Terms and Conditions

1. Introduction and Acceptance of Terms

1.1 Agreement to Terms

These Terms and Conditions, together with any applicable Order Form, Service Plan, API Documentation, Privacy Policy, Data Processing Addendum, Service Level Agreement, Acceptable Use Policy, and any product-specific addenda, form a legally binding agreement between you and MudraID.

By creating an account, registering a bot, registering a website, requesting or verifying a Mudra Token, using the MudraID APIs, integrating the Mudra Gateway, accessing the Public Key Directory, or otherwise using any MudraID service, you agree to be bound by these Terms.

If you are using MudraID on behalf of a company, organization, government body, partnership, or other legal entity, you confirm that you have the legal authority to accept these Terms on behalf of that entity. In that case, “you” and “Customer” refer to that entity.

If you do not agree to these Terms, you must not access or use MudraID.

MudraID may provide identity, verification, trust scoring, gateway, API, developer tooling, and related services for AI agents, bots, websites, APIs, and enterprise systems. These Terms govern your use of those services.

1.2 Who May Use MudraID

MudraID is intended for business, developer, enterprise, organizational, and professional use only. It is not intended for consumer, household, personal, or non-business use, or for use by individuals who are not legally able to enter into binding agreements.

You may use MudraID only if:

a. you are legally permitted to enter into these Terms;
b. you are not prohibited from using MudraID under applicable law;
c. you are not located in, organized under the laws of, or ordinarily resident in a country or territory subject to sanctions or trade restrictions that prohibit your use of MudraID;
d. you will use MudraID only for lawful purposes;
e. you will comply with these Terms, the Acceptable Use Policy, the API Documentation, and all applicable laws and regulations;
f. any bots, AI agents, websites, APIs, or systems you register or connect to MudraID are owned, operated, or lawfully controlled by you, or you have proper authorization to manage them.

MudraID may refuse registration, suspend access, revoke credentials, or terminate an account if MudraID reasonably believes that a user, account, bot, website, API, integration, or activity creates legal, security, fraud, abuse, reputational, operational, or compliance risk.

1.3 Business Use and Authority to Bind an Organization

MudraID is designed primarily for business and professional use, including use by bot developers, AI agent builders, website owners, API providers, SaaS providers, security teams, platform operators, and enterprises.

If you use MudraID for an organization, you represent and warrant that:

a. you are authorized to create the account and use the services on behalf of that organization;
b. you are authorized to register bots, AI agents, websites, domains, APIs, public keys, gateway configurations, or other technical assets on behalf of that organization;
c. you are authorized to bind the organization to these Terms;
d. all information you provide about the organization, its bots, websites, APIs, domains, and use cases is accurate, complete, and not misleading;
e. the organization is responsible for all activity under its account, including activity by its employees, contractors, administrators, developers, bots, agents, integrations, and API credentials.

If you are not authorized to act on behalf of an organization, you must not register that organization, its bots, its websites, its domains, its APIs, or its technical assets with MudraID.

MudraID may request verification of your authority, organization identity, domain ownership, bot ownership, or system control. Failure to provide satisfactory verification may result in refusal, suspension, limitation, or termination of access.

1.4 Relationship Between Terms, Order Forms, Service Plans, API Documentation, Privacy Policy, DPA, SLA, and Acceptable Use Policy

These Terms are the main legal terms governing your use of MudraID. Additional documents may also apply depending on the services you use, the plan you select, and the way you integrate MudraID.

The following documents may form part of your agreement with MudraID:

a. Order Form — describes commercial terms such as subscription plan, fees, usage limits, billing cycle, committed usage, support level, and contract period;
b. Service Plan — describes the features, limits, quotas, entitlements, and restrictions applicable to your selected plan;
c. API Documentation — describes technical requirements, endpoints, authentication methods, token handling, verification methods, gateway configuration, public-key lookup, rate limits, and integration instructions;
d. Privacy Policy — explains how MudraID collects, uses, stores, and protects personal data;
e. Data Processing Addendum or DPA — applies where MudraID processes personal data on behalf of a Customer as a processor or service provider;
f. Service Level Agreement or SLA — describes uptime commitments, service credits, support levels, exclusions, and availability terms, if applicable to your plan;
g. Acceptable Use Policy — describes prohibited uses, abuse rules, security restrictions, bot behavior restrictions, and enforcement rights;
h. Product-Specific Addenda — may apply to specific MudraID products or features, including APIs, Mudra Gateway, trust scoring, public-key directory, beta services, SDKs, enterprise features, or marketplace integrations.

If there is a conflict between these documents, the following order of precedence applies unless expressly stated otherwise:

the applicable Order Form;

the applicable product-specific addendum;

the Data Processing Addendum, but only for personal data processing matters;

the Service Level Agreement, but only for service availability and service credit matters;

these Terms;

the Acceptable Use Policy;

the Service Plan;

the API Documentation.

API Documentation may be updated from time to time to reflect product changes, security improvements, technical requirements, or deprecated functionality. You are responsible for reviewing and following the current API Documentation when integrating with MudraID.

1.5 Changes to These Terms

MudraID may update these Terms from time to time. Changes may be made to reflect new services, changes in law, security requirements, technical changes, business changes, or improvements to the MudraID platform.

If MudraID makes material changes to these Terms, MudraID will provide notice through reasonable means, such as by posting the updated Terms on the MudraID website, sending an email notification, displaying an in-product notice, or notifying account administrators.

Unless a different effective date is stated, updated Terms will become effective when posted or when notice is provided. For material changes, MudraID may provide a reasonable advance notice period where legally or commercially appropriate.

Your continued use of MudraID after the updated Terms become effective means that you accept the updated Terms.

If you do not agree to the updated Terms, you must stop using MudraID before the updated Terms become effective. If you have a paid subscription, your rights after rejection of updated Terms will be handled according to the applicable Order Form, Service Plan, or termination provisions of these Terms.

MudraID may make immediate changes where required for legal, security, fraud prevention, service integrity, or operational reasons. In such cases, changes may take effect immediately.

2. Definitions

For the purposes of these Terms, the following definitions apply. Some terms may also be defined elsewhere in these Terms, an Order Form, Service Plan, API Documentation, Privacy Policy, Data Processing Addendum, Service Level Agreement, Acceptable Use Policy, or product-specific addendum.

2.1 MudraID

“MudraID” means the identity, trust, token issuance, token verification, public-key directory, gateway, trust scoring, audit, and related services provided by MudraID, including any websites, dashboards, APIs, SDKs, developer tools, gateway components, documentation, software, and related infrastructure made available by MudraID.

MudraID may also be referred to as “we,” “us,” or “our” in these Terms.

2.2 Services

“Services” means all products, services, software, APIs, dashboards, developer tools, SDKs, gateway components, verification services, public-key directory services, trust scoring services, documentation, support services, and related features made available by MudraID.

The Services may include, without limitation:

a. bot and AI agent registration;
b. website and domain registration;
c. public-key registration and discovery;
d. client credential issuance;
e. Mudra Token issuance;
f. JWT and JWKS-based verification;
g. verification API services;
h. Mudra Gateway services;
i. trust score or trust level services;
j. abuse reporting and investigation tools;
k. logging and audit services;
l. bot-to-bot signature verification support;
m. SDKs, plugins, and integration tools.

2.3 Customer

“Customer” means the person, company, organization, government body, partnership, sole proprietor, developer, platform operator, website owner, API provider, or other legal entity that creates an account, signs an Order Form, registers a bot, registers a website, uses the APIs, integrates Mudra Gateway, verifies a Mudra Token, accesses the Public Key Directory, or otherwise uses the Services.

Where an individual uses the Services on behalf of an organization, “Customer” refers to that organization.

2.4 End User

“End User” means any person, employee, contractor, developer, administrator, user, system, bot, AI agent, website, API, or technical process that accesses or uses the Services through, under, or in connection with a Customer account.

Customers are responsible for the acts and omissions of their End Users.

2.5 Bot / AI Agent

“Bot” or “AI Agent” means any automated, semi-automated, software-based, model-based, script-based, API-driven, or AI-enabled system that performs actions, sends requests, accesses websites, interacts with APIs, communicates with other bots, executes workflows, retrieves information, submits data, or performs tasks on behalf of a user, developer, organization, platform, or system.

A Bot may include, without limitation:

a. AI assistants;
b. autonomous agents;
c. workflow agents;
d. web automation agents;
e. research agents;
f. booking agents;
g. customer support agents;
h. API agents;
i. scraping or crawling agents;
j. enterprise automation bots;
k. bot-to-bot communication agents;
l. software agents using large language models or other AI models.

A Bot does not become safe, trusted, endorsed, or legally compliant merely because it is registered with MudraID or has received a Mudra Token.

2.6 Bot Developer

“Bot Developer” means a person, company, organization, platform operator, or other entity that creates, owns, operates, controls, registers, manages, or deploys a Bot using MudraID.

A Bot Developer is responsible for the accuracy of bot registration information, the security of bot credentials and private keys, the behavior of its Bots, and compliance with these Terms and applicable law.

2.7 Website Owner

“Website Owner” means a person, company, organization, platform operator, API provider, domain owner, or other entity that owns, controls, operates, manages, or has authorization to register a website, domain, API, application, service, or digital property with MudraID.

A Website Owner may use MudraID to verify Mudra Tokens, configure bot access policies, use the Mudra Gateway, check trust levels, report abuse, or control how Bots interact with its websites, APIs, or systems.

2.8 Registered Bot

“Registered Bot” means a Bot that has been registered with MudraID by a Customer or Bot Developer and assigned a MudraID bot identity, client credentials, public-key record, metadata record, or other registration profile.

Registration of a Bot does not mean that MudraID approves, certifies, guarantees, endorses, or accepts responsibility for the Bot, its owner, its behavior, its output, its purpose, its security, or its compliance with law.

2.9 Mudra Token

“Mudra Token” means a cryptographically signed token issued by MudraID to represent a registered Bot’s identity, status, claims, permissions, trust information, or other metadata.

A Mudra Token may be implemented as a JSON Web Token or another supported token format described in the API Documentation.

A Mudra Token may include, without limitation:

a. bot identifier;
b. issuer information;
c. token issue time;
d. token expiration time;
e. token audience;
f. token scope;
g. trust level or trust-related claims;
h. registration status;
i. other technical or policy-related claims.

A Mudra Token is used for identity and verification purposes. It does not guarantee that a Bot is safe, lawful, accurate, non-malicious, or suitable for a particular purpose.

2.10 JWT, JWKS, API Credentials, Client ID, and Client Secret

“JWT” means JSON Web Token, a token format used to securely transmit claims between parties.

“JWKS” means JSON Web Key Set, a public-key format used to verify the signature of tokens issued by MudraID.

“API Credentials” means credentials issued or accepted by MudraID for authentication, authorization, token issuance, API access, or service integration. API Credentials may include client IDs, client secrets, API keys, access tokens, refresh tokens, signing keys, certificates, or similar credentials.

“Client ID” means a public or semi-public identifier assigned to a Customer, Bot, application, or integration.

“Client Secret” means a confidential credential issued by MudraID or generated for use with MudraID that must be kept secure and must not be disclosed, exposed, shared, embedded in public code, or made available to unauthorized parties.

2.11 Public Key and Private Key

“Public Key” means a cryptographic key that may be uploaded, registered, stored, displayed, shared, or made discoverable through MudraID for the purpose of verifying signatures, tokens, or bot-to-bot messages.

“Private Key” means the corresponding confidential cryptographic key that is used to create signatures or prove control of an identity.

Customers, Bot Developers, and Bots are responsible for protecting their Private Keys. Unless MudraID expressly agrees otherwise in writing, MudraID does not store, manage, custody, recover, or protect Customer Private Keys.

Compromise, loss, theft, misuse, or exposure of a Private Key may allow unauthorized parties to impersonate a Bot or sign messages. Customers must notify MudraID promptly if they suspect that a Private Key or credential has been compromised.

2.12 Trust Score / Trust Level

“Trust Score” or “Trust Level” means a rating, score, level, classification, status, signal, or indicator assigned or made available by MudraID to help assess the relative trust, risk, reputation, registration status, or policy status of a Bot, Customer, website, API, or integration.

A Trust Score or Trust Level may be based on information such as:

a. registration information;
b. verification status;
c. usage history;
d. token activity;
e. abuse reports;
f. policy violations;
g. manual review;
h. automated risk signals;
i. security incidents;
j. customer feedback;
k. gateway decisions;
l. other data available to MudraID.

Trust Scores and Trust Levels are mutable and may change over time. They are risk indicators only. They are not guarantees of safety, legality, accuracy, quality, reliability, good behavior, or future conduct.

2.13 Mudra Gateway

“Mudra Gateway” means a gateway, proxy, middleware, edge component, plugin, hosted service, self-hosted component, or integration tool provided or supported by MudraID that helps websites, static sites, APIs, or digital services verify Mudra Tokens, apply bot access policies, check trust levels, filter requests, block requests, throttle requests, or route traffic.

The Mudra Gateway may inspect incoming requests, verify tokens, query MudraID services, cache verification data, enforce policy rules, generate logs, and forward or block traffic according to Customer configuration and MudraID security controls.

2.14 Verification Service

“Verification Service” means the MudraID service, API, endpoint, JWKS endpoint, token validation mechanism, or related infrastructure used to verify Mudra Tokens, check token status, validate signatures, confirm bot registration, retrieve trust levels, or return verification results.

Verification may confirm that a token appears to have been issued by MudraID and has not expired according to available information. Verification does not guarantee that the Bot is safe, authorized for every action, legally compliant, or free from malicious behavior.

2.15 Public Key Directory

“Public Key Directory” means the MudraID registry, directory, API, endpoint, or service that stores, publishes, exposes, or makes available Public Keys, bot identifiers, registration status, and related metadata for supported verification purposes.

The Public Key Directory may be used by websites, APIs, Bots, Customers, or other systems to verify signed messages, validate bot identity, check registration status, or support bot-to-bot communication.

MudraID may limit, restrict, rate limit, modify, or remove access to the Public Key Directory for security, privacy, abuse prevention, compliance, operational, or legal reasons.

2.16 Customer Data

“Customer Data” means data, content, information, metadata, configurations, keys, identifiers, domain information, bot information, website information, API information, policy settings, logs, messages, requests, or other materials submitted to, uploaded to, generated through, processed by, or stored in the Services by or on behalf of a Customer.

Customer Data may include, without limitation:

a. account information;
b. organization information;
c. bot metadata;
d. website metadata;
e. domain records;
f. public keys;
g. gateway configuration;
h. access policies;
i. abuse reports;
j. verification logs;
k. token request logs;
l. integration configuration;
m. support communications.

Customer Data does not include MudraID’s platform software, APIs, algorithms, models, trust scoring methods, security systems, aggregated analytics, anonymized data, or Usage Data, except where applicable law provides otherwise.

2.17 Usage Data / Telemetry Data

“Usage Data” or “Telemetry Data” means technical, operational, security, diagnostic, statistical, and analytical data generated from the use, performance, security, operation, or availability of the Services.

Usage Data may include, without limitation:

a. API request counts;
b. token issuance events;
c. verification events;
d. response times;
e. error rates;
f. rate-limit events;
g. gateway decisions;
h. traffic patterns;
i. abuse indicators;
j. threat signals;
k. service performance metrics;
l. feature usage;
m. logs used for security, fraud prevention, compliance, debugging, billing, and service improvement.

MudraID may use Usage Data to operate, secure, monitor, improve, and support the Services, develop new features, detect abuse, enforce policies, calculate fees, and improve trust and verification systems.

2.18 Beta Services

“Beta Services” means any service, feature, API, SDK, gateway component, trust scoring function, dashboard feature, integration, documentation, or product capability that MudraID identifies as alpha, beta, preview, pilot, experimental, evaluation, early access, limited release, private beta, public beta, or similar.

Beta Services may be incomplete, unstable, unavailable, inaccurate, changed, restricted, suspended, or discontinued at any time. Beta Services are provided for testing and evaluation unless expressly stated otherwise.

2.19 Documentation

“Documentation” means the official technical, operational, product, API, gateway, SDK, integration, security, and support documentation made available by MudraID.

Documentation may include, without limitation:

a. API reference materials;
b. integration guides;
c. token issuance instructions;
d. token verification instructions;
e. JWKS usage guidance;
f. gateway setup instructions;
g. SDK instructions;
h. public-key directory usage rules;
i. rate-limit information;
j. service plan limits;
k. security guidance;
l. support articles;
m. product-specific instructions.

MudraID may update the Documentation from time to time. Customers are responsible for following the current Documentation when using or integrating the Services.

3. Description of MudraID Services

3.1 General Description

MudraID provides identity, token issuance, token verification, trust signaling, public-key discovery, gateway, logging, and related services for Bots, AI Agents, websites, APIs, applications, and enterprise systems.

The Services are designed to help Customers identify registered Bots, verify certain cryptographic credentials, apply Customer-defined access policies, support bot-to-bot verification, and make more informed decisions about automated access.

MudraID is a trust and identity infrastructure provider. MudraID does not operate, control, supervise, guarantee, or accept responsibility for the Bots, websites, APIs, applications, systems, content, data, actions, decisions, outputs, or business processes of Customers or third parties.

Unless expressly stated in an applicable Order Form or product-specific addendum, MudraID does not guarantee that the Services will detect, prevent, block, or stop all unauthorized access, malicious bots, scraping, abuse, fraud, security incidents, impersonation, token misuse, credential compromise, or other harmful activity.

3.2 Bot and AI Agent Registration

MudraID may allow Customers to register Bots or AI Agents and create associated identity records. Registration may include information such as bot name, bot identifier, owner information, developer information, use case, description, endpoint information, public keys, trust-related metadata, and other technical or operational details.

Customers are solely responsible for ensuring that all registration information is accurate, complete, lawful, current, and not misleading.

MudraID may approve, reject, suspend, limit, revoke, or remove any Bot registration at any time if MudraID reasonably believes that the Bot, its owner, its metadata, its behavior, its credentials, or its use of the Services creates security, legal, compliance, fraud, operational, reputational, or abuse risk.

Registration of a Bot with MudraID does not mean that MudraID endorses, certifies, audits, guarantees, approves, or accepts responsibility for the Bot, its developer, its owner, its behavior, its output, its purpose, its security, or its compliance with law.

3.3 Website, API, and Domain Registration

MudraID may allow Customers to register websites, APIs, domains, applications, or other digital services for the purpose of verifying Mudra Tokens, applying access policies, using the Mudra Gateway, checking trust information, or managing automated access.

Customers represent and warrant that they own, operate, or have proper authorization to register and manage any website, API, domain, application, or digital service submitted to MudraID.

MudraID may require proof of ownership, control, authorization, or administrative authority before enabling certain features. MudraID may reject, suspend, restrict, or remove any website, API, domain, application, or service registration if MudraID reasonably believes that the registration is unauthorized, inaccurate, misleading, harmful, unlawful, or risky.

Customers remain solely responsible for configuring and enforcing access rules for their websites, APIs, applications, and systems.

3.4 Token Issuance Services

MudraID may issue Mudra Tokens to Registered Bots or approved integrations through supported token issuance methods described in the Documentation.

Mudra Tokens may include claims relating to bot identity, issue time, expiration time, issuer, audience, scope, trust level, registration status, or other technical and policy-related information.

MudraID may refuse to issue a token, limit token issuance, shorten token duration, revoke tokens, invalidate tokens, rotate signing keys, suspend credentials, or require additional verification where MudraID reasonably believes such action is necessary for security, abuse prevention, compliance, operational integrity, legal compliance, or protection of MudraID, Customers, third parties, or the Services.

A Mudra Token is a technical identity and verification artifact. It is not a guarantee that a Bot is safe, lawful, accurate, non-malicious, properly authorized for every action, or suitable for any particular use case.

3.5 Token Verification Services

MudraID may provide token verification services through supported methods such as JWKS, verification APIs, SDKs, gateway components, or other mechanisms described in the Documentation.

Verification services may help Customers determine whether a Mudra Token appears to be valid, properly signed, unexpired, associated with a registered Bot, or linked to certain trust-related information.

Verification results are provided based on information available to MudraID at the time of verification. Such information may be incomplete, delayed, cached, unavailable, inaccurate, or subject to later change.

Customers are solely responsible for deciding whether to allow, deny, throttle, challenge, monitor, or otherwise respond to a Bot, request, token, message, or interaction. MudraID is not responsible for any Customer decision made based on verification results, trust levels, policies, cached data, logs, Documentation, or other information provided through the Services.

3.6 Public Key Directory Services

MudraID may provide a Public Key Directory to support verification of Bot identities, token signatures, signed messages, and bot-to-bot communication.

The Public Key Directory may include public keys, bot identifiers, registration status, and related metadata. MudraID may control what information is displayed, restricted, hidden, rate limited, cached, modified, or removed.

Customers are responsible for registering correct public keys, protecting corresponding private keys, rotating keys when necessary, and promptly notifying MudraID of any suspected key compromise.

MudraID does not guarantee that a public key, directory entry, metadata record, or verification result proves that a Bot’s current behavior is safe, lawful, accurate, authorized, or non-malicious.

3.7 Mudra Gateway Services

MudraID may provide a Mudra Gateway as a hosted, self-hosted, proxy, middleware, edge, plugin, or integration component to help Customers verify Mudra Tokens and apply bot access policies to websites, static sites, APIs, or other services.

Depending on configuration, the Mudra Gateway may inspect requests, check tokens, query MudraID services, cache verification information, evaluate Customer-defined policies, generate logs, block requests, throttle requests, challenge requests, or forward requests to Customer systems.

Customers are solely responsible for correctly configuring, deploying, testing, monitoring, and maintaining the Mudra Gateway within their environment.

MudraID is not responsible for losses, downtime, incorrect blocking, incorrect allowing, degraded performance, misrouting, data exposure, security incidents, or business interruption caused by Customer configuration, Customer infrastructure, third-party infrastructure, DNS settings, hosting environments, network conditions, unsupported integrations, or failure to follow Documentation.

MudraID may apply emergency security controls, updates, restrictions, bypasses, or blocking actions where MudraID reasonably believes such action is necessary to protect the Services, Customers, third parties, or the integrity of MudraID.

3.8 Trust Score and Trust Level Services

MudraID may provide Trust Scores, Trust Levels, risk indicators, reputation signals, abuse indicators, registration status, or related trust information for Bots, accounts, integrations, websites, APIs, or other entities.

Trust-related information may be based on registration data, token activity, verification activity, usage patterns, abuse reports, Customer feedback, manual review, automated systems, security signals, gateway decisions, historical behavior, third-party reports, or other available information.

Trust Scores and Trust Levels are informational risk indicators only. They are not guarantees of safety, lawfulness, authorization, reliability, accuracy, quality, good behavior, future conduct, non-malicious intent, or suitability for a particular purpose.

MudraID may update, downgrade, upgrade, suspend, hide, remove, or modify trust-related information at any time. MudraID is not required to disclose all scoring methods, signals, weights, thresholds, investigation methods, security logic, or abuse detection methods.

Customers are solely responsible for determining how much weight to give any Trust Score, Trust Level, or risk indicator when making access-control, business, legal, compliance, or security decisions.

3.9 Bot-to-Bot Verification Support

MudraID may provide services that help Bots verify signed messages or identity claims from other Bots. Such services may include public-key lookup, bot metadata lookup, registration status lookup, trust-level lookup, token verification, or related cryptographic verification support.

Bot-to-bot verification helps determine whether a message or identity claim appears to be associated with a registered Bot or public key. It does not guarantee the truth, safety, legality, quality, intent, authorization, or reliability of the message content, the Bot’s actions, or the Bot’s future behavior.

Customers remain solely responsible for designing, implementing, and enforcing their own bot-to-bot communication rules, access controls, authorization flows, message validation, data handling rules, and security protections.

3.10 Logs, Audit Trails, and Reporting

MudraID may generate, collect, process, store, analyze, or display logs, audit trails, usage records, verification events, token issuance events, gateway events, abuse reports, trust events, API events, security events, and other operational records.

MudraID may use such information to provide the Services, secure the platform, investigate abuse, enforce these Terms, calculate fees, improve reliability, debug technical issues, support Customers, comply with legal obligations, and improve trust and verification systems.

Logs and audit records may not capture every event, request, decision, threat, failure, or interaction. MudraID does not guarantee that logs will be complete, error-free, continuously available, legally sufficient for every compliance requirement, or retained indefinitely.

Customers are responsible for maintaining their own logs, backups, records, compliance evidence, security monitoring, and incident response processes where required.

3.11 SDKs, Developer Tools, and Integration Materials

MudraID may provide SDKs, sample code, gateway configuration examples, API clients, command-line tools, plugins, libraries, scripts, templates, reference implementations, technical examples, or other developer materials.

Developer materials are provided to assist integration and may not be suitable for every environment, architecture, compliance requirement, security posture, or production use case.

Customers are responsible for reviewing, testing, securing, adapting, and validating any SDK, sample code, integration material, or developer tool before using it in production.

Unless expressly stated otherwise, SDKs, sample code, templates, and developer materials are provided as-is and without warranty.

3.12 Service Plans, Limits, and Feature Availability

MudraID may offer different Service Plans with different features, usage limits, rate limits, quotas, availability commitments, support levels, retention periods, security features, integration options, and pricing.

Features may vary by plan, region, customer type, product maturity, regulatory requirement, technical environment, or commercial agreement.

MudraID may impose, modify, or enforce limits on API calls, token issuance, verification requests, gateway traffic, public-key lookups, log retention, abuse reports, dashboard access, support requests, storage, bandwidth, or other usage.

MudraID may suspend, throttle, reject, or limit usage that exceeds applicable limits or creates risk to the Services, Customers, third parties, or MudraID.

3.13 Service Modifications and Discontinuation

MudraID may modify, update, improve, restrict, suspend, replace, deprecate, or discontinue any part of the Services from time to time.

MudraID may make changes for reasons including security, reliability, scalability, legal compliance, technical improvement, product development, cost management, abuse prevention, third-party dependency changes, or business needs.

Where commercially reasonable, MudraID may provide notice before materially discontinuing a generally available paid feature. However, MudraID may make immediate changes without prior notice where necessary for security, legal, operational, abuse prevention, or service integrity reasons.

3.14 No Transfer of Responsibility

MudraID helps provide identity, verification, trust signaling, and access-control support. It does not replace the Customer’s own security program, access-control systems, legal review, compliance program, user authorization process, incident response process, monitoring tools, or business judgment.

Customers remain responsible for:

a. their Bots and AI Agents;
b. their websites, APIs, applications, and systems;
c. their access-control decisions;
d. their use of Mudra Tokens and verification results;
e. their configuration of policies and gateway settings;
f. their compliance with laws and regulations;
g. their security architecture;
h. their private keys, credentials, and secrets;
i. their handling of data;
j. their relationship with their own customers, users, partners, and third parties.

4. Account Registration and Customer Responsibilities

4.1 Account Registration

To access or use certain MudraID Services, you may be required to create an account, provide registration information, accept these Terms, select a Service Plan, complete an Order Form, or complete additional verification steps.

You agree that all information you provide to MudraID will be accurate, complete, current, lawful, and not misleading. This includes information about you, your organization, your administrators, your developers, your Bots, your websites, your APIs, your domains, your use cases, your billing details, and any other information requested by MudraID.

You must promptly update your account information if it changes.

MudraID may reject, suspend, limit, or terminate an account if MudraID reasonably believes that the registration information is inaccurate, incomplete, outdated, misleading, fraudulent, unauthorized, unlawful, or creates legal, security, operational, reputational, fraud, abuse, or compliance risk.

4.2 Account Eligibility

You may create or use a MudraID account only if you are legally permitted to do so and are not prohibited from using the Services under applicable law or these Terms.

MudraID may require additional identity, business, domain, payment, security, technical, or authorization verification before allowing access to certain Services or features.

MudraID may refuse account creation or restrict access to the Services for any lawful reason, including where MudraID reasonably believes that the account, Customer, Bot, website, API, domain, integration, use case, jurisdiction, payment method, or activity presents unacceptable risk.

4.3 Organization Accounts

If you create or use an account on behalf of an organization, you represent and warrant that you have authority to act for that organization and to bind that organization to these Terms.

The organization is responsible for all activity under its account, including activity by administrators, employees, contractors, developers, agents, Bots, integrations, API credentials, gateway configurations, and any other users or systems acting through the account.

MudraID may treat actions taken by account administrators or authorized account users as actions taken by the Customer.

The Customer is responsible for managing internal approvals, access rights, role assignments, administrator privileges, and internal governance for its MudraID account.

4.4 Account Administrators and Users

Customers may be able to designate administrators, developers, operators, or other users with access to the MudraID account.

Customers are solely responsible for:

a. selecting trustworthy administrators and users;
b. assigning appropriate roles and permissions;
c. reviewing user access regularly;
d. removing users who no longer require access;
e. preventing unauthorized access;
f. monitoring account activity;
g. ensuring that all users comply with these Terms, the Acceptable Use Policy, the Documentation, and applicable law.

MudraID is not responsible for losses, unauthorized changes, credential exposure, bot registration errors, gateway misconfiguration, policy errors, data exposure, service disruption, or other harm caused by Customer administrators, users, employees, contractors, service providers, or other persons or systems acting through the Customer account.

4.5 Responsibility for Bots Registered Under the Account

Customers are responsible for all Bots, AI Agents, applications, scripts, automation tools, integrations, and systems registered, operated, connected, or used through their MudraID account.

This responsibility includes, without limitation:

a. ensuring that each Bot is lawfully owned, operated, or controlled by the Customer;
b. ensuring that each Bot is registered with accurate and current metadata;
c. ensuring that each Bot uses MudraID credentials, keys, tokens, and APIs securely;
d. ensuring that each Bot acts only within lawful and authorized purposes;
e. ensuring that each Bot does not impersonate others or misrepresent its identity;
f. monitoring Bot activity for misuse, compromise, or abnormal behavior;
g. responding promptly to abuse reports or security concerns;
h. disabling, rotating, or revoking credentials where compromise is suspected;
i. ensuring that Bots comply with third-party website, API, platform, and data-use rules.

MudraID is not responsible for Bot behavior, Bot outputs, Bot decisions, Bot communications, Bot misuse, Bot errors, Bot security vulnerabilities, or Bot compliance with laws or third-party terms.

4.6 Responsibility for Websites, APIs, Domains, and Integrations

Customers are responsible for all websites, APIs, domains, applications, services, infrastructure, and integrations registered, configured, connected, or protected through their MudraID account.

This responsibility includes, without limitation:

a. confirming that the Customer owns, operates, or is authorized to manage the relevant website, API, domain, application, or service;
b. configuring access policies correctly;
c. testing token verification, gateway rules, trust-level rules, block rules, allow rules, throttling rules, and fallback behavior before production use;
d. monitoring the effect of MudraID policies on legitimate and unwanted traffic;
e. maintaining their own security controls, authentication systems, authorization systems, logging systems, backups, and incident response processes;
f. complying with all laws, contracts, platform rules, privacy obligations, and third-party rights that apply to their websites, APIs, domains, applications, and services.

MudraID is not responsible for customer-side misconfiguration, DNS errors, hosting issues, third-party infrastructure issues, gateway deployment errors, incorrect access rules, incorrect policy settings, or business decisions made by the Customer.

4.7 Credential and Access Security

Customers are responsible for maintaining the confidentiality and security of all account credentials, administrator credentials, API Credentials, Client IDs, Client Secrets, API keys, tokens, signing keys, Private Keys, certificates, passwords, authentication factors, and other security credentials.

Customers must not:

a. share credentials with unauthorized persons;
b. expose credentials in public repositories, client-side code, logs, screenshots, documentation, support tickets, or unsecured systems;
c. embed secrets in publicly accessible applications;
d. use weak, reused, or compromised passwords;
e. bypass or disable required security controls;
f. allow unauthorized persons or systems to access the Services.

Customers must use reasonable security measures to protect credentials, including access control, least-privilege permissions, secure storage, secret management, key rotation, monitoring, and prompt revocation of compromised credentials.

MudraID is not responsible for losses, unauthorized access, token misuse, Bot impersonation, data exposure, service disruption, or other harm resulting from compromised, lost, stolen, leaked, misused, or mishandled Customer credentials, Private Keys, tokens, or account access.

4.8 Unauthorized Use and Security Notifications

Customers must notify MudraID promptly if they become aware of or reasonably suspect:

a. unauthorized access to their MudraID account;
b. compromise of any API Credential, Client Secret, Private Key, token, certificate, password, or authentication factor;
c. unauthorized registration of a Bot, website, API, domain, or integration;
d. misuse of a Mudra Token;
e. unauthorized use of the Public Key Directory;
f. gateway misconfiguration causing security or access issues;
g. abusive, unlawful, fraudulent, or harmful Bot activity;
h. any other security incident involving MudraID Services.

Notification to MudraID does not remove the Customer’s responsibility to investigate, mitigate, notify affected parties, comply with applicable laws, preserve evidence, rotate credentials, revoke keys, update configurations, or take other appropriate security actions.

MudraID may take reasonable steps in response to suspected unauthorized use or security risk, including suspending access, revoking credentials, invalidating tokens, disabling Bots, limiting API access, changing trust levels, blocking gateway traffic, requiring additional verification, or taking other protective action.

4.9 Customer Systems and Infrastructure

Customers are responsible for obtaining, maintaining, securing, and operating all systems, software, networks, browsers, devices, cloud services, DNS services, hosting environments, development environments, identity providers, firewalls, monitoring tools, and other infrastructure required to access or use MudraID.

MudraID is not responsible for failures, delays, security incidents, data loss, access issues, performance problems, misrouting, downtime, or other harm caused by Customer systems, third-party systems, internet connectivity, hosting providers, DNS providers, cloud providers, identity providers, firewalls, network rules, or unsupported environments.

4.10 Compliance with Laws and Third-Party Terms

Customers are responsible for ensuring that their use of MudraID complies with all applicable laws, regulations, industry rules, contractual obligations, website terms, API terms, platform policies, privacy obligations, data-protection requirements, export-control laws, sanctions rules, and third-party rights.

Customers must not use MudraID to enable, support, conceal, authenticate, verify, or legitimize unlawful, abusive, deceptive, harmful, unauthorized, or non-compliant activity.

MudraID is not responsible for determining whether a Customer’s Bots, websites, APIs, data, workflows, business operations, or use cases comply with applicable law or third-party terms.

4.11 Customer Decisions and Reliance on MudraID

Customers are responsible for all decisions they make using MudraID, including decisions to allow, block, throttle, challenge, trust, distrust, report, suspend, or interact with any Bot, website, API, token, message, integration, or third party.

MudraID may provide technical identity signals, verification results, Trust Scores, Trust Levels, logs, audit records, gateway actions, public-key information, and other information. Such information is provided to support Customer decision-making and does not replace the Customer’s independent judgment, security controls, legal review, compliance obligations, or operational responsibility.

Customers use MudraID outputs, trust signals, verification responses, logs, and recommendations at their own risk.

4.12 Cooperation with MudraID

Customers must reasonably cooperate with MudraID in connection with security investigations, abuse reports, compliance reviews, technical troubleshooting, service integrity issues, billing inquiries, and enforcement of these Terms.

MudraID may request information, documents, logs, technical evidence, ownership verification, domain verification, identity verification, security confirmations, or other materials reasonably necessary to investigate or resolve an issue.

Failure to cooperate may result in suspension, limitation, revocation, downgrade of trust status, termination, or other protective action.

4.13 Responsibility for End Users

Customers are responsible for ensuring that all End Users comply with these Terms, the Acceptable Use Policy, the Documentation, and applicable law.

Any breach of these Terms by an End User will be treated as a breach by the Customer.

Customers are responsible for all access, use, misuse, configurations, instructions, data submissions, Bot registrations, website registrations, token requests, verification requests, gateway actions, public-key directory lookups, and other activity performed by or on behalf of their End Users.

4.14 No Use on Behalf of Unauthorized Third Parties

Customers must not use MudraID to register, verify, impersonate, manage, protect, monitor, or control Bots, websites, APIs, domains, applications, systems, or organizations that they do not own, operate, or have express authorization to manage.

MudraID may require proof of authorization at any time. If MudraID reasonably believes that a Customer lacks proper authorization, MudraID may suspend, restrict, remove, or disable the relevant account, Bot, website, API, domain, integration, key, token, gateway configuration, or verification capability.

4.15 Customer Responsibility Continues After Integration

Integration with MudraID does not transfer responsibility for security, compliance, access control, system operation, or user protection from the Customer to MudraID.

Customers remain responsible for regularly reviewing their configuration, monitoring their systems, updating their integration, rotating credentials, responding to incidents, reviewing trust decisions, testing gateway behavior, and adapting their security controls as risks change.

5. Bot Registration and Identity Obligations

5.1 Bot Registration

MudraID may allow Customers to register Bots or AI Agents and create associated identity records within the Services.

A Bot registration may include information such as bot name, bot identifier, owner information, developer information, public key, use case, description, endpoint information, permitted domains, API access requirements, trust-related metadata, contact information, and other technical, operational, or policy-related information requested by MudraID.

Customers are solely responsible for ensuring that all Bot registration information is accurate, complete, current, lawful, and not misleading.

MudraID may approve, reject, suspend, revoke, limit, downgrade, hide, remove, or require correction of any Bot registration at any time if MudraID reasonably believes that the Bot, its owner, its metadata, its credentials, its keys, its activity, its use case, or its related account creates legal, security, fraud, abuse, compliance, operational, technical, or reputational risk.

5.2 Bot Identity Accuracy

Customers must not register a Bot using false, misleading, incomplete, deceptive, confusing, or unauthorized identity information.

Customers must not register a Bot in a way that impersonates or suggests false affiliation with any person, company, organization, government body, platform, website, product, trademark, service, or third party.

Customers must ensure that each Registered Bot has a clear and accurate identity that reasonably reflects the Bot’s owner, operator, purpose, and intended use.

MudraID may require Customers to update, correct, verify, or remove Bot identity information at any time.

5.3 Bot Ownership and Authority

Customers may register a Bot only if they own, operate, control, or have express authorization to register and manage that Bot.

By registering a Bot, the Customer represents and warrants that:

a. the Customer has the legal right and technical authority to register the Bot;
b. the Customer has the right to upload or associate the Bot’s public key with MudraID;
c. the Customer has the right to request Mudra Tokens for the Bot;
d. the Customer has the right to use MudraID to identify, verify, or support the Bot’s interactions with websites, APIs, systems, or other Bots;
e. the Bot’s operation does not violate applicable law, third-party rights, platform terms, website terms, API terms, or contractual obligations.

MudraID may require proof of ownership, control, authorization, or lawful operation before approving or continuing a Bot registration.

5.4 Bot Metadata and Use Case Disclosure

Customers must provide accurate and current metadata for each Registered Bot where requested by MudraID.

This may include, without limitation:

a. Bot name;
b. Bot owner or operator;
c. Bot developer;
d. Bot description;
e. intended use case;
f. permitted environments;
g. endpoint URLs;
h. public keys;
i. contact information;
j. organization information;
k. trust-related information;
l. security information;
m. compliance information;
n. other information reasonably requested by MudraID.

Customers must not conceal, misstate, or misrepresent the purpose, behavior, ownership, security posture, data practices, or intended use of a Bot.

MudraID may rely on Bot metadata when issuing tokens, assigning trust levels, supporting verification, reviewing abuse reports, investigating incidents, or enforcing these Terms. MudraID is not responsible for harm caused by inaccurate, incomplete, outdated, or misleading Bot metadata provided by Customers.

5.5 Bot Behavior and Compliance

Customers are solely responsible for the behavior, outputs, actions, decisions, communications, requests, data collection, data use, and consequences of their Bots.

Customers must ensure that their Bots:

a. operate only for lawful and authorized purposes;
b. comply with these Terms, the Acceptable Use Policy, the Documentation, and applicable law;
c. comply with third-party website, API, platform, and service terms;
d. do not impersonate others;
e. do not misrepresent identity, authority, trust status, or affiliation;
f. do not bypass security controls, access restrictions, rate limits, consent mechanisms, paywalls, robots.txt rules where legally or contractually applicable, or platform policies;
g. do not scrape, collect, store, or process data unlawfully or without proper authorization;
h. do not perform harmful, abusive, deceptive, fraudulent, spam, malware, phishing, surveillance, credential theft, or unauthorized access activities;
i. do not overload, degrade, disrupt, or interfere with websites, APIs, systems, networks, or services;
j. do not use Mudra Tokens, Trust Scores, verification status, or MudraID registration to mislead third parties.

MudraID is not responsible for monitoring every Bot action or preventing every misuse of a Registered Bot.

5.6 Bot Credentials and Private-Key Security

Customers are solely responsible for protecting all credentials, secrets, tokens, certificates, signing materials, and Private Keys associated with their Bots.

Customers must use reasonable and appropriate security measures to protect Bot credentials and Private Keys, including secure storage, least-privilege access, access logging, secret management, credential rotation, key rotation, monitoring, and prompt revocation of compromised credentials.

Customers must not expose Bot credentials, Client Secrets, API keys, access tokens, or Private Keys in public repositories, browser-side code, insecure applications, screenshots, logs, documentation, support requests, or any location accessible to unauthorized parties.

MudraID does not control Customer Private Keys unless expressly agreed otherwise in writing. MudraID is not responsible for unauthorized Bot activity, impersonation, signed messages, token misuse, or security incidents caused by compromised, exposed, stolen, lost, weak, reused, or mishandled Customer credentials or Private Keys.

