Legal Information

Acceptable Use Policy for gro.now Platform (B2B)

Version v.1.1 as of 28.11.2025

1. General Provisions

1.1.

This Acceptable Use Policy (AUP) for the gro.now Platform (hereinafter – the Policy or AUP) establishes mandatory requirements for the use of the Platform, its modules, services, API, integrations, and other functions provided to Customers and Customer Users.

1.2. Policy Purpose

The purpose of the Policy is to ensure lawful, secure, and fair use of the Platform, prevent violations of third-party rights, abuses, and actions that could cause harm to gro.now, its users, partners, or data providers.

1.3.

The Policy is an integral part of the Customer Agreement between the Customer and the Platform Provider (https://www.gro.now/legal/terms; hereinafter – CA). In case of contradictions between the CA and this Policy, the following principles apply:
  • (i) if the contradiction relates to restrictions or prohibitions on the use of the Platform, this document shall prevail;
  • (ii) on all other matters, the provisions of the CA shall prevail.

1.4. Related Documents.

Other documents governing the use of the Platform are the following documents:

1.5.

In cases where the Customer uses other gro.now documents (including the Data Processing Policy, Data Processing Addendum (DPA), Rules for Conducting Surveys and Activities, Cookie Policy, SLA, Appendices to Rate Plans), the Customer is obligated to comply with the requirements of all specified documents in their entirety.

1.6.

The Policy applies to all Customer Users acting on its behalf or in its interests, including employees, contractors, and agents who have accessed the Platform within the Customer's Account.

1.7.

By using the Platform, the Customer confirms that it has read this Policy, accepts it, and undertakes to ensure its compliance by all persons having access to the Platform through its Account.

2. Terms and Definitions

Unless the context otherwise requires, the following terms shall have the meanings set forth below:
  • 2.1. Platform – the gro.now hardware and software complex, including web interfaces, mobile applications (app), backend services, AI-based analytics modules, data connectors, SDK, and (if any) API, as well as related documentation.
  • 2.2. Provider – “Pwron” LLP, BIN 241040012133, address: Republic of Kazakhstan, Almaty, Bostandyk district, Satpayev St., 90/54, apt. 5, index 050000; e-mail: t@gro.now; website: https://gro.now/.
  • 2.3. Customer – a legal entity or natural person who has concluded a Customer Agreement (CA) with the Provider and received access to the Platform.
  • 2.4. Customer Agreement (CA) — the customer agreement that governs the procedure for providing access to the gro.now Platform and its use under the Software as a Service (SaaS) model.
  • 2.5. Services – the Provider’s services for providing access to the Platform under the SaaS model, ensuring its operability and infrastructure support within the limits of the SLA, as well as configuration work on setting up the Platform's functionality (including Modules), if such work is provided for by the Rate or agreed upon separately.
  • 2.6. SaaS (Software as a Service) — a cloud model for providing software (SW), in which the Provider develops cloud software, ensures its maintenance, automatic updating, and availability, and provides such software to customers over the Internet for a fee proportional to the volume of use. The Provider manages all hardware, standard software, including middleware, software applications, and security.
  • 2.7. Customer User – any person to whom the Customer has granted access to the Platform through its Account (including employees, contractors, agents, and other authorized persons).
  • 2.8. Customer Account (Account) — a set of accounts, settings, and data created by the Customer in the Platform for using the Services.
  • 2.9. Account Administrator – a Customer user empowered to manage access and Customer settings in the Platform (creating/deleting users, assigning roles, selecting a rate plan, etc.).
  • 2.10. Modules – pre-configured software components within the Platform's functionality that allow for automated collection, conducting of Activities, and analysis of information. The Provider ensures their operability and, if necessary, carries out configuration/inclusion in the scope provided for by this Agreement and the Rate.
  • 2.11. Activities (Activity) — a set of marketing, research, and/or engagement activities carried out by the Customer using the Platform's functionality for interacting with respondents and/or collecting and analyzing data. Activities include, in particular, Surveys, tests and quizzes, gaming and gamified scenarios, contests and sweepstakes, referral and partner programs, and other campaigns.
  • 2.12. Survey (Surveys) – an Activity in the form of an online questionnaire and/or interview conducted in an automated manner using the Platform, in which respondents answer the Customer's questions according to a predefined scenario (including NPS, CSI, ENPS, and other satisfaction/engagement metrics).
  • 2.13. Customer Data – any reports, visualizations, metrics, and other output materials generated by the Platform automatically based on Customer Data and/or data from open sources during the use of the Platform's functionality (including analytical metrics for Surveys and other Activities), excluding materials the rights to which belong to the Provider in accordance with the Customer Agreement.
  • 2.14. Results – output data, analytical reports, visualizations, texts, models, and other materials generated by the Platform based on Customer requests.
  • 2.15. Trial Features – any free access to the Platform: a trial version, pilot/proof of concept, beta version, demo environment, or other Services provided without charge, as indicated by the Provider in the interface, order/invitation, or otherwise communicated to the Customer.
  • 2.16. Subscription – a paid right to access the Platform for a selected period (month/year or other) within the selected Rate, with included limits/functionality and valid SLA.
  • 2.17. Rate (Plan) – a package of functionality, limits, and conditions for providing Services, published at https://www.gro.now/ru#pricing, indicating the price, period, and restrictions.
  • 2.18. Additional Agreement / Order – a document signed by the Parties and explicitly providing for special obligations of the Provider to perform tasks outside the scope of the Services (e.g., development/configuration of an additional Module), including the scope, timing, and cost of such services.
  • 2.19. Website – the public pages https://gro.now/ and https://app.gro.now/.
  • 2.20. DPA – the Data Processing Addendum, posted at https://www.gro.now/legal/dpa, regulating the roles of the Parties (Customer – operator/controller, Provider – processor, if applicable), security measures, and interaction procedure.
  • 2.21. SLA – the Service Level Agreement, posted at https://www.gro.now/legal/sla, setting target availability/response metrics and service credits.
  • 2.22. AUP – the Acceptable Use Policy, posted at https://www.gro.now/legal/acceptable-use-policy, defining prohibitions and restrictions on the use of the Platform.
  • 2.23. Third-Party Services (Integrations) – external services and providers not controlled by the Provider (e.g., authentication/SSO providers, scheduling tools, payment organizations), interaction with which may be carried out at the Customer’s choice.

