Epistemic Vault (Scale Edition) – Terms & Conditions

Effective date: [2025-12-20] Last updated: [2025-12-20] Service operator (“MiulusTek”, “we”, “us”): Miulustek Oy Registered address: Aitjärventie 696, 19260, Paaso Contact: [legal@miulustek.com]

These Terms & Conditions (“Terms”) govern access to and use of the Epistemic Vault – Scale Edition and related hosted services operated by MiulusTek (the “Service”). By creating an account, purchasing a plan, using our APIs/SDKs/CLI, or otherwise accessing the Service, you agree to these Terms.

> Important: Epistemic Vault is a cryptographic verification and provenance system. Verification is not “truth.” > Verification indicates cryptographic consistency of a media file with its recorded provenance, not that depicted events are real, lawful, ethical, or admissible in court.

1. Definitions

• “Account” means the account you create to access the Service.
• “API” means our application programming interfaces, including endpoints exposed by the Service.
• “Asset” means any photo, video, audio, or other file submitted to the Service.
• “Proof Bundle” means the cryptographic proof package produced by the Service (for example, a bundle containing a manifest, hash information, certificates, and a Vault receipt).
• “Receipt” or “Verification Receipt” means a Vault-signed acceptance record associated with an Asset.
• “Recorder” means the Epistemic Recorder mobile application(s) or any compatible capture client that embeds cryptographic manifests into captured media.
• “Trust Tier” means a device integrity classification (e.g., GOLD/SILVER/UNTRUSTED) derived from cryptographic and attestation signals.
• “You” means the person or entity using the Service. If you use the Service on behalf of an organization, you represent you have authority to bind that organization.

2. Acceptance & Changes

1. Acceptance. By using the Service, you accept these Terms.
2. Updates. We may update these Terms from time to time. If changes are material, we will provide reasonable notice (e.g., via the web portal or email). Continued use after the effective date of the updated Terms constitutes acceptance.

3. Eligibility & Account Security

1. Eligibility. You must be legally capable of entering into a binding agreement and must comply with all applicable laws and regulations.
2. Account security. You are responsible for safeguarding credentials, API keys, and tokens and for all activity under your Account. Notify us promptly if you suspect compromise.
3. Authorized users. You are responsible for ensuring your authorized users comply with these Terms.

4. The Service (What We Do)

The Service provides an ingestion and verification boundary for tamper-evident media. Depending on your plan and configuration, the Service may:

• Accept uploads of Assets via web portal, SDK, CLI, or API.
• Recompute file hashes and verify integrity (including chunk hashing and Merkle-chain reconstruction where applicable).
• Validate embedded signatures and related device identity materials when present.
• Evaluate device integrity and attestation signals and assign a Trust Tier according to policy.
• Generate Proof Bundles and Receipts that can be validated later, including offline in many cases.
• Optionally export provenance manifests (e.g., C2PA-related outputs) when enabled by policy.

Zero-trust principle: the Service does not rely on client-supplied hashes as authoritative; it recomputes verification inputs server-side as part of normal operation.

5. Verification Semantics (What “Verified” Means)

1. Cryptographic meaning. A “PASS” or “Verified” result indicates that, at verification time, the Service determined that:

- required hashes recompute correctly from the stored Asset bytes, - required signatures validate under the relevant public keys/certificates, - required structures (e.g., Merkle roots/chains, containers) reconstruct consistently, and - required policy checks (e.g., Trust Tier thresholds) were met for the configured policy.

1. Not truth, not legality, not admissibility. Verification does not guarantee:

- that depicted events are real or not staged, - that a recording was not coerced or contextually misleading, - that timestamps, GPS, or metadata reflect ground truth beyond device-reported signals, - that an Asset is lawful, ethical, or compliant with any policy, - that any Asset is admissible as evidence in any jurisdiction.

1. Temporal nature. Verification is a statement about cryptographic properties under a particular policy and trust-root set at the time of verification. Policies, trust roots, and attestation requirements may evolve.

6. Device Trust, Attestation, and Third-Party Dependencies

1. Third-party attestation. Some Trust Tier determinations may rely on third-party attestation mechanisms (for example, platform or ecosystem integrity services). Those systems are outside MiulusTek’s control.
2. No guarantee of availability or permanence. We do not guarantee attestation providers will be available, unchanged, or verifiable long-term.
3. Policy updates. We may update trust policies, root sets, and tier thresholds to respond to evolving threats. This may change how Assets are classified in the future.

7. Your Content, Ownership, and License

1. Ownership. You retain all right, title, and interest in and to your Assets.
2. License to operate. You grant MiulusTek a limited, worldwide, non-exclusive license to host, store, transmit, process, and analyze your Assets solely to provide and improve the Service (including verification, proof generation, retrieval, and customer support).
3. Restrictions. We will not sell your Assets or use them for advertising.
4. Responsibility. You represent you have all rights and permissions necessary to upload your Assets and related metadata, including permissions from any data subjects where required by law.