Customers must notify MudraID promptly if they know or suspect that a Bot credential, token, Client Secret, Private Key, certificate, or signing material has been compromised.

5.7 Token Requests by Bots

Registered Bots may request Mudra Tokens only through supported methods described in the Documentation and only for lawful, authorized, and permitted purposes.

Customers must not cause or allow Bots to:

a. request tokens using stolen, exposed, forged, unauthorized, or misused credentials;
b. request tokens for a Bot that is suspended, revoked, misrepresented, or no longer authorized;
c. request tokens to support unlawful, abusive, deceptive, or harmful activity;
d. attempt to bypass MudraID rate limits, trust controls, verification checks, security systems, or usage restrictions;
e. use tokens outside their intended purpose, audience, scope, or validity period;
f. replay, alter, forge, sell, transfer, or misuse Mudra Tokens.

MudraID may deny, delay, throttle, restrict, revoke, or invalidate token requests where MudraID reasonably believes such action is necessary for security, service integrity, abuse prevention, compliance, operational reliability, or protection of MudraID, Customers, third parties, or the Services.

5.8 No Endorsement, Certification, or Guarantee

Bot registration, token issuance, public-key publication, verification success, or assignment of a Trust Score or Trust Level does not mean that MudraID endorses, certifies, audits, insures, sponsors, guarantees, approves, recommends, or accepts responsibility for a Bot.

MudraID does not guarantee that a Registered Bot:

a. is safe;
b. is lawful;
c. is accurate;
d. is non-malicious;
e. is secure;
f. is reliable;
g. is operated by a trustworthy party;
h. will behave consistently in the future;
i. has authority to access a particular website, API, system, or dataset;
j. will comply with third-party terms;
k. will not cause harm, loss, downtime, unauthorized access, data exposure, or legal risk.

MudraID provides identity, verification, and trust-signaling infrastructure. Customers and third parties remain responsible for their own security, access-control, compliance, and risk decisions.

5.9 Bot Suspension, Revocation, and Removal

MudraID may suspend, revoke, downgrade, limit, disable, remove, or restrict a Bot registration, Mudra Token, public-key record, Trust Score, Trust Level, API access, or related feature if MudraID reasonably believes that:

a. the Bot is involved in unlawful, abusive, harmful, deceptive, fraudulent, or unauthorized activity;
b. the Bot’s identity, metadata, ownership, or use case is inaccurate, incomplete, misleading, or unverifiable;
c. the Bot is impersonating another person, entity, product, service, website, API, brand, or platform;
d. the Bot’s credentials, Client Secret, token, Private Key, or signing materials may be compromised;
e. the Bot violates these Terms, the Acceptable Use Policy, Documentation, or applicable law;
f. the Bot creates security, legal, compliance, operational, technical, reputational, fraud, abuse, or service-integrity risk;
g. MudraID is required to do so by law, regulation, court order, government request, contractual requirement, or security requirement;
h. continued registration or operation may harm MudraID, Customers, third parties, or the Services.

MudraID may take such action with or without prior notice, depending on the urgency and nature of the risk.

5.10 Bot Identity Changes and Key Rotation

Customers must keep Bot identity information, public keys, endpoint information, ownership information, and use-case information current.

Customers must promptly update MudraID if:

a. Bot ownership changes;
b. Bot operator changes;
c. Bot purpose changes materially;
d. Bot endpoints change;
e. Bot risk profile changes;
f. Bot credentials are rotated;
g. Bot public keys are rotated;
h. Bot Private Keys are compromised or suspected to be compromised;
i. Bot activity becomes abnormal, unauthorized, or harmful;
j. Bot is discontinued.

MudraID may require key rotation, metadata updates, re-verification, token revocation, credential reset, or additional review at any time for security, compliance, operational, or trust-related reasons.

5.11 Bot Abuse Reports and Investigations

MudraID may receive, review, investigate, process, or act upon abuse reports, complaints, security reports, website-owner reports, third-party notices, law-enforcement requests, platform reports, automated signals, or internal risk indicators relating to Bots.

Customers must cooperate with MudraID in abuse investigations and provide information reasonably requested by MudraID, including logs, ownership evidence, use-case explanations, technical details, key-rotation evidence, security measures, and remediation steps.

MudraID may take protective action while an investigation is pending, including suspending tokens, limiting verification status, changing Trust Scores, disabling Bot registration, removing public-key records, restricting API access, or applying other controls.

MudraID is not required to disclose all details of abuse reports, complainants, investigation methods, scoring methods, internal security systems, or enforcement logic.

5.12 Bot Deactivation and Discontinuation

Customers must deactivate, revoke, or remove Bots that are no longer in use, no longer authorized, compromised, discontinued, transferred, or no longer compliant with these Terms.

Customers remain responsible for any activity associated with a Bot until the Bot is properly deactivated, credentials are revoked, keys are rotated or removed, and token use is stopped.

MudraID may retain certain records relating to deactivated Bots where necessary for security, fraud prevention, abuse investigation, audit, legal compliance, dispute resolution, billing, or service integrity.

5.13 Customer Liability for Bots

Customers are responsible and liable for all acts, omissions, misuse, violations, claims, losses, damages, penalties, costs, and expenses arising from or relating to their Bots, including:

a. Bot registration;
b. Bot metadata;
c. Bot identity claims;
d. Bot credentials;
e. Bot Private Keys;
f. Bot token requests;
g. Bot use of Mudra Tokens;
h. Bot interactions with websites, APIs, systems, users, or other Bots;
i. Bot data collection or processing;
j. Bot outputs, decisions, or communications;
k. Bot violation of law, third-party rights, or third-party terms;
l. Bot security incidents;
m. Bot abuse, fraud, scraping, spam, impersonation, or unauthorized access.

MudraID may seek indemnification, suspension, termination, or other remedies as provided in these Terms if Customer Bots create liability, risk, harm, or claims against MudraID or third parties.

6. API Credentials, Keys, Tokens, and Security

6.1 Issuance of API Credentials

MudraID may issue or allow Customers to create API Credentials for accessing the Services, registering Bots, requesting Mudra Tokens, verifying tokens, accessing the Public Key Directory, using the Mudra Gateway, configuring policies, or performing other supported actions.

API Credentials may include Client IDs, Client Secrets, API keys, access tokens, refresh tokens, signing keys, certificates, authentication factors, service-account credentials, gateway credentials, or other credentials described in the Documentation.

MudraID may determine the type, scope, duration, permissions, usage limits, rate limits, expiration period, rotation requirements, and security requirements applicable to API Credentials.

MudraID may deny, revoke, rotate, suspend, disable, limit, or replace API Credentials at any time if MudraID reasonably believes such action is necessary for security, abuse prevention, service integrity, compliance, fraud prevention, operational reliability, or protection of MudraID, Customers, third parties, or the Services.

6.2 Customer Responsibility for Credentials

Customers are solely responsible for protecting all API Credentials, Client Secrets, Private Keys, tokens, certificates, passwords, authentication factors, signing materials, and other security credentials associated with their account, Bots, websites, APIs, gateways, SDKs, applications, and integrations.

Customers must implement reasonable and appropriate security measures, including:

a. secure storage of secrets and Private Keys;
b. least-privilege access controls;
c. strong authentication for account users;
d. restricted administrator permissions;
e. key and credential rotation;
f. monitoring for abnormal credential use;
g. prompt revocation of unused or compromised credentials;
h. secure CI/CD and deployment practices;
i. secret scanning for source code repositories;
j. protection against credential exposure in logs, screenshots, analytics tools, browser-side code, support messages, build artifacts, containers, serverless functions, and configuration files.

MudraID is not responsible for losses, unauthorized access, Bot impersonation, token misuse, gateway misbehavior, service disruption, data exposure, or other harm caused by compromised, mishandled, leaked, stolen, lost, reused, weak, shared, embedded, or improperly stored Customer credentials.

6.3 Prohibited Credential Practices

Customers must not:

a. share API Credentials with unauthorized persons or systems;
b. sell, transfer, sublicense, rent, lease, lend, disclose, publish, or make API Credentials available to third parties except as expressly permitted by MudraID;
c. embed Client Secrets, Private Keys, or other confidential credentials in public code, browser-side applications, mobile apps without appropriate protection, client-side scripts, public repositories, public documentation, support tickets, screenshots, logs, or other accessible locations;
d. use API Credentials issued to another Customer, Bot, website, API, domain, or integration;
e. use stolen, leaked, guessed, forged, altered, expired, revoked, or unauthorized credentials;
f. attempt to bypass authentication, authorization, rate limits, trust controls, service limits, billing controls, security systems, or verification requirements;
g. create, use, or distribute tools intended to abuse, overload, scrape, attack, bypass, or evade MudraID or third-party systems;
h. remove, alter, or conceal token claims, signatures, headers, timestamps, expiry information, Bot identifiers, trust indicators, or audit information;
i. misuse Mudra Tokens or verification status to mislead websites, APIs, users, platforms, regulators, or third parties.

MudraID may suspend or terminate access, revoke credentials, invalidate tokens, downgrade trust status, restrict API access, or take other protective action if MudraID reasonably believes that a Customer has engaged in prohibited credential practices.

6.4 Client IDs and Client Secrets

MudraID may issue a Client ID and Client Secret to a Customer, Bot, application, or integration.

A Client ID may be used to identify the Customer, Bot, application, or integration. A Client Secret is confidential and must be protected as a sensitive security credential.

Customers are responsible for ensuring that Client Secrets are used only in secure environments and are never exposed to unauthorized parties.

MudraID may require Client Secret rotation, expiration, replacement, revocation, or additional security controls where MudraID reasonably believes such action is necessary or appropriate.

If a Client Secret is exposed, compromised, suspected to be compromised, or no longer needed, the Customer must promptly rotate or revoke the Client Secret and notify MudraID where the compromise may affect the Services, Customers, third parties, or the integrity of MudraID.

6.5 Public Keys and Private Keys

Customers may register Public Keys with MudraID to support Bot identity, token verification, signed messages, public-key discovery, bot-to-bot verification, or other supported cryptographic verification use cases.

Customers are solely responsible for generating, storing, protecting, rotating, validating, and managing the corresponding Private Keys.

Customers must ensure that uploaded or registered Public Keys are accurate, current, lawfully controlled, technically valid, and associated with the correct Bot, Customer, application, or integration.

MudraID is not responsible for:

a. weak key generation by Customers;
b. compromised Customer Private Keys;
c. incorrect Public Keys uploaded by Customers;
d. failure to rotate keys;
e. loss of Private Keys;
f. unauthorized signatures created with compromised Private Keys;
g. Bot impersonation caused by Customer-side key compromise;
h. verification failures caused by incorrect or outdated Customer key records.

MudraID may reject, remove, suspend, replace, or require re-verification of Public Keys where MudraID reasonably believes such action is necessary for security, compliance, operational integrity, or abuse prevention.

6.6 Key Rotation

Customers must rotate keys and credentials when required by the Documentation, an applicable Service Plan, an Order Form, a security notice, or reasonable security practice.

Customers must promptly rotate keys and credentials if:

a. a Private Key, Client Secret, API key, token, certificate, password, authentication factor, or credential is compromised or suspected to be compromised;
b. an employee, contractor, developer, administrator, or service provider with access to credentials leaves or no longer requires access;
c. credentials are exposed in code, logs, build systems, screenshots, documentation, repositories, support tickets, or third-party tools;
d. a Bot, website, API, gateway, or integration changes ownership or control;
e. MudraID reasonably requires rotation for security, compliance, or service-integrity reasons.

MudraID may invalidate, suspend, or limit credentials if the Customer fails to rotate credentials when reasonably required.

6.7 Mudra Tokens

MudraID may issue Mudra Tokens to Registered Bots, Customers, applications, or integrations through supported token issuance methods.

Mudra Tokens may include identity, trust, scope, status, issuer, audience, timestamp, expiration, and other claims.

Customers must use Mudra Tokens only for their intended purpose and within their applicable scope, audience, expiration period, and authorization limits.

Customers must not:

a. forge, alter, tamper with, replay, resell, transfer, lend, lease, publish, or misuse Mudra Tokens;
b. use expired, revoked, altered, unauthorized, or improperly obtained Mudra Tokens;
c. use Mudra Tokens to misrepresent identity, authority, trust, certification, endorsement, permission, or compliance status;
d. use Mudra Tokens to access websites, APIs, systems, or data without authorization;
e. attempt to bypass token expiration, signature validation, trust checks, rate limits, policy controls, or verification mechanisms.

A Mudra Token is not a guarantee that a Bot is safe, lawful, authorized for every action, reliable, non-malicious, or suitable for a particular purpose.

6.8 Token Expiration, Revocation, and Invalidation

Mudra Tokens may expire, be revoked, become invalid, be replaced, or be rejected based on expiration time, key rotation, credential compromise, Bot suspension, trust downgrade, policy changes, account suspension, security events, service changes, or other reasons.

MudraID may revoke, invalidate, shorten, restrict, or refuse Mudra Tokens at any time if MudraID reasonably believes such action is necessary for security, abuse prevention, compliance, operational reliability, fraud prevention, service integrity, or protection of MudraID, Customers, third parties, or the Services.

Customers are responsible for designing their systems to handle token expiration, verification failure, revocation, key rotation, service unavailability, rate limits, error responses, and fallback behavior safely.

MudraID is not responsible for harm caused by a Customer’s failure to handle token expiration, revocation, invalidation, verification errors, key rotation, or integration changes.

6.9 Token Replay, Misuse, and Unauthorized Use

Customers must implement reasonable protections against token replay, theft, misuse, and unauthorized use.

Depending on the Customer’s use case and Documentation, such protections may include:

a. short token lifetimes;
b. audience validation;
c. issuer validation;
d. expiration validation;
e. signature verification;
f. nonce or request binding where supported;
g. timestamp checks;
h. transport-layer security;
i. secure storage;
j. server-side verification;
k. rate limiting;
l. anomaly monitoring;
m. revocation checks where appropriate.

MudraID does not guarantee that token replay, theft, misuse, credential compromise, or unauthorized use will always be detected or prevented.

Customers are responsible for investigating and mitigating suspected token misuse affecting their Bots, websites, APIs, systems, or integrations.

6.10 Verification of Tokens

Customers using Mudra Tokens must verify tokens according to the Documentation before relying on them.

Token verification may include checking signature, issuer, audience, expiration, scope, Bot identifier, trust level, revocation status, and other claims or policy rules.

Customers are responsible for determining which verification method is appropriate for their environment, including JWKS verification, verification API calls, SDK verification, gateway verification, cached verification, or other supported methods.

Customers are responsible for the consequences of:

a. accepting unverified tokens;
b. accepting expired tokens;
c. failing to validate audience or issuer;
d. failing to check revocation or trust status where appropriate;
e. using stale cached keys or trust data;
f. misconfiguring SDKs, gateways, policies, or verification logic;
g. relying on token claims beyond their intended purpose.

MudraID is not responsible for Customer-side verification errors, incorrect implementation, misconfiguration, or unsafe reliance on tokens.

6.11 Rate Limits and Usage Controls

MudraID may apply rate limits, quotas, throttling, concurrency limits, traffic limits, token issuance limits, verification limits, gateway limits, Public Key Directory limits, abuse controls, billing limits, and other usage controls.

MudraID may change or enforce usage limits to protect the Services, ensure fair use, prevent abuse, comply with law, manage infrastructure, reduce fraud, maintain performance, or control excessive usage.

Customers must not attempt to bypass, evade, distribute around, disable, or interfere with MudraID usage limits, rate limits, quotas, security controls, or billing controls.

MudraID may throttle, reject, delay, suspend, or block requests that exceed limits or create risk.

6.12 Security Testing and Vulnerability Research

Customers must not perform penetration testing, vulnerability scanning, load testing, stress testing, fuzzing, automated probing, exploit testing, denial-of-service testing, credential testing, or similar security testing against MudraID systems without prior written authorization from MudraID.

MudraID may provide a responsible disclosure or vulnerability reporting process. Customers and researchers must follow that process and must not access, modify, delete, exfiltrate, disclose, or disrupt MudraID data, Customer data, systems, services, credentials, tokens, logs, or infrastructure.

Unauthorized security testing may result in suspension, termination, legal action, and referral to appropriate authorities.

6.13 Customer Integration Security

Customers are responsible for securely designing, implementing, testing, deploying, monitoring, and maintaining all integrations with MudraID.

Customers must ensure that their integrations:

a. use HTTPS and secure transport;
b. validate certificates where applicable;
c. protect secrets and Private Keys;
d. verify tokens correctly;
e. handle error responses safely;
f. handle revocation and expiration;
g. handle rate limits and service unavailability;
h. avoid exposing tokens or credentials in logs;
i. follow the Documentation;
j. are tested before production deployment;
k. are monitored for abnormal behavior.

MudraID is not responsible for Customer-side integration vulnerabilities, insecure architecture, unsupported implementation, misconfigured gateways, exposed secrets, or failure to follow Documentation.

6.14 MudraID Security Actions

MudraID may take any action it reasonably considers necessary or appropriate to protect the Services, Customers, third parties, or MudraID. Such actions may include:

a. revoking or rotating credentials;
b. invalidating tokens;
c. suspending or limiting accounts;
d. suspending or disabling Bots;
e. removing or hiding Public Keys;
f. changing Trust Scores or Trust Levels;
g. blocking or throttling requests;
h. applying gateway rules;
i. limiting Public Key Directory access;
j. requiring re-authentication or re-verification;
k. requiring key rotation;
l. disabling features;
m. preserving or reviewing logs;
n. cooperating with legal, regulatory, or law-enforcement requests where required or permitted by law.

MudraID may take emergency action without prior notice where MudraID reasonably believes that advance notice may increase risk, delay mitigation, compromise security, violate law, or harm MudraID, Customers, third parties, or the Services.

6.15 No Security Guarantee

MudraID provides identity, token, verification, gateway, trust-signaling, and related security-support services. However, no security service can guarantee complete prevention, detection, or elimination of all threats.

MudraID does not guarantee that the Services will prevent, detect, block, or stop all unauthorized access, malicious Bots, scraping, fraud, impersonation, token misuse, credential compromise, cyberattacks, data breaches, policy violations, or harmful activity.

Customers remain responsible for their own security architecture, access controls, monitoring, incident response, legal compliance, data protection, business decisions, and risk management.

7. Mudra Tokens and Verification

7.1 Purpose of Mudra Tokens

Mudra Tokens are issued to support technical identity, authentication, verification, trust signaling, policy enforcement, and controlled interaction between Registered Bots, websites, APIs, applications, systems, and other Bots.

A Mudra Token may help a receiving system determine whether a request, message, or interaction appears to be associated with a Registered Bot or approved integration.

Mudra Tokens are technical security artifacts. They are not legal approvals, regulatory certifications, security guarantees, endorsements, insurance, authorization for every action, or proof that a Bot is safe, lawful, accurate, non-malicious, or suitable for a particular purpose.

7.2 Token Format and Claims

Mudra Tokens may be implemented as JSON Web Tokens or another supported format described in the Documentation.

A Mudra Token may contain claims such as:

a. issuer;
b. subject;
c. Bot identifier;
d. Customer identifier;
e. audience;
f. issue time;
g. expiration time;
h. token identifier;
i. scope;
j. permitted use;
k. trust level;
l. registration status;
m. key identifier;
n. policy-related claims;
o. other technical, security, or operational claims.

MudraID determines the format, claim structure, signing method, validity period, supported algorithms, token profile, and verification requirements for Mudra Tokens.

MudraID may modify token format, claims, signing keys, supported algorithms, expiration periods, and verification requirements from time to time, subject to applicable Documentation, Service Plan, Order Form, or product-specific terms.

7.3 Token Issuance

MudraID may issue Mudra Tokens to Registered Bots, Customers, applications, or integrations that satisfy applicable authentication, authorization, registration, trust, and security requirements.

MudraID may refuse, delay, throttle, restrict, revoke, or invalidate token issuance if MudraID reasonably believes that:

a. credentials are invalid, expired, revoked, exposed, compromised, or misused;
b. the Bot registration is incomplete, inaccurate, misleading, suspended, revoked, or under review;
c. the request exceeds usage limits or rate limits;
d. the request appears suspicious, abusive, fraudulent, automated in an unauthorized manner, or inconsistent with the Customer’s stated use case;
e. the account has unpaid fees or unresolved compliance issues;
f. the request creates security, legal, compliance, operational, fraud, reputational, or service-integrity risk;
g. MudraID is required or permitted to do so by law, regulation, court order, government request, security requirement, or contractual obligation.

MudraID is not liable for refusing, delaying, limiting, revoking, or invalidating token issuance where MudraID acts in good faith to protect security, service integrity, legal compliance, Customers, third parties, or MudraID.

7.4 Token Validity and Expiration

Mudra Tokens are valid only for the period, purpose, scope, audience, and use case for which they are issued.

Customers must not use, accept, rely on, or present expired, revoked, altered, unauthorized, forged, replayed, or improperly obtained Mudra Tokens.

Customers must design their systems to handle token expiration, verification failure, key rotation, revocation, rate limits, service downtime, and other expected security or operational conditions.

MudraID may shorten token lifetimes, change expiration rules, require re-authentication, or invalidate tokens where MudraID reasonably believes such action is necessary for security, abuse prevention, compliance, operational reliability, or protection of the Services.

7.5 Token Verification Methods

MudraID may support one or more token verification methods, including:

a. verification using MudraID’s JWKS endpoint;
b. verification through MudraID’s verification API;
c. verification using MudraID SDKs or libraries;
d. verification through the Mudra Gateway;
e. cached verification methods supported by the Documentation;
f. other verification methods made available by MudraID.

Customers are responsible for selecting and implementing the verification method appropriate for their system, security posture, performance needs, compliance requirements, and risk tolerance.

MudraID may update, limit, deprecate, replace, or remove verification methods from time to time, including for security, technical, operational, legal, or product reasons.

7.6 What Verification May Confirm

Depending on the verification method used and the information available at the time of verification, verification may help confirm some or all of the following:

a. that the token appears to be signed by MudraID or another supported issuer;
b. that the token signature appears valid;
c. that the token has not expired based on its expiry claim;
d. that the token issuer is recognized;
e. that the token audience matches the intended recipient, where applicable;
f. that the token subject or Bot identifier is present;
g. that the token is associated with a Registered Bot or supported integration;
h. that certain trust, scope, or policy claims are present;
i. that the token has not been marked invalid according to available information;
j. that the Bot or account has a particular registration or trust status at the time of verification.

Verification results depend on correct implementation, current keys, token claims, network availability, cached data, service availability, Customer configuration, and other technical conditions.

7.7 What Verification Does Not Confirm

Token verification does not confirm or guarantee that:

a. the Bot is safe;
b. the Bot is lawful;
c. the Bot is non-malicious;
d. the Bot is accurate;
e. the Bot is reliable;
f. the Bot is free of vulnerabilities;
g. the Bot’s owner is trustworthy;
h. the Bot has permission to access a particular website, API, system, data source, or user account;
i. the Bot’s current action is authorized by an end user or third party;
j. the Bot’s output is correct, complete, unbiased, or lawful;
k. the Bot will behave properly in the future;
l. the Bot complies with all applicable laws, contracts, platform terms, website terms, API terms, privacy rules, or industry standards;
m. the Bot has not been compromised after token issuance;
n. the request is free from fraud, scraping, abuse, spam, malware, phishing, surveillance, or unauthorized access risk.

Customers and receiving systems remain responsible for making their own access-control, authorization, risk, compliance, and security decisions.

7.8 Customer Responsibility for Verification

Customers that receive or rely on Mudra Tokens must verify them according to the current Documentation before relying on them.

Customers are responsible for:

a. validating token signature;
b. validating issuer;
c. validating audience;
d. validating expiration time;
e. validating scope;
f. validating token claims relevant to their use case;
g. checking trust level or live status where appropriate;
h. handling revoked or invalid tokens;
i. handling key rotation;
j. handling verification service errors;
k. handling stale cached verification data;
l. applying access policies correctly;
m. monitoring verification outcomes;
n. maintaining their own fallback and incident response processes.

MudraID is not responsible for any harm caused by Customer failure to verify tokens correctly, failure to follow Documentation, failure to check relevant claims, improper caching, unsafe fallback behavior, incorrect access rules, or reliance on expired, revoked, altered, unauthorized, or improperly verified tokens.

7.9 Customer Responsibility for Access Decisions

Customers are solely responsible for deciding whether to allow, block, throttle, challenge, monitor, restrict, log, report, or otherwise respond to any Bot, token, request, message, website interaction, API call, or bot-to-bot communication.

MudraID may provide token verification, identity signals, trust indicators, registration status, logs, or policy-support tools. These are decision-support tools only.

MudraID does not make the final access-control decision for the Customer unless expressly agreed in writing and configured through a supported MudraID-controlled service. Even where MudraID provides automated gateway actions, Customers remain responsible for selecting, configuring, testing, and monitoring the applicable policies.

MudraID is not responsible for Customer decisions to allow a harmful Bot, block a legitimate Bot, throttle traffic, reject requests, expose data, interrupt business processes, or rely on MudraID outputs beyond their intended purpose.

7.10 JWKS Verification

MudraID may provide a JWKS endpoint to enable Customers and third parties to verify token signatures using public keys.

Customers using JWKS verification are responsible for:

a. retrieving keys from the correct MudraID endpoint;
b. validating the key identifier;
c. using supported algorithms;
d. validating issuer and audience;
e. handling key rotation;
f. refreshing cached keys appropriately;
g. handling unavailable or delayed key updates;
h. rejecting tokens that fail verification;
i. following the Documentation.

MudraID may rotate, replace, remove, or invalidate signing keys at any time where MudraID reasonably believes such action is necessary for security, compliance, service integrity, or operational reliability.

MudraID is not responsible for Customer-side failures caused by stale JWKS caches, incorrect key selection, unsupported algorithms, failure to refresh keys, failure to reject invalid tokens, or incorrect implementation.

7.11 Verification API

MudraID may provide a verification API to support token validation, live status checks, trust-level checks, revocation checks, registration checks, or related verification functions.

Verification API responses are based on information available to MudraID at the time of the request. Responses may be affected by latency, caching, service availability, network conditions, Customer configuration, data freshness, third-party reports, or ongoing investigations.

Customers are responsible for handling verification API errors, timeouts, unavailable responses, rate limits, degraded responses, stale responses, and unexpected results safely.

MudraID may limit, throttle, modify, suspend, or discontinue verification API access where necessary for security, abuse prevention, service integrity, compliance, fair use, or operational reasons.

7.12 Cached Verification

MudraID or Customers may use caching to improve performance, reduce latency, reduce API load, or maintain limited functionality during temporary service disruption.

Cached verification data may be stale, incomplete, delayed, or different from live trust or revocation information.

Customers are responsible for determining whether cached verification is appropriate for their use case and for configuring cache duration, refresh behavior, fallback rules, and risk controls safely.

MudraID is not responsible for harm caused by Customer reliance on stale cached verification data, outdated trust levels, expired keys, delayed revocation information, or incorrect cache configuration.

7.13 Revocation and Status Changes

MudraID may revoke, invalidate, suspend, downgrade, or modify token status, Bot status, account status, trust status, key status, or verification status at any time if MudraID reasonably believes such action is necessary or appropriate.

Reasons may include:

a. suspected credential compromise;
b. suspected Private Key compromise;
c. Bot misuse;
d. policy violation;
e. abuse report;
f. security incident;
g. inaccurate metadata;
h. unauthorized registration;
i. legal or regulatory requirement;
j. third-party complaint;
k. service-integrity risk;
l. non-payment;
m. operational need.

Customers are responsible for checking revocation and status information where appropriate and for designing systems that can respond safely to status changes.

7.14 Token Replay and Request Context

A valid token may still be misused if it is stolen, replayed, copied, presented outside the intended context, or used by an unauthorized party.

Customers are responsible for implementing reasonable protections against token replay and misuse, including controls such as TLS, short token lifetimes, audience checks, request signing, nonce validation, timestamp validation, IP or device controls where appropriate, anomaly detection, rate limits, and server-side verification.

MudraID does not guarantee that a validly signed token is being presented by the legitimate Bot in every case.

7.15 No Duty to Monitor Every Token Use

MudraID may monitor certain token issuance, verification, and usage activity for security, abuse prevention, billing, reliability, service improvement, and enforcement purposes.

However, MudraID has no obligation to monitor every token request, every verification event, every Bot action, every website interaction, every API request, every gateway decision, or every bot-to-bot message.

Customers remain responsible for monitoring their own Bots, websites, APIs, integrations, traffic, logs, users, policies, and security events.

7.16 Customer Misuse of Verification Results

Customers must not misuse MudraID verification results, Trust Scores, Trust Levels, registration status, logs, or token claims.

Customers must not represent that MudraID has approved, certified, audited, guaranteed, sponsored, endorsed, or accepted responsibility for a Bot, website, API, application, organization, integration, or transaction unless MudraID has expressly provided such written authorization.

Customers must not use MudraID verification status in a misleading, deceptive, defamatory, unlawful, or unfair manner.

MudraID may suspend or terminate access if MudraID reasonably believes that a Customer is misusing verification results or making misleading claims about MudraID.

7.17 Verification Limitations

Verification depends on technical and operational factors that may be outside MudraID’s control, including:

a. Customer implementation;
b. Customer configuration;
c. Customer infrastructure;
d. third-party hosting;
e. DNS routing;
f. network availability;
g. gateway deployment;
h. cached data;
i. key rotation timing;
j. token handling practices;
k. clock synchronization;
l. integration errors;
m. third-party systems;
n. malicious actors.

MudraID is not responsible for verification failures, false accepts, false rejects, degraded performance, service disruption, data exposure, or security incidents caused by factors outside MudraID’s reasonable control or by Customer-side implementation choices.

7.18 No Independent Authorization Grant

A Mudra Token does not independently grant a Bot permission to access any website, API, system, user account, dataset, service, platform, or third-party resource.

Authorization to access a website, API, system, user account, dataset, or third-party resource must come from the relevant owner, operator, user, platform, contract, law, or access-control system.

MudraID token verification may support identity and policy decisions, but it does not replace the Customer’s own authorization checks, user consent flows, permissions model, contractual rights, or legal obligations.

7.19 Token and Verification Records

MudraID may create and retain records relating to token issuance, token verification, token revocation, key rotation, Bot status, trust status, gateway decisions, and related events.

MudraID may use such records for security, abuse prevention, compliance, audit, billing, service operation, product improvement, dispute resolution, legal compliance, and enforcement of these Terms.

MudraID does not guarantee that token or verification records will be complete, error-free, continuously available, legally sufficient for every purpose, or retained indefinitely.

7.20 Customer Indemnity for Token Misuse

Customers are responsible for claims, losses, damages, penalties, costs, and expenses arising from or relating to misuse of Mudra Tokens, failure to verify tokens correctly, unauthorized token use, credential compromise, Bot impersonation, inaccurate token-related metadata, Customer access decisions, or Customer reliance on token verification beyond its intended purpose.

MudraID may seek indemnification and other remedies as provided in these Terms where token misuse, verification misuse, Bot activity, Customer configuration, or Customer decisions create liability, harm, or claims against MudraID or third parties.

8. Website Registration and Access Policies

8.1 Website, API, and Domain Registration

MudraID may allow Customers to register websites, APIs, domains, applications, services, or other digital properties for use with the Services.

Registration may be used to support token verification, access policy configuration, Mudra Gateway deployment, bot access control, trust-level checks, abuse reporting, public metadata, or other supported features.

Customers are solely responsible for ensuring that all website, API, domain, application, and service registration information is accurate, complete, current, lawful, and not misleading.

MudraID may reject, suspend, limit, revoke, remove, or require correction of any website, API, domain, application, or service registration if MudraID reasonably believes that the registration is unauthorized, inaccurate, incomplete, misleading, unlawful, harmful, abusive, technically unsafe, or creates legal, security, fraud, compliance, operational, reputational, or service-integrity risk.

8.2 Ownership, Control, and Authority

Customers may register a website, API, domain, application, or service with MudraID only if they own, operate, control, or have express authorization to manage that property.

By registering a website, API, domain, application, or service, the Customer represents and warrants that:

a. the Customer has the legal and technical authority to register and manage the property;
b. the Customer has authority to configure access policies for the property;
c. the Customer has authority to allow, block, throttle, challenge, or otherwise manage Bot traffic to the property;
d. the Customer has authority to deploy the Mudra Gateway, SDKs, APIs, scripts, configurations, or other MudraID integration components where applicable;
e. the Customer’s use of MudraID for the property does not violate any law, contract, third-party right, hosting rule, platform rule, DNS provider rule, website term, API term, privacy obligation, or security obligation.

MudraID may request proof of ownership, control, authorization, or administrative authority at any time. Failure to provide satisfactory proof may result in refusal, suspension, limitation, revocation, or removal of the registration or related features.

8.3 Domain Verification

MudraID may require Customers to complete domain verification before enabling certain features, including access policy enforcement, public metadata, token audience configuration, Mudra Gateway integration, or abuse reporting features.

Domain verification may involve DNS records, file upload, email confirmation, account verification, API verification, manual review, or other methods determined by MudraID.

Domain verification confirms only that the Customer completed a supported verification step at a point in time. It does not guarantee that the Customer has continuing legal rights, contractual rights, or operational authority over the domain.

Customers must promptly notify MudraID if they lose ownership, control, authority, or operational responsibility for a registered domain, website, API, application, or service.

MudraID may require re-verification or suspend features if MudraID reasonably believes that ownership, control, or authorization has changed or is uncertain.

8.4 Website Metadata and Policy Information

Customers may be required to provide website, API, application, or service metadata, including domain name, endpoint details, owner information, contact information, permitted Bot categories, restricted Bot categories, access rules, trust-level requirements, rate limits, gateway configuration, abuse contact details, or other information requested by MudraID.

Customers are solely responsible for the accuracy, completeness, legality, and currency of such metadata.

MudraID may use this information to support token verification, gateway rules, policy evaluation, public metadata, Bot discovery, abuse reporting, trust analysis, customer support, security review, or enforcement of these Terms.

MudraID is not responsible for harm caused by inaccurate, incomplete, outdated, misleading, or unauthorized website metadata or policy information provided by Customers.

8.5 Customer-Configured Access Policies

MudraID may allow Customers to configure policies that determine how Bots, Mudra Tokens, trust levels, token claims, public-key records, request attributes, or other signals are treated when interacting with Customer websites, APIs, applications, or systems.

Policies may include, without limitation:

a. allow rules;
b. block rules;
c. trust-level thresholds;
d. token requirement rules;
e. Bot category rules;
f. Bot identity rules;
g. rate limits;
h. throttling rules;
i. challenge rules;
j. logging rules;
k. gateway routing rules;
l. abuse escalation rules;
m. fallback behavior;
n. custom rules supported by MudraID.

Customers are solely responsible for creating, reviewing, testing, approving, deploying, monitoring, and updating their access policies.

MudraID is not responsible for policy misconfiguration, incorrect policy logic, unintended blocking, unintended allowing, business interruption, data exposure, degraded performance, lost traffic, lost revenue, user complaints, Bot complaints, or other harm caused by Customer-configured policies.

8.6 Final Access Decisions

Customers are solely responsible for deciding whether to allow, block, throttle, challenge, log, monitor, restrict, report, or otherwise respond to any Bot, token, request, message, API call, website interaction, or automated access attempt.

MudraID may provide identity signals, token verification, trust indicators, gateway tools, logs, policy-support tools, and technical infrastructure. These are decision-support tools only.

Unless expressly agreed otherwise in writing, MudraID does not make final access-control, authorization, legal, compliance, or business decisions for Customers.

Even where the Mudra Gateway or other MudraID tools automatically apply Customer-configured rules, the Customer remains responsible for the design, selection, configuration, testing, and consequences of those rules.

8.7 Minimum Trust-Level Rules

Customers may configure policies that require Bots to meet a minimum Trust Score, Trust Level, verification status, registration status, or other risk-related condition before access is allowed.

Customers acknowledge that Trust Scores and Trust Levels are informational risk indicators only and may be incomplete, delayed, cached, disputed, inaccurate, unavailable, or subject to change.

A minimum trust-level rule does not guarantee that allowed Bots are safe, lawful, non-malicious, properly authorized, reliable, or suitable for the Customer’s use case.

Customers are responsible for determining whether a trust-level rule is appropriate for their website, API, application, risk tolerance, regulatory obligations, business needs, and user expectations.

8.8 Allowlists, Blocklists, and Custom Rules

MudraID may support allowlists, blocklists, custom Bot lists, domain rules, endpoint rules, API rules, trust rules, token rules, or other access-control features.

Customers are responsible for the accuracy and maintenance of any allowlists, blocklists, or custom rules they create or import.

MudraID is not responsible for harm caused by:

a. allowing a harmful Bot;
b. blocking a legitimate Bot;
c. using outdated lists;
d. importing inaccurate lists;
e. failing to remove obsolete rules;
f. applying overly broad rules;
g. applying overly narrow rules;
h. relying on third-party lists;
i. failing to monitor policy effects.

MudraID may remove, disable, or override rules where MudraID reasonably believes that the rule creates legal, security, operational, abuse, compliance, service-integrity, or third-party risk.

8.9 Abuse Reports by Website Owners

Customers may be able to report suspected Bot abuse, token misuse, scraping, spam, unauthorized access, credential misuse, policy violation, or other harmful activity through MudraID-supported reporting tools.

Customers must submit abuse reports in good faith and must not submit false, misleading, malicious, retaliatory, defamatory, automated, or abusive reports.

MudraID may review, investigate, ignore, reject, escalate, share, or act on abuse reports at its discretion, subject to applicable law and internal security processes.

Submitting an abuse report does not guarantee that MudraID will suspend a Bot, downgrade a Trust Score, revoke a token, remove a public key, block traffic, contact a Bot Developer, or take any particular action.

MudraID may use abuse reports to support trust scoring, enforcement, security investigations, legal compliance, fraud prevention, and service improvement.

8.10 Bot Discovery and Website Policy Publication

MudraID may provide features that allow Customers to publish or expose certain website policy information, such as whether a website uses MudraID, whether Bot tokens are required, minimum trust-level requirements, supported verification methods, contact information, or other metadata.

Customers are responsible for ensuring that any published policy information is accurate, lawful, current, and not misleading.

MudraID is not responsible for Bots, developers, users, search engines, platforms, or third parties relying on outdated, inaccurate, incomplete, or misunderstood website policy information.

MudraID may limit, hide, modify, or remove published website policy information where MudraID reasonably believes such action is necessary for security, abuse prevention, privacy, compliance, or service integrity.

8.11 Customer Website Terms and User Notices

Customers are responsible for maintaining their own website terms, API terms, privacy notices, cookie notices, bot access rules, user notices, data-processing notices, and any other legal or compliance documents required for their websites, APIs, applications, or services.

MudraID does not provide legal advice and is not responsible for determining what notices, consents, disclosures, contractual terms, privacy terms, or compliance measures a Customer must provide to its users, Bots, developers, partners, or third parties.

Customers are responsible for ensuring that their use of MudraID, including token verification, gateway inspection, logging, Bot filtering, trust-level rules, and abuse reporting, complies with applicable law and their own legal obligations.

8.12 False Accepts and False Rejects

Customers acknowledge that any identity, trust, token, gateway, or access-control system may produce false accepts or false rejects.

A false accept may occur when a Bot, token, request, message, or interaction is allowed even though the Customer may later consider it unwanted, unauthorized, harmful, risky, or non-compliant.

A false reject may occur when a Bot, token, request, message, or interaction is blocked, challenged, throttled, or restricted even though the Customer may later consider it legitimate, authorized, useful, or low-risk.

MudraID does not guarantee that the Services will eliminate false accepts, false rejects, incorrect trust decisions, incorrect gateway decisions, incorrect policy outcomes, or incorrect verification outcomes.

Customers are responsible for monitoring outcomes, reviewing policies, handling appeals or complaints, and adjusting configurations where appropriate.

8.13 Emergency Actions and Security Overrides

MudraID may take emergency action to protect the Services, Customers, third parties, or MudraID. Such action may include suspending accounts, disabling Bot registrations, revoking tokens, changing trust status, limiting verification, blocking or throttling traffic, disabling gateway functionality, restricting public-key lookups, or applying other security controls.

MudraID may take emergency action without prior notice where MudraID reasonably believes that prior notice may increase risk, delay mitigation, compromise security, violate law, or harm MudraID, Customers, third parties, or the Services.

MudraID is not liable for reasonable emergency actions taken in good faith to protect security, legal compliance, operational reliability, or service integrity.

8.14 No Guarantee of Website Protection

MudraID provides identity, verification, trust-signaling, gateway, and policy-support tools. MudraID does not guarantee that the Services will protect every website, API, application, or system from all unwanted Bots, malicious Bots, scraping, fraud, spam, abuse, credential attacks, denial-of-service activity, unauthorized access, data extraction, policy violation, security threats, or business harm.

Customers remain responsible for maintaining appropriate security controls, access controls, rate limits, monitoring, incident response, backups, authentication systems, authorization systems, fraud controls, data-protection measures, and legal compliance programs for their websites, APIs, applications, and systems.

