Master Service Agreement (MSA)

1. Introduction and Objectives

This Master Service Agreement (“Agreement”) is entered into between Ambriel SRL, a company incorporated and existing under the laws of Romania, with its principal place of business in Bucharest (“Ambriel”), and the customer identified in the applicable Order Form or Statement of Work (“Customer”). The purpose of this Agreement is to establish the general terms and conditions under which Ambriel shall provide its fraud prevention, risk scoring, onboarding, monitoring, and related SaaS services (the “Services”) to Customer. This Agreement is designed to ensure a consistent contractual framework, with specific commercial terms, pricing, and service commitments to be further detailed in applicable Order Forms, Service Level Agreements (“SLAs”), and Data Processing Agreements (“DPAs”).

2. Definitions

For the purposes of this Agreement, the following terms shall have the meanings set out below:

  • “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party.
  • “Agreement” means this Master Service Agreement, together with all annexes, schedules, Order Forms, and incorporated policies.
  • “Confidential Information” means all non-public business, technical, or financial information disclosed by one Party to the other, whether orally, in writing, or electronically, that is designated as confidential or would reasonably be understood as confidential.
  • “Customer Data” means all data provided by Customer or its end-users to Ambriel in connection with the Services, including personal data.
  • “Order Form” means any ordering document executed by the Parties that specifies the Services to be provided, pricing, and other commercial details.
  • “Services” means Ambriel’s fraud detection, risk scoring, sanctions screening, monitoring, onboarding, authentication, and related SaaS services, including any updates, enhancements, or new features made available.
  • “SLA” means the Service Level Agreement attached as Annex 1.
  • “DPA” means the Data Processing Agreement attached as Annex 2.
  • “Term” means the duration of this Agreement as set forth in Section 14.

3. Services

3.1 Provision of Services. Ambriel shall make the Services available to Customer in accordance with this Agreement, the applicable Order Forms, and the SLA.

3.2 Service Modules. The Services may include, without limitation:

  • Risk Scoring (real-time analysis of transactions, users, and behaviors) 
  • Screening (sanctions, PEP, crime, fraud, IP, email, and phone reputation checks) 
  • Monitoring (ongoing AML/CFT, sanctions, and fraud monitoring) 
  • Onboarding (digital KYC, custom forms, liveness, and identity verification) 
  • Authentication (OTP, magic link, and login verification) 
  • Marketplace & Retail Fraud Prevention (bonus abuse, account takeover, fake account detection, referral fraud).

3.3 Changes to Services. Ambriel may enhance, update, or modify the Services from time to time, provided that such changes do not materially diminish the overall functionality of the Services.

3.4 Availability. Ambriel shall use commercially reasonable efforts to make the Services available in accordance with the SLA.

4. Customer Responsibilities

4.1 Compliance. Customer shall use the Services only in compliance with this Agreement, applicable Order Forms, and all applicable laws and regulations, including but not limited to data protection, financial services, AML/CFT, and consumer protection laws.

4.2 Account Security.Customer is responsible for maintaining the confidentiality of its account credentials and for all activities under its accounts. Customer shall promptly notify Ambriel of any unauthorized access or use.

4.3 Customer Data. Customer represents and warrants that it has the necessary rights and consents to provide Customer Data to Ambriel and to permit Ambriel’s processing of such data as contemplated by this Agreement and the DPA.

4.4 Prohibited Uses. Customer shall not, and shall not permit others to: (a) reverse engineer, decompile, or disassemble the Services; (b) use the Services to infringe intellectual property rights or violate the rights of third parties; (c) interfere with or disrupt the integrity or performance of the Services; (d) use the Services to process unlawful content or to engage in fraudulent, abusive, or illegal activity.

4.5 Third-Party Access. Customer shall not resell, sublicense, or otherwise provide the Services to third parties, except as expressly permitted in an Order Form.

5. Fees and Payment

5.1 Fees. Customer shall pay all fees specified in the applicable Order Forms. Fees may be based on subscription tiers, volume of transactions processed, or other agreed usage metrics.

5.2 Payment Terms. Unless otherwise stated in the Order Form, all fees shall be invoiced monthly in arrears and payable within thirty (30) days of the invoice date.

5.3 Taxes. Fees are exclusive of applicable taxes (e.g., VAT, GST, sales taxes), which shall be added and invoiced where required. Customer is responsible for all applicable taxes except for taxes based on Ambriel’s income.

5.4 Late Payments. Overdue amounts may accrue interest at the rate of 1.5% per month (or the maximum rate permitted by law, if lower). Ambriel may suspend Services for accounts overdue by more than thirty (30) days, following written notice.

5.5 No Refunds. Except as expressly set out in this Agreement or applicable law, all fees are non-refundable.

6. Service Levels and Support

6.1 Service Availability. Ambriel shall make the Services available 99.9% of the time per calendar month, excluding scheduled maintenance and force majeure events, as set forth in the SLA (Annex 1).

6.2 Support Services. Ambriel shall provide Customer with support in accordance with the SLA. Support may include ticketing, email, and live support channels during business hours, and critical incident response outside business hours.

6.3 Service Credits. If Ambriel fails to meet the service availability commitments set out in the SLA, Customer shall be eligible for service credits, calculated as specified in the SLA.

6.4 Exclusions. The SLA does not apply to unavailability or issues caused by Customer systems, third-party integrations not authorized by Ambriel, or failures of the internet outside Ambriel’s reasonable control.

