Terms of service
Draft terms information for ORBAT. Legal review required.
LEGAL REVIEW REQUIRED — DRAFT ONLY. This document was generated as a starting point and has NOT been reviewed by qualified legal counsel. It must be reviewed and approved by a licensed attorney before publication. Legal entity details have been populated; all other content must be verified by qualified legal counsel before publication. Do not publish without legal review.
Effective date: March 2026
Last updated: March 2026
These Terms of Service ("Terms") govern your access to and use of the ORBAT platform and related services (collectively, the "Service") provided by ORBAT HQ PTY LTD ("ORBAT," "we," "us," or "our"). By accessing or using the Service, you agree to be bound by these Terms.
1. Acceptance and agreement
1.1 How you accept these Terms
You accept these Terms by: (a) clicking an "I agree," "Accept," or similar button when creating an account or placing an order; (b) using the Service in any way; or (c) authorizing any user under your account to use the Service.
1.2 Authority to bind your organization
The Service is designed for business use. By accepting these Terms, you represent and warrant that: (a) you are at least 18 years of age; (b) you have the legal authority to bind the organization on whose behalf you are accepting these Terms (the "Customer"); and (c) these Terms constitute a binding legal obligation of that organization. If you do not have such authority, you must not use the Service.
1.3 The subscribing organization is the Customer
These Terms apply to the organization that subscribes to the Service, not to individual authorized users. The Customer is responsible for ensuring that all users under its account comply with these Terms.
2. Service description
2.1 What ORBAT does
ORBAT is a Continuous Cyber Supply Chain Intelligence (CSCI) SaaS platform. The Service autonomously discovers, crawls, scores, and maps third-party supplier relationships and sub-processors, giving organizations a real-time view of their cyber supply chain exposure.
2.2 Public sources only
ORBAT's intelligence engine operates exclusively on publicly available web content — including sub-processor disclosure pages, privacy policies, data processing agreements, job listings, press releases, and DNS records. ORBAT does not access, process, or store your confidential data or your suppliers' confidential data. The Service does not conduct any unauthorized access to computer systems.
2.3 Inferred relationships — not verified facts
All relationships discovered by the Service are inferred from publicly available evidence and assigned a confidence score. Discovered relationships are not verified facts. They represent ORBAT's probabilistic assessment based on available public evidence at the time of the crawl. Confidence scores are indicative, not definitive. Customers are responsible for independently validating any discovered relationship before relying on it for business decisions, regulatory submissions, or legal purposes.
2.4 "Claimed by vendor" attributes
Where the Service displays attributes derived from a vendor's own published materials (such as security certifications, compliance attestations, or sub-processor lists), those attributes are labeled "Claimed by vendor — not independently verified by ORBAT." ORBAT makes no representation as to the accuracy, completeness, or currency of vendor-claimed attributes.
2.5 Service modifications
ORBAT reserves the right to modify, update, or discontinue features of the Service at any time. We will provide reasonable notice of material changes that reduce functionality.
3. Subscription plans, pricing, and billing
3.1 Available plans
ORBAT offers the following subscription plans:
| Plan | Monthly price | Annual price (billed annually) |
|---|---|---|
| Starter | $59/month | $49/month |
| Professional | $179/month | $149/month |
| Enterprise | Custom — annual contract | Custom — annual contract |
Plan features, supplier limits, chain depth limits, and user seat limits are as described on the pricing page at orbathq.com/pricing and may be updated from time to time with notice per Section 3.7.
3.2 Free trial
ORBAT offers a 14-day free trial on Starter and Professional plans. No credit card is required to start a trial. Trial accounts are subject to the following limitations: (a) export functionality is disabled; (b) Incident Mode is disabled; (c) the Risk Alert Center is disabled; and (d) supply chain graph nodes beyond the first tier are visible but obfuscated — supplier names, domains, and evidence sources for second-tier nodes and beyond are hidden. Trial access is provided once per organization. ORBAT reserves the right to deny trial access to organizations that have previously held a trial under a different account or domain.
3.3 Trial to paid conversion
At day 12 of the trial, ORBAT will send a reminder email with a link to enter payment details. If payment details are not entered by the end of the 14-day trial period, the account will enter a read-only state: existing graph data remains accessible, but new crawls are paused and exports are disabled. Trial account data is retained for 30 days after trial expiry, after which it is permanently deleted.
