OrbitMesh Terms of Service

Effective date: 2026-03-11
Last updated: 2026-03-11

These Terms of Service ("Terms") are a legal agreement between OrbitMesh and the customer entity that purchases, accesses, or uses OrbitMesh services ("Customer").

If you accept these Terms on behalf of a company or other legal entity, you represent that you have authority to bind that entity.

These Terms are written for OrbitMesh's current B2B SaaS implementation.

1. Agreement Structure and Order of Precedence

This agreement may include:

• these Terms;
• an Order Form, quote, or subscription purchase record;
• a Data Processing Addendum ("DPA"), if executed;
• any written security or support addendum explicitly incorporated.

Order of precedence for conflicts:

1. signed Order Form / negotiated amendment;
2. DPA (for privacy-processing terms only);
3. these Terms;
4. supporting policies and documentation.

2. Definitions

• "Services" means OrbitMesh-hosted or OrbitMesh-provided software, APIs, and related functionality.
• "Customer Data" means data submitted to or processed by Services on Customer's behalf, including telemetry/evidence data.
• "Authorized User" means an individual Customer permits to use Services under Customer's account/tenant.
• "Documentation" means OrbitMesh technical and product documentation made available to Customer.
• "Subscription Term" means the period identified in an Order Form or applicable billing cycle.
• "Third-Party Services" means third-party products or services integrated with, connected to, or used by Services.

3. Eligibility and Account Authority

Customer must:

• be a legally formed entity or otherwise legally capable of entering this agreement;
• ensure Authorized Users are at least the age of majority in their jurisdiction and authorized to act for Customer;
• maintain accurate account and tenant information.

Customer is responsible for all acts and omissions of its Authorized Users and anyone using Customer credentials or API keys.

4. License and Access Rights

Subject to these Terms and payment of applicable fees, OrbitMesh grants Customer a limited, non-exclusive, non-transferable, non-sublicensable right during the Subscription Term to:

• access and use Services for Customer's internal business purposes; and
• deploy supported OrbitMesh components in accordance with Documentation.

No rights are granted except as expressly stated in these Terms.

5. Service Scope

OrbitMesh Services may include:

• telemetry/evidence ingestion from gateway/relay components;
• tenant-scoped dashboard and API access;
• query/analytics processing for supported data models;
• compliance artifact generation and export workflows;
• subscription and entitlement enforcement features.

Features may vary by plan, configuration, region, and release stage.

6. Customer Responsibilities

Customer will:

• configure and use Services in accordance with Documentation and law;
• obtain all required notices/consents and lawful basis for data collection and transfer to OrbitMesh;
• maintain secure credential management (including relay tokens, API keys, and admin credentials);
• implement appropriate network, host, and runtime security in self-hosted/deployment-controlled environments;
• maintain backup and disaster recovery practices appropriate for Customer's risk profile;
• promptly notify OrbitMesh of suspected unauthorized use or security incidents.

Customer is solely responsible for:

• gateway configuration decisions and traffic handling behavior;
• legality and accuracy of Customer Data;
• data retention settings and internal policy compliance where customer-controlled.

7. Acceptable Use Restrictions

Customer will not, and will not permit others to:

• use Services unlawfully or in violation of applicable regulations;
• interfere with, disrupt, scan, or abuse Service infrastructure;
• attempt unauthorized access to accounts, tenants, systems, or data;
• reverse engineer Services except to the extent such restriction is prohibited by law;
• use Services to build or benchmark a competing service in a way that violates law or contract;
• transmit malware or harmful code through Services.

OrbitMesh may investigate suspected violations and may suspend access as described in Section 18.

8. Security and Shared Responsibility

OrbitMesh implements administrative, technical, and organizational safeguards appropriate to the Services.

Customer acknowledges:

• no system is perfectly secure;
• certain controls are configuration-dependent (for example, object-storage encryption options);
• self-hosted/runtime environment hardening remains Customer responsibility;
• debug and operational settings can affect data exposure risk if not properly managed.

Security details are further described in OrbitMesh privacy/security documentation and may evolve over time.

9. Customer Data Rights and Processing

As between the parties:

• Customer retains all right, title, and interest in Customer Data.
• Customer grants OrbitMesh the rights necessary to host, process, transmit, store, and otherwise use Customer Data solely to provide, secure, support, and improve Services consistent with this agreement.

Where OrbitMesh processes personal data on Customer's behalf, the parties may execute a DPA.

OrbitMesh does not acquire ownership of Customer Data.

10. Privacy

OrbitMesh's privacy practices are described in the Privacy Policy:

• Privacy Policy

Customer is responsible for providing legally required notices to its end users, customers, and personnel regarding Customer's use of OrbitMesh.

