Terms of Service

1. Acceptance of Terms

By creating an account, accessing, or using Certivo's electronic signature platform (the "Service"), you agree to comply with and be bound by these Terms of Service. These Terms constitute a legally binding agreement between you ("User," "you," or "your") and Certivo ("Certivo," "we," "us," or "our").

If you are using the Service on behalf of an organization, you represent and warrant that you have the authority to bind that organization to these Terms, and "you" refers to both you individually and the organization.

2. Description of Service

Certivo provides a cloud-based electronic signature platform designed for FDA 21 CFR Part 11 compliance, specifically for clinical research, life sciences, and regulated industries. The Service includes:

• Electronic signature workflows with full audit trails
• Document management and storage
• Two-factor authentication (2FA) for signature events
• Compliance with FDA 21 CFR Part 11 and ESIGN Act regulations
• Digital logs and templates
• Automated workflow features
• Long-term data retention (25 years for compliant records)

3. Account Registration and Eligibility

3.1 Eligibility

You must be at least 18 years old and capable of forming a binding contract to use the Service. By using the Service, you represent that you meet these requirements.

3.2 Account Security

You are responsible for:

• Maintaining the confidentiality of your account credentials
• All activities that occur under your account
• Immediately notifying us of any unauthorized use
• Ensuring your account information is accurate and up-to-date

3.3 Organization Accounts

Organization administrators are responsible for managing team member access, roles, and permissions. You agree to ensure that all users within your organization comply with these Terms.

4. Subscription Plans and Pricing

4.1 Trial Period

4.2 Paid Subscription Plans

Certivo offers multiple subscription tiers with varying features, user limits, document volumes, and storage capacities. Current pricing, plan details, and feature comparisons are available on our Pricing Page.

All pricing is in USD. Plans may be billed monthly or annually as selected at checkout. Pricing is subject to change with 30 days' advance notice to existing subscribers.

4.3 Payment Terms

• Subscription fees are charged in advance (monthly or annually based on your billing cycle)
• Payment is processed through Stripe, our third-party payment processor
• You authorize us to charge your payment method on file for recurring payments
• Failed payments may result in service suspension after a grace period
• No refunds for partial billing periods or unused features, except as required by law

4.4 Plan Limits

Each plan includes a set number of users, transactions, and storage as specified on our Pricing Page. If you reach your plan limits, you will need to upgrade to a higher tier to continue creating new transactions or adding users.

5. Acceptable Use

5.1 Permitted Use

You may use the Service for lawful business purposes, including:

• Obtaining legally binding electronic signatures
• Managing clinical trial documentation (paid plans only)
• Maintaining FDA 21 CFR Part 11 compliance
• Workflow automation for document approvals

5.2 Prohibited Conduct

You agree NOT to:

• Upload real patient data, PHI, or production clinical data during trial periods
• Use the Service for any illegal or fraudulent purpose
• Attempt to gain unauthorized access to our systems
• Reverse engineer, decompile, or disassemble the Service
• Remove or modify any proprietary notices
• Use the Service to send spam or unsolicited communications
• Violate any applicable laws or regulations
• Impersonate another person or entity
• Share your account credentials with unauthorized users
• Use automated scripts, bots, or scrapers to access the Service without prior written consent
• Conduct load testing, stress testing, or penetration testing without prior written authorization
• Publish benchmarking results or performance comparisons of the Service without prior written consent
• Sublicense, resell, or redistribute access to the Service to third parties
• Use the Service to develop a competing product or service

6. Data Ownership and Usage

6.1 Your Data

You retain all ownership rights to the content you upload to the Service ("Your Data"). By using the Service, you grant us a limited license to process, store, and transmit Your Data solely to provide the Service.

6.2 Data Security

We implement security measures designed to protect Your Data, including:

• Infrastructure hosted on Amazon Web Services (AWS), which maintains SOC 2 Type II, ISO 27001, and HIPAA compliance certifications
• AES-256 encryption at rest using AWS server-side encryption (SSE)
• TLS 1.2+ encryption for all data in transit
• Role-based access control with granular permissions
• Audit logging for all security-relevant actions
• Multi-factor authentication support

For more information about our security practices, please visit our Security Page.

6.3 Data Retention

• Paid Subscriptions: Data retained indefinitely (or as required by applicable regulations such as FDA 21 CFR Part 11, which mandates retention for the life of the device or 25 years)
• Trial Accounts: Data retained for 60 days after trial expiration, then permanently deleted
• Canceled Accounts: Data available for export for 60 days after cancellation

6.4 Data Export

You may export Your Data at any time through the Service interface. We provide export functionality in common formats (PDF, CSV, JSON).