3.4 Auto-renewal
Monthly and annual subscriptions auto-renew at the end of each billing period unless cancelled before the renewal date. By providing payment details, you authorize ORBAT to charge the applicable subscription fee to your payment method on a recurring basis.
3.5 Cancellation and refund policy
Monthly plans: You may cancel at any time. Cancellation takes effect at the end of the current billing period. No prorated refund is issued for the unused portion of the current billing period. Access continues until the end of the period.
Annual plans: You may cancel an annual plan for a prorated refund within 30 days of the subscription start date or annual renewal date. After 30 days, annual plans are non-refundable and run to the end of the contracted term. Where ORBAT materially reduces the functionality of the Service, a prorated refund may be available at ORBAT's discretion.
Enterprise contracts: Cancellation terms are defined in the applicable Master Services Agreement (MSA).
On cancellation or termination: your data remains accessible for export for 30 days following the end of your access period, after which it is permanently deleted.
3.6 Payment processing
All payments are processed by Stripe, Inc. ORBAT does not store payment card numbers. By subscribing, you agree to Stripe's terms of service and authorize Stripe to process payments on behalf of ORBAT.
3.7 Price changes
ORBAT will provide at least 30 days' notice before implementing price increases. Notice will be given by email to the account owner. Continued use of the Service after the effective date of a price change constitutes acceptance of the new pricing.
3.8 Taxes
Subscription fees are exclusive of all applicable taxes, levies, or duties, including sales tax and value added tax (VAT). You are responsible for paying all such taxes associated with your subscription.
4. Acceptable use
4.1 Authorized users only
You may only permit employees, contractors, and agents of the Customer who have agreed to maintain confidentiality obligations consistent with these Terms to access the Service ("Authorized Users"). You are responsible for all actions taken under your account by Authorized Users.
4.2 Prohibited uses
You must not, and must not permit any Authorized User to:
(a) Resell or redistribute intelligence output. Resell, sublicense, or redistribute any intelligence data, discovered relationships, confidence scores, or evidence sources produced by the Service to any third party, whether for commercial gain or otherwise, without ORBAT's prior written consent.
(b) Abuse the Service infrastructure. Scrape, harvest, or systematically extract data from the Service by automated means beyond normal product use; reverse engineer or attempt to extract the underlying crawl algorithms or confidence scoring model; circumvent rate limits, access controls, or tenant isolation measures; or use the Service to probe, attack, or test vulnerabilities in ORBAT's infrastructure.
(c) Use for illegal purposes. Use the Service for any purpose that violates applicable law, including but not limited to: unauthorized surveillance, discrimination based on protected characteristics, harassment, anti-competitive intelligence gathering in violation of applicable competition law, or any activity that violates another party's intellectual property or privacy rights.
(d) Submit unlawful data. Upload supplier lists or other data to the Service that you do not have the lawful right to process. By uploading data to ORBAT, you represent that you have obtained all necessary consents and have a lawful basis for processing that data.
(e) Misrepresent discovered intelligence. Present discovered relationships or confidence scores as verified facts, legal opinions, or independent security assessments without clearly attributing them as inferred intelligence from ORBAT with the applicable confidence score.
4.3 Compliance with applicable law
You are solely responsible for ensuring your use of the Service complies with all applicable laws and regulations in your jurisdiction, including data protection laws, sector-specific regulations (such as DORA, NIS2, HIPAA, and CMMC), and export control laws.
5. Data and privacy
5.1 What ORBAT processes
In providing the Service, ORBAT processes the following data on your behalf:
- Account data: organization name, user names, work email addresses, and password hashes (never in plaintext).
- Supplier data: organization names and domains submitted by you via CSV upload or manual entry.
- Discovered intelligence: supplier relationships, sub-processor relationships, confidence scores, and evidence source URLs derived from publicly available web content.
- Crawl log data: URLs attempted, HTTP status codes, parse results, error reasons, and timestamps — maintained for audit and SOC 2 compliance purposes.
- Usage data: feature usage events, session timestamps, and IP addresses.
5.2 What ORBAT does not process
ORBAT does not process: (a) payment card numbers (processed directly by Stripe); (b) personal data of your suppliers' employees; (c) health data, financial account data, or government identification numbers; (d) personal data of your own customers; or (e) any data from systems that ORBAT does not have lawful authority to access.
