Business Terms of Use (B2B) — ReplicaZero
Version: 1.0 — MVP
Effective date: June 28, 2026
Last updated: June 28, 2026
These Business Terms of Use ("B2B Terms") govern the access and use of the ReplicaZero platform ("Platform"), including the Business Console ("Console") and integration APIs, by the legal entity ("Company" or "Partner") that contracts or uses the services to request, collect, and manage identity data of its respective clients and users ("End Users").
By creating a business account, accessing the Console, or integrating ReplicaZero APIs, the Company agrees to and is fully bound by these B2B Terms.
1. The ReplicaZero B2B Ecosystem
ReplicaZero provides a decentralized, sovereign identity-based PrivacyTech infrastructure, allowing the Company to request and receive registration data directly from End Users with speed, security, and consent traceability.
1.1 Platform Features for Businesses
The Platform provides the Company with:
- Web Console: Control panel to create and manage Data Request Profiles, configure Webhooks, view consent interaction reports, and export data.
- Uplink (Data Request): Sending data requests to End Users (via QR Code, push, or email) based on pre-defined Request Profiles.
- CrossLink (Preliminary Onboarding): Route that allows the Company to fill in basic registration data on behalf of an End User, subject to verification and active consent via a temporary token (OTP), as detailed in Section 3.2.
- Reception of DropLinks: Panel and APIs to accept or reject registration data sent spontaneously by End Users to the Company.
2. Legal Relationship and Roles under LGPD (Law No. 13,709/2018)
For all compliance purposes with the Brazilian General Data Protection Law (LGPD), the parties declare and establish that:
- The Company acts as the CONTROLLER (Art. 5, VI, of the LGPD): The Company is solely responsible for determining the purposes, legal bases (Art. 7 of the LGPD), and scope of the processing of registration data received through the Platform. It is up to the Company to decide what data to request, what to use it for, and how to protect it on its own servers.
- ReplicaZero acts as the PROCESSOR (Art. 5, VII, of the LGPD): ReplicaZero processes personal data in transit (Uplinks, DropLinks, CrossLinks, and staging) strictly in the name and under the technical guidelines parameterized by the Company. ReplicaZero functions as a blind tunnel of encrypted transit (Zero-Knowledge), not retaining or processing personal identity data of End Users for its own purposes.
3. Obligations and Responsibilities of the Company
The Company's compliance with the LGPD and other applicable laws is an obligatory condition for maintaining the license to use the Platform.
3.1 Guarantee of Purpose and Transparency
- The Company undertakes to use the Platform to obtain data from End Users always linked to a legitimate and explicit purpose (Art. 6, I of the LGPD). The cryptographic consent of the data subject or the legal basis for processing will be documented electronically at the moment of transaction acceptance (Consent Receipt) by the End User.
- The Company must provide clear, transparent, and accurate information to End Users regarding the specific purpose of collecting each requested data field.
3.2 Validation and Consent in the Use of CrossLink
CrossLink is a convenience tool that allows preliminary data to be filled in on behalf of End Users who do not yet have the application installed. The validation and consent flow occurs as follows:
- The Company enters the preliminary registration data (including email) of the End User into the Console.
- The Platform temporarily stores the data in an encrypted format in server memory and sends an email with a one-time password (OTP) to the End User.
- The End User, upon receiving the email, must actively pass this OTP to the Company. The entry of the OTP by the Company in the Console validates and formalizes the unequivocal manifestation of consent of the data subject for the processing of that data.
- After this validation by OTP, the encrypted data remains stored in temporary memory for up to 24 (twenty-four) hours (TTL). The End User has this time limit to install the application and claim the data ("Claim") to their local Vault. After 24 hours without a claim, the data is permanently deleted from ReplicaZero's servers (Forget).
3.3 Minimization and Adequacy Principle
The Company must create Data Request Profiles containing only the fields strictly necessary to achieve the declared purpose (Art. 6, I and III of the LGPD). ReplicaZero reserves the right to audit Profiles and suspend requests that require sensitive or disproportionate data without proper technical/legal justification.
3.4 APIs, Integration Keys, and Fanout Configuration
- The Company is responsible for providing the correct credentials, API tokens, and endpoints in the Console for the execution of automated data delivery (Webhooks/Fanout) to its own ecosystem.
- ReplicaZero undertakes to store and process these credentials and API secrets of the Company in an encrypted and secure environment, using them solely for the purpose of performing the integrations and transfers configured by the Company.
3.5 Console Access Security and ReplicaZero Edge API Keys
- The Company is fully responsible for maintaining the confidentiality and security of all access credentials (logins and passwords) of its employees for Console operation.
- For system integrations via APIs (such as the ReplicaZero Edge API), the Company will generate API keys ("API Keys") in the Console. The secure storage, safeguarding, and non-exposure of these API Keys (which grant administrative access to query and trigger data transactions on behalf of the Company) are the exclusive and non-transferable responsibility of the Company.