11. Third-Party Services and Dependencies

Services may integrate or interoperate with third-party providers, including (depending on plan and deployment):

• Kinde (authentication/identity),
• Google Chrome runtime (HTML-to-PDF conversion),
• object storage providers (such as AWS S3 or compatible endpoints),
• Paddle (billing, if enabled),
• GoatCounter and FormSubmit on public pages,
• Let's Encrypt/Certbot tooling for TLS operations (deployment-dependent).

Use of Third-Party Services may be subject to those providers' terms and privacy policies. OrbitMesh is not responsible for third-party products not controlled by OrbitMesh.

Reference links:

• Kinde: https://docs.kinde.com/trust-center/privacy-and-compliance/privacy-policy/
• Chrome: https://www.google.com/chrome/privacy/
• Google Privacy: https://policies.google.com/privacy
• AWS: https://aws.amazon.com/privacy/
• Paddle: https://www.paddle.com/legal/privacy
• GoatCounter: https://www.goatcounter.com/help/privacy
• FormSubmit: https://formsubmit.co/privacy.pdf
• Let's Encrypt: https://letsencrypt.org/privacy/

12. Fees, Billing, and Taxes

Unless otherwise stated in an Order Form:

• fees are due in advance for the applicable billing cycle;
• subscriptions auto-renew for successive billing periods;
• fees are non-refundable except where required by law or expressly stated.

If billing is enabled through a third-party provider (for example Paddle), payment processing and certain billing operations are handled by that provider subject to provider terms.

Customer is responsible for applicable taxes, duties, and similar governmental charges, excluding taxes based on OrbitMesh's net income.

OrbitMesh may suspend access for non-payment after reasonable notice, except where prohibited by law or contrary to a signed Order Form.

13. Trial, Beta, and Pre-Release Features

Trial, evaluation, "experience/demo," alpha, beta, or preview features may:

• be incomplete;
• change or be discontinued at any time;
• be subject to reduced or no support commitments.

Unless otherwise agreed in writing, such features are provided "AS IS" and may be excluded from service levels, indemnities, and warranties to the maximum extent permitted by law.

14. Intellectual Property

OrbitMesh and its licensors retain all right, title, and interest in and to:

• Services, software, APIs, and Documentation;
• related improvements, updates, and derivative works;
• all intellectual property rights therein.

No implied license is granted.

If Customer provides feedback, suggestions, or enhancement requests, OrbitMesh may use them without restriction or compensation, without acquiring ownership of Customer's Confidential Information.

15. Confidentiality

"Confidential Information" means non-public information disclosed by one party ("Discloser") to the other ("Recipient") that is designated confidential or should reasonably be understood as confidential.

Recipient will:

• protect Discloser's Confidential Information with reasonable care (at least the same care used for its own similar information);
• use it only to perform rights and obligations under this agreement;
• disclose it only to personnel/contractors with a need to know and confidentiality obligations no less protective.

Exclusions: information that is public without breach, already known without duty, independently developed, or rightfully received from a third party without confidentiality duty.

16. Warranties and Disclaimers

OrbitMesh warrants that during a paid Subscription Term it will provide Services in a professional and workmanlike manner materially consistent with applicable Documentation.

Except as expressly stated, Services are provided "AS IS" and "AS AVAILABLE."
To the maximum extent permitted by law, OrbitMesh disclaims all implied warranties, including merchantability, fitness for a particular purpose, non-infringement, and uninterrupted/error-free operation.

OrbitMesh does not warrant that:

• Services will be uninterrupted or error-free at all times;
• all security threats or vulnerabilities will be prevented;
• all customer-specific legal/regulatory requirements are met without customer configuration and governance.

17. Indemnification

17.1 OrbitMesh IP indemnity

OrbitMesh will defend Customer from third-party claims alleging Services infringe a third party's intellectual property rights, and will pay resulting damages/costs finally awarded or agreed in settlement, provided Customer:

• promptly notifies OrbitMesh;
• gives OrbitMesh sole control of defense/settlement; and
• reasonably cooperates.

OrbitMesh has no obligation for claims arising from:

• Customer Data;
• combinations with non-OrbitMesh products not supplied by OrbitMesh;
• Customer modifications or use outside Documentation;
• continued use after notice of alleged infringement if a reasonable workaround is offered.

If infringement is likely, OrbitMesh may:

• modify Services to be non-infringing;
• obtain rights for continued use; or
• terminate affected Services and provide pro-rated refund of prepaid unused fees for affected period.

17.2 Customer indemnity

Customer will defend and indemnify OrbitMesh against third-party claims arising from:

• Customer Data;
• Customer's unlawful or unauthorized use of Services;
• Customer's breach of these Terms;
• Customer's failure to obtain required notices/consents for data collection and processing.