5.3 Tenant isolation
All Customer data is processed and stored in a dedicated tenant-isolated environment. ORBAT's data architecture enforces four independent layers of tenant isolation: API gateway-level JWT validation, application-level tenant context enforcement, PostgreSQL row-level security on all tenant-scoped tables, and storage-layer path isolation. No other ORBAT customer can access your data.
5.4 Global vendor graph
Where you have opted in to the Global Vendor Graph contribution feature (enabled by default, opt-out available in account settings), ORBAT may incorporate anonymized vendor-to-sub-processor relationship data discovered from vendors' own public websites into ORBAT's shared Global Vendor Graph. The following applies:
- Never contributed: the fact that your organization uses a particular vendor; any data that identifies your organization; your supplier list; any customer-specific configuration.
- May be contributed: vendor-to-sub-processor relationships extracted from the vendor's own public website (e.g., their sub-processor disclosure page), without any association with your tenancy.
- Opt-out is available at any time in account settings without affecting service quality.
5.5 Data retention
| Data type | Retention period |
|---|---|
| Trial account data | 30 days after trial expiry |
| Active subscription data | Duration of subscription + 30 days after termination |
| Billing records | 7 years (legal and accounting requirement) |
| Security and audit logs | 12 months |
| Backup snapshots | 30-day rolling window |
Customers may export their data at any time while the account is active. ORBAT will provide a 30-day post-termination export window before final deletion.
5.6 Data processing agreement (DPA)
A standard Data Processing Agreement is available on request at privacy@orbathq.com and is included by default in all Enterprise MSAs. The DPA governs ORBAT's processing of personal data on your behalf in accordance with applicable data protection law, including GDPR.
5.7 Privacy policy
ORBAT's Privacy Policy at orbathq.com/legal/privacy-policy describes how ORBAT collects and uses personal data of account users and website visitors. The Privacy Policy is incorporated into these Terms by reference.
6. Intellectual property
6.1 ORBAT intellectual property
ORBAT owns all right, title, and interest in and to: the ORBAT platform, software, algorithms, confidence scoring models, brand, trademarks, and documentation. These Terms do not transfer any ORBAT intellectual property to you. Your right to use the Service is a limited, non-exclusive, non-transferable license for the duration of your subscription.
6.2 Customer data ownership
You retain all ownership of: (a) your supplier lists and configurations submitted to ORBAT; and (b) any data you upload or create within the Service. ORBAT does not claim ownership of your data.
6.3 Discovered intelligence — license to Customer
Intelligence output produced by the Service (discovered relationships, confidence scores, and evidence sources) is licensed to you for internal business use only during the term of your subscription. You may not: resell, sublicense, or commercially distribute discovered intelligence to third parties; or use it to build a competing product or service.
6.4 Feedback
If you provide ORBAT with feedback, suggestions, or ideas about the Service, you grant ORBAT a perpetual, irrevocable, royalty-free license to use that feedback to improve the Service without obligation to you.
6.5 Aggregated and anonymized data
Subject to Section 5.4, you grant ORBAT the right to use aggregated, anonymized discovery data (vendor-to-sub-processor relationships derived from public sources, with no customer identification) to maintain and improve the Global Vendor Graph. This right survives termination with respect to data already incorporated into the Global Vendor Graph in anonymized form.
7. Confidentiality
7.1 Mutual obligations
Each party agrees to: (a) keep the other party's Confidential Information strictly confidential; (b) not disclose Confidential Information to any third party without the disclosing party's prior written consent; and (c) use Confidential Information only for the purposes of performing its obligations or exercising its rights under these Terms.
7.2 ORBAT's Confidential Information
ORBAT's Confidential Information includes: pricing not publicly listed (including Enterprise contract terms), product roadmap, security architecture, source code, and technical documentation provided under NDA.
7.3 Customer's Confidential Information
Customer's Confidential Information includes: supplier lists, internal configurations, and any business information designated as confidential.
7.4 Exceptions
Confidentiality obligations do not apply to information that: (a) is or becomes publicly known through no fault of the receiving party; (b) was already known to the receiving party before disclosure; (c) is independently developed without use of Confidential Information; or (d) is required to be disclosed by law or valid legal process, provided the receiving party gives reasonable prior notice where legally permitted.