3. Scope of Application

3.1.

The Policy applies to any use of the gro.now Platform, including web interfaces, bots and plugins, mobile and desktop applications, SDK, API, LLM functions, connectors and third-party integrations, as well as to all related environments (production, test, “sandbox”, beta/preview).

3.2.

The Policy is mandatory for all Customer Users acting through the Customer Account, regardless of their status (employees, contractors, agents, and other authorized persons) and access method (personal login, SSO, API tokens/keys, service accounts).

3.3. The Policy applies to:

  • (i) Customer Data uploaded or otherwise transferred to the Platform;
  • (ii) data exchange between the Platform and integrations/sources connected by the Customer;
  • (iii) Results generated by the Platform's tools;
  • (iv) technical traffic and operations performed via API/interfaces.

3.4.

The use of Trial Features is governed by the Policy, taking into account the special restrictions and disclaimers established by the CA and the announcement materials for the respective features. In case of a prohibition on uploading sensitive data to Trial Features, the Customer is obliged to comply with such prohibition.

3.5. Geographical Applicability.

The Provider has the right to restrict access to the Platform, individual functions, or integrations, taking into account the requirements of export control, sanctions, and other applicable legislation, as well as contractual restrictions of technology/content providers. The Customer undertakes to consider such restrictions when granting access to its Users and when choosing processing regions.

3.6. Integrations and External Services.

Where the Platform's functionality depends on third-party services (including, but not limited to, LLM providers, analytics tools, communication platforms), the use of such services is subject to this Policy regarding the Customer's actions on the Platform and is simultaneously governed by the terms of the respective third parties. The Customer is responsible for the legality of data transfer to such services and the correctness of integration settings.

3.7. Exclusions.

If a specialized gro.now document (e.g., Rules for Conducting Surveys and Activities, DPA, Security Policy) explicitly establishes a different regulation for a specific type of activity or data, the provisions of such specialized document shall apply to that subject matter. This document applies to the remaining part.

3.8. Priority over Customer's Internal Regulations.

In case of a conflict between the Customer's internal regulations/policies for using the Platform and this Policy, this Policy and the CA shall apply in relations with the Provider. The Customer has the right to introduce stricter internal requirements for its Users that do not contradict the Policy.

3.9. Extension to Automation.

The Policy equally applies to actions performed manually and through automation (scripts, bots, integration buses, RPA), including scheduled operations and bulk API calls.

3.10. Entry into Force for New and Existing Customers.

The Policy enters into force from the date of its publication on the Website (hereinafter - the Publication Date).
  • 3.10.1. For new Customers, the Policy is mandatory from the moment of first access to the Platform after the Publication Date.
  • 3.10.2. For existing Customers, the Policy is mandatory: a) from the Publication Date, if the CA already provided for the inclusion of the AUP by reference, or b) after 5 calendar days from the date of sending the notification, if the AUP is introduced for the first time and was not previously included in the CA. Continued use of the Platform after the specified deadlines means acceptance of the Policy.

