Preamble

DIV PROTOCOL SAS is a French company specializing in providing a SaaS (Software as a Service) solution for secure storage, sharing and end-to-end encryption of professional data, exclusively for businesses and professionals (B2B). The Service is accessible via the platform at www.divprotocol.com and relies on a secure infrastructure hosted exclusively in France and the European Union by OVH SAS. These General Terms and Conditions of Sale (hereinafter "GTC-S") constitute the sole contractual framework governing commercial relations between DIV PROTOCOL and its Clients. Any subscription to the Service implies full, complete and unreserved acceptance of these GTC-S.

I. Definitions

For the purposes of these GTC-S, the following terms shall have the meanings assigned to them below:

• "Client": any legal entity or natural person acting in a professional capacity who has subscribed to a DIV PROTOCOL Service offer;
• "User": any natural person holding an account on the Platform, acting on behalf of the Client;
• "Platform": the web application accessible at www.divprotocol.com and all associated interfaces;
• "Service": all functionalities provided by DIV PROTOCOL under the offer subscribed to by the Client;
• "Client Data": all files, documents and content uploaded, stored or processed by the Client and its Users on the Platform;
• "Personal Data": any information relating to an identified or identifiable natural person, within the meaning of Regulation (EU) 2016/679 (GDPR);
• "Parties": refers jointly to DIV PROTOCOL and the Client;
• "Agreement": refers to these GTC-S, the offer subscribed to by the Client, and any ancillary document expressly agreed upon between the Parties.

II. Purpose

These GTC-S define the conditions under which DIV PROTOCOL SAS (hereinafter "the Provider") grants the Client access to the Service, as well as the respective rights and obligations of the Parties. Any subscription to the Service implies unreserved acceptance of these GTC-S, to the exclusion of any other document, including the Client's general terms of purchase.

III. Scope and acceptance

These GTC-S apply to any order, subscription or use of the Service by the Client, regardless of the offer selected. They prevail over any other contractual document from the Client. DIV PROTOCOL reserves the right to modify these GTC-S at any time. Any modification shall be notified to the Client by email at least thirty (30) days before coming into effect. Continued use of the Service after the new GTC-S come into effect constitutes acceptance thereof. In case of refusal, the Client may terminate their subscription under the conditions set out in Article VII.

IV. Service description

The DIV PROTOCOL Service is a secure document management platform comprising the following functionalities:

• Secure storage with end-to-end encryption (E2E): files are encrypted client-side before any transfer to servers, ensuring that only authorized Users can access content in clear text;
• Resumable file uploads (chunked/resumable uploads): fragment-based uploading allowing resumption in case of interruption;
• Three sharing modes: internal sharing (between Users of the same organization), secure external sharing (with OTP code verification sent by email), and public link sharing;
• Collaborative document editing: integration of the OnlyOffice office suite enabling real-time editing of text documents, spreadsheets and presentations directly from the Platform;
• Granular permission management: assignment of distinct rights per User and per resource (READ, WRITE, DELETE, DOWNLOAD, SHARE, MANAGE_ROLE);
• Audit and traceability: audit log recording over 28 types of actions (login, upload, download, sharing, permission changes, deletion, etc.);
• Versioning: preservation of file version history with restoration capability;
• Recycle bin: reversible deletion before permanent deletion;
• Search: search engine indexing file names;
• Personal and team projects: file and folder organization by projects with collaborative management;
• Dashboard and administration: administration interface enabling User management, permissions, quotas and organization settings management.

DIV PROTOCOL reserves the right to evolve the Service functionalities to improve quality and security, without altering the essential characteristics of the offer subscribed to by the Client.

V. Offers and storage quotas

The Service is offered under various commercial plans, the characteristics of which (storage volume, number of Users, included functionalities) are defined by quote, based on the Client's expressed needs. The storage quota varies according to the subscribed plan. The Client is informed of their quota at the time of subscription. In case of quota exceedance, DIV PROTOCOL will inform the Client and may restrict certain functionalities (notably the upload of new files) until regularization. The Client may request an increase in their storage quota or a plan upgrade at any time by contacting DIV PROTOCOL.

