ECOHEDGE LTD – TERMS AND CONDITIONS OF USE

Last Updated: September 2025

These Terms and Conditions of Use (the Agreement) govern the Customer’s access to and use of the Software. By accepting these terms, the Customer agrees to be bound by the Agreement.

1. Definitions and Interpretation

1.1 The definitions and rules of interpretation in this clause apply in these terms and conditions:

Agreement: the agreement between ECOHEDGE and the Customer for the sale and purchase of Software in accordance with these terms and conditions.

AI Services: the artificial intelligence and machine learning features integrated into the Software, including but not limited to automated transaction categorisation, emissions calculations, report generation, and data insights powered by third-party AI providers.

API Integrations: connections to third-party services including but not limited to Xero, QuickBooks, Nango, and other accounting or business software platforms.

Business Day: a day other than a Saturday, Sunday or public holiday in England when banks in London are open for business.

Business Unit: a distinct operational division, department, or location within the Customer's organisation that can be separately tracked within the Software.

Confidential Information: information that is proprietary or confidential and is either clearly labelled as such or identified as Confidential Information in clause 10.5 or clause 10.6.

Customer: the person or firm who subscribes to use the Software in accordance with these terms and conditions.

Customer Data: the data inputted by the Customer and its Users for the purpose of using the Software, including but not limited to accounting data, transaction records, supplier information, emissions data, and business unit information.

Data Protection Laws: in each case to the extent applicable to the parties and as amended, superseded, replaced or updated from time to time: (i) GDPR; (ii) the UK GDPR; (iii) the Data Protection Act 2018; (iv) the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR); and (v) any other applicable data protection and privacy laws.

Demo Data: sample data and reports provided by ECOHEDGE for demonstration purposes during trial periods or for new users.

ECOHEDGE: ECOHEDGE LTD., a company registered in England and Wales with company number 9392547 and with a registered office at 71–75 Shelton Street, Covent Garden, London, England WC2H 9JQ.

ECOHEDGE Generic Data: anonymised and aggregated datasets derived from Customer Data, owned by ECOHEDGE, as detailed in clause 4.5.

EEA Standard Contractual Clauses or SCCs: the standard contractual clauses approved by the European Commission as a valid mechanism for the transfer of Personal Data originating from the European Economic Area to a third country from time to time in force (including Module 2 and Module 3, as applicable).

Effective Date: the date these terms and conditions are accepted by the Customer.

Fees: the fees for the use of the Software, as set out at www.ecohedge.com/pricing and as updated from time to time at www.ecohedge.com/pricing.

GDPR: Regulation (EU) 2016/679 (General Data Protection Regulation).

Intellectual Property Rights: any current and future intellectual property rights and interests including patents, utility models, designs, design rights, copyright (including rights in software), decryption rights, database rights, trade marks, rights pursuant to passing off, service marks, business and trade names, domain names, know-how, topography rights, inventions, rights in confidential information (including technical and commercial trade secrets) and image rights, and rights of a similar or corresponding character in any part of the world, in each case whether registered or not and including any application for registration and renewals or extensions of such rights in any country in the world.

Normal Business Hours: 9:00–17:00 local UK time on each Business Day.

Personal Data, Process/Processing, Controller, Processor, Data Subject: have the meanings given in the Data Protection Laws.

Software: the online software platform available via www.app.ecohedge.com provided by ECOHEDGE to the Customer, including all AI Services, API Integrations, and related features.

Software Privacy Policy: ECOHEDGE’s privacy policy, available at www.ecohedge.com/privacy (as updated from time to time).

Subscription Term: the period commencing on the Effective Date and ending on the date the Agreement terminates in accordance with clauses 13 or 14.1.

Subscription Tier: the level of service subscribed to by the Customer (e.g., Demo, Starter, Growth, Enterprise), each with different features and limitations as described at www.ecohedge.com/pricing.

Support Services Policy: ECOHEDGE's policy for providing support in relation to the Software as made available at www.ecohedge.com/technical-support or such other website address as may be notified to the Customer from time to time.

Third-Party Services: external services integrated with or accessible through the Software, including but not limited to Auth0, Stripe, SendGrid, Nango, OpenAI, Xero, QuickBooks, and other accounting or business platforms.