8. Proof Bundles, Receipts, and Outputs

1. What we produce. The Service may produce Proof Bundles and Receipts associated with an Asset.
2. Persistence of proofs. Once issued, a Receipt and Proof Bundle may remain cryptographically valid even if:

- your subscription ends, - the Asset is deleted from hot storage, or - a third party retains a copy of the Proof Bundle.

1. No revocation-by-deletion. Deleting an Asset from the Service does not retract or invalidate proofs already distributed to third parties.

9. Acceptable Use

You agree not to, and not to allow others to:

• Attempt to forge, manipulate, or counterfeit manifests, signatures, attestation artifacts, Proof Bundles, or Receipts.
• Attempt to “launder” fabricated provenance through the Service.
• Submit malware, exploit payloads, or data intended to disrupt the Service.
• Probe, scan, or test the vulnerability of the Service except as explicitly authorized in writing.
• Reverse engineer or circumvent security controls (except to the extent prohibited by law).
• Use the Service in ways that violate applicable laws, including privacy and surveillance laws.

We may suspend or terminate access for violations.

10. Plans, Fees, Billing, and Taxes

1. Fees. Fees are as shown at checkout or in an Order Form.
2. Billing. Subscriptions may renew automatically unless cancelled per the plan terms.
3. Overages and limits. Storage, bandwidth, API rate limits, and retention limits may apply.
4. Taxes. Fees are exclusive of taxes unless stated otherwise. You are responsible for applicable taxes.

11. Storage, Retention, and Deletion

1. Retention. Retention periods depend on plan and configuration. We may store Assets, Proof Bundles, and related metadata in different storage classes (e.g., hot vs archive).
2. Deletion. You may request deletion of Assets as supported by the Service. Deletion affects hosted copies but cannot remove third-party copies or invalidate already-issued proofs.
3. Legal holds. We may retain data as required by law or to comply with lawful process.

12. Security

1. Security measures. We implement administrative, technical, and organizational measures designed to protect the Service.
2. No absolute security. No system is perfectly secure. You acknowledge residual risk.
3. Your responsibilities. You are responsible for maintaining secure devices, networks, and credential handling on your side.

13. Privacy

1. Privacy notice. Our collection and processing of personal data is described in our Privacy Notice (published separately).
2. Data controller/processor. Depending on your usage, you may be the controller of personal data contained in Assets and metadata. MiulusTek may act as a processor where applicable.
3. Minimization. We design federation and ledger services to avoid storing media or unnecessary personal data where possible.

14. Intellectual Property

1. Our IP. The Service, software, APIs, and documentation are owned by MiulusTek and protected by intellectual property laws.
2. Your IP. You retain ownership of your Assets and your pre-existing IP.
3. Feedback. If you provide suggestions or feedback, you grant us a non-exclusive right to use it to improve the Service without obligation.

15. Disclaimers

THE SERVICE IS PROVIDED “AS IS” AND “AS AVAILABLE.” TO THE MAXIMUM EXTENT PERMITTED BY LAW, MIULUSTEK DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.

WITHOUT LIMITING THE FOREGOING, MIULUSTEK DOES NOT WARRANT THAT:

• VERIFICATION RESULTS WILL SATISFY ANY PARTICULAR LEGAL OR EVIDENTIARY STANDARD,
• ANY ASSET IS TRUE, LAWFUL, ETHICAL, OR ADMISSIBLE,
• THIRD-PARTY ATTESTATION SYSTEMS WILL REMAIN AVAILABLE OR UNCHANGED.

16. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW:

1. MIULUSTEK WILL NOT BE LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR FOR LOST PROFITS, REVENUE, GOODWILL, OR DATA, EVEN IF ADVISED OF THE POSSIBILITY.
2. MIULUSTEK’S TOTAL LIABILITY ARISING OUT OF OR RELATING TO THE SERVICE WILL NOT EXCEED THE AMOUNTS PAID BY YOU TO MIULUSTEK FOR THE SERVICE IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO LIABILITY.

17. Indemnification

You will defend, indemnify, and hold harmless MiulusTek from and against any claims, damages, liabilities, and expenses (including reasonable attorneys’ fees) arising out of or related to:

• your Assets or your use of the Service,
• your violation of these Terms, or
• your violation of applicable laws or third-party rights.

18. Suspension & Termination

1. Suspension. We may suspend access immediately if we reasonably believe:

- your use poses a security risk, - you are violating Acceptable Use, or - continued provision would violate law.

1. Termination. Either party may terminate according to the plan terms or an applicable Order Form.
2. Effect. Upon termination, your access ends. Data handling follows your plan’s retention/deletion behavior, subject to legal holds.

19. Governing Law & Venue

These Terms are governed by the laws of Finland, excluding conflict-of-law principles. Venue for disputes will be Helsinki District Court unless otherwise required by law.

20. Contact

MiulusTek Legal & Compliance [legal@miulustek.com] Aitjärventie 696, 19260, Paaso