3.11. Retroactivity and Current Processes.

The Policy **is not retroactive** with respect to actions fully completed before the Publication Date/entry into force. However, the Policy **applies to current and future use of the Platform**, to ongoing processes and their consequences (including data storage and processing, integration work, Customer User access). The Provider has the right to establish a reasonable period for bringing use into compliance; where there is a significant risk of violating the law/security, the Provider has the right to temporarily restrict access immediately.

4. Administration and Security

4.1. Customer Responsibility.

The Customer is responsible for the administration of its Account, the creation and deletion of Customer Users, the assignment of roles and rights, the issuance/revocation of keys and tokens, as well as for compliance with this Policy by all persons acting through the Customer Account.

4.2. Accounts and Access.

  • 4.2.1. Personal Access: a separate account for each Customer User; **shared accounts are prohibited**.
  • 4.2.2. Principle of Least Privilege: rights are granted to the extent necessary for the Customer User's tasks.
  • 4.2.3. MFA: multi-factor authentication is **mandatory** for Account Administrators and integration owners; for other roles – according to Customer policy, but recommended.
  • 4.2.4. SSO/IdP: when using SSO, the Customer ensures correct configuration of the identity provider and timely deactivation of access.

4.3. Keys, Tokens, Webhooks.

  • 4.3.1. Issuance/Storage: API keys and tokens are securely generated and stored by the Customer, without transfer to third parties outside the purposes of integration.
  • 4.3.2. Rotation/Revocation: The Customer must immediately revoke compromised keys/tokens and carry out their planned rotation according to its own policy.
  • 4.3.3. Restrictions: it is prohibited to circumvent limits, substitute the source of requests, or use proxies/emulators to mask traffic.
  • 4.3.4. Webhooks: The Customer must verify the authenticity of notifications (signatures/secrets) and protect webhook endpoints.

4.4. Devices and Environment.

  • 4.4.1. Access to the Platform is allowed only from managed or properly secured devices (up-to-date OS/software updates, antivirus, disk encryption if confidential data is present).
  • 4.4.2. Public/shared devices, as well as insecure networks, **must not be used** for administrative operations.

4.5. Customer Data.

  • 4.5.1. Minimization: upload and transfer only the data that is necessary for the purpose of processing.
  • 4.5.2. Classification: The Customer must consider data sensitivity and not place data on the Platform whose uploading is explicitly prohibited by this Policy or gro.now documents.
  • 4.5.3. Masking: for integrations and LLM calls, the Customer must, where possible, mask/pseudonymize personal and confidential data.

4.6. Security Incidents.

  • 4.6.1. Provider Notification: upon suspicion of compromise of an account, keys, or integrations, or of unauthorized access, the Customer must notify the Provider without undue delay through the specified support/security channels.
  • 4.6.2. Primary Measures: immediate change of passwords/MFA, key revocation, session and account blocking, logging of events at the Customer's side.
  • 4.6.3. Cooperation: The Customer provides reasonable information and assistance for the investigation and remediation of the incident.

4.7. Logs and Audit.

  • 4.7.1. The Customer ensures the maintenance and preservation of available logs of Customer User actions and integrations, sufficient for internal control and investigations.
  • 4.7.2. Intentional deletion/distortion of logs is prohibited if it impedes incident investigation.

4.8. Platform Security Settings.

  • 4.8.1. The Customer must use available Platform security features (IP restrictions, roles, password policies, session control, etc.), and also keep them up-to-date.
  • 4.8.2. It is prohibited to disable or circumvent access control mechanisms, rate limits, bot checks, and other Platform protective measures.

4.9. Security Testing and Research.

  • 4.9.1. Scanning, load testing, and pen-testing of the Platform **without the Provider's prior written consent** are **prohibited**.
  • 4.9.2. The Customer undertakes to notify the Provider of discovered vulnerabilities and refrain from exploiting them.

4.10. Compliance with Limits.

The Customer must comply with technical limits/quotas and other fair use parameters. Automation (scripts/bots) must adhere to these restrictions.

4.11. Revoking User Access.

The Customer must promptly revoke access from dismissed/suspended employees and contractors, and also review roles when an employee's functions change.

4.12. Responsibility for Contractors.

If the Customer engages contractors/agents, granting them access to the Platform, the Customer ensures the same security standards for them and is responsible for their actions as for its own.