UK Addendum: the addendum to the EEA SCCs approved by the UK Information Commissioner’s Office (ICO) as a valid mechanism for the transfer of Personal Data originating from the UK to a third country.

UK GDPR: has the meaning given in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018.

UK IDTA: the UK International Data Transfer Agreement approved by the ICO as a valid mechanism for the transfer of Personal Data originating from the UK to a third country.

Users: the Customer’s own users of the Software, including administrators, team members, and any other person that the Customer allows to access the Software under the terms of this Agreement.

Virus: any thing or device (including any software, code, file or programme) that may: prevent, impair or otherwise adversely affect the operation of any computer software, hardware or network, any telecommunications service, equipment or network or any other service or device; prevent, impair or otherwise adversely affect access to or the operation of any programme or data (whether by re‑arranging, altering or erasing the programme or data in whole or part or otherwise); or adversely affect the user experience, including worms, trojan horses, viruses and other similar things or devices.

Vulnerability: a weakness in the computational logic (for example, code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, or availability.

1.2 Interpretation. Headings are for convenience only and do not affect interpretation. References to statutes include modifications, re-enactments and subordinate legislation. References to “including” are deemed to be followed by “without limitation”.

2. Licence

2.1 Subject to the Customer paying the Fees for its selected Subscription Tier, the restrictions set out in this clause 2 and the other terms and conditions of this Agreement, ECOHEDGE grants to the Customer a non‑exclusive, non‑transferable right, without the right to grant sublicences, to permit the Customer to use the Software during the Subscription Term solely for the Customer's internal business operations.

2.2 The Customer’s use of the Software is limited by its Subscription Tier, which may include restrictions on: (a) number of Users; (b) number of Business Units; (c) number of reports generated; (d) access to AI Services; (e) access to API Integrations; (f) data retention periods; and (g) export capabilities.

2.3 Account security. The Customer shall procure that each User keeps secure authentication credentials for use of the Software and enables multi‑factor authentication (MFA) where available. ECOHEDGE recommends alignment with UK NCSC guidance (encouraging strong, unique passphrases and MFA) instead of mandatory periodic password rotation. SSO may be used where supported.

2.4 The Customer shall not (and shall ensure Users shall not) access, store, distribute or transmit any Viruses, or any material that: (a) is unlawful, harmful, threatening, defamatory, obscene, infringing, harassing or racially or ethnically offensive; (b) facilitates illegal activity; (c) depicts sexually explicit images; (d) promotes unlawful violence; (e) is discriminatory based on a protected characteristic; or (f) is otherwise illegal or causes damage or injury to any person or property. ECOHEDGE may, without liability, disable access to any material that breaches this clause.

2.5 The Customer shall not: (a) except as may be allowed by applicable law or expressly permitted under this Agreement, attempt to copy, modify, duplicate, create derivative works from, frame, mirror, republish, download, display, transmit or distribute all or any portion of the Software; (b) de‑compile, reverse compile, disassemble, reverse engineer or otherwise reduce to human‑perceivable form all or any part of the Software; (c) access the Software to build a product or service in competition with the Software; (d) subject to clause 20.1, license, sell, rent, lease, transfer, assign, distribute, display, disclose, or otherwise commercially exploit, or make the Software available to any third party except for sharing reports as permitted under clause 9.3; (e) attempt to obtain, or assist third parties in obtaining, access to the Software, other than as provided under this clause 2; (f) introduce or permit the introduction of any Virus or Vulnerability into ECOHEDGE’s systems; or (g) abuse or manipulate the AI Services to generate false, misleading or fraudulent emissions data or reports, including greenwashing claims.

2.6 The Customer shall use all reasonable endeavours to prevent unauthorised access to or use of the Software and promptly notify ECOHEDGE of any such unauthorised access or use.

3. Software and AI Services

3.1 ECOHEDGE shall, during the Subscription Term, provide the Software to the Customer on and subject to this Agreement.

3.2 ECOHEDGE shall use commercially reasonable endeavours to make the Software available 24×7, except for: (a) scheduled maintenance (for which ECOHEDGE shall give reasonable notice); (b) unscheduled maintenance performed outside Normal Business Hours; and (c) interruptions caused by Third‑Party Services or the public internet.

