# exployt.ai Legal and Terms Summary Last updated: 2026-07-08 Canonical legal page: https://exployt.ai/legal Canonical privacy page: https://exployt.ai/privacy Canonical Trust & Security page: https://exployt.ai/security ## Legal operator exployt.ai is operated by exployt Software GmbH, Lange Gasse 30, 8010 Graz, Austria. Commercial register: FN 675480d, Landesgericht fuer ZRS Graz. VAT ID: ATU83180825. Managing director: Michael Martin Schoeggl. Contact: office@exployt.ai. ## Terms of Service highlights The Terms of Service cover account use, subscriptions, acceptable use, intellectual property, termination, disclaimer, governing law, subscription compliance, project integrity, marketplace/user budget features, payout/tax handling and liability limitations. Marketplace publishing is a deliberate upload: files and metadata chosen by the publisher are transmitted for review, hosting, sharing, sale and buyer delivery. Marketplace items can include integrations, modules, standalone apps, settings sets, workflows, connector packages or other reusable assets. For code-containing Marketplace items, exployt recommends package minimization and obfuscation where appropriate and can support that workflow. The legal page is the canonical source. ## Service availability and SLA Support requests sent to office@exployt.ai or submitted through product support/feedback forms receive an initial response within 24 hours. exployt cloud is needed for account creation, login/account management, billing, payment, subscription/license validation, Marketplace cloud actions and fresh entitlement checks. Ordinary desktop project work is local-first: the desktop app keeps a signed entitlement snapshot with a maximum 72-hour grace window, so transient server outages do not immediately remove access to subscription-locked features. If an exployt cloud outage occurs, the operational commitment is to restore the account/subscription service before that 72-hour grace window expires. This public commitment does not create service credits unless a separate written enterprise agreement says so. ## Security and certification status Security and compliance information is published at https://exployt.ai/security and in plain text at https://exployt.ai/trust.txt, https://exployt.ai/security.txt and https://exployt.ai/faq-security.txt. As of 2026-07-08, exployt is not ISO 27001 certified and does not provide a SOC 2 Type I or Type II report. exployt is preparing the control documentation, risk assessment, access-review evidence, incident-response evidence, vendor review and management-review material needed for an ISO 27001 or SOC 2 readiness/audit process. ## DPA, subprocessors and data residency Business and enterprise customers can request a Data Processing Agreement by contacting office@exployt.ai. exployt is preparing a public DPA package and expects to publish it in the coming weeks. The primary production web service is hosted on Microsoft Azure in the West Europe region (Netherlands). Current service providers for the public website, account service, billing, email, security and optional website analytics stack include Microsoft Azure, Stripe, Resend, MaxMind offline geolocation data, and optional Google Analytics 4 / Microsoft Clarity website analytics where enabled. Customer-selected AI providers, Git services, tools, plugins, connectors, OpenRouter and local Ollama models used by the desktop app are chosen or configured by the customer and are not exployt cloud subprocessors for local project content. ## Export, deletion and exit Local project files, source code, agent history, local credentials and the local project database remain under customer control during ordinary desktop-app operation. The project database is a local SQLite database stored under the project's .exployt folder; when local database encryption is not enabled, it can be inspected or exported with ordinary SQLite-compatible tools. exployt also provides export/import flows for workflows, settings sets and many configuration assets such as agent/workflow settings. Project content leaves the local boundary only through explicit user actions: the customer selects a cloud AI provider or external tool and sends task context to it, publishes selected files and metadata as a Marketplace item for sharing or sale, or submits a support/bug report after preview and confirmation. The Terms do not restrict customers from using their own local project data with other software. Cloud account data and personal data requests are handled under the Privacy Policy and applicable law. Some records must be retained for legal, tax, accounting, fraud-prevention, dispute or security reasons.