Terms of Service

Kardu is a Governance, Risk & Compliance (GRC) software-as-a-service platform designed to help European small and medium-sized enterprises implement and maintain information security management frameworks including ISO 27001, NIS2, DORA, ENS, and GDPR.

Kardu does not provide legal, regulatory, or compliance advice. The Service provides tools to help you organise your compliance programme and document your controls. Compliance decisions and the accuracy of information entered into the platform remain entirely your responsibility. Kardu is not a substitute for qualified legal counsel or a certified auditor.

The Compliance Score displayed in the platform is a calculated indicator based on your inputs. It does not constitute a formal certification or attestation of compliance with any regulatory framework.

You are solely responsible for the accuracy, completeness, and legality of all information, evidence, and content you upload or enter into the Service (“Customer Data”). Kardu does not verify, audit, or validate the accuracy of your compliance evidence or control responses.

You represent and warrant that: (a) you have the authority to enter into these Terms on behalf of your organisation; (b) your use of the Service complies with all applicable laws and regulations; (c) Customer Data does not infringe any third-party intellectual property rights; and (d) you will maintain appropriate access credentials and immediately notify us of any unauthorised access.

You are responsible for managing user roles and access within your organisation's account. Kardu is not liable for actions taken by users you have granted access to.

You may not use the Service to:

• Violate any applicable law or regulation
• Upload malicious software, harmful code, or content that infringes third-party rights
• Attempt to gain unauthorised access to any part of the platform or other users' data
• Reverse engineer, decompile, or create derivative works from the Service
• Use the Service for benchmarking against competitive products without prior consent
• Resell or sublicense access to the Service without written authorisation

Kardu reserves the right to suspend or terminate accounts that violate these policies without prior notice.

Beta period: During the closed beta phase, the Service is provided free of charge by invitation. Beta access may be withdrawn at any time. No service level commitments apply during the beta.

Paid plans: Following the beta, paid subscription plans will be offered. Pricing, billing cycles, and included features will be communicated before charges begin. You will be required to provide valid payment information to continue using paid features.

Cancellation: You may cancel your subscription at any time via the Billing section of your account settings. Cancellation takes effect at the end of the current billing period. Kardu does not provide refunds for partial billing periods.

Price changes:We will provide at least 30 days' notice before increasing prices for existing customers.

Kardu and its licensors own all intellectual property rights in the Service, including the software, design, trademarks, and documentation. These Terms grant you a limited, non-exclusive, non-transferable licence to use the Service for your internal business purposes during the subscription term.

You retain all intellectual property rights in your Customer Data. By using the Service, you grant Kardu a limited licence to process and store your Customer Data solely to provide the Service.

To the fullest extent permitted by applicable law, Kardu shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including loss of profits, data, or goodwill, arising from your use of the Service, even if advised of the possibility of such damages.

Kardu's total cumulative liability for any claims arising from these Terms shall not exceed the amounts paid by you for the Service in the twelve months preceding the claim.

Nothing in these Terms limits liability for fraud, gross negligence, or any matter that cannot be excluded by law.

Kardu processes personal data in accordance with our Privacy Policy and, where applicable, our Data Processing Agreement. All data is stored within the European Union (Frankfurt region).

These Terms are governed by the laws of Spain. Any disputes shall be subject to the exclusive jurisdiction of the courts of Barcelona, Spain, except where mandatory consumer protection laws in your country of residence require otherwise.

We may update these Terms from time to time. We will notify you of material changes by email or in-app notification at least 14 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the revised Terms.

For questions about these Terms, contact us at legal@kardu.eu.