SiteTrust Terms and Conditions

Table of Contents

1. Definitions

The following defined terms apply throughout these Terms:

2. Description of Services: The Four-Pillar Framework

SiteTrust's certification and advisory services are organized around the Four-Pillar Framework. Each pillar represents a distinct domain of AI governance accountability. The scope of services available under each pillar is described below.

2.1 Pillar 1 — Transparency

Transparency services address an organization's obligations to disclose its AI systems, use cases, data practices, and governance commitments to internal and external stakeholders. Services under this pillar include:

• AI system inventory documentation and disclosure framework development

• AI Usage Policy drafting, review, and alignment with applicable disclosure laws

• Content labeling standards implementation (AI-Generated, AI-Assisted, AI as Tool)

• Consumer notice templates (website banners, chatbot disclosures, email footers, point-of-sale notices)

• Transparency self-assessment and gap analysis against the Tier 1 certification standard

2.2 Pillar 2 — Governance

Governance services address the structures, processes, and controls organizations establish to oversee AI systems throughout their lifecycle. Services under this pillar include:

• AI governance framework design (committee charter, roles, decision rights, escalation paths)

• AI use case intake and pre-deployment risk review processes

• AI risk assessment and scoring methodology implementation

• AI vendor due diligence program development

• AI incident response planning and tabletop exercises

• Board and executive AI governance reporting frameworks

2.3 Pillar 3 — Compliance

Compliance services address an organization's obligations under applicable AI laws, regulations, and enforcement frameworks. Services under this pillar include:

• Jurisdiction-specific regulatory compliance mapping (California, Colorado, Illinois, Texas, EU, and others)

• Annual AI impact assessment support (Colorado SB 24-205 and analogous requirements)

• FTC compliance self-audit and substantiation review

• Regulatory change monitoring and alert services (powered by the SiteTrust Regulatory Tracker)

• Compliance certification checklist development and renewal support

2.4 Pillar 4 — Workforce Sustainability

Workforce Sustainability services address the human dimensions of AI deployment, including workforce impact, employee training, and responsible AI in employment decisions. Services under this pillar include:

• AI workforce impact assessment (evaluating effects on roles, skills, and workforce composition)

• Employee AI training program design and delivery

• AI-augmented role description frameworks and job description updates

• Employment AI disclosure compliance (Illinois AEDT, and state-law analogues)

• Employee AI concern reporting mechanism design

3. Certification Tiers, Badge Rights, and Obligations

SiteTrust awards certifications at three tier levels. The following table defines each tier, the certification scope, and the badge rights associated with each.

3.1 Badge Display Requirements

All badge display is subject to the following requirements:

• Badges must be displayed in the form provided by SiteTrust, without modification to colors, proportions, or text

• Badge display must link to the SiteTrust public certification registry entry for the Client

• Clients may not use the Badge or SiteTrust name to imply endorsement of any product, service, or claim not covered by the certification scope

• Clients may not display a Badge for a tier or pillar they have not been certified for

• Upon expiration, suspension, or revocation of certification, the Client must remove all Badge displays within 5 business days

3.2 Certification Renewal

Certifications are valid for the periods stated in Section 3 above. Renewal requires:

• Completion of an updated assessment reflecting any material changes in the Client's AI systems, operations, or applicable regulations since the prior certification

• Payment of the applicable renewal fee

• Confirmation of continued compliance with the requirements of the certified tier(s) and pillar(s)

SiteTrust will provide renewal notice no later than 90 days before expiration. Failure to renew by the expiration date results in automatic badge suspension pending renewal. Certifications lapsed for more than 6 months require a new application.

3.3 Suspension and Revocation

SiteTrust may suspend or revoke certification upon:

• Material misrepresentation in a certification application or assessment

• Material breach of these Terms that remains uncured for 30 days following written notice

• A regulatory finding, enforcement action, or court order establishing that the Client's AI practices are inconsistent with the certified standard

• Failure to renew certification within the applicable period

• Voluntary withdrawal by the Client

Upon suspension, the Client's badge display rights are immediately suspended. SiteTrust will provide written notice of suspension with a cure period of 30 days (where the breach is curable). Revocation is permanent and requires a new application for recertification.