- Any unauthorized access, data leak, or misuse resulting from compromised employee credentials or API Keys generated for the Company's integration shall be the sole responsibility of the Company, exempting ReplicaZero from any liability or damages.
4. Anti-Abuse Policy and Prohibited Practices
To preserve the integrity of the ReplicaZero network and the privacy of data subjects, it is expressly forbidden for the Company to:
- Send repetitive, excessive, or abusive data requests to ZeroTags of users without a direct business relationship, constituting Spam.
- Use the Platform to collect data from minors under 18 years of age without proper legal guardian authorization, as required by local law.
- Use reverse engineering techniques on the APIs or attempt to bypass the cryptographic signature (Dual Request Signing) and RASP protection mechanisms of the Mobile Application.
Warning: Infringement of any clause in this Section 4 may result in the immediate suspension and unilateral blocking of the Company's account in the Console, without prejudice to any damages and sanctions provided for under the LGPD.
5. Billing, Payments, and Tariffs
5.1 Pricing Model and Payments
Access to the Platform by the Company may be subject to a subscription fee (SaaS) and/or a transactional fee based on the volume of data requests and shares successfully processed (e.g., Pay-as-you-go). The specific tariffs, billing cycles, and payment methods applicable to the Company are defined during account registration or in a separate commercial agreement.
5.2 Tariff Changes
ReplicaZero reserves the right to modify its tariffs, subscription plans, or transactional fees at any time. The Company will be notified of any price changes with at least 30 (thirty) days' prior written notice (via email or Console dashboard). Continued use of the Platform after the new tariffs take effect constitutes the Company's explicit agreement to the updated pricing.
5.3 Payment Processing and Security
To guarantee maximum security and PCI compliance, ReplicaZero does not natively collect, process, or store full credit card data. All financial transactions are tokenized and processed by authorized third-party payment gateways. ReplicaZero will not share transaction data except with its payment processors or in response to valid legal demands.
5.4 Default and Suspension
In the event of non-payment, expired payment methods, or negative balances, ReplicaZero reserves the right to automatically suspend the Company's API keys, Webhooks, and access to the Console until the outstanding balance is settled. Suspension for non-payment does not exempt the Company from paying accumulated fees.
5.5 Taxes
Unless otherwise stated, all fees are exclusive of applicable taxes, levies, or duties imposed by taxing authorities. The Company is responsible for payment of all such taxes or withholdings associated with its use of the Platform, excluding taxes based solely on ReplicaZero's net income.
6. Limitation of Liability and Disclaimer
6.1 Post-Delivery Data Custody
From the moment the encrypted data envelope is delivered to the Company (via Webhook, API, or CSV file export from the Console), the data enters the exclusive custody of the Company. ReplicaZero is not responsible for data leaks, losses, unauthorized alterations, or any improper use of the information within the Company's internal infrastructure, servers, or systems.
6.2 End User Decisions
The End User has absolute control over sharing their data. ReplicaZero is not responsible for any refusals (rejections of requests) made by End Users, nor for the entry of incomplete or inaccurate data by them in the local application (Vault).
6.3 SLA and Technical Availability
The platform is offered "as is" and "as available." Although ReplicaZero uses best practices for redundancy and infrastructure (AWS/Cloudflare), uninterrupted or error-free operation 100% of the time is not guaranteed. ReplicaZero will not be liable for loss of profits or indirect damages caused by temporary unavailability of the APIs or the Console.
7. Consent Audit (Consent Receipts)
With each successful sharing, the Platform records a Consent Receipt containing cryptographic hashes and digital signatures of the user's device.
- ReplicaZero will keep these consent receipts stored for a period of 5 (five) years for audit purposes and compliance with the Company's legal obligation to prove the data subject's consent.
- The Company may access and extract these receipts through the corporate Console at any time during the term of its account.
8. Contracting Entity, Governing Law, and Jurisdiction
The ReplicaZero entity the Company is contracting with, the governing law that will apply to any dispute arising out of these B2B Terms, and the jurisdiction designated to resolve such disputes depend on where the Company is domiciled (primary place of business):
8.1 For Companies Located in Brazil
- Contracting Entity: [Legal Name of the Brazilian Entity Ltda.], a company registered under CNPJ [Insert CNPJ], headquartered in Curitiba, State of Paraná, Brazil.
- Governing Law: The laws of the Federative Republic of Brazil, in particular Law No. 13,709/2018 (LGPD) and Law No. 10,406/2002 (Civil Code).
- Jurisdiction: The Judicial District of Curitiba, State of Paraná, Brazil, to the exclusion of any other court.
8.2 For Companies Located Outside of Brazil (Rest of the World)
- Contracting Entity: [Legal Name of the US Entity LLC], a company registered in Delaware, headquartered in Houston, Texas, United States of America.
- Governing Law: The laws of the State of Delaware and applicable federal laws of the United States of America, without regard to its conflict of laws principles.
- Jurisdiction: The state and federal courts located in Harris County, Texas, United States of America.