§1 · Overview & Acceptance
These Terms of Service (the “Terms” or “Agreement”) are entered into between Velarum Labs LLC (Wyoming, USA) (“Velarum”, “we”, “us”) and you (“you”, “Customer”), and govern your access to and use of the Velarum platform, SDK, API, developer console, Management Center, and related services (collectively, the “Services”).
By registering an account, calling the API, submitting a payment intent, or otherwise using the Services, you confirm that you have read, understood, and fully accept these Terms. If you do not agree to any part of these Terms, you must stop using the Services immediately.
You must be at least 18 years old (or the age of majority in your jurisdiction, whichever is higher) to use the Services.
These Terms, together with the Velarum Privacy Policy, the Acceptable Use Policy (where applicable), the Data Processing Agreement (for enterprise customers), and any finalized SLA and Pricing Schedule, form the entire agreement. On conflict the order above controls — except that the mandatory clauses in §3.2 (non-custodial declaration) and §13 (geographic restrictions) prevail over any conflict.
§2 · Service Definition & Scope
2.1 What the Services include
Velarum provides a non-custodial payment protocol layer and developer infrastructure for the AI-agent economy, including:
- Protocol SDK & API — agent identity, on-chain session-key authorization management, unsigned-transaction assembly.
- On-chain event indexing — passive observation of your on-chain transaction status with webhook notifications.
- Developer console — projects, API-key issuance and rotation, testnet sandbox, monitoring dashboards.
- Management Center — RBAC, policy configuration, audit logs, compliance reports (subscription).
- Multi-chain support across the ten V1 chains: ethereum, solana, base, arbitrum, stellar, starknet, polygon, optimism, avalanche, ton.
2.2 Service boundaries — what Velarum does NOT do
Velarum does not provide the following, and any request that appears to require them will be refused:
- Velarum does not hold, custody, safeguard, or co-sign your private keys, mnemonics, MPC shares, HSM-signable material, social-recovery admin shares, or any other signing material (see §3.2).
- Velarum does not act as a Money Services Business (MSB), Virtual Asset Service Provider (VASP), Crypto-Asset Service Provider (CASP), Digital Payment Token (DPT) provider, Virtual Asset Trading Platform (VATP), or any other licensed financial service (HC-NC-3).
- Velarum does not provide fiat on-ramp / off-ramp / exchange / custody — choose your own licensed Anchor for fiat rails.
- Velarum does not collect your KYC documents, ID, passport, or proof of address as a default behavior (see §12 and the JIT-KYC triggers).
- Velarum does not backstop your loss of funds, agent prompt-injection, failed on-chain transactions, or third-party failures (see §9).
- Velarum does not take a percentage of your transaction value — no bps, no take rate, no spread capture, no gas markup (HC-NC-4).
2.3 V1 scope limit
The first V1 release opens real-fund payment only on [V1_LIVE_CHAINS] (default: base / stellar with base_eth / base_usdc / stellar_xlm / stellar_usdc). Other chains remain in sandbox, paused, or smoke-tested.
§3 · Account Registration & Eligibility
3.1 Registration
- You must register using real, accurate, and current information, including email, username, and any wallet addresses you connect.
- You are fully responsible for the confidentiality and security of your credentials and for all activity under your account. Report any unauthorized access within 24 hours to [VELARUM_SECURITY_EMAIL].
- You may create accounts only for yourself or a legal entity you are authorized to represent. Anonymous accounts for others, credential sharing, account resale, and bot mass-registration are prohibited.
3.2 Non-custodial declaration (mandatory — may not be weakened)
Non-custodial infrastructure declaration (locked by HC-NC-1 and ADR-NC-001). This clause may not be removed, weakened, or subjected to any exception in any amendment, jurisdiction annex, or supplement.
- Your assets are controlled solely by you. Private keys, mnemonics, and signing authority live entirely in your device / wallet / agent runtime; Velarum can never access, copy, move, pause, or freeze your assets.
