Terms and Conditions

Document Structure

These Terms and Conditions are organized as follows:

  • General Part — applies to all Syrto Software and to all Customers
  • Module A — MCP (Model Context Protocol) — specific conditions for the MCP service
  • Module B — On-demand credit purchase — specific conditions for on-demand purchase of content and data through the credit system
  • Module C — API Access — specific conditions for programmatic access to Syrto data via API (alternative to and incompatible with the Software license)
  • Annex 1 — Data Processing Agreement (DPA) — governs the processing of Customer Data by Syrto as Data Processor pursuant to Art. 28 GDPR (Arts. 1–13)
  • Annex 2 — Description of processing — per-product schedules with categories of data, purposes, and retention

Modules A and B apply cumulatively to the General Part and only if the Customer has subscribed to the relevant features in the Order Form. Module C is alternative to the General Part and applies exclusively to Customers who have subscribed to the API Access Service in lieu of the Software license. Annexes 1, 2, and 3 are an integral part of this Agreement for all Customers.


GENERAL PART

1. Definitions

For the purposes of this Agreement:

  • Customer: the legal entity that enters into this Agreement.
  • Agreement: these Terms and Conditions, the Order Form, any applicable Modules, the DPA (Annex 1), and Syrto’s Privacy Policy.
  • Customer Data: all data and content entered or uploaded by the Customer or Users into the Software.
  • DPA: the Data Processing Agreement attached as Annex 1, an integral part of the Agreement.
  • Internal Purposes: financial analysis and research activities on companies and markets carried out by the Customer in the course of its operations.
  • Force Majeure: events beyond the reasonable control of the parties (natural disasters, wars, terrorist acts, strikes, governmental measures, network outages, cyberattacks).
  • Confidential Information: all non-public information of a technical, commercial, or organizational nature received by one party from the other in connection with the Agreement.
  • Order Form: the document containing the specific elements of the transaction (term, fees, subscribed features, renewal terms).
  • Privacy Policy: the personal data processing notice published by Syrto on its website, an integral part of the Agreement.
  • Software (or Syrto Software): the software platform owned by Syrto S.r.l., including all its features, web interface, and related technical materials.
  • Users: the natural persons authorized by the Customer to access the Software within the limits of the Order Form.

2. Subject matter and nature of the Software

2.1 Purpose. This Agreement governs the conditions of use of the Syrto Software. Access to the Software occurs exclusively under the terms set out herein and in accordance with the executed Order Form.

2.2 Nature of the Software. The Syrto Software is a technological tool for analysis and decision support aimed at professional operators in the financial sector. It does not constitute, nor may it be construed as, financial, legal, tax, or other regulated professional advisory services.

2.3 No warranty of result. The processing and results generated by the Software do not replace the autonomous judgment of the Customer and the Users. Syrto does not warrant the achievement of any specific results or benefits through the use of the Software.


3. License of use

3.1 Grant of license. Syrto grants the Customer, for the duration of the Agreement, a limited, non-exclusive, non-transferable license to access and use the Software exclusively for the Internal Purposes set out in the Agreement and in the Order Form.

3.2 Scope of the license. The license does not entail any transfer of intellectual property rights in the Software. Unless otherwise specified in the Order Form, the maximum number of companies that can be downloaded monthly will be 2,000, and may in no event exceed 10,000. All rights not expressly granted remain the exclusive property of Syrto.

The Software license includes access to data exclusively through the platform interface. A Customer holding a Software license may not separately purchase the API Access Service referred to in Module C, nor access Syrto data through channels other than the web interface made available by Syrto.

3.3 Use restrictions. The Customer and Users are prohibited from:

a) installing, copying, modifying, decompiling, reverse engineering, or creating derivative works from the Software;

b) systematically extracting or reusing all or a substantial part of the database or content accessible through the Software;

c) sublicensing, leasing, selling, transferring, or distributing the Software to third parties;

d) using the Software for unlawful purposes or in violation of third-party rights;

e) circumventing, removing, or tampering with the Software’s security measures;

f) using the data, content, or output of the Software to train models, algorithms, or systems of any kind;

g) accessing the Software through means other than the web interface made available by Syrto, including the direct use of APIs, backend services, or automated tools not expressly authorized by Syrto;

h) extracting or exporting data in an automated or systematic manner, regardless of volume;

i) reproducing or reconstructing the database or features of the Software through repeated extractions of non-substantial portions;

l) entering into Hiku prompts personal data of third parties not necessary for the use of the service, classified information, third-party trade secrets, or data covered by confidentiality agreements with parties other than Syrto;

m) attempting to manipulate, circumvent, or alter the behavior of Hiku through prompt injection, jailbreaking, or similar techniques.