6.5 Security Breach Notification

In the event of a confirmed security breach that results in unauthorized access to, disclosure of, or loss of Your Data, Certivo will:

• Notify affected customers without unreasonable delay, and in no event later than 72 hours after Certivo becomes aware of the breach
• Provide a description of the nature of the breach, the categories and approximate number of records affected, and the likely consequences
• Describe the measures taken or proposed to address the breach and mitigate its effects
• Designate a contact point for further information
• Cooperate with your breach response efforts and any applicable regulatory investigations

Notification obligations under this section are in addition to any obligations Certivo may have under applicable data protection laws, HIPAA, or your BAA or DPA with Certivo.

7. Compliance and Regulatory Requirements

7.1 FDA 21 CFR Part 11 Compliance

Certivo is designed to meet FDA 21 CFR Part 11 requirements for electronic records and electronic signatures:

• Comprehensive audit trails capturing all user actions
• Two-factor authentication (2FA) for signature events
• Unique user identification and authentication
• Meaning of signature recorded (name, date, purpose)
• Tamper-evident records with cryptographic hashing
• System validation documentation (IQ/OQ/PQ) available to customers

7.2 Your Compliance Obligations

While Certivo provides compliant infrastructure, you remain responsible for:

• Ensuring users are properly trained on electronic signature procedures
• Maintaining Standard Operating Procedures (SOPs) for system use
• Conducting periodic user audits
• Maintaining appropriate data backup procedures
• Compliance with all applicable regulations in your jurisdiction

7.3 Electronic Signature Legal Validity

While Certivo is designed to facilitate legally binding electronic signatures under the ESIGN Act and other applicable laws, the legal validity and enforceability of electronic signatures may vary by jurisdiction, document type, and regulatory context. Certain documents may not be legally executable via electronic signature in some jurisdictions, including but not limited to:

• Wills, codicils, and testamentary trusts
• Family law documents (adoption, divorce, custody)
• Specific government filings requiring wet-ink signatures
• Informed Consent Forms (ICFs) in jurisdictions or study protocols that require wet-ink signatures
• Court orders and official judicial documents

Certivo does not provide legal advice. You are solely responsible for determining whether electronic signatures are appropriate and legally enforceable for your specific use case, jurisdiction, and regulatory requirements. We recommend consulting qualified legal counsel regarding the enforceability of electronic signatures for your intended use.

8. HIPAA and Protected Health Information

8.1 Applicability

If you are a Covered Entity or Business Associate as defined under the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"), and your use of the Service involves creating, receiving, maintaining, or transmitting Protected Health Information ("PHI"), you must execute a separate Business Associate Agreement ("BAA") with Certivo before uploading any documents that contain PHI to the Service.

8.2 BAA Requirement

You agree NOT to upload, store, or transmit any PHI through the Service until a BAA has been fully executed between you and Certivo. Certivo shall not be liable for any HIPAA violations resulting from your use of the Service without a valid BAA in place.

8.3 HIPAA Compliance

When a BAA is in effect, Certivo will:

• Implement administrative, physical, and technical safeguards as required by the HIPAA Security Rule
• Report security incidents and breaches of unsecured PHI in accordance with HIPAA requirements
• Ensure that any subcontractors who handle PHI agree to equivalent restrictions and conditions
• Make its practices and records available to the U.S. Department of Health and Human Services as required
• Return or destroy PHI upon termination of the BAA, as directed by you

To discuss BAA requirements, contact us at compliance@certivo.io.

9. Data Processing and International Data Transfers

9.1 Data Controller and Processor Roles

For purposes of the EU General Data Protection Regulation ("GDPR"), UK GDPR, and applicable data protection laws: you are the Data Controller of any personal data you upload to the Service, and Certivo acts as the Data Processor, processing personal data solely on your behalf and in accordance with your documented instructions.

9.2 Data Processing Agreement

If you process personal data of individuals located in the European Economic Area ("EEA"), United Kingdom, or Switzerland, a Data Processing Agreement ("DPA") governs our processing of that data. Our DPA, which incorporates the EU Standard Contractual Clauses where applicable, is available at certivo.io/legal/dpa and forms part of these Terms when executed.

9.3 Certivo's Processor Obligations

As a Data Processor, Certivo will:

• Process personal data only on your documented instructions, unless required by applicable law
• Ensure that personnel authorized to process personal data are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures
• Assist you in responding to data subject access requests
• Delete or return all personal data upon termination of the Service, at your election
• Make available all information necessary to demonstrate compliance with applicable data protection obligations

9.4 International Data Transfers

Your Data is stored and processed in the United States. If you transfer personal data from the EEA, UK, or Switzerland to the United States through the Service, such transfers are governed by appropriate safeguards, including the EU Standard Contractual Clauses or other applicable transfer mechanisms. By using the Service, you consent to the transfer of data to the United States.