- Signing and broadcast happen on your client. Velarum servers only assemble unsigned transactions; signing and broadcast must occur in your wallet extension, mobile Secure Enclave, hardware wallet, your self-deployed smart-contract account, or a licensed external custodian you choose.
- On-chain transactions are irreversible. Once you sign and broadcast, Velarum cannot reverse, roll back, accelerate, or compensate for any consequence. Verify address, amount, chain ID, and calldata before signing.
- Lost mnemonic or private key means lost assets. Velarum provides no key recovery or custodial substitute and never acts as a social-recovery guardian. Keep your recovery path safe.
- Velarum is not a financial institution and holds no financial license. It provides only software, protocol access, and developer infrastructure; any fiat / KYC / AML / Travel-Rule service is provided by third-party licensed institutions you choose.
3.3 KYC / KYB (zero-collection by default + 4-tier trigger)
Default zero-KYC: when you register, call the API, subscribe to webhooks, or connect a wallet, Velarum holds only six minimal PII items — email, username, api_key_hash, public wallet address, API call logs, and IP address. Velarum never collects ID documents, passports, selfies, proof of address, or UBO files by default.
Triggered KYC: only in the following four situations may Velarum ask you to present a Verifiable Credential (VC) issued by a trusted Issuer / Anchor of your choosing:
- L1 — Legal compulsion: a lawful subpoena, court order, or OFAC enforcement notice, or a clear regulation in your jurisdiction requiring Velarum to assist in identifying users.
- L2 — Customer contract: an enterprise customer contract expressly requires KYC of that customer’s end-users, or a fiat Anchor you connect requires Travel-Rule data.
- L3 — Product gating: you opt into enterprise add-ons (private deployment, automated compliance reports, dedicated CSM, etc.).
- L4 — Never triggered: 99% of ordinary usage.
Even when triggered, you submit identity documents directly to an approved third-party Issuer / Anchor. Velarum is not a KYC-collection intermediary, does not store your raw ID data, and consumes only the Issuer-signed VC. If you decline to present a VC when triggered, Velarum may suspend or terminate the relevant function.
§4 · Acceptable Use & Prohibited Conduct
4.1 What you may do
- Integrate the Velarum SDK into your agent / app / service within the scope of these Terms.
- Create restricted authorizations (session key / on-chain multisig / AA module) for your agents on V1 chains.
- Call the Velarum API to assemble unsigned transactions, then sign and broadcast on your client.
- Subscribe to webhooks to receive on-chain event indexing.
- Use compliance reports, dedicated CSM, and other add-ons within your enterprise subscription.
4.2 Strictly prohibited (AUP summary)
You must not:
- Bypass the non-custodial boundary — induce, trick, or exploit Velarum systems into holding signing material, co-signing, or overriding on-chain policy constraints.
- Bypass geographic restrictions — use a VPN, false KYC residence, or third-party co-signing to evade the excluded regions in §13.
- Engage in sanctions evasion — involving entities, regions, or individuals on the OFAC SDN List, EU CFSP, or UK OFSI lists.
- Abuse via bots — mass registration, automated attacks, scraping, DDoS, or API calls beyond reasonable rate.
- Reverse-engineer — decompile, disassemble, or attempt to obtain the source of Velarum’s closed-source components (open-source components follow their license).
- Use the Services for illegal purposes — money laundering, fraud, unauthorized transfers, or anything illegal in your jurisdiction.
- Infringe the IP, trademarks, patents, or trade secrets of Velarum, other customers, or any third party.
- Abuse agents — deliberately manipulate an agent to act against your jurisdiction’s law or these Terms.
- Resell the Services, API keys, or agent tokens to third parties not bound by these Terms.
- Interfere with Velarum’s operations — harming the availability, security, or reputation of the Services.
Violating any item in §4.2 entitles Velarum to immediately suspend or terminate your Services, and Velarum is not liable for the resulting consequences (see §11).