3.3 The Customer acknowledges that the AI Services: (a) use machine learning models that may produce varying results; (b) require sufficient quality and quantity of input data to function effectively; (c) may not achieve 100% accuracy in categorisation or calculations; (d) should be reviewed and verified by the Customer before reliance; (e) may be updated or improved over time, affecting outputs; (f) are dependent on third‑party AI providers (including OpenAI) whose services may be interrupted or modified; and (g) are not intended to be used to make decisions based solely on automated processing that produce legal effects concerning individuals or similarly significantly affect them. The Customer shall ensure appropriate human review before relying on outputs in such contexts.

3.4 In consideration of the relevant Fees, ECOHEDGE shall provide support during Normal Business Hours in accordance with the Support Services Policy then in effect.

4. Data Protection

4.1 Each party shall comply with applicable requirements of the Data Protection Laws. This clause 4 is in addition to, and does not replace, a party’s obligations under the Data Protection Laws.

4.2 Roles of the parties. The Customer is Controller of Customer Data uploaded or ingested via the Software. ECOHEDGE acts as Processor for such Customer Data. For ECOHEDGE’s own business operations (e.g., billing, security logs, service analytics, account management, and direct marketing), ECOHEDGE acts as Controller. Schedule 1 sets out the subject matter, nature and purpose of processing by ECOHEDGE, the duration of processing, the types of Personal Data, categories of Data Subject and the obligations and rights of the Customer as Controller.

4.3 The Customer acknowledges and agrees that: (a) Customer Data may be processed by the AI Services for categorisation and analysis; (b) accounting data imported via API Integrations will be processed according to this Agreement; (c) anonymised usage patterns may be used to improve the Software and AI Services; and (d) Demo Data provided by ECOHEDGE contains no real Personal Data.

4.4 Where ECOHEDGE acts as Processor, it shall:

4.4.1 Documented instructions. Process Personal Data only on the documented instructions of the Customer and only to the extent required to fulfil the purpose, and promptly inform the Customer if, in its opinion, an instruction infringes Data Protection Laws (without obligation to provide legal advice).

4.4.2 Security. Implement and maintain appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful processing and against accidental loss, destruction or damage, as further described in Annex A (Technical and Organisational Measures).

4.4.3 Sub‑processors. The Customer provides a general authorisation for ECOHEDGE to engage the following categories of sub‑processors: (i) providers of API services or API aggregators (including Nango); (ii) AI and machine learning service providers (including OpenAI); (iii) authentication service providers (including Auth0); (iv) payment processors (including Stripe); (v) email service providers (including SendGrid); (vi) cloud hosting and storage providers (including Vercel and Supabase); and (vii) accounting software providers (including Xero and QuickBooks). ECOHEDGE shall: (a) notify the Customer in writing at least 30 days before appointing or replacing any sub‑processor; (b) allow the Customer to object on reasonable data protection grounds within 14 days of such notification; (c) ensure equivalent data protection obligations are imposed on all sub‑processors through written contracts; and (d) where an objection cannot be resolved within 30 days, permit the Customer to terminate the affected Services (in whole or part) without penalty with a pro‑rata refund of Fees paid in advance for the terminated portion.

4.4.4 Confidentiality. Ensure that persons authorised to process Personal Data are subject to binding confidentiality obligations.

4.4.5 International transfers. Where Personal Data is transferred outside the UK/EEA, implement appropriate safeguards, including use of the EEA SCCs (Module 2/3, as applicable) and/or the UK Addendum or UK IDTA, together with a documented transfer risk assessment where required by law. Where available, ECOHEDGE may rely on adequacy decisions (including the EU‑US Data Privacy Framework and the UK‑US data bridge) for eligible transfers. ECOHEDGE shall ensure that AI and other sub‑processors do not use Customer Personal Data to train or improve their foundation models unless expressly instructed by the Customer and supported by a valid transfer mechanism.

4.4.6 Assistance. Taking into account the nature of the Processing and the information available, assist the Customer in responding to Data Subject requests and in meeting obligations under Data Protection Laws (including security, Personal Data Breach notifications, DPIAs and consultations with supervisory authorities). ECOHEDGE shall acknowledge requests within 3 Business Days (urgent DSAR deadlines) and otherwise within 5 Business Days.