4. Certified Trust Advisor (CTA) Program Terms

4.1 CTA Credentialing Requirements

To earn and maintain CTA status, a candidate must:

• Complete SiteTrust's CTA training curriculum, covering the Four-Pillar Framework, advisory methodology, legal context, client communication, and SiteTrust tools

• Pass the CTA assessment with a minimum qualifying score established by SiteTrust

• Execute the CTA Program Agreement, including confidentiality and code of conduct provisions

• Complete continuing education requirements (minimum 8 hours per year) to maintain CTA status

• Maintain professional standards consistent with the CTA Code of Conduct

4.2 CTA Scope of Authority

CTAs are authorized to:

• Represent themselves as Certified Trust Advisors under the SiteTrust framework

• Use SiteTrust's CTA designation, tools, and materials in client engagements as authorized

• Recommend clients for SiteTrust certification across all four pillars and three tiers

• Deliver pillar health assessments, implementation guidance, and compliance advisory services using SiteTrust's framework

CTAs are not authorized to:

• Issue, award, modify, suspend, or revoke SiteTrust certifications or badges (all certification decisions are made by SiteTrust)

• Execute contracts on behalf of SiteTrust or bind SiteTrust to any obligation

• Represent themselves as employees, agents, or officers of SiteTrust

• Modify, rebrand, or create derivative works from SiteTrust's proprietary materials without written authorization

• Offer legal advice to clients regarding AI regulation or compliance — CTAs must direct clients to engage qualified legal counsel for legal matters

4.3 CTA Commission Structure

Commission rates, payment schedules, clawback provisions, and pipeline attribution are set forth in the CTA Program Agreement and the current Pricing Schedule. The following general terms apply:

• Commissions are earned upon client payment of the applicable SiteTrust service fee

• Commissions are subject to clawback if the underlying client contract is cancelled or refunded within 90 days of execution

• CTAs must maintain accurate client attribution records; disputed attributions are resolved under the process set forth in the CTA Program Agreement

• SiteTrust reserves the right to modify commission rates with 60 days advance notice to active CTAs

4.4 CTA Decertification

SiteTrust may suspend or revoke CTA status upon:

• Failure to complete annual continuing education requirements

• Material violation of the CTA Code of Conduct

• Misrepresentation to clients regarding CTA scope, certification authority, or SiteTrust's services

• Unauthorized disclosure of client or SiteTrust Confidential Information

• Material breach of the CTA Program Agreement

CTA decertification is subject to the notice and cure process set forth in the CTA Program Agreement. Decertified CTAs must immediately cease use of the CTA designation and SiteTrust materials.

5. Trust Center Terms of Use

5.1 Access and Account Security

Trust Center access is granted to Clients and authorized CTAs upon execution of the applicable agreement and completion of account setup. Account holders are responsible for:

• Maintaining the confidentiality of account credentials

• All activity conducted under their account

• Immediately notifying SiteTrust of any unauthorized access or security incident at wecare@sitetrust.com

SiteTrust may suspend or terminate Trust Center access upon material breach of these Terms, non-payment of fees, or as required for security purposes. SiteTrust will provide notice prior to suspension except in cases of security risk or legal obligation.

5.2 Acceptable Use

Trust Center users may not:

• Use Trust Center tools or materials for any purpose outside the scope of their SiteTrust engagement or CTA authorization

• Attempt to access accounts, data, or areas of the platform for which they are not authorized

• Upload malicious code, harmful content, or materials that infringe third-party intellectual property rights

• Reverse-engineer, scrape, or systematically extract Trust Center content outside of authorized export functions

• Share access credentials with unauthorized individuals

• Use the Trust Center to facilitate deceptive, fraudulent, or unlawful AI practices

5.3 Content Ownership and Data Rights

Client-uploaded content (governance documents, policies, AI system inventories, assessment responses) remains the property of the Client. SiteTrust does not claim ownership of Client-uploaded content. SiteTrust's rights to Client-uploaded content are limited to:

• Processing the content as necessary to deliver the contracted Services

• Retaining the content for the periods required by the applicable retention schedule in the Privacy Policy

• Using aggregated, de-identified insights to improve SiteTrust's tools and standards (no individual client data is identifiable in such improvements)

Trust Center templates, tools, assessment frameworks, and other SiteTrust-created content are and remain SiteTrust IP, licensed to Clients and CTAs under Section 8 (Intellectual Property).

5.4 Tool Usage Limits

Tool usage limits, API call limits, document storage limits, and user seat counts are set forth in the applicable Order Form or Pricing Schedule. Clients who exceed usage limits will be notified and offered options to upgrade their plan. SiteTrust will not suspend access for usage overages without prior notice and a 15-day cure period.