3.4 Account and access. Access to the Software is permitted exclusively to Users authorized within the limits of the Order Form. Credentials are personal and non-shareable.

3.5 Verifications. Syrto reserves the right to adopt reasonable measures, including technical ones, to monitor the Customer’s compliance with the authorized use of the Software.


4. Account and security

4.1 Access procedures. Access to the Software occurs through the credentials provided to the Customer. The Customer is responsible for ensuring that only authorized persons access the Software.

4.2 Credential management. The Customer is responsible for the creation, management, and safekeeping of credentials. Credentials may not be shared among multiple persons, except with Syrto’s prior written authorization. Any activity carried out using the Customer’s or its Users’ credentials is presumed to have been performed by the Customer.

4.3 Security. The Customer must adopt reasonable measures to protect the confidentiality of credentials. In the event of suspected misuse or loss of credentials, the Customer shall promptly inform Syrto.

4.4 Obligations of Users. The Customer warrants that all authorized Users comply with this Agreement. Any breach committed by a User shall be considered a breach by the Customer.

4.5 Termination of Users. The Customer undertakes to promptly notify Syrto of the termination of the employment or collaboration relationship of any authorized User, in order to allow the deactivation of the relevant credentials. Syrto is not liable for accesses made through credentials not revoked due to the Customer’s failure to notify.


5. Intellectual property

5.1 Rights in the Software. The Syrto Software, including source code, interfaces, database architecture, algorithms, technical materials, trademarks, logos, and know-how, is and remains the exclusive property of Syrto S.r.l. This Agreement is a license of use and not of sale.

5.2 Generated results. The results, processing, and reports obtained through the Software are intended exclusively for the Customer’s Internal Purposes. Any use outside such scope requires Syrto’s prior written authorization.

5.3 Company descriptions. The company descriptions on the platform are original elaborations generated by Syrto, including by means of artificial intelligence systems, and constitute content owned exclusively by Syrto S.r.l.

5.4 Feedback. Any observations or suggestions provided by the Customer to Syrto may be freely used by Syrto for development and improvement of the Software, without any obligation of acknowledgment or compensation.

5.5 Protection. Syrto reserves the right to take all necessary measures, including legal action, to protect its intellectual property rights.


6. Confidentiality

6.1 General obligations. Each party undertakes to treat as confidential all Confidential Information received from the other party, adopting protection measures equivalent to those used for its own confidential information, and in any event no less than those reasonably required by market practice.

6.2 Customer’s obligations. The Customer undertakes to: (a) protect the confidentiality of the Software and prevent unauthorized access; (b) immediately inform Syrto in the event of unauthorized access; (c) notify Syrto if an authority requests the disclosure of Syrto’s Confidential Information.

6.3 Use of the Customer’s name. Syrto may identify the Customer as a user of its services, including through use of the Customer’s name and/or logo, for informational and commercial reference purposes. The Customer may request the cessation of such use by written notice.


7. Personal data protection

7.1 Roles. Syrto processes personal data in two distinct capacities:

a) Data Processor (Art. 28 GDPR): for personal data that the Customer enters into the Software in the course of using the Services. The Customer is the Data Controller of such data. The processing is governed by Annex 1 (DPA), accepted in full upon acceptance of this Agreement.

b) Independent Data Controller: for all other data processed for its own purposes (account management, billing, security, analytics, product improvement). Governed by Syrto’s Privacy Policy published on its website.

7.2 Customer’s obligations. The Customer warrants that it has an adequate legal basis for the personal data entered into the Software and undertakes not to enter special categories of data pursuant to Art. 9 GDPR without prior written notice to Syrto.

7.3 Security measures. Syrto adopts adequate technical and organizational measures pursuant to Art. 32 GDPR, detailed in the DPA (Annex 1) for processing as Data Processor.


8. Customer’s obligations and liability

8.1 Responsibility for decisions. The Customer and the Users are solely responsible for decisions made on the basis of the processing generated by the Software.

8.2 Lawful use. The Customer undertakes to use the Software in compliance with applicable laws and this Agreement.

8.3 Prohibitions. The Customer and the Users are prohibited from: (a) using the Software for unlawful or fraudulent purposes; (b) uploading unlawful, harmful, or false content; (c) compromising the security of Syrto’s infrastructure; (d) circumventing technical or security measures.