§5 · Fees & Payment
5.1 Fee forms
Velarum charges only in one of the following forms (locked by HC-NC-4; no fee may be proportional to a single payment amount):
- SaaS subscription (monthly / annual).
- Per API call (by call count, not transaction value).
- Per seat / per agent.
- Per storage / bandwidth / compute.
- By support tier (Standard / Premium / Enterprise).
- Pass-through on-chain gas (shown transparently in the UI and passed to the real gas recipient; Velarum keeps no spread).
Specific prices appear in the Velarum Pricing Schedule (published after legal finalization).
5.2 Payment
- Velarum processes subscription fees via [VELARUM_PAYMENT_PROCESSOR] (default Stripe / Coinbase Commerce / bank transfer — no Singapore SVF/DPT-licensed party, HC-NC-2).
- Monthly subscriptions auto-renew unless you cancel 7 days before renewal; annual subscriptions auto-renew unless you cancel 30 days before renewal.
- Overdue payment: 7-day grace period after notice → service suspension → account termination after 30 days.
5.3 Refunds
- SaaS subscriptions follow a pay-as-you-go principle: the used portion is non-refundable; the unused portion is refunded pro-rata.
- Post-termination refund window: submit a request to [VELARUM_BILLING_EMAIL] within 30 days.
- No refund applies to accounts terminated for breaching §4.2, to a period already credited under SLA Tier 1, or to gas already paid on-chain.
§6 · SLA & Service Credits
6.1 Overview
| Tier | Trigger | Form | Cap |
|---|---|---|---|
| Tier 1 — Service Credits | Monthly SLO missed | Pro-rated discount on next month’s fee (10% / 25% / 50%) | 100% of that month’s subscription fee |
| Tier 2 — Fund Incident Compensation | Audited platform bug causes customer fund loss | Cash or USDC direct payment | 12× monthly fee; ≤ 24× over a rolling 12 months |
6.2 SLO numbers
Specific SLI / SLO figures will be published at [VELARUM_SLO_SLI_MATRIX_URL] (after ADR-001 is accepted).
6.3 Claim window & review
- Tier 1: file a ticket within 30 days of the incident; reply within 5 business days.
- Tier 2: within 30 days of the incident (up to 90 days if a single loss exceeds 10× the monthly fee); 24-hour acknowledgement, 7-day audit conclusion, payment within 30 days if attributed to a platform bug.
6.4 Out of scope
- Loss of a self-custody mnemonic or hardware-wallet key.
- Chain-native forks, consensus failure, congestion, or gas spikes.
- Failures of third-party RPC, Anchor, on-ramp, payment, or KYC services.
- Force majeure (earthquake, regulatory ban, war, internet-backbone failure).
- Your own policy misconfiguration (e.g., setting a whitelist to *).
- Leak of your API key, agent token, or admin password.
- Agent behavior within your authorization (including in-scope prompt-injection).
6.5 Fund-sovereignty clause (mandatory)
Velarum does not hold customer sovereign assets. The Velarum server holds no user private keys, mnemonics, MPC shares, HSM-signable material, or social-recovery admin shares; signing and broadcast are performed by the user client. Ultimate responsibility for the security of funds rests with the subject. This clause may not be removed or weakened in any enterprise contract, jurisdiction annex, or supplement.
§7 · Intellectual Property & Data Ownership
7.1 Velarum-retained IP
Velarum retains all ownership and intellectual-property rights in: platform code and architecture (closed-source parts); Velarum trademarks, logo, and brand assets; documentation and SDK API design; Velarum-maintained contract templates (open-source, used under each repository’s LICENSE); and patents and trade secrets.
7.2 Customer data ownership
- You retain full ownership of your customer data (payment intents, agent metadata, policy configuration, webhook endpoint URLs, etc. that you input or upload).
- You grant Velarum a limited, non-exclusive, non-transferable, royalty-free license solely to provide the Services to you, to improve the Services through de-identified aggregate statistics, and to meet legal obligations (e.g., audit, regulatory reporting).
