Terms of Service

Last updated: 27 May 2026 · Effective date: 27 May 2026

1. Acceptance & Scope

These Terms of Service ("Terms") govern access to and use of Audit Sphere AI (the "Service"), operated by Applied Synergy Plus Consulting LLP ("we", "us"). By creating an account, accessing the Service, or uploading any content, you ("Customer") agree to these Terms on behalf of yourself and your organisation. If you do not agree, do not use the Service.

2. Data Security

We implement administrative, physical and technical safeguards designed to protect Customer Data, aligned to ISO/IEC 27001, SOC 2 Type II control objectives and NIST CSF.

• Encryption in transit: TLS 1.2+ for all client and inter-service traffic.
• Encryption at rest: AES-256 for database storage, object storage and backups.
• Tenant isolation: Row-Level Security (RLS) enforced at the database layer; every query is scoped to the authenticated user's organisation.
• Access control: Role-based access (admin, CAE, auditor, viewer) with least-privilege principles and per-organisation role scoping.
• Key management: Service-managed keys rotated on a defined schedule; service-role credentials never exposed to client code.
• Audit logging: Authentication events, role changes, evidence access, and AI prompts are time-stamped and retained in an immutable activity log.
• Vulnerability management: Continuous dependency scanning, automated security linting on every database migration, and periodic penetration testing.
• Backups: Encrypted point-in-time recovery with geographically redundant storage.
• Incident response: Customers will be notified of any confirmed Personal Data breach without undue delay and in any event within seventy-two (72) hours of confirmation, in line with GDPR Art. 33–34 and the Nigeria Data Protection Act 2023.

3. Confidentiality

All Customer Data — including audit workpapers, evidence, findings, hotline reports, risk assessments, organisation profiles, and any document, file or text submitted to the Service or to the embedded AI assistant "Alice" — is treated as the Customer's Confidential Information. We will:

• Use Confidential Information solely to provide and improve the Service for the Customer;
• Limit access to personnel and sub-processors with a strict need-to-know;
• Bind all personnel and sub-processors to confidentiality obligations no less protective than those in these Terms;
• Not disclose Confidential Information to any third party except as required by law and, where legally permitted, after notice to the Customer.

Hotline / whistleblower submissions receive heightened confidentiality protection: reporter identity (when provided) is encrypted, access is restricted to designated case handlers in the Customer's organisation, and it is never used to train any model.

4. Data Processing & Privacy

We process Personal Data as Processor on behalf of the Customer (Controller) in accordance with the EU GDPR, UK GDPR, the Nigeria Data Protection Act 2023 (NDPA), and other applicable data-protection laws.

• Sub-processors: A current list is available on request. Customers will be notified of material changes.
• International transfers: Where Personal Data leaves the EEA / UK / Nigeria, transfers rely on Standard Contractual Clauses or an adequacy decision.
• Data subject rights: Customers can fulfil access and erasure requests through the in-app Privacy page (Right to Access / Right to Erasure / Data Portability — Arts. 15, 17, 20 GDPR; s.34 NDPA).
• Retention: Customer Data is retained while the account is active and for up to thirty (30) days after termination, after which it is permanently deleted, except where longer retention is required by law.
• AI processing: Prompts and context sent to the embedded AI assistant ("Alice") are processed transiently to generate responses. Customer Data is never used to train foundation models.

5. Regulatory & Standards Compliance

The Service is designed and operated to support Customers' obligations under, and is itself aligned to, the following frameworks and regulations: IIA Global Internal Audit Standards 2025, COSO Internal Control – Integrated Framework, COSO ERM, COBIT 2019, ISO/IEC 27001:2022, NIST CSF 2.0, SOC 1, SOC 2, Sarbanes-Oxley (SOX), GDPR, UK GDPR, NDPA 2023, Basel III operational risk, ESG reporting frameworks, and AML / CFT guidance issued by major financial-services regulators. Alignment to a framework does not constitute certification of the Customer's own compliance posture; the Customer remains responsible for its own controls, attestations and reporting.

6. Acceptable Use

Customer will not, and will not permit any user to: (a) reverse engineer or attempt to extract the source code or model weights of the Service; (b) upload malware or content that infringes third-party rights; (c) use the Service to process Personal Data unlawfully; (d) attempt to access another tenant's data; (e) use the Service in violation of export-control laws or sanctions; or (f) misrepresent AI-generated output as human attestation without appropriate human review.

7. Intellectual Property

The Service, including all software, models, prompts, templates, documentation and trademarks, is and remains the property of Applied Synergy Plus Consulting LLP or its licensors. Customer retains all rights, title and interest in and to Customer Data. Customer grants us a limited, non-exclusive licence to host, process and display Customer Data solely as necessary to provide the Service.

8. Warranties & Disclaimers

The Service is provided "as is". AI-generated content (including risk assessments, findings, plan suggestions and policy drafts) is decision-support output and must be reviewed by a qualified human auditor before reliance for audit, regulatory, or assurance purposes. We disclaim all implied warranties to the maximum extent permitted by law.

9. Limitation of Liability

To the maximum extent permitted by law, neither party's aggregate liability arising out of or related to these Terms will exceed the fees paid by Customer for the Service in the twelve (12) months preceding the event giving rise to liability. Neither party will be liable for indirect, incidental, consequential, special or punitive damages.

10. Termination

Either party may terminate for material breach not cured within thirty (30) days of written notice. Upon termination, Customer may export its data via the in-app Privacy page for up to thirty (30) days, after which Customer Data will be permanently deleted.

11. Governing Law

These Terms are governed by the laws of the Commonwealth of Pennsylvania, USA, without regard to its conflict-of-laws principles. The parties consent to the exclusive jurisdiction of the state and federal courts located in Pennsylvania for any dispute arising hereunder.

12. Contact

Questions regarding these Terms, data protection, or security should be directed to:

Applied Synergy Plus Consulting LLP
Pennsylvania, USA
rarmah@appliedsynergyplusconsulting.com

See also our Privacy & Data Rights page for in-product data export and deletion controls.