5.5 Monitoring and Audit

SiteTrust reserves the right to monitor Trust Center usage to ensure compliance with these Terms, investigate security incidents, and maintain platform performance. Monitoring is conducted in accordance with the Privacy Policy. SiteTrust will not access Client-uploaded content for monitoring purposes except as necessary to investigate a specific security or compliance concern, with notice to the Client where practicable.

6. Fees and Payment

6.1 Fees

Fees for SiteTrust's Services are set forth in the applicable Order Form or the current Pricing Schedule. SiteTrust reserves the right to update the Pricing Schedule with 60 days advance notice. Fee changes do not affect active Order Forms during their term.

6.2 Payment Terms

Unless otherwise specified in an Order Form:

• Certification fees are due upon execution of the applicable agreement

• Subscription and platform fees are billed in advance on the applicable billing cycle (monthly or annual)

• Advisory services are invoiced upon delivery of each milestone or on a monthly basis as specified in the SOW

• Invoices are due net 30 days from the invoice date

• Late payments accrue interest at 1.5% per month (or the maximum rate permitted by law, if lower)

6.3 Taxes

Fees are exclusive of applicable taxes. Client is responsible for all applicable taxes, levies, or duties imposed on Services, excluding taxes based on SiteTrust's net income. Where SiteTrust is required by law to collect taxes, they will be added to Client's invoice.

6.4 Refunds

SiteTrust's refund policy is as follows:

• Certification application fees are non-refundable once SiteTrust has commenced the assessment process

• Subscription fees paid in advance are non-refundable for the current billing period upon cancellation; cancellation takes effect at end of the current period

• Advisory service fees for completed milestones are non-refundable

• Refunds for uncompleted milestones or services not yet delivered will be issued within 30 days of a valid refund request, less any reasonable costs incurred

7. Confidentiality

7.1 Mutual Obligations

Each party agrees to: (a) keep the other party's Confidential Information strictly confidential; (b) not disclose Confidential Information to any third party without the disclosing party's prior written consent; (c) use Confidential Information only for the purposes of performing or receiving the Services; and (d) protect Confidential Information with at least the same degree of care used to protect its own confidential information, and no less than reasonable care.

7.2 Exceptions

Confidentiality obligations do not apply to information that: (a) is or becomes publicly known through no breach of these Terms; (b) was rightfully known to the receiving party before disclosure; (c) is independently developed by the receiving party without use of Confidential Information; or (d) is required to be disclosed by applicable law, court order, or government authority (in which case the receiving party will provide prompt written notice to the disclosing party, to the extent permitted by law).

7.3 CTA Confidentiality

CTAs are separately bound by confidentiality obligations in the CTA Program Agreement and CTA-Specific NDA. CTAs who access Client data through the Trust Center are bound by both these Terms and the Client's data sharing authorization. Any CTA who receives Confidential Information in the course of a client engagement must treat it as confidential both during and after the engagement period.

8. Intellectual Property

8.1 SiteTrust IP

All SiteTrust IP — including the Four-Pillar Framework, certification methodology, assessment tools, training materials, Trust Center software, templates, and the SiteTrust brand and badge — is and remains the exclusive property of SiteTrust. Nothing in these Terms transfers ownership of SiteTrust IP to Client or any CTA.

8.2 License to Clients

Subject to Client's compliance with these Terms and payment of applicable fees, SiteTrust grants Client a limited, non-exclusive, non-transferable, revocable license to:

• Access and use Trust Center tools and templates for Client's internal AI governance purposes

• Display the applicable SiteTrust Badge during the active certification period in accordance with Section 3.1

• Implement SiteTrust-provided templates and frameworks within Client's own policies, governance documents, and compliance programs

This license terminates upon expiration or termination of Client's certification or service agreement. Upon termination, Client must cease all use of SiteTrust IP and remove all Badge displays.

8.3 License to CTAs

Subject to the CTA Program Agreement and CTA's compliance with these Terms, SiteTrust grants CTAs a limited, non-exclusive, non-transferable, revocable license to:

• Use SiteTrust's CTA designation, tools, and materials in authorized client engagements

• Access the CTA Toolkit within the Trust Center for purposes of client advisory services

• Reference SiteTrust's Four-Pillar Framework and methodology in client proposals and deliverables

CTAs may not create derivative works from SiteTrust materials, rebrand SiteTrust content, or sublicense SiteTrust IP without written authorization.