18. Suspension

OrbitMesh may suspend access immediately, in whole or part, if reasonably necessary to:

• prevent harm, security risk, or infrastructure abuse;
• address suspected unauthorized access or legal violations;
• respond to legal process or regulatory requirements;
• enforce payment obligations after notice.

OrbitMesh will use reasonable efforts to limit suspension scope/duration and restore access when the triggering issue is resolved.

19. Term and Termination

These Terms begin on first acceptance/use and continue until terminated.

Either party may terminate:

• for material breach not cured within 30 days after written notice;
• immediately if the other party becomes insolvent or enters formal insolvency proceedings;
• as otherwise set out in an Order Form.

On termination or expiration:

• Customer access rights end;
• Customer remains responsible for unpaid fees accrued before termination;
• each party may request deletion/return of certain data consistent with law, backup cycles, and technical constraints.

Sections intended to survive (including confidentiality, IP, payment obligations, disclaimers, liability limits, and dispute terms) survive termination.

20. Limitation of Liability

To the maximum extent permitted by law:

• neither party is liable for indirect, incidental, special, consequential, or punitive damages, or for lost profits, lost revenue, lost business opportunity, loss of goodwill, or loss/corruption of data, even if advised of possibility;
• each party's aggregate liability under these Terms will not exceed the fees paid or payable by Customer to OrbitMesh for Services giving rise to the claim during the 12 months preceding the event.

The exclusions/limits above do not apply to:

• Customer payment obligations;
• a party's indemnification obligations;
• a party's gross negligence, fraud, or willful misconduct;
• liability that cannot be limited under applicable law.

21. Export Controls and Sanctions

Customer represents and warrants that it is not subject to applicable trade sanctions prohibitions and will comply with applicable export control and sanctions laws in connection with Services.

Customer will not use or provide Services in prohibited jurisdictions or to prohibited parties where doing so would violate law.

22. Publicity

Neither party may publicly use the other party's name, logo, or trademarks without prior written consent, except:

• factual references permitted in an executed Order Form; or
• disclosures required by law.

23. Changes to Services and Terms

OrbitMesh may update Services and Documentation from time to time.

OrbitMesh may update these Terms by posting an updated version with revised "Last updated" date.
Material adverse changes for existing paid subscriptions will apply no earlier than the next renewal unless required sooner by law, security, or regulatory requirements.

Continued use after effective date of updated Terms constitutes acceptance.

24. Governing Law and Dispute Resolution

Unless otherwise specified in an executed Order Form:

• These Terms are governed by the laws of the jurisdiction where OrbitMesh's primary contracting entity is established, without regard to conflict-of-law rules.
• Before filing a formal claim, the parties will attempt good-faith business resolution for at least 30 days after written notice of the dispute.
• If unresolved, disputes must be brought exclusively in the state or federal courts located in the jurisdiction of OrbitMesh's principal place of business, and each party consents to personal jurisdiction and venue there.
• To the maximum extent permitted by law, each party waives any right to a jury trial and agrees to bring claims only on an individual basis (not as a plaintiff or class member in any class or representative action).

Either party may seek injunctive or equitable relief in any court of competent jurisdiction to prevent unauthorized use or disclosure of intellectual property, Confidential Information, or security-sensitive systems/data.

25. Miscellaneous

• Entire agreement: these Terms and incorporated documents are the complete agreement for subject matter.
• Assignment: neither party may assign without prior written consent, except to an affiliate or in connection with merger/acquisition/sale of substantially all assets, provided assignee assumes obligations.
• Force majeure: neither party is liable for delays/failures due to causes beyond reasonable control.
• Independent contractors: parties are independent contractors; no partnership or agency is created.
• No third-party beneficiaries: these Terms benefit only the parties.
• Waiver/severability: failure to enforce is not waiver; unenforceable provisions are modified/minimized to preserve enforceable intent.
• Notices: legal notices must be sent to designated legal contacts in writing.

26. Contact Information

Legal and contract notices:

• legal@orbitmesh.io (replace if different)
• privacy@orbitmesh.io (privacy-specific)
• security@orbitmesh.io (security-specific)

---

Appendix A: Service-Specific Clarifications

• Authentication:
  • OrbitMesh currently integrates with Kinde for user identity and tenant bootstrap/session context.
• Relay tokens:
  • relay token metadata is stored hashed (token_hash) plus masked suffix (token_last4), not plaintext token values.
• Upload and conversion:
  • evidence upload sessions are time-bounded and validated before conversion/indexing.
• Query safety:
  • read-only SQL constraints are enforced for supported query endpoints.
• Compliance PDF generation:
  • HTML-to-PDF conversion is performed via local Chromium-compatible runtime execution.
• Deployment:
  • customer-controlled deployments must maintain secure host/network/runtime posture and secret management.