8.4 Liability towards third parties. The Customer warrants that the data entered into the Software does not infringe the intellectual property, privacy, or other rights of third parties, and shall hold Syrto harmless from any claim relating to such content.


9. Indemnification

9.1 Indemnification in favor of Syrto. The Customer undertakes to indemnify and hold Syrto harmless from any damages, liabilities, or expenses arising from: (a) use of the Software in breach of the Agreement or laws; (b) content or data uploaded that infringe third-party rights; (c) unlawful or negligent conduct by the Customer or the Users.

9.2 Indemnification in favor of the Customer. Syrto undertakes to indemnify the Customer from third-party claims based on the assertion that the Software, as supplied without unauthorized modifications, infringes intellectual property rights valid in the European Union. In such cases Syrto may, at its discretion: (a) obtain for the Customer the right to continue using the Software; (b) modify the Software to make it non-infringing; (c) terminate the Agreement with pro rata refund.

9.3 Exclusions. Syrto’s indemnification obligation does not apply where the claim arises from non-compliant use, unauthorized modifications, or combination with products not supplied by Syrto.


10. Limitation of liability

10.1 Exclusion for Customer’s decisions. Syrto is not liable for decisions, actions, or omissions made by the Customer or the Users on the basis of analyses generated by the Software.

10.2 Excluded damages. Save in cases of willful misconduct or gross negligence, Syrto shall not be liable for indirect, incidental, special, punitive, or consequential damages, including loss of profits, revenues, data, or business opportunities.

10.3 Maximum cap. Save in cases of willful misconduct or gross negligence, Syrto’s aggregate liability shall not exceed the amount paid by the Customer in the twelve (12) months preceding the event giving rise to liability.

10.4 Specific limitation of liability for Hiku. Save in cases of willful misconduct or gross negligence, Syrto is not liable for: (a) decisions made by the Customer or the Users on the basis of Hiku’s outputs; (b) inaccuracies, errors, or hallucinations in the outputs generated by the AI model; (c) damages arising from the entry of personal data or sensitive information into prompts in violation of Art. 3.3.

10.5 Third-party services. Syrto is not liable for defects or interruptions arising from: (a) third-party services or content; (b) malfunctions of networks or providers not controlled by Syrto; (c) Force Majeure events; (d) errors in public sources or in data from third-party providers.

10.6 Allocation of risk. The parties acknowledge that the limitations of liability reflect a fair allocation of risks and constitute an essential element of the agreed economic balance. The Customer acknowledges that the Software constitutes a unique, proprietary resource of significant commercial value to Syrto, and that any breach of this Agreement could cause Syrto irreparable harm not adequately compensable by monetary damages alone. Syrto therefore reserves the right to seek, in addition to any other available remedy, immediate injunctive or interim relief without the need to post security.


11. Maintenance, support, and warranties

11.1 “As is” provision. The Software is provided as is and as available. Syrto does not warrant that it is error-free or that it will operate without interruption.

11.2 Updates. Syrto will provide periodic updates at no additional charge, with no warranty of predetermined cadence. During updates the Software may experience temporary interruptions.

11.3 Technical support. Syrto will provide technical support in accordance with the terms set out in the Order Form.

11.4 Operating warranty. For the entire duration of the Agreement, Syrto undertakes to remedy technical malfunctions attributable to the Software that prevent or significantly impair its use.

11.5 Limited warranty (90 days). For ninety (90) days from the delivery of credentials, Syrto warrants that the Software will substantially perform as described in the technical materials and operating guides made available by Syrto. In the event of malfunctions attributable to the Software that significantly impair its use, the Customer may report them to Syrto and obtain, at Syrto’s option:

a) correction of the Software within a reasonable time, or

b) termination of the Agreement with pro rata refund of the fees already paid for the period of non-use, provided that the Customer has notified Syrto of the issue in writing within the applicable warranty period.

If Syrto provides a correction, a new warranty period of ninety (90) days will run from delivery of the updated release.

11.6 Incremental features. The introduction of updates or new features that do not negatively affect the main functionalities shall not entitle the Customer to withdraw from the Agreement.


12. Fees and payments

12.1 Fees. The Customer shall pay Syrto the fees set out in the Order Form. Syrto will issue an invoice, which the Customer shall settle by the last day of the month of receipt, unless otherwise specified in the Order Form.

12.2 Currency and method. Payments shall be made in the currency specified in the Order Form. Banking or transaction costs are borne by the Customer.