4.4.7 Return and deletion. On termination of this Agreement, make Customer Data available for export for at least 60 days in a commonly used, machine‑readable format (e.g., CSV/JSON plus basic documentation). After that period, delete or anonymise Customer Data unless retention is required by law.

4.4.8 Personal Data Breach. Notify the Customer without undue delay and in any event within 48 hours after becoming aware of a Personal Data Breach, and provide updates including: (a) the nature of the breach; (b) categories/approximate number of Data Subjects and records concerned; (c) likely consequences; and (d) measures taken or proposed to address the breach.

4.4.9 Records and audits. Maintain records necessary to demonstrate compliance with Article 28 UK GDPR/GDPR and make available all information necessary to demonstrate such compliance. Allow for and contribute to reasonable audits or inspections by the Customer or its mandated auditor no more than once in any 12‑month period (except following a Personal Data Breach or at the request of a supervisory authority), on reasonable notice and during Normal Business Hours.

4.4.10 Data location transparency. Upon request, provide a current list of principal data storage/processing locations and sub‑processors.

4.5 ECOHEDGE Generic Data. ECOHEDGE may create anonymised and aggregated datasets derived from Customer Data ("ECOHEDGE Generic Data"), provided that such datasets are anonymised in accordance with ICO guidance on anonymisation, pseudonymisation and PETs (or successor guidance) so that individuals are not identifiable by ECOHEDGE or any third party using all means reasonably likely to be used. ECOHEDGE shall not attempt to re‑identify individuals and shall contractually prohibit re‑identification by recipients. ECOHEDGE owns all rights in ECOHEDGE Generic Data, which may be used for benchmarking, product improvement and industry insights, including: (a) emissions patterns and trends; (b) categorisation accuracy metrics; (c) common supplier emissions profiles; and (d) industry benchmarks and comparisons.

4.6 Excluded datasets. The Services are not intended for the Processing of Special Category Data or children’s data. The Customer shall not provide such data without ECOHEDGE’s prior written agreement and a signed addendum specifying additional safeguards.

4.7 Marketing (PECR). Where ECOHEDGE acts as Controller for direct electronic marketing, it shall comply with PECR and only send marketing communications where a valid lawful basis exists; each message will include a clear opt‑out mechanism.

5. Third‑Party Providers and API Integrations

5.1 The Customer acknowledges that the Software integrates with and relies upon various Third‑Party Services, including without limitation: (a) Nango for accounting software connections; (b) OpenAI for AI‑powered categorisation; (c) Stripe for payment processing; (d) Auth0 for authentication; and (e) Xero and QuickBooks for accounting data.

5.2 The Customer agrees that: (a) use of API Integrations may require separate accounts with third‑party providers; (b) ECOHEDGE is not responsible for the availability or accuracy of Third‑Party Services; (c) third‑party terms and conditions apply to the use of their services; (d) API rate limits or restrictions may affect functionality; and (e) changes to third‑party APIs may require updates to the Software.

5.3 ECOHEDGE makes no representation, warranty or commitment and shall have no liability or obligation whatsoever in relation to: (a) the accuracy of data imported from third‑party systems; (b) interruptions caused by Third‑Party Services; (c) changes to third‑party pricing or features; or (d) data loss occurring within Third‑Party Services.

6. ECOHEDGE’s Obligations

6.1 ECOHEDGE undertakes that the Software shall conform substantially in accordance with its accompanying specification and/or description for the relevant Subscription Tier.

6.2 ECOHEDGE: (a) does not warrant that the Customer’s use of the Software will be uninterrupted or error‑free; (b) does not warrant that the Software will meet all of the Customer’s requirements; (c) does not warrant that the AI Services will achieve 100% accuracy in categorisation; (d) does not warrant that all carbon emissions sources will be identified; (e) does not warrant that Third‑Party Services will remain available or unchanged; and (f) is not responsible for delays or failures resulting from Third‑Party Services or internet connectivity.

6.3 ECOHEDGE warrants that it has and will maintain all necessary licences, consents and permissions necessary for the performance of its obligations under the Agreement.

