Effective date: 25 December 2025

Operator: Kortado Pty Ltd ("Provider", "we", "us", "our")

Contact: info@kortado.com.au

Governing law: New South Wales, Australia

These Terms govern access to and use of the Provider's software platform and related services (the "Services").

1. Binding agreement and authority

By accessing or using the Services, you agree to these Terms.

If you use the Services on behalf of an organisation (the "Customer"), you warrant that you have authority to bind that Customer. In that case, "you" means both you and the Customer.

2. Decision-support only (no advice, no certification)

The Services provide workflow, evidence management, reporting, and risk and assurance tooling.

We do not provide legal advice, audit opinions, certification, or professional assurance. Any outputs (including alerts, scores, flags, dashboards, templates, or reports) are decision-support tools only.

You are solely responsible for validating outputs and for determining and meeting your compliance, legal, contractual, and regulatory obligations.

3. Data residency (Australia only)

All Customer Data is stored and processed on-shore in Australia only. The Services are designed so Customer Data is never off-shored, including for storage, backup, or processing. This is a core security and privacy control and forms part of our protective baseline for regulated environments.

4. Account security is your responsibility

You must:

·       keep credentials confidential;

·       enforce strong passwords and MFA where available;

·       ensure only authorised End Users have access;

·       promptly remove access for departed staff, contractors, or agents; and

·       ensure End Users comply with these Terms.

You are responsible for all activity occurring under your accounts, including any activity by End Users.

5. Acceptable use (strict)

You must not (and must not allow anyone to):

·       attempt to bypass access controls, probe, or test vulnerabilities without our prior written permission;

·       interfere with, disrupt, or degrade the Services or related infrastructure;

·       upload malware or harmful code, or use the Services to deliver malicious payloads;

·       access or attempt to access data not intended for you;

·       use the Services to breach privacy, confidentiality, or applicable laws;

·       reverse engineer the Services except to the extent permitted by law that cannot be excluded; or

·       copy, resell, time-share, or provide the Services to third parties except as expressly authorised.

We may suspend or terminate access immediately where we reasonably suspect misuse, a security risk, or a breach of these Terms.

6. Customer Data (ownership and licence)

Customer retains ownership of Customer Data.

You grant us a limited, worldwide, royalty-free licence to host, process, transmit, and display Customer Data only to:

·       provide and secure the Services;

·       perform support and maintenance;

·       prevent fraud and abuse;

·       comply with legal obligations; and

·       improve the Services, including through aggregated and de-identified analytics.

7. Security and data protection

We maintain a security program designed to protect Customer Data through layered administrative, technical, and organisational controls proportionate to risk. Our practices are designed to support obligations under the Privacy Act 1988 (Cth) and APP 11.

You acknowledge that no system can be guaranteed as completely secure and that risk cannot be eliminated.

8. Third-party services and integrations

The Services may interoperate with third-party systems (including integrations, imports/exports, identity providers, and payment processors). Third-party services are governed by their own terms and availability.

We are not responsible for third-party systems, their security, outages, data handling, or changes that affect integrations.

9. Fees, billing, and suspension

If you are on a paid plan, fees are as agreed in an order, proposal, statement of work, or checkout flow (an "Order"). Fees are exclusive of GST unless stated.

If payment is overdue, we may suspend access after reasonable notice, or immediately where required to prevent fraud or abuse.

10. Intellectual property

We own all intellectual property in the Services, documentation, and updates, excluding Customer Data.

We grant Customer a limited, non-exclusive, non-transferable, revocable licence to use the Services during the subscription term, subject to these Terms and any Order.

11. Confidentiality

Each party must protect the other’s confidential information and use it only for purposes related to the Services. This does not apply to information that is public, independently developed, or required to be disclosed by law.

12. Disclaimers

To the maximum extent permitted by law, the Services are provided on an "as is" and "as available" basis. We disclaim all warranties not expressly stated, including implied warranties of fitness, merchantability, and non-infringement.

We do not warrant that the Services will be uninterrupted, error-free, or that outputs will be complete or suitable for your specific requirements.

13. Australian Consumer Law (ACL)

Nothing in these Terms excludes or limits consumer guarantees under the Australian Consumer Law that cannot be excluded.

Where liability cannot be excluded, our liability is limited (at our option) to supplying the Services again or paying the cost of having the Services supplied again.

14. Liability (cap: 3 months)

To the maximum extent permitted by law:

·       we are not liable for indirect, incidental, special, or consequential loss (including loss of profit, revenue, goodwill, opportunities, or data), even if advised of the possibility; and

·       our total aggregate liability arising out of or related to the Services is capped at the fees paid by Customer to us in the 3 months immediately preceding the event giving rise to the claim.

15. Indemnity

Customer indemnifies and holds us harmless against claims, losses, damages, liabilities, costs, and expenses arising from or related to:

·       Customer Data (including legality, accuracy, and privacy compliance);

·       End User misuse or unauthorised access caused by Customer;

·       Customer’s breach of law, regulation, or third-party rights; or

·       Customer’s breach of these Terms.

16. Suspension and termination

We may suspend or terminate access to the Services to address security threats, respond to suspected breach, comply with law or regulator direction, or for non-payment.

Customer may terminate in accordance with an Order or for material breach not remedied within 14 days of written notice.

17. Data export and deletion

On termination, Customer may request an export of Customer Data within 30 days, subject to payment of all outstanding amounts and reasonable technical limitations.

After that period, we may delete Customer Data consistent with our retention practices and any agreement with Customer, except where retention is required by law.

18. Changes to the Services or Terms

We may update the Services and these Terms from time to time. Continued use of the Services after changes take effect constitutes acceptance of the updated Terms.

19. Governing law and jurisdiction

These Terms are governed by the laws of New South Wales, Australia. The parties submit to the exclusive jurisdiction of the courts of New South Wales, Australia.