8.15 Indemnity for Website and Policy Use

Customers are responsible for claims, losses, damages, penalties, costs, and expenses arising from or relating to their websites, APIs, domains, applications, services, access policies, gateway configurations, allowlists, blocklists, trust-level rules, abuse reports, false accepts, false rejects, user notices, legal compliance, third-party terms, or decisions made using MudraID.

MudraID may seek indemnification and other remedies as provided in these Terms where Customer website use, policy configuration, abuse reporting, or access decisions create liability, harm, or claims against MudraID or third parties.

9. Mudra Gateway Terms

9.1 Mudra Gateway Description

MudraID may provide the Mudra Gateway as a hosted, self-hosted, managed, unmanaged, proxy, reverse proxy, middleware, edge component, plugin, integration component, or related tool to help Customers verify Mudra Tokens and apply Bot access policies to websites, static sites, APIs, applications, or other digital services.

The Mudra Gateway may support functions such as:

a. receiving incoming requests;
b. inspecting request headers, tokens, metadata, source information, and other request attributes;
c. extracting and verifying Mudra Tokens;
d. checking Bot registration status;
e. checking Trust Scores or Trust Levels;
f. querying MudraID services;
g. using cached verification or trust data;
h. applying Customer-configured policies;
i. allowing, blocking, throttling, challenging, redirecting, or forwarding requests;
j. creating logs, audit records, metrics, and security events;
k. supporting static websites or websites without backend token-verification logic;
l. performing other functions described in the Documentation.

The Mudra Gateway is a security-support and access-policy enforcement tool. It is not a guarantee that all unwanted, malicious, abusive, unauthorized, or harmful traffic will be detected or blocked.

9.2 Customer Authorization to Process Traffic

By deploying, configuring, enabling, or using the Mudra Gateway, the Customer represents and warrants that it has all rights, permissions, authority, contracts, notices, consents, and lawful basis required for the Mudra Gateway to receive, inspect, process, log, route, block, throttle, challenge, or forward traffic for the relevant website, API, domain, application, service, or system.

The Customer is responsible for ensuring that its use of the Mudra Gateway complies with applicable laws, privacy requirements, data-protection obligations, telecom rules, cybersecurity laws, contractual duties, website terms, API terms, platform rules, and third-party rights.

MudraID is not responsible for determining whether the Customer has authority to route traffic through the Mudra Gateway or whether the Customer’s use of the Mudra Gateway complies with applicable law or third-party obligations.

9.3 Deployment Models

The Mudra Gateway may be made available in one or more deployment models, including hosted service, managed gateway, customer-managed gateway, self-hosted gateway, cloud deployment, edge deployment, containerized deployment, middleware deployment, static-site proxy, or other supported model.

The applicable deployment model may determine Customer responsibilities, MudraID responsibilities, support levels, update process, availability commitments, data-processing behavior, logging behavior, security controls, and limitations.

Unless expressly stated otherwise in an Order Form, Service Plan, SLA, or product-specific addendum:

a. Customers are responsible for deploying, configuring, testing, securing, and monitoring the Mudra Gateway in their own environment;
b. Customers are responsible for DNS, routing, hosting, cloud resources, certificates, firewalls, networking, availability, scaling, backup, monitoring, and incident response relating to their own deployment;
c. MudraID is not responsible for Customer-managed infrastructure, third-party infrastructure, unsupported deployments, or Customer-side gateway operation.

9.4 Gateway Configuration

Customers are solely responsible for configuring the Mudra Gateway correctly.

Gateway configuration may include:

a. domain routing;
b. DNS settings;
c. TLS certificates;
d. origin server details;
e. token verification settings;
f. JWKS or verification API settings;
g. Trust Score or Trust Level thresholds;
h. allow rules;
i. block rules;
j. throttling rules;
k. challenge rules;
l. fallback behavior;
m. cache duration;
n. logging settings;
o. header forwarding rules;
p. request and response handling rules;
q. emergency bypass settings;
r. monitoring and alerting settings.

Customers must review, test, approve, and monitor Gateway configuration before using it in production.

MudraID is not responsible for harm caused by incorrect, incomplete, outdated, unsupported, insecure, or untested Gateway configuration.

9.5 Traffic Forwarding and Blocking

Depending on Customer configuration and supported features, the Mudra Gateway may allow, deny, block, throttle, challenge, redirect, modify, or forward requests.

Customers acknowledge that Gateway decisions may affect website availability, user experience, Bot access, API behavior, search engine access, partner integrations, business operations, revenue, analytics, customer support, and third-party relationships.

Customers are responsible for the consequences of Gateway actions, including:

a. legitimate Bots being blocked;
b. unwanted Bots being allowed;
c. users or systems being delayed, throttled, or challenged;
d. requests being misrouted;
e. traffic being interrupted;
f. website or API performance being degraded;
g. third-party integrations failing;
h. logs or analytics changing;
i. revenue, leads, bookings, transactions, or conversions being affected;
j. customer complaints or Bot developer complaints.

MudraID does not guarantee that Gateway decisions will always be accurate, complete, timely, suitable, or error-free.

9.6 Static Website Protection

The Mudra Gateway may be used to support static websites or websites that do not have backend logic for verifying Mudra Tokens.

Customers acknowledge that static-site protection may depend on external factors such as DNS configuration, hosting provider behavior, CDN configuration, edge caching, browser behavior, Bot behavior, network conditions, token availability, gateway availability, and Customer-defined fallback rules.

MudraID does not guarantee that a static website using the Mudra Gateway will be protected from all unwanted Bots, malicious traffic, scraping, denial-of-service activity, token misuse, bypass attempts, origin exposure, or unauthorized access.

Customers are responsible for securing origin infrastructure, restricting direct origin access where appropriate, configuring DNS and hosting rules, testing bypass scenarios, and maintaining complementary security controls.

9.7 Gateway Caching

The Mudra Gateway may cache public keys, token verification results, Trust Scores, Trust Levels, registration status, policy decisions, configuration data, or other information to improve performance, reduce latency, reduce dependency on real-time API calls, or support limited operation during temporary service disruption.

Cached data may be stale, incomplete, delayed, inaccurate, or different from live MudraID data.

Customers are responsible for selecting cache settings appropriate for their risk tolerance, performance needs, compliance obligations, and business requirements.

MudraID is not responsible for harm caused by stale cached data, delayed revocation, outdated Trust Scores, old public keys, outdated policies, incorrect cache duration, cache poisoning caused by Customer infrastructure, or Customer reliance on cached information beyond its intended purpose.

9.8 Gateway Logs and Request Data

The Mudra Gateway may generate, process, transmit, store, or display logs, request metadata, verification events, policy decisions, traffic events, error messages, Bot identifiers, token metadata, trust information, source information, routing information, and other operational or security data.

Customers are responsible for determining what data may lawfully be processed, logged, retained, exported, monitored, or disclosed through the Mudra Gateway.

Customers must not configure the Mudra Gateway in a way that unlawfully collects, exposes, stores, or transmits sensitive data, personal data, confidential information, regulated data, authentication credentials, payment data, health data, or other restricted information.

MudraID does not guarantee that Gateway logs will capture every request, decision, error, security event, bypass attempt, or incident. Gateway logs may be incomplete, delayed, unavailable, truncated, overwritten, or subject to retention limits.

Customers are responsible for maintaining their own logs, backups, compliance records, monitoring, and incident response procedures where required.

9.9 Gateway Availability and Fallback Behavior

Gateway availability may depend on MudraID systems, Customer infrastructure, DNS providers, hosting providers, cloud providers, CDNs, network providers, internet conditions, TLS certificates, Customer configuration, third-party services, and other factors.

Customers are responsible for configuring appropriate fallback behavior, fail-open or fail-closed rules, bypass procedures, monitoring, alerting, redundancy, and incident response processes.

A fail-open configuration may allow requests that would otherwise be blocked. A fail-closed configuration may block requests that would otherwise be allowed. Customers are responsible for selecting the configuration appropriate for their business and security needs.

MudraID is not responsible for harm caused by Gateway downtime, Customer infrastructure failure, DNS failure, certificate failure, misrouting, incorrect fallback design, fail-open decisions, fail-closed decisions, or failure to plan for service disruption.

9.10 Gateway Updates and Maintenance

MudraID may provide updates, patches, configuration changes, security fixes, performance improvements, version changes, deprecations, or migration requirements for the Mudra Gateway.

Customers are responsible for applying updates to Customer-managed or self-hosted Gateway deployments unless MudraID expressly agrees otherwise in writing.

MudraID may require Customers to upgrade, patch, rotate credentials, change configuration, or stop using outdated Gateway versions where MudraID reasonably believes continued use creates security, compliance, operational, compatibility, or service-integrity risk.

MudraID is not responsible for vulnerabilities, failures, incompatibilities, downtime, data exposure, security incidents, or performance issues caused by Customer failure to apply updates, use supported versions, follow migration instructions, or maintain Customer-managed deployments.

9.11 Emergency Gateway Actions

MudraID may take emergency action affecting the Mudra Gateway where MudraID reasonably believes such action is necessary to protect MudraID, Customers, third parties, the Services, infrastructure, security, legal compliance, or service integrity.

Emergency action may include:

a. disabling Gateway functionality;
b. blocking or throttling traffic;
c. revoking tokens;
d. disabling credentials;
e. changing verification behavior;
f. invalidating cached data;
g. requiring configuration changes;
h. disabling a Gateway deployment;
i. suspending a domain, Bot, account, or integration;
j. applying temporary security rules;
k. restricting API access;
l. requiring immediate upgrade or key rotation.

MudraID may take emergency action with or without prior notice.

MudraID is not liable for reasonable emergency action taken in good faith to protect security, legal compliance, operational reliability, or service integrity.

9.12 Customer Monitoring and Testing

Customers must test and monitor the Mudra Gateway before and after production deployment.

Customers are responsible for:

a. validating token verification behavior;
b. testing allow and block rules;
c. testing trust-level thresholds;
d. testing fallback behavior;
e. testing origin routing;
f. testing DNS and TLS configuration;
g. monitoring latency and availability;
h. monitoring false accepts and false rejects;
i. reviewing logs and alerts;
j. updating policies as risks change;
k. maintaining a rollback or bypass plan;
l. training relevant technical teams.

MudraID is not responsible for harm caused by Customer failure to test, monitor, update, review, or maintain the Mudra Gateway or related policies.

9.13 No Responsibility for Customer Origin Systems

The Mudra Gateway may forward traffic to Customer origin systems, hosting environments, APIs, cloud services, static-site platforms, CDNs, or other infrastructure.

Customers are solely responsible for securing and maintaining their origin systems.

Customers must not rely on the Mudra Gateway as the only security control unless the Customer has independently determined that such configuration is appropriate for its risk profile.

MudraID is not responsible for origin exposure, origin compromise, direct-to-origin bypass, insecure origin configuration, weak authentication, missing authorization checks, insecure APIs, excessive permissions, vulnerable applications, data leaks, or Customer infrastructure failures.

9.14 Third-Party Infrastructure and Dependencies

Gateway performance and behavior may depend on third-party infrastructure, including hosting providers, cloud providers, CDN providers, DNS providers, registrar services, certificate authorities, network providers, monitoring systems, identity providers, analytics tools, and Customer-selected vendors.

MudraID is not responsible for third-party outages, security incidents, configuration changes, service limitations, rate limits, DNS propagation delays, certificate failures, routing failures, network congestion, hosting misconfiguration, or other third-party issues.

Customers are responsible for reviewing and complying with any third-party terms that apply to their Gateway deployment or traffic routing.

9.15 No Gateway Security Guarantee

The Mudra Gateway is designed to assist with token verification and Bot access-policy enforcement. It does not guarantee complete protection against all security threats.

MudraID does not guarantee that the Mudra Gateway will detect, prevent, block, or stop all malicious Bots, unwanted Bots, scraping, credential attacks, denial-of-service attacks, bypass attempts, origin attacks, data extraction, fraud, spam, malware, phishing, token replay, impersonation, unauthorized access, or harmful traffic.

Customers remain responsible for maintaining appropriate layered security controls, including authentication, authorization, rate limiting, bot management, firewall rules, origin protection, monitoring, alerting, backups, incident response, data protection, and legal compliance.

9.16 Gateway Indemnity

Customers are responsible for claims, losses, damages, penalties, costs, and expenses arising from or relating to:

a. Customer deployment of the Mudra Gateway;
b. Customer Gateway configuration;
c. Customer access policies;
d. traffic routing decisions;
e. blocked, throttled, challenged, redirected, modified, or forwarded traffic;
f. Customer infrastructure;
g. Customer origin systems;
h. Customer DNS, CDN, TLS, hosting, or cloud configuration;
i. Customer failure to provide required notices, consents, or legal basis;
j. Customer failure to comply with laws, contracts, or third-party terms;
k. Customer reliance on Gateway outputs beyond their intended purpose;
l. false accepts or false rejects;
m. security incidents caused by Customer-side configuration or infrastructure.

MudraID may seek indemnification and other remedies as provided in these Terms where Customer Gateway use, configuration, deployment, or related decisions create liability, harm, or claims against MudraID or third parties.

10. Trust Scores, Trust Levels, and Reputation Data

10.1 Purpose of Trust Scores and Trust Levels

MudraID may provide Trust Scores, Trust Levels, reputation indicators, risk signals, abuse indicators, registration status, verification status, policy status, or related trust information to help Customers make more informed decisions about Bots, AI Agents, accounts, websites, APIs, applications, integrations, tokens, messages, or interactions.

Trust Scores and Trust Levels are intended to support risk-based decision-making. They are not absolute judgments, legal determinations, safety guarantees, security certifications, compliance certifications, endorsements, insurance, approvals, or promises of future behavior.

Customers and third parties remain responsible for making their own access-control, authorization, security, legal, compliance, operational, and business decisions.

10.2 Nature of Trust and Reputation Data

Trust and reputation data may include, without limitation:

a. Trust Scores;
b. Trust Levels;
c. registration status;
d. verification status;
e. token status;
f. key status;
g. abuse indicators;
h. risk categories;
i. policy flags;
j. suspension or revocation status;
k. historical activity signals;
l. usage patterns;
m. gateway decision signals;
n. website-owner reports;
o. Bot developer responses;
p. manual review outcomes;
q. automated risk indicators;
r. other information made available through the Services.

MudraID determines the format, meaning, availability, visibility, weighting, retention, update frequency, and display of trust and reputation data.

10.3 Inputs Used for Trust Scoring

Trust Scores, Trust Levels, and reputation indicators may be based on one or more available inputs, including:

a. Bot registration information;
b. Customer verification information;
c. organization information;
d. public-key records;
e. token issuance activity;
f. verification activity;
g. API usage patterns;
h. gateway activity;
i. abuse reports;
j. website-owner feedback;
k. third-party complaints;
l. user reports;
m. security signals;
n. credential compromise indicators;
o. policy violations;
p. historical behavior;
q. manual review;
r. automated analysis;
s. service-integrity signals;
t. legal or regulatory requests;
u. other data reasonably available to MudraID.

MudraID is not required to use all possible inputs, disclose all inputs, verify all inputs independently, or explain all scoring methods, thresholds, weights, security signals, abuse-detection logic, or review processes.

10.4 Automated and Manual Review

MudraID may use automated systems, manual review, human moderation, rule-based systems, machine-learning models, risk scoring, abuse-detection tools, third-party signals, internal security processes, or a combination of these methods to generate, update, review, or act on trust and reputation data.

Automated and manual review processes may produce errors, false positives, false negatives, delays, inconsistencies, incomplete conclusions, or disputed outcomes.

MudraID does not guarantee that any Trust Score, Trust Level, risk signal, abuse indicator, or review outcome will be accurate, complete, current, fair, consistent, explainable, or free from error.

10.5 Mutable Nature of Trust Scores

Trust Scores, Trust Levels, reputation indicators, registration status, verification status, token status, and policy status may change at any time.

Changes may occur due to:

a. new information;
b. abuse reports;
c. security incidents;
d. credential compromise;
e. Customer behavior;
f. Bot behavior;
g. token activity;
h. gateway activity;
i. verification activity;
j. account review;
k. manual review;
l. automated review;
m. policy changes;
n. legal or regulatory requirements;
o. third-party complaints;
p. system updates;
q. scoring model updates;
r. correction of errors;
s. operational needs;
t. service-integrity concerns.

MudraID may increase, decrease, hide, remove, suspend, freeze, or otherwise modify trust and reputation data at any time where MudraID reasonably believes such action is appropriate.

10.6 No Guarantee of Accuracy or Completeness

Trust Scores, Trust Levels, and reputation indicators are based on available information and may be incomplete, delayed, inaccurate, stale, disputed, cached, or unavailable.

MudraID does not guarantee that trust and reputation data:

a. reflects all relevant facts;
b. reflects current Bot behavior;
c. reflects future Bot behavior;
d. has been independently verified;
e. is free from errors;
f. is suitable for every Customer use case;
g. is legally sufficient for any compliance purpose;
h. will identify all harmful Bots;
i. will clear all legitimate Bots;
j. will prevent all abuse;
k. will protect against all losses.

Customers use trust and reputation data at their own risk.

10.7 No Certification, Endorsement, or Approval

A Trust Score, Trust Level, high rating, verified status, public-key record, token issuance, successful verification, or registration status does not mean that MudraID certifies, endorses, sponsors, approves, audits, guarantees, insures, recommends, or accepts responsibility for any Bot, Customer, website, API, application, integration, organization, transaction, message, or interaction.

Customers must not represent or imply that MudraID has certified, endorsed, approved, audited, guaranteed, or insured a Bot, Customer, website, API, application, integration, organization, transaction, message, or interaction unless MudraID has expressly authorized that representation in writing.

10.8 Customer Reliance on Trust Scores

Customers are solely responsible for determining how to use Trust Scores, Trust Levels, reputation indicators, registration status, verification status, and related data.

Customers are responsible for deciding:

a. whether to allow, block, throttle, challenge, monitor, report, or restrict a Bot;
b. what minimum Trust Level to require;
c. whether to rely on cached or live trust data;
d. whether additional authentication, authorization, consent, legal review, or security controls are required;
e. whether a Bot should be permitted to access a particular website, API, system, account, dataset, or workflow;
f. how to handle disputed, unavailable, stale, or conflicting trust data.

MudraID is not responsible for Customer reliance on trust data, Customer access decisions, Customer policy design, Customer business decisions, or Customer failure to apply independent judgment.

10.9 False Positives and False Negatives

Customers acknowledge that trust and reputation systems may produce false positives and false negatives.

A false positive may occur where a Bot, Customer, account, token, message, or interaction is classified as risky, abusive, low-trust, suspicious, or non-compliant even if it is later found to be legitimate.

A false negative may occur where a Bot, Customer, account, token, message, or interaction is classified as trusted, verified, low-risk, or acceptable even if it is later found to be harmful, abusive, unauthorized, unlawful, compromised, or non-compliant.

MudraID does not guarantee that trust and reputation systems will eliminate false positives, false negatives, inaccurate scores, incorrect classifications, incorrect downgrades, incorrect upgrades, or disputed trust outcomes.

10.10 Downgrades, Suspensions, and Revocations

MudraID may downgrade, suspend, revoke, hide, restrict, freeze, or remove Trust Scores, Trust Levels, registration status, verification status, token eligibility, Public Key Directory visibility, API access, or related features where MudraID reasonably believes such action is necessary or appropriate.

Reasons may include:

a. abuse reports;
b. suspected Bot misuse;
c. suspected credential compromise;
d. suspected Private Key compromise;
e. inaccurate or misleading metadata;
f. unauthorized registration;
g. policy violations;
h. harmful traffic;
i. scraping or data abuse concerns;
j. fraud, spam, malware, phishing, or unauthorized access concerns;
k. legal or regulatory requests;
l. third-party complaints;
m. Customer failure to cooperate;
n. payment issues;
o. security incidents;
p. reputational risk;
q. operational risk;
r. service-integrity risk;
s. any other reason permitted by these Terms.

MudraID may act with or without prior notice depending on the nature and urgency of the risk.

MudraID is not liable for reasonable actions taken in good faith to protect Customers, third parties, the Services, MudraID, security, legal compliance, or service integrity.

10.11 Appeals and Review

MudraID may, but is not required to, provide a process for Customers or Bot Developers to request review of certain trust-related decisions, suspensions, revocations, downgrades, or abuse findings.

Any review process may require the requesting party to provide information, documents, logs, technical evidence, ownership evidence, security evidence, remediation steps, or other materials requested by MudraID.

Submission of a review request does not guarantee restoration, upgrade, reversal, reinstatement, publication, explanation, refund, service credit, or any particular outcome.

MudraID may decline to review, delay review, limit review, or refuse to disclose detailed reasoning where disclosure could compromise security, abuse prevention, fraud detection, legal compliance, third-party privacy, investigation methods, proprietary systems, or service integrity.

10.12 Abuse Reports and Third-Party Signals

MudraID may receive and use abuse reports, complaints, security reports, website-owner reports, third-party notices, regulatory communications, law-enforcement communications, automated signals, customer feedback, or other information relating to Bots, Customers, websites, APIs, tokens, keys, or interactions.

MudraID may consider such information in trust scoring, investigations, enforcement, product improvement, customer support, legal compliance, and abuse prevention.

MudraID is not required to independently verify every report or signal before using it for risk assessment, temporary restriction, investigation, or protective action.

MudraID may reject, ignore, remove, investigate, share, or act on reports at its discretion, subject to applicable law.

10.13 Publication and Visibility of Trust Data

MudraID may make certain trust and reputation data visible to Customers, Bot Developers, Website Owners, verified users, the Public Key Directory, APIs, dashboards, gateway tools, or other supported interfaces.

MudraID may limit or control visibility based on account type, role, Service Plan, authorization, privacy, security, legal requirements, operational needs, or product design.

MudraID may remove, hide, delay, restrict, summarize, aggregate, or modify displayed trust data where MudraID reasonably believes such action is appropriate.

Customers must not scrape, republish, resell, redistribute, rank, profile, defame, misuse, or make misleading claims based on trust and reputation data except as expressly permitted by MudraID.

10.14 Customer Submissions Affecting Trust Data

Customers may submit information that affects trust and reputation data, including Bot metadata, website metadata, abuse reports, security reports, ownership information, use-case descriptions, remediation evidence, or appeal materials.

Customers represent and warrant that all such submissions are accurate, lawful, current, complete to the best of their knowledge, and not misleading.

Customers must not submit false, malicious, retaliatory, defamatory, fraudulent, automated, spam, or abusive reports or materials.

Customers are responsible for claims, losses, damages, penalties, costs, and expenses arising from false, misleading, unlawful, defamatory, or abusive submissions.

10.15 Confidentiality of Scoring Methods

MudraID’s trust scoring methods, abuse-detection methods, risk models, thresholds, rules, weighting systems, internal signals, investigation methods, security logic, fraud-detection logic, and enforcement processes are confidential and proprietary to MudraID.

MudraID is not required to disclose such methods except where required by applicable law.

Customers must not attempt to reverse engineer, extract, bypass, manipulate, probe, game, or evade MudraID’s trust scoring, risk scoring, abuse detection, fraud detection, verification, or enforcement systems.

10.16 Manipulation of Trust Scores

Customers must not attempt to manipulate, artificially inflate, suppress, bypass, or game Trust Scores, Trust Levels, reputation indicators, verification status, abuse indicators, or related data.

Prohibited conduct includes, without limitation:

a. submitting false or misleading information;
b. creating fake usage patterns;
c. generating artificial token activity;
d. submitting false abuse reports;
e. coordinating deceptive reports;
f. using multiple accounts to evade restrictions;
g. rotating Bot identities to avoid enforcement;
h. hiding ownership or control;
i. misrepresenting use cases;
j. evading rate limits or policy controls;
k. attempting to influence trust data through fraud, spam, deception, or technical abuse.

MudraID may suspend, revoke, downgrade, terminate, or take other enforcement action where MudraID reasonably believes trust manipulation has occurred.

10.17 Legal and Compliance Use

Trust Scores, Trust Levels, and reputation indicators are not legal advice, compliance advice, cybersecurity certification, regulatory approval, audit evidence, or professional advice.

Customers are responsible for determining whether any use of trust or reputation data satisfies their legal, regulatory, contractual, security, risk-management, procurement, audit, insurance, or compliance requirements.

Customers should not rely solely on MudraID trust data for high-risk, regulated, safety-critical, financial, legal, medical, employment, law-enforcement, or other sensitive decisions unless expressly permitted by MudraID in writing and supported by appropriate independent controls.

10.18 Indemnity for Trust Data Use

Customers are responsible for claims, losses, damages, penalties, costs, and expenses arising from or relating to:

a. Customer reliance on Trust Scores, Trust Levels, or reputation data;
b. Customer access decisions based on trust data;
c. Customer publication, republication, sharing, misuse, or misinterpretation of trust data;
d. Customer-submitted abuse reports or trust-related submissions;
e. Customer attempts to manipulate trust data;
f. Customer claims that a Bot, Customer, website, API, or integration was certified, endorsed, approved, or guaranteed by MudraID without written authorization;
g. Customer use of trust data in violation of law, contract, third-party rights, or these Terms.

MudraID may seek indemnification and other remedies as provided in these Terms where Customer use, misuse, reliance, submission, or publication of trust and reputation data creates liability, harm, or claims against MudraID or third parties.

11. Public Key Directory and Bot-to-Bot Verification

11.1 Public Key Directory Description

MudraID may provide a Public Key Directory to support identity verification, token verification, signed-message verification, bot-to-bot verification, registration status checks, trust lookups, and related cryptographic verification use cases.

The Public Key Directory may include information such as:

a. Bot identifiers;
b. registered Public Keys;
c. key identifiers;
d. supported algorithms;
e. registration status;
f. Trust Scores or Trust Levels;
g. Bot metadata;
h. owner or developer metadata;
i. key status;
j. revocation status;
k. timestamps;
l. other information made available by MudraID.

MudraID determines what information is included, displayed, withheld, limited, modified, removed, or made available through the Public Key Directory.

11.2 Purpose and Limitations of the Public Key Directory

The Public Key Directory is intended to help Customers and supported systems verify whether a Public Key, Bot identifier, or related record appears to be associated with a Registered Bot or supported integration.

The Public Key Directory does not guarantee that:

a. a Bot is safe;
b. a Bot is lawful;
c. a Bot is non-malicious;
d. a Bot’s current behavior is authorized;
e. a Bot has permission to access a particular website, API, system, account, dataset, or workflow;
f. a Bot’s owner is trustworthy;
g. a Bot’s metadata is complete or current;
h. a Bot’s Private Key has not been compromised;
i. a signed message is true, accurate, complete, safe, lawful, or suitable for any purpose;
j. the Bot will behave properly in the future.

Customers and relying parties remain responsible for their own verification, authorization, security, compliance, and risk decisions.

11.3 Customer Responsibility for Public Keys

Customers are solely responsible for generating, registering, maintaining, rotating, validating, and protecting Public Keys and corresponding Private Keys used with MudraID.

Customers must ensure that each Public Key submitted to MudraID is:

a. technically valid;
b. associated with the correct Bot, Customer, application, or integration;
c. lawfully controlled by the Customer;
d. not misleading;
e. not associated with an unauthorized or impersonating Bot;
f. updated or removed when no longer valid;
g. rotated when required or appropriate.

MudraID is not responsible for incorrect, outdated, weak, unauthorized, misleading, or improperly registered Public Keys submitted by Customers.

11.4 Private-Key Security

Customers are solely responsible for protecting all Private Keys corresponding to Public Keys registered with MudraID.

Customers must use reasonable and appropriate security measures to protect Private Keys, including secure generation, secure storage, restricted access, secret management, hardware or managed key protection where appropriate, monitoring, rotation, and prompt revocation of compromised keys.

Customers must not expose Private Keys in public repositories, browser-side code, mobile apps without appropriate protection, logs, screenshots, documentation, support requests, analytics tools, build systems, containers, serverless functions, or other insecure locations.

MudraID does not store, control, recover, or protect Customer Private Keys unless expressly agreed otherwise in writing.

MudraID is not responsible for Bot impersonation, unauthorized signatures, token misuse, signed-message misuse, Public Key Directory misuse, data exposure, unauthorized access, or other harm caused by compromised, lost, stolen, exposed, weak, reused, or mishandled Customer Private Keys.

11.5 Key Rotation and Revocation

Customers must rotate or revoke Public Keys and corresponding Private Keys when required by the Documentation, an Order Form, Service Plan, security notice, or reasonable security practice.

Customers must promptly rotate or revoke keys if:

a. a Private Key is compromised or suspected to be compromised;
b. a Public Key was incorrectly registered;
c. a Bot changes ownership or operator;
d. a Bot is discontinued;
e. a Bot’s security posture changes materially;
f. an administrator, developer, contractor, or service provider with access to the Private Key leaves or no longer needs access;
g. MudraID reasonably requires rotation or revocation for security, compliance, abuse prevention, or service-integrity reasons.

MudraID may suspend, remove, hide, revoke, or require re-verification of Public Keys where MudraID reasonably believes such action is necessary or appropriate.

11.6 Directory Access

MudraID may allow Customers, Bots, websites, APIs, systems, or third parties to access the Public Key Directory through dashboards, APIs, SDKs, gateway components, metadata endpoints, or other supported interfaces.

MudraID may apply access controls, authentication requirements, rate limits, caching rules, query limits, visibility limits, logging, monitoring, usage restrictions, or other controls to Public Key Directory access.

MudraID may restrict, suspend, throttle, block, or terminate Public Key Directory access where MudraID reasonably believes access is abusive, excessive, unlawful, automated in an unauthorized manner, harmful, misleading, privacy-invasive, competitive misuse, or risky to MudraID, Customers, third parties, or the Services.

11.7 Prohibited Use of the Public Key Directory

Customers must not use the Public Key Directory to:

a. scrape, harvest, copy, republish, resell, redistribute, or build a competing database except as expressly permitted by MudraID;
b. identify, profile, target, harass, defame, spam, attack, or exploit Bot Developers, Customers, websites, APIs, organizations, or third parties;
c. bypass rate limits, access controls, authentication controls, visibility restrictions, or security protections;
d. infer, reverse engineer, manipulate, evade, or game MudraID’s trust scoring, risk scoring, directory structure, security logic, or enforcement systems;
e. misrepresent Public Key Directory data as a certification, endorsement, approval, guarantee, or audit by MudraID;
f. use directory data for unlawful, deceptive, discriminatory, abusive, harmful, or unauthorized purposes;
g. use directory data in violation of privacy laws, data-protection laws, contracts, third-party rights, or these Terms.

MudraID may restrict or terminate access to the Public Key Directory if MudraID reasonably believes prohibited use has occurred.

11.8 Bot-to-Bot Verification

MudraID may support bot-to-bot verification by enabling one Bot, application, system, or Customer to retrieve or use another Bot’s Public Key, registration status, trust information, or related metadata for the purpose of verifying signed messages or identity claims.

Bot-to-bot verification may help determine whether a message appears to have been signed using a Private Key corresponding to a Public Key associated with a Registered Bot.

Bot-to-bot verification does not guarantee that:

a. the message content is true;
b. the message content is safe;
c. the message content is complete;
d. the message content is lawful;
e. the message content is free from malware, harmful instructions, prompt injection, fraud, or manipulation;
f. the signing Bot was authorized to send the message;
g. the signing Bot has permission to access or share the data in the message;
h. the signing Bot has not been compromised;
i. the recipient Bot should act on the message;
j. the interaction complies with law, contract, platform rules, or user permissions.

Customers remain responsible for their own bot-to-bot authorization, message validation, content filtering, consent, policy enforcement, data handling, and security controls.

11.9 Signed Messages

Customers may use Public Keys, Private Keys, signatures, or MudraID-supported verification methods to sign and verify messages, requests, payloads, events, or communications.

Customers are solely responsible for:

a. determining what messages should be signed;
b. determining what signature algorithm to use where options are available;
c. protecting signing materials;
d. validating signatures correctly;
e. validating message freshness, timestamp, nonce, audience, scope, source, destination, and context where appropriate;
f. preventing replay attacks;
g. validating message content;
h. enforcing authorization rules;
i. storing signed messages securely;
j. complying with applicable laws and third-party obligations.

MudraID is not responsible for Customer-side message signing errors, verification errors, replay vulnerabilities, unsafe message handling, incorrect authorization, or reliance on signed messages beyond their intended purpose.

11.10 Message Content and Bot Output

MudraID does not control and is not responsible for the content, accuracy, legality, safety, reliability, completeness, confidentiality, confidentiality classification, intellectual-property status, privacy status, or consequences of messages, prompts, outputs, instructions, actions, decisions, or data exchanged between Bots or systems.

A valid signature or successful verification means only that certain cryptographic checks appear to have passed. It does not mean that MudraID reviewed, approved, verified, endorsed, or accepted responsibility for the content of the message or any resulting action.

Customers are responsible for reviewing, filtering, validating, logging, and controlling Bot messages and outputs where appropriate.

11.11 Metadata Visibility and Privacy

The Public Key Directory may expose or make available certain Bot metadata, Customer metadata, Public Keys, key identifiers, trust information, registration information, or related records.

Customers are responsible for determining what information they submit to MudraID and whether that information may be published, shared, displayed, or made discoverable through the Services.

Customers must not submit confidential, sensitive, regulated, personal, proprietary, or restricted information for directory publication unless they have the right and lawful basis to do so and accept the associated risks.

MudraID may remove, redact, restrict, delay, hide, or modify metadata visibility where MudraID reasonably believes such action is appropriate for security, privacy, legal compliance, abuse prevention, or service integrity.

11.12 Directory Data Accuracy

MudraID may rely on Customer-submitted information when maintaining Public Key Directory records.

MudraID does not guarantee that Public Key Directory data is accurate, complete, current, verified, continuously available, error-free, or suitable for any specific purpose.

Customers are responsible for notifying MudraID promptly of errors, outdated keys, incorrect metadata, unauthorized records, compromise events, ownership changes, or other issues affecting Public Key Directory accuracy.

MudraID may correct, remove, hide, restrict, or update directory records at its discretion.

11.13 Public Key Directory Availability

MudraID does not guarantee uninterrupted availability of the Public Key Directory unless expressly provided in an applicable SLA.

Directory access may be unavailable, delayed, rate limited, degraded, cached, restricted, or modified due to maintenance, outages, security incidents, high traffic, abuse prevention, third-party dependencies, legal requirements, operational needs, or service changes.

Customers are responsible for designing integrations that safely handle Public Key Directory unavailability, stale records, rate limits, errors, key rotation, and verification failures.

11.14 No Private-Key Custody

Unless expressly agreed in a separate written agreement, MudraID does not provide custody, escrow, backup, recovery, or management of Customer Private Keys.

Customers are solely responsible for creating, storing, securing, backing up, rotating, revoking, and recovering their Private Keys.

Loss of a Private Key may result in inability to sign messages, authenticate Bot identity, verify historical signatures, or maintain continuity of Bot identity. MudraID is not responsible for such consequences.

11.15 Directory and Bot-to-Bot Verification Indemnity

Customers are responsible for claims, losses, damages, penalties, costs, and expenses arising from or relating to:

a. Customer-submitted Public Keys;
b. incorrect or outdated Public Keys;
c. compromised, lost, stolen, weak, or exposed Private Keys;
d. Bot impersonation caused by Customer-side key compromise;
e. Customer misuse of Public Key Directory data;
f. Customer reliance on Public Key Directory data;
g. Customer bot-to-bot verification logic;
h. signed messages sent or received by Customer Bots;
i. Customer failure to validate message content, authorization, freshness, or context;
j. Customer publication or misuse of directory metadata;
k. Customer violation of privacy, data-protection, intellectual-property, contract, platform, or third-party rights.

MudraID may seek indemnification and other remedies as provided in these Terms where Customer use of the Public Key Directory, Public Keys, Private Keys, signed messages, or bot-to-bot verification creates liability, harm, or claims against MudraID or third parties.

12. Acceptable Use Policy

12.1 General Acceptable Use Requirement

Customers must use MudraID only for lawful, authorized, secure, and legitimate purposes.

Customers must not use, allow, enable, assist, or encourage the use of MudraID in any way that violates these Terms, the Documentation, any applicable Order Form, any applicable Service Plan, the Privacy Policy, any applicable Data Processing Addendum, any applicable Service Level Agreement, any product-specific addendum, applicable law, third-party rights, third-party platform terms, website terms, API terms, or industry security rules.

Customers are responsible for ensuring that their employees, contractors, administrators, developers, Bots, AI Agents, websites, APIs, applications, integrations, and End Users comply with this Acceptable Use Policy.

MudraID may suspend, restrict, revoke, downgrade, block, throttle, terminate, or take other enforcement action if MudraID reasonably believes that a Customer, Bot, website, API, integration, token, key, account, request, or activity violates this Acceptable Use Policy or creates legal, security, fraud, abuse, compliance, operational, reputational, or service-integrity risk.

12.2 Prohibited Illegal or Harmful Use

Customers must not use MudraID to engage in, facilitate, support, conceal, authenticate, verify, legitimize, or enable any unlawful, harmful, abusive, deceptive, fraudulent, or unauthorized activity.

Prohibited activities include, without limitation:

a. violation of applicable laws or regulations;
b. unauthorized access to websites, APIs, systems, accounts, networks, devices, applications, data, or services;
c. theft, misuse, exfiltration, scraping, harvesting, or unlawful processing of data;
d. fraud, scams, phishing, social engineering, impersonation, or deceptive activity;
e. malware, ransomware, spyware, credential theft, botnets, exploit deployment, or malicious code;
f. spam, abusive automation, fake engagement, manipulation, or platform abuse;
g. denial-of-service activity, service disruption, overload, stress testing without authorization, or traffic flooding;
h. evasion of security controls, access controls, rate limits, paywalls, consent systems, verification systems, or abuse-detection systems;
i. unauthorized surveillance, tracking, profiling, or monitoring;
j. harassment, threats, intimidation, doxxing, or targeted abuse;
k. activities that violate intellectual-property rights, privacy rights, publicity rights, contractual rights, or other third-party rights;
l. activities that create material risk of harm to MudraID, Customers, users, third parties, infrastructure, websites, APIs, or the public.

MudraID may determine, in its reasonable judgment, whether use is harmful, abusive, deceptive, unauthorized, or risky.

12.3 No Impersonation or Misrepresentation

Customers must not use MudraID to impersonate, misrepresent, or falsely suggest association with any person, company, organization, government body, platform, website, API, Bot, AI Agent, product, service, brand, trademark, or third party.

Customers must not:

a. register a Bot using false or misleading identity information;
b. register a website, API, domain, or service without proper authority;
c. upload a Public Key for a Bot, application, or system the Customer does not own, control, or have authority to manage;
d. request Mudra Tokens for an unauthorized Bot or integration;
e. use Mudra Tokens to misrepresent identity, authority, trust status, certification, endorsement, approval, or compliance;
f. claim that MudraID has endorsed, certified, approved, audited, insured, or guaranteed a Bot, website, API, Customer, integration, message, transaction, or organization without MudraID’s express written authorization;
g. conceal Bot ownership, Bot purpose, Bot operator, or Bot behavior in a misleading way.

MudraID may suspend, revoke, remove, or downgrade any Bot, account, token, key, website, API, or integration associated with impersonation or misrepresentation.

12.4 No Credential, Key, or Token Abuse

Customers must not misuse API Credentials, Client IDs, Client Secrets, API keys, access tokens, Mudra Tokens, Public Keys, Private Keys, certificates, signing materials, passwords, authentication factors, or other security credentials.

Prohibited credential, key, and token conduct includes, without limitation:

a. using stolen, leaked, forged, altered, expired, revoked, unauthorized, or improperly obtained credentials or tokens;
b. exposing, publishing, selling, transferring, renting, lending, or sharing credentials or tokens except as expressly permitted by MudraID;
c. embedding confidential credentials or Private Keys in public code, browser-side code, public repositories, insecure systems, screenshots, logs, documentation, or unsecured tools;
d. attempting to forge, alter, replay, bypass, decode, manipulate, or misuse Mudra Tokens;
e. using one Bot’s credentials or tokens for another Bot without authorization;
f. registering incorrect, unauthorized, misleading, or compromised Public Keys;
g. failing to revoke or rotate credentials after suspected compromise;
h. using credentials to exceed rate limits, evade billing, bypass service limits, or avoid enforcement.

MudraID may revoke, rotate, suspend, invalidate, or restrict credentials, keys, tokens, or related access where MudraID reasonably believes abuse, compromise, or risk has occurred.

12.5 No Unauthorized Bot Activity

Customers must not use MudraID to support Bots or AI Agents that engage in unauthorized, abusive, harmful, deceptive, or non-compliant activity.

Prohibited Bot activity includes, without limitation:

a. accessing websites, APIs, systems, accounts, or data without authorization;
b. ignoring or bypassing access restrictions, authentication systems, authorization systems, rate limits, robots.txt rules where legally or contractually applicable, or platform policies;
c. scraping, crawling, harvesting, or extracting data in violation of law, contract, website terms, API terms, privacy obligations, or third-party rights;
d. submitting forms, creating accounts, sending messages, generating traffic, or performing actions in a deceptive, abusive, or unauthorized manner;
e. performing automated purchasing, booking, voting, ranking, reviewing, posting, bidding, clicking, account creation, or engagement manipulation where not authorized;
f. interacting with users or systems while concealing that the interaction is automated where disclosure is legally or contractually required;
g. using MudraID verification to bypass reasonable website controls or platform rules;
h. causing excessive load, disruption, degradation, or interference with third-party systems.