7. Customer’s Obligations

7.1 The Customer shall: (a) provide accurate and complete information for the Software to function effectively; (b) review and verify AI‑generated categorisations and calculations; (c) maintain appropriate access credentials for API Integrations; (d) comply with all applicable laws and regulations; (e) ensure Users comply with this Agreement; (f) not exceed the limits of its Subscription Tier; (g) maintain independent backups of all Customer Data; (h) promptly install updates and follow security recommendations; and (i) promptly respond to ECOHEDGE’s reasonable requests for information or cooperation necessary to comply with Data Protection Laws.

7.2 The Customer acknowledges that: (a) the quality of AI Services depends on the quality and completeness of input data; (b) emissions calculations are estimates based on available data and methodologies; and (c) the Software is a tool to assist with carbon accounting, not a guarantee of compliance.

8. Charges and Payment

8.1 The Customer shall pay the Fees according to its selected Subscription Tier as detailed at www.ecohedge.com/pricing.

8.2 Subscription Tiers include: (a) Demo/Trial: limited free trial with restricted features; (b) Starter: basic features (may include pay‑per‑report model); (c) Growth: advanced features with increased limits; and (d) Enterprise: custom pricing and features.

8.3 All payments are due in advance and processed via Stripe or other designated payment processors.

8.4 Fees are exclusive of VAT and other applicable taxes.

8.5 If payment is not received within 3 days after the due date: (a) ECOHEDGE may suspend access to the Software; and (b) interest shall accrue at 4% over the Bank of England base lending rate.

8.6 ECOHEDGE may vary the Fees with 30 days’ written notice.

9. Intellectual Property Rights

9.1 The Customer acknowledges and agrees that ECOHEDGE and/or its licensors own all Intellectual Property Rights in: (a) the Software; (b) AI models and algorithms; (c) ECOHEDGE Generic Data; and (d) Demo Data and templates. Except as expressly stated, this Agreement does not grant the Customer any rights to, or in, any Intellectual Property Rights or any other rights or licences in respect of the Software.

9.2 The Customer grants to ECOHEDGE a licence to use Customer Data as necessary to: (a) provide the Software and AI Services; (b) generate anonymised aggregate data; (c) improve AI models using only anonymised data; and (d) provide support services.

9.3 ECOHEDGE grants to the Customer a perpetual, royalty‑free, non‑exclusive licence to use reports generated through the Software for the Customer’s internal and external business purposes, provided that any reproduction includes the statement “Powered by EcoHedge.”

9.4 The Customer grants ECOHEDGE an irrevocable, royalty‑free right to use any feedback to improve its products and services.

10. Confidentiality

10.1 Each party undertakes that it shall not at any time during the Agreement, and for a period of five (5) years after termination, disclose to any person any Confidential Information of the other party, except as permitted by this clause.

10.2 Each party may disclose the other party’s Confidential Information: (a) to its employees, officers, representatives, contractors, advisers or sub‑processors who need to know such information for the purposes of exercising the party’s rights or carrying out its obligations under or in connection with this Agreement, provided that they comply with confidentiality obligations no less protective; and (b) as may be required by law, a court of competent jurisdiction or any governmental or regulatory authority.

10.3 Neither party shall use the other party’s Confidential Information for any purpose other than to exercise its rights and perform its obligations under or in connection with this Agreement.

10.4 This clause does not limit confidentiality obligations in Data Protection Laws.

11. Indemnity

11.1 IP Indemnity by ECOHEDGE. ECOHEDGE shall defend the Customer against any claim that the Customer’s use of the Software in accordance with this Agreement infringes any third‑party Intellectual Property Rights and shall indemnify the Customer against any damages, reasonable legal fees and costs awarded as a result of such claim, subject to: (a) the Customer promptly notifying ECOHEDGE in writing of the claim; (b) ECOHEDGE being given sole authority to defend or settle the claim; and (c) the Customer providing reasonable cooperation at ECOHEDGE’s expense.

11.2 Indemnity by Customer. The Customer shall indemnify ECOHEDGE from and against all claims, liabilities, damages, costs and expenses arising from: (a) the Customer’s use of the Software in breach of this Agreement; (b) inaccurate or incomplete Customer Data; (c) misuse of AI Services to generate false or misleading reports; and (d) breach of third‑party terms when using API Integrations.