5. Basic Prohibitions and Unacceptable Actions

5.1. Unlawful Activity and Content.

The Platform must not be used for violations of applicable law, including for:
  • a) distributing materials that violate copyrights and related rights, trademarks, patents, trade secrets;
  • b) infringement of honor, dignity, and privacy;
  • c) discrimination, threats, harassment, incitement to hatred, promotion of violence;
  • d) fraud, misleading, illegal financial transactions, circumvention of sanctions and export control.

5.2. Violation of Security and Service Integrity.

The following are prohibited:
  • a) attempts at hacking, privilege escalation, credential stuffing;
  • b) scanning, load tests, pen-testing without the Provider's written consent;
  • c) interference with the Platform's operation (DDoS, exploitation of vulnerabilities, injections, circumvention of limits/captchas, traffic substitution, emulators/botnets).

5.3. Circumvention of Technical and Commercial Restrictions.

It is prohibited to:
  • a) circumvent limits/quotas, rate restrictions, billing mechanisms, licensing, and access control;
  • b) use multi-accounting/parallelization to circumvent limits;
  • c) substitute the source of requests or mask their origin.

5.4. Unfair Use of API and Integrations.

The following are prohibited:
  • a) automated data collection from sources or integrations if it violates their rules/access (including robots.txt, captchas, technical prohibitions);
  • b) calling third-party APIs through the Platform in violation of their terms;
  • c) transferring more data than necessary (including personal and confidential data) to integrations without a legal basis.

5.5. Reverse Engineering and Unacceptable Competition.

It is prohibited to:
  • a) decompile, disassemble, attempt to obtain the source code, algorithms, or models of the Platform;
  • b) use the Platform solely to create a functionally competing service;
  • c) publish Platform benchmark results without the Provider's prior consent.

5.6. Prohibited Data Categories.

Without the Provider's express written consent, it is prohibited to upload/process:
  • a) primary payment data (full card numbers, CVV, PIN, etc.);
  • b) state, lawyer-client, banking, and other legally protected secrets of third parties without proper right;
  • c) biometric and other special categories of personal data (if the legal basis and processing regime are not agreed upon);
  • d) malicious code, exploits, materials aimed at causing harm.

5.7. Communication Abuse.

The following are prohibited: spamming, mass unsolicited messages, farming/phishing, manipulation of metrics, rating and voting systems, including generating fake reviews or boosting.

5.8. Identity Theft and Unauthorized Access.

It is prohibited to: a) impersonate another person/organization without authorization; b) gain access to third-party Accounts/data without permission; c) use someone else's tokens/keys, share one's own access credentials, or organize a “shared” account.

5.9. Violation of Data Subject Rights and Confidentiality.

It is prohibited to: a) upload/process personal data without a proper legal basis and notification of data subjects (if required by law); b) publish Results containing personal data/secrets of third parties if it violates the law or the terms of the sources.

5.10. Manipulation of Results and Sources.

It is prohibited to: a) represent aggregated/synthesized Results as a primary source when the data owner's terms do not permit it; b) remove/hide mandatory notices, watermarks, metadata, or source attributions; c) consciously distort content to cause harm to third parties.

5.11. Use of Trial Features.

In test, introductory, and beta environments, the uploading of sensitive data (including special categories of PD and secrets) and the exploitation of such environments for production operations are prohibited, unless explicitly agreed upon with the Provider.

5.12. Platform Technical Security Measures.

It is prohibited to disable, modify, or circumvent protection mechanisms (anti-bot, rate-limit, session control, webhook verification, integration policies), or interfere with logs/journals to conceal actions.

5.13. Prohibited Content in Generated Materials.

When using LLM functions, it is prohibited to request/generate materials that clearly violate the law, third-party rights, security, or other prohibitions of this section (including instructions for creating malicious tools, promoting violence, inciting hatred, exploitation of minors).

5.14. Exceptions for Good Faith Security Research.

Security testing of the Platform is allowed only with the Provider's prior written consent and within the framework of the provided testing scenarios/windows. Discovered vulnerabilities must be reported to the Provider immediately, and exploitation must be refrained from.

5.15. Consequences of Violations.

Violations of this section may lead to measures provided for in Section 9 (warning, temporary restrictions, blocking, termination), as well as refusal of support and transfer of information to competent authorities if required by law or necessary to prevent harm.

6. Restrictions on the Use of Data and Results

6.1. Legality and Grounds.

The Customer guarantees that it has legal grounds (contract, consent, law, or otherwise) for uploading, transferring, storing, and processing Customer Data on the Platform, as well as for transferring such data to integrations/third parties at its discretion.