MudraID is not responsible for monitoring every Bot action, but may take enforcement action when MudraID reasonably identifies prohibited Bot activity.

12.6 No Abuse of Websites, APIs, or Third-Party Systems

Customers must not use MudraID to attack, overload, disrupt, degrade, scan, exploit, bypass, or abuse websites, APIs, applications, systems, networks, devices, or services belonging to MudraID, Customers, or third parties.

Customers must not use MudraID to:

a. perform unauthorized vulnerability scanning;
b. perform unauthorized penetration testing;
c. perform unauthorized load testing;
d. perform denial-of-service activity;
e. exploit vulnerabilities;
f. bypass authentication or authorization;
g. evade rate limits or access controls;
h. test stolen credentials;
i. enumerate accounts, tokens, endpoints, keys, users, Bots, or systems without authorization;
j. interfere with normal service operation;
k. create traffic patterns designed to disrupt, degrade, or manipulate services.

MudraID may immediately restrict or terminate activity that appears to threaten service integrity or third-party systems.

12.7 No Harmful AI Agent Use

Customers must not use MudraID to enable or support AI Agents that cause or materially increase the risk of harm.

Prohibited harmful AI Agent use includes, without limitation:

a. autonomous or semi-autonomous actions that violate law or third-party rights;
b. unauthorized access to personal, confidential, proprietary, regulated, or sensitive data;
c. deception of users, websites, APIs, platforms, or systems regarding identity, authority, automation, or purpose;
d. generation or execution of harmful instructions, malware, phishing, fraud, harassment, or abuse;
e. unsafe automated decision-making in high-risk domains without appropriate human oversight, legal review, and safeguards;
f. attempts to manipulate trust systems, verification systems, security systems, financial systems, public services, or digital platforms;
g. use of MudraID identity or tokens to create false confidence in unsafe or unauthorized AI Agent behavior.

Customers are responsible for implementing appropriate human oversight, policy controls, safety measures, logging, review, and compliance processes for AI Agent activity.

12.8 No Trust Score or Reputation Manipulation

Customers must not manipulate, game, inflate, suppress, evade, or interfere with MudraID Trust Scores, Trust Levels, reputation indicators, abuse indicators, verification status, registration status, risk systems, or enforcement systems.

Prohibited conduct includes, without limitation:

a. submitting false registration information;
b. submitting false abuse reports;
c. creating fake usage patterns;
d. generating artificial token or verification activity;
e. rotating Bot identities to evade enforcement;
f. using multiple accounts to bypass restrictions;
g. hiding ownership or control;
h. misrepresenting Bot purpose or behavior;
i. coordinating deceptive reports;
j. probing or reverse engineering scoring thresholds;
k. attempting to bypass trust-level restrictions;
l. using third parties to do any of the above.

MudraID may downgrade, suspend, revoke, restrict, or terminate accounts, Bots, tokens, keys, trust data, or Services associated with trust manipulation.

12.9 No Public Key Directory Abuse

Customers must not misuse the Public Key Directory or related metadata services.

Prohibited conduct includes, without limitation:

a. scraping, harvesting, copying, republishing, reselling, or redistributing directory data except as expressly permitted by MudraID;
b. using directory data to target, harass, spam, attack, defame, profile, or exploit Customers, Bot Developers, websites, APIs, organizations, or third parties;
c. exceeding query limits or bypassing rate limits;
d. using directory data to reverse engineer MudraID’s trust, risk, security, or enforcement systems;
e. using directory data for unlawful, privacy-invasive, deceptive, or discriminatory purposes;
f. presenting directory data as proof of MudraID certification, endorsement, approval, or guarantee;
g. building a competing directory or trust database using MudraID data without express written authorization.

MudraID may limit, restrict, suspend, or terminate Public Key Directory access at any time for abuse prevention, privacy, security, legal, operational, or service-integrity reasons.

12.10 No Gateway Misuse

Customers must not use the Mudra Gateway in a way that is unlawful, unauthorized, deceptive, harmful, privacy-invasive, or inconsistent with these Terms.

Customers must not configure or deploy the Mudra Gateway to:

a. intercept traffic for websites, APIs, domains, applications, or services the Customer does not own, operate, or have authority to manage;
b. collect, log, expose, or process data without proper legal authority, notice, consent, or lawful basis;
c. capture credentials, payment data, health data, personal data, confidential data, or regulated data unlawfully;
d. misroute, redirect, block, throttle, or modify traffic in a deceptive or unlawful manner;
e. bypass security controls or platform rules;
f. conceal malicious, fraudulent, or abusive activity;
g. interfere with third-party systems;
h. violate hosting, DNS, cloud, CDN, platform, or network provider terms.

MudraID may suspend or disable Gateway functionality where MudraID reasonably believes misuse, unauthorized routing, unlawful processing, or security risk has occurred.

12.11 No High-Risk Use Without Written Approval

Customers must not use MudraID for high-risk use cases unless MudraID has expressly approved such use in writing and the Customer implements appropriate safeguards.

High-risk use cases may include, without limitation:

a. critical infrastructure;
b. emergency services;
c. medical diagnosis or treatment;
d. life-support systems;
e. aviation, transport, or industrial control systems;
f. nuclear, chemical, or hazardous operations;
g. law-enforcement decisions;
h. immigration, asylum, or border-control decisions;
i. financial credit, lending, insurance, or eligibility decisions;
j. employment, education, housing, or benefits eligibility decisions;
k. legally significant automated decision-making;
l. systems where failure may lead to death, personal injury, severe property damage, unlawful discrimination, or substantial legal harm.

MudraID is not designed to be the sole control for high-risk systems. Customers remain responsible for independent safety, legal, compliance, security, audit, and human-review controls.

12.12 No Regulated Data Misuse

Customers must not use MudraID to collect, transmit, store, verify, process, expose, or misuse regulated data unless permitted by their agreement with MudraID and applicable law.

Regulated data may include, without limitation:

a. payment card data;
b. financial account data;
c. health data;
d. biometric data;
e. government identification numbers;
f. children’s data;
g. precise geolocation data;
h. sensitive personal data;
i. confidential business data;
j. export-controlled data;
k. classified or restricted government data;
l. data subject to special legal or contractual protection.

Customers are responsible for determining whether their use of MudraID involves regulated data and for implementing all required legal, security, contractual, and technical safeguards.

12.13 No Reverse Engineering or Circumvention

Except to the extent prohibited by applicable law, Customers must not:

a. reverse engineer, decompile, disassemble, or attempt to derive source code from MudraID software, SDKs, gateway components, APIs, models, scoring systems, or security systems;
b. bypass, disable, interfere with, or circumvent any security, authentication, authorization, rate limit, billing, monitoring, logging, verification, trust, or access-control feature;
c. probe, scan, test, or exploit MudraID systems without written authorization;
d. access undocumented APIs or internal systems;
e. use automated tools to interfere with MudraID operations;
f. use MudraID to develop competing services through unauthorized copying, scraping, benchmarking, or reverse engineering.

12.14 No Misuse of MudraID Marks or Claims

Customers must not use MudraID names, logos, trademarks, badges, trust indicators, verification marks, certification language, or brand assets without MudraID’s prior written authorization.

Customers must not make misleading claims about MudraID or their use of MudraID, including claims that:

a. MudraID guarantees Bot safety;
b. MudraID guarantees website protection;
c. MudraID has approved or certified the Customer;
d. MudraID has audited a Bot or website;
e. MudraID accepts responsibility for Customer Bots or websites;
f. MudraID guarantees compliance with law;
g. MudraID guarantees prevention of malicious Bots, scraping, fraud, or abuse.

MudraID may require Customers to remove or correct any misleading reference to MudraID.

12.15 Fair Use, Rate Limits, and Service Integrity

Customers must use MudraID in a manner that does not interfere with service reliability, availability, performance, security, or fair use by other Customers.

MudraID may apply and enforce rate limits, usage limits, quotas, traffic limits, storage limits, verification limits, token issuance limits, Public Key Directory limits, Gateway limits, and other controls.

Customers must not attempt to bypass, evade, distribute around, or manipulate such limits.

MudraID may throttle, reject, block, suspend, or limit usage that exceeds applicable limits or creates risk to the Services, Customers, third parties, or MudraID.

12.16 Monitoring and Enforcement

MudraID may monitor, investigate, review, restrict, suspend, revoke, downgrade, remove, or terminate accounts, Bots, tokens, keys, websites, APIs, integrations, Gateway deployments, Public Key Directory access, Trust Scores, Trust Levels, or other features where MudraID reasonably believes there has been a violation of this Acceptable Use Policy or other risk.

MudraID may take enforcement action based on internal signals, automated systems, manual review, abuse reports, third-party complaints, legal requests, security reports, Customer feedback, or other available information.

MudraID is not required to provide prior notice, detailed explanation, evidence, scoring logic, complainant identity, internal security methods, or appeal rights where disclosure may create legal, security, privacy, abuse, fraud, operational, or service-integrity risk.

12.17 Reporting Abuse

Customers may report suspected abuse, security incidents, impersonation, token misuse, Bot misuse, Public Key Directory misuse, Gateway misuse, or other violations through MudraID’s supported reporting channels.

Reports must be submitted in good faith and must not be false, misleading, malicious, retaliatory, defamatory, automated, spam, or abusive.

MudraID may review, investigate, ignore, reject, share, escalate, or act on reports at its discretion, subject to applicable law.

Submitting a report does not guarantee that MudraID will take any particular action.

12.18 Customer Responsibility and Indemnity

Customers are responsible for all activity under their accounts and for all activity involving their Bots, websites, APIs, domains, applications, integrations, tokens, credentials, keys, Gateway configurations, Public Key Directory use, Trust Score submissions, and End Users.

Customers are responsible for claims, losses, damages, penalties, costs, and expenses arising from or relating to violations of this Acceptable Use Policy.

MudraID may seek indemnification and other remedies as provided in these Terms where Customer activity, Bot activity, website activity, API activity, Gateway use, credential misuse, token misuse, or other conduct creates liability, harm, or claims against MudraID or third parties.

13. Customer Data, Logs, and Privacy

13.1 Customer Data

“Customer Data” means data, content, information, metadata, configurations, records, keys, identifiers, domain information, Bot information, website information, API information, policy settings, logs, messages, requests, reports, or other materials submitted to, uploaded to, generated through, processed by, or stored in the Services by or on behalf of a Customer.

Customer Data may include, without limitation:

a. account information;
b. organization information;
c. administrator and user information;
d. Bot metadata;
e. website, API, domain, application, or service metadata;
f. Public Keys;
g. Gateway configuration;
h. access policies;
i. abuse reports;
j. support communications;
k. token request records;
l. verification request records;
m. Gateway logs;
n. Public Key Directory records;
o. trust-related submissions;
p. other information processed through the Services.

Customer Data does not include MudraID platform software, APIs, SDKs, models, algorithms, trust scoring methods, security systems, proprietary methods, aggregated data, anonymized data, de-identified data, Usage Data, Telemetry Data, or MudraID operational data, except where applicable law provides otherwise.

13.2 Customer Responsibility for Customer Data

Customers are solely responsible for Customer Data and for ensuring that Customer Data is accurate, lawful, appropriate, current, complete, and not misleading.

Customers represent and warrant that they have all rights, permissions, notices, consents, lawful bases, authorizations, and licenses required to submit, upload, register, transmit, disclose, process, store, use, publish, or make available Customer Data through MudraID.

Customers must not submit Customer Data that is unlawful, infringing, defamatory, deceptive, harmful, confidential without authorization, privacy-invasive, regulated without proper safeguards, or otherwise prohibited by these Terms.

MudraID is not responsible for reviewing all Customer Data for accuracy, legality, completeness, ownership, privacy compliance, security classification, or suitability.

13.3 License to Process Customer Data

Customers grant MudraID a worldwide, non-exclusive, royalty-free license to host, store, copy, process, transmit, display, publish where configured, analyze, use, modify, and create technical outputs from Customer Data as necessary or appropriate to:

a. provide the Services;
b. operate and maintain the platform;
c. issue and verify Mudra Tokens;
d. provide the Public Key Directory;
e. operate the Mudra Gateway;
f. generate logs and audit records;
g. provide Trust Scores, Trust Levels, and risk signals;
h. investigate abuse, security incidents, and policy violations;
i. enforce these Terms;
j. provide support;
k. comply with legal obligations;
l. prevent fraud, abuse, and security threats;
m. improve, secure, and develop the Services.

This license continues for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, enforce agreements, maintain security, investigate abuse, and protect MudraID, Customers, third parties, and the Services.

13.4 Usage Data and Telemetry Data

MudraID may collect, generate, process, and use Usage Data and Telemetry Data relating to use, operation, security, performance, availability, reliability, and improvement of the Services.

Usage Data and Telemetry Data may include, without limitation:

a. API request counts;
b. token issuance events;
c. token verification events;
d. response times;
e. error rates;
f. latency data;
g. rate-limit events;
h. Gateway decisions;
i. Public Key Directory lookup events;
j. feature usage;
k. traffic patterns;
l. abuse indicators;
m. trust signals;
n. security events;
o. diagnostic information;
p. system performance data;
q. billing and usage metrics.

MudraID may use Usage Data and Telemetry Data to operate, secure, monitor, improve, and support the Services; develop new features; calculate fees; enforce limits; detect fraud and abuse; investigate incidents; improve trust systems; and comply with legal obligations.

MudraID may use aggregated, anonymized, or de-identified data for analytics, benchmarking, product development, research, reporting, and business purposes, provided that such data does not identify the Customer or an individual where required by applicable law.

13.5 Token Request Logs

MudraID may generate and retain logs relating to token requests, token issuance, token denial, token revocation, token expiration, credential use, Client ID use, Bot identifiers, timestamps, request metadata, response metadata, error codes, and related security or operational events.

Token request logs may be used for:

a. security monitoring;
b. abuse detection;
c. fraud prevention;
d. billing;
e. troubleshooting;
f. trust scoring;
g. audit support;
h. incident investigation;
i. enforcement of these Terms;
j. service improvement;
k. legal compliance.

MudraID does not guarantee that token request logs will capture every token event, remain available indefinitely, be error-free, or satisfy every Customer audit, legal, regulatory, or evidentiary requirement.

13.6 Verification Logs

MudraID may generate and retain logs relating to token verification, JWKS usage, verification API calls, verification outcomes, Trust Score lookups, Trust Level lookups, Bot registration checks, revocation checks, Public Key Directory lookups, timestamps, request metadata, response metadata, error codes, and related events.

Verification logs may be incomplete, delayed, cached, aggregated, truncated, unavailable, or subject to retention limits.

Customers are responsible for maintaining their own verification logs, access logs, security logs, compliance records, and audit evidence where required for their own business, security, contractual, or legal purposes.

13.7 Gateway Logs

Where the Mudra Gateway is used, MudraID or the Customer may generate logs relating to traffic, request metadata, token presence, token verification, policy decisions, allowed requests, blocked requests, throttled requests, challenged requests, routing decisions, errors, latency, Gateway health, source information, Bot identifiers, trust information, and related events.

Depending on the deployment model, Gateway logs may be stored by MudraID, the Customer, a cloud provider, an edge provider, a hosting provider, or another third-party system.

Customers are responsible for configuring Gateway logging appropriately and lawfully.

Customers must not configure Gateway logging in a way that unlawfully captures, exposes, stores, or transmits sensitive information, personal data, payment data, health data, authentication credentials, confidential data, regulated data, or third-party data.

MudraID is not responsible for Customer-side Gateway log configuration, Customer-side log retention, Customer-side log access, Customer-side log security, or third-party logging infrastructure.

13.8 Abuse Reports and Security Data

MudraID may receive, generate, process, retain, and use abuse reports, security reports, third-party complaints, website-owner reports, Bot developer responses, trust submissions, incident reports, fraud indicators, risk signals, enforcement records, and related security data.

MudraID may use such data to:

a. investigate abuse;
b. detect security threats;
c. enforce these Terms;
d. update Trust Scores or Trust Levels;
e. suspend or revoke Bots, tokens, keys, accounts, integrations, or Gateway access;
f. protect Customers, third parties, MudraID, and the Services;
g. improve risk detection;
h. comply with legal obligations;
i. cooperate with legal or regulatory requests where required or permitted by law.

MudraID is not required to disclose all abuse reports, complainant identities, investigation details, internal security data, scoring methods, enforcement logic, or risk signals where disclosure may create legal, security, fraud, privacy, abuse, operational, or service-integrity risk.

13.9 Personal Data

MudraID may process personal data in connection with account registration, user administration, support, billing, security, logs, abuse reports, Gateway operation, verification activity, and related Services.

MudraID’s handling of personal data is described in the MudraID Privacy Policy and, where applicable, the Data Processing Addendum.

Customers are responsible for determining whether their use of the Services involves personal data and for ensuring that they have all required notices, consents, lawful bases, contracts, data-processing terms, cross-border transfer mechanisms, and security measures required by applicable data-protection law.

Customers must not submit or process personal data through MudraID unless they have the right and lawful basis to do so.

13.10 Data Processing Addendum

Where MudraID processes personal data on behalf of a Customer as a processor, service provider, or equivalent role under applicable data-protection law, the Data Processing Addendum applies.

Where MudraID processes personal data as an independent controller, business, or equivalent role, such processing is governed by the Privacy Policy and applicable law.

If there is a conflict between these Terms and the Data Processing Addendum regarding processing of personal data on behalf of the Customer, the Data Processing Addendum controls only for that personal data processing matter.

Customers are responsible for entering into a Data Processing Addendum with MudraID where required by applicable law or their own compliance obligations.

13.11 Sensitive and Regulated Data

Unless expressly permitted in writing by MudraID, Customers must not submit, route, log, store, expose, or process sensitive or regulated data through the Services beyond what is necessary for the intended use of the Services.

Sensitive or regulated data may include, without limitation:

a. payment card data;
b. bank account data;
c. health data;
d. biometric data;
e. children’s data;
f. government identification numbers;
g. precise geolocation data;
h. special-category personal data;
i. criminal records data;
j. export-controlled data;
k. classified or restricted government data;
l. authentication credentials;
m. secrets or Private Keys;
n. confidential third-party data;
o. data subject to special contractual or legal restrictions.

Customers are solely responsible for determining whether their data is sensitive or regulated and for implementing all required legal, technical, organizational, and contractual safeguards.

MudraID is not responsible for Customer submission, logging, routing, or processing of sensitive or regulated data in violation of these Terms, applicable law, or third-party obligations.

13.12 Data Retention

MudraID may retain Customer Data, Usage Data, Telemetry Data, logs, audit records, abuse reports, trust data, security records, billing records, support records, and operational data for the period necessary or appropriate to provide the Services, comply with law, resolve disputes, enforce agreements, prevent fraud, investigate abuse, maintain security, support audits, improve the Services, and protect MudraID, Customers, third parties, and the Services.

Retention periods may vary by data type, Service Plan, deployment model, legal requirement, security need, product feature, or Customer agreement.

MudraID does not guarantee indefinite retention of any data, logs, audit records, trust data, verification records, token records, or Gateway records unless expressly agreed in writing.

Customers are responsible for exporting, backing up, archiving, preserving, or retaining any data or logs they require for their own business, security, compliance, legal, regulatory, or audit purposes.

13.13 Data Deletion

Customers may request deletion of certain Customer Data as supported by the Services, Documentation, applicable law, or written agreement.

MudraID may retain copies of Customer Data or related records where necessary or appropriate for:

a. legal compliance;
b. security;
c. abuse investigation;
d. fraud prevention;
e. dispute resolution;
f. enforcement of these Terms;
g. billing;
h. backup systems;
i. audit purposes;
j. service integrity;
k. legitimate business purposes permitted by law.

Deletion from active systems may not immediately delete data from backups, logs, archives, security systems, or legally retained records.

MudraID is not required to delete aggregated, anonymized, or de-identified data where such data no longer identifies the Customer or an individual under applicable law.

13.14 Data Export

MudraID may provide tools or support for exporting certain Customer Data, depending on the Service Plan, feature availability, Documentation, technical feasibility, and applicable law.

MudraID does not guarantee that all Customer Data, logs, trust records, verification records, Gateway records, audit records, or historical events will be exportable.

Customers are responsible for exporting and preserving data before terminating their account or discontinuing use of the Services.

MudraID is not responsible for Customer failure to export data, Customer loss of access after termination, or Customer reliance on MudraID as the sole storage, archive, audit, or compliance system.

13.15 Data Security

MudraID will use commercially reasonable technical and organizational measures designed to protect the Services and Customer Data under MudraID’s control against unauthorized access, loss, misuse, or alteration.

Customers acknowledge that no system, network, transmission, storage system, security control, encryption method, gateway, API, or verification service can be guaranteed to be completely secure.

Customers are responsible for securing their own accounts, credentials, Private Keys, Bots, websites, APIs, Gateways, integrations, systems, networks, users, devices, logs, and data.

MudraID is not responsible for security incidents caused by Customer-side systems, Customer credentials, Customer Private Keys, Customer configuration, third-party systems, unauthorized users, compromised endpoints, malware, insecure integrations, or failure to follow Documentation.

13.16 Security Incident Notification

MudraID may notify affected Customers of a confirmed security incident involving Customer Data under MudraID’s control where required by applicable law, the Data Processing Addendum, or a written agreement.

MudraID’s notification may be made through email, dashboard notice, account notice, support channel, or other reasonable means.

Customers are responsible for maintaining accurate contact information and monitoring official MudraID communication channels.

Customer-side incidents, including compromised Customer credentials, exposed Private Keys, Bot compromise, Gateway misconfiguration, Customer infrastructure breach, or Customer-side data exposure, are the Customer’s responsibility. MudraID may assist at its discretion, but is not responsible for Customer-side incident response unless expressly agreed in writing.

13.17 Third-Party Processing and Subprocessors

MudraID may use third-party service providers, hosting providers, cloud providers, infrastructure providers, analytics providers, support tools, payment processors, security tools, communication tools, and other subprocessors or vendors to provide, secure, support, and improve the Services.

Where required by applicable data-protection law or the Data Processing Addendum, MudraID will provide information about subprocessors and applicable subprocessors’ obligations.

MudraID is not responsible for third-party services selected, configured, connected, or used by the Customer outside MudraID’s control.

13.18 Customer Instructions

Where MudraID processes Customer Data or personal data on behalf of the Customer, MudraID will process such data according to the Customer’s documented instructions, these Terms, the Data Processing Addendum where applicable, the Documentation, and applicable law.

MudraID may refuse or suspend processing instructions that MudraID reasonably believes are unlawful, technically infeasible, insecure, inconsistent with the Services, inconsistent with these Terms, or likely to create legal, security, operational, or service-integrity risk.

13.19 Public and Shared Data

Certain Customer Data may be made public, visible, or discoverable through the Services depending on Customer configuration, product design, Service Plan, Documentation, or feature use.

This may include Public Keys, Bot identifiers, Bot metadata, registration status, trust-related information, website policy metadata, or other information intended for verification, discovery, transparency, or interoperability.

Customers are responsible for reviewing what information may be made public or shared before submitting it to MudraID.

MudraID is not responsible for Customer submission of information that the Customer did not intend to make public, discoverable, or shareable where the feature, Documentation, or configuration reasonably indicates that such information may be exposed.

13.20 Data Accuracy and Correction

Customers are responsible for maintaining accurate and current Customer Data.

MudraID may allow Customers to correct or update certain Customer Data through dashboards, APIs, support processes, or other supported methods.

MudraID may correct, restrict, remove, or update Customer Data where MudraID reasonably believes the data is inaccurate, unlawful, misleading, harmful, abusive, unauthorized, or risky.

MudraID is not responsible for harm caused by Customer failure to keep Customer Data accurate, current, complete, or lawful.

13.21 Data and Logs Disclaimer

MudraID may provide logs, reports, dashboards, alerts, trust data, verification records, Gateway records, audit records, and analytics for Customer convenience and operational use.

Such records may be incomplete, delayed, inaccurate, unavailable, aggregated, sampled, truncated, cached, overwritten, or subject to retention limits.

MudraID does not guarantee that such records will be legally sufficient for any audit, investigation, litigation, regulatory filing, compliance requirement, insurance claim, forensic analysis, or evidentiary purpose.

Customers should maintain independent records, monitoring, backups, and audit systems where required.

13.22 Privacy Policy

MudraID’s Privacy Policy explains how MudraID collects, uses, shares, and protects personal data in connection with the Services.

By using the Services, Customers acknowledge the Privacy Policy.

Customers are responsible for ensuring that their own privacy policies, notices, contracts, and disclosures accurately describe their use of MudraID where required by applicable law.

13.23 Customer Indemnity for Data

Customers are responsible for claims, losses, damages, penalties, costs, and expenses arising from or relating to:

a. Customer Data;
b. inaccurate, unlawful, misleading, or unauthorized Customer Data;
c. Customer failure to obtain required rights, consents, notices, or lawful bases;
d. Customer submission or processing of sensitive or regulated data;
e. Customer Gateway logging configuration;
f. Customer misuse of logs, trust data, verification records, or Public Key Directory data;
g. Customer violation of privacy, data-protection, confidentiality, intellectual-property, contractual, platform, or third-party rights;
h. Customer failure to maintain required records, notices, backups, or audit evidence.

MudraID may seek indemnification and other remedies as provided in these Terms where Customer Data or Customer data practices create liability, harm, or claims against MudraID or third parties.

14. Security Commitments

14.1 Security Program

MudraID will maintain a security program designed to protect the confidentiality, integrity, availability, and resilience of the Services under MudraID’s control.

MudraID’s security program may include administrative, technical, and organizational measures appropriate to the nature of the Services, the risks involved, the sensitivity of data processed, and the current state of commercially reasonable security practices.

MudraID may update, modify, improve, replace, or change its security program from time to time to address evolving threats, operational needs, legal requirements, product changes, and industry practices.

MudraID does not guarantee that its security program will prevent, detect, block, or eliminate every unauthorized access attempt, cyberattack, Bot misuse, credential compromise, data exposure, service disruption, vulnerability, or security incident.

14.2 Commercially Reasonable Security Measures

MudraID will use commercially reasonable measures designed to secure the Services under MudraID’s control.

Such measures may include, where appropriate:

a. encryption in transit;
b. access controls;
c. authentication controls;
d. role-based access management;
e. logging and monitoring;
f. vulnerability management;
g. infrastructure security controls;
h. secure development practices;
i. incident response processes;
j. backup or recovery measures;
k. security review of critical components;
l. internal policies and procedures;
m. employee or contractor access restrictions.

MudraID may determine the specific security measures used and may change those measures over time, provided that such changes do not materially reduce the overall security of the Services during an active paid subscription, except where required for legal, operational, or emergency security reasons.

14.3 Encryption in Transit

MudraID will use commercially reasonable transport security for supported production Services under MudraID’s control.

Customers must use secure transport methods, including HTTPS or other supported encrypted channels, when accessing MudraID APIs, dashboards, token endpoints, verification endpoints, Public Key Directory services, Gateway services, and related infrastructure.

Customers must not intentionally transmit Client Secrets, Private Keys, tokens, credentials, regulated data, personal data, or confidential information over insecure channels.

MudraID is not responsible for security risks caused by Customer use of insecure transport, misconfigured TLS, invalid certificates, insecure clients, unsupported environments, compromised devices, or third-party network interception outside MudraID’s reasonable control.

14.4 Access Controls

MudraID will apply access controls designed to restrict access to MudraID systems, infrastructure, and Customer Data under MudraID’s control to authorized personnel, systems, vendors, or subprocessors with a legitimate need for access.

Customers are responsible for configuring and maintaining access controls for their own MudraID accounts, administrators, developers, service accounts, Bots, APIs, websites, Gateways, integrations, cloud environments, infrastructure, devices, and internal users.

MudraID is not responsible for unauthorized access caused by Customer-side weak passwords, shared credentials, exposed secrets, compromised accounts, excessive permissions, inactive users, poor identity governance, missing multi-factor authentication where available, or failure to remove users who no longer require access.

14.5 Role-Based Access and Administrative Permissions

MudraID may provide role-based access controls, administrator roles, developer roles, service-account roles, or permission settings for certain Services or Service Plans.

Customers are responsible for selecting appropriate roles, limiting administrator access, reviewing permissions, removing unnecessary users, and monitoring account activity.

MudraID may treat actions taken by Customer administrators, authorized users, API Credentials, service accounts, or integrated systems as authorized Customer actions.

MudraID is not responsible for harm caused by Customer permission errors, excessive privileges, internal misuse, administrator mistakes, compromised user accounts, or unauthorized users acting through Customer credentials.

14.6 Secure Development and Product Changes

MudraID will use commercially reasonable development practices designed to reduce security risk in the Services under MudraID’s control.

MudraID may review, test, update, patch, or modify the Services to address bugs, vulnerabilities, performance issues, compatibility requirements, legal requirements, security issues, or product improvements.

MudraID may make changes to APIs, SDKs, Gateway components, token behavior, verification methods, Trust Score methods, Public Key Directory behavior, or other technical components where MudraID reasonably believes such changes are necessary or appropriate.

Customers are responsible for reviewing updates, following Documentation, applying required changes, updating integrations, and testing their systems after product changes.

14.7 Vulnerability Management

MudraID may maintain processes designed to identify, evaluate, prioritize, and remediate vulnerabilities affecting the Services under MudraID’s control.

MudraID may determine remediation timelines based on severity, exploitability, impact, operational risk, legal requirements, technical feasibility, third-party dependencies, and service integrity.

MudraID does not guarantee that all vulnerabilities will be identified, corrected, or remediated within a specific period unless expressly stated in an applicable written agreement.

Customers are responsible for managing vulnerabilities in their own Bots, websites, APIs, Gateways, applications, infrastructure, dependencies, SDK implementations, client code, deployment pipelines, containers, cloud environments, and third-party systems.

14.8 Security Testing by Customers

Customers must not perform penetration testing, vulnerability scanning, load testing, stress testing, fuzzing, exploit testing, denial-of-service testing, credential testing, social engineering, physical testing, or similar security testing against MudraID systems without MudraID’s prior written authorization.

Any authorized testing must follow the scope, timing, methods, rate limits, reporting requirements, and restrictions approved by MudraID.

Customers must not access, modify, delete, exfiltrate, disclose, or disrupt MudraID data, Customer Data, credentials, tokens, logs, systems, infrastructure, or third-party data.

MudraID may suspend or terminate access and take legal or technical action against unauthorized testing or activity that threatens the Services.

14.9 Vulnerability Reporting

MudraID may provide a vulnerability reporting or responsible disclosure process.

Customers, researchers, and third parties who discover a suspected vulnerability must report it through MudraID’s designated channel and must not publicly disclose, exploit, sell, weaponize, or share the vulnerability before MudraID has had a reasonable opportunity to investigate and respond.

Submitting a vulnerability report does not create any employment, contractor, partnership, bounty, payment, confidentiality, or agency relationship with MudraID unless expressly agreed in writing.

MudraID is not required to provide compensation, recognition, or a particular response to any vulnerability report unless expressly stated in a written program.

14.10 Security Incident Response

MudraID will maintain processes designed to respond to confirmed security incidents involving the Services under MudraID’s control.

MudraID may investigate, contain, mitigate, remediate, notify, or take other action in response to suspected or confirmed security incidents.

MudraID may take emergency security actions, including suspending accounts, revoking tokens, rotating keys, disabling credentials, restricting API access, disabling Bots, changing Trust Scores, disabling Gateway functionality, limiting Public Key Directory access, or applying temporary security controls.

MudraID may act without prior notice where MudraID reasonably believes prior notice may increase risk, delay mitigation, compromise security, violate law, or harm MudraID, Customers, third parties, or the Services.

14.11 Security Incident Notification

MudraID will notify affected Customers of a confirmed security incident involving Customer Data under MudraID’s control where required by applicable law, the Data Processing Addendum, or a written agreement.

Notification may be provided by email, dashboard notice, account notice, support ticket, website notice, or other reasonable means.

MudraID’s notification may include information that MudraID reasonably determines is appropriate under the circumstances, considering security, legal, privacy, operational, and investigation constraints.

MudraID is not required to disclose information that may compromise security, reveal confidential security methods, expose other customers’ data, interfere with an investigation, increase risk, violate law, or harm MudraID or third parties.

14.12 Customer-Side Security Incidents

Customers are responsible for investigating, responding to, mitigating, notifying, and remediating security incidents involving their own accounts, administrators, users, Bots, AI Agents, Private Keys, API Credentials, Client Secrets, tokens, websites, APIs, Gateways, infrastructure, cloud environments, logs, data, integrations, devices, and third-party systems.

Customer-side security incidents may include, without limitation:

a. compromised Customer credentials;
b. exposed Client Secrets;
c. exposed or stolen Private Keys;
d. compromised Bots;
e. Bot impersonation caused by Customer-side compromise;
f. insecure Gateway configuration;
g. DNS or TLS misconfiguration;
h. vulnerable Customer APIs;
i. Customer infrastructure compromise;
j. unauthorized administrator access;
k. exposed logs;
l. misuse of Mudra Tokens by Customer systems;
m. failure to revoke or rotate compromised credentials.

MudraID may provide reasonable assistance at its discretion or as required under an applicable paid support plan, Order Form, DPA, or SLA. MudraID is not responsible for Customer-side security incidents unless expressly required by applicable law or written agreement.

14.13 Shared Responsibility Model

Security of MudraID depends on a shared responsibility model.

MudraID is responsible for commercially reasonable security measures for the Services under MudraID’s direct control.

Customers are responsible for security of their own use of MudraID, including:

a. account security;
b. administrator and user access;
c. Client Secrets;
d. API Credentials;
e. Private Keys;
f. Bot security;
g. website and API security;
h. Gateway deployment and configuration;
i. access policies;
j. token handling;
k. verification logic;
l. Public Key registration accuracy;
m. Customer Data;
n. Customer infrastructure;
o. third-party integrations;
p. legal and compliance obligations;
q. incident response.

MudraID is not responsible for security failures caused by Customer actions, omissions, configurations, systems, credentials, integrations, or third-party services outside MudraID’s reasonable control.

14.14 Customer Security Obligations

Customers must implement reasonable and appropriate security measures for their use of the Services.

Such measures may include, where appropriate:

a. using strong authentication;
b. enabling multi-factor authentication where available;
c. limiting administrator access;
d. protecting Client Secrets and API Credentials;
e. protecting Private Keys;
f. using secret-management tools;
g. rotating credentials;
h. monitoring account activity;
i. reviewing logs;
j. testing Gateway configuration;
k. validating token verification logic;
l. securing origin systems;
m. applying software updates;
n. monitoring Bots for abnormal behavior;
o. maintaining incident response procedures;
p. training personnel with account access.

Customers must promptly notify MudraID of suspected compromise involving MudraID credentials, tokens, keys, accounts, Bots, or integrations.

14.15 Security Documentation and Guidance

MudraID may provide Documentation, guidance, recommendations, examples, checklists, or best-practice materials relating to security, integration, token handling, key rotation, Gateway deployment, Public Key Directory use, or verification.

Such materials are provided for general guidance only and may not address every Customer environment, legal requirement, security risk, compliance obligation, technical architecture, or business use case.

Customers are responsible for independently assessing, testing, and implementing appropriate security controls for their own environment.

MudraID is not responsible for Customer reliance on general guidance where additional controls, legal review, security review, or architecture review are required.

14.16 Third-Party Security

MudraID may rely on third-party cloud providers, infrastructure providers, hosting providers, security tools, analytics tools, support tools, payment processors, communication services, and other service providers to deliver or support the Services.

MudraID will use commercially reasonable efforts to select and manage such providers where they materially affect the Services under MudraID’s control.

MudraID is not responsible for third-party services, platforms, tools, integrations, or infrastructure selected, configured, connected, or used by Customers outside MudraID’s control.

Customers are responsible for reviewing and complying with third-party terms and for securing third-party integrations used with MudraID.

14.17 Backups and Recovery

MudraID may maintain backup, redundancy, or recovery measures for certain Services under MudraID’s control, depending on the Service Plan, product, deployment model, and operational needs.

MudraID does not guarantee that all Customer Data, logs, audit records, trust records, Gateway records, token records, verification records, or Public Key Directory records will be backed up, recoverable, exportable, or retained indefinitely unless expressly agreed in writing.

Customers are responsible for maintaining their own backups, exports, logs, records, configuration copies, keys, credentials, business continuity plans, and disaster recovery processes where required.

14.18 No Absolute Security

Customers acknowledge that no security program, identity system, token system, trust scoring system, gateway, API, encryption method, network, software, infrastructure, or cloud service can be guaranteed to be completely secure, uninterrupted, or error-free.

MudraID does not guarantee that the Services will prevent, detect, block, or eliminate all unauthorized access, attacks, scraping, Bot misuse, token misuse, credential compromise, fraud, impersonation, malware, vulnerabilities, data exposure, service disruption, or security incidents.

Customers use the Services with this understanding and remain responsible for maintaining appropriate layered security, monitoring, incident response, compliance, and risk-management controls.

15. Service Availability, Support, and SLA

15.1 Service Availability

MudraID will use commercially reasonable efforts to make the generally available paid Services available in accordance with the applicable Service Plan, Order Form, or Service Level Agreement, if any.

Unless expressly stated in an applicable SLA, Order Form, or product-specific addendum, MudraID does not guarantee any specific uptime percentage, response time, latency, performance level, support response time, recovery time, or error rate.

Service availability may depend on factors inside and outside MudraID’s control, including Customer configuration, Customer infrastructure, third-party systems, cloud providers, hosting providers, DNS providers, internet connectivity, security incidents, maintenance, product changes, rate limits, legal requirements, and force majeure events.

15.2 No Continuous Availability Guarantee

MudraID does not guarantee that the Services will be uninterrupted, error-free, continuously available, secure from all threats, or suitable for every Customer use case.

The Services may be unavailable, delayed, degraded, limited, suspended, throttled, or modified from time to time due to:

a. planned maintenance;
b. emergency maintenance;
c. security incidents;
d. cyberattacks;
e. abuse prevention;
f. fraud prevention;
g. infrastructure failures;
h. third-party provider failures;
i. Customer misconfiguration;
j. network issues;
k. DNS issues;
l. certificate issues;
m. software bugs;
n. excessive traffic;
o. rate limits;
p. legal or regulatory requirements;
q. service changes;
r. force majeure events;
s. other operational reasons.

MudraID is not responsible for downtime, degradation, data loss, access interruption, business interruption, lost revenue, lost traffic, false accepts, false rejects, delayed verification, token issuance failure, Gateway failure, or Public Key Directory unavailability except to the limited extent expressly provided in an applicable SLA.

15.3 Service Level Agreement

Certain paid Service Plans may include a Service Level Agreement.

If an SLA applies, the SLA will describe the applicable availability target, service credit process, exclusions, measurement method, support requirements, and Customer remedies.

Unless expressly stated otherwise in the applicable SLA, service credits are the Customer’s sole and exclusive remedy for MudraID’s failure to meet an applicable SLA commitment.

No SLA applies to free services, trial services, beta services, preview services, experimental services, pilot services, evaluation services, unsupported services, deprecated services, customer-managed deployments, self-hosted components, third-party services, or any feature for which an SLA is not expressly provided.

15.4 SLA Exclusions

Unless expressly stated otherwise in an applicable SLA, downtime, degradation, errors, latency, or unavailability will not count against any availability commitment if caused by or relating to:

a. Customer systems, infrastructure, software, Bots, websites, APIs, domains, DNS, TLS certificates, cloud environments, hosting providers, CDNs, identity providers, firewalls, networks, devices, or integrations;
b. Customer misuse, misconfiguration, unsupported use, excessive use, failure to follow Documentation, or failure to apply updates;
c. Customer credentials, Private Keys, API Credentials, Client Secrets, tokens, or account security issues;
d. Customer Gateway deployment, configuration, origin systems, routing rules, cache settings, or fallback rules;
e. third-party services or providers outside MudraID’s reasonable control;
f. internet, network, telecom, routing, DNS, certificate authority, cloud, hosting, or CDN failures;
g. planned maintenance;
h. emergency maintenance;
i. security incidents, attacks, denial-of-service activity, malicious traffic, abuse, fraud, or threat mitigation;
j. rate limits, quotas, throttling, or protective controls;
k. beta, trial, preview, pilot, experimental, deprecated, or unsupported features;
l. suspension, termination, or restriction under these Terms;
m. legal, regulatory, sanctions, export-control, or government requirements;
n. force majeure events;
o. any issue outside MudraID’s reasonable control.

15.5 Planned Maintenance

MudraID may perform planned maintenance, updates, patches, upgrades, migrations, configuration changes, infrastructure changes, or other service work from time to time.

MudraID may provide advance notice of planned maintenance where commercially reasonable, especially where planned maintenance is expected to materially affect generally available paid Services.

Planned maintenance may cause temporary service unavailability, degraded performance, changed behavior, API changes, Gateway changes, token issuance delay, verification delay, or Public Key Directory unavailability.

Customers are responsible for planning their own systems, fallback behavior, monitoring, and business continuity processes around planned maintenance.

15.6 Emergency Maintenance and Security Changes

MudraID may perform emergency maintenance or make emergency changes without prior notice where MudraID reasonably believes such action is necessary to protect security, service integrity, legal compliance, reliability, Customers, third parties, or MudraID.