12.3 Taxes. Amounts are exclusive of VAT and other applicable taxes, which are borne by the Customer.

12.4 Late payments. In the event of late payment, Syrto may apply default interest at the rate provided for in Italian Legislative Decree 231/2002 and suspend access to the Software until payment is made.

12.5 Ius variandi. Syrto reserves the right to amend the list price upon written notice of at least thirty (30) days prior to the renewal date. The Customer may exercise the right of withdrawal within such period. Failing this, the changes will be deemed accepted.

13. Term, renewal, suspension, and termination

13.1 Term and renewal. The term is the one specified in the Order Form. Annual licenses last twelve (12) months from receipt of credentials. Upon expiration the Agreement renews automatically for the same duration, unless written notice of non-renewal is given at least thirty (30) days before expiration.

13.2 Suspension. Syrto may suspend access, with or without notice, in case of: (a) non-payment; (b) non-compliant or unlawful use; (c) risk to the security of systems. The suspension does not release the Customer from the obligation to pay accrued fees.

13.3 Termination by the Customer. The Customer may terminate the Agreement in case of material breach by Syrto, not cured within thirty (30) days of written notice via certified email (PEC).

13.4 Termination by Syrto. Syrto may terminate the Agreement with immediate effect in case of: (a) material or repeated breach; (b) insolvency or insolvency proceedings of the Customer; (c) infringement of Syrto’s intellectual property rights.

13.5 Automatic termination pursuant to Art. 1456 of the Italian Civil Code. The Agreement shall be deemed automatically terminated, upon Syrto’s declaration, in the event of breach of the obligations set out in Articles: 3 (License of use), 5 and 6 (Intellectual property and confidentiality), 12 (Fees), 16 (General provisions), as well as the obligations set out in Modules A, B, and C if subscribed, with particular reference to the use restrictions set out therein.

13.6 Effects of termination. Upon termination: (a) the Customer shall cease all use of the Software; (b) Syrto shall deactivate the accounts; (c) accrued payment obligations remain unaffected; (d) the provisions of Articles 5, 6, 7, 9, 10, 16 shall survive, as well as the use restrictions set out in Modules A, B, and C if subscribed.


14. Governing law and jurisdiction

14.1 Governing law. This Agreement is governed by the laws of the Italian Republic.

14.2 Jurisdiction. Any dispute shall fall under the exclusive jurisdiction of the Court of Milan, Italy.


15. Notices

15.1 Methods. Notices relating to the Agreement must be made in writing by certified email (PEC), registered letter with return receipt, or, unless otherwise agreed, by ordinary email.

15.2 Syrto’s contact details. PEC: syrto@pec.it — Address: Milan, Via Settembrini 2, 20124, Italy.


16. General provisions

16.1 Entire agreement. This Agreement constitutes the entire agreement between the parties in relation to its subject matter and supersedes any previous understanding, written or oral.

16.2 Severability. The invalidity of any clause shall not affect the validity of the remaining provisions.

16.3 Waiver. Failure to exercise a right shall not constitute a waiver.

16.4 Assignment. The Customer may not assign the Agreement without Syrto’s prior written consent. Syrto may assign the Agreement in the context of corporate transactions without the Customer’s consent.

16.5 Force Majeure. Syrto is not liable for delays or failures due to Force Majeure events.

16.6 Order of precedence. In case of conflict: (i) DPA (for personal data matters); (ii) Order Form; (iii) these T&Cs; (iv) Privacy Policy.

16.7 Amendments. Any amendment must be in writing and signed by both parties.

16.8 Electronic communications. The parties agree that communications transmitted via certified email (PEC) or email constitute a written form suitable and fully valid for the purposes of this Agreement, except for the amendments referred to in Art. 16.7 which require signature.


MODULE A — MCP (MODEL CONTEXT PROTOCOL)

This Module applies to Customers who have subscribed to the MCP Service in the Order Form. The MCP Service may be purchased either together with the Software license or as a standalone service. The economic terms and access procedures are defined in the Order Form.

A.1 Service description

The MCP Service (Model Context Protocol) allows the Customer to access financial data from the Syrto database via the MCP protocol, integrating with the main compatible AI assistants. Available features, supported clients, and configuration instructions are documented at docs.syrto.ai, which Syrto keeps up to date.

A.2 Authentication and access

A.2.1 Access to the MCP server occurs via WorkOS authentication. Credentials are personal and non-transferable.

A.2.2 The Customer is responsible for the management and security of its credentials and for any action carried out through them.

