence;
- Zelfium's indemnification obligations under Section 15.1 (IP infringement and data breach);
- Customer's indemnification obligations under Section 15.2 (discriminatory use, EU AI Act non-compliance, and misuse);
- Customer's breach of Section 3.3 (Prohibited Use Cases);
- Either party's breach of Section 11 (Confidentiality); and
- Customer's payment obligations under Section 12.
16.4 Force Majeure
Neither party shall be liable for any failure or delay in performing its obligations (other than payment obligations) to the extent that such failure or delay results from circumstances beyond the party's reasonable control, including natural disasters, pandemic, war, terrorism, government actions, labor disputes, Internet or telecommunications failures, and cyberattacks ("Force Majeure Event"). The affected party must promptly notify the other party and use reasonable efforts to mitigate the impact. If a Force Majeure Event continues for more than sixty (60) days, either party may terminate the affected Order Form.
16.5 Essential Basis of the Bargain
Each party acknowledges that the limitations of liability set forth in this Section 16 are an essential element of the bargain between the parties and reflect an allocation of risk that is a material inducement for each party to enter into these B2B Terms. The limitations shall apply regardless of whether any limited remedy fails of its essential purpose.
17. Term & Termination
17.1 Term
The initial term of these B2B Terms commences on the effective date specified in the applicable Order Form and continues for one (1) year (the "Initial Term"). Following the Initial Term, these B2B Terms automatically renew for successive one (1) year periods (each, a "Renewal Term") unless either party provides written notice of non-renewal at least ninety (90) days before the end of the then-current term.
17.2 Termination for Convenience
Either party may terminate these B2B Terms for convenience by providing ninety (90) days' prior written notice to the other party. If Customer terminates for convenience during an active subscription term, no refund of prepaid fees shall be due unless otherwise specified in the Order Form.
17.3 Termination for Cause
Either party may terminate these B2B Terms for cause if the other party materially breaches these B2B Terms and fails to cure such breach within thirty (30) days after receiving written notice specifying the nature of the breach.
17.4 Immediate Termination
Zelfium may terminate these B2B Terms immediately, without cure period, upon written notice if:
- Customer uses the Services for any Prohibited Use Case (Section 3.3);
- Customer engages in discriminatory use of assessment results in violation of Section 8;
- Customer materially violates its EU AI Act deployer obligations under Section 7;
- Customer suffers a Data Breach involving End User data and fails to notify Zelfium within the required timeframe;
- Customer becomes subject to bankruptcy, insolvency, receivership, or similar proceedings; or
- Continued provision of the Services to Customer would, in Zelfium's reasonable judgment, expose Zelfium to material legal or regulatory liability.
17.5 Effect of Termination
Upon termination or expiration of these B2B Terms:
- All licenses granted to Customer immediately terminate;
- Customer must immediately cease all use of the Services and API Keys;
- Each party must return or destroy the other party's Confidential Information within thirty (30) days, and certify in writing that it has done so;
- Zelfium will make Customer's data available for export for thirty (30) days following the effective date of termination, after which Zelfium may delete such data; and
- Customer remains liable for all fees accrued prior to termination.
17.6 Surviving Provisions
The following provisions survive termination or expiration of these B2B Terms: Section 1 (Definitions), Section 8 (Prohibited Discriminatory Use), Section 10 (Intellectual Property), Section 11 (Confidentiality), Section 12 (Fees, to the extent of accrued obligations), Section 15 (Indemnification), Section 16 (Limitation of Liability), and Section 18 (General Provisions).
18. General Provisions
18.1 Governing Law
These B2B Terms and any dispute arising out of or in connection with them shall be governed by and construed in accordance with the laws of Japan, without regard to its conflict of laws principles.
18.2 Jurisdiction
The parties irrevocably submit to the exclusive jurisdiction of the Yokohama District Court (横浜地方裁判所) for any dispute arising out of or in connection with these B2B Terms. Notwithstanding the foregoing, either party may seek injunctive or other equitable relief in any court of competent jurisdiction to protect its intellectual property rights or Confidential Information.
18.3 Assignment
Neither party may assign or transfer these B2B Terms, in whole or in part, without the prior written consent of the other party, except that either party may assign these B2B Terms to an affiliate or in connection with a merger, acquisition, or sale of all or substantially all of its assets, provided that the assignee agrees in writing to be bound by these B2B Terms. Any attempted assignment in violation of this Section 18.3 shall be void.
18.4 Severability
If any provision of these B2B Terms is held to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect. The parties agree to negotiate in good faith a replacement provision that reflects the original intent of the invalid provision to the maximum extent permitted by law.
18.5 Entire Agreement
These B2B Terms, together with all Order Forms, the DPA, the Privacy Policy, and the Acceptable Use Policy, constitute the entire agreement between the parties with respect to the subject matter hereof and supersede all prior and contemporaneous agreements, proposals, and representations, whether written or oral.
18.6 Amendment
Zelfium may amend these B2B Terms by providing sixty (60) days' prior written notice to Customer. Material amendments will be communicated via email to Customer's designated contact. If Customer does not agree with a material amendment, Customer may terminate these B2B Terms by providing written notice before the amendment takes effect. Continued use of the Services after the effective date of the amendment constitutes acceptance.
18.7 Notices
All notices required or permitted under these B2B Terms must be in writing and delivered by email to the designated contact addresses specified in the Order Form, or by registered mail or internationally recognized courier to the party's principal business address. Notices are deemed received upon confirmed delivery. Zelfium's notice address: legal@zelfium.com.
18.8 Independent Contractors
The parties are independent contractors. Nothing in these B2B Terms creates a partnership, joint venture, employment, franchise, or agency relationship between the parties. Neither party has the authority to bind the other or incur obligations on the other's behalf.
18.9 Waiver
The failure of either party to enforce any right or provision of these B2B Terms shall not constitute a waiver of such right or provision. Any waiver must be in writing and signed by the waiving party.
18.10 Cross-References
These B2B Terms should be read in conjunction with the following Zelfium legal documents:
- Privacy Policy — governs the collection, use, and disclosure of personal information
- Acceptable Use Policy — defines prohibited conduct across all Zelfium services
- AI & Assessment Disclaimer — describes the limitations and appropriate use of AI-generated assessments
- Cookie Policy — explains the use of cookies and similar technologies
Contact Information
For questions about these B2B Terms, please contact:
Zelfium Inc.
Legal Department
Email: legal@zelfium.com
1-22-11 Ginza, Chuo-ku, Tokyo, Japan