VI. Pricing and payment

Service pricing is established by quote, based on the plan, storage volume and number of Users requested by the Client. No fixed pricing is published; each commercial proposal is customized. Unless otherwise stated in the quote, prices are expressed in euros excluding taxes (excl. VAT). The applicable VAT will be added at the rate in force. Payments are made by credit card via the secure payment platform Stripe. Billing occurs on the subscription date, then on a recurring basis according to the chosen periodicity (monthly or annual). In case of payment failure, the Provider will send a reminder to the Client. Failing regularization within fifteen (15) days, the Provider may suspend access to the Service. After thirty (30) days of non-payment, the Provider may terminate the Agreement as of right. Any period commenced is due in full and does not give rise to any refund, unless otherwise provided by applicable law.

VII. Duration, renewal and termination

The Agreement is concluded for the duration corresponding to the subscription periodicity (monthly or annual), renewable by tacit renewal. The Client may terminate their subscription at any time from their administration dashboard on the Platform. Termination takes effect at the end of the current period. No pro rata temporis refund is due for the remaining period. DIV PROTOCOL may terminate the Agreement as of right in case of: — serious breach by the Client of contractual obligations not remedied within fifteen (15) days of formal notice by email; — persistent non-payment beyond thirty (30) days; — use of the Service in violation of applicable law. Upon termination, the Client has thirty (30) days to retrieve their Client Data. After this period, DIV PROTOCOL will proceed with permanent data deletion, unless legally required to retain it.

VIII. Service levels (SLA)

DIV PROTOCOL commits to ensuring Service availability of 99.5% on a monthly basis, calculated as follows: Availability rate = ((Total month time – Downtime) / Total month time) × 100 The following are excluded from the availability calculation: — scheduled maintenance operations, notified to the Client at least 48 hours in advance; — interruptions resulting from force majeure; — interruptions attributable to the Client or third parties; — interruptions related to hosting providers. Scheduled maintenance windows are planned outside business hours (between 10:00 PM and 6:00 AM, Paris time) where possible. In case of SLA non-compliance observed over a calendar month, the Client may request a credit proportional to the excess downtime, up to a maximum of 30% of the monthly subscription amount.

IX. DIV PROTOCOL obligations

DIV PROTOCOL undertakes to:

• provide the Service in accordance with these GTC-S and current best practices in information security;
• ensure Service availability under the conditions defined in Article VIII;
• implement appropriate technical and organizational measures to protect Client Data against unauthorized access, loss or alteration;
• promptly inform the Client of any security incident likely to affect their data;
• notify the Client at least 48 hours in advance of any scheduled maintenance operation;
• not access Client Data in clear text, in accordance with the Service's end-to-end encryption architecture, except under mandatory legal obligation;
• provide technical support within the timeframes and according to the terms of the subscribed offer.

X. Client obligations

The Client undertakes to:

• use the Service in compliance with applicable laws and regulations, including intellectual property law, personal data protection law and cybercrime legislation;
• guarantee the lawfulness of all content stored, shared and processed via the Platform;
• maintain the confidentiality of its Users' login credentials and immediately inform DIV PROTOCOL of any unauthorized use;
• not compromise the security, integrity or availability of the Service (intrusion attempts, malicious code injection, unauthorized load testing, etc.);
• maintain its own backups of critical data, the Service not being a substitute for a backup solution;
• ensure that its Users comply with these GTC-S and the applicable Terms of Use;
• pay invoices within the agreed timeframes.

XI. Security and encryption

DIV PROTOCOL implements professional-grade security architecture comprising the following measures: End-to-end encryption (E2E): files are encrypted client-side before any transfer to servers. Encryption keys are derived and managed client-side. The Provider has no access to decryption keys. Encryption at rest: data stored on servers is encrypted at rest. Encryption in transit: all communications between client and servers are encrypted in transit. Zero-knowledge architecture (nuance): file content is inaccessible to the Provider. However, certain metadata necessary for Service operation (file names, directory structure, sizes, modification dates, audit logs) is accessible server-side to enable indexing, search and administration. Enhanced authentication: support for two-factor authentication (2FA) via email, TOTP authenticator app, and backup codes. Magic links are also available. Data isolation: each Client's data is logically isolated within the infrastructure.