A.3 Customer’s obligations and liability

The Customer is fully responsible for the use of the MCP Service in compliance with this Agreement and applicable law, including use by AI models or automated systems connected via MCP. Any action carried out using the Customer’s credentials is presumed to have been performed by the Customer.

A.4 Service limitations

Use of the MCP Service is subject to the rate limits published at docs.syrto.ai, which may be updated by Syrto without the need to amend this Agreement.

A.5 Data processing

A.5.1 The MCP server exposes data from the Syrto database. Syrto records exclusively analytical data on tool calls for purposes of consumption accounting and service monitoring, processed as Independent Data Controller pursuant to the Privacy Policy.

A.5.2 The Customer is responsible for ensuring that any AI model or third-party system connected via MCP uses the data received exclusively for the purposes permitted by this Agreement.

A.6 Specific limitation of liability

Save in cases of willful misconduct or gross negligence, Syrto is not liable for:

a) actions carried out by the Customer’s AI models or automated systems through the MCP Service;

b) damages arising from incorrect MCP client configurations by the Customer;

c) unauthorized use of MCP credentials by third parties, where attributable to the Customer’s negligence.


MODULE B — ON-DEMAND CREDIT PURCHASE

This Module applies to Customers who have activated the on-demand credit purchase system in the Order Form, in addition to and integrating the General Part.

B.1 Specific definitions

  • Credits: the consumption units used to access on-demand Content through the Software. Credits may be purchased on demand and are valid for one year, coinciding with the duration of the license. They are not carried over to the following period, transferable to third parties, or convertible into cash.
  • On-demand Content: the content, data, and information that may be purchased using Credits, including by way of example: B2B contact data (via Apollo.io integration), documents and information produced by Syrto. The updated list of available Content and the relevant cost in Credits can be consulted directly within the Software.
  • B2B Contact Data: professional contact information (first name, last name, job title, employer, individual professional email, business phone number) made available through integration with Apollo.io.
  • Generic Company Email: any email address not attributable to a specific natural person (e.g. info@, marketing@, sales@, contact@, support@).

B.2 Operation of the credit system

B.2.1 No credits included. The annual license does not include credits. Credits may be purchased exclusively on demand as described in Article B.2.2 below.

B.2.2 Credit purchase. The Customer may purchase Credits on demand directly through the Software at the price indicated at the time of purchase. Payment is made via immediate charge.

B.2.3 Cost of Content. Each on-demand Content item has a cost in Credits indicated at the time of purchase within the Software. Syrto reserves the right to change the cost in Credits of Content with at least thirty (30) days’ written notice, except for changes imposed by variations in the conditions of third-party providers, in which case Syrto will give such notice as is reasonably possible.

B.2.4 Validity and expiration. Credits expire on the expiration or renewal date of the Agreement with no right to refund, compensation, or transfer to the following period.

B.2.5 Non-transferability. Credits are not transferable to third parties or convertible into cash.

B.2.6 Non-refundability. Purchased Credits are non-refundable, except as expressly provided for in the Agreement.

B.3 Content produced by Syrto

The documents and information produced by Syrto and purchasable through Credits constitute original elaborations by Syrto, including those generated by means of artificial intelligence systems. Such content is intended exclusively for the Customer’s Internal Purposes. Syrto does not warrant that such content is error-free or fit for any specific purpose.

B.4 B2B Contact Data — nature and source

The Customer acknowledges that:

a) the B2B Contact Data comes from the proprietary database of Apollo.io, an independent third-party provider;

b) Syrto acts as a technological intermediary and does not produce, independently verify, or warrant the accuracy, completeness, or lawfulness of the data provided by Apollo.io;

c) the B2B Contact Data is collected and processed by Apollo.io on the basis of legitimate interest pursuant to Art. 6(1)(f) GDPR, and Apollo.io provides notice to data subjects residing in the EU/EEA;

d) use of the B2B Contact Data takes place under the full and exclusive responsibility of the Customer.

B.5 Permitted purposes of use for B2B Contact Data

The B2B Contact Data may be used exclusively for:

a) B2B communications strictly relevant to the recipient’s profession or work activity;

b) identification of business opportunities, research on existing and potential customers, and B2B business development activities;

c) the Customer’s Internal Purposes.

B.6 Use restrictions for B2B Contact Data

The Customer is expressly prohibited from:

a) using the B2B Contact Data for communications addressed to Generic Company Emails;

b) carrying out mass, automated, or indiscriminate mailings (spam);

c) reselling, sublicensing, distributing, or transferring the B2B Contact Data to third parties;

d) using the data to create or enrich databases intended for commercialization;

e) using the data to train AI models or algorithms;

f) using the data for purposes governed by the FCRA or equivalent regulations;

g) circumventing Credit limits through multiple accounts or automated tools;

h) incorporating the B2B Contact Data into products or services offered to third parties.

