Merchant Terms of Service

1. Agreement to Terms

These Merchant Terms of Service (“Terms”) constitute a legally binding agreement between your organisation (“you”, “your”, or “Merchant”) and SEQURE PTY LTD (ABN pending), trading as Sequre Information Management (“Sequre”, “we”, “our”, or “us”).

By registering as a tenant on the Sequre platform, creating OAuth clients, or integrating with our authentication or identity verification APIs, you agree to be bound by these Terms. The individual accepting these Terms represents and warrants that they have authority to bind the organisation.

These Terms should be read in conjunction with our Privacy Policy and the Customer Terms of Service that apply to your end users.

2. Description of Services

Sequre provides merchants with infrastructure to integrate authentication and identity verification into their products and services:

2.1 Authentication Services

OAuth 2.0 and OpenID Connect (OIDC) authentication, allowing your users to log in to your applications using their Sequre identity. This includes passkey (WebAuthn) authentication, federated sign-in, and session management.

2.2 Identity Verification Services

Access to identity verification assertions for your users, subject to user consent. This includes age verification, identity level assertions, and other verification attributes as available. You receive assertions about your users (for example, that a user is over 18), not the underlying identity documents or raw personal information.

2.3 Portal

A management portal for configuring your integration, managing OAuth clients and API keys, viewing usage, and administering your tenant account.

3. Tenant Registration

3.1 Business Verification

You must provide accurate business details when registering, including your legal entity name and Australian Business Number (ABN) where applicable. We may verify these details and may refuse or revoke registration if information is found to be inaccurate.

3.2 Account Administration

The individual who registers the tenant account is designated the account owner. You may add team members with appropriate roles (admin, viewer). You are responsible for managing access to your tenant account and for the actions of all team members.

3.3 KYC Verification

Depending on the services you access and your plan tier, the account owner or authorised representative may be required to complete identity verification (KYC) before certain features are enabled.

4. Data Obligations

Your obligations under this section are fundamental to this agreement. Breach of these obligations may result in immediate suspension of your tenant account and all associated services, and may expose you to significant regulatory penalties.

4.1 Purpose Limitation

Personal information and identity assertions you receive through the Sequre platform must be used solely for the purpose for which they were requested and for which the user granted consent. You must not:

• Use personal information for any purpose beyond what was disclosed to the user at the time of consent
• Aggregate, correlate, or combine personal information received from Sequre with data from other sources to build profiles beyond the consented scope
• Sell, licence, or otherwise transfer personal information received through Sequre to any third party
• Retain personal information longer than necessary for the stated purpose

4.2 Cross-Application Data Isolation

If you operate multiple applications (OAuth clients) on the Sequre platform, you must treat the personal information received by each application as separate and isolated. You must not correlate, cross-reference, or combine user data across your applications unless the user has given explicit, informed consent for that specific combination.

Sequre uses pairwise subject identifiers to enforce this separation at a technical level. Each of your applications receives a different identifier for the same user. Any attempt to circumvent this separation is a serious breach of these Terms.

4.3 No Scraping or Bulk Collection

You must not use the Sequre platform to systematically collect, harvest, or scrape personal information or identity assertions in bulk. Identity requests must be made in the context of a genuine, user-initiated interaction with your application.

4.4 Security Obligations

You must implement and maintain appropriate technical and organisational security measures to protect any personal information received through the Sequre platform. At a minimum, you must:

• Encrypt personal information in transit and at rest
• Restrict access to personal information to authorised personnel only
• Maintain access logs for personal information
• Promptly notify Sequre of any data breach involving personal information received through our platform

4.5 Regulatory Compliance

You are responsible for your own compliance with all applicable privacy and data protection laws, including but not limited to:

• The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)
• The Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth), where applicable to your business
• The General Data Protection Regulation (GDPR), where you process data of individuals in the European Economic Area
• Any other applicable privacy, data protection, or consumer protection legislation in the jurisdictions in which you operate

Sequre provides infrastructure and assertions. You remain the data controller (or equivalent under applicable law) for the personal information you collect about your users, and you bear full responsibility for how that information is used.

4.6 User Rights

You must respect the rights of your users under applicable privacy law, including rights of access, correction, and deletion. Where a user exercises their rights in relation to data you received through Sequre, you must comply with that request in accordance with applicable law.

5. Monitoring and Enforcement

5.1 Activity Monitoring

Sequre monitors the use of its platform to ensure compliance with these Terms and to protect end users. This includes monitoring the volume, frequency, and patterns of identity requests and authentication flows associated with your tenant account.

5.2 Anomaly Detection

Unusual patterns of activity — such as spikes in identity requests, bulk requests for specific data fields, or requests inconsistent with your application’s stated purpose — may trigger a review. We may contact you to request an explanation before taking further action.