Emergency actions may include:

a. suspending or limiting access;
b. revoking or rotating credentials;
c. invalidating tokens;
d. disabling Bots;
e. disabling websites, APIs, domains, or integrations;
f. changing Trust Scores or Trust Levels;
g. disabling or modifying Gateway functionality;
h. limiting Public Key Directory access;
i. throttling or blocking traffic;
j. changing verification behavior;
k. applying security patches;
l. modifying APIs or SDK behavior;
m. requiring Customer action.

MudraID is not liable for reasonable emergency maintenance or emergency security action taken in good faith.

15.7 Support Services

MudraID may provide support through channels such as email, dashboard tickets, chat, support portal, documentation, community resources, enterprise support channels, or other methods made available by MudraID.

Support availability, response times, escalation rights, technical account management, implementation assistance, incident support, and support scope may vary by Service Plan, Order Form, SLA, product, region, and feature availability.

Unless expressly stated in an applicable Order Form, Service Plan, or SLA, MudraID does not guarantee any specific support response time, resolution time, escalation time, fix time, or outcome.

Support does not include legal advice, compliance advice, security consulting, incident response for Customer-side systems, custom development, integration engineering, architecture review, forensic investigation, or managed security services unless expressly agreed in writing.

15.8 Customer Responsibilities for Support

Customers are responsible for providing accurate and complete information when requesting support.

MudraID may require Customers to provide:

a. account information;
b. affected Bot identifiers;
c. affected website, API, domain, or Gateway information;
d. error messages;
e. logs;
f. request IDs;
g. timestamps;
h. configuration details;
i. reproduction steps;
j. integration details;
k. security context;
l. evidence of ownership or authorization;
m. other information reasonably needed to investigate or resolve the issue.

Failure to provide sufficient information may limit MudraID’s ability to provide support.

Customers are responsible for ensuring that support requests do not contain unnecessary secrets, Private Keys, Client Secrets, API keys, passwords, regulated data, personal data, confidential data, or other sensitive information.

15.9 Support Limitations

MudraID may decline, limit, delay, or condition support where:

a. the issue is caused by Customer systems, Customer infrastructure, Customer Bots, Customer Gateways, Customer websites, Customer APIs, third-party systems, or unsupported integrations;
b. the Customer has not followed Documentation;
c. the Customer uses an unsupported, outdated, modified, or self-hosted component;
d. the issue relates to misuse, abuse, prohibited activity, suspicious activity, or non-compliance;
e. the account is unpaid, suspended, terminated, or outside support entitlement;
f. the request requires professional services not included in the Service Plan;
g. the request would create security, legal, privacy, operational, or service-integrity risk;
h. the Customer fails to cooperate or provide necessary information.

MudraID may require a paid professional services agreement for custom support, custom integration, migration assistance, security review, architecture review, incident assistance, or engineering assistance.

15.10 Beta, Trial, Preview, and Experimental Services

Beta, trial, preview, pilot, evaluation, experimental, early-access, and free Services are provided for testing, evaluation, or limited use unless expressly stated otherwise.

Such Services may be incomplete, unstable, unavailable, inaccurate, insecure, unsupported, rate limited, changed, suspended, or discontinued at any time.

Unless expressly stated otherwise in writing:

a. no SLA applies;
b. no support commitment applies;
c. no service credit applies;
d. no availability commitment applies;
e. no data-retention commitment applies;
f. no feature-continuity commitment applies;
g. use is at the Customer’s own risk.

MudraID is not responsible for losses, downtime, data loss, integration failure, business interruption, security issues, false accepts, false rejects, or other harm arising from beta, trial, preview, pilot, evaluation, experimental, early-access, or free Services.

15.11 Customer-Managed and Self-Hosted Components

MudraID may provide customer-managed or self-hosted components, including Gateway components, SDKs, libraries, plugins, command-line tools, sample code, configuration templates, or deployment artifacts.

Unless expressly agreed otherwise in writing, Customers are responsible for deploying, securing, updating, monitoring, scaling, backing up, configuring, and maintaining customer-managed and self-hosted components.

MudraID is not responsible for availability, performance, security, data loss, misconfiguration, downtime, incorrect behavior, or service interruption caused by customer-managed or self-hosted components.

SLA commitments, if any, do not apply to customer-managed or self-hosted components unless expressly stated in the applicable SLA.

15.12 Service Credits

If an SLA provides service credits, Customers must request credits according to the process, deadline, evidence requirements, and limitations stated in the SLA.

Service credits are not automatic unless the SLA expressly states otherwise.

Service credits have no cash value, may not be transferred, may not be refunded, may not be applied to unrelated accounts, and may be limited to future invoices.

Unless expressly stated otherwise in the SLA, service credits are the sole and exclusive remedy for failure to meet an applicable SLA commitment.

15.13 Suspension and Availability

MudraID may suspend, restrict, throttle, block, revoke, or terminate access to the Services as permitted under these Terms.

Service unavailability, degradation, errors, or access restrictions caused by suspension, enforcement, non-payment, misuse, abuse, security risk, legal risk, sanctions risk, Customer breach, or protective action do not count as downtime under any SLA unless expressly stated otherwise.

MudraID is not liable for service impact caused by suspension, restriction, revocation, throttling, blocking, or termination taken in good faith under these Terms.

15.14 No Sole-Reliance Requirement

Customers must not rely on MudraID as their sole security, access-control, verification, logging, compliance, continuity, or incident-response system unless they have independently determined that such reliance is appropriate for their risk profile and applicable obligations.

Customers are responsible for implementing appropriate fallback systems, monitoring, backups, incident response, business continuity, authentication, authorization, rate limiting, fraud controls, and security controls.

MudraID is not responsible for Customer failure to maintain independent systems, fallback processes, or continuity plans.

15.15 Changes to Availability, Support, and SLA Terms

MudraID may modify availability targets, support processes, SLA terms, maintenance practices, service credit rules, support channels, and support scope from time to time.

For active paid subscriptions, changes to an applicable SLA or support commitment will apply as stated in the relevant Order Form, Service Plan, SLA, or renewal terms.

MudraID may make immediate changes where required for security, legal compliance, abuse prevention, operational reliability, third-party dependency changes, or service integrity.

16. Beta Services and Experimental Features

16.1 Beta Services

MudraID may offer certain Services, features, APIs, SDKs, Gateway components, dashboards, integrations, trust scoring tools, blockchain-related features, public-key features, abuse-detection tools, analytics, webhooks, governance features, or other capabilities as alpha, beta, preview, pilot, experimental, evaluation, early-access, limited-release, private beta, public beta, or similar services.

These features are referred to in these Terms as “Beta Services.”

MudraID may identify Beta Services through the Documentation, dashboard, product label, release notes, Order Form, Service Plan, email, support communication, or other reasonable method.

16.2 Purpose of Beta Services

Beta Services are provided for testing, evaluation, feedback, research, validation, product development, security review, market testing, or limited early use.

Unless expressly stated otherwise in writing, Beta Services are not intended for production use, mission-critical use, regulated use, high-risk use, or sole reliance in security-sensitive environments.

Customers use Beta Services at their own risk.

16.3 No Production Commitment

MudraID does not guarantee that any Beta Service will become generally available, remain available, be supported, be maintained, be backward compatible, be included in any paid plan, or continue in its current form.

MudraID may modify, restrict, suspend, discontinue, rename, replace, merge, remove, or commercialize any Beta Service at any time, with or without notice.

MudraID may decide not to release a Beta Service as a generally available product.

16.4 As-Is Basis

Beta Services are provided “as is,” “as available,” and without warranties of any kind to the maximum extent permitted by law.

MudraID does not warrant that Beta Services will be accurate, complete, secure, uninterrupted, error-free, stable, production-ready, compliant, compatible, scalable, available, or suitable for any particular purpose.

Beta Services may contain bugs, vulnerabilities, incorrect outputs, incomplete functionality, unstable behavior, performance issues, integration issues, documentation gaps, data loss risks, incorrect trust signals, incorrect verification results, false accepts, false rejects, or other defects.

16.5 No SLA or Support Commitment

Unless expressly stated otherwise in a written agreement, no Service Level Agreement applies to Beta Services.

MudraID does not provide any uptime commitment, support response commitment, support resolution commitment, service credit, maintenance commitment, data-retention commitment, backup commitment, compatibility commitment, or availability commitment for Beta Services.

MudraID may provide support for Beta Services at its discretion, but is not required to do so.

16.6 Changes to Beta Services

MudraID may change Beta Services at any time.

Changes may include:

a. API changes;
b. token format changes;
c. claim changes;
d. verification behavior changes;
e. trust scoring changes;
f. Gateway behavior changes;
g. Public Key Directory changes;
h. dashboard changes;
i. SDK changes;
j. webhook changes;
k. blockchain anchoring changes;
l. data model changes;
m. retention changes;
n. performance changes;
o. access restriction changes;
p. pricing changes;
q. removal of features.

Customers are responsible for monitoring changes, reviewing Documentation, testing integrations, and avoiding sole reliance on Beta Services.

16.7 Data in Beta Services

Beta Services may process, store, generate, display, delete, overwrite, modify, or lose data differently from generally available Services.

Unless expressly stated otherwise in writing, MudraID does not guarantee that data submitted to, generated by, or processed through Beta Services will be retained, exportable, recoverable, complete, accurate, secure, or available.

Customers must not submit production data, sensitive data, regulated data, personal data, confidential data, payment data, health data, government data, authentication credentials, Private Keys, or other high-risk data to Beta Services unless the Customer has independently determined that such use is lawful and appropriate and MudraID has expressly permitted such use where required.

Customers are responsible for backing up, exporting, and preserving any data they require.

16.8 Security of Beta Services

MudraID may apply security measures to Beta Services, but Beta Services may not have the same security maturity, testing, monitoring, resilience, audit coverage, access controls, documentation, availability, or compliance posture as generally available paid Services.

Customers must not use Beta Services as the sole control for identity verification, Bot access control, gateway enforcement, token verification, trust scoring, abuse detection, audit, compliance, or security decisions unless expressly approved by MudraID in writing.

MudraID does not guarantee that Beta Services will prevent, detect, block, or stop unauthorized access, malicious Bots, scraping, abuse, fraud, impersonation, token misuse, credential compromise, data exposure, or security incidents.

16.9 Feedback

Customers may provide feedback, suggestions, comments, ideas, bug reports, feature requests, test results, security observations, performance information, or other input relating to Beta Services.

Unless otherwise agreed in writing, Customers grant MudraID a perpetual, irrevocable, worldwide, royalty-free, transferable, sublicensable license to use, copy, modify, create derivative works from, commercialize, publish, distribute, and otherwise exploit such feedback for any purpose without restriction or compensation.

MudraID is not required to use feedback, keep feedback confidential, provide attribution, implement requested changes, or provide any product roadmap commitment.

Customers must not submit feedback that contains confidential information, personal data, regulated data, trade secrets, third-party data, or information the Customer is not authorized to provide.

16.10 Confidential Beta Features

Some Beta Services may be provided on a confidential basis.

Where MudraID identifies a Beta Service, roadmap item, private feature, test environment, API, documentation, result, benchmark, technical detail, trust scoring method, security method, or product plan as confidential, the Customer must not disclose, publish, share, benchmark, review, demonstrate, or discuss it with third parties without MudraID’s prior written consent.

Confidential Beta Services may be subject to additional restrictions in an Order Form, non-disclosure agreement, private beta agreement, or written communication from MudraID.

16.11 No Benchmarking or Public Claims

Customers must not publish benchmarks, performance results, security findings, trust score comparisons, uptime results, verification accuracy claims, Gateway performance data, abuse-detection results, or public reviews of Beta Services without MudraID’s prior written consent.

Customers must not make public claims that a Beta Service is production-ready, certified, audited, compliant, secure, generally available, or endorsed by MudraID unless MudraID expressly authorizes such claim in writing.

16.12 Suspension or Termination of Beta Access

MudraID may suspend, restrict, revoke, or terminate access to Beta Services at any time, with or without notice.

Reasons may include, without limitation:

a. product changes;
b. security concerns;
c. excessive usage;
d. abuse risk;
e. Customer breach;
f. legal or compliance concerns;
g. operational limitations;
h. capacity limits;
i. end of testing period;
j. commercial rollout;
k. discontinuation of the feature.

MudraID is not liable for suspension, restriction, revocation, termination, modification, or discontinuation of Beta Services.

16.13 Customer Responsibility

Customers are responsible for all use of Beta Services under their account.

Customers are responsible for:

a. testing Beta Services before relying on them;
b. avoiding mission-critical reliance;
c. avoiding unlawful or high-risk use;
d. maintaining backup systems;
e. maintaining independent verification controls;
f. monitoring outputs and behavior;
g. protecting credentials and data;
h. complying with applicable law;
i. informing their own users, customers, developers, or partners where Beta Service use affects them;
j. stopping use if a Beta Service is unsuitable, unstable, insecure, or non-compliant for the Customer’s use case.

16.14 Beta Services and Fees

MudraID may provide Beta Services free of charge, for a limited period, as part of a paid plan, or for separate fees.

MudraID may change pricing, usage limits, plan availability, commercial terms, or access rights for Beta Services at any time.

Use of a Beta Service during a free, trial, or evaluation period does not guarantee future free access or continued availability.

16.15 Beta Services Disclaimer

To the maximum extent permitted by law, MudraID disclaims all liability arising from or relating to Beta Services, including liability for downtime, data loss, inaccurate outputs, incorrect trust scores, incorrect verification results, false accepts, false rejects, security incidents, integration failure, lost revenue, lost profits, business interruption, customer claims, regulatory issues, or reliance on Beta Services.

Customers use Beta Services voluntarily and at their own risk.

16.16 Beta Services Indemnity

Customers are responsible for claims, losses, damages, penalties, costs, and expenses arising from or relating to their use of Beta Services, including:

a. production use of Beta Services;
b. mission-critical reliance on Beta Services;
c. use of Beta Services with sensitive or regulated data;
d. use of Beta Services in violation of law, contract, or third-party rights;
e. public claims about Beta Services;
f. unauthorized disclosure of confidential Beta Services;
g. Customer reliance on Beta Service outputs;
h. harm caused to Customer systems, users, partners, or third parties.

MudraID may seek indemnification and other remedies as provided in these Terms where Customer use of Beta Services creates liability, harm, or claims against MudraID or third parties.

17. Fees, Payment, Taxes, and Plans

17.1 Fees

Customers must pay all fees applicable to their use of MudraID according to the applicable Order Form, Service Plan, pricing page, invoice, usage records, or written agreement.

Fees may include, without limitation:

a. subscription fees;
b. usage-based fees;
c. API request fees;
d. token issuance fees;
e. token verification fees;
f. Public Key Directory lookup fees;
g. Mudra Gateway traffic fees;
h. storage fees;
i. log retention fees;
j. support fees;
k. onboarding fees;
l. professional services fees;
m. overage fees;
n. enterprise feature fees;
o. beta or early-access feature fees where applicable;
p. other fees described in the applicable commercial terms.

Customers are responsible for reviewing the applicable pricing, plan limits, usage limits, billing rules, and overage rules before using the Services.

17.2 Service Plans

MudraID may offer different Service Plans with different features, usage limits, support levels, availability commitments, retention periods, API limits, Gateway limits, trust scoring features, Public Key Directory access, security features, and pricing.

MudraID may modify, add, remove, rename, bundle, unbundle, discontinue, or replace Service Plans from time to time.

Features available under one Service Plan may not be available under another Service Plan.

MudraID does not guarantee that any feature, limit, price, support level, or plan structure will remain available indefinitely unless expressly agreed in an applicable Order Form.

17.3 Subscription Fees

Where a Customer purchases a subscription, the Customer must pay the subscription fees stated in the applicable Order Form, Service Plan, invoice, pricing page, or written agreement.

Subscription fees may be charged monthly, annually, prepaid, postpaid, or on another billing cycle specified by MudraID.

Unless expressly stated otherwise in an Order Form or written agreement, subscription fees are non-cancellable and non-refundable for the applicable subscription period.

Failure to use the Services, partial use of the Services, Customer-side technical issues, Customer misconfiguration, or Customer decision to stop using the Services does not entitle the Customer to a refund or fee reduction.

17.4 Usage-Based Fees

MudraID may charge usage-based fees for certain Services.

Usage-based fees may be calculated based on metrics such as:

a. number of registered Bots;
b. number of registered websites, APIs, domains, applications, or services;
c. number of token requests;
d. number of tokens issued;
e. number of verification requests;
f. number of Public Key Directory lookups;
g. Mudra Gateway requests;
h. bandwidth;
i. storage;
j. log retention;
k. API calls;
l. trust lookups;
m. abuse reports;
n. webhook events;
o. enterprise integrations;
p. other usage metrics described in the applicable Service Plan, Order Form, pricing page, Documentation, or invoice.

MudraID’s usage records will be the basis for calculating usage-based fees unless the Customer reasonably disputes them in accordance with these Terms.

17.5 Overage Fees

If Customer usage exceeds the limits included in the applicable Service Plan, Order Form, free tier, trial, quota, or usage allowance, MudraID may charge overage fees.

MudraID may also throttle, reject, limit, suspend, or require upgrade of usage that exceeds applicable limits.

Customers are responsible for monitoring their own usage. MudraID may provide usage dashboards, alerts, API responses, or notices for convenience, but does not guarantee that all usage alerts will be accurate, complete, timely, or available.

Failure to receive an alert does not relieve the Customer from responsibility for overage fees.

17.6 Billing and Invoicing

MudraID may bill Customers in advance, in arrears, or on another schedule stated in the applicable Order Form, Service Plan, invoice, or written agreement.

Invoices may be issued electronically.

Customers must provide accurate and current billing information, including legal entity name, billing contact, tax information, payment method, purchase order information where required, and any other information reasonably requested by MudraID.

MudraID is not responsible for delayed billing, failed payment, tax issues, account suspension, or collection activity caused by inaccurate, incomplete, outdated, or invalid billing information provided by the Customer.

17.7 Payment Terms

Customers must pay invoices by the due date stated on the invoice, Order Form, Service Plan, or written agreement.

If no due date is stated, invoices are due upon receipt or within the period specified by MudraID’s standard payment terms.

Payments must be made in the currency stated by MudraID.

Customers are responsible for all bank charges, wire fees, payment processor fees, currency conversion costs, withholding taxes, and similar charges unless expressly stated otherwise in writing.

MudraID may require payment by credit card, bank transfer, payment processor, automated payment method, prepaid credits, or another supported payment method.

17.8 Automatic Renewal

Unless expressly stated otherwise in the applicable Order Form or Service Plan, subscriptions may automatically renew for successive renewal terms.

Customers authorize MudraID to charge the applicable payment method for renewal fees, usage fees, overage fees, taxes, and other applicable charges.

Customers must cancel or give non-renewal notice before the renewal date according to the applicable cancellation or notice process.

Failure to cancel before renewal may result in renewal charges, and such charges are non-refundable except where required by law or expressly stated in writing.

17.9 Price Changes

MudraID may change prices, fees, usage limits, plan limits, overage rates, billing methods, free tier limits, trial terms, and commercial terms from time to time.

For existing paid subscriptions, price changes will apply at renewal, upgrade, plan change, or as otherwise stated in the applicable Order Form, Service Plan, pricing notice, or written agreement.

MudraID may make immediate pricing or limit changes where required due to legal, tax, security, abuse, third-party provider cost, infrastructure cost, or service-integrity reasons.

Customers are responsible for reviewing pricing and plan terms before continuing to use the Services after changes become effective.

17.10 Taxes

Fees are exclusive of taxes unless expressly stated otherwise.

Customers are responsible for all taxes, duties, levies, assessments, withholding taxes, value-added taxes, goods and services taxes, sales taxes, use taxes, digital services taxes, and similar governmental charges arising from or relating to their purchase or use of the Services.

If MudraID is required to collect or remit taxes, MudraID may add such taxes to invoices or charges.

If the Customer is required to withhold any tax from payments to MudraID, the Customer must gross up payments so that MudraID receives the full amount it would have received without withholding, unless applicable law prohibits gross-up or the parties expressly agree otherwise in writing.

Customers must provide valid tax exemption certificates, VAT numbers, GST numbers, withholding certificates, or other tax documentation where applicable. MudraID may reject tax exemptions that are incomplete, invalid, expired, or not legally sufficient.

17.11 Late Payment

If a Customer fails to pay amounts when due, MudraID may:

a. charge late fees or interest at the maximum rate permitted by law or the rate stated in the applicable Order Form;
b. suspend or limit access to the Services;
c. revoke or restrict API Credentials;
d. restrict token issuance;
e. restrict verification services;
f. restrict Gateway functionality;
g. restrict Public Key Directory access;
h. downgrade support;
i. require prepayment;
j. require payment assurance;
k. terminate the account or applicable Order Form;
l. refer the matter to collections;
m. recover collection costs, legal fees, and related expenses where permitted by law.

MudraID is not liable for service interruption, token failure, verification failure, Gateway impact, data unavailability, business interruption, or other harm caused by suspension or limitation due to non-payment.

17.12 Payment Disputes

Customers must notify MudraID in writing of any good-faith invoice dispute within the period stated in the applicable Order Form or, if no period is stated, within fifteen days after the invoice date.

The notice must describe the disputed amount, the reason for dispute, and supporting evidence.

Customers must pay all undisputed amounts by the applicable due date.

Failure to dispute an invoice within the applicable dispute period means the invoice is accepted and payable.

MudraID may suspend or restrict Services for unpaid amounts that are not subject to a timely good-faith dispute.

17.13 No Setoff

Customers may not withhold, reduce, offset, or set off payment obligations against any amounts allegedly owed by MudraID unless expressly required by law or agreed in writing by MudraID.

Payment obligations are independent of any Customer claims, disputes, service issues, support requests, or alleged damages, except to the extent expressly provided in an applicable SLA or written agreement.

17.14 Refunds

Unless expressly stated in an applicable Order Form, Service Plan, SLA, refund policy, or required by law, all fees are non-refundable.

MudraID does not provide refunds for:

a. partial subscription periods;
b. unused Services;
c. Customer failure to use the Services;
d. Customer misconfiguration;
e. Customer-side technical issues;
f. Customer infrastructure issues;
g. third-party service issues;
h. Customer cancellation after renewal;
i. account suspension due to breach, misuse, non-payment, or security risk;
j. discontinued use by the Customer;
k. downgrade during a billing period;
l. usage-based charges already incurred;
m. overage charges already incurred.

Any refund, credit, or waiver provided by MudraID is discretionary unless expressly required by law or a written agreement.

17.15 Free Trials and Free Plans

MudraID may offer free trials, free tiers, credits, promotional plans, evaluation access, or limited free Services.

MudraID may modify, restrict, suspend, or discontinue free trials, free plans, credits, promotional offers, and evaluation access at any time.

Free plans and trials may have limited features, lower limits, restricted support, reduced retention, no SLA, no service credits, and additional restrictions.

MudraID may require a payment method before or during a free trial. If the Customer does not cancel before the trial ends, MudraID may charge the applicable fees.

Customers must not create multiple accounts, fake accounts, duplicate organizations, or artificial usage patterns to abuse free trials, credits, free tiers, or promotional offers.

17.16 Upgrades and Downgrades

Customers may be able to upgrade or downgrade Service Plans, subject to feature availability, billing rules, technical limitations, Order Form terms, and MudraID approval.

Upgrades may result in immediate additional fees, prorated fees, increased usage limits, or additional feature access.

Downgrades may result in loss of features, reduced limits, reduced retention, reduced support, disabled integrations, reduced Gateway capacity, reduced Public Key Directory access, or other limitations.

Customers are responsible for reviewing the consequences of a downgrade before requesting or applying it.

MudraID is not responsible for data loss, feature loss, integration failure, service disruption, token failure, verification failure, Gateway impact, or business interruption caused by a Customer downgrade.

17.17 Billing Records and Usage Measurement

MudraID may use internal metering, logs, billing systems, telemetry, API records, Gateway records, token records, verification records, Public Key Directory records, and other usage data to calculate fees.

MudraID’s billing and usage records are controlling unless the Customer provides clear evidence of material error within the applicable dispute period.

Customers acknowledge that usage data shown in dashboards, alerts, API responses, or reports may be delayed, estimated, rounded, aggregated, sampled, cached, or different from final billing records.

17.18 Payment Processor and Third-Party Fees

MudraID may use third-party payment processors, banks, billing platforms, tax platforms, or collection providers.

Customers are responsible for complying with payment processor terms and for ensuring that payment methods remain valid and authorized.

MudraID is not responsible for payment failures, processor errors, bank delays, card declines, chargebacks, currency conversion costs, payment holds, account freezes, tax platform errors, or third-party payment issues outside MudraID’s reasonable control.

17.19 Chargebacks

If a Customer initiates a chargeback, reversal, payment dispute, or similar action without first attempting to resolve the issue with MudraID in good faith, MudraID may suspend or terminate the Customer’s account, restrict Services, revoke credentials, invalidate tokens, and recover chargeback fees, collection costs, and related expenses where permitted by law.

A chargeback does not relieve the Customer of payment obligations for Services used.

17.20 Non-Payment and Data Access

If Services are suspended, restricted, or terminated for non-payment, Customer access to accounts, dashboards, APIs, logs, Gateway features, token issuance, verification services, Public Key Directory access, support, data export, or other features may be limited or unavailable.

MudraID may delete, archive, restrict, or retain Customer Data after non-payment or termination according to these Terms, the Documentation, applicable law, and MudraID’s retention practices.

Customers are responsible for exporting or preserving data before suspension, termination, downgrade, or expiration of a subscription.

17.21 Professional Services

MudraID may provide professional services, onboarding, integration support, custom development, training, architecture review, migration assistance, security review, or consulting only if expressly agreed in an Order Form or separate written agreement.

Professional services are separate from subscription Services unless expressly stated otherwise.

Unless expressly agreed in writing, professional services do not include legal advice, compliance advice, managed security services, incident response, forensic investigation, or custom warranty obligations.

Fees for professional services are non-refundable unless expressly stated otherwise in the applicable written agreement.

17.22 No Contingency on Customer Outcomes

Customer payment obligations are not contingent on Customer business outcomes, security outcomes, traffic outcomes, revenue outcomes, investor outcomes, regulatory outcomes, Bot adoption, website adoption, integration success, customer satisfaction, or third-party behavior.

MudraID does not guarantee that use of the Services will increase revenue, reduce costs, eliminate abuse, improve trust, prevent attacks, satisfy compliance requirements, or produce any specific commercial, technical, legal, or security result.

17.23 Survival of Payment Obligations

All payment obligations incurred before suspension, cancellation, expiration, or termination survive suspension, cancellation, expiration, or termination.

MudraID may continue to seek payment, collection costs, taxes, interest, legal fees, and other amounts owed after the Customer stops using the Services or after the account is suspended or terminated.

18. Intellectual Property

18.1 MudraID Ownership

MudraID and its licensors own and retain all right, title, and interest in and to the Services, including all intellectual property rights.

This includes, without limitation:

a. the MudraID platform;
b. MudraID APIs;
c. token issuance systems;
d. verification systems;
e. JWKS infrastructure;
f. Public Key Directory systems;
g. Mudra Gateway software, components, configurations, and hosted services;
h. SDKs, libraries, plugins, command-line tools, examples, and developer materials;
i. dashboards, user interfaces, workflows, and product designs;
j. trust scoring systems;
k. Trust Scores, Trust Levels, reputation systems, risk signals, abuse-detection systems, and related methodologies;
l. security systems, detection rules, monitoring logic, and enforcement logic;
m. algorithms, models, rules, thresholds, weights, data structures, schemas, and technical methods;
n. Documentation;
o. reports, templates, product materials, and training materials;
p. trademarks, service marks, logos, trade names, branding, and design assets;
q. aggregated, anonymized, or de-identified data generated from operation of the Services;
r. improvements, modifications, derivative works, updates, and enhancements to the Services.

No rights are granted to Customers except the limited rights expressly stated in these Terms, an Order Form, Service Plan, Documentation, or written agreement.

18.2 Limited License to Use the Services

Subject to these Terms, payment of applicable fees, and compliance with the Documentation, MudraID grants the Customer a limited, non-exclusive, non-transferable, non-sublicensable, revocable right to access and use the Services during the applicable subscription term or authorized usage period.

This license is solely for the Customer’s internal business purposes or other expressly authorized purposes described in the applicable Order Form, Service Plan, or Documentation.

Customers may not use the Services beyond the scope of their purchased plan, usage limits, authorized users, authorized Bots, authorized websites, authorized APIs, authorized domains, or permitted use cases.

MudraID may revoke, suspend, limit, or terminate this license as permitted under these Terms.

18.3 Customer Ownership of Customer Data

As between the Customer and MudraID, the Customer retains ownership of Customer Data, subject to MudraID’s rights to process, use, store, transmit, display, analyze, disclose, and otherwise handle Customer Data as necessary or appropriate to provide, secure, support, improve, and enforce the Services as described in these Terms, the Privacy Policy, the Data Processing Addendum where applicable, and any applicable written agreement.

Customer ownership of Customer Data does not give the Customer any ownership interest in MudraID’s platform, APIs, SDKs, Gateway, trust scoring methods, verification systems, security systems, Documentation, Usage Data, Telemetry Data, aggregated data, anonymized data, de-identified data, or MudraID intellectual property.

18.4 License to Customer Data

Customers grant MudraID a worldwide, non-exclusive, royalty-free, transferable, sublicensable license to host, store, copy, process, transmit, display, publish where configured, analyze, use, modify, and create technical outputs from Customer Data as necessary or appropriate to:

a. provide the Services;
b. issue and verify Mudra Tokens;
c. operate the Public Key Directory;
d. operate the Mudra Gateway;
e. provide dashboards, logs, reports, and audit records;
f. provide Trust Scores, Trust Levels, risk signals, and reputation indicators;
g. investigate abuse, security incidents, fraud, and policy violations;
h. enforce these Terms;
i. provide support;
j. comply with legal obligations;
k. secure, monitor, improve, and develop the Services;
l. protect MudraID, Customers, third parties, and the Services.

This license survives as long as necessary for MudraID to comply with legal obligations, resolve disputes, enforce agreements, maintain security, investigate abuse, retain records, and protect the Services.

18.5 Usage Data, Telemetry, Aggregated Data, and Improvements

MudraID may collect, generate, process, and use Usage Data, Telemetry Data, operational data, security data, diagnostic data, performance data, trust signals, abuse indicators, and other data generated from the operation or use of the Services.

MudraID may use such data to:

a. operate the Services;
b. monitor performance and reliability;
c. detect abuse and fraud;
d. improve trust scoring;
e. improve token verification;
f. improve Gateway behavior;
g. improve security systems;
h. improve Documentation;
i. develop new products and features;
j. create aggregated, anonymized, or de-identified analytics;
k. support billing, compliance, and enforcement.

MudraID owns all aggregated, anonymized, or de-identified data and all improvements, modifications, enhancements, models, rules, insights, methods, and derivative works created from Usage Data, Telemetry Data, operational data, or service feedback, except to the extent applicable law provides otherwise.

MudraID will not identify the Customer or an individual in public aggregated or anonymized outputs unless permitted by the Customer, permitted by law, or otherwise allowed under these Terms.

18.6 Feedback

If a Customer, End User, Bot Developer, Website Owner, administrator, developer, contractor, or other person provides feedback, suggestions, ideas, comments, bug reports, feature requests, product requests, technical recommendations, integration suggestions, performance information, security observations, or other input relating to MudraID, the Customer grants MudraID a perpetual, irrevocable, worldwide, royalty-free, fully paid, transferable, sublicensable license to use, copy, modify, create derivative works from, publish, distribute, commercialize, and otherwise exploit that feedback for any purpose.

MudraID may use feedback without restriction, attribution, approval, confidentiality obligation, or compensation.

Customers must not submit feedback that contains confidential information, personal data, regulated data, third-party data, trade secrets, or information the Customer is not authorized to provide.

18.7 Documentation

MudraID owns all right, title, and interest in the Documentation.

Customers may use the Documentation solely to access, integrate with, configure, and use the Services as permitted under these Terms.

Customers must not copy, reproduce, publish, distribute, sell, sublicense, modify, create derivative works from, or use the Documentation to build competing products or services, except as expressly permitted by MudraID in writing.

MudraID may update, modify, remove, replace, or discontinue Documentation at any time.

18.8 SDKs, Sample Code, and Developer Materials

MudraID may provide SDKs, sample code, scripts, templates, configuration examples, plugins, libraries, command-line tools, or other developer materials.

Unless a separate license is provided, such materials are licensed only for use with the MudraID Services and only in accordance with these Terms and the Documentation.

Customers may not use MudraID SDKs, sample code, developer tools, or integration materials to build, train, support, or operate a competing service, token verification system, bot identity system, trust scoring system, public-key directory, gateway service, or related product.

Developer materials are provided as-is unless expressly stated otherwise in writing. Customers are responsible for reviewing, testing, securing, and validating any developer material before production use.

18.9 Mudra Gateway Intellectual Property

MudraID owns and retains all intellectual property rights in the Mudra Gateway, including hosted Gateway services, self-hosted Gateway components, configurations, rules, templates, routing logic, verification logic, policy enforcement logic, caching logic, and related Documentation.

Customers receive only the limited right to use the Mudra Gateway as permitted under their applicable Service Plan, Order Form, Documentation, and these Terms.

Customers must not copy, modify, fork, reverse engineer, decompile, disassemble, extract, resell, sublicense, redistribute, host for third parties, or create derivative works of the Mudra Gateway except as expressly permitted by MudraID in writing or by an applicable open-source license.

18.10 Trust Scoring and Security Methods

MudraID’s trust scoring systems, Trust Scores, Trust Levels, risk models, security models, abuse-detection methods, fraud-detection methods, gateway enforcement logic, verification logic, algorithms, rules, thresholds, weights, signals, investigation methods, scoring methods, and related systems are proprietary to MudraID.

Customers must not:

a. reverse engineer MudraID’s trust scoring methods;
b. probe or manipulate scoring thresholds;
c. extract scoring logic;
d. attempt to bypass trust controls;
e. game or artificially influence Trust Scores or Trust Levels;
f. copy, reproduce, or recreate MudraID risk models;
g. use MudraID trust data to build a competing trust or reputation system without express written authorization.

MudraID is not required to disclose its scoring methods, thresholds, rules, models, signals, or security logic except where required by applicable law.

18.11 Public Key Directory Data

MudraID may make certain Public Key Directory data available for supported verification purposes.

Customers may use Public Key Directory data only to verify supported identities, signatures, tokens, messages, registration status, or trust information as permitted by the Documentation and these Terms.

Customers must not scrape, harvest, copy, republish, resell, redistribute, export, profile, enrich, or build a competing database or directory using Public Key Directory data unless expressly permitted by MudraID in writing.

MudraID may restrict, suspend, rate limit, or terminate access to Public Key Directory data at any time for security, privacy, abuse prevention, service integrity, legal compliance, or business reasons.

18.12 MudraID Marks

MudraID owns all right, title, and interest in its names, trademarks, service marks, logos, trade names, product names, domain names, badges, icons, design marks, slogans, and brand assets.

Customers must not use MudraID Marks without MudraID’s prior written authorization.

Customers must not use MudraID Marks in a way that:

a. suggests endorsement, certification, sponsorship, approval, guarantee, audit, or partnership where none exists;
b. misrepresents the Customer’s relationship with MudraID;
c. damages or dilutes MudraID’s brand;
d. is misleading, unlawful, defamatory, or harmful;
e. appears in connection with prohibited, abusive, unlawful, or high-risk activity;
f. violates MudraID brand guidelines.

MudraID may require Customers to remove, modify, or stop using MudraID Marks at any time.

18.13 Customer Marks

Customers grant MudraID a limited, non-exclusive, worldwide, royalty-free license to use the Customer’s name, logo, and marks solely as necessary to provide the Services, identify the Customer within the Services, provide support, configure integrations, issue invoices, manage accounts, or fulfill the applicable agreement.

MudraID may use the Customer’s name and logo in customer lists, pitch decks, case studies, marketing materials, website materials, or public announcements only if permitted in an Order Form, separate written consent, or other written agreement.

Customers may revoke marketing use permission by written notice unless otherwise agreed in an Order Form or separate written agreement. Revocation will not require MudraID to remove materials already printed, published, distributed, or committed before revocation, but MudraID will use commercially reasonable efforts to stop new use after a reasonable transition period.

18.14 Open-Source Software

The Services, SDKs, Gateway components, developer tools, or other materials may include or be distributed with open-source software.

Open-source software is licensed under the applicable open-source license, not these Terms, to the extent required by that license.

Nothing in these Terms restricts rights that Customers may have under applicable open-source licenses.

Customers are responsible for complying with any open-source license terms that apply to Customer use, modification, distribution, or deployment of open-source components.

18.15 Third-Party Materials

The Services may interoperate with or include links, references, integrations, connectors, libraries, APIs, documentation, software, data, or services provided by third parties.

Third-party materials are owned by their respective owners and may be subject to separate terms, licenses, restrictions, or fees.

MudraID does not grant Customers any rights in third-party materials except to the extent MudraID is authorized to do so.

MudraID is not responsible for third-party materials, third-party intellectual property, third-party availability, third-party security, third-party changes, or Customer compliance with third-party terms.

18.16 Restrictions

Except as expressly permitted by these Terms or applicable law, Customers must not:

a. copy, modify, translate, adapt, or create derivative works of the Services;
b. reverse engineer, decompile, disassemble, or attempt to derive source code from the Services;
c. access or use the Services to build, benchmark, train, support, or improve a competing product or service;
d. scrape, harvest, or extract MudraID data except as expressly permitted;
e. remove, obscure, or alter proprietary notices;
f. sublicense, resell, rent, lease, lend, distribute, or make the Services available to third parties except as expressly permitted;
g. bypass technical restrictions, rate limits, access controls, billing controls, trust controls, or security controls;
h. use the Services in a way that infringes, misappropriates, or violates MudraID’s or any third party’s intellectual property rights.

18.17 Reservation of Rights

MudraID reserves all rights not expressly granted in these Terms.

No implied licenses are granted.

Customer access to or use of the Services does not transfer any ownership interest in MudraID intellectual property, platform technology, security methods, scoring methods, algorithms, data models, software, Documentation, Marks, or business processes.

18.18 Intellectual Property Infringement Claims

If MudraID reasonably believes that Customer Data, Bot metadata, website metadata, Public Keys, Customer Marks, Customer integrations, Customer use cases, or Customer use of the Services may infringe, misappropriate, or violate intellectual property rights or third-party rights, MudraID may remove, restrict, suspend, disable, or require modification of the relevant material or account activity.

Customers must promptly cooperate with MudraID in responding to intellectual property complaints or legal notices relating to Customer use of the Services.

MudraID may terminate repeat infringers or Customers that create significant intellectual-property risk.

18.19 Customer Indemnity for Intellectual Property Matters

Customers are responsible for claims, losses, damages, penalties, costs, and expenses arising from or relating to:

a. Customer Data;
b. Customer Marks;
c. Bot names, Bot metadata, Bot outputs, or Bot behavior;
d. website, API, domain, or application metadata;
e. Public Keys or directory submissions;
f. Customer integrations;
g. Customer use of third-party materials;
h. Customer misuse of MudraID Marks;
i. Customer violation of intellectual-property rights, privacy rights, publicity rights, contractual rights, or third-party rights;
j. Customer use of the Services outside the permitted scope.

MudraID may seek indemnification and other remedies as provided in these Terms where Customer intellectual-property matters create liability, harm, or claims against MudraID or third parties.

19. Third-Party Services and Integrations

19.1 Third-Party Services

The Services may interoperate with, depend on, link to, connect with, or be used together with third-party services, systems, platforms, software, infrastructure, websites, APIs, applications, networks, hosting providers, cloud providers, DNS providers, CDN providers, identity providers, payment processors, analytics tools, developer tools, bot frameworks, AI platforms, or other third-party products.

Third-party services are not controlled by MudraID unless expressly stated otherwise in writing.

MudraID is not responsible for third-party services, including their availability, security, performance, accuracy, reliability, legality, pricing, support, documentation, data practices, privacy practices, intellectual property, or continued operation.

19.2 Customer Responsibility for Third-Party Services

Customers are solely responsible for selecting, purchasing, configuring, securing, maintaining, monitoring, and using any third-party services they use with MudraID.

Customers are responsible for complying with all third-party terms, policies, licenses, platform rules, website terms, API terms, privacy requirements, data-processing terms, security requirements, rate limits, acceptable-use rules, and payment obligations that apply to those third-party services.

MudraID is not responsible for Customer breach of third-party terms or for disputes between Customers and third-party providers.

19.3 Third-Party Integrations

MudraID may provide integrations, connectors, plugins, SDKs, webhooks, API examples, gateway configurations, documentation, or other tools that help Customers connect MudraID with third-party services.

Such integrations are provided for Customer convenience and may depend on third-party APIs, third-party permissions, third-party authentication systems, third-party rate limits, third-party data formats, third-party uptime, third-party pricing, and third-party product changes.

MudraID does not guarantee that any third-party integration will remain available, compatible, secure, supported, accurate, or uninterrupted.

MudraID may modify, suspend, restrict, or discontinue any third-party integration at any time where MudraID reasonably believes such action is necessary or appropriate.

19.4 Customer Authorization for Integrations

Customers must not connect MudraID to any third-party service unless they have all required rights, permissions, consents, lawful bases, contracts, account access, and authority to do so.