B.7 Direct marketing obligations

The Customer undertakes to:

a) comply with applicable regulations on electronic communications and direct marketing (ePrivacy Directive 2002/58/EC, Italian Legislative Decree 196/2003, GDPR);

b) verify the existence of an adequate legal basis for each contact;

c) provide recipients with adequate notice pursuant to Arts. 13 and 14 GDPR;

d) ensure an effective opt-out mechanism in every communication;

e) comply with applicable opt-out registers (e.g. the Italian Public Opt-out Register / Registro Pubblico delle Opposizioni);

f) keep documentation suitable to demonstrate compliance of marketing activities.

B.8 Apollo.io terms

The Customer acknowledges that the B2B Contact Data service relies on the Apollo.io platform and that the use of such data is also subject to Apollo.io’s terms (https://www.apollo.io/terms), to the extent reflected in the restrictions set out in this Module. In case of conflict, the more restrictive provisions shall prevail.

B.9 Specific limitation of liability

Save in cases of willful misconduct or gross negligence, Syrto is not liable for:

a) the accuracy, completeness, or lawfulness of the B2B Contact Data provided by Apollo.io;

b) damages, sanctions, or claims arising from the use of the Content in violation of applicable regulations or this Module;

c) complaints or actions by the data subjects whose data has been used by the Customer;

d) interruption or suspension of Apollo.io services; in such case the Customer is not entitled to a refund of unused Credits;

e) inaccuracies or errors in the Content produced by Syrto, within the limits set out in Art. B.3.


MODULE C — API ACCESS

This Module applies to Customers who have subscribed to the API Access Service in the Order Form. This Module is alternative to and incompatible with the Software license referred to in the General Part: a Customer who has subscribed to a Software license cannot at the same time subscribe to the API Access Service, and vice versa.

C.1 Service description

C.1.1 The API Access Service allows the Customer to programmatically query the Syrto database via authenticated APIs, obtaining access to the same data available on the Software platform. Technical documentation, integration specifications, and instructions for use are available at docs.syrto.ai, which Syrto keeps up to date.

C.1.2 Incompatibility with the Software license. Customers holding a Software license access the data exclusively through the platform interface and cannot separately purchase the API Access Service. Any attempt to access Syrto data via API without having subscribed to this Module constitutes a material breach of the Agreement pursuant to Art. 3.3.

C.2 Authentication

C.2.1 API access occurs via WorkOS authentication. Credentials are personal, reserved to the Customer, and non-transferable to third parties.

C.2.2 The Customer is responsible for the safekeeping of its credentials and for any use made through them. Syrto reserves the right to revoke them in the event of a breach of the Agreement or anomalous use.

C.3 Use limits

Use of the API is subject to the rate limits indicated in the Order Form, which may be updated by Syrto upon at least thirty (30) days’ written notice, unless the change is necessary for security or system stability reasons, in which case it may be applied with immediate effect. Exceeding the rate limits results in the automatic temporary suspension of access, without this constituting a breach by Syrto.

C.4 Use restrictions

The Customer is prohibited from:

a) sharing API credentials with unauthorized third parties;

b) systematically extracting all or a substantial part of the Syrto database;

c) reselling, sublicensing, or distributing data obtained via API to third parties;

d) using data obtained via API to train models, algorithms, or systems of any kind;

e) circumventing rate limits through multiple accounts or automated tools;

f) incorporating Syrto data into products or services offered to third parties without Syrto’s prior written authorization.

C.5 Data processing

Syrto records logs of API calls for purposes of service monitoring, rate limit verification, and billing, processed as Independent Data Controller pursuant to the Privacy Policy. The Customer, as Data Controller, is responsible for the proper use of the data obtained via API in compliance with applicable regulations.

C.6 Specific limitation of liability

Save in cases of willful misconduct or gross negligence, Syrto is not liable for:

a) damages arising from the use of data obtained via API for purposes not permitted by this Agreement;

b) interruptions of the API service due to maintenance, updates, or Force Majeure events;

c) unauthorized use of API credentials by third parties, where attributable to the Customer’s negligence.