8.4 Client IP

Client retains ownership of all documents, policies, and proprietary information Client uploads to the Trust Center. Client grants SiteTrust a limited license to process and store such content solely as necessary to deliver the Services, as described in Section 5.3.

9. AI-Assisted Services: Disclaimers and Limitations

9.1 AI as a Support Tool, Not a Decision-Maker

AI tools used by SiteTrust assist SiteTrust professionals in analysis, research, and content generation. They do not make final certification decisions, issue or revoke badges, or determine compliance findings independently. All certification determinations, assessment findings communicated to Clients, and advisory recommendations are reviewed by a qualified SiteTrust professional before delivery.

9.2 Templates Are Not Legal Advice

SiteTrust's templates, frameworks, checklists, and model language — whether AI-assisted or manually drafted — are provided as governance and compliance tools. They are not legal advice. SiteTrust is not a law firm and does not practice law. Clients should engage qualified legal counsel to review any SiteTrust template before relying on it for legal compliance purposes, particularly in regulated industries or jurisdictions with active AI enforcement.

9.3 Regulatory Intelligence Limitations

SiteTrust's Regulatory Tracker and Trust Signal are designed to provide timely, accurate intelligence on AI regulatory developments. However:

• Regulatory content is provided for informational purposes only and does not constitute legal advice

• The regulatory landscape is evolving rapidly; clients should not rely solely on SiteTrust's summaries for compliance decisions

• SiteTrust makes reasonable efforts to ensure accuracy but does not guarantee that all regulatory developments are captured or that summaries are error-free

• Clients in jurisdictions not covered by SiteTrust's monitoring scope should supplement with local counsel

9.4 AI System Assessments

When SiteTrust assesses a Client's AI systems as part of a certification or advisory engagement, such assessments are based on the information provided by the Client. SiteTrust's findings are limited by the accuracy and completeness of Client-provided information. SiteTrust is not responsible for certification outcomes based on materially inaccurate or incomplete disclosures by the Client.

10. Limitation of Liability

10.1 Disclaimer of Warranties

SITETRUST'S SERVICES, DELIVERABLES, AND TRUST CENTER PLATFORM ARE PROVIDED "AS IS" AND "AS AVAILABLE." SITETRUST MAKES NO WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, OR ACCURACY OF REGULATORY CONTENT. SITETRUST DOES NOT WARRANT THAT CERTIFICATION WILL RESULT IN REGULATORY COMPLIANCE, ABSENCE OF ENFORCEMENT ACTIONS, OR IMMUNITY FROM LIABILITY UNDER ANY LAW.

10.2 Limitation of Damages

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL SITETRUST BE LIABLE FOR: (A) INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES; (B) LOSS OF PROFITS, REVENUE, DATA, GOODWILL, OR BUSINESS OPPORTUNITY; OR (C) DAMAGES ARISING FROM RELIANCE ON AI-ASSISTED DELIVERABLES, REGULATORY INTELLIGENCE, OR TEMPLATE LANGUAGE, REGARDLESS OF WHETHER SITETRUST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

10.3 Cap on Liability

SITETRUST'S TOTAL CUMULATIVE LIABILITY TO CLIENT UNDER THESE TERMS WILL NOT EXCEED THE GREATER OF: (A) THE TOTAL FEES PAID BY CLIENT TO SITETRUST IN THE 12 MONTHS PRECEDING THE CLAIM; OR (B) $10,000. THIS CAP APPLIES TO ALL CLAIMS IN AGGREGATE, REGARDLESS OF THE FORM OF ACTION.

10.4 AI-Specific Liability Acknowledgment

Client acknowledges that: (a) SiteTrust certification does not guarantee that Client's AI systems comply with all applicable laws; (b) the AI regulatory environment is evolving and certain state laws (including California, Colorado, and Illinois) may limit a company's ability to fully disclaim liability for AI-related harm; and (c) Client remains solely responsible for its own AI governance practices, independent of its certification status. SiteTrust's liability for AI-assisted deliverables is limited to the same cap set forth in Section 10.3.

10.5 Indemnification

Each party agrees to indemnify, defend, and hold harmless the other party from third-party claims arising from: (a) the indemnifying party's gross negligence or willful misconduct; (b) breach of these Terms; or (c) infringement of a third party's intellectual property rights by materials provided by the indemnifying party. Client separately indemnifies SiteTrust for any claims arising from Client's misuse of SiteTrust-provided templates, inaccurate certification disclosures, or Client's own AI system operations.