XII. Traceability and blockchain technologies

DIV PROTOCOL is developing a traceability module based on blockchain technology, enabling the anchoring of digital fingerprints (hashes) of files and audit events on an immutable distributed ledger. This feature is currently being deployed and does not constitute, as of the date hereof, a firm contractual commitment. The Client will be informed of its effective availability by notification on the Platform. Once activated, blockchain traceability will enable: — proving the existence of a file at a given point in time (certified timestamp); — verifying file integrity (absence of modification); — establishing digital evidence with enhanced evidentiary value. No file content is stored on the blockchain. Only cryptographic hashes and audit metadata are recorded.

XIII. Personal data and GDPR

In the performance of the Agreement, DIV PROTOCOL processes Personal Data on behalf of the Client, in its capacity as data processor within the meaning of Article 28 of the GDPR. DIV PROTOCOL undertakes to: — process Personal Data only on documented instructions from the Client and solely for the purpose of performing the Service; — ensure that persons authorized to process data are subject to a confidentiality obligation; — implement appropriate technical and organizational measures in accordance with Article 32 of the GDPR; — not subcontract processing without the Client's prior written authorization; — assist the Client in meeting its obligations under Articles 32 to 36 of the GDPR; — delete or return data upon termination of the service, as chosen by the Client; — make available to the Client all information necessary to demonstrate compliance with obligations and contribute to audits. Details of Personal Data processing are described in the Privacy Policy accessible on the Platform.

XIV. Confidentiality

Each Party undertakes to treat as confidential all information exchanged in the course of the Agreement, whether of a technical, commercial, financial or strategic nature. This confidentiality obligation applies for the entire duration of the Agreement and continues for a period of five (5) years after its termination. Excluded from this obligation is information: — in the public domain at the time of its communication; — the disclosure of which is required by a judicial or administrative authority; — that the receiving party can prove it knew prior to its communication.

XV. Intellectual property

DIV PROTOCOL is and remains the holder of all intellectual property rights relating to the Platform, the Service, software, source code, algorithms, technical architecture, design, trademarks, logos and associated documentation. The Agreement does not confer upon the Client any intellectual property rights over the Service. The Client benefits solely from a non-exclusive, non-transferable right of use, for the duration of the Agreement and within the limits of the subscribed offer. Client Data uploaded to the Platform remains the exclusive property of the Client. DIV PROTOCOL claims no rights over such data.

XVI. Liability and limitations

DIV PROTOCOL undertakes to perform its obligations with diligence and in accordance with professional standards. The Provider's liability is an obligation of means. DIV PROTOCOL shall not be held liable for: — damages resulting from use of the Service not in compliance with the GTC-S or documentation; — data loss attributable to the Client or third parties; — indirect damages, including but not limited to: loss of revenue, data loss, reputational damage, loss of opportunity, commercial prejudice; — interruptions resulting from force majeure or hosting provider failures. In any event, DIV PROTOCOL's total and cumulative liability under the Agreement is capped at the total amount actually paid by the Client during the twelve (12) months preceding the event giving rise to the damage. This limitation does not apply in cases of gross negligence, willful misconduct, or personal injury.

XVII. Force majeure

Neither Party may be held liable for failure to perform or delay in performing its contractual obligations when such failure results from a force majeure event within the meaning of Article 1218 of the French Civil Code. The following are notably considered force majeure events: natural disasters, fires, strikes, telecommunications network failures, large-scale cyberattacks, governmental or regulatory decisions preventing performance of the Agreement. The affected Party shall inform the other Party as soon as possible. If the force majeure event continues for more than sixty (60) days, either Party may terminate the Agreement as of right without indemnity.

XVIII. Applicable law and jurisdiction

These GTC-S are governed by French law. In case of any dispute relating to the interpretation, performance or termination hereof, the Parties shall endeavor to find an amicable solution within thirty (30) days. Failing amicable resolution, exclusive jurisdiction is attributed to the Commercial Court of Paris, notwithstanding plurality of defendants or warranty claims. Contact: contact@divprotocol.com