- After termination, Velarum handles your data per the Velarum Data Retention & Deletion Spec.
7.3 On-chain data is public
You understand and accept that all transactions you initiate on-chain (sender, recipient, amount, calldata) are permanently public and immutable on the blockchain. Velarum cannot delete on-chain data, nor control the visibility of your on-chain activity to third-party explorers and indexers.
§8 · Confidentiality
- Each party shall keep the other’s confidential information strictly confidential, for 5 years after termination of this Agreement.
- Confidential information excludes: information already public; information independently developed by the receiver; information lawfully disclosed by a third party; and information disclosed under legal compulsion (with notice to the other party where lawful).
- Velarum staff and contractors are under NDA. Velarum will not disclose your non-public data to third parties without your prior written consent, except: under legal compulsion (subpoena / court order / OFAC notice); to protect Velarum’s own rights (compliance, litigation); or as anonymized aggregate statistics for product improvement.
§9 · Limitation of Liability
This section is the core limitation-of-liability clause and applies to the maximum extent permitted by law.
9.1 No warranties
The Services are provided AS-IS and AS-AVAILABLE. Velarum expressly disclaims all express or implied warranties, including merchantability, fitness for a particular purpose, non-infringement, uninterrupted or error-free operation, freedom from security vulnerabilities, perfect compatibility with third-party systems, and attainment of any specific result.
9.2 Exclusion of indirect damages
To the maximum extent permitted by law, Velarum is not liable for:
- Consequences of your on-chain transactions (wrong address, mis-bridged transfers, failed contract calls).
- Consequences of your agent being prompt-injected (even with Velarum’s multi-layer policy defenses).
- Loss or theft of your wallet, mnemonic, or hardware wallet.
- Failures or acts of third-party services you choose (RPC, Anchor, KYC vendor, custodian).
- Chain-native events (fork, reorg, gas spike, congestion, smart-contract bug).
- Force majeure (war, natural disaster, regulatory ban, internet-infrastructure failure).
- Any indirect, incidental, punitive, special, or consequential damages (lost profit, business interruption, goodwill, data loss), whether or not Velarum was advised of the possibility.
9.3 Aggregate liability cap
Velarum’s total cumulative liability under this Agreement shall in no event exceed the lower of: (a) the subscription fees you actually paid Velarum in the 12 months before the event giving rise to the claim; or (b) USD [LIABILITY_CAP_USD] (default USD 100,000; negotiable upward by Legal, but not below this figure). Exception: Tier 2 Fund Incident Compensation may apply within §6.1, but as between Tier 2 and the §9.3 cap, only the higher of the two applies, once (not cumulatively).
9.4 Your indemnity
You shall indemnify, defend, and hold Velarum harmless from any claim, damage, loss, liability, and reasonable legal fees arising from: your breach of these Terms (especially the §4.2 prohibitions); your customer data infringing any third-party right; your agent’s behavior violating your jurisdiction’s law; or your bypassing the §13 geographic restrictions.
§10 · Term & Termination
10.1 Term
This Agreement is effective from your first acceptance and continues until terminated by any of: your self-service account closure (with a 7-day cooling-off period); Velarum termination for your breach (§10.2); written mutual termination; or service discontinuation (with at least 90 days’ notice).
10.2 Immediate termination by Velarum
- You breach any item of §4.2.
- You breach the mandatory clauses in §3.2 or §13.
- You fail to pay within the grace period (§5.2).
- Your region enters the §13 permanent-exclusion list.
- Your insolvency, liquidation, receivership, or similar.
- Any legal or regulatory compulsion (e.g., OFAC enforcement).
10.3 After termination
- Data export window: 30 days after termination, via the DSAR SOP.
- On-chain assets: unaffected by termination; still accessible independently through your own wallet.
- Data deletion: per the Data Retention & Deletion Spec; some data (audit logs, compliance reports) is retained 5–7 years by legal obligation.