11. Term and Termination

11.1 Term

These Terms are effective from the date Client first accesses SiteTrust's Services and continue until all active Order Forms, certifications, and program agreements expire or are terminated.

11.2 Termination for Cause

Either party may terminate these Terms or any Order Form immediately upon written notice if the other party: (a) materially breaches these Terms and fails to cure within 30 days of written notice; or (b) becomes insolvent, makes an assignment for the benefit of creditors, or has a receiver or trustee appointed.

11.3 Termination for Convenience

Client may terminate any Order Form for convenience with 60 days written notice. Fees paid for the current term are non-refundable; unpaid fees for work completed or milestones delivered are due upon termination.

11.4 Effect of Termination

Upon termination or expiration:

• Client's certification(s) and Badge display rights terminate as set forth in Section 3

• Trust Center access terminates on the effective date of termination

• Each party returns or destroys the other party's Confidential Information (except as required for legal compliance)

• Sections 7 (Confidentiality), 8 (IP), 9 (Disclaimers), 10 (Liability), 11.4, and 12 (Disputes) survive termination

12. Dispute Resolution

12.1 Governing Law

These Terms are governed by the laws of the State of Ohio, without regard to its conflict of law principles.

12.2 Informal Resolution

Before initiating formal dispute resolution, the parties agree to attempt to resolve any dispute through good-faith negotiation for a period of 30 days following written notice of the dispute.

12.3 Binding Arbitration

If informal resolution fails, disputes shall be resolved by binding arbitration administered by the American Arbitration Association (AAA) under its Commercial Arbitration Rules. The arbitration shall take place in Fairlawn, Ohio. The arbitrator's decision shall be final and binding, and judgment may be entered in any court of competent jurisdiction.

12.4 Class Action Waiver

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, CLIENT WAIVES THE RIGHT TO PARTICIPATE IN CLASS ACTION PROCEEDINGS AND AGREES TO RESOLVE DISPUTES WITH SITETRUST ONLY ON AN INDIVIDUAL BASIS.

12.5 Exceptions

Notwithstanding Section 12.3, either party may seek injunctive or other equitable relief in any court of competent jurisdiction to protect intellectual property rights, prevent unauthorized use of Confidential Information, or address imminent harm.

13. General Provisions

13.1 Entire Agreement

These Terms, together with any applicable Order Forms, SOWs, CTA Program Agreement, and SiteTrust's Privacy Policy, constitute the entire agreement between the parties with respect to the Services and supersede all prior agreements, understandings, and negotiations relating to the subject matter hereof.

13.2 Order of Precedence

In the event of conflict, the order of precedence is: (1) executed Order Form or SOW; (2) CTA Program Agreement (for CTAs); (3) these Terms; (4) the Privacy Policy.

13.3 Amendments

SiteTrust may update these Terms with 30 days advance notice for material changes. Continued use of Services after the effective date constitutes acceptance of the updated Terms. SiteTrust will maintain a version history of prior Terms accessible upon request.

13.4 Severability

If any provision of these Terms is found unenforceable, the remaining provisions will continue in full force and effect. The unenforceable provision will be modified to the minimum extent necessary to make it enforceable, consistent with the parties' original intent.

13.5 Waiver

Failure to enforce any provision of these Terms does not constitute a waiver of SiteTrust's right to enforce that provision in the future.

13.6 Assignment

Client may not assign these Terms or any rights hereunder without SiteTrust's prior written consent. SiteTrust may assign these Terms in connection with a merger, acquisition, or sale of substantially all assets, with notice to Client.

13.7 Force Majeure

Neither party is liable for delays or failures in performance resulting from causes beyond its reasonable control, including natural disasters, acts of government, telecommunications failures, or other events outside the affected party's reasonable control. The affected party must provide prompt written notice and use reasonable efforts to mitigate the impact.

13.8 Notices

Notices under these Terms must be in writing and delivered by: (a) email to the address on file with a read receipt or confirmation; (b) overnight courier; or (c) certified mail, return receipt requested. SiteTrust's notice address is: SiteTrust, Attn: Legal, 2725 Abington Road, Suite 202, Fairlawn, Ohio 44333. Email: wecare@sitetrust.com.