5.3 Investigation and Audit

We reserve the right to investigate suspected breaches of these Terms. In the course of an investigation, we may:

• Review logs and analytics associated with your tenant account
• Request information from you about your data handling practices
• Engage external auditors where appropriate

You agree to cooperate with any reasonable investigation in a timely manner. Failure to cooperate may itself be grounds for suspension.

6. Suspension and Termination

6.1 Immediate Suspension

We may immediately suspend your entire tenant account, without prior notice, if we reasonably believe that:

• You have breached any of the data obligations in Section 4
• Your use of the platform poses a risk to the privacy or security of end users
• You are using the platform for unlawful purposes
• We have received a complaint, regulatory enquiry, or legal direction concerning your handling of data received through Sequre

6.2 Effect of Suspension

When a tenant account is suspended, the following takes effect immediately:

• All OAuth clients owned by your tenant are deactivated
• All API keys are revoked
• All webhook endpoints are disabled
• Identity requests from your applications are rejected — no personal information is returned
• Portal access is restricted to a suspension notice — all management operations are blocked
• New OAuth authentication flows cannot be initiated through your clients

Existing user sessions authenticated through your clients will expire naturally but cannot be renewed. End users of other merchants and of the Sequre platform itself are not affected by your suspension.

6.3 Reinstatement

Reinstatement of a suspended tenant account is at the sole discretion of Sequre and requires:

• Resolution of the issue that led to suspension
• Satisfactory evidence of remediation and future compliance
• Manual review and reactivation of each client, API key, and webhook by Sequre operations

Reinstatement does not automatically restore your previous configuration. Resources are reviewed and re-enabled individually to ensure compliance.

6.4 Termination by You

You may terminate your tenant account at any time by contacting us. Upon termination, all clients, API keys, and webhooks will be deactivated. You must ensure that your users are informed and can make alternative arrangements for any services that relied on Sequre authentication.

6.5 Termination by Us

We may terminate your tenant account with 90 days’ written notice if we discontinue the service or can no longer support your integration. During this notice period, we will make reasonable efforts to assist you in migrating to an alternative solution.

We may terminate immediately for cause, including material breach of these Terms. Even in cases of immediate termination, you may request a review of the decision under Section 6.6.

6.6 Dispute and Review Process

If you believe a suspension or termination decision is unjustified, you may request a formal review within 14 days by writing to legal@seqim.com.au. We will:

• Acknowledge your request within 3 business days
• Provide a written explanation of the grounds for our decision
• Consider any evidence or context you provide in support of your position
• Issue a determination within 14 business days, which may include reinstatement, continued suspension with conditions, or confirmation of termination

This review process does not affect your right to pursue formal dispute resolution under Section 19.2.

7. Regulatory Penalties

Misuse of personal information received through the Sequre platform may expose you to significant regulatory penalties under applicable law, including:

• Australian Privacy Act 1988 (APP 6): Penalties of up to $50,000,000 AUD for serious or repeated breaches of the Australian Privacy Principles, as amended by the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022
• Notifiable Data Breaches scheme: Obligations to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in the event of an eligible data breach, with penalties for failure to notify
• GDPR (where applicable): Penalties of up to 4% of annual global turnover or €20,000,000 (whichever is greater) for breaches of data protection obligations under Article 83

Sequre may cooperate with regulatory authorities — including the OAIC and relevant GDPR Data Protection Authorities — in any investigation relating to your handling of personal information received through our platform.

These are the penalties imposed by regulators. They are separate from and additional to any remedies available to Sequre under these Terms, including suspension, termination, and indemnification.

8. Accountability

8.1 Tenant Administrator Accountability

Your organisation is responsible for ensuring that the tenant account owner and any administrators with access to personal information or platform management functions comply with these Terms and applicable law. Where a breach of the data obligations in Section 4 is attributable to the deliberate or reckless conduct of an individual administrator, that individual may be held personally accountable under applicable privacy and data protection law.

The scope and application of individual accountability may be modified by a separate enterprise agreement where one is in effect.

8.2 Record Keeping

You must maintain adequate records of how personal information received through the Sequre platform is used, stored, and (where applicable) deleted. These records must be available for review upon reasonable request from Sequre or a regulatory authority.

8.3 Breach Notification

If you become aware of any breach, suspected breach, or potential breach of the data obligations in Section 4 — whether by your employees, contractors, or systems — you must notify Sequre within 24 hours at security@seqim.com.au.

9. Intellectual Property

9.1 Sequre Property

All content, software, APIs, documentation, trademarks, and other intellectual property associated with the Sequre platform are owned by or licensed to SEQURE PTY LTD. You are granted a limited, non-exclusive, non-transferable, revocable licence to use our APIs and services in accordance with these Terms.