8. Security
8.1 ORBAT's security obligations
ORBAT implements the following security measures to protect Customer data:
- Encryption at rest: AES-256 on all managed database, cache, and object storage services.
- Encryption in transit: TLS 1.3 on all connections between clients and ORBAT services.
- Row-level security: all tenant-scoped data tables enforce PostgreSQL row-level security policies.
- Authentication: JWT RS256 with 15-minute access token TTL; access tokens stored in-memory only (never in localStorage); 30-day httpOnly refresh cookies with rotation.
- Network security: Kubernetes network policies, pod security standards (non-root, read-only filesystems), and mTLS between all internal services (Phase 3).
- Vulnerability management: OWASP Top 10 checks, dependency scanning, and DAST on all staging deployments.
8.2 Customer's security obligations
You are responsible for: (a) maintaining the security of all Authorized User credentials; (b) configuring user access permissions appropriately for your organization; (c) promptly revoking access of any Authorized User who leaves your organization or whose access should be restricted; and (d) not sharing account credentials between Authorized Users.
8.3 Security incident notification
In the event of a confirmed security breach affecting your data, ORBAT will notify you within 72 hours of becoming aware of the breach, consistent with GDPR Article 33 standards, regardless of whether GDPR applies to your organization. The notification will include: the nature of the breach, the categories of data affected, the likely consequences, and the measures taken or proposed to address the breach.
9. Service levels and uptime
9.1 Starter and Professional plans
No formal Service Level Agreement (SLA) is provided on Starter or Professional plans. ORBAT will use commercially reasonable efforts to maintain service availability. Intelligence crawls are asynchronous and are not subject to real-time delivery guarantees.
9.2 Enterprise plans
Enterprise SLA terms, including uptime commitments and response time guarantees, are defined in the applicable MSA.
9.3 Planned maintenance
ORBAT will provide at least 48 hours' notice of planned maintenance that is expected to cause service downtime, where operationally feasible. Emergency maintenance may be performed without advance notice.
9.4 Third-party service dependencies
ORBAT is not liable for service interruptions caused by third-party providers, including but not limited to: DigitalOcean (cloud infrastructure), Stripe (payment processing), SendGrid (email delivery), or Anthropic (AI inference). ORBAT will make reasonable efforts to maintain service continuity in the event of third-party outages.
10. Limitation of liability
10.1 Informational purposes only
Intelligence output produced by the Service — including discovered relationships, confidence scores, blast radius calculations, and risk alerts — is provided for informational purposes only. It does not constitute legal advice, regulatory guidance, a security audit, or a verified factual record. Customers are solely responsible for any business, security, legal, or regulatory decisions made in reliance on ORBAT's intelligence output.
10.2 ORBAT's specific non-liability
Without limiting Section 10.1, ORBAT is not liable for:
(a) Business decisions made based on discovered intelligence or confidence scores.
(b) Supplier relationships that ORBAT fails to discover, whether due to incomplete public web coverage, crawl limitations, or any other reason.
(c) Incorrect confidence scores or misclassification of relationship types.
(d) Actions taken (or not taken) in response to risk alerts, including delayed alerts or alerts triggered by incorrect data.
(e) Regulatory non-compliance arising from a Customer's reliance on ORBAT intelligence output as a substitute for required due diligence.
(f) Vendor-claimed attributes that prove to be inaccurate, outdated, or misleading.
10.3 Cap on liability
To the fullest extent permitted by applicable law, ORBAT's total cumulative liability to you for all claims arising under or related to these Terms or the Service — whether in contract, tort (including negligence), or otherwise — shall not exceed the total subscription fees paid by you to ORBAT in the 12 months immediately preceding the event giving rise to the claim.
10.4 Exclusion of consequential damages
To the fullest extent permitted by applicable law, neither party shall be liable to the other for any indirect, incidental, special, exemplary, consequential, or punitive damages — including lost profits, lost revenue, loss of data, business interruption, or cost of substitute services — even if advised of the possibility of such damages.
10.5 Exceptions
Nothing in these Terms limits or excludes either party's liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; or (c) any other liability that cannot be limited or excluded under applicable law.