9.5 Subprocessors

Certivo uses third-party subprocessors to assist in providing the Service. A current list of subprocessors is available at certivo.io/subprocessors. We will notify you at least 30 days before adding or replacing a subprocessor. If you object to a new subprocessor, you may terminate the affected Service by providing written notice within 30 days of our notification.

10. Confidentiality

10.1 Definition

"Confidential Information" means any non-public information disclosed by either party to the other in connection with the Service, including Your Data, business plans, technical data, product plans, pricing, and security configurations. Confidential Information does not include information that is: (a) publicly available through no fault of the receiving party; (b) independently developed without use of the disclosing party's Confidential Information; or (c) rightfully received from a third party without restriction.

10.2 Obligations

Each party agrees to: (a) protect the other party's Confidential Information using at least the same degree of care it uses for its own confidential information, and no less than reasonable care; (b) use Confidential Information only to fulfill its obligations under these Terms; and (c) not disclose Confidential Information to third parties except to employees, contractors, or agents who need to know and are bound by equivalent confidentiality obligations.

10.3 Compelled Disclosure

A party may disclose Confidential Information if required by law, regulation, or court order, provided it gives the other party prompt written notice (to the extent legally permitted) and cooperates with efforts to limit the scope of disclosure.

11. Intellectual Property

11.1 Certivo's IP

The Service, including all software, designs, text, graphics, and other content, is owned by Certivo and protected by intellectual property laws. You receive a limited, non-exclusive, non-transferable license to use the Service.

11.2 Feedback

Any feedback, suggestions, or ideas you provide about the Service become the property of Certivo, and we may use them without compensation or attribution.

12. Service Level Agreement and Warranties

12.1 Uptime Commitment

For paid subscription plans, Certivo commits to a monthly uptime of 99.9% for the core Service ("Uptime Commitment"), measured as the percentage of total minutes in a calendar month during which the Service is available, excluding scheduled maintenance.

12.2 Scheduled Maintenance

Scheduled maintenance windows will be communicated at least 48 hours in advance via email and in-app notification. Scheduled maintenance periods are excluded from uptime calculations.

12.3 Service Credits

If Certivo fails to meet the Uptime Commitment in a given calendar month, you may request service credits as follows:

• 99.0% – 99.9% uptime: 10% credit of that month's subscription fee
• 95.0% – 98.9% uptime: 25% credit of that month's subscription fee
• Below 95.0% uptime: 50% credit of that month's subscription fee

Service credits must be requested within 30 days of the end of the affected month. Credits are applied to future invoices and do not exceed 50% of the monthly fee. Service credits are your sole and exclusive remedy for any failure to meet the Uptime Commitment.

12.4 Disclaimer of Warranties

TO THE MAXIMUM EXTENT PERMITTED BY LAW, CERTIVO DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. WE DO NOT WARRANT THAT THE SERVICE WILL BE ERROR-FREE OR THAT DEFECTS WILL BE CORRECTED.

13. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW, CERTIVO SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR ANY LOSS OF PROFITS OR REVENUES, WHETHER INCURRED DIRECTLY OR INDIRECTLY, OR ANY LOSS OF DATA, USE, GOODWILL, OR OTHER INTANGIBLE LOSSES, REGARDLESS OF THE THEORY OF LIABILITY.

CERTIVO'S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THESE TERMS SHALL NOT EXCEED THE TOTAL AMOUNT YOU PAID TO CERTIVO IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM.

The limitations in this section apply to all claims, whether based on warranty, contract, tort (including negligence), strict liability, or any other legal theory, and whether or not Certivo has been advised of the possibility of such damages.

14. Indemnification

You agree to indemnify and hold harmless Certivo, its affiliates, and their respective officers, directors, employees, and agents from any claims, losses, damages, liabilities, and expenses (including legal fees) arising from:

• Your use of the Service
• Your violation of these Terms
• Your violation of any applicable laws or regulations
• Your Data or any content you upload
• Your infringement of any third-party rights

15. Term and Termination

15.1 Term

These Terms remain in effect while you use the Service. Paid subscriptions continue until canceled.

15.2 Cancellation

You may cancel your subscription at any time through your account settings. Cancellations take effect at the end of the current billing period. No refunds for partial months.

15.3 Termination by Certivo

We may suspend or terminate your account if:

• You violate these Terms
• Your payment fails after notice
• We are required to do so by law
• Continuing to provide the Service creates a security risk or liability

15.4 Effect of Termination

Upon termination:

• Your access to the Service will cease
• You have 60 days to export Your Data
• After 60 days, we may permanently delete Your Data (except as required by law for paid accounts)
• Outstanding fees remain due and payable

16. Privacy

Our Privacy Policy (available at certivo.io/privacy) describes how we collect, use, and protect your personal information. By using the Service, you consent to our privacy practices.

17. Third-Party Services

The Service may integrate with or contain links to third-party services, including but not limited to payment processors, cloud infrastructure providers, and authentication services. Your use of any third-party service is subject to that third party's terms and privacy policies. Certivo is not responsible for the availability, accuracy, or practices of any third-party service.