9.2 Use of Sequre Branding

You may use the Sequre name and logo solely to indicate that your application integrates with the Sequre platform, and only in accordance with any brand guidelines we provide. You must not use our branding in a way that implies endorsement, partnership, or affiliation beyond the integration.

10. Disclaimers

10.1 Services Provided “As Is”

To the maximum extent permitted by law, our services are provided “as is” and “as available”, without warranties of any kind. We do not warrant uninterrupted or error-free operation of the platform.

10.2 Identity Verification and Trust

Sequre provides identity verification assertions that include a trustworthiness level derived from initial verification and ongoing monitoring. Where payment services are enabled, Sequre performs ongoing monitoring for fraud and AML/CTF compliance for transactions that fall outside the scope of financial services providers (such as card networks operating over payment platforms).

While we take reasonable steps to ensure the accuracy and timeliness of our verification and monitoring services, no system can guarantee the complete elimination of fraud or identity misuse. Sequre’s assertions and trustworthiness levels are provided as part of a broader risk framework and should be used alongside your own risk management processes where appropriate.

10.3 Australian Consumer Law

Nothing in these Terms excludes, restricts, or modifies any guarantee, right, or remedy conferred on you by the Competition and Consumer Act 2010 (Cth), Schedule 2 (Australian Consumer Law), or any other applicable law that cannot be excluded by agreement.

11. Limitation of Liability

11.1 Exclusion of Consequential Loss

To the maximum extent permitted by law, Sequre is not liable for any indirect, incidental, special, consequential, or punitive damages, or any loss of profits, revenue, data, customers, or business opportunity, arising out of or related to your use of our services.

11.2 Cap on Liability

To the maximum extent permitted by law, our total aggregate liability to you for all claims arising out of or related to these Terms is limited to the greater of: (a) the amount you have paid to Sequre in the 12 months preceding the claim; or (b) AUD $100.

11.3 Exceptions

The limitations in this section do not apply to: (a) liability that cannot be excluded under applicable law; (b) your indemnification obligations under Section 12; or (c) liability arising from your breach of the data obligations in Section 4.

12. Indemnification

12.1 Merchant Indemnification

You agree to indemnify and hold harmless Sequre, its officers, directors, employees, and agents from and against any claims, liabilities, damages, losses, and expenses (including reasonable legal fees) arising out of or related to:

• Your breach of these Terms, including the data obligations in Section 4
• Any misuse, unauthorised disclosure, or loss of personal information received through the Sequre platform
• Any claim by a user, regulator, or third party relating to your handling of personal information
• Your violation of any applicable law or regulation
• Any regulatory penalty, fine, or enforcement action arising from your data handling practices

12.2 Sequre Indemnification

Sequre agrees to indemnify and hold harmless the Merchant, its officers, directors, employees, and agents from and against any claims, liabilities, damages, losses, and expenses (including reasonable legal fees) arising out of or related to:

• Any claim that the Merchant’s authorised use of the Sequre platform in accordance with these Terms infringes a third party’s intellectual property rights
• Sequre’s breach of its obligations under the Privacy Act 1988 (Cth) in relation to personal information processed by Sequre
• Sequre’s gross negligence or wilful misconduct in the provision of the platform services

12.3 Indemnification Procedure

The indemnified party must: (a) promptly notify the indemnifying party in writing of any claim; (b) give the indemnifying party reasonable control of the defence and settlement of the claim; and (c) provide reasonable cooperation at the indemnifying party’s expense. The indemnifying party must not settle any claim in a manner that imposes obligations on the indemnified party without their prior written consent.

13. Service Levels

13.1 Availability Target

Sequre targets 99.9% availability for its authentication and identity verification services, measured monthly, excluding scheduled maintenance and events covered under Section 16 (Force Majeure).

13.2 Scheduled Maintenance

We will provide at least 48 hours’ notice for scheduled maintenance that may affect service availability. Where practicable, maintenance will be scheduled outside peak business hours (Australian Eastern Time).

13.3 Service Credits

If monthly availability falls below the target for merchants on a paid plan, service credits will be applied as follows:

• Below 99.9% but above 99.0%: 10% credit on the affected month’s fees
• Below 99.0% but above 95.0%: 25% credit on the affected month’s fees
• Below 95.0%: 50% credit on the affected month’s fees

Service credits are applied to future invoices and do not constitute a cash refund. Service credits are your sole and exclusive remedy for failure to meet the availability target, except as otherwise required by law.

13.4 Plan Tiers

Service level commitments and credit entitlements apply to paid plan tiers only. Free-tier accounts are provided on a best-effort basis without availability commitments or service credits.