6.2. Minimization and Proportionality.

The Customer uploads and processes only the data and in the volume that is necessary for the stated purpose, and ceases processing/deletes data upon achieving the purpose or expiration of the grounds.

6.3. Restrictions of Source Owners.

If Results are generated based on data/content from third parties (sources), the Customer must comply with the terms of the respective sources, including licenses, attributions, prohibitions on reuse, commercialization, public distribution, and other restrictions.

6.4. External Distribution of Results.

a) Results are primarily intended for the Customer's internal use. b) When distributing Results externally, the Customer independently conducts a legal assessment (source licenses, PD, confidentiality, know-how, export control) and ensures compliance with the requirements of applicable law and contracts. c) It is prohibited to represent Results as a “primary source” if this contradicts the terms of the data owners or is misleading.

6.5. Third-Party Confidentiality and Secrets.

It is prohibited to place information on the Platform that constitutes state, banking, commercial, attorney-client, and other legally protected secrets of third parties without proper right. When working with Customer secrets, the Customer must apply a regime comparable to the confidentiality regime established by it.

6.6. Personal Data and Sensitive Categories.

a) PD collection/processing is permitted if there is a legal basis, with mandatory compliance with notifications, consents, and restrictions on territory/cross-border transfer (if required by law). b) Working with special categories of PD, children's data, medical/biometric data - only if there are special grounds and additional protection measures. c) Masking/pseudonymization, minimization of fields and retention periods are recommended where possible.

6.7. Attribution and Notification Requirements.

The Customer **does not remove or hide** mandatory notices of copyrights, licenses, data sources, trademarks, and other legal notices if they are provided by the sources or Results.

6.8. Restrictions on Service Building.

It is prohibited to use the Platform and Results to form publicly available datasets/models/indexes intended for commercial distribution as a standalone product, unless explicitly agreed upon with the Provider.

6.9. Export Control and Sanctions.

The Customer does not use the Platform and Results in activities that violate export control, sanctions regimes, and other restrictive measures. Upon the Provider's request, the Customer provides confirmation of compliance with the relevant requirements.

6.10. Retention and Deletion.

The Customer manages the retention periods for Customer Data on the Platform (where technically available) and initiates deletion/anonymization upon completion of the processing purpose, unless otherwise required by law or contract with the Provider.

6.11. Customer Liability.

The Customer is responsible for any use of Customer Data and Results carried out by it and Customer Users, as well as for compliance with the contractual restrictions of the sources and this Policy. The Provider is not obliged to check the legality of the external distribution of Results by the Customer.

7. Limits, Quotas, and Fair Use

7.1. Plans and Rates.

The use of the Platform is carried out within the parameters established by the selected Rate (number of users, storage volumes, request limits, functions, integrations, projects, etc.).

7.2. Technical Limits.

The Provider sets technical quotas (including rate limits, maximum payload sizes, job/webhook frequencies, operation parallelism). Specific values may vary by plan and be changed by the Provider according to the rules provided for in the CA.

7.3. Fair Use.

The Customer undertakes not to perform actions that a) create a disproportionate load on the infrastructure; b) interfere with the normal operation of other customers; c) circumvent or artificially stretch limits (including multi-accounting, proxying through third-party services, artificial “parallelization”).

7.4. Automation.

Robots, scripts, integration buses, RPA, and other automation tools must comply with the limits and frequency specified in the documentation. Infinite retries without exponential backoff, “spike” traffic, and polling cycles with intervals below the recommended interval are prohibited.

7.5. Exceeding Limits.

Upon reaching a limit, operations may be automatically suspended/rejected until the next quota window. The Provider has the right to temporarily restrict functions/integrations until the load is reduced or the Customer moves to a higher plan.

7.6. Limit Changes.

The Provider has the right to adjust limits to ensure service stability and security, notifying the Customer within a reasonable time, unless immediate measures require otherwise. For Trial Features, limits may change without prior notice.

7.7. Peak Loads and “Spikes”.

The Provider may apply throttling and queuing. The Customer must design integrations taking into account idempotence, retries, and processing delays.

7.8. Billing for Overage.

If the Rate provides for overage payment, such accrual is made according to the current rates and terms of the Rate. Absence or delay of notifications about reaching limits does not exempt the Customer from paying for actual consumption.

7.9. Local Restrictions.

Special limits established by third-party service providers may apply to individual functions/integrations; the Customer bears the risk of such restrictions and undertakes to follow them.

7.10. Expansion Requests.

Upon the Customer's request, the Provider may offer a temporary quota expansion, a separate limit for a project/integration, or a transition to another plan; such changes take effect only after the Provider's confirmation.