12. Limitation of Liability

12.1 Nothing in this Agreement limits any liability which cannot legally be limited, including liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation.

12.2 ECOHEDGE shall not be liable for: (a) errors in AI categorisation or calculations; (b) decisions made based on Software outputs; (c) failures of Third‑Party Services; (d) loss of data stored with third parties; or (e) regulatory non‑compliance resulting from use of the Software.

12.3 Cap on liability. Subject to clause 12.1, ECOHEDGE’s total aggregate liability arising out of or in connection with this Agreement (whether in contract, tort (including negligence), breach of statutory duty or otherwise) in any 12‑month period shall not exceed the total Fees paid or payable by the Customer in that period.

12.4 Neither party shall be liable for any indirect or consequential loss, or for any loss of profits, revenue, business, goodwill or anticipated savings (in each case whether direct or indirect), except that this exclusion shall not apply to the indemnities in clause 11 or to breaches of confidentiality.

13. Term and Renewal

13.1 The Agreement commences on the Effective Date and continues according to the Subscription Tier: (a) Demo/Trial: automatically terminates after the trial period; (b) Paid tiers: continue on a monthly or annual basis as selected.

13.2 Renewals are automatic unless cancelled in accordance with the applicable notice period set out at the point of purchase or in the Customer’s account settings.

14. Suspension and Termination

14.1 ECOHEDGE may suspend or terminate the Agreement immediately by written notice if the Customer is in material breach of clauses 2, 7, 8, 9 or 10, or repeatedly breaches this Agreement.

14.2 On termination: (a) access to the Software ceases immediately; (b) Customer Data will be retained for 60 days to allow for export, after which ECOHEDGE shall securely delete or anonymise the data unless otherwise required by law; (c) reports remain accessible for download during the 60‑day retention period; (d) API connections are severed; and (e) outstanding Fees become immediately due.

15. Force Majeure

Neither party shall have any liability for delay or failure in performing its obligations caused by a Force Majeure Event (being events beyond a party’s reasonable control), provided that the affected party uses reasonable endeavours to mitigate the effect.

16. Variation

No variation of this Agreement shall be effective unless it is in writing and signed by the parties (or their authorised representatives). Policy URLs referenced herein may be updated from time to time; material changes will be notified to the Customer.

17. Waiver

No failure or delay by a party to exercise any right or remedy provided under this Agreement or by law shall constitute a waiver of that or any other right or remedy.

18. Severance

If any provision of this Agreement is determined to be invalid, illegal or unenforceable, it shall be deemed deleted and the remainder shall continue in full force and effect.

19. Entire Agreement

This Agreement constitutes the entire agreement between the parties and supersedes all prior negotiations, understandings and agreements relating to its subject matter. Each party acknowledges that it has not relied upon any statement or representation not expressly set out in this Agreement.

20. Assignment

Neither party may assign, transfer or otherwise deal with any of its rights or obligations under this Agreement without the prior written consent of the other party, such consent not to be unreasonably withheld or delayed; provided that ECOHEDGE may assign to an affiliate or as part of a bona fide corporate reorganisation, merger or sale of assets.

21. Third‑Party Rights

A person who is not a party to this Agreement shall not have any rights to enforce any of its terms under the Contracts (Rights of Third Parties) Act 1999.

22. Notices

22.1 Notices under this Agreement shall be in writing and delivered by hand, by pre‑paid first‑class post or by email to the address set out below (or as updated by notice).

22.2 To ECOHEDGE:

ECOHEDGE LTD.
71–75 Shelton Street, Covent Garden
London, England WC2H 9JQ
Email (all purposes, including legal and privacy): support@ecohedge.com

22.3 To the Customer: to the postal or email address set out in the Customer’s account or order form.

22.4 Email notices are deemed received at the time of transmission if sent during Business Days within 09:00–17:00 UK time, otherwise on the next Business Day.

23. Anti‑Bribery and Modern Slavery

Each party shall comply with applicable anti‑bribery, corruption and modern slavery laws and maintain appropriate policies and procedures.

24. Governing Law and Jurisdiction

This Agreement and any dispute or claim arising out of or in connection with it shall be governed by and construed in accordance with the laws of England and Wales. The parties irrevocably submit to the exclusive jurisdiction of the English courts.