11. Termination
11.1 Termination by either party
Either party may terminate these Terms and the Customer's subscription with 30 days' written notice to the other party, subject to the refund terms in Section 3.5.
11.2 Termination by ORBAT for cause
ORBAT may suspend or terminate your access to the Service immediately and without prior notice if:
(a) You fail to pay any subscription fee when due and do not cure the failure within 10 days of written notice.
(b) You materially breach the Acceptable Use Policy in Section 4 or any other material provision of these Terms, and (where the breach is capable of remedy) fail to remedy it within 15 days of written notice.
(c) ORBAT reasonably believes your account is being used for fraudulent activity, illegal purposes, or to harm ORBAT's infrastructure, reputation, or other customers.
(d) You become insolvent, make an assignment for the benefit of creditors, or become subject to bankruptcy or liquidation proceedings.
11.3 Effect of termination
On termination or expiry of your subscription:
(a) Your license to use the Service ends immediately.
(b) ORBAT will provide a 30-day data export window during which you may export your data. After 30 days, all Customer data is permanently deleted.
(c) Each party must promptly return or destroy the other party's Confidential Information.
(d) Any outstanding payment obligations become immediately due.
11.4 Survival
The following provisions survive termination: Section 5.5 (data retention, subject to the deletion obligations in Section 11.3(b)); Section 6 (Intellectual Property); Section 7 (Confidentiality); Section 10 (Limitation of Liability); Section 12 (Governing Law and Disputes); and any other provisions that by their nature should survive.
12. Governing law and dispute resolution
12.1 Governing law
These Terms are governed by and construed in accordance with the laws of New South Wales, Australia, without regard to its conflict of law principles.
12.2 Informal resolution
Before initiating formal dispute resolution, each party agrees to attempt to resolve any dispute informally by sending written notice to the other party describing the dispute and the desired resolution. The parties will negotiate in good faith for a period of 30 days from receipt of such notice.
12.3 Jurisdiction
Any dispute not resolved by negotiation shall be subject to the exclusive jurisdiction of the courts of New South Wales, Australia.
12.4 Class action waiver
To the fullest extent permitted by applicable law, you waive any right to bring or participate in any class action lawsuit or collective action against ORBAT. All disputes must be brought in your individual capacity.
13. Changes to these Terms
13.1 Notice of material changes
ORBAT will provide at least 30 days' advance notice of any material changes to these Terms. Notice will be given by email to the account owner's registered email address and/or by a prominent notice within the Service.
13.2 Acceptance of revised Terms
Continued use of the Service after the effective date of revised Terms constitutes acceptance of the changes. If you do not agree to the revised Terms, you must cease using the Service and cancel your subscription before the effective date of the changes.
13.3 Non-material changes
ORBAT may make non-material changes to these Terms (such as correcting typographical errors, clarifying existing provisions, or updating sub-processor lists) without advance notice. Such changes will be reflected in the "Last updated" date at the top of this document.
14. General provisions
14.1 Entire agreement
These Terms, together with the Privacy Policy, any applicable DPA, and any Enterprise MSA, constitute the entire agreement between the parties with respect to the Service and supersede all prior or contemporaneous agreements, representations, and understandings.
14.2 Severability
If any provision of these Terms is found to be unenforceable, the remaining provisions will continue in full force. The unenforceable provision will be modified to the minimum extent necessary to make it enforceable, or severed if modification is not possible.
14.3 No waiver
ORBAT's failure to enforce any provision of these Terms will not constitute a waiver of its right to enforce that provision in the future.
14.4 Assignment
You may not assign or transfer these Terms, or any rights or obligations under them, without ORBAT's prior written consent. ORBAT may assign these Terms in connection with a merger, acquisition, or sale of all or substantially all of its assets.
14.5 Force majeure
Neither party will be liable for any failure or delay in performance resulting from causes beyond its reasonable control, including natural disasters, acts of government, cyberattacks on critical infrastructure, or failures of third-party internet or telecommunications services, provided the affected party gives prompt notice and uses reasonable efforts to mitigate the impact.
14.6 Notices
Legal notices to ORBAT must be sent to: legal@orbathq.com. Notices to you will be sent to the email address registered on your account.
*For questions about these Terms, contact legal@orbathq.com.*
*These Terms of Service were last updated in March 2026.*