8. Surveys and Activities (Special Rules)

8.1. Applicability.

This section applies to all types of Activities (including Surveys) conducted through the Platform (researcher accounts, data collection and processing, surveys, audiences, scenarios, parsing through provided connectors, etc.).

8.2. Legality of Purpose and Methodology.

The Customer ensures the legality of the Activities' purposes, the correctness of the methodology, compliance with the rights of respondents and source owners, as well as compliance with the requirements of the platforms where data collection takes place.

8.3. Transparency and No Deception.

When interacting with respondents and audiences, deception, hidden manipulation, unlawful inducement/pressure, data collection contrary to platform rules or without mandatory notifications are prohibited.

8.4. Data Collection from Open Sources.

Allowed only within the limits permitted by the respective sources (terms of use, licenses, robots.txt, technical prohibitions, anti-bot mechanisms). Circumvention of captchas, access restrictions, and paid APIs without right is prohibited.

8.5. Personal Data and Vulnerable Groups.

a) PD collection/processing is allowed if there is a legal basis, with compliance with mandatory notifications, consents, and restrictions on territory/cross-border transfer. b) Working with special categories of PD, children's data, medical/biometric data - only if there are special grounds and additional protection measures. c) Masking/pseudonymization, minimization of fields, and retention periods are recommended.

8.6. Restrictions on Content and Activity Artifacts.

a) It is prohibited to create/distribute artifacts (reports, datasets, instructions) that clearly violate the law, third-party rights, or the prohibitions of this Policy. b) External publication of artifacts requires checking source licenses, platform terms, and deletion/anonymization of PD, if there is no basis for disclosure.

8.7. Technical Integrity.

Scripts/bots/connectors must operate within the established limits, intervals, and routes, without creating excessive load on sources and the Platform. The Customer ensures idempotence, error handling, respect for rate limits, and fault tolerance.

8.8. Prohibition of “Shadow” Parsing.

Using one's own or third-party tools for hidden data collection through the Platform bypassing source rules, masking traffic/identity, user emulation without permission – is prohibited.

8.9. Sensitive Environments.

In test/beta Activity environments, the placement of sensitive data and the conduct of active external impacts (mass requests, load scenarios) are prohibited, unless explicitly agreed upon with the Provider.

8.10. Rights of Source Owners.

Upon receipt of claims from data owners/platforms related to a specific Customer Activity, the Provider has the right to immediately restrict the corresponding functions or integrations until the incident is resolved.

8.11. Documentation and Reproducibility.

The Customer maintains a log of key Activity parameters (goals, sources, legal grounds, script/survey versions, dates), sufficient for internal control and responding to requests from regulatory authorities and source owners.

8.12. Liability.

The Customer is responsible for compliance with this section and indemnifies the Provider for losses if third-party claims are caused by the actions of the Customer or its Customer Users during the Activity.

9. Monitoring and Measures for Violations

9.1. Compliance Monitoring.

The Provider has the right, with reasonable frequency and in necessary volumes, to monitor technical metrics of Platform use (request logs, performance telemetry, error indicators, authorization/audit events) to identify violations of this Policy, security incidents, and abuses. **The content of Customer Data is not viewed** without a legal basis (incident, request from a competent authority, Customer consent).

9.2. Incident Verification.

Upon detecting anomalies, the Provider may temporarily restrict individual functions/integrations for verification, request information from the Customer (request IDs, integration configurations, responsible contact person), and set a deadline for response.

9.3. Escalation of Response Measures.

Depending on the nature and severity of the violation, measures are applied in increasing severity: (i) warning and requirement to remedy the violation within a set period; (ii) temporary restriction of functionality/integrations/user roles; (iii) temporary suspension of access for individual Customer Users; (iv) suspension of the Customer Account; (v) termination of access/rescission in the manner provided for in the CA; (vi) notification of source owners/third parties and (or) transfer of information to competent authorities if required by law.

9.4. Urgent Measures.

In the presence of signs of (i) a threat to the security of the Platform or third parties, (ii) probable material violation of law/third-party rights, (iii) circumvention of technical restrictions with risk to service stability, the Provider has the right to apply **immediate blocking** of functions/integrations/Account with subsequent notification to the Customer.

9.5. Remedying Violations.

The Customer must, within a reasonable period set by the Provider: cease the violation, delete/correct problematic data, revert configurations, revoke compromised keys/accesses, set limits, update the access policy for Customer Users, and **confirm the actions taken in writing**.