By connecting MudraID to a third-party service, the Customer represents and warrants that:

a. the Customer is authorized to connect the relevant third-party account, website, API, platform, service, or system;
b. the Customer is authorized to transmit data between MudraID and the third-party service;
c. the Customer’s use of the integration complies with applicable law and third-party terms;
d. the Customer has provided all required notices and obtained all required consents;
e. the Customer has properly configured permissions, scopes, access rights, and security settings.

MudraID may suspend, disable, or remove integrations where MudraID reasonably believes the Customer lacks authority or the integration creates legal, security, privacy, operational, abuse, compliance, or service-integrity risk.

19.5 Third-Party Account Credentials and Permissions

Customers may be required to provide, generate, authorize, or configure third-party credentials, access tokens, OAuth grants, API keys, webhook secrets, certificates, service accounts, or permissions to use certain integrations.

Customers are solely responsible for:

a. selecting appropriate permission scopes;
b. granting only necessary access;
c. protecting third-party credentials;
d. rotating or revoking third-party credentials when appropriate;
e. monitoring third-party account access;
f. removing integrations no longer needed;
g. ensuring third-party permissions remain lawful and authorized.

MudraID is not responsible for unauthorized access, data exposure, service disruption, token misuse, or third-party account compromise caused by Customer-side credential handling, excessive permissions, third-party vulnerabilities, or Customer misconfiguration.

19.6 Third-Party API Changes and Limitations

Third-party providers may change, restrict, suspend, deprecate, remove, price, rate limit, or discontinue APIs, features, data formats, authentication methods, scopes, webhooks, SDKs, terms, or services at any time.

Such changes may affect MudraID integrations, token verification workflows, Gateway behavior, Bot operation, Public Key Directory use, website access policies, logs, billing, support, or Customer systems.

MudraID is not responsible for losses, downtime, degraded performance, integration failure, data loss, access loss, increased costs, or business interruption caused by third-party changes or limitations.

MudraID may update or discontinue integrations in response to third-party changes, but is not obligated to maintain compatibility with every third-party system indefinitely.

19.7 Third-Party Outages and Incidents

MudraID is not responsible for service interruption, degraded performance, verification failure, Gateway failure, token issuance delay, Public Key Directory unavailability, data loss, security incidents, or support delays caused by third-party outages, incidents, limitations, misconfigurations, attacks, legal restrictions, or service changes.

Third-party events may include, without limitation:

a. cloud provider outages;
b. DNS failures;
c. CDN failures;
d. hosting failures;
e. identity provider outages;
f. payment processor outages;
g. API provider changes;
h. certificate authority failures;
i. network provider failures;
j. AI platform failures;
k. bot framework failures;
l. third-party security incidents;
m. third-party rate limiting;
n. third-party account suspension;
o. third-party legal or policy restrictions.

Customers are responsible for maintaining appropriate fallback systems, redundancy, monitoring, backups, incident response, and business continuity measures.

19.8 Customer Websites, APIs, and Systems

Customer websites, APIs, applications, domains, networks, hosting environments, origin servers, databases, cloud accounts, infrastructure, identity systems, and Bot systems are Customer-controlled systems.

MudraID is not responsible for Customer-controlled systems, including their availability, security, legality, configuration, data, content, access controls, authentication, authorization, vulnerabilities, performance, or compliance.

Customers are responsible for securing and maintaining Customer-controlled systems and for ensuring that their use of MudraID does not create unauthorized access, data exposure, traffic disruption, compliance failure, or third-party rights violations.

19.9 AI Platforms, Bot Frameworks, and Agent Systems

Customers may use MudraID with AI platforms, bot frameworks, agent orchestration tools, model providers, automation platforms, workflow engines, browser automation tools, API agents, MCP servers, or other agentic systems.

MudraID does not control and is not responsible for such systems, including their model outputs, prompts, actions, decisions, autonomy, safety controls, hallucinations, errors, security issues, data practices, or compliance.

Customers are responsible for ensuring that AI platforms, Bots, agents, models, tools, and workflows connected to MudraID operate lawfully, safely, securely, and within authorized boundaries.

MudraID token verification, Public Key Directory lookup, Trust Scores, or Gateway enforcement do not guarantee the safety, lawfulness, accuracy, reliability, or authorization of any AI system or agentic workflow.

19.10 Identity Providers and Authentication Systems

Customers may connect MudraID with identity providers, single sign-on systems, OAuth providers, SAML providers, directory services, access-management tools, or authentication systems.

Customers are responsible for configuring identity providers and authentication systems correctly, including users, roles, groups, scopes, claims, permissions, account lifecycle, multi-factor authentication, access policies, and revocation.

MudraID is not responsible for unauthorized access, excessive permissions, incorrect claims, account takeover, failed deprovisioning, identity provider outages, or authentication failures caused by Customer-selected identity systems or configurations.

19.11 DNS, CDN, Hosting, and Network Providers

Mudra Gateway, token verification, website protection, API routing, and other Services may depend on DNS, CDN, hosting, cloud, certificate, and network providers.

Customers are responsible for configuring and maintaining DNS records, TLS certificates, CDN rules, hosting environments, origin access controls, routing rules, firewall rules, network rules, and related infrastructure.

MudraID is not responsible for DNS propagation delays, certificate failures, CDN misconfiguration, hosting outages, cloud outages, network failures, direct-origin bypass, misrouting, degraded latency, or Customer infrastructure issues.

19.12 Payment Processors and Billing Providers

MudraID may use third-party payment processors, tax platforms, billing systems, banking partners, card networks, collection providers, or financial service providers.

Customers are responsible for providing accurate billing information, maintaining valid payment methods, complying with payment processor terms, and paying all applicable fees and taxes.

MudraID is not responsible for bank delays, card declines, payment processor outages, currency conversion issues, payment holds, chargebacks, payment account restrictions, tax platform errors, or third-party payment failures outside MudraID’s reasonable control.

19.13 Third-Party Data

Customers are responsible for any third-party data they submit to, route through, process with, or make available to MudraID.

Customers represent and warrant that they have all required rights, permissions, notices, consents, lawful bases, contracts, and authorizations to process third-party data through MudraID.

MudraID is not responsible for Customer misuse, unauthorized processing, unlawful disclosure, or improper handling of third-party data.

19.14 Third-Party Security and Privacy

Third-party services may have their own security practices, privacy practices, data-retention practices, data-transfer rules, subprocessors, compliance programs, breach notification processes, and legal obligations.

Customers are responsible for reviewing third-party security and privacy terms before using third-party services with MudraID.

MudraID does not guarantee that third-party services meet any particular security, privacy, compliance, regulatory, contractual, or industry standard.

19.15 Links and References

The Services or Documentation may contain links or references to third-party websites, documentation, tools, libraries, standards, products, services, or resources.

Such links and references are provided for convenience only.

MudraID does not endorse, control, or accept responsibility for third-party websites, materials, content, services, or resources.

Customers access third-party links and resources at their own risk.

19.16 Third-Party Marketplace or Partner Integrations

MudraID may offer or participate in marketplaces, partner programs, integration directories, app stores, developer ecosystems, or partner integrations.

Unless expressly stated otherwise in writing, third-party marketplace listings, partner integrations, badges, references, or compatibility statements do not mean that MudraID endorses, certifies, guarantees, audits, or accepts responsibility for the third-party product or provider.

MudraID may add, remove, restrict, delist, suspend, or modify marketplace or partner integrations at any time.

19.17 No Responsibility for Third-Party Terms

Customers may be subject to third-party terms when using MudraID with third-party services.

Such terms may include website terms, API terms, cloud provider terms, platform policies, model provider terms, marketplace terms, app store terms, data-processing terms, security terms, or acceptable-use policies.

MudraID is not responsible for interpreting, enforcing, satisfying, or monitoring Customer compliance with third-party terms.

Customers are responsible for determining whether their Bots, websites, APIs, tokens, Gateway configurations, trust rules, integrations, or data practices comply with third-party terms.

19.18 Suspension Due to Third-Party Risk

MudraID may suspend, restrict, disable, remove, or limit any third-party integration, Customer account, Bot, website, API, Gateway configuration, token, key, or Service feature if MudraID reasonably believes that a third-party service, integration, provider, account, API, or dependency creates legal, security, privacy, compliance, abuse, operational, reputational, or service-integrity risk.

MudraID may take such action with or without prior notice depending on the nature and urgency of the risk.

19.19 Third-Party Service Disclaimer

MudraID provides integrations and interoperability tools for convenience and functionality. MudraID does not guarantee third-party services or Customer-selected integrations.

To the maximum extent permitted by law, MudraID disclaims liability for third-party services, third-party data, third-party APIs, third-party integrations, third-party outages, third-party security incidents, third-party terms, third-party charges, third-party changes, and third-party acts or omissions.

19.20 Customer Indemnity for Third-Party Matters

Customers are responsible for claims, losses, damages, penalties, costs, and expenses arising from or relating to:

a. Customer use of third-party services with MudraID;
b. Customer violation of third-party terms;
c. Customer-selected integrations;
d. Customer third-party credentials, tokens, API keys, OAuth grants, or permissions;
e. Customer websites, APIs, domains, applications, infrastructure, or systems;
f. Customer AI platforms, Bots, agents, models, tools, or workflows;
g. Customer processing of third-party data;
h. Customer disputes with third-party providers;
i. Customer failure to obtain required rights, permissions, notices, consents, or lawful bases;
j. third-party claims relating to Customer use of MudraID.

MudraID may seek indemnification and other remedies as provided in these Terms where Customer use of third-party services, integrations, or data creates liability, harm, or claims against MudraID or third parties.

20. Disclaimers

20.1 General Disclaimer

To the maximum extent permitted by law, the Services are provided on an “as is” and “as available” basis, except to the limited extent expressly stated in an applicable Order Form, Service Level Agreement, Data Processing Addendum, product-specific addendum, or other written agreement signed by MudraID.

MudraID disclaims all warranties, representations, conditions, and guarantees, whether express, implied, statutory, or otherwise, including warranties of merchantability, fitness for a particular purpose, title, non-infringement, accuracy, availability, security, reliability, performance, compliance, and uninterrupted or error-free operation.

Customers use the Services at their own risk and remain responsible for determining whether the Services are suitable for their intended use, technical environment, legal obligations, security requirements, compliance obligations, and business needs.

20.2 No Bot Safety Guarantee

MudraID does not guarantee that any Bot, AI Agent, application, integration, developer, Customer, website, API, message, token, key, or interaction is safe, lawful, accurate, reliable, non-malicious, non-deceptive, secure, compliant, or suitable for any particular purpose.

Bot registration, token issuance, successful verification, Public Key Directory listing, Trust Score, Trust Level, Gateway allow decision, or any other MudraID signal does not mean that MudraID has approved, certified, audited, endorsed, insured, guaranteed, or accepted responsibility for a Bot or its behavior.

Customers and relying parties remain responsible for evaluating Bot activity, Bot permissions, Bot outputs, Bot authorization, Bot compliance, and Bot-related risks.

20.3 No Website or API Protection Guarantee

MudraID provides identity, verification, trust-signaling, gateway, and policy-support tools. MudraID does not guarantee that the Services will protect any website, API, application, system, domain, dataset, user account, or digital property from all unwanted, unauthorized, abusive, malicious, automated, fraudulent, or harmful activity.

MudraID does not guarantee prevention, detection, or blocking of all scraping, spam, fraud, abuse, denial-of-service activity, credential attacks, token misuse, Bot impersonation, data extraction, malware, phishing, unauthorized access, policy violations, or security threats.

Customers remain responsible for their own layered security controls, including authentication, authorization, access control, rate limiting, monitoring, logging, fraud prevention, incident response, backups, and legal compliance.

20.4 No Trust Score Guarantee

Trust Scores, Trust Levels, reputation indicators, risk signals, abuse indicators, registration status, verification status, or related trust data are informational risk indicators only.

MudraID does not guarantee that trust data is accurate, complete, current, fair, explainable, uninterrupted, error-free, or suitable for any particular Customer use case.

Trust data may be incomplete, delayed, cached, inaccurate, disputed, unavailable, or changed at any time.

A high Trust Score or Trust Level does not guarantee that a Bot is safe, lawful, authorized, reliable, non-malicious, or suitable. A low Trust Score or Trust Level does not necessarily prove that a Bot is unlawful, malicious, unsafe, or non-compliant.

Customers are solely responsible for deciding how to use trust data and for all consequences of relying on trust data.

20.5 No Verification Guarantee Beyond Technical Checks

Token verification, public-key verification, signed-message verification, JWKS verification, verification API responses, Gateway verification, and bot-to-bot verification may confirm certain technical facts based on available information at the time of verification.

Verification does not guarantee:

a. that the Bot is safe;
b. that the Bot is lawful;
c. that the Bot is authorized for a specific action;
d. that the Bot’s owner is trustworthy;
e. that the Bot has not been compromised;
f. that a message is true, safe, complete, lawful, or accurate;
g. that a request should be allowed;
h. that a website, API, system, account, or dataset may lawfully be accessed;
i. that a Bot will behave properly in the future.

Customers remain responsible for independent authorization, consent, access control, security review, compliance review, and business judgment.

20.6 No Gateway Accuracy Guarantee

The Mudra Gateway may allow, block, throttle, challenge, redirect, modify, or forward requests depending on Customer configuration, cached data, token verification, trust signals, policy rules, and technical conditions.

MudraID does not guarantee that Gateway decisions will always be correct, complete, timely, available, or suitable.

The Gateway may produce false accepts, false rejects, latency, downtime, routing issues, cache issues, policy errors, integration issues, or unexpected behavior.

Customers are responsible for configuring, testing, monitoring, and maintaining the Gateway and for all consequences of Gateway decisions.

20.7 No Security Guarantee

No security system, identity system, token system, cryptographic system, gateway, trust scoring system, API, software platform, cloud service, or monitoring process can guarantee complete security.

MudraID does not guarantee that the Services will prevent, detect, block, or eliminate all security incidents, vulnerabilities, cyberattacks, unauthorized access, credential compromise, Private Key compromise, token theft, token replay, Bot impersonation, data exposure, service disruption, abuse, fraud, or malicious activity.

Customers remain responsible for their own security architecture, credential protection, Private Key protection, account security, Bot security, website security, API security, Gateway configuration, monitoring, incident response, and compliance controls.

20.8 No Availability or Performance Guarantee

Except to the limited extent expressly stated in an applicable SLA, MudraID does not guarantee that the Services will be uninterrupted, continuously available, timely, error-free, secure, fast, scalable, compatible, or free from latency, downtime, degradation, bugs, defects, or interruptions.

MudraID does not guarantee any particular uptime percentage, response time, latency, throughput, recovery time, error rate, token issuance speed, verification speed, Gateway performance, support response time, or resolution time unless expressly stated in an applicable written agreement.

20.9 No Compliance Guarantee

MudraID does not guarantee that use of the Services will cause a Customer, Bot, website, API, application, system, workflow, or integration to comply with any law, regulation, contract, industry standard, security standard, privacy law, data-protection law, AI regulation, cybersecurity rule, platform rule, website term, API term, procurement requirement, audit requirement, or insurance requirement.

Customers are responsible for determining whether their use of MudraID complies with applicable laws, regulations, contracts, policies, and standards.

MudraID does not provide legal, regulatory, compliance, accounting, tax, security, or professional advice.

20.10 No Professional Advice

Any Documentation, support response, dashboard information, trust data, security guidance, integration guidance, sample code, template, report, alert, recommendation, or other information provided by MudraID is for general informational and operational purposes only.

Such information is not legal advice, compliance advice, tax advice, accounting advice, cybersecurity consulting, professional security certification, audit opinion, forensic opinion, or regulatory advice.

Customers should obtain independent professional advice where appropriate.

20.11 No High-Risk Use Warranty

MudraID is not designed to be the sole control for high-risk, life-critical, safety-critical, legally significant, regulated, emergency, medical, financial, law-enforcement, infrastructure, industrial, aviation, transportation, or similar high-risk systems.

Customers must not use MudraID in high-risk environments unless expressly approved in writing by MudraID and unless the Customer implements appropriate independent safeguards, human oversight, redundancy, testing, audit, and compliance controls.

MudraID disclaims all liability arising from unauthorized high-risk use.

20.12 No Data Completeness Guarantee

MudraID may provide logs, audit records, verification records, token records, Gateway records, trust records, reports, alerts, dashboards, analytics, or usage records.

MudraID does not guarantee that such records will be complete, accurate, current, uninterrupted, legally sufficient, forensically reliable, exportable, recoverable, or retained indefinitely.

Customers are responsible for maintaining their own records, monitoring, backups, archives, compliance evidence, and audit trails where required.

20.13 No Third-Party Service Guarantee

MudraID does not guarantee and is not responsible for third-party services, including cloud providers, hosting providers, DNS providers, CDN providers, identity providers, payment processors, bot frameworks, AI platforms, APIs, websites, networks, software libraries, open-source components, or other third-party systems.

MudraID is not responsible for third-party outages, security incidents, API changes, pricing changes, rate limits, legal restrictions, data practices, privacy practices, or support failures.

20.14 No Customer Outcome Guarantee

MudraID does not guarantee any particular business, technical, security, legal, compliance, financial, operational, commercial, reputational, investment, adoption, revenue, cost-saving, traffic, or customer outcome.

MudraID does not guarantee that Customers will reduce abuse, increase trusted traffic, obtain customers, pass audits, satisfy regulators, prevent attacks, avoid disputes, reduce liability, improve conversion, increase revenue, or achieve any commercial result.

20.15 No Error-Free Documentation or Materials

MudraID may provide Documentation, SDKs, sample code, configuration examples, templates, integration guides, support articles, and developer materials.

MudraID does not guarantee that such materials are complete, accurate, current, secure, production-ready, free from errors, or suitable for every Customer environment.

Customers are responsible for reviewing, testing, adapting, securing, and validating any Documentation or materials before relying on them.

20.16 Beta and Free Services Disclaimer

Beta Services, preview services, pilot services, experimental services, evaluation services, free services, free trials, early-access features, and unsupported features are provided as-is, without warranties, support commitments, availability commitments, data-retention commitments, service credits, or production-readiness commitments unless expressly stated in writing.

Customers use such services at their own risk.

20.17 Customer Configuration Disclaimer

MudraID is not responsible for harm caused by Customer configuration, Customer policies, Customer infrastructure, Customer integrations, Customer credentials, Customer Private Keys, Customer Bots, Customer websites, Customer APIs, Customer Gateways, Customer DNS, Customer hosting, Customer cloud environments, Customer identity systems, Customer data, Customer users, or Customer third-party services.

Customers are responsible for all decisions, configurations, and actions taken through or in connection with their accounts.

20.18 Jurisdictional Limitations

Some jurisdictions do not allow certain warranty disclaimers or limitations. In such jurisdictions, MudraID’s disclaimers apply to the maximum extent permitted by law.

Nothing in these Terms excludes or limits warranties, rights, or remedies that cannot lawfully be excluded or limited.

20.19 Survival

The disclaimers in this Section survive suspension, expiration, termination, cancellation, non-renewal, and discontinuation of the Services.

21. Limitation of Liability

21.1 General Limitation of Liability

To the maximum extent permitted by law, MudraID’s total aggregate liability arising out of or relating to these Terms, the Services, any Order Form, any Service Plan, any API Documentation, any Data Processing Addendum, any Service Level Agreement, any Acceptable Use Policy, any product-specific addendum, or any related agreement will not exceed the amounts paid by the Customer to MudraID for the affected Services during the twelve months immediately before the event giving rise to the claim.

If the Customer has not paid any fees for the affected Services, MudraID’s total aggregate liability will not exceed one hundred United States dollars.

The liability cap applies whether the claim is based on contract, tort, negligence, strict liability, statute, warranty, misrepresentation, indemnity, equity, or any other legal theory, even if MudraID has been advised of the possibility of such damages.

21.2 Exclusion of Indirect and Consequential Damages

To the maximum extent permitted by law, MudraID will not be liable for any indirect, incidental, special, consequential, exemplary, punitive, enhanced, or similar damages.

This exclusion includes, without limitation, damages for:

a. lost profits;
b. lost revenue;
c. lost business;
d. lost opportunities;
e. lost goodwill;
f. reputational harm;
g. business interruption;
h. loss of customers;
i. loss of traffic;
j. loss of leads;
k. loss of contracts;
l. loss of anticipated savings;
m. loss of investment value;
n. cost of substitute services;
o. loss, corruption, or unavailability of data;
p. loss of use of systems;
q. downtime;
r. service disruption;
s. security incidents;
t. third-party claims, except to the limited extent expressly covered by MudraID’s indemnity obligations, if any.

This exclusion applies even if MudraID knew or should have known that such damages were possible.

21.3 Security-Service Specific Limitations

MudraID provides identity, verification, trust-signaling, gateway, and security-support services. Because no security or identity system can prevent all threats, MudraID will not be liable for damages arising from or relating to:

a. malicious Bots;
b. unwanted Bots;
c. unauthorized Bots;
d. scraping;
e. spam;
f. fraud;
g. abuse;
h. phishing;
i. malware;
j. denial-of-service activity;
k. credential attacks;
l. token misuse;
m. token replay;
n. Bot impersonation;
o. Private Key compromise;
p. Client Secret compromise;
q. API Credential compromise;
r. public-key errors;
s. incorrect trust scores;
t. incorrect verification outcomes;
u. Gateway false accepts;
v. Gateway false rejects;
w. failure to detect or block threats;
x. Customer security incidents;
y. third-party security incidents.

This limitation applies except to the extent such liability cannot be excluded or limited under applicable law.

21.4 Trust Score and Verification Limitations

MudraID will not be liable for damages arising from or relating to Trust Scores, Trust Levels, reputation indicators, risk signals, abuse indicators, registration status, verification status, token status, key status, or related trust data.

This includes, without limitation, claims based on:

a. inaccurate trust data;
b. incomplete trust data;
c. delayed trust data;
d. stale cached trust data;
e. disputed trust data;
f. trust score downgrades;
g. trust score upgrades;
h. trust score removals;
i. account suspensions;
j. Bot suspensions;
k. token revocations;
l. Public Key Directory restrictions;
m. Customer reliance on trust data;
n. Customer or third-party decisions based on trust data;
o. alleged reputational harm from trust classifications;
p. alleged business losses from access restrictions.

Trust data is informational only, and Customers use it at their own risk.

21.5 Token and Credential Limitations

MudraID will not be liable for damages arising from or relating to:

a. expired tokens;
b. revoked tokens;
c. invalidated tokens;
d. delayed token issuance;
e. refused token issuance;
f. failed token verification;
g. incorrect Customer verification logic;
h. Customer failure to validate token claims;
i. Customer failure to check issuer, audience, scope, expiration, or signature;
j. Customer failure to handle key rotation;
k. Customer failure to handle revocation;
l. compromised Customer credentials;
m. exposed Client Secrets;
n. compromised Private Keys;
o. unauthorized signatures created using Customer Private Keys;
p. token replay;
q. token theft;
r. Customer misuse of Mudra Tokens;
s. use of Mudra Tokens beyond their intended purpose.

Customers are responsible for securing credentials, verifying tokens correctly, and handling token lifecycle events safely.

21.6 Gateway Limitations

MudraID will not be liable for damages arising from or relating to the Mudra Gateway, including:

a. Gateway downtime;
b. Gateway latency;
c. Gateway misconfiguration;
d. Customer deployment errors;
e. DNS errors;
f. TLS certificate errors;
g. hosting or cloud provider failures;
h. CDN failures;
i. origin exposure;
j. direct-origin bypass;
k. false accepts;
l. false rejects;
m. blocked legitimate traffic;
n. allowed unwanted traffic;
o. throttled traffic;
p. challenged traffic;
q. misrouted traffic;
r. degraded website or API performance;
s. lost revenue, lost leads, or lost traffic;
t. Customer-selected fail-open or fail-closed behavior;
u. stale cached verification or trust data;
v. Customer failure to monitor, test, update, or maintain Gateway configuration.

Customers are responsible for deployment, configuration, monitoring, fallback design, and business consequences of Gateway use.

21.7 Data and Logs Limitations

MudraID will not be liable for damages arising from or relating to:

a. incomplete logs;
b. delayed logs;
c. missing logs;
d. inaccurate logs;
e. truncated logs;
f. overwritten logs;
g. unavailable logs;
h. failure to retain logs;
i. inability to export logs;
j. incomplete audit records;
k. missing token records;
l. missing verification records;
m. missing Gateway records;
n. missing abuse reports;
o. Customer reliance on logs for legal, regulatory, audit, forensic, insurance, or evidentiary purposes.

Customers are responsible for maintaining their own records, backups, monitoring, compliance evidence, and audit trails where required.

21.8 Third-Party and Customer-Side Limitations

MudraID will not be liable for damages arising from or relating to:

a. Customer systems;
b. Customer infrastructure;
c. Customer Bots;
d. Customer websites;
e. Customer APIs;
f. Customer applications;
g. Customer Gateways;
h. Customer domains;
i. Customer DNS;
j. Customer hosting;
k. Customer cloud environments;
l. Customer identity providers;
m. Customer integrations;
n. Customer users;
o. Customer administrators;
p. Customer contractors;
q. Customer data;
r. Customer configurations;
s. third-party services;
t. third-party outages;
u. third-party security incidents;
v. third-party API changes;
w. third-party terms;
x. third-party providers selected or configured by the Customer.

21.9 Beta, Trial, Free, and Evaluation Services

To the maximum extent permitted by law, MudraID will have no liability arising from or relating to beta services, trial services, free services, preview services, pilot services, experimental services, evaluation services, early-access services, unsupported services, deprecated services, or services provided without charge.

If liability for such services cannot be fully excluded under applicable law, MudraID’s total aggregate liability for such services will not exceed one hundred United States dollars.

No SLA, service credit, support commitment, availability commitment, data-retention commitment, or production-readiness commitment applies to such services unless expressly stated in writing.

21.10 SLA Service Credits as Exclusive Remedy

Where an applicable SLA provides service credits, those service credits are the Customer’s sole and exclusive remedy for MudraID’s failure to meet the applicable SLA commitment.

Service credits will not be available unless the Customer follows the claim process, deadlines, evidence requirements, and limitations stated in the applicable SLA.

Service credits have no cash value and do not increase MudraID’s liability cap.

21.11 Claims Period

To the maximum extent permitted by law, any claim arising out of or relating to these Terms, the Services, any Order Form, any Service Plan, any API Documentation, any Data Processing Addendum, any Service Level Agreement, any Acceptable Use Policy, any product-specific addendum, or any related agreement must be brought within one year after the event giving rise to the claim.

Any claim not brought within that period is permanently barred.

This provision does not apply where a shorter or longer period is required by applicable law and cannot be contractually modified.

21.12 Multiple Claims

The existence of more than one claim, incident, event, breach, failure, service issue, security incident, token issue, Gateway issue, verification issue, trust score issue, or dispute will not increase MudraID’s liability cap.

All claims arising from the same or related facts, events, circumstances, systems, configurations, security incidents, or service issues will be treated as one claim for purposes of the liability cap.

21.13 No Liability for Customer Decisions

MudraID will not be liable for Customer decisions made using the Services, including decisions to:

a. allow a Bot;
b. block a Bot;
c. throttle traffic;
d. challenge traffic;
e. trust a token;
f. reject a token;
g. rely on a Trust Score;
h. rely on Public Key Directory data;
i. route traffic through the Gateway;
j. configure fail-open or fail-closed behavior;
k. publish website policy metadata;
l. report abuse;
m. suspend or interact with a Bot;
n. take legal, security, compliance, business, or operational action.

Customers are responsible for independent judgment, access-control decisions, authorization decisions, compliance decisions, and business decisions.

21.14 Exceptions Required by Law

Nothing in these Terms excludes or limits liability to the extent such liability cannot be excluded or limited under applicable law.

Depending on applicable law, this may include liability for fraud, fraudulent misrepresentation, intentional misconduct, gross negligence, death or personal injury caused by negligence, or other liability that cannot lawfully be excluded or limited.

Any legally required exception will apply only to the minimum extent required by applicable law.

21.15 Allocation of Risk

The limitations and exclusions in these Terms reflect the allocation of risk between the parties and are an essential basis of the bargain.

The fees charged for the Services reflect these limitations and exclusions.

Customers acknowledge that MudraID would not provide the Services on the same terms without these limitations and exclusions.

21.16 Survival

The limitations of liability in this Section survive suspension, expiration, termination, cancellation, non-renewal, and discontinuation of the Services.

22. Indemnification

22.1 Customer Indemnification

To the maximum extent permitted by law, the Customer will defend, indemnify, and hold harmless MudraID, its affiliates, officers, directors, employees, contractors, agents, licensors, service providers, successors, and assigns from and against any claims, demands, actions, proceedings, investigations, damages, losses, liabilities, penalties, fines, costs, and expenses, including reasonable attorneys’ fees, arising from or relating to:

a. Customer use or misuse of the Services;
b. Customer breach of these Terms, the Acceptable Use Policy, the Documentation, an Order Form, a Service Plan, a Data Processing Addendum, a Service Level Agreement, or any product-specific addendum;
c. Customer Bots, AI Agents, applications, scripts, automation tools, models, workflows, or integrations;
d. Customer websites, APIs, domains, applications, systems, services, infrastructure, or digital properties;
e. Customer Data;
f. Customer Public Keys, Private Keys, API Credentials, Client Secrets, tokens, certificates, passwords, service accounts, or signing materials;
g. Customer use, misuse, exposure, compromise, or mishandling of Mudra Tokens;
h. Customer use, misuse, exposure, compromise, or mishandling of Public Keys or Private Keys;
i. Customer use or configuration of the Mudra Gateway;
j. Customer access policies, allowlists, blocklists, trust-level rules, routing rules, throttling rules, challenge rules, or fallback behavior;
k. Customer reliance on Trust Scores, Trust Levels, reputation indicators, verification results, Public Key Directory data, logs, reports, or audit records;
l. Customer abuse reports, security reports, trust submissions, appeals, or other submissions to MudraID;
m. Customer violation of applicable law, regulation, sanctions rule, export-control rule, privacy law, data-protection law, cybersecurity law, AI regulation, intellectual-property law, consumer-protection law, or other legal requirement;
n. Customer violation of third-party rights, including intellectual-property rights, privacy rights, publicity rights, confidentiality rights, contractual rights, platform rights, website rights, API rights, or data rights;
o. Customer violation of third-party terms, including website terms, API terms, platform policies, hosting terms, cloud provider terms, model provider terms, payment processor terms, or marketplace terms;
p. Customer failure to obtain required rights, permissions, notices, consents, lawful bases, contracts, or authorizations;
q. Customer security incidents, credential compromise, Bot compromise, Gateway compromise, website compromise, API compromise, infrastructure compromise, or data exposure;
r. Customer high-risk use, regulated use, unlawful use, abusive use, or unauthorized use of the Services;
s. Customer misrepresentation that MudraID endorsed, certified, approved, audited, guaranteed, insured, sponsored, or accepted responsibility for any Bot, website, API, Customer, application, integration, transaction, message, or service;
t. acts or omissions of Customer administrators, employees, contractors, developers, agents, End Users, Bots, service providers, or other persons or systems acting through or on behalf of the Customer.

22.2 Bot-Related Indemnity

Without limiting Section 22.1, the Customer will defend, indemnify, and hold harmless MudraID from and against any claim, loss, liability, penalty, cost, or expense arising from or relating to any Customer Bot or AI Agent, including:

a. Bot registration;
b. Bot identity claims;
c. Bot metadata;
d. Bot ownership disputes;
e. Bot impersonation;
f. Bot behavior;
g. Bot outputs;
h. Bot decisions;
i. Bot communications;
j. Bot data collection or processing;
k. Bot interactions with websites, APIs, systems, users, or other Bots;
l. Bot use of Mudra Tokens;
m. Bot use of Public Keys or Private Keys;
n. Bot scraping, spam, fraud, abuse, unauthorized access, or other harmful activity;
o. Bot violation of law, third-party terms, or third-party rights.

MudraID does not assume responsibility for Customer Bots merely because they are registered, tokenized, verified, listed, assigned a Trust Score, or allowed through a MudraID-supported mechanism.

22.3 Website, API, and Gateway Indemnity

Without limiting Section 22.1, the Customer will defend, indemnify, and hold harmless MudraID from and against any claim, loss, liability, penalty, cost, or expense arising from or relating to:

a. Customer websites, APIs, applications, domains, or services registered with MudraID;
b. Customer authority or lack of authority to register or manage a website, API, domain, application, or service;
c. Customer DNS, TLS, CDN, hosting, cloud, network, or origin configuration;
d. Customer deployment, configuration, operation, or misuse of the Mudra Gateway;
e. blocked traffic;
f. allowed traffic;
g. throttled traffic;
h. challenged traffic;
i. redirected or forwarded traffic;
j. false accepts;
k. false rejects;
l. Customer-selected fail-open or fail-closed behavior;
m. Customer access policies;
n. Customer failure to provide required notices, consents, privacy disclosures, user terms, or legal basis;
o. Customer violation of third-party website, API, platform, cloud, CDN, DNS, hosting, or network terms.

22.4 Data and Privacy Indemnity

Without limiting Section 22.1, the Customer will defend, indemnify, and hold harmless MudraID from and against any claim, loss, liability, penalty, cost, or expense arising from or relating to:

a. Customer Data;
b. Customer-submitted personal data;
c. Customer-submitted sensitive or regulated data;
d. Customer failure to obtain required rights, notices, consents, lawful bases, contracts, or authorizations;
e. Customer violation of privacy laws, data-protection laws, data-transfer rules, confidentiality obligations, or data-processing obligations;
f. Customer Gateway logging configuration;
g. Customer routing, processing, storage, disclosure, or deletion of data;
h. Customer misuse of logs, verification records, trust data, abuse reports, Public Key Directory data, or audit records;
i. Customer failure to maintain required records, backups, exports, deletion processes, or audit evidence;
j. Customer data breach, data exposure, or security incident caused by Customer systems, Customer credentials, Customer Bots, Customer Gateways, Customer integrations, or Customer third-party services.

22.5 Intellectual Property Indemnity by Customer

Without limiting Section 22.1, the Customer will defend, indemnify, and hold harmless MudraID from and against any claim, loss, liability, penalty, cost, or expense arising from or relating to:

a. Customer Data;
b. Customer Marks;
c. Bot names, Bot metadata, Bot outputs, or Bot behavior;
d. website, API, domain, application, or service metadata;
e. Public Keys or directory submissions;
f. Customer integrations;
g. Customer use of third-party materials;
h. Customer misuse of MudraID Marks;
i. Customer violation or alleged violation of intellectual-property rights, privacy rights, publicity rights, confidentiality rights, contractual rights, or other third-party rights;
j. Customer use of the Services outside the permitted scope.

22.6 Third-Party Services Indemnity

Without limiting Section 22.1, the Customer will defend, indemnify, and hold harmless MudraID from and against any claim, loss, liability, penalty, cost, or expense arising from or relating to:

a. Customer use of third-party services with MudraID;
b. Customer violation of third-party terms;
c. Customer-selected integrations;
d. Customer third-party credentials, OAuth grants, API keys, tokens, service accounts, permissions, or scopes;
e. Customer AI platforms, Bots, models, frameworks, tools, or workflows;
f. Customer disputes with third-party providers;
g. third-party claims relating to Customer use of MudraID;
h. Customer failure to obtain required third-party rights, permissions, notices, consents, lawful bases, or authorizations.

22.7 MudraID Intellectual Property Indemnity

Subject to this Section and the limitations of liability in these Terms, MudraID may defend the Customer against a third-party claim alleging that the generally available paid Services, when used by the Customer as authorized under these Terms and the Documentation, directly infringe that third party’s intellectual-property rights.

MudraID’s obligation under this Section applies only if:

a. the Customer promptly notifies MudraID in writing of the claim;
b. the Customer gives MudraID sole control of the defense and settlement of the claim;
c. the Customer provides reasonable cooperation at MudraID’s expense;
d. the Customer has used the Services according to these Terms, the Documentation, and the applicable Order Form;
e. the claim does not fall within an exclusion stated in these Terms.

MudraID may, at its option, resolve an infringement claim by:

a. procuring the right for the Customer to continue using the affected Service;
b. modifying the affected Service so it is no longer allegedly infringing;
c. replacing the affected Service with a substantially similar service;
d. terminating the affected Service and providing any refund expressly required by the applicable written agreement.

This Section states MudraID’s sole obligation and the Customer’s exclusive remedy for third-party intellectual-property infringement claims relating to the Services.

22.8 Exclusions from MudraID IP Indemnity

MudraID has no obligation to indemnify, defend, or hold harmless the Customer for claims arising from or relating to:

a. Customer Data;
b. Customer Marks;
c. Customer Bots, AI Agents, applications, models, workflows, or integrations;
d. Customer websites, APIs, domains, systems, or infrastructure;
e. Customer use of the Services in violation of these Terms, the Documentation, or applicable law;
f. Customer modifications to the Services;
g. Customer combination of the Services with non-MudraID products, services, data, software, systems, or materials;
h. Customer use of unsupported, beta, trial, preview, pilot, experimental, free, deprecated, or modified Services;
i. Customer failure to use updates, patches, replacements, or modified Services provided by MudraID;
j. third-party services, open-source software, or third-party materials;
k. use of the Services after MudraID instructs the Customer to stop due to a claim or risk;
l. claims that would not have arisen but for Customer conduct, Customer data, Customer systems, Customer configuration, or Customer instructions.

22.9 Indemnification Procedure

The party seeking indemnification must:

a. promptly notify the indemnifying party in writing of the claim;
b. provide reasonable information, assistance, and cooperation;
c. allow the indemnifying party to control the defense and settlement, subject to the limitations in these Terms.

Failure to provide prompt notice does not relieve the indemnifying party of its obligations except to the extent the delay materially prejudices the defense.

The indemnifying party may not settle a claim in a way that admits fault by the indemnified party, imposes non-monetary obligations on the indemnified party, restricts the indemnified party’s business, or requires payment by the indemnified party without the indemnified party’s prior written consent.

22.10 MudraID Control of Customer-Related Claims

Where a claim is made against MudraID arising from Customer conduct, Customer Data, Customer Bots, Customer websites, Customer APIs, Customer Gateway use, Customer integrations, Customer tokens, Customer keys, Customer compliance failures, Customer violations, or Customer misuse of the Services, MudraID may control its own defense, select its own counsel, and take reasonable action to protect its interests.

The Customer must cooperate with MudraID and reimburse MudraID for covered losses, costs, and expenses according to this Section.

MudraID is not required to allow the Customer to control any defense where the claim may affect MudraID’s intellectual property, platform integrity, security systems, trust scoring methods, reputation, business operations, legal obligations, other customers, or third-party relationships.

22.11 No Limitation of Customer Indemnity

Unless expressly required by applicable law or expressly stated in a written agreement, Customer indemnification obligations are not subject to the limitation of liability where the claim arises from:

a. Customer breach of confidentiality;
b. Customer violation of intellectual-property rights;
c. Customer violation of privacy or data-protection laws;
d. Customer violation of applicable law;
e. Customer payment obligations;
f. Customer fraud, willful misconduct, or gross negligence;
g. Customer misuse of the Services;
h. Customer Bots, websites, APIs, Gateways, integrations, data, credentials, keys, or tokens;
i. Customer obligations that expressly survive termination.

22.12 Survival

The indemnification obligations in this Section survive suspension, expiration, termination, cancellation, non-renewal, and discontinuation of the Services.

23. Suspension and Termination

23.1 MudraID Suspension Rights

MudraID may suspend, restrict, throttle, block, downgrade, disable, revoke, or limit Customer access to all or part of the Services at any time if MudraID reasonably believes that suspension or restriction is necessary or appropriate.

Suspension may apply to:

a. Customer accounts;
b. administrator accounts;
c. End User access;
d. Bots or AI Agents;
e. Bot registrations;
f. website, API, domain, application, or service registrations;
g. Mudra Tokens;
h. API Credentials;
i. Client IDs;
j. Client Secrets;
k. Public Keys;
l. Private Key-associated records;
m. Public Key Directory access;
n. Trust Scores or Trust Levels;
o. Mudra Gateway functionality;
p. verification services;
q. token issuance services;
r. support access;
s. dashboards;
t. SDK, webhook, or integration access;
u. any other Service feature.

23.2 Grounds for Suspension

MudraID may suspend or restrict access if MudraID reasonably believes that:

a. the Customer has breached these Terms, the Acceptable Use Policy, the Documentation, an Order Form, a Service Plan, a DPA, an SLA, or any product-specific addendum;
b. the Customer has failed to pay fees when due;
c. the Customer, a Bot, website, API, domain, integration, token, credential, key, Gateway, or End User creates legal, security, privacy, fraud, abuse, compliance, operational, reputational, or service-integrity risk;
d. account information, Bot metadata, website metadata, domain information, public-key data, billing information, or trust-related information is inaccurate, incomplete, misleading, unauthorized, or unverifiable;
e. the Customer does not have authority to register or manage a Bot, website, API, domain, application, service, key, or integration;
f. API Credentials, Client Secrets, Private Keys, tokens, certificates, passwords, or authentication factors are compromised or suspected to be compromised;
g. a Bot is involved in scraping, spam, fraud, phishing, malware, unauthorized access, impersonation, excessive traffic, abuse, or other harmful activity;
h. the Customer uses MudraID to misrepresent endorsement, certification, approval, guarantee, audit, sponsorship, or trust status;
i. the Customer attempts to bypass rate limits, usage limits, billing controls, security controls, trust controls, gateway controls, verification controls, or enforcement systems;
j. the Customer uses the Services in a high-risk, regulated, unlawful, harmful, or unauthorized way;
k. the Customer fails to cooperate with a security, abuse, compliance, billing, ownership, domain, or identity investigation;
l. MudraID is required or reasonably requested to act by law, regulation, court order, government authority, law-enforcement authority, sanctions requirement, export-control requirement, or third-party platform obligation;
m. continued access may harm MudraID, Customers, third parties, the Services, infrastructure, or public trust in MudraID.

