Terms of Service

Effective date: March 10, 2026

Last updated: March 10, 2026

Version: 1.0

These Terms of Service ("Terms") govern access to and use of Momenta's websites, cloud-hosted applications, APIs, and any related software components that Momenta may make available for installation in Customer environments solely if explicitly set out in an Order Form or SOW (collectively, the "Services") by the entity accepting these Terms ("Customer") and its authorized users.

1.1 Binding agreement. By accessing or using the Services, Customer agrees to these Terms. The individual accepting these Terms represents they are authorized to bind Customer.

1.2 Order of precedence. If Customer signs an order form, statement of work, or separate written agreement (including a Master Services Agreement, "MSA") with Momenta, that document controls to the extent it conflicts with these Terms. If a Data Processing Addendum ("DPA") applies, it governs processing of Customer Personal Data.

1.3 Updates. Momenta may update these Terms from time to time. Updated Terms will be posted on the website and will apply prospectively as permitted by law. Material changes will be effective upon posting or as otherwise stated.

2.1 Description. Momenta provides deepfake detection and phishing simulation capabilities delivered via web interfaces and/or APIs.

2.2 Changes. Momenta may modify the Services to improve security, performance, or functionality, or to comply with law. Momenta will use commercially reasonable efforts to avoid material degradation of core functionality during an active paid term.

2.3 Beta/preview features. Some features may be offered as beta, preview, or evaluation features ("Beta Features"). Beta Features are provided "as is," may change or be discontinued, and may not be supported or subject to the same security/availability commitments as generally available features.

2.4 Self-Hosted / On-Prem Deployments. If Customer purchases a self-hosted or on-premises deployment of any portion of the Services ("Self-Hosted Deployment"), such Self-Hosted Deployment is provided only as expressly described in the applicable Order Form/SOW and documentation. Customer is responsible for (i) installing, configuring, hosting, and operating the Self-Hosted Deployment in Customer's environment, (ii) implementing and maintaining appropriate security controls, and (iii) ensuring the environment meets any stated technical and security prerequisites. Any support, maintenance, update, and availability commitments for a Self-Hosted Deployment will be as stated in the applicable Order Form/SOW.

3.1 Account responsibility. Customer is responsible for: (i) maintaining the confidentiality of credentials and API keys; (ii) ensuring only authorized users access the Services; and (iii) all activities under Customer accounts.

3.2 Security measures. Customer will use reasonable security practices, including: strong authentication (and enabling MFA where available), protecting API keys (no hard-coding in public repositories), and promptly removing access for departed users.

3.3 Incident notice. Customer must promptly notify Momenta of any suspected unauthorized access, credential compromise, or security incident related to Customer's use of the Services.

3.4 Suspension. Momenta may suspend or limit access to the Services to protect the Services, Customer, or others; to address suspected abuse or security risk; or if required by law. Momenta will use reasonable efforts to notify Customer and restore access once the issue is resolved.

3.5 Customer environment security (Self-Hosted). For any Self-Hosted Deployment, Customer is solely responsible for the security, backups, access controls, network configuration, patching of Customer-managed infrastructure, and compliance of Customer's environment. Momenta is not responsible for incidents arising from Customer's environment, except to the extent caused by Momenta's gross negligence or willful misconduct or as otherwise expressly agreed in writing.

Customer will not (and will not allow any user or third party to):

• violate any applicable law or regulation;
• use the Services for unlawful, harmful, or deceptive activities (including fraud, impersonation, or distributing malware);
• probe, scan, or test the vulnerability of the Services except as expressly authorized by Momenta;
• interfere with or disrupt the Services (including rate-limit evasion, denial-of-service attempts, or bypassing access controls);
• reverse engineer, decompile, or attempt to derive source code, models, or underlying components except where prohibited by law;
• use the Services to build or improve competing products via systematic extraction, scraping, or model/distillation attempts (except as expressly permitted in writing); or
• infringe or misappropriate intellectual property, privacy, or other rights.

5.1 Customer content. Customer may submit data/content to the Services ("Customer Content"). Customer retains ownership of Customer Content.

5.2 Customer responsibilities. Customer represents and warrants it has all rights, permissions, and legal bases required to provide Customer Content to Momenta and to instruct Momenta to process it, including providing required notices and obtaining consents where required.

5.3 Sensitive data. Customer will not submit special category data (e.g., health data, biometric identifiers, political opinions) or regulated data (e.g., payment card data subject to PCI DSS) unless explicitly agreed in writing and covered by appropriate safeguards and contract terms.

5.4 Processing of personal data. If Momenta processes personal data on behalf of Customer, the parties will enter into (or these Terms will incorporate) a DPA governing such processing.

6.1 Momenta IP. Momenta and its licensors own all rights in the Services, including software, models, workflows, documentation, and any improvements ("Momenta IP"). No rights are granted except as expressly stated.