9.6. Repeated/Gross Violations.

In case of repeated, systematic, or gross violations (including intentional circumvention of restrictions, interference with protective measures, causing harm to third parties), the Provider has the right to move to a stricter measure without adhering to the sequence specified in clause 9.3, including termination of access.

9.7. Suspension due to External Requirements.

If the violation is related to claims from source owners/integrations or mandatory requirements from authorities, the Provider has the right to suspend the corresponding functions until the issue is resolved; access resumption is possible after confirmation of the elimination of violations.

9.8. Access Restoration.

Access is restored after confirmation of the elimination of the causes of the violation, and, if necessary, agreement with source owners/third parties. The Provider may set a trial period with additional limits.

9.9. Appeals.

The Customer has the right to appeal the applied measures in the manner provided for in Section 10 of the Policy. Filing an appeal does not suspend the effect of urgent measures under clause 9.4.

10. Reporting Violations and Appeals

10.1. Communication Channels.

Reports of Policy violations, security incidents, and vulnerabilities are sent through: (i) the support form in the Platform interface; (ii) email t@gro.now, specified on the Website; (iii) other channels explicitly indicated by the Provider in the documentation.

10.2. Notification Content.

It is recommended that the appeal include: a) Customer Account identifier; b) date/time (with time zone) and example(s) of requests/events; c) description of the facts and alleged violation; d) contact person responsible; e) technical artifacts (logs, screenshots, traces) without excessive personal data.

10.3. Confirmation and Initial Check.

The Provider sends confirmation of receipt of the appeal (if technically possible) and conducts an initial check for sufficiency of information. If necessary, the Provider has the right to request additional information from the Customer and set a deadline for its provision.

10.4. Confidentiality and “Good Faith Disclosure”.

Notifications of vulnerabilities/incidents are treated confidentially. Publication of details before problem resolution is not allowed. Persons who in good faith reported vulnerabilities **are not considered violators** if they refrained from exploitation and acted within the Provider's instructions.

10.5. Customer Appeals against Response Measures.

a) The Customer has the right to appeal the applied measures (warning, restrictions, blocking, termination) by submitting justification and supporting materials through the communication channels under clause 10.1. b) Minimum appeal content: reference to the notification/incident, date the measure was applied, arguments of disagreement (factual/legal), description of steps taken to eliminate the causes. c) Filing an appeal **does not suspend** the effect of urgent measures applied under clause 9.4.

10.6. Appeal Review and Timeframes.

The Provider reviews the appeal within a reasonable period, taking into account the complexity of the issue and the involvement of third parties (source owners, integration providers). If necessary, the Provider may establish intermediate measures (mitigation of restrictions, trial period).

10.7. Review Outcomes.

Based on the results of the appeal review, the Provider: (i) cancels the measure; (ii) changes its scope/duration; (iii) leaves the measure unchanged; (iv) proposes a corrective plan with control points (remediation plan). The decision and its reasons are communicated to the Customer through the chosen communication channel.

10.8. Abuse of Procedures.

Intentional submission of knowingly false reports, mass “noise” appeals, as well as refusal to cooperate in an investigation may be considered a violation of this Policy and lead to measures according to Section 10.

10.9. Interaction with Third Parties and Authorities.

If the incident affects the rights of source owners/integrations or is governed by mandatory legal requirements, the Provider has the right to provide them with the necessary information to the extent sufficient for resolution.

10.10. Material Retention.

The Provider and the Customer have the right to retain correspondence materials, logs, and artifacts related to the appeal/complaint for the period necessary for the purposes of investigation, defense of rights, and fulfillment of legal requirements.

11. Interaction with Authorities and Source Owners

11.1. Lawful Requests from Authorities.

Upon reasoned and legally binding requests from competent authorities, the Provider discloses the requested information to the extent required by law. If not prohibited by law or the request, the Provider will notify the Customer of the received request and the scope of data to be disclosed.

11.2. Judicial and Pre-Trial Requirements.

Upon receipt of subpoenas, orders, rulings, or equivalent acts related to the Customer Account, the Provider acts within the scope of the legal obligation and, if possible, grants the Customer a reasonable period for independent defense of rights (petitions, objections, withdrawal of the requirement).

11.3. Claims from Source Owners/Integrations.

If data owners, platforms, or integrations have sent a claim to the Provider related to the Customer's actions (violation of terms, licenses, limits, IP rights, or confidentiality), the Provider has the right to: a) request information and explanations from the Customer; b) temporarily restrict the corresponding functions/integrations; c) forward the requirements to the Customer's Contact Persons for resolution; d) if necessary – delete/block the disputed material until the claim is resolved.