Specific approval pursuant to Arts. 1341–1342 of the Italian Civil Code

The Customer declares that it has read and expressly approves, pursuant to and for the purposes of Arts. 1341, second paragraph, and 1342, second paragraph, of the Italian Civil Code, the following clauses of these Terms and Conditions:

  • Art. 3.3 (Use restrictions — prohibitions on the Customer)
  • Art. 8.4 (Liability towards third parties — Customer’s warranty on entered data and indemnification)
  • Art. 9 (Indemnification — Customer’s indemnification obligations)
  • Art. 10.2 (Limitation of liability — exclusion of indirect damages)
  • Art. 10.3 (Limitation of liability — maximum cap on damages)
  • Art. 11.1 (“As is” provision — exclusion of implied warranties)
  • Art. 12.2 (Fees — payment terms)
  • Art. 12.4 (Fees — default interest and suspension of access)
  • Art. 12.5 (Ius variandi — unilateral price modification)
  • Art. 13.1 (Term and automatic renewal)
  • Art. 13.2 (Suspension of access)
  • Art. 13.4 (Termination by Syrto with immediate effect)
  • Art. 13.5 (Automatic termination pursuant to Art. 1456 of the Italian Civil Code)
  • Art. 14.2 (Exclusive jurisdiction — Milan)
  • Art. 16.4 (Prohibition of assignment by the Customer / right of assignment by Syrto)
  • Module A, Art. A.3 (Customer’s responsibility in the use of MCP, if subscribed)
  • Module B, Arts. B.5 and B.6 (Use restrictions for B2B Contact Data, if subscribed)
  • Module C, Art. C.1.2 (Incompatibility and prohibition of API access without subscription, if subscribed)

ANNEX 1 — Data Processing Agreement (DPA)

This Annex governs the processing of personal data contained in Customer Data by Syrto as Data Processor pursuant to Art. 28 of Regulation (EU) 2016/679 (“GDPR”). The terms “Controller”, “Processor”, “Data Subject”, “Processing”, and “Supervisory Authority” have the meanings attributed to them by the GDPR. For the purposes of this Annex, “Sub-Processor” means any third party appointed by the Processor to process Customer Data on behalf of the Controller.

Art. 1 — Subject matter and duration

1.1 This Annex governs the processing of Customer Data by the Processor in providing the Services.

1.2 The Processor shall process Customer Data exclusively on the documented instructions of the Controller, save for legal obligations.

1.3 The duration is that of the Agreement, subject to Art. 8.

Art. 2 — Nature and purposes of processing

2.1 Processing includes: temporary collection, automated processing, storage, transmission to AI systems, deletion.

2.2 Processing takes place exclusively for the provision of the Services. The detailed description is in Annex 2.

Art. 3 — Type of data and categories of data subjects

3.1 The types of data and categories of data subjects are described in Annex 2.

3.2 The Processor does not determine in advance the personal data entered by the Controller. Responsibility for lawfulness lies with the Controller.

3.3 The Controller shall not enter special categories of data (Art. 9 GDPR) without prior written notice to the Processor.

Art. 4 — Obligations of the Processor

4.1 The Processor undertakes to:

(a) process Customer Data exclusively within the limits of this Annex;

(b) ensure that persons authorized to process the data are bound to confidentiality;

(c) adopt the security measures referred to in Art. 5;

(d) comply with the conditions for Sub-Processors set out in Art. 6;

(e) assist the Controller in responding to data subject requests;

(f) assist the Controller on security, breach notification, DPIA, and prior consultation matters;

(g) delete or return Customer Data upon termination, pursuant to Art. 8;

(h) make available the information necessary to demonstrate compliance and allow audits pursuant to Art. 9.

4.2 The Processor shall inform the Controller if an instruction violates applicable data protection regulations.

Art. 5 — Security measures

5.1 The Processor adopts adequate measures pursuant to Art. 32 GDPR, including: encryption in transit (TLS 1.2+) and at rest, access control with least privilege, certified cloud infrastructure (Microsoft Azure, EU regions), monitoring and logging, and incident management procedures.

Art. 6 — Sub-Processors

6.1 The Controller authorizes the Processor to engage Sub-Processors for the provision of the Services. The updated list of authorized Sub-Processors is available on Syrto’s website at [🔲 TRUST CENTER URL TO BE DEFINED].

6.2 The Processor shall notify the Controller of any changes to Sub-Processors with at least 30 days’ notice, giving the Controller the opportunity to object.

6.3 Contracts with Sub-Processors impose data protection obligations equivalent to this Annex.

6.4 The Processor remains fully liable to the Controller for the performance of the obligations of the Sub-Processors.

Art. 7 — Data subjects’ rights

7.1 The Processor assists the Controller in fulfilling data subject requests pursuant to Arts. 15–22 GDPR.

7.2 The Processor shall notify the Controller within 5 business days of any request received directly from a data subject, and shall not act upon it unless instructed by the Controller.