6.2 License to Customer. Subject to these Terms and payment of applicable fees, Momenta grants Customer a limited, non-exclusive, non-transferable, revocable license during the subscription term to access and use the Services for Customer's internal business purposes.

6.3 Feedback. If Customer provides suggestions or feedback, Momenta may use it without restriction or obligation, and without compensation to Customer.

6.4 No implied licenses. Except as expressly provided, all rights are reserved.

7.1 Confidential Information. "Confidential Information" means non-public information disclosed by a party that is marked confidential or should reasonably be understood to be confidential (including security documentation, product roadmaps, pricing, and Customer Content).

7.2 Obligations. The receiving party will protect Confidential Information with reasonable care, use it only to perform under these Terms, and disclose it only to personnel/contractors with a need to know and confidentiality obligations.

7.3 Exclusions. Confidential Information does not include information that is publicly available without breach, independently developed, or rightfully received from a third party without duty of confidentiality.

7.4 Compelled disclosure. If legally compelled, the receiving party may disclose Confidential Information and will provide notice where legally permitted.

8.1 Fees. Fees (if any) are stated in the order form or quote.

8.2 Taxes. Fees are exclusive of taxes. Customer is responsible for all applicable taxes except taxes based on Momenta's net income.

8.3 Late payments. Overdue amounts may accrue interest at 1.5% per month or the maximum allowed by law, whichever is less.

9.1 Limited warranty. During a paid subscription term, Momenta warrants that the Services will materially conform to applicable documentation under normal use. Customer must notify Momenta of any material nonconformity, and Momenta will use commercially reasonable efforts to correct it. If Momenta cannot correct the material nonconformity within 30 days after receiving notice, Customer's exclusive remedy is to terminate the affected Services and receive a pro-rated refund of prepaid, unused fees for the terminated portion.

9.2 Disclaimers. EXCEPT AS EXPRESSLY STATED, THE SERVICES ARE PROVIDED "AS IS" AND "AS AVAILABLE." MOMENTA DISCLAIMS ALL WARRANTIES, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT, TO THE MAXIMUM EXTENT PERMITTED BY LAW.

9.3 No legal/medical/financial advice. The Services provide detection/simulation outputs that are informational. Customer remains responsible for decisions and actions taken based on outputs.

9.4 Security scope clarification. Any security documentation, audit reports, or certifications provided by Momenta (including those covering Momenta-managed environments) apply only to systems and controls operated by Momenta and within the applicable audit scope. They do not extend to Customer's environment for any Self-Hosted Deployment unless expressly agreed in writing.

TO THE MAXIMUM EXTENT PERMITTED BY LAW:

10.1 Exclusion of damages. Neither party will be liable for indirect, incidental, special, consequential, exemplary, or punitive damages, or for lost profits, revenue, goodwill, or data, even if advised of the possibility.

10.2 Liability cap. Each party's total aggregate liability arising out of or related to these Terms is limited to the fees paid by Customer to Momenta for the Services in the 12 months immediately preceding the event giving rise to the claim. If Customer is using the Services on a free, trial, or evaluation basis, Momenta's total aggregate liability is limited to US$100.

10.3 Excluded Claims. The cap does not apply to: (a) a party's gross negligence or willful misconduct; (b) Customer's payment obligations; (c) a party's breach of confidentiality; and (d) either party's indemnification obligations (to be confirmed by counsel).

11.1 By Customer. Customer will defend and indemnify Momenta from third-party claims arising from Customer Content, Customer's misuse of the Services, or Customer's violation of law.

11.2 By Momenta (IP indemnity). Momenta will defend and indemnify Customer from third-party claims alleging the Services infringe intellectual property rights, subject to standard exclusions (including Customer Content, misuse, modifications, and combination with non-Momenta products) and provided Customer promptly notifies Momenta and cooperates.

11.3 Infringement remedy. If a claim arises, Momenta may modify the Services to be non-infringing, obtain a license, or terminate the affected Services and provide a pro-rated refund of prepaid fees for the terminated portion.

12.1 Term. These Terms begin when accepted and continue until terminated.

12.2 Termination for breach. Either party may terminate for material breach not cured within 30 days after written notice. Momenta may terminate or suspend access immediately for illegal use, security risk, or repeated abuse. Momenta may terminate for non-payment if not cured within 10 days after notice.

12.3 Effect of termination. Upon termination, Customer must stop using the Services, all licenses granted to Customer end, and Customer data return/deletion will be handled per the DPA and applicable agreement terms.

12.4 Survival. Sections that by their nature should survive will survive, including IP, confidentiality, disclaimers, limitations of liability, and indemnification.

Customer will comply with all applicable laws, including export controls and sanctions. Customer represents it is not located in a prohibited jurisdiction and is not on a restricted party list.

Governing law: Delaware

Venue/jurisdiction: State or federal courts located in New Castle County, Delaware, and each party consents to personal jurisdiction and venue there.