23.3 Emergency Suspension

MudraID may suspend or restrict access immediately and without prior notice where MudraID reasonably believes that advance notice may:

a. increase security risk;
b. enable continued abuse;
c. allow evidence destruction;
d. allow further credential misuse;
e. allow further token misuse;
f. allow further Bot impersonation;
g. harm MudraID, Customers, users, websites, APIs, third parties, or the Services;
h. violate law or legal obligations;
i. interfere with an investigation;
j. compromise MudraID’s security systems, trust systems, scoring methods, or enforcement processes.

MudraID is not liable for reasonable emergency suspension or restriction taken in good faith.

23.4 Suspension for Non-Payment

MudraID may suspend, restrict, downgrade, or terminate access if the Customer fails to pay fees when due.

MudraID may restrict features including token issuance, verification services, Gateway functionality, Public Key Directory access, dashboards, support, logs, API access, and data export until overdue amounts are paid.

Suspension for non-payment does not relieve the Customer of its obligation to pay all amounts due, including subscription fees, usage fees, overage fees, taxes, late fees, collection costs, and legal fees where permitted by law.

MudraID is not liable for service interruption, token failure, verification failure, Gateway impact, data unavailability, business interruption, or other harm caused by suspension for non-payment.

23.5 Suspension for Security Risk or Credential Compromise

MudraID may suspend or restrict access if MudraID reasonably believes that any account, Bot, credential, token, Client Secret, Private Key, Public Key, certificate, Gateway configuration, integration, or system is compromised, exposed, misused, or vulnerable.

MudraID may require the Customer to take remediation steps before restoring access, including:

a. rotating credentials;
b. rotating keys;
c. revoking tokens;
d. resetting passwords;
e. enabling stronger authentication;
f. correcting Bot metadata;
g. correcting website metadata;
h. disabling affected Bots;
i. updating Gateway configuration;
j. patching affected systems;
k. providing logs or evidence;
l. completing re-verification;
m. confirming remediation in writing.

MudraID may deny restoration if the Customer does not complete remediation to MudraID’s reasonable satisfaction.

23.6 Suspension for Abuse or Policy Violation

MudraID may suspend or restrict access where MudraID reasonably believes the Services are being used for abuse, unlawful activity, prohibited automation, impersonation, fraud, spam, scraping, malware, phishing, unauthorized access, token misuse, trust-score manipulation, Public Key Directory abuse, Gateway misuse, or other prohibited conduct.

MudraID may also suspend or restrict access while investigating suspected abuse or policy violation.

MudraID is not required to prove final liability, unlawful conduct, or actual harm before taking protective action.

23.7 Suspension for Legal or Compliance Reasons

MudraID may suspend, restrict, terminate, or refuse access where MudraID reasonably believes such action is required or appropriate to comply with law, regulation, sanctions, export control, court order, government request, law-enforcement request, regulatory request, platform rule, contractual obligation, or legal risk.

MudraID may also suspend or restrict access if continuing to provide the Services may expose MudraID to legal, regulatory, sanctions, export-control, privacy, cybersecurity, intellectual-property, or compliance risk.

23.8 Effect of Suspension

During suspension, the Customer may lose access to some or all Services, including token issuance, token verification, Gateway functionality, Public Key Directory access, trust data, dashboards, APIs, logs, support, data export, SDKs, webhooks, integrations, and other features.

MudraID may continue to process, retain, use, restrict, preserve, or disclose certain data and records as necessary or appropriate for security, abuse investigation, legal compliance, billing, enforcement, dispute resolution, or protection of MudraID, Customers, third parties, and the Services.

Suspension does not waive MudraID’s right to terminate, seek payment, seek indemnification, pursue legal remedies, or take further enforcement action.

23.9 Customer Termination

Customers may stop using the Services at any time.

If the Customer has a paid subscription, Order Form, committed term, minimum spend, usage commitment, or other contractual obligation, termination rights and payment obligations are governed by the applicable Order Form, Service Plan, or written agreement.

Unless expressly stated otherwise in writing, Customer termination does not entitle the Customer to a refund, credit, fee reduction, or release from accrued payment obligations.

Customers are responsible for exporting data, rotating keys, revoking credentials, disabling integrations, updating DNS, removing Gateway configurations, and transitioning their systems before termination.

23.10 MudraID Termination for Cause

MudraID may terminate the Customer’s account, Order Form, Service Plan, or access to the Services if:

a. the Customer materially breaches these Terms or any related agreement;
b. the Customer fails to cure a breach within the period specified by MudraID, if a cure period is provided;
c. the Customer fails to pay amounts when due;
d. the Customer engages in unlawful, abusive, harmful, deceptive, fraudulent, or unauthorized activity;
e. the Customer creates legal, security, privacy, compliance, fraud, operational, reputational, or service-integrity risk;
f. the Customer repeatedly violates the Documentation, Acceptable Use Policy, or service limits;
g. the Customer attempts to reverse engineer, bypass, manipulate, or attack MudraID systems;
h. the Customer misuses MudraID Marks, trust data, verification results, Public Key Directory data, or Mudra Tokens;
i. the Customer ceases business, becomes insolvent, enters liquidation, or becomes subject to bankruptcy or similar proceedings;
j. MudraID is required or reasonably requested to terminate by law, regulation, court order, government authority, law-enforcement authority, platform provider, or contractual obligation.

23.11 MudraID Termination for Convenience

Unless an applicable Order Form states otherwise, MudraID may terminate or discontinue free, trial, beta, preview, pilot, evaluation, early-access, deprecated, unsupported, or non-paid Services at any time, with or without notice.

For paid Services, MudraID may terminate for convenience at the end of the then-current subscription term by providing notice of non-renewal.

MudraID may also discontinue a Service, feature, product, plan, API, Gateway component, SDK, or integration according to the service-change and deprecation provisions of these Terms.

23.12 Effect of Termination

Upon termination, expiration, cancellation, or non-renewal:

a. the Customer’s right to access and use the Services ends;
b. MudraID may disable accounts, dashboards, APIs, credentials, tokens, Bots, Gateways, Public Key Directory access, verification services, and integrations;
c. the Customer must stop using the Services;
d. the Customer must stop using MudraID Marks unless separately authorized;
e. the Customer must pay all amounts due;
f. MudraID may retain or delete Customer Data according to these Terms, the Documentation, the DPA where applicable, and applicable law;
g. MudraID may continue to retain records needed for security, billing, legal compliance, abuse investigation, dispute resolution, audit, or enforcement;
h. the Customer remains responsible for its Bots, websites, APIs, integrations, credentials, keys, Gateway configurations, and data after termination.

23.13 Data Export After Termination

MudraID may allow the Customer to export certain Customer Data after termination, depending on the Service Plan, product capability, account status, legal requirements, security conditions, payment status, and technical feasibility.

MudraID is not required to provide data export where:

a. the account is suspended or terminated for security risk, abuse, unlawful activity, non-payment, or legal reasons;
b. export may expose data of other customers or third parties;
c. export may compromise security, investigations, or service integrity;
d. the requested data is not exportable;
e. the data has been deleted, anonymized, aggregated, overwritten, or is no longer retained;
f. the Customer has not paid amounts due;
g. applicable law permits or requires MudraID to restrict access.

Customers are responsible for exporting and preserving needed data before termination whenever possible.

23.14 Deletion and Retention After Termination

After termination, MudraID may delete, archive, anonymize, de-identify, restrict, or retain Customer Data according to its retention practices, Documentation, DPA where applicable, and legal obligations.

MudraID may retain data and records where necessary or appropriate for:

a. legal compliance;
b. security;
c. abuse investigation;
d. fraud prevention;
e. billing;
f. tax;
g. accounting;
h. dispute resolution;
i. enforcement of these Terms;
j. audit;
k. backup systems;
l. service integrity;
m. protection of MudraID, Customers, third parties, and the Services.

MudraID is not required to retain Customer Data indefinitely.

23.15 Transition Responsibilities

Customers are responsible for managing their transition away from the Services.

Transition responsibilities may include:

a. disabling Bots;
b. revoking Mudra Tokens;
c. rotating Client Secrets;
d. rotating Private Keys;
e. removing Public Keys;
f. updating website access policies;
g. disabling or removing Gateway deployments;
h. changing DNS and routing;
i. updating APIs and integrations;
j. notifying their own users, customers, partners, or developers where appropriate;
k. exporting needed data;
l. maintaining alternative security controls.

MudraID is not responsible for Customer failure to transition safely or for continued reliance on MudraID after termination.

23.16 Reinstatement

MudraID may, at its discretion, reinstate suspended or terminated access if the Customer resolves the issue to MudraID’s reasonable satisfaction.

Reinstatement may require:

a. payment of overdue amounts;
b. credential rotation;
c. key rotation;
d. account re-verification;
e. domain re-verification;
f. Bot re-verification;
g. security remediation;
h. written compliance confirmation;
i. revised Service Plan or Order Form;
j. additional fees;
k. additional restrictions;
l. legal or compliance review.

MudraID is not obligated to reinstate any account, Bot, token, key, Gateway, integration, or Service access.

23.17 No Liability for Suspension or Termination

To the maximum extent permitted by law, MudraID is not liable for damages, losses, costs, penalties, claims, business interruption, lost profits, lost revenue, lost traffic, lost customers, data loss, access loss, reputational harm, or other consequences arising from or relating to suspension, restriction, revocation, downgrade, termination, non-renewal, or discontinuation taken in good faith under these Terms.

23.18 Survival

Any provisions that by their nature should survive suspension, expiration, cancellation, non-renewal, termination, or discontinuation will survive, including provisions relating to:

a. payment obligations;
b. intellectual property;
c. Customer Data rights and retention;
d. confidentiality;
e. disclaimers;
f. limitation of liability;
g. indemnification;
h. dispute resolution;
i. governing law;
j. audit and enforcement;
k. security investigations;
l. data retention;
m. provisions necessary to interpret or enforce these Terms.

24. Compliance, Export, and Sanctions

24.1 Compliance with Laws

Customers are solely responsible for ensuring that their access to and use of MudraID complies with all applicable laws, regulations, rules, orders, directives, industry requirements, contractual obligations, and third-party terms.

This includes, without limitation, laws and rules relating to:

a. cybersecurity;
b. artificial intelligence;
c. automated systems;
d. data protection and privacy;
e. electronic communications;
f. computer misuse and unauthorized access;
g. intellectual property;
h. consumer protection;
i. unfair competition;
j. sanctions;
k. export controls;
l. anti-bribery and anti-corruption;
m. anti-money laundering;
n. tax;
o. regulated industries;
p. online safety;
q. platform governance;
r. website, API, and data-access restrictions.

MudraID is not responsible for determining whether a Customer’s Bots, websites, APIs, data, integrations, workflows, business operations, access policies, or use cases comply with applicable law.

24.2 Customer Legal Responsibility

Customers represent and warrant that:

a. they will use MudraID only for lawful and authorized purposes;
b. they have all rights, licenses, permissions, notices, consents, lawful bases, contracts, and authority required to use the Services;
c. their Bots, websites, APIs, domains, applications, systems, integrations, data, and workflows comply with applicable law and third-party terms;
d. their use of MudraID will not violate the rights of MudraID, Customers, users, Bot developers, website owners, API providers, platforms, or third parties;
e. they will not use MudraID to enable, support, conceal, authenticate, verify, legitimize, or facilitate unlawful, abusive, harmful, deceptive, fraudulent, or unauthorized activity.

Customers are responsible for obtaining independent legal, compliance, security, privacy, and regulatory advice where appropriate.

24.3 Export Controls

Customers must comply with all applicable export-control, re-export, transfer, trade-control, and technology-control laws and regulations.

Customers must not access, use, export, re-export, transfer, provide, disclose, or make available MudraID, its software, APIs, SDKs, Gateway components, Documentation, technical data, cryptographic functionality, security features, or related technology in violation of applicable export-control laws.

Customers represent and warrant that they are not prohibited from receiving or using the Services under applicable export-control laws.

MudraID may restrict, suspend, or terminate access where MudraID reasonably believes that continued access may violate export-control laws or create export-control risk.

24.4 Sanctions Compliance

Customers must comply with all applicable sanctions, embargoes, restricted-party rules, denied-party rules, and trade-restriction laws.

Customers represent and warrant that:

a. they are not located in, organized under the laws of, ordinarily resident in, or operating from a country or territory subject to sanctions or trade restrictions that prohibit their use of MudraID;
b. they are not listed on any applicable sanctions, denied-party, restricted-party, blocked-person, or prohibited-person list;
c. they are not owned or controlled by a sanctioned, denied, restricted, blocked, or prohibited person or entity;
d. they will not make the Services available to any sanctioned, denied, restricted, blocked, or prohibited person or entity;
e. they will not use MudraID for the benefit of any sanctioned, denied, restricted, blocked, or prohibited person, entity, country, territory, or activity.

MudraID may screen Customers, accounts, payments, usage, jurisdictions, organizations, Bots, domains, and related information for sanctions or trade-compliance purposes.

MudraID may refuse, suspend, restrict, or terminate access without liability where MudraID reasonably believes that sanctions or trade-compliance risk exists.

24.5 Restricted Jurisdictions

MudraID may restrict access to the Services from certain countries, territories, regions, networks, IP ranges, organizations, entities, or users where MudraID reasonably believes access may create legal, sanctions, export-control, security, fraud, abuse, operational, reputational, or service-integrity risk.

Customers must not use VPNs, proxies, routing services, shell companies, false information, third-party accounts, or other methods to bypass geographic, sanctions, export-control, or access restrictions.

MudraID may suspend or terminate access if MudraID reasonably believes that a Customer is attempting to bypass restricted-jurisdiction controls.

24.6 Anti-Bribery and Anti-Corruption

Customers must comply with all applicable anti-bribery, anti-corruption, anti-kickback, public-procurement, and conflicts-of-interest laws.

Customers must not use MudraID in connection with bribes, kickbacks, improper payments, unlawful gifts, facilitation payments, corrupt procurement practices, or other improper benefits.

Customers must not offer, promise, authorize, request, or accept anything of value in connection with MudraID in a way that violates applicable law.

MudraID may suspend or terminate access where MudraID reasonably believes that anti-bribery or anti-corruption risk exists.

24.7 Anti-Money Laundering and Fraud Prevention

Customers must not use MudraID to facilitate money laundering, terrorist financing, fraud, sanctions evasion, identity fraud, payment fraud, account fraud, procurement fraud, cybercrime, or other unlawful financial activity.

MudraID may monitor, investigate, restrict, suspend, or terminate activity that MudraID reasonably believes may involve fraud, financial crime, identity abuse, suspicious activity, or unlawful conduct.

MudraID may cooperate with payment processors, banks, regulators, law enforcement, and other authorities where required or permitted by law.

24.8 Cybersecurity and Computer Misuse Laws

Customers must comply with all applicable cybersecurity, computer misuse, unauthorized access, hacking, network abuse, malware, botnet, vulnerability disclosure, and electronic communications laws.

Customers must not use MudraID to:

a. gain unauthorized access to websites, APIs, systems, accounts, networks, data, or devices;
b. bypass authentication, authorization, rate limits, security controls, consent mechanisms, or access restrictions;
c. distribute or support malware, ransomware, spyware, credential theft, phishing, or exploit activity;
d. conduct unauthorized vulnerability scanning, penetration testing, load testing, scraping, crawling, or automated access;
e. conceal or legitimize malicious, unauthorized, or abusive Bot activity;
f. interfere with the security, availability, integrity, or operation of MudraID, Customers, or third-party systems.

MudraID may take immediate protective action where cybersecurity or computer misuse risk is suspected.

24.9 AI, Automation, and Bot Laws

Customers are responsible for complying with all laws, regulations, platform rules, and contractual obligations applicable to AI systems, automated agents, Bots, automated decision-making, automated data collection, synthetic content, user disclosure, transparency, human oversight, and agentic workflows.

Customers must not use MudraID to mislead users, websites, APIs, platforms, regulators, or third parties about the identity, nature, automation status, authority, purpose, trust status, or certification status of a Bot or AI Agent.

Where applicable law requires disclosure that a system is automated or AI-enabled, the Customer is responsible for providing that disclosure.

Where applicable law requires human review, risk assessment, logging, audit, testing, transparency, consent, opt-out, or impact assessment for AI or automated systems, the Customer is responsible for implementing those requirements.

MudraID does not guarantee that registration, token issuance, token verification, Trust Scores, or Gateway enforcement will satisfy any AI-law or automation-law requirement.

MudraID is not the provider, deployer, operator, controller, owner, or decision-maker for Customer Bots, AI Agents, automated systems, datasets, outputs, or workflows merely because MudraID provides identity registration, token issuance, token verification, Gateway support, Public Key Directory access, Trust Scores, or related infrastructure. Customers remain responsible for determining and satisfying any AI-law role, classification, risk-management, transparency, human-oversight, recordkeeping, testing, monitoring, registration, or conformity-assessment obligation applicable to their own AI systems and use cases.

24.10 Data Protection and Privacy Compliance

Customers are responsible for complying with all applicable privacy, data-protection, electronic communications, cookie, tracking, data-transfer, data-localization, confidentiality, and security laws.

Customers must not use MudraID to collect, process, transmit, expose, store, log, or disclose personal data unless they have the required rights, notices, consents, lawful bases, contracts, and safeguards.

Customers are responsible for their own privacy notices, user notices, consent flows, data-processing agreements, data-transfer mechanisms, deletion processes, data subject request processes, and security controls.

MudraID’s Privacy Policy and DPA, where applicable, govern MudraID’s handling of personal data, but do not relieve Customers of their own compliance obligations.

24.11 Regulated Data and Regulated Industries

Customers must not use MudraID with regulated data, sensitive data, or regulated-industry workflows unless they have confirmed that such use is lawful, authorized, secure, and permitted under their agreement with MudraID.

Regulated or sensitive use may include, without limitation:

a. health data;
b. payment card data;
c. financial account data;
d. biometric data;
e. children’s data;
f. government identification data;
g. criminal records data;
h. precise geolocation data;
i. employment, education, housing, credit, insurance, immigration, or benefits eligibility data;
j. export-controlled data;
k. government-restricted data;
l. data subject to sector-specific secrecy, confidentiality, or security duties.

MudraID may refuse, restrict, suspend, or require additional terms for regulated-data or regulated-industry use.

24.12 High-Risk Use Restrictions

Customers must not use MudraID as the sole or primary control in high-risk, safety-critical, life-critical, legally significant, regulated, or mission-critical systems unless MudraID expressly approves such use in writing.

High-risk systems include, without limitation:

a. critical infrastructure;
b. emergency services;
c. medical diagnosis or treatment;
d. life-support systems;
e. aviation, transport, or industrial control systems;
f. nuclear, chemical, or hazardous operations;
g. law-enforcement decisions;
h. immigration, asylum, or border-control decisions;
i. financial credit, lending, insurance, or eligibility decisions;
j. employment, education, housing, or benefits eligibility decisions;
k. legally significant automated decision-making;
l. systems where failure may lead to death, personal injury, severe property damage, unlawful discrimination, or substantial legal harm.

Customers using MudraID in approved high-risk contexts remain responsible for independent safeguards, human oversight, testing, redundancy, audit, legal review, compliance review, and risk controls.

24.13 Government and Public Sector Use

Government, public sector, defense, intelligence, law-enforcement, public procurement, public infrastructure, or state-affiliated use may be subject to additional legal, security, procurement, export-control, sanctions, data-handling, or contractual requirements.

Customers must not use MudraID for such purposes unless they have all required authority and have disclosed relevant requirements to MudraID where necessary.

MudraID may require additional terms, security review, compliance review, or written approval before supporting government or public-sector use.

24.14 Compliance Information and Cooperation

MudraID may request information reasonably necessary to assess legal, sanctions, export-control, security, privacy, abuse, or compliance risk.

Requested information may include:

a. identity information;
b. organization information;
c. ownership information;
d. jurisdiction information;
e. beneficial ownership information;
f. billing information;
g. use-case information;
h. Bot metadata;
i. website or domain information;
j. API or integration information;
k. data categories;
l. security controls;
m. compliance documentation;
n. proof of authorization;
o. remediation evidence.

Customers must provide accurate, complete, current, and non-misleading information.

Failure to provide requested information may result in refusal, suspension, restriction, or termination of access.

24.15 Legal Requests and Government Requests

MudraID may respond to subpoenas, court orders, warrants, regulatory requests, law-enforcement requests, government requests, legal process, or other legal obligations as required or permitted by law.

MudraID may disclose Customer information, logs, records, account data, token records, verification records, Gateway records, Public Key Directory records, trust data, or other information where MudraID reasonably believes disclosure is required or permitted by law or necessary to protect MudraID, Customers, third parties, or the Services.

Where legally permitted and commercially reasonable, MudraID may notify the Customer of legal requests affecting the Customer. MudraID is not required to provide notice where prohibited by law, court order, security risk, emergency circumstances, confidentiality obligation, or investigation requirements.

24.16 Compliance Suspension and Termination

MudraID may refuse, suspend, restrict, block, revoke, or terminate access to the Services where MudraID reasonably believes:

a. the Customer has violated applicable law;
b. the Customer has violated sanctions or export-control rules;
c. the Customer’s use creates legal, regulatory, privacy, cybersecurity, AI, sanctions, export-control, or compliance risk;
d. the Customer failed to provide requested compliance information;
e. the Customer provided inaccurate or misleading compliance information;
f. continued service may expose MudraID to liability, enforcement action, investigation, reputational harm, or operational risk.

MudraID may act with or without prior notice depending on the nature and urgency of the risk.

24.17 No Compliance Warranty

MudraID does not warrant or guarantee that the Services satisfy any Customer legal, regulatory, security, audit, procurement, insurance, compliance, industry, or contractual requirement.

Customers are responsible for determining whether MudraID is suitable for their compliance obligations.

Documentation, support, security materials, trust information, logs, audit records, or reports provided by MudraID are for operational support only and do not constitute legal, regulatory, audit, compliance, security, or professional advice.

24.18 Customer Indemnity for Compliance Matters

Customers are responsible for claims, losses, damages, penalties, fines, costs, and expenses arising from or relating to:

a. Customer violation of applicable law;
b. Customer violation of sanctions or export-control rules;
c. Customer use in restricted jurisdictions;
d. Customer AI, automation, or Bot compliance failures;
e. Customer privacy or data-protection violations;
f. Customer regulated-data or regulated-industry use;
g. Customer high-risk use;
h. Customer failure to obtain required rights, permissions, notices, consents, contracts, or lawful bases;
i. Customer failure to comply with third-party terms;
j. Customer false or misleading compliance information;
k. Customer use of MudraID in a way that creates legal, regulatory, sanctions, export-control, privacy, cybersecurity, AI, or compliance risk for MudraID.

MudraID may seek indemnification and other remedies as provided in these Terms where Customer compliance matters create liability, harm, or claims against MudraID or third parties.

24.19 Survival

The obligations in this Section survive suspension, expiration, termination, cancellation, non-renewal, and discontinuation of the Services.

25. Confidentiality

25.1 Confidential Information

“Confidential Information” means any non-public information disclosed by one party to the other party, whether directly or indirectly, in writing, orally, electronically, visually, through access to systems, through the Services, or by any other means, that is identified as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure.

Confidential Information may include, without limitation:

a. business information;
b. technical information;
c. product information;
d. pricing information;
e. financial information;
f. customer information;
g. supplier information;
h. security information;
i. product roadmaps;
j. non-public APIs;
k. system architecture;
l. software designs;
m. source code;
n. object code;
o. trade secrets;
p. audit information;
q. incident information;
r. vulnerability information;
s. credentials, keys, tokens, and secrets;
t. data-processing information;
u. legal, compliance, or regulatory information;
v. information disclosed during support, onboarding, security review, beta testing, or commercial discussions.

25.2 MudraID Confidential Information

MudraID Confidential Information includes, without limitation, non-public information relating to:

a. the MudraID platform;
b. MudraID APIs;
c. Mudra Gateway architecture, logic, configuration, rules, and operation;
d. token issuance systems;
e. token verification systems;
f. JWKS infrastructure;
g. Public Key Directory systems;
h. Trust Scores, Trust Levels, reputation systems, risk systems, and scoring methods;
i. abuse-detection systems;
j. fraud-detection systems;
k. security controls;
l. monitoring systems;
m. enforcement logic;
n. internal rules, thresholds, weights, models, signals, or algorithms;
o. incident response processes;
p. vulnerability information;
q. beta services, pilot features, preview features, and experimental features;
r. product roadmap;
s. pricing, discounts, commercial terms, and Order Forms;
t. performance data, benchmarks, and test results;
u. non-public Documentation;
v. support communications;
w. business strategy, partners, customers, vendors, and financial information.

Customers must treat MudraID Confidential Information as confidential even if it is not specifically marked as confidential, where the confidential nature of the information is reasonably apparent.

25.3 Customer Confidential Information

Customer Confidential Information may include Customer Data, non-public Bot metadata, non-public website or API information, non-public configurations, non-public business information, non-public security information, and other information that the Customer discloses to MudraID and identifies as confidential or that reasonably should be understood to be confidential.

Customer Confidential Information does not include Usage Data, Telemetry Data, aggregated data, anonymized data, de-identified data, MudraID security data, MudraID operational data, or information that MudraID independently develops without use of Customer Confidential Information, except where applicable law provides otherwise.

25.4 Protection Obligations

Each party must use reasonable care to protect the other party’s Confidential Information from unauthorized access, use, disclosure, loss, or misuse.

The receiving party must use at least the same degree of care it uses to protect its own confidential information of similar nature, but not less than reasonable care.

The receiving party may use the disclosing party’s Confidential Information only as necessary to perform, receive, provide, support, secure, improve, enforce, or use the Services, or as otherwise permitted by these Terms or a written agreement.

25.5 Permitted Disclosures

The receiving party may disclose Confidential Information to its affiliates, employees, contractors, advisors, auditors, attorneys, accountants, service providers, subprocessors, and agents who need to know the information for purposes permitted under these Terms and who are bound by confidentiality obligations at least as protective as those in this Section.

MudraID may disclose Customer Confidential Information to service providers and subprocessors as necessary to provide, secure, support, operate, improve, and enforce the Services, subject to applicable confidentiality and data-protection obligations.

The receiving party remains responsible for unauthorized use or disclosure of Confidential Information by persons or entities to whom it discloses the information, except to the extent the disclosure is expressly permitted by these Terms or required by law.

25.6 Exclusions

Confidential Information does not include information that the receiving party can show:

a. is or becomes publicly available without breach of these Terms;
b. was lawfully known to the receiving party before disclosure by the disclosing party;
c. was lawfully received from a third party without breach of any confidentiality obligation;
d. was independently developed by the receiving party without use of or reference to the disclosing party’s Confidential Information;
e. is approved for release by the disclosing party in writing.

The burden of proving an exclusion applies rests with the receiving party.

25.7 Legal or Required Disclosure

The receiving party may disclose Confidential Information where required by law, regulation, court order, subpoena, government request, regulatory request, law-enforcement request, legal process, stock exchange rule, or professional obligation.

Where legally permitted and commercially reasonable, the receiving party must provide the disclosing party with prompt notice before making the disclosure so that the disclosing party may seek protective treatment or object to the disclosure.

The receiving party must disclose only the portion of Confidential Information legally required to be disclosed and must use reasonable efforts to obtain confidential treatment where appropriate.

MudraID is not required to provide notice where notice is prohibited by law, court order, security risk, emergency circumstances, confidentiality obligation, investigation requirement, or where notice may compromise the Services, Customers, third parties, or MudraID.

25.8 Security, Abuse, and Enforcement Disclosures

MudraID may use and disclose Customer Confidential Information where MudraID reasonably believes such use or disclosure is necessary or appropriate to:

a. investigate abuse;
b. prevent fraud;
c. detect or respond to security incidents;
d. enforce these Terms;
e. protect MudraID, Customers, users, Bots, websites, APIs, third parties, or the Services;
f. comply with legal obligations;
g. respond to legal, regulatory, or law-enforcement requests;
h. prevent harm, unauthorized access, token misuse, credential compromise, gateway misuse, or service disruption.

MudraID is not required to disclose internal investigation details, security methods, scoring logic, enforcement logic, complainant identities, abuse-detection methods, fraud-detection methods, or other sensitive operational information where disclosure may create legal, security, privacy, abuse, fraud, operational, or service-integrity risk.

25.9 Confidentiality of Security and Incident Information

Information relating to security incidents, suspected vulnerabilities, penetration testing, abuse investigations, enforcement actions, trust score decisions, gateway security events, token compromise, credential compromise, Public Key Directory misuse, or similar matters must be treated as highly confidential.

Customers must not disclose, publish, discuss, post, benchmark, report, or distribute such information publicly or to third parties without MudraID’s prior written consent, unless required by law.

Customers must not use security or incident information to attack, exploit, bypass, reverse engineer, manipulate, or interfere with MudraID systems, Customers, third parties, or the Services.

25.10 Confidentiality of Beta and Roadmap Information

Non-public beta features, preview features, pilot programs, experimental features, roadmap information, product plans, unreleased APIs, unreleased Gateway features, trust-scoring changes, security features, pricing plans, and commercial strategy disclosed by MudraID are MudraID Confidential Information.

Customers must not disclose, publish, benchmark, demonstrate, review, compare, or rely publicly on beta, preview, pilot, experimental, or roadmap information without MudraID’s prior written consent.

MudraID may change, delay, cancel, or discontinue any roadmap item, beta feature, or planned release at any time without liability.

25.11 Confidentiality of Pricing and Commercial Terms

Order Forms, pricing, discounts, credits, commercial terms, negotiated terms, enterprise terms, support terms, professional services terms, and similar commercial information are MudraID Confidential Information unless MudraID expressly agrees otherwise in writing.

Customers must not disclose such information to third parties without MudraID’s prior written consent, except to their legal, tax, accounting, procurement, or financial advisors who need to know the information and are bound by confidentiality obligations.

25.12 Credentials and Secrets

API Credentials, Client Secrets, Private Keys, access tokens, refresh tokens, passwords, certificates, signing materials, webhook secrets, service-account credentials, and similar security credentials are confidential and must be protected with heightened care.

Customers must not disclose, share, publish, expose, or transmit such credentials except through secure methods and only to authorized persons or systems with a legitimate need for access.

Disclosure or exposure of credentials may result in immediate suspension, revocation, token invalidation, key rotation, account restriction, or other protective action by MudraID.

25.13 Publicity and Announcements

Neither party may issue press releases, public announcements, case studies, marketing statements, public customer references, or public partnership claims using the other party’s name, logo, marks, or Confidential Information without the other party’s prior written consent, except where expressly permitted by an Order Form or separate written agreement.

Customers must not publicly claim that MudraID has endorsed, certified, approved, audited, guaranteed, insured, sponsored, or accepted responsibility for the Customer, any Bot, website, API, integration, transaction, or service unless MudraID expressly authorizes that claim in writing.

25.14 Return or Destruction

Upon termination of the Services or written request by the disclosing party, the receiving party must return or destroy Confidential Information in its possession or control, except where retention is permitted or required by these Terms, applicable law, backup systems, security obligations, audit requirements, dispute resolution, enforcement rights, or legitimate business purposes.

MudraID may retain Customer Confidential Information where necessary or appropriate for legal compliance, security, fraud prevention, abuse investigation, billing, tax, accounting, dispute resolution, audit, backup, enforcement, or protection of MudraID, Customers, third parties, and the Services.

25.15 No Obligation to Accept Unsolicited Confidential Information

Customers must not submit unsolicited confidential, proprietary, regulated, sensitive, or trade-secret information to MudraID unless MudraID has expressly agreed in writing to receive it under applicable confidentiality terms.

MudraID is not responsible for unsolicited confidential information submitted outside approved channels or without appropriate marking, context, or agreement.

25.16 Injunctive Relief

Unauthorized use or disclosure of Confidential Information may cause irreparable harm for which monetary damages may be inadequate.

The disclosing party may seek injunctive relief, specific performance, or other equitable remedies for breach or threatened breach of this Section, without the need to prove actual damages or post a bond, to the extent permitted by law.

Such remedies are in addition to any other rights or remedies available under these Terms or applicable law.

25.17 Duration of Confidentiality Obligations

The receiving party’s confidentiality obligations continue for five years after disclosure, except that trade secrets and highly sensitive security information must be protected for as long as they remain trade secrets or confidential under applicable law.

Confidentiality obligations relating to credentials, Private Keys, security methods, scoring methods, abuse-detection methods, vulnerability information, incident information, and non-public technical systems continue for as long as the information remains non-public and sensitive.

25.18 Survival

The confidentiality obligations in this Section survive suspension, expiration, termination, cancellation, non-renewal, and discontinuation of the Services.

26. Audit, Abuse Investigation, and Enforcement

26.1 Audit and Investigation Rights

MudraID may audit, review, monitor, investigate, analyze, restrict, suspend, or take enforcement action in relation to any account, Bot, AI Agent, website, API, domain, application, integration, Gateway, token, key, credential, Public Key Directory record, Trust Score, Trust Level, verification event, usage pattern, or Customer activity where MudraID reasonably believes such action is necessary or appropriate.

MudraID may act for purposes including:

a. security;
b. abuse prevention;
c. fraud prevention;
d. service integrity;
e. legal compliance;
f. sanctions and export-control compliance;
g. payment enforcement;
h. trust scoring;
i. incident response;
j. vulnerability management;
k. platform reliability;
l. support;
m. enforcement of these Terms;
n. protection of MudraID, Customers, users, websites, APIs, Bots, third parties, and the Services.

26.2 Sources of Information

MudraID may rely on information from multiple sources when auditing, investigating, or enforcing these Terms.

Such sources may include, without limitation:

a. account records;
b. Bot registration records;
c. website, API, domain, and integration records;
d. Public Key Directory records;
e. token issuance records;
f. token verification records;
g. Gateway logs;
h. API logs;
i. billing records;
j. Usage Data;
k. Telemetry Data;
l. Trust Scores and Trust Levels;
m. abuse reports;
n. security reports;
o. third-party complaints;
p. Customer submissions;
q. Bot developer submissions;
r. website-owner submissions;
s. automated risk signals;
t. manual review;
u. public information;
v. legal, regulatory, law-enforcement, or government requests;
w. third-party platform, hosting, cloud, API, or network-provider notices;
x. internal security and service-integrity systems.

MudraID is not required to independently verify every source before taking temporary, protective, or emergency action.

26.3 Abuse Reports

MudraID may receive, review, investigate, ignore, reject, escalate, share, or act on abuse reports at its discretion, subject to applicable law.

Abuse reports may relate to:

a. Bot misuse;
b. token misuse;
c. credential compromise;
d. Private Key compromise;
e. Public Key Directory misuse;
f. Gateway misuse;
g. impersonation;
h. false identity information;
i. unauthorized website or domain registration;
j. scraping;
k. spam;
l. fraud;
m. phishing;
n. malware;
o. unauthorized access;
p. excessive traffic;
q. trust-score manipulation;
r. policy violations;
s. legal violations;
t. other harmful, abusive, deceptive, or unauthorized activity.

Submitting an abuse report does not guarantee that MudraID will take any particular action, provide any particular outcome, disclose investigation details, or notify the reporting party of results.

26.4 Customer Obligation to Cooperate

Customers must reasonably cooperate with MudraID in connection with audits, abuse investigations, security reviews, compliance reviews, payment reviews, ownership reviews, domain verification, Bot verification, Gateway reviews, and enforcement actions.

MudraID may request information including:

a. account verification information;
b. organization information;
c. ownership information;
d. beneficial ownership information;
e. Bot metadata;
f. website, API, domain, application, or service metadata;
g. Public Key records;
h. key-rotation evidence;
i. credential-rotation evidence;
j. Gateway configuration details;
k. access policy details;
l. logs;
m. request IDs;
n. timestamps;
o. security evidence;
p. remediation evidence;
q. billing information;
r. proof of authorization;
s. compliance documentation;
t. explanation of use case;
u. other information reasonably necessary to investigate or resolve an issue.

Failure to cooperate may result in suspension, restriction, token revocation, trust downgrade, Gateway restriction, account termination, or other enforcement action.

26.5 Protective and Enforcement Actions

MudraID may take protective or enforcement actions where MudraID reasonably believes such action is necessary or appropriate.

Such actions may include:

a. warning the Customer;
b. requiring additional information;
c. requiring account verification;
d. requiring Bot re-verification;
e. requiring domain re-verification;
f. requiring key rotation;
g. requiring credential rotation;
h. requiring configuration changes;
i. requiring security remediation;
j. limiting API access;
k. throttling requests;
l. blocking requests;
m. suspending token issuance;
n. revoking or invalidating Mudra Tokens;
o. disabling API Credentials;
p. disabling Client Secrets;
q. hiding or removing Public Keys;
r. restricting Public Key Directory access;
s. downgrading, hiding, freezing, or removing Trust Scores or Trust Levels;
t. disabling or restricting Gateway functionality;
u. suspending Bots;
v. suspending websites, APIs, domains, applications, or integrations;
w. suspending or terminating accounts;
x. preserving or restricting data;
y. notifying affected parties where appropriate or required;
z. taking legal action.

MudraID may choose the enforcement action it considers appropriate based on the nature, severity, urgency, recurrence, and risk of the issue.

26.6 Emergency Enforcement

MudraID may take immediate enforcement action without prior notice if MudraID reasonably believes that delay may:

a. increase security risk;
b. enable continued abuse;
c. allow further token misuse;
d. allow further credential compromise;
e. allow further Bot impersonation;
f. allow data exposure;
g. allow harm to Customers, users, websites, APIs, third parties, or MudraID;
h. compromise an investigation;
i. violate law;
j. damage the Services;
k. harm MudraID’s reputation or trust ecosystem.

MudraID is not liable for reasonable emergency enforcement action taken in good faith.

26.7 Review of Logs and Usage Data

MudraID may access, review, analyze, preserve, and use logs, usage records, telemetry, token records, verification records, Gateway records, Public Key Directory records, trust data, billing records, security events, and other operational data for purposes permitted by these Terms.

MudraID may use such data to:

a. investigate abuse;
b. detect fraud;
c. identify compromised credentials;
d. identify suspicious Bots;
e. identify trust-score manipulation;
f. debug issues;
g. support Customers;
h. enforce limits;
i. calculate fees;
j. comply with law;
k. protect security;
l. improve the Services.

MudraID is not required to monitor every event, token, Bot action, website request, Gateway decision, Public Key Directory lookup, or API request.

26.8 Preservation of Evidence

MudraID may preserve data, records, logs, tokens, keys, account information, Gateway records, trust data, abuse reports, support communications, and other information where MudraID reasonably believes preservation is necessary or appropriate for security, abuse investigation, legal compliance, dispute resolution, fraud prevention, audit, billing, or enforcement.

MudraID may restrict deletion, export, or modification of certain records during an investigation or legal hold.

MudraID is not liable for preservation, restriction, or retention of records undertaken in good faith for investigation, legal, security, compliance, or enforcement purposes.

26.9 Disclosure During Investigations

MudraID may disclose information relating to an investigation where MudraID reasonably believes disclosure is necessary or appropriate to:

a. comply with law;
b. respond to legal process;
c. cooperate with law enforcement;
d. respond to regulators;
e. prevent harm;
f. investigate abuse;
g. notify affected Customers or third parties;
h. enforce these Terms;
i. protect MudraID, Customers, users, websites, APIs, Bots, third parties, or the Services.

MudraID may withhold information where disclosure may compromise security, privacy, confidentiality, legal compliance, fraud prevention, abuse prevention, investigation methods, trust scoring, enforcement systems, or service integrity.

26.10 Cooperation with Authorities

MudraID may cooperate with courts, regulators, law-enforcement agencies, government authorities, sanctions authorities, cybersecurity authorities, data-protection authorities, and other authorities where required or permitted by law.

MudraID may provide records, logs, account information, token records, verification records, Gateway records, Public Key Directory records, trust data, abuse reports, Customer Data, or other information where MudraID reasonably believes disclosure is required or permitted by law.

Where legally permitted and commercially reasonable, MudraID may notify the affected Customer of such requests. MudraID is not required to provide notice where prohibited by law, court order, emergency circumstances, confidentiality obligation, security risk, or investigation requirement.

26.11 No Duty to Disclose Internal Methods

MudraID is not required to disclose its internal investigation methods, security systems, trust scoring methods, abuse-detection methods, fraud-detection methods, risk models, thresholds, rules, signals, weights, enforcement logic, monitoring tools, incident response playbooks, or proprietary processes.

MudraID may limit explanations for enforcement actions where disclosure may create security, fraud, abuse, privacy, legal, operational, competitive, or service-integrity risk.