- Unpaid fees: amounts due before termination remain payable.
10.4 Survival
§3.2, §6.5, §7, §8, §9, §13, §14, and §15 survive termination of this Agreement.
§11 · Third-Party Dependencies & Disclaimer
The Services depend on the following third parties, for which Velarum provides no backstop:
- Blockchain networks (Ethereum, Solana, Stellar, Starknet, TON, etc.): availability, gas price, consensus, forks.
- Chain RPC providers (Alchemy / Infura / QuickNode / Helius, etc.) — see the Sub-processor List.
- Fiat Anchors (if you connect them): the Anchor bears its own compliance and Travel-Rule duties.
- Third-party wallets (MetaMask / Phantom / Ledger / Trezor / Safe / Fireblocks, etc.): your choice; Velarum endorses no specific vendor.
- Cloud providers (AWS / GCP, etc.) — see the Sub-processor List.
- Payment processors — see §5.2.
- KYC Issuers (if you present a VC under a trigger): the Issuer bears its own compliance.
Service degradation or interruption caused by third-party failure, policy change, or shutdown is not within Velarum’s SLA.
§12 · AML Disclosure
- You must not use the Services for money laundering, terrorist financing, fraud, sanctions evasion, or funding entities on the OFAC SDN list.
- Velarum reserves the right to trigger risk alerts based on automated risk-control, on-chain analysis, and user behavior patterns, and to require a VC under the four KYC triggers in §3.3.2.
- Velarum will not act as a KYC-collection intermediary; will not proactively disclose user data to regulators or law-enforcement absent legal compulsion; and will, where lawful, notify you upon a valid subpoena (except where tipping-off is legally prohibited).
- SDN / sanctions hook: Velarum offers an optional address-level deny-list hint in the SDK and backend. On a hit, the UI shows a warning but does not force-block your on-chain signing — Velarum is not an OFAC adjudicator; the final determination rests with you and your legal counsel.
§13 · Geographic Restrictions (mandatory)
Locked by HC-NC-2 + ADR-NC-002 + ADR-NC-010~013. You represent and warrant that you are not, and that your device / network / residence is not located in, the regions below.
13.1 Permanently prohibited (no re-review)
- Singapore (Tier B / permanent project prohibition, HC-NC-2).
- North Korea, Iran, Syria, Cuba, and Crimea / Luhansk / Donetsk / Zaporizhzhia / Kherson (Tier A / OFAC + FATF blacklist).
- Afghanistan, Belarus, Myanmar (Tier D / high-risk, minimal market).
13.2 Pending-exclusion (Tier C — currently refused; may open after future re-review)
- The entire United States (50 states, DC, all overseas territories, tribal reservations) — ADR-NC-010.
- All of Japan — ADR-NC-011.
- Mainland China (31 provinces / municipalities; excludes Hong Kong / Macau / Taiwan) — ADR-NC-012; see the PIPL note in §13.4.
- The entire Russian Federation — ADR-NC-013; see the OFAC note in §13.5.
13.3 Legal-watch (Tier W — full service + ongoing watch)
In the following regions Velarum offers full service plus a jurisdiction annex, but tracks evolving legislation via the Risk Register and may, on decision-maker re-review, escalate to Tier C: South Korea (2024-07 Virtual Asset User Protection Act — VASP scope risk); Indonesia (UU PDP 2022 / 2024 implementation watch).
13.4 PIPL cross-border note (Mainland China exclusion)
Velarum does not proactively collect the personal information of Mainland-China residents. If a user bypasses the IP / nationality / KYC barriers in violation, Velarum’s database stores no long-term record of that user, and any short-term logs are handled under the PIPL breach procedure (72-hour disclosure).
13.5 OFAC sanctions note (Russia exclusion)
Velarum’s registration, operating entities, Anchor integrations, and banking / card / stablecoin counterparties are screened in real time against OFAC / EU CFSP / UK OFSI lists. Velarum does not contract with any entity registered or primarily operating in Russia; even though registered in the USA, Velarum accepts OFAC secondary-sanctions constraints, and any Russia exposure requires an emergency response within 24 hours.