14. Fees and Payment

14.1 Pricing

Fees for use of the Sequre platform are as published on our website or as agreed in a separate enterprise agreement. We may update published pricing with at least 30 days’ notice. Price changes do not apply to the current billing period.

14.2 Payment Terms

Invoices are payable within 30 days of issue. Late payments incur interest at a rate of 10% per annum above the Reserve Bank of Australia cash rate, calculated daily on the outstanding amount.

14.3 Taxes

All fees are exclusive of GST and other applicable taxes. Where GST applies, it will be added to the invoice in accordance with the A New Tax System (Goods and Services Tax) Act 1999 (Cth).

15. Confidentiality

15.1 Confidential Information

“Confidential Information” means any non-public information disclosed by one party to the other in connection with these Terms, including business plans, technical data, integration architecture, usage data, pricing, and any information marked or reasonably understood to be confidential. Confidential Information does not include information that: (a) is or becomes publicly available through no fault of the receiving party; (b) was already known to the receiving party prior to disclosure; (c) is independently developed without reference to the disclosing party’s information; or (d) is required to be disclosed by law or regulatory authority.

15.2 Obligations

Each party agrees to: (a) use the other party’s Confidential Information only for the purposes contemplated by these Terms; (b) protect it with at least the same degree of care used to protect their own confidential information (and no less than reasonable care); and (c) not disclose it to third parties except to employees, contractors, or advisers who need to know and are bound by equivalent confidentiality obligations.

15.3 Duration

Confidentiality obligations survive termination of these Terms for a period of 3 years, except for trade secrets which remain protected indefinitely.

16. Force Majeure

Neither party is liable for any failure or delay in performing its obligations under these Terms (other than payment obligations) where such failure or delay results from circumstances beyond the party’s reasonable control, including but not limited to: natural disasters, pandemic, war, terrorism, government actions or orders, failure of third-party infrastructure providers, power outages, or internet disruptions.

The affected party must: (a) promptly notify the other party of the force majeure event and its expected duration; (b) use reasonable efforts to mitigate the impact; and (c) resume performance as soon as practicable.

If a force majeure event continues for more than 60 days, either party may terminate these Terms by written notice, without liability for the termination itself.

17. Data Processing

17.1 Sequre as Processor

To the extent that Sequre processes personal information on your behalf in the course of providing authentication and identity verification services, Sequre acts as a data processor (or equivalent under applicable law). You remain the data controller.

17.2 Data Processing Addendum

A Data Processing Addendum (DPA) aligned with the Australian Privacy Principles (APP 8) and, where applicable, GDPR Article 28, is available on request for merchants who require formalised data processing terms. The DPA, where executed, forms part of these Terms.

18. Changes to These Terms

We may update these Terms from time to time. Where changes are material, we will notify you by email at least 30 days before the changes take effect. Your continued use of the platform after the effective date constitutes acceptance.

If you do not agree with updated Terms, you may terminate your tenant account before the effective date.

19. Governing Law and Dispute Resolution

19.1 Governing Law

These Terms are governed by and construed in accordance with the laws of the State of New South Wales, Australia. You submit to the non-exclusive jurisdiction of the courts of New South Wales.

19.2 Dispute Resolution

Before commencing legal proceedings, you agree to first attempt to resolve any dispute through good-faith negotiation. Either party may initiate the dispute resolution process by written notice. If the dispute cannot be resolved within 30 days, either party may pursue formal remedies.

20. General Provisions

20.1 Relationship to Other Agreements

These Terms, together with our Privacy Policy, form the base agreement between your organisation and Sequre. Where you have entered into a separate enterprise agreement with Sequre, that agreement may extend or override specific provisions of these Terms. In the event of a conflict between these Terms and a signed enterprise agreement, the enterprise agreement prevails.

20.2 Severability

If any provision of these Terms is found to be invalid or unenforceable, the remaining provisions continue in full force and effect.

20.3 Waiver

Our failure to enforce any provision does not constitute a waiver of that provision.

20.4 Assignment

Neither party may assign or transfer their rights or obligations under these Terms without the prior written consent of the other party, except in connection with a merger, acquisition, or sale of substantially all of the assigning party’s assets, provided the assignee agrees to be bound by these Terms.

20.5 Notices

Notices from Sequre will be sent to the billing email address associated with your tenant account. You are responsible for keeping this address current. Notices from you should be sent to the contact details in Section 21.

21. Contact

For questions about these Terms, to report a data breach, or to initiate a dispute resolution process:

SEQURE PTY LTD
Trading as Sequre Information Management
Legal: legal@seqim.com.au
Security: security@seqim.com.au
General: contact@seqim.com.au