Art. 8 — Deletion and return of data

8.1 Upon termination of the Services, the Processor shall, at the Controller’s choice: (a) delete all Customer Data, certifying its deletion; or (b) return it in an exportable format.

8.2 Deletion or return takes place within 30 days of the termination of the Agreement.

8.3 Backups may retain copies for a maximum of 90 days from termination, after which they are overwritten.

8.4 In the absence of written instruction from the Controller, the Processor shall proceed with deletion.

8.5 Retention periods for each Service during the term of the Agreement are indicated in Annex 2.

Art. 9 — Audits and inspections

9.1 The Processor shall make available the necessary information upon written request from the Controller.

9.2 The Processor shall allow audits with at least 30 days’ notice. Costs are borne by the Controller, unless the audit reveals a breach by the Processor.

9.3 The Controller shall ensure the confidentiality of information obtained.

Art. 10 — Breach notification

10.1 The Processor shall notify the Controller without undue delay after discovering any personal data breach, providing the information necessary for compliance with Arts. 33 and 34 GDPR.

10.2 The Processor shall cooperate in the investigation, mitigation, and remediation of the breach.

Art. 11 — Impact assessment and prior consultation

11.1 The Processor shall provide reasonable assistance to the Controller for DPIAs (Art. 35 GDPR) and prior consultations (Art. 36 GDPR).

Art. 12 — Data transfers outside the EEA

12.1 The Processor shall not transfer Customer Data outside the European Economic Area without the Controller’s prior written consent, except as provided for in this Annex.

12.2 Extra-EEA transfers currently carried out and the relevant safeguards are indicated in the list of Sub-Processors available on Syrto’s website.

Art. 13 — Final provisions

13.1 Information acquired in connection with this Annex shall be treated as confidential by each Party.

13.2 In the event of conflict between this Annex and the remaining provisions of the Agreement, this Annex shall prevail with regard to the processing of personal data.

13.3 Material amendments to this Annex shall be notified with 30 days’ notice. The list of Sub-Processors (published on the website) may be updated with 30 days’ notice without re-execution of the Agreement.

13.4 This Annex is governed by Italian law. Exclusive jurisdiction: Milan.


ANNEX 2 — Description of processing

Schedule A.1 — SaaS Platform (financial analysis + AI personalized reports)

Subject matter: Processing of structured files (Excel/CSV) and generation of personalized content via AI on the basis of free text entered by the Controller.

Nature: Temporary collection, automated processing, transmission to AI models, deletion. Uploaded files are deleted after processing. Report text transits through LangSmith with 14-day retention.

Purpose: Provision of the contractual financial analysis service on the Controller’s instructions.

Type of data: Identification and professional data possibly contained in the files (first name, last name, job title, role, contact details). The actual type depends on the content entered by the Controller.

Categories of data subjects: Natural persons contained in the uploaded files; typically managers, company contacts, or persons mentioned in analysis contexts.

Duration: Uploaded files: deleted immediately after processing. Report text: maximum 14 days on LangSmith, then automatically deleted.


Schedule A.2 — Hiku (AI chatbot)

Subject matter: Management and storage of conversations between the Controller’s users and the Hiku AI chatbot, transmission to LLM models for response generation.

Nature: Collection, storage, transmission to AI models, display to authorized users, deletion at the end of the contract.

Purpose: Provision of the AI assistance service; maintenance of conversation history for operational continuity.

Type of data: Data possibly contained in the text of conversations. By way of example: identification, professional, financial data referring to natural persons.

Categories of data subjects: The Controller’s authorized users; any third-party natural persons mentioned in the conversations.

Duration: For the entire duration of the Agreement + 30 days from termination, then mandatory deletion. Backups: maximum 90 days from termination.


Schedule A.3 — Authorized users (access data)

Subject matter: Management of the profiles of users designated by the Controller.

Nature: Collection, storage, authentication, updating, deletion on the Controller’s instructions.

Purpose: Secure and authenticated access to the platform.

Type of data: First name, last name, business email, role/job title, access logs.

Categories of data subjects: Employees, collaborators, or persons designated by the Controller as users.

Duration: For the entire duration of the Agreement + 30 days from termination. In case of deactivation of an individual user: deletion within 30 days of deactivation, unless otherwise instructed in writing by the Controller.