26.12 Appeals and Reconsideration

MudraID may, but is not required to, provide an appeal or reconsideration process for certain enforcement actions.

MudraID may require the Customer to provide information, evidence, remediation steps, ownership proof, security proof, logs, compliance documents, or other materials before considering reinstatement.

Submission of an appeal does not guarantee reversal, restoration, reinstatement, upgrade, explanation, refund, service credit, or any particular outcome.

MudraID may decline to consider repeated, abusive, incomplete, misleading, or unsupported appeals.

26.13 False or Abusive Reports

Customers must not submit false, misleading, defamatory, malicious, retaliatory, automated, spam, abusive, or bad-faith reports to MudraID.

MudraID may suspend, restrict, downgrade, or terminate accounts, Bots, websites, APIs, integrations, tokens, trust data, or Public Key Directory access associated with false or abusive reports.

Customers are responsible for claims, losses, damages, penalties, costs, and expenses arising from false, misleading, defamatory, malicious, or bad-faith reports submitted by or on behalf of the Customer.

26.14 Enforcement Does Not Create a Duty

MudraID’s decision to monitor, investigate, suspend, restrict, downgrade, revoke, or take enforcement action in one situation does not create a duty to take similar action in any other situation.

MudraID’s failure to act in any situation does not waive its rights and does not mean that MudraID approves, endorses, authorizes, certifies, or accepts responsibility for any activity.

MudraID may exercise enforcement discretion based on available information, risk level, operational capacity, legal constraints, and service-integrity considerations.

26.15 Customer Responsibility During Investigations

Customers remain responsible for their Bots, websites, APIs, Gateways, credentials, keys, tokens, integrations, data, users, and systems during any MudraID investigation.

Customers must take appropriate steps to mitigate harm, preserve evidence, rotate credentials, revoke compromised keys, disable affected Bots, update Gateway rules, notify affected parties where required, and comply with applicable law.

MudraID’s investigation or enforcement action does not replace the Customer’s own incident response, legal compliance, security obligations, or business responsibilities.

26.16 Costs of Investigation

MudraID may charge the Customer or seek reimbursement for reasonable costs incurred due to Customer breach, abuse, security incident, credential compromise, false report, non-cooperation, unlawful use, excessive support burden, or misuse of the Services, to the extent permitted by law and applicable agreements.

Such costs may include investigation costs, remediation costs, legal fees, infrastructure costs, support costs, third-party provider costs, and incident response costs.

26.17 Indemnity for Investigation and Enforcement Matters

Customers are responsible for claims, losses, damages, penalties, costs, and expenses arising from or relating to:

a. Customer breach of these Terms;
b. Customer abuse or misuse of the Services;
c. Customer Bots, websites, APIs, Gateways, integrations, tokens, keys, credentials, or data;
d. Customer failure to cooperate;
e. false, misleading, or bad-faith reports;
f. Customer violation of law or third-party rights;
g. enforcement actions taken by MudraID in good faith;
h. legal, regulatory, law-enforcement, or third-party claims relating to Customer activity.

MudraID may seek indemnification and other remedies as provided in these Terms where investigation or enforcement matters create liability, harm, or claims against MudraID or third parties.

26.18 Survival

The rights and obligations in this Section survive suspension, expiration, termination, cancellation, non-renewal, and discontinuation of the Services.

27. Changes to Services

27.1 Right to Modify the Services

MudraID may modify, update, improve, restrict, suspend, replace, deprecate, discontinue, rename, repackage, or remove any part of the Services from time to time.

Changes may apply to, without limitation:

a. APIs;
b. token issuance methods;
c. token format;
d. token claims;
e. token expiration rules;
f. verification methods;
g. JWKS endpoints;
h. signing keys;
i. Public Key Directory behavior;
j. Mudra Gateway behavior;
k. Gateway configuration options;
l. Trust Scores and Trust Levels;
m. trust scoring methods;
n. dashboards;
o. SDKs;
p. libraries;
q. plugins;
r. webhooks;
s. logs and reports;
t. abuse reporting tools;
u. rate limits;
v. Service Plans;
w. pricing;
x. Documentation;
y. support channels;
z. security controls.

MudraID may make changes for reasons including security, reliability, scalability, legal compliance, abuse prevention, fraud prevention, operational efficiency, product improvement, technology changes, third-party dependency changes, infrastructure changes, commercial needs, or service integrity.

27.2 Product Updates

MudraID may release updates, enhancements, fixes, patches, improvements, new features, modified features, or replacement features.

Product updates may change how the Services operate, including token behavior, verification behavior, trust scoring behavior, Gateway behavior, API responses, dashboard displays, logs, integrations, rate limits, or configuration options.

Customers are responsible for reviewing product updates, release notes, Documentation, notices, and technical changes that may affect their use of the Services.

MudraID is not responsible for Customer failure to review, test, adapt, or update Customer systems in response to product changes.

27.3 API Changes

MudraID may modify APIs, endpoints, request formats, response formats, headers, authentication methods, rate limits, error codes, schemas, payloads, parameters, SDK behavior, webhook behavior, or API Documentation.

Where commercially reasonable, MudraID may provide advance notice of material breaking changes to generally available paid APIs.

However, MudraID may make immediate API changes without advance notice where MudraID reasonably believes such changes are necessary for security, abuse prevention, legal compliance, fraud prevention, service integrity, infrastructure protection, or emergency operational reasons.

Customers are responsible for designing integrations that can handle API errors, version changes, deprecations, rate limits, changed responses, unavailable endpoints, and fallback behavior.

27.4 Token and Verification Changes

MudraID may modify token issuance, token format, token claims, signing keys, supported algorithms, token expiration periods, token audience rules, scope rules, verification requirements, JWKS behavior, revocation behavior, and verification API responses.

Customers are responsible for validating token claims according to the current Documentation and updating their systems to remain compatible with supported token and verification methods.

MudraID is not responsible for Customer-side failures caused by outdated token handling, unsupported algorithms, stale JWKS caches, incorrect verification logic, hardcoded assumptions, failure to handle key rotation, or failure to follow current Documentation.

27.5 JWKS and Key Rotation Changes

MudraID may rotate, replace, remove, invalidate, or add signing keys, JWKS entries, key identifiers, certificates, or supported cryptographic materials.

MudraID may perform key rotation on a scheduled, unscheduled, emergency, or security-driven basis.

Customers are responsible for implementing key-refresh logic, cache expiration, error handling, and fallback behavior according to the Documentation.

MudraID is not responsible for Customer-side verification failures, false rejects, false accepts, downtime, or security issues caused by stale key caches, hardcoded keys, unsupported key handling, or failure to support key rotation.

27.6 Gateway Changes

MudraID may modify Mudra Gateway features, routing behavior, token verification behavior, trust-level evaluation, caching behavior, policy rules, logging behavior, configuration options, deployment methods, supported platforms, rate limits, and security controls.

For customer-managed or self-hosted Gateway components, MudraID may require Customers to update, patch, reconfigure, or replace Gateway components.

Customers are responsible for testing Gateway changes before production deployment where applicable and for monitoring the effect of Gateway changes on traffic, availability, security, access policies, false accepts, false rejects, and business operations.

MudraID is not responsible for harm caused by Customer failure to apply required Gateway updates, Customer use of unsupported Gateway versions, or Customer failure to test Gateway changes.

27.7 Trust Scoring Changes

MudraID may modify Trust Scores, Trust Levels, reputation indicators, risk categories, scoring methods, thresholds, signals, weighting, visibility, update frequency, review methods, and enforcement logic.

Trust scoring changes may result in Bots, accounts, websites, APIs, integrations, tokens, keys, or Customers being upgraded, downgraded, hidden, restricted, suspended, or otherwise reclassified.

MudraID is not required to disclose scoring methods, internal signals, thresholds, models, weights, security rules, or abuse-detection logic.

Customers acknowledge that trust scoring is dynamic and may change over time. MudraID is not responsible for Customer or third-party reliance on prior Trust Scores, Trust Levels, or trust-related classifications.

27.8 Public Key Directory Changes

MudraID may modify the Public Key Directory, including data fields, visibility rules, access methods, rate limits, query behavior, metadata, key formats, search functionality, directory APIs, and publication rules.

MudraID may remove, hide, restrict, update, or correct Public Key Directory records where MudraID reasonably believes such action is necessary or appropriate.

Customers are responsible for designing systems that can handle Public Key Directory changes, stale records, unavailable records, missing fields, modified schemas, rate limits, and verification errors.

27.9 Documentation Changes

MudraID may update, modify, replace, remove, or reorganize Documentation at any time.

Documentation changes may reflect new features, changed technical requirements, security improvements, deprecations, updated examples, changed API behavior, Gateway updates, or revised operational guidance.

Customers are responsible for following the current Documentation.

MudraID is not responsible for Customer reliance on outdated Documentation, cached Documentation, third-party copies of Documentation, unofficial examples, or unsupported guidance.

27.10 Deprecation of Features

MudraID may deprecate features, APIs, SDKs, Gateway components, integrations, token formats, verification methods, dashboards, reports, logs, webhooks, or other Service components.

Where commercially reasonable, MudraID may provide notice of material deprecations affecting generally available paid Services.

MudraID may shorten or eliminate deprecation periods where necessary for security, legal compliance, abuse prevention, third-party dependency changes, infrastructure risk, or service integrity.

Customers are responsible for migrating away from deprecated features before they are discontinued.

MudraID is not responsible for service interruption, integration failure, data loss, verification failure, Gateway impact, or business disruption caused by Customer failure to migrate from deprecated features.

27.11 Backward Compatibility

MudraID may attempt to preserve backward compatibility for generally available paid Services where commercially reasonable.

However, MudraID does not guarantee backward compatibility unless expressly stated in an Order Form, SLA, product-specific addendum, or written agreement.

Customers must not rely on undocumented behavior, internal APIs, unofficial endpoints, hidden fields, unsupported claims, internal error codes, implementation details, or assumptions not stated in the Documentation.

MudraID may change undocumented or unsupported behavior at any time without notice.

27.12 Service Plan and Feature Availability Changes

MudraID may modify Service Plans, feature availability, usage limits, rate limits, quotas, support levels, retention periods, pricing, free tiers, trials, and commercial packaging.

For active paid subscriptions, plan changes will apply according to the applicable Order Form, Service Plan, renewal terms, pricing notice, or written agreement.

MudraID may immediately change features, limits, or access where necessary for security, legal compliance, abuse prevention, third-party dependency changes, operational reliability, or service integrity.

27.13 Third-Party Dependency Changes

The Services may depend on third-party providers, including cloud providers, hosting providers, DNS providers, CDN providers, identity providers, payment processors, analytics providers, AI platforms, bot frameworks, APIs, libraries, and open-source software.

Third-party changes may require MudraID to modify, suspend, replace, restrict, or discontinue features.

MudraID is not responsible for Customer losses, downtime, integration failure, cost increases, service disruption, or data loss caused by third-party dependency changes.

27.14 Security-Driven Changes

MudraID may make immediate changes to the Services where MudraID reasonably believes such changes are necessary for security, abuse prevention, fraud prevention, threat mitigation, vulnerability remediation, credential protection, token integrity, Gateway security, trust-system integrity, or protection of Customers, third parties, MudraID, or the Services.

Security-driven changes may occur without prior notice and may affect API behavior, token issuance, verification, Gateway decisions, trust scoring, Public Key Directory access, credentials, keys, rate limits, or account access.

MudraID is not liable for reasonable security-driven changes made in good faith.

27.15 Legal or Regulatory Changes

MudraID may modify, restrict, suspend, or discontinue Services where MudraID reasonably believes such action is necessary or appropriate to comply with law, regulation, court order, government request, sanctions, export-control rules, cybersecurity rules, AI regulations, privacy laws, platform obligations, or contractual obligations.

MudraID is not liable for changes required or reasonably made for legal, regulatory, sanctions, export-control, or compliance reasons.

27.16 Customer Responsibility to Adapt

Customers are responsible for maintaining their integrations, systems, Bots, websites, APIs, Gateways, verification logic, token handling, access policies, and internal processes so they remain compatible with the current Services and Documentation.

Customers must monitor notices, Documentation, release notes, API responses, support communications, dashboard alerts, and technical changes.

Customers are responsible for testing changes, updating code, rotating credentials, updating keys, changing configurations, migrating integrations, and implementing fallback behavior where appropriate.

27.17 No Liability for Service Changes

To the maximum extent permitted by law, MudraID is not liable for claims, losses, damages, penalties, costs, expenses, downtime, business interruption, lost profits, lost revenue, lost traffic, data loss, integration failure, verification failure, token failure, Gateway impact, false accepts, false rejects, or other harm arising from or relating to changes to the Services made in accordance with these Terms.

27.18 Continued Use After Changes

Customer continued use of the Services after a change becomes effective constitutes acceptance of the changed Services, updated Documentation, revised technical behavior, and applicable updated terms.

If the Customer does not agree with a change, the Customer must stop using the affected Services before the change applies, subject to any payment obligations, committed terms, and termination provisions in the applicable Order Form or these Terms.

27.19 Survival

The rights and obligations in this Section survive suspension, expiration, termination, cancellation, non-renewal, and discontinuation of the Services to the extent necessary to interpret or enforce changes made during the Customer’s use of the Services.

28. Governing Law and Dispute Resolution

28.1 Governing Law

These Terms, any Order Form, any Service Plan, any product-specific addendum, and any dispute, claim, or controversy arising out of or relating to the Services will be governed by and interpreted according to the laws of the State of Wyoming, United States, without regard to conflict-of-law rules that would require the application of another jurisdiction’s laws.

The United Nations Convention on Contracts for the International Sale of Goods does not apply to these Terms or the Services.

Customers are responsible for complying with all laws that apply to them in their own jurisdictions, even if these Terms are governed by the laws of another jurisdiction.

28.2 Good-Faith Resolution

Before either party begins formal legal proceedings, the parties will first attempt to resolve the dispute in good faith.

A party raising a dispute must provide written notice describing the nature of the dispute, the relevant facts, the requested remedy, and any supporting information reasonably available.

The parties will attempt to resolve the dispute through good-faith discussions between authorized representatives.

This informal process does not prevent MudraID from taking immediate action where MudraID reasonably believes action is necessary to protect security, prevent abuse, preserve evidence, comply with law, prevent unauthorized access, protect the Services, or avoid harm to MudraID, Customers, users, Bots, websites, APIs, or third parties.

28.3 Venue and Jurisdiction

Subject to any arbitration provision below, the parties agree that any legal proceeding arising out of or relating to these Terms or the Services must be brought exclusively in the courts located in the state and federal courts located in Wyoming, United States.

Each party consents to the personal jurisdiction and venue of those courts and waives any objection based on inconvenient forum, lack of personal jurisdiction, or improper venue, to the maximum extent permitted by law.

MudraID may bring proceedings in any jurisdiction to seek injunctive relief, protect its intellectual property, enforce confidentiality obligations, collect unpaid amounts, prevent misuse of the Services, respond to security threats, or protect MudraID, Customers, users, Bots, websites, APIs, third parties, or the Services.

28.4 Arbitration Only If Expressly Agreed

If an applicable Order Form, product-specific addendum, or separate written agreement states that disputes will be resolved by arbitration, then disputes will be resolved by binding arbitration according to the arbitration rules, seat, language, number of arbitrators, and procedure stated in that agreement.

If arbitration applies and the applicable agreement does not specify detailed arbitration rules, the parties will agree in good faith on appropriate arbitration rules and procedure. If the parties cannot agree, the arbitration rules and procedure will be determined by the arbitral institution or court with authority over the dispute.

Unless expressly stated otherwise in writing, arbitration will be conducted on an individual basis only and not as a class, collective, consolidated, or representative proceeding.

Nothing in this Section prevents MudraID from seeking injunctive or equitable relief in court where necessary to protect intellectual property, Confidential Information, security, service integrity, credentials, tokens, keys, trust systems, Gateway systems, Public Key Directory systems, or the Services.

28.5 Injunctive and Equitable Relief

Customers acknowledge that breach or threatened breach of certain obligations may cause irreparable harm to MudraID for which monetary damages may be inadequate.

MudraID may seek injunctive relief, specific performance, temporary restraining orders, preliminary injunctions, permanent injunctions, or other equitable relief without needing to prove actual damages or post a bond, to the maximum extent permitted by law.

This right applies to matters including, without limitation:

a. misuse of MudraID intellectual property;
b. misuse of MudraID Marks;
c. breach of confidentiality;
d. unauthorized access to the Services;
e. reverse engineering;
f. trust-score manipulation;
g. token misuse;
h. credential misuse;
i. Public Key Directory abuse;
j. Gateway misuse;
k. security threats;
l. abuse of Bots, websites, APIs, or integrations;
m. unlawful or harmful use of the Services.

MudraID’s right to seek equitable relief is in addition to any other rights or remedies available under these Terms or applicable law.

28.6 Class Action Waiver

To the maximum extent permitted by law, disputes must be brought only on an individual basis.

Customers may not bring claims against MudraID as a plaintiff or class member in any class action, collective action, consolidated action, mass action, private attorney general action, or representative proceeding.

The court or arbitrator may not consolidate more than one Customer’s claims or otherwise preside over any class, collective, consolidated, mass, private attorney general, or representative proceeding unless MudraID expressly agrees in writing.

If this class action waiver is found unenforceable for a particular claim, that claim must proceed only in a court of competent jurisdiction and not in arbitration, unless applicable law provides otherwise.

28.7 Jury Trial Waiver

To the maximum extent permitted by law, each party waives any right to a trial by jury in any dispute, claim, or proceeding arising out of or relating to these Terms, the Services, any Order Form, any Service Plan, any API Documentation, any Data Processing Addendum, any Service Level Agreement, any Acceptable Use Policy, any product-specific addendum, or any related agreement.

28.8 Limitation Period for Claims

Any claim not brought within that period is permanently barred.

This limitation does not apply where applicable law does not allow the limitation period to be shortened.

28.9 No Public Disparagement During Dispute

During any dispute, investigation, suspension, enforcement process, or legal proceeding, Customers must not make false, misleading, defamatory, deceptive, or bad-faith public statements about MudraID, the Services, Trust Scores, enforcement actions, security incidents, or dispute matters.

Nothing in this Section prevents a Customer from making truthful statements required by law, cooperating with regulators, reporting unlawful conduct to authorities, or exercising rights that cannot legally be waived.

28.10 Confidentiality of Disputes

Unless prohibited by law, the parties must keep confidential the existence, content, evidence, settlement discussions, and outcome of disputes, arbitration proceedings, enforcement discussions, and settlement negotiations.

This does not prevent disclosure to legal counsel, auditors, insurers, accountants, investors, regulators, courts, arbitrators, or other persons with a legitimate need to know, provided they are bound by confidentiality obligations or legal duties where appropriate.

MudraID may disclose dispute-related information where reasonably necessary to enforce these Terms, comply with law, protect security, respond to regulators, prevent abuse, protect the Services, or protect MudraID, Customers, users, Bots, websites, APIs, or third parties.

28.11 Costs and Attorneys’ Fees

Unless applicable law provides otherwise, the prevailing party in any action or proceeding to enforce these Terms may recover reasonable attorneys’ fees, expert fees, court costs, arbitration costs, collection costs, and other reasonable expenses.

MudraID may recover collection costs, legal fees, and related expenses incurred to collect overdue amounts, enforce payment obligations, respond to chargebacks, or address Customer breach, misuse, abuse, or unlawful activity, to the extent permitted by law.

28.12 Cumulative Remedies

The rights and remedies provided in these Terms are cumulative and not exclusive.

MudraID may exercise any rights or remedies available under these Terms, an Order Form, applicable law, equity, contract, statute, or other legal theory.

MudraID’s failure to enforce any right or remedy does not waive that right or remedy.

28.13 Survival

The governing law, venue, dispute resolution, limitation period, class action waiver, jury trial waiver, confidentiality, equitable relief, costs, and related provisions in this Section survive suspension, expiration, termination, cancellation, non-renewal, and discontinuation of the Services.

29. General Legal Terms

29.1 Entire Agreement

These Terms, together with any applicable Order Form, Service Plan, API Documentation, Privacy Policy, Data Processing Addendum, Service Level Agreement, Acceptable Use Policy, product-specific addendum, and any other document expressly incorporated by reference, constitute the entire agreement between the Customer and MudraID regarding the Services.

These Terms replace and supersede all prior or contemporaneous discussions, proposals, negotiations, representations, understandings, purchase orders, emails, presentations, marketing materials, or agreements relating to the Services, whether written or oral, unless expressly incorporated into a signed written agreement.

No statement, representation, promise, or commitment not expressly included in these Terms or an applicable written agreement is binding on MudraID.

29.2 Order of Precedence

If there is a conflict between documents, the following order of precedence applies unless expressly stated otherwise in a signed written agreement:

the applicable Order Form;

the applicable product-specific addendum;

the Data Processing Addendum, but only for personal data processing matters;

the Service Level Agreement, but only for service availability and service credit matters;

these Terms;

the Acceptable Use Policy;

the applicable Service Plan;

the API Documentation;

29.3 Assignment

Customers may not assign, transfer, delegate, sublicense, or otherwise dispose of any rights or obligations under these Terms, an Order Form, Service Plan, or related agreement without MudraID’s prior written consent.

Any attempted assignment without required consent is void.

MudraID may assign, transfer, delegate, subcontract, or otherwise dispose of its rights or obligations under these Terms, in whole or in part, to an affiliate, successor, acquirer, purchaser of assets, merger partner, investor-related restructuring, or other third party in connection with a merger, acquisition, reorganization, financing, sale of assets, change of control, corporate restructuring, or business transfer.

These Terms bind and benefit the parties and their permitted successors and assigns.

29.4 Subcontracting

MudraID may use affiliates, contractors, service providers, subprocessors, hosting providers, cloud providers, infrastructure providers, support providers, payment processors, security vendors, and other third parties to provide, secure, operate, support, improve, and enforce the Services.

MudraID remains responsible for its obligations under these Terms to the extent required by applicable law and the applicable written agreement.

Use of subcontractors does not create any direct contractual relationship between the Customer and MudraID’s subcontractors.

29.5 Force Majeure

MudraID will not be liable for delay, failure, interruption, degradation, suspension, or non-performance caused by events beyond MudraID’s reasonable control.

Force majeure events may include, without limitation:

a. natural disasters;
b. fire, flood, earthquake, storm, epidemic, pandemic, or public health emergency;
c. war, terrorism, civil unrest, sanctions, embargoes, military action, or government action;
d. labor disputes, strikes, or shortages;
e. power failures;
f. internet failures;
g. telecommunications failures;
h. cloud provider outages;
i. hosting provider outages;
j. DNS provider failures;
k. CDN failures;
l. certificate authority failures;
m. payment processor failures;
n. cyberattacks;
o. denial-of-service attacks;
p. malware, ransomware, or widespread security incidents;
q. supply-chain failures;
r. changes in law, regulation, court order, or government requirement;
s. third-party service failures;
t. other events outside MudraID’s reasonable control.

MudraID may take reasonable steps to mitigate the effect of force majeure events, but is not responsible for losses, downtime, service interruption, data loss, verification failure, token failure, Gateway impact, or business interruption caused by such events.

29.6 No Waiver

MudraID’s failure or delay in exercising any right, power, remedy, or enforcement action under these Terms does not waive that right, power, remedy, or enforcement action.

Any waiver must be in writing and signed by MudraID to be effective.

A waiver of one breach or event does not waive any other breach or future breach.

MudraID’s decision not to enforce a provision in one case does not prevent MudraID from enforcing that provision or any other provision later.

29.7 Severability

If any provision of these Terms is held invalid, illegal, or unenforceable, the remaining provisions will remain in full force and effect.

The invalid, illegal, or unenforceable provision will be interpreted, modified, or replaced to the maximum extent permitted by law to achieve the original intent and economic effect of the provision.

If modification is not possible, the provision will be severed, and the rest of the Terms will continue to apply.

29.8 Relationship of the Parties

The parties are independent contractors.

These Terms do not create any partnership, joint venture, agency, fiduciary relationship, employment relationship, franchise relationship, reseller relationship, or exclusive relationship between the Customer and MudraID.

Neither party has authority to bind the other party or make commitments on behalf of the other party unless expressly authorized in writing.

Customers must not represent that they are an agent, partner, reseller, certified partner, endorsed party, or representative of MudraID unless MudraID has expressly authorized that relationship in writing.

29.9 No Third-Party Beneficiaries

Except where expressly stated otherwise in these Terms, these Terms do not create rights for any third party.

No Customer user, End User, Bot Developer, Website Owner, API provider, platform provider, third-party service provider, or other third party may enforce these Terms against MudraID unless expressly permitted by applicable law or a written agreement signed by MudraID.

MudraID affiliates, officers, directors, employees, contractors, agents, licensors, service providers, successors, and assigns may benefit from provisions intended to protect them, including disclaimers, limitations of liability, indemnities, confidentiality protections, and enforcement rights.

29.10 Notices

MudraID may provide notices to Customers by email, dashboard notice, account notice, support portal notice, website posting, Documentation update, invoice notice, or other reasonable method.

Notices from MudraID are effective when sent, posted, or made available, unless the notice states a later effective date.

Customers are responsible for keeping account, administrator, legal, billing, security, and technical contact information accurate and current.

Customers must send legal notices to MudraID at the address or email designated by MudraID for legal notices.

Customer notices are effective only when received by MudraID at the correct notice address or notice email and must clearly identify the Customer, account, relevant Service, issue, and requested action.

29.11 Electronic Communications

Customers agree that MudraID may communicate electronically regarding the Services, including notices, invoices, security alerts, support communications, product updates, legal notices, policy updates, service changes, and account communications.

Electronic communications satisfy any legal requirement that communications be in writing, to the maximum extent permitted by law.

Customers are responsible for monitoring their email, account dashboard, support portal, and other communication channels used with MudraID.

29.12 Amendments

MudraID may update these Terms as described in Section 1.5.

Any Customer-specific amendment to these Terms must be in writing and signed by an authorized representative of MudraID.

No employee, contractor, support representative, salesperson, reseller, partner, or agent of MudraID is authorized to modify these Terms unless the modification is in a written agreement signed by an authorized representative of MudraID.

29.13 Interpretation

Headings are for convenience only and do not affect interpretation.

Words such as “including,” “includes,” and “include” mean “including without limitation.”

References to “Services” include any part of the Services.

References to “Customer” include the organization using the Services and, where applicable, its administrators, employees, contractors, developers, Bots, AI Agents, End Users, systems, and integrations.

References to “law” include statutes, regulations, rules, orders, directives, guidance with legal effect, court orders, sanctions rules, export-control rules, and other legally binding requirements.

The singular includes the plural, and the plural includes the singular.

29.14 Language

These Terms may be translated for convenience.

If there is any conflict between an English version and a translated version, the English version controls unless applicable law requires otherwise.

Customers are responsible for ensuring that they understand the version of the Terms that applies to them.

29.15 Publicity Restrictions

Customers must not issue press releases, public announcements, case studies, marketing materials, customer references, partnership claims, certification claims, or public statements about MudraID without MudraID’s prior written consent, except where expressly permitted in an Order Form or separate written agreement.

Customers must not claim or imply that MudraID endorses, certifies, approves, audits, guarantees, sponsors, insures, or accepts responsibility for the Customer, any Bot, website, API, integration, service, transaction, message, or organization unless MudraID expressly authorizes that claim in writing.

MudraID may require Customers to remove, correct, or stop using public statements that MudraID reasonably believes are inaccurate, misleading, harmful, unlawful, or inconsistent with these Terms.

29.16 Purchase Orders

Customer purchase orders are for administrative convenience only.

No purchase order, procurement document, vendor form, supplier portal term, invoice note, or similar document modifies these Terms or adds binding terms unless expressly signed by MudraID as a formal amendment.

MudraID’s acceptance of a purchase order, issuance of an invoice, provision of Services, or receipt of payment does not constitute acceptance of any Customer terms included in or attached to a purchase order.

29.17 Independent Remedies

MudraID’s rights and remedies under these Terms are cumulative and not exclusive.

MudraID may exercise any available contractual, legal, equitable, statutory, technical, operational, or security remedy.

MudraID may pursue payment, suspension, termination, injunctive relief, damages, indemnification, investigation, enforcement, or other remedies separately or together.

29.18 Records

MudraID may maintain records relating to accounts, billing, usage, token issuance, verification, Gateway activity, Public Key Directory access, trust data, support, abuse reports, security incidents, enforcement actions, and other operational matters.

MudraID’s records may be used for billing, support, security, audit, abuse investigation, dispute resolution, enforcement, legal compliance, and service improvement.

MudraID’s records are controlling for billing and usage purposes unless the Customer provides clear evidence of material error within the applicable dispute period.

29.19 No Reliance on Marketing Materials

Customers acknowledge that marketing materials, website content, sales presentations, product demos, pitch decks, public statements, roadmap discussions, examples, and promotional materials are for general informational purposes only.

Such materials do not create warranties, guarantees, contractual commitments, service commitments, security commitments, compliance commitments, feature commitments, performance commitments, or legal obligations unless expressly incorporated into a signed written agreement.

Customers must rely only on these Terms, applicable Order Forms, Service Plans, SLAs, DPAs, and official Documentation when determining their contractual rights.

29.20 Export of Contract Documents

MudraID may provide downloadable, printable, electronic, or web-based versions of these Terms and related documents.

Customers are responsible for retaining copies of contract documents, invoices, notices, and records needed for their own legal, financial, tax, procurement, audit, or compliance purposes.

MudraID is not required to retain or provide historical versions indefinitely unless required by law or expressly agreed in writing.

29.21 Contact Information

MudraID may designate contact information for support, billing, security reports, abuse reports, privacy requests, legal notices, and general inquiries.

Customers must use the correct designated contact channel for each type of request.

Sending a request to the wrong channel may delay response or may not constitute valid notice.

29.22 Survival

Any provision that by its nature should survive suspension, expiration, cancellation, termination, non-renewal, or discontinuation of the Services will survive.

Surviving provisions include, without limitation:

a. payment obligations;
b. Customer responsibility provisions;
c. intellectual property provisions;
d. confidentiality provisions;
e. data retention provisions;
f. disclaimers;
g. limitations of liability;
h. indemnification;
i. audit, investigation, and enforcement rights;
j. compliance obligations;
k. governing law and dispute resolution;
l. general legal terms;
m. provisions necessary to interpret or enforce these Terms.

30. Product-Specific Addenda

30.1 Product-Specific Addenda Generally

MudraID may provide product-specific addenda, policies, schedules, service descriptions, technical terms, security terms, data-processing terms, or supplemental terms that apply to particular Services, features, plans, integrations, deployment models, or customer categories.

Product-specific addenda may apply to, without limitation:

a. MudraID APIs;
b. Mudra Tokens;
c. token verification;
d. Public Key Directory;
e. Mudra Gateway;
f. Trust Scores and Trust Levels;
g. abuse reporting;
h. enterprise services;
i. professional services;
j. beta services;
k. SDKs and developer tools;
l. webhooks;
m. blockchain or ledger features;
n. data processing;
o. service availability;
p. security commitments;
q. acceptable use.

If a product-specific addendum applies to the Customer’s use of a Service, the Customer must comply with that addendum in addition to these Terms.

30.2 API Addendum

MudraID may provide an API Addendum governing access to and use of MudraID APIs.

The API Addendum may address:

a. API authentication;
b. API Credentials;
c. Client IDs and Client Secrets;
d. token request rules;
e. token verification rules;
f. JWKS use;
g. rate limits;
h. quotas;
i. caching;
j. error handling;
k. versioning;
l. deprecation;
m. API monitoring;
n. API misuse;
o. API security requirements;
p. usage-based billing;
q. support scope;
r. service limitations.

Customers using MudraID APIs must comply with the API Addendum, API Documentation, and any applicable Service Plan or Order Form.

30.3 Mudra Gateway Addendum

MudraID may provide a Mudra Gateway Addendum governing use of hosted, managed, customer-managed, self-hosted, proxy, reverse-proxy, middleware, edge, plugin, or other Gateway deployments.

The Mudra Gateway Addendum may address:

a. deployment models;
b. Customer and MudraID responsibilities;
c. traffic routing;
d. DNS and TLS requirements;
e. origin protection;
f. Gateway configuration;
g. token verification behavior;
h. trust-level enforcement;
i. allow, block, throttle, challenge, and redirect rules;
j. fallback behavior;
k. fail-open and fail-closed settings;
l. caching;
m. logging;
n. data processing;
o. security updates;
p. supported environments;
q. customer-managed infrastructure;
r. service availability;
s. support limitations;
t. emergency actions.

Customers using the Mudra Gateway must comply with the Mudra Gateway Addendum, Gateway Documentation, and any applicable Order Form or Service Plan.

30.4 Trust Score Addendum

MudraID may provide a Trust Score Addendum governing Trust Scores, Trust Levels, reputation indicators, risk signals, abuse indicators, verification status, registration status, and related trust information.

The Trust Score Addendum may address:

a. trust score meaning;
b. trust level categories;
c. risk indicators;
d. scoring inputs;
e. automated review;
f. manual review;
g. abuse reports;
h. scoring changes;
i. downgrades;
j. suspensions;
k. appeals;
l. publication or visibility of trust data;
m. restrictions on trust-data use;
n. no-certification disclaimers;
o. Customer reliance;
p. false positives and false negatives;
q. trust-score manipulation;
r. confidentiality of scoring methods.

Customers using or relying on trust-related information must comply with the Trust Score Addendum.

30.5 Public Key Directory Addendum

MudraID may provide a Public Key Directory Addendum governing access to and use of public-key records, bot identifiers, key metadata, registration status, trust status, and related directory information.

The Public Key Directory Addendum may address:

a. permitted directory use;
b. Public Key registration;
c. key metadata;
d. key rotation;
e. key revocation;
f. directory access methods;
g. rate limits;
h. directory visibility;
i. scraping restrictions;
j. redistribution restrictions;
k. bot-to-bot verification;
l. signed-message verification;
m. directory data accuracy;
n. directory data availability;
o. private-key responsibility;
p. directory abuse;
q. directory data disclaimers.

Customers accessing or using the Public Key Directory must comply with the Public Key Directory Addendum.

30.6 Bot-to-Bot Verification Addendum

MudraID may provide a Bot-to-Bot Verification Addendum governing signed-message verification, bot identity verification, public-key lookup, message signing, message validation, and bot-to-bot communication.

The Bot-to-Bot Verification Addendum may address:

a. message signing requirements;
b. signature verification;
c. timestamp and nonce validation;
d. replay protection;
e. message freshness;
f. audience and recipient validation;
g. bot identity claims;
h. authorization checks;
i. content validation;
j. trust-level checks;
k. public-key lookup;
l. private-key protection;
m. no-content-review disclaimers;
n. no-message-safety guarantees;
o. customer responsibility for bot-to-bot workflows.

Customers using MudraID for bot-to-bot verification must comply with the Bot-to-Bot Verification Addendum.

30.7 Enterprise Addendum

MudraID may provide an Enterprise Addendum for enterprise Customers, regulated Customers, large deployments, custom integrations, negotiated commercial terms, security reviews, procurement requirements, support upgrades, or custom service commitments.

The Enterprise Addendum may address:

a. custom Service Plans;
b. enterprise pricing;
c. committed usage;
d. volume discounts;
e. implementation support;
f. technical account management;
g. security review;
h. procurement requirements;
i. audit documentation;
j. custom support;
k. custom SLAs;
l. data retention;
m. regional hosting;
n. custom legal terms;
o. order of precedence;
p. renewal terms;
q. termination terms.

Enterprise-specific terms apply only if expressly agreed in a signed Order Form or written agreement.

30.8 Beta Services Addendum

MudraID may provide a Beta Services Addendum for alpha, beta, preview, pilot, experimental, early-access, evaluation, private beta, public beta, or limited-release Services.

The Beta Services Addendum may address:

a. testing purpose;
b. non-production use;
c. lack of SLA;
d. lack of support commitment;
e. data-retention limitations;
f. feature instability;
g. product changes;
h. confidentiality;
i. feedback rights;
j. public-claim restrictions;
k. no production-readiness warranty;
l. termination of beta access;
m. beta-specific disclaimers;
n. customer risk acceptance.

Customers using Beta Services must comply with the Beta Services Addendum and use Beta Services at their own risk.

30.9 Data Processing Addendum

MudraID may provide a Data Processing Addendum where MudraID processes personal data on behalf of a Customer as a processor, service provider, or equivalent role under applicable data-protection law.

The Data Processing Addendum may address:

a. processing roles;
b. processing instructions;
c. categories of personal data;
d. categories of data subjects;
e. processing purposes;
f. subprocessors;
g. security measures;
h. international data transfers;
i. data subject requests;
j. assistance obligations;
k. audit rights;
l. deletion and return;
m. incident notification;
n. regulatory obligations.

30.10 Service Level Agreement

MudraID may provide a Service Level Agreement for certain paid Service Plans.

The Service Level Agreement may address:

a. uptime target;
b. covered Services;
c. excluded Services;
d. measurement method;
e. maintenance exclusions;
f. third-party exclusions;
g. Customer-side exclusions;
h. security-event exclusions;
i. service credit process;
j. claim deadlines;
k. service credit limits;
l. sole remedy language.

No SLA applies unless expressly included in the applicable Service Plan, Order Form, or written agreement.

Unless expressly stated otherwise in the applicable SLA, service credits are the Customer’s sole and exclusive remedy for failure to meet an applicable SLA commitment.

30.11 Acceptable Use Policy

MudraID may maintain a separate Acceptable Use Policy governing prohibited uses, abuse rules, security restrictions, bot behavior, website behavior, API behavior, token use, Public Key Directory use, Gateway use, and enforcement rights.

The Acceptable Use Policy may address:

a. unlawful use;
b. harmful use;
c. impersonation;
d. token misuse;
e. credential misuse;
f. scraping abuse;
g. spam;
h. phishing;
i. malware;
j. unauthorized access;
k. trust-score manipulation;
l. Public Key Directory abuse;
m. Gateway misuse;
n. high-risk use;
o. regulated-data misuse;
p. enforcement rights.

Customers must comply with the Acceptable Use Policy at all times.

MudraID may update the Acceptable Use Policy from time to time to address new threats, abuse patterns, legal requirements, product changes, or service-integrity needs.

30.12 Security Policy

MudraID may maintain a Security Policy describing security practices, shared responsibility, vulnerability reporting, incident response, credential protection, key protection, and Customer security obligations.

The Security Policy may address:

a. account security;
b. API Credential security;
c. Client Secret security;
d. Private Key protection;
e. token handling;
f. Gateway security;
g. secure integration practices;
h. vulnerability reporting;
i. responsible disclosure;
j. incident reporting;
k. Customer-side security responsibilities;
l. shared responsibility model.

Customers must comply with any Security Policy applicable to their use of the Services.

30.13 Professional Services Addendum

MudraID may provide a Professional Services Addendum for onboarding, integration support, architecture review, training, migration assistance, custom implementation, technical consulting, or other professional services.

The Professional Services Addendum may address:

a. scope of work;
b. deliverables;
c. timelines;
d. assumptions;
e. Customer responsibilities;
f. fees;
g. expenses;
h. acceptance process;
i. change requests;
j. intellectual property;
k. support limitations;
l. exclusions;
m. no legal or compliance advice;
n. no managed security service unless expressly agreed.

Professional services are provided only if expressly agreed in an Order Form or separate written agreement.

30.14 Regional or Jurisdiction-Specific Addenda

MudraID may provide regional, country-specific, or jurisdiction-specific addenda where required or appropriate.

Such addenda may address:

a. local legal requirements;
b. consumer law where applicable;
c. data-protection requirements;
d. tax requirements;
e. public-sector requirements;
f. regulatory requirements;
g. dispute-resolution requirements;
h. mandatory rights that cannot be waived;
i. local contracting entity information.

Where a regional or jurisdiction-specific addendum applies, it controls only to the extent expressly stated and only for the relevant jurisdictional matter.

30.15 Order of Precedence for Addenda

If there is a conflict between these Terms and a product-specific addendum, the product-specific addendum controls only for the specific product, feature, service, or subject matter it addresses.

If there is a conflict between multiple addenda, the more specific addendum controls over the more general addendum for the relevant subject matter.

If there is a conflict between an Order Form and a product-specific addendum, the Order Form controls only where it expressly states that it modifies the addendum.

Nothing in any addendum limits MudraID’s disclaimers, limitations of liability, suspension rights, enforcement rights, intellectual-property rights, or indemnity rights unless expressly stated in a signed written agreement.

30.16 Updates to Addenda

MudraID may update product-specific addenda from time to time.

Updates may be made to reflect product changes, security requirements, legal requirements, operational needs, abuse patterns, pricing changes, technical changes, service changes, or business needs.

Customer continued use of the relevant Service after an updated addendum becomes effective constitutes acceptance of the updated addendum.

If the Customer does not agree to an updated addendum, the Customer must stop using the affected Service, subject to any payment obligations, committed terms, and termination provisions in the applicable Order Form or these Terms.

30.17 Survival

Any product-specific addendum provisions that by their nature should survive suspension, expiration, termination, cancellation, non-renewal, or discontinuation will survive.

This includes provisions relating to payment, confidentiality, intellectual property, Customer responsibilities, disclaimers, limitation of liability, indemnification, data retention, compliance, audit, investigation, enforcement, governing law, and dispute resolution.