Schedule 1 – Processing, Personal Data and Data Subjects

  1. Subject matter of processing
    Provision of the Software including AI Services, API Integrations and carbon accounting functionality.
  2. Duration of processing
    The Subscription Term plus any retention period required by law and the 60‑day export window post‑termination.
  3. Nature of processing
    • Automated categorisation of financial transactions using AI.
    • Import and analysis of accounting data via API Integrations.
    • Generation of carbon emissions reports.
    • Storage and processing of business unit and supplier data.
    • User authentication, access management and service analytics.
  4. Purpose of processing
    • Providing carbon accounting and reporting services.
    • Improving categorisation accuracy and service quality.
    • Generating industry benchmarks and insights using anonymised data.
    • Providing technical support and security.
  5. Types of Personal Data
    • User account information (name, email, role).
    • Supplier and contractor contact details contained within accounting records.
    • Transaction metadata that may include personal information.
    • Usage logs and support tickets.
    Exclusions: payment card primary account numbers (PAN), government ID images and biometric identifiers are not intended to be processed unless expressly agreed in writing and subject to additional safeguards (e.g., PCI DSS where applicable).
  6. Categories of Data Subject
    • Customer employees and Users.
    • Suppliers and contractors present in accounting data.
    • Support requesters.
    • Business unit managers.
  7. Controller obligations and rights
    As set out in the Data Protection Laws and this Agreement. The Customer shall ensure it has a valid lawful basis and appropriate transparency for all Customer Data provided to ECOHEDGE.
  8. Processing instructions
    ECOHEDGE shall act strictly in accordance with the Customer’s documented instructions, unless required by law to process Personal Data otherwise, in which case ECOHEDGE shall inform the Customer (unless legally prohibited).

Annex A – Technical and Organisational Measures (TOMs)

ECOHEDGE implements the following baseline TOMs and shall not materially reduce them during the Subscription Term:

  1. Encryption: TLS 1.2+ for data in transit; AES‑256 (or functionally equivalent) for data at rest. Separate encryption domains per environment; key management with restricted access and rotation.
  2. Access Control: Role‑based access control, least privilege, MFA for privileged access, SSO where feasible, quarterly access reviews, joiner‑mover‑leaver process.
  3. Secure Development: Secure SDLC with code review, dependency management, SAST/DAST, supply‑chain scanning; secrets management; IaC controls.
  4. Vulnerability Management: Formal programme with SLAs: critical vulnerabilities remediated within 72 hours, high within 7 days, medium within 30 days; emergency patching process.
  5. Logging & Monitoring: Centralised logging, time synchronisation, alerting for suspicious activities, retention aligned to legal and operational needs.
  6. Network Security: Segmentation, firewalls/WAF, hardening standards, DDoS protections, least‑exposed services principle.
  7. Data Segregation: Logical tenant isolation and safeguards against cross‑tenant data access.
  8. Backups & DR: Encrypted daily backups; periodic restore testing; defined RPO/RTO; documented business continuity and disaster recovery plans.
  9. Incident Response: 24×7 on‑call rotation, runbooks, tabletop exercises, defined escalation paths and communication plans.
  10. Supplier Risk Management: Security and privacy due diligence for sub‑processors; annual reassessment; contractual controls aligned with Article 28.
  11. Penetration Testing: At least annually by an independent, suitably qualified provider (e.g., CREST/TIGER); executive summary available to Customers under NDA.
  12. Data Deletion and Media Sanitisation: Secure deletion aligned to NIST SP 800‑88 (or equivalent) standards; documented retention schedules; verifiable deletion on request and post‑termination.
  13. Customer Responsibilities: The Customer is responsible for securing its endpoints, accounts, and client‑side connectors/agents, including timely patching and MFA enforcement.

Cookie Policy Reference

Use of cookies and similar technologies on www.ecohedge.com and app.ecohedge.ai is described in ECOHEDGE’s Cookie Policy available at www.ecohedge.com/privacy, which forms part of these terms by reference.

Contact Information

ECOHEDGE LTD.
71–75 Shelton Street, Covent Garden
London, England WC2H 9JQ
Email (general, legal, privacy, and support): support@ecohedge.com

If you have any questions about these Terms or how we handle Personal Data, please contact support@ecohedge.com.