Certivo disclaims all liability for any loss or damage arising from your use of third-party services, including any data shared with third parties through integrations you enable.

18. Export Controls and International Use

The Service is operated from the United States. You are responsible for compliance with all applicable export control laws and regulations, including the U.S. Export Administration Regulations (EAR) and sanctions programs administered by the Office of Foreign Assets Control (OFAC).

You represent and warrant that:

• You are not located in, or a national or resident of, any country subject to comprehensive U.S. sanctions
• You are not listed on any U.S. government restricted party list
• You will not use the Service in violation of any applicable export control laws or sanctions
• You will not upload export-controlled data without prior written authorization from Certivo

19. Anti-Corruption

Each party agrees to comply with all applicable anti-corruption and anti-bribery laws, including the U.S. Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act 2010. Neither party shall make, offer, or authorize any payment or transfer of value, directly or indirectly, to any government official, political party, or any other person for the purpose of obtaining or retaining business or securing an improper advantage in connection with the Service.

20. Service Modifications

Certivo reserves the right to modify, update, or discontinue any feature or functionality of the Service at any time. For material changes that reduce core functionality included in your current subscription plan, we will provide at least 30 days' prior written notice. If such a change materially diminishes the value of your subscription, you may terminate your subscription and receive a pro-rated refund for the remaining prepaid period.

21. Changes to Terms

We may modify these Terms at any time. Changes will be effective upon posting to our website. Material changes will be communicated via email or in-app notification at least 30 days before taking effect. Continued use of the Service after changes constitutes acceptance.

22. Governing Law and Dispute Resolution

22.1 Governing Law

These Terms are governed by the laws of the State of Delaware, United States, without regard to conflict of law provisions.

22.2 Arbitration

Any dispute arising from or relating to these Terms or the Service shall be resolved through final and binding arbitration administered by the American Arbitration Association ("AAA") under its Commercial Arbitration Rules. The arbitration shall be conducted by a single arbitrator in Wilmington, Delaware. The arbitrator's decision shall be final and binding, and judgment may be entered in any court of competent jurisdiction.

Notwithstanding the foregoing:

• Either party may seek injunctive or other equitable relief in any court of competent jurisdiction to protect its intellectual property rights or Confidential Information
• Claims within the jurisdiction of a small claims court may be brought in such court in lieu of arbitration
• Each party shall bear its own costs and attorneys' fees, unless the arbitrator determines otherwise

22.3 Arbitration Opt-Out

You may opt out of the arbitration provision by sending written notice to legal@certivo.io within 30 days of first accepting these Terms. If you opt out, disputes will be resolved in the state or federal courts located in Wilmington, Delaware, and both parties consent to the exclusive jurisdiction of those courts.

22.4 Class Action Waiver

YOU AGREE THAT DISPUTES WILL BE RESOLVED ON AN INDIVIDUAL BASIS ONLY, AND NOT AS A CLASS ACTION OR OTHER REPRESENTATIVE PROCEEDING. THE ARBITRATOR MAY NOT CONSOLIDATE OR JOIN THE CLAIMS OF OTHER PERSONS OR PARTIES WHO MAY BE SIMILARLY SITUATED.

23. Miscellaneous

23.1 Entire Agreement

These Terms, together with our Privacy Policy, DPA (if applicable), and BAA (if applicable), constitute the entire agreement between you and Certivo regarding the Service.

23.2 Severability

If any provision is found unenforceable, the remaining provisions will remain in effect.

23.3 No Waiver

Failure to enforce any right or provision does not constitute a waiver of that right or provision.

23.4 Assignment

You may not assign these Terms without our prior written consent. We may assign these Terms in connection with a merger, acquisition, or sale of assets.

23.5 Force Majeure

We are not liable for delays or failures due to circumstances beyond our reasonable control (e.g., natural disasters, war, labor disputes, internet failures).

23.6 Accessibility

Certivo is committed to accessibility and is actively working toward compliance with Web Content Accessibility Guidelines (WCAG) 2.1 Level AA. We continuously improve the accessibility of our Service based on user feedback and evolving best practices. If you experience accessibility barriers or have suggestions for improvement, please contact us at accessibility@certivo.io.

23.7 Survival

The following sections shall survive any termination or expiration of these Terms: Section 6 (Data Ownership and Usage), Section 10 (Confidentiality), Section 11 (Intellectual Property), Section 12 (Service Level Agreement and Warranties), Section 13 (Limitation of Liability), Section 14 (Indemnification), Section 16 (Privacy), Section 22 (Governing Law and Dispute Resolution), and this Section 23 (Miscellaneous), as well as any other provisions that by their nature should survive termination.

24. Contact Information

For questions about these Terms, contact us at: