Sigill.ai

Terms of Service

These terms govern your use of the Sigill.ai platform operated by Sigill AS. They are written to match how the service actually works — a hub that relays timestamping requests to independent Timestamp Authorities and produces PAdES / CAdES document seals on your behalf — not the marketing version.

Operator: Sigill AS · Trondheim, Norway
Governing law: Laws of Norway
Version: v1.0
Effective: 2026-05-23

1. Parties and acceptance

These Terms of Service (the "Terms") form a binding agreement between you, either personally or on behalf of the legal entity you represent ("Customer", "you"), and Sigill AS, a private limited company established in Norway ("Sigill", "we", "us"). You accept these Terms by creating an account, by using the Service, or by clicking an acceptance control where one is presented. If you are entering into these Terms on behalf of a legal entity, you confirm that you have authority to bind that entity.

2. The Service

Sigill.ai (the "Service") is a hub for cryptographic evidence. Specifically, the Service:

  • Relays RFC 3161 timestamp requests to independent Timestamp Authorities (TSAs) and returns their signed tokens. Sigill is not itself a TSA and does not issue its own time anchors. The cryptographic authority of a timestamp rests on the TSA that signed it.
  • Produces PAdES seals for PDF documents and CAdES detached signatures for other file types, using an organisational certificate issued by an external Certificate Authority. Sigill is not itself a Certificate Authority and does not issue its own certificates.
  • Stores evidence metadata — file hashes, labels you supply, algorithm and certificate identifiers, success or failure — so that you can recognise your own past stamps and seals. Optionally, and only when you have left the per-tenant setting on, Sigill also stores the RFC 3161 timestamp token and (for CAdES seals only) the detached .p7s signature. Sigill is not a document store. The unsigned input and the sealed output for both PAdES and CAdES are processed in memory and streamed back in the HTTP response; neither is persisted. PAdES sealed PDFs are never retained.
  • Operates a Model Context Protocol (MCP) server for AI agents that cannot stream binary content through their tool interface. MCP uploads and sealed downloads transit through temporary server-side slots with a hard one-hour expiry and a 50 MB upload cap. This is the only context in which Sigill temporarily holds file bytes, and only when you choose to use the MCP integration.
  • Lets you verify a stamp or seal you produced elsewhere, against the upstream authority that issued it. The verify endpoint is fully stateless — the file you upload to verify is processed in memory and discarded with the response. Verification does not require Sigill — it requires the file's hash and the issuing authority's certificate chain.

The Service does not include the underlying TSAs, Certificate Authorities, EU Trusted Lists, or third-party tools used to verify outputs. Sigill is not responsible for the availability, accuracy, or revocation decisions of those external parties — though we choose, monitor, and replace them with care.

3. Eligibility, accounts, and security

The Service is offered to organisations and to the developers who build for them. You must be at least 16 years old to create an account, and you must provide accurate information when you register. You are responsible for the security of your account credentials and API keys, for everything that happens under them, and for promptly notifying us via security@sigill.ai if you suspect a compromise. Sigill is entitled to act on instructions delivered through your valid credentials.

Each tenant has at least one owner. The owner is responsible for managing roles, billing, and the membership of the tenant.

4. Acceptable use

You agree not to:

  • Use the Service to commit fraud, forgery, or any unlawful act, or to assist anyone else in doing so.
  • Stamp or seal content that infringes a third party's intellectual property, privacy, or other rights.
  • Submit content that is unlawful where you are established or where Sigill operates, including content depicting child sexual abuse, content that incites violence, or content that breaches export controls.
  • Attempt to bypass plan limits, abuse free-tier provisioning, or share a paid plan with parties that are not part of your tenant.
  • Attempt to access another tenant's data, probe the Service for vulnerabilities outside the scope set out in our responsible disclosure policy, or interfere with the Service's operation.
  • Resell or rebrand the Service as your own without a written reseller agreement.
  • Use the Service for cryptocurrency-mining, sustained adversarial load, or any workload that materially burdens shared infrastructure beyond reasonable expectation.
  • Misrepresent the nature of a Sigill proof — for example, by describing a relayed third-party timestamp as having been issued by Sigill, or by describing a sealed document as "tamper-proof" without acknowledging what the seal actually proves.

We may suspend or terminate accounts that breach this section, on notice where practicable and without notice where the breach is material or ongoing.

5. Your content

You retain all rights to the files you stamp, seal, or verify with the Service ("Customer Content"). For the limited purposes of operating the Service, you grant Sigill a worldwide, royalty-free, non-exclusive licence to process Customer Content as required to produce, store, retrieve, and verify the cryptographic evidence you request — and for no other purpose. This licence terminates when the corresponding evidence record is deleted, except where data must be retained to satisfy a legal obligation.

For timestamping and verification, only a SHA hash of your file crosses the network. For sealing, the file bytes are processed in memory inside the EU to produce the signature; neither the unsigned input nor the sealed output is persisted — the sealed file is streamed back to you in the HTTP response. What Sigill keeps on your behalf is the file's hash and a small metadata row, plus — when you have left the per-tenant setting on — the RFC 3161 timestamp token and the CAdES detached .p7s signature. PAdES sealed PDFs are never retained.

Customers who use the Model Context Protocol (MCP) integration are subject to a narrow exception: because MCP tool responses cannot carry binary content, MCP file uploads and sealed downloads transit through temporary server-side slots in AWS eu-north-1 with a hard one-hour expiry, after which they are deleted automatically. The slots are scoped to the originating tenant; the maximum upload size is 50 MB. MCP slots are the only context in which Sigill temporarily holds Customer file bytes outside the HTTP request that produced them.

You are responsible for ensuring that you have the right to submit Customer Content to the Service and for the lawfulness of its contents. Sigill does not review Customer Content beyond what is necessary to operate the Service and to meet a legal obligation.

6. Our intellectual property

Sigill, its name, logo, the Sigill.ai platform, its source code, its documentation, and all derivative work are owned by Sigill AS or licensed to it. We grant you a limited, revocable, non-exclusive, non-transferable right to use the Service in accordance with these Terms during the term of your subscription. Nothing in these Terms transfers ownership of any Sigill IP to you. Feedback you give us about the Service may be used by us without restriction or obligation.

7. Plans, billing, and taxes

Paid plans are billed via our payment processor, Stripe Payments Europe, Ltd. Subscriptions renew automatically at the end of each billing period at the then-current price for your plan. You can cancel a renewal from the billing portal at any time; cancellation takes effect at the end of the paid period and does not entitle you to a refund for the unused remainder, except where required by mandatory consumer law.

Plan limits and prices are documented at sigill.ai and inside the billing portal. We may change them with at least 30 days' notice to active customers by email; if a price increase affects your subscription, you may cancel before the change takes effect without further charge. All prices are exclusive of VAT and other applicable taxes, which are added at the rate in force for your billing address.

You are responsible for keeping your billing details current. If a payment fails, we will retry it under Stripe's smart-retry schedule. After repeated failure, we may downgrade your tenant to the free plan and restrict paid features until payment is restored.

8. Service availability

Sigill operates the Service with reasonable care, using EU-hosted infrastructure and continuously monitored deployments. The Service is provided on a best-effort availability basis. We do not offer a contractual uptime SLA on the free plan. Enterprise-grade SLA commitments, where required, are documented in a separate order form signed by both parties.

Planned maintenance is announced in advance through the support channel and, for material work, by email. Outages, when they occur, are communicated as quickly as we can confirm scope. Until a public real-time status page is in place — see compliance posture — incident updates are delivered by email and through the support channel.

9. Third-party authorities and dependencies

Sigill relies on independent Timestamp Authorities, Certificate Authorities, and cloud sub-processors to deliver the Service. These third parties are listed at /trust-center/sub-processors and (for cryptographic counterparties) at /trust-center/standards. Sigill takes commercially reasonable steps to keep those relationships healthy, but is not liable for downtime, errors, or revocation decisions originating with a third party, except to the extent of Sigill's own negligence. Where a third-party outage prevents the Service from functioning, Sigill will route around it where possible (for example, by relaying to an alternate TSA) and communicate the impact.

10. Data protection

Where Sigill processes personal data on a Customer's behalf — for example, when a Customer uses the Service to seal documents that contain personal data of their own end users — Sigill acts as a processor under Article 28 of the General Data Protection Regulation. Those terms are set out in our Data Processing Agreement, which is incorporated into these Terms by reference. Where Sigill processes personal data for its own purposes — for example, account credentials and billing information — Sigill acts as a controller, and those processing activities are described in the Privacy Policy.

11. Confidentiality

Each party agrees to keep confidential information received from the other party confidential, to use it only for purposes contemplated by these Terms, and to protect it with the same care it uses for its own confidential information (never less than reasonable care). This obligation does not apply to information that becomes public other than through a breach of this section, that the receiving party already lawfully held, or that it is required to disclose by law or by a competent authority. Customer Content is confidential information of the Customer.

12. Warranties and disclaimers

Sigill warrants that it operates the Service with reasonable skill and care and in compliance with applicable laws. Otherwise, the Service is provided "as is" and "as available", without warranty of any kind, whether express, implied, statutory, or otherwise, to the maximum extent permitted by law. In particular, Sigill does not warrant that the Service will be uninterrupted, error-free, or fit for any particular purpose, that any third-party Timestamp Authority or Certificate Authority will remain available on any particular schedule, or that any proof produced will be accepted by any specific court, regulator, or counterparty.

The statements at /trust-center about what Sigill can and cannot prove form part of these Terms. In particular, Sigill does not claim that a proof establishes the factual truth of a document's contents, the identity of its author, or that a sealed document was approved by every individual mentioned inside it.

13. Limitation of liability

To the maximum extent permitted by law, neither party is liable for indirect, incidental, consequential, special, or punitive damages, or for lost profits, lost revenue, loss of business, loss of goodwill, or loss of data, arising out of or in connection with these Terms or the Service, whether in contract, tort (including negligence), or otherwise, even if advised of the possibility of such damages.

To the maximum extent permitted by law, each party's aggregate liability arising out of or in connection with these Terms in any twelve-month period is capped at the greater of (a) the fees paid or payable by Customer to Sigill for the Service in that twelve-month period, and (b) one hundred euros (€100).

Nothing in these Terms limits or excludes either party's liability for: (i) death or personal injury caused by negligence; (ii) fraud or fraudulent misrepresentation; (iii) gross negligence or wilful misconduct; or (iv) any liability that cannot be limited or excluded under applicable law. Where you are a consumer under Norwegian or EU law, your statutory rights as a consumer are not affected by these Terms.

14. Indemnification

You agree to indemnify Sigill against third-party claims, damages, and reasonable costs (including legal fees) arising from (a) your use of the Service in breach of these Terms, (b) Customer Content that infringes a third party's rights, and (c) your breach of applicable law. Sigill will notify you promptly of any claim, give you reasonable cooperation in defending it, and not settle it without your written consent (not to be unreasonably withheld).

15. Term, termination, and suspension

These Terms take effect when you first accept them and continue until terminated. You may terminate at any time by closing your account in the settings or by cancelling your subscription in the billing portal. Sigill may terminate or suspend your access (a) for material breach of these Terms that you fail to cure within 30 days of notice, (b) immediately for breach of section 4 (Acceptable use) where the breach is material or ongoing, (c) for non-payment after a reasonable cure period, or (d) if continued provision would expose Sigill to legal or regulatory risk.

On termination, your right to use the Service ceases. Sigill does not store customer files at any time, so there are no document copies to return — the signed outputs Sigill produced for you are the copies that already left in the HTTP responses, and the verifiable proof material that you can use to confirm them is held by the upstream Timestamp Authority and Certificate Authority, not by Sigill. The evidence metadata Sigill holds on your behalf (hashes, labels, TSA name and certificate window, and — where you left the per-tenant setting on — the RFC 3161 timestamp token and the CAdES .p7s signature) remains available for export for 30 days following termination, after which it may be deleted. The following sections survive termination: 5 (Your content) to the extent of any retained record, 6 (Our IP), 10 (Data protection), 11 (Confidentiality), 12 (Warranties), 13 (Liability), 14 (Indemnification), 17 (Governing law), and any other clause that by its nature is intended to survive.

16. Changes to these Terms

We may update these Terms from time to time. The version and effective date at the top of the page identify the current text. Material changes are announced to active customers by email at least 30 days before they take effect. If you do not agree to a material change, your remedy is to terminate before it takes effect. Continued use of the Service after the effective date constitutes acceptance.

17. Governing law and disputes

These Terms and any non-contractual obligation arising out of them are governed by the laws of Norway, without regard to its conflict-of-laws rules. The parties submit to the non-exclusive jurisdiction of the courts of Norway, with venue in Trøndelag tingrett (Trondheim). Nothing in this clause limits the right of either party to seek interim relief in any competent court, or any consumer's right to bring proceedings in the courts of the consumer's place of residence under mandatory law.

18. General

  • Entire agreement. These Terms, the Privacy Policy, the Data Processing Agreement (where applicable), and any order form signed by both parties form the entire agreement between you and Sigill. Other terms (including any terms you may submit through a procurement portal) are expressly rejected.
  • Severability. If a clause is held unenforceable, the rest remains in force.
  • No waiver. A delay or failure to enforce a right is not a waiver of it.
  • Assignment. You may not assign these Terms without our prior written consent (not to be unreasonably withheld). Sigill may assign them to an affiliate or to a successor in a corporate transaction, on written notice.
  • Force majeure. Neither party is liable for failure or delay caused by events beyond its reasonable control, including network outages of upstream cryptographic authorities, war, civil unrest, fire, flood, or industrial action — provided that the affected party promptly notifies the other and uses reasonable efforts to mitigate.
  • Independent contractors. Nothing in these Terms creates a partnership, joint venture, agency, or employment relationship between the parties.
  • Notices. Notices to Sigill should be sent to contact@sigill.ai. Notices to you may be sent by email to the billing contact or by in-product notification.

19. Contact

Questions about these Terms, contract enquiries, or notices: write to contact@sigill.ai. Suspected security issues: security@sigill.ai — see responsible disclosure for scope and response targets.

Document history

Version | Date | Change
v1.0 | 2026-05-23 | Initial publication.