Terms of Service & Data Processing Agreement

Last updated 1 June 2026

1. Acceptable use

You may use VigilPath only for lawful financial-crime investigation, regulatory record-keeping and Suspicious Activity Reporting. You may not attempt to reverse-engineer the platform, share access credentials, or upload data unrelated to your firm's regulated activity.

2. Roles under UK GDPR

For tenant-uploaded personal data, your firm is the controller and VigilPath is the processor. For account, audit and security data, VigilPath is the controller. This DPA forms part of these Terms.

3. Processor obligations

  • Process personal data only on documented instructions from the controller.
  • Ensure personnel are bound by confidentiality.
  • Implement Article 32 security measures (encryption, access control, audit).
  • Engage sub-processors only with prior notice and equivalent contractual obligations.
  • Assist with data-subject rights, DPIAs and breach notifications (within 72 hours).
  • Return or delete personal data at end of contract.

4. Tipping-off (POCA s.333A)

The platform is designed so that no customer-facing communications reference an investigation. You must operate access controls so that only authorised financial-crime personnel can read case material.

5. Service availability

Target uptime is 99.9% measured monthly, excluding scheduled maintenance announced 7 days in advance.

6. Liability

VigilPath is a decision-support platform. The accountable signatory for any SAR remains the named investigator and MLRO. To the maximum extent permitted by law, our aggregate liability is limited to fees paid in the preceding 12 months.

7. Governing law

England and Wales. Exclusive jurisdiction of the courts of London.

This document is a scaffold for evaluation purposes and does not constitute legal advice. Production deployments will be governed by a counter-signed MSA and DPA.