13.6 Barriers & handling
Velarum identifies your region through three barriers: IP geolocation + nationality declaration at registration + KYC residence check (if triggered). If you breach the foregoing representation, Velarum may immediately terminate your access and is not liable for the resulting consequences (the §9.4 indemnity applies).
§14 · Governing Law & Dispute Resolution
14.1 Governing law (Wyoming)
This Agreement is governed by the substantive law of the State of Wyoming, USA, excluding its conflict-of-law rules and the UN Convention on Contracts for the International Sale of Goods (CISG). A Wyoming LLC entity with Wyoming governing law forms a same-jurisdiction contract structure, avoiding the need for cross-jurisdiction legal opinions.
14.2 Arbitration
- Any dispute arising out of or relating to this Agreement shall first be resolved through 30 days of good-faith negotiation.
- Failing that, the dispute is submitted to the American Arbitration Association (AAA), seat Wyoming, USA, under the AAA Commercial Arbitration Rules. The Singapore International Arbitration Centre (SIAC) is expressly excluded (HC-NC-2).
- Arbitration is in English; one arbitrator is appointed by the AAA; the award is final and binding on both parties.
14.3 Court exceptions
Velarum may seek interim injunction or emergency relief directly from a court of competent jurisdiction, outside §14.2, where: you breach §3.2 by attempting to make Velarum hold signing material; you infringe Velarum IP (§7); you breach confidentiality (§8); or you seriously breach §4.2 (e.g., sanctions evasion, money laundering).
14.4 Class-action waiver
To the extent permitted by law, you waive any right to assert claims against Velarum as a class action, class arbitration, or representative action; each customer must assert claims individually.
14.5 Limitation period
Any claim against Velarum must be brought within 1 year of the event (to the shortest period permitted by law), failing which it is deemed waived.
§15 · Miscellaneous
15.1 Amendments
- Velarum may amend these Terms from time to time. Material changes (affecting your substantive rights and obligations) are notified 30 days before they take effect, via email + dashboard banner.
- During the notice period you may accept the change (automatic) or reject it and terminate your account (without penalty). Continued use of the Services constitutes acceptance.
- Non-material changes (typos, link updates, formatting) take effect immediately; the latest version controls.
15.2 Assignment
- You may not assign any right or obligation under this Agreement without Velarum’s prior written consent.
- Velarum may freely assign this Agreement to a group entity, an acquirer, or a merger successor, on notice to you.
15.3 Notices
Notices to Velarum: [VELARUM_LEGAL_EMAIL] (legal) / [VELARUM_PRIVACY_EMAIL] (privacy) / [VELARUM_SECURITY_EMAIL] (security incidents). Notices to you are sent to the email you provided at registration.
15.4 Entire agreement & severability
- This Agreement (together with the documents referenced in §1.4) is the entire agreement between the parties and supersedes any prior oral or written understanding.
- If any provision is held invalid, the remaining provisions remain fully effective, and the invalid provision is replaced by the closest valid provision a court / tribunal determines reflects the original intent.
15.5 Waiver
A party’s failure or delay in exercising any right under this Agreement does not constitute a waiver of that right or any other right.
15.6 Force majeure
Neither party is liable for breach caused by force majeure (war, natural disaster, regulatory ban, internet-backbone failure, chain-native catastrophe, etc.); the affected party shall promptly notify the other and use reasonable efforts to mitigate.
15.7 Relationship
The parties are independent contractors; this Agreement creates no partnership, joint venture, employment, agency, or fiduciary relationship.
15.8 Third-party beneficiaries
This Agreement creates no third-party beneficiary rights unless expressly stated herein.
15.9 Language
If the Chinese and English versions conflict, the English version prevails, unless the parties expressly choose Chinese at the time of signing.