7. Data Protection and Security

7.1 DPA Incorporation. The Data Processing Agreement (“DPA”) attached as Annex 2 forms an integral part of this Agreement. In the event of any conflict between the DPA and this Agreement with respect to personal data processing, the DPA shall control.

7.2 Data Hosting. Customer Data is primarily hosted and processed in the European Union, with infrastructure provided by Hetzner (data hosting), Typesense (search), and Cloudflare (CDN, security, DDoS protection).

7.3 Security Measures. Ambriel shall implement appropriate technical and organizational measures to protect Customer Data, including encryption in transit and at rest, access controls, monitoring, and regular security assessments.

7.4 Compliance with Laws. Both parties shall comply with applicable data protection laws, including the EU General Data Protection Regulation (GDPR).

7.5 Customer Responsibilities. Customer remains responsible for obtaining appropriate consents from end-users and ensuring that its instructions to Ambriel comply with applicable laws.

7.6 Data Breach Notification. Ambriel shall notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Data

8. Confidentiality

8.1 Definition. “Confidential Information” means all non-public information disclosed by a party (“Disclosing Party”) to the other party (“Receiving Party”), whether orally or in writing, that is designated as confidential or that, given the nature of the information or circumstances of disclosure, should reasonably be considered confidential. Confidential Information includes Customer Data, business and marketing plans, technology, product designs, technical and business information, and the terms of this Agreement.

8.2 Exclusions. Confidential Information does not include information that: (a) is or becomes generally known to the public without breach of this Agreement; (b) was lawfully known to the Receiving Party prior to disclosure by the Disclosing Party; (c) is independently developed by the Receiving Party without use of or reference to the Disclosing Party’s Confidential Information; or (d) is lawfully obtained from a third party without restriction. Confidential Information does not include information that: (a) is or becomes generally known to the public without breach of this Agreement; (b) was lawfully known to the Receiving Party prior to disclosure by the Disclosing Party; (c) is independently developed by the Receiving Party without use of or reference to the Disclosing Party’s Confidential Information; or (d) is lawfully obtained from a third party without restriction.

8.3 Obligations. The Receiving Party shall: (a) use the same degree of care that it uses to protect its own confidential information (but no less than a reasonable degree of care) to protect the Disclosing Party’s Confidential Information; (b) not use the Confidential Information for any purpose outside the scope of this Agreement; (c) not disclose the Confidential Information to any third party, except to its employees, affiliates, and contractors who need to know it and are bound by confidentiality obligations at least as protective as those herein.

8.4 Compelled Disclosure. The Receiving Party may disclose Confidential Information if required by law, provided it gives the Disclosing Party prompt written notice (where legally permitted) and cooperates with reasonable efforts to limit disclosure.

8.5 Return or Destruction. Upon termination of this Agreement, the Receiving Party shall return or destroy the Disclosing Party’s Confidential Information, except as required to comply with legal or regulatory obligations.

9. Intellectual Property

9.1 Ownership of Services. Ambriel and its licensors retain all rights, title, and interest in and to the Services, including all software, algorithms, user interfaces, know-how, documentation, and derivative works. Except for the limited rights expressly granted under this Agreement, no rights are granted to Customer.

9.2 Customer Data.As between the parties, Customer retains all rights, title, and interest in and to Customer Data. Ambriel shall process Customer Data only as necessary to provide the Services and in accordance with this Agreement and the DPA.

9.3 Feedback. Customer may provide feedback or suggestions about the Services. Ambriel may freely use, disclose, and exploit such feedback without restriction or compensation to Customer. 9.4 Restrictions. Customer shall not remove, alter, or obscure proprietary notices of Ambriel or its licensors.

10. Warranties and Disclaimers

10.1 Mutual Warranties. Each party represents and warrants that it has the legal power and authority to enter into this Agreement.

10.2 Ambriel Warranties. Ambriel warrants that: (a) it will provide the Services in a professional and workmanlike manner consistent with industry standards; (b) the Services will materially conform to the documentation; and (c) it will use commercially reasonable efforts to prevent the introduction of malicious code into the Services.

10.3 Customer Warranties. Customer warrants that: (a) it has obtained and will maintain all necessary rights, consents, and authorizations to provide Customer Data to Ambriel; (b) its use of the Services will comply with applicable laws and regulations; (c) it is not located in, and will not provide access to the Services from, a jurisdiction subject to comprehensive U.S., EU, or U.K. trade sanctions.

10.4 Disclaimer. Except as expressly provided in this Agreement, the Services are provided “as is.” Ambriel disclaims all other warranties, whether express, implied, statutory, or otherwise, including any implied warranties of merchantability, fitness for a particular purpose, title, and non-infringement.

11. Limitation of Liability

11.1 Exclusion of Indirect Damages. To the fullest extent permitted by law, neither party shall be liable for any indirect, incidental, special, consequential, or punitive damages, including lost profits, revenue, goodwill, or data, even if advised of the possibility of such damages.

11.2 Cap on Liability. Except for liability arising from (a) a party’s breach of confidentiality obligations, (b) a party’s indemnification obligations, or (c) a party’s gross negligence, willful misconduct, or fraud, each party’s aggregate liability under this Agreement shall not exceed the total fees paid or payable by Customer to Ambriel under this Agreement in the twelve (12) months preceding the claim.

11.3 Exclusions from Cap. The liability cap in Section 11.2 shall not apply to: (a) Customer’s obligation to pay fees due; (b) either party’s liability for death or personal injury caused by negligence; (c) violations of data protection obligations under the DPA where prohibited by law.