11.4. Notice and Takedown Procedure.

  • 11.4.1. The Provider accepts notifications of rights infringement (including IP rights and confidentiality) for review through the channels specified on the Website.
  • 11.4.2. The notification must contain sufficient information to identify the material/action, the rights, and the grounds of the claimant.
  • 11.4.3. After a preliminary check, the Provider notifies the Customer and may temporarily restrict access to the material/functions.
  • 11.4.4. The Customer has the right to send reasoned objections/counter-notification with supporting documents; based on the review results, access may be restored or the restriction maintained.

11.5. Minimization of Disclosure.

In any interaction with third parties and authorities, the Provider strives to limit disclosure to only necessary information, maintaining confidentiality and security requirements.

11.6. Preservation of Evidence.

Upon a lawful request or during an incident investigation, the Provider has the right to ensure the preservation of relevant logs and artifacts (legal hold). The Customer undertakes to similarly record relevant data on its side and ensure their immutability.

11.7. Customer Cooperation.

The Customer undertakes to promptly provide information, documents, and technical assistance necessary to resolve claims from source owners/integrations and comply with lawful requests from authorities, and to refrain from actions that impede verification.

11.8. Expenses and Losses.

If interaction with authorities or source owners is caused by the Customer's violations, the Customer indemnifies the Provider for documented expenses (including legal fees, expert fees, technical work) and losses in the manner and within the limits provided for in the CA.

11.9. Emergency Cases.

In the event of an imminent threat to life, health, or a significant risk of harm to third parties, the Provider has the right to **immediately restrict access**, transfer necessary information to competent authorities, and notify the Customer as soon as possible, if notification is not prohibited by law.

11.10. Cross-Border Interaction.

For requests from foreign jurisdictions, the Provider acts in accordance with applicable law and international legal assistance mechanisms. The Customer understands that fulfilling such requests may require time and special procedures.

11.11. Contacts.

Current addresses and channels for legal requests, violation notifications, and derivative communications are specified on the Website. The Provider has the right to update them without amending this document.

12. Liability and Limitations

12.1. Customer Liability.

The Customer is responsible for all actions performed on the Platform through its Account (including the actions of Customer Users and contractors), as well as for the compliance of such actions with this Policy, the CA, and applicable law.

12.2. Third-Party Violations.

If claims from source owners, integrations, right holders, or other third parties against the Provider are caused by the Customer's actions/inaction (including violation of their terms, intellectual property rights, confidentiality, data use rules), the Customer must resolve such claims and indemnify the Provider for documented losses in the manner and within the limits established by the CA.

12.3. Customer Warranties.

The Customer warrants that: a) it possesses the necessary rights and legal grounds for processing Customer Data and transferring it to integrations; b) when externally distributing Results, it complies with the requirements of the sources and the law; c) it does not use the Platform for prohibited purposes.

12.4. Provider Liability Limitation.

The scope and limits of the Provider's liability are determined by the CA. The Provider is not responsible for: a) unavailability or failures of third-party integrations and services; b) the consequences of external distribution of Results by the Customer; c) damages arising from the Customer's violation of this Policy, the CA, or third-party terms.

12.5. Force Majeure.

In cases of force majeure circumstances, the application of liability is governed by the CA. Obligations to provide Services may be suspended during the force majeure period.

12.6. Remedying Violations and Indemnity.

Upon the Provider's request, the Customer must: a) cease the violation; b) delete/correct the disputed data or configurations; c) provide confirmation of the actions taken; d) indemnify the Provider for reasonable expenses related to the violation (legal, technical, communication) within the limits established by the CA.

12.7. Priority of Documents.

The provisions of the CA prevail regarding the distribution of risks, limitations, and exemptions from liability. This section **does not expand or reduce** the liability of the parties beyond what is established by the CA, but specifies it in relation to the Policy.

13. Amendments to the Policy and Entry into Force

13.1. Publication and Version.

The current version of this Policy is published on the Platform Website and contains the version identifier and publication date. The Provider maintains an archive of previous versions.

13.2. Amendment Procedure.

The Provider has the right to update the Policy to reflect changes in functionality, legal requirements, security, and integrations. The Customer is notified of changes by one or more methods: publication on the Website, system notification in the interface, email to the Account contact, or other channel specified in the CA/documentation.

13.3. Effective Dates.

(i) For new Customers, changes are effective from the moment of first access to the Platform after the publication of the updated version. (ii) For existing Customers, changes take effect after a reasonable period from the date of notification (unless immediate measures for security/legislation require otherwise). Continued use of the Platform after the effective date means acceptance of the updated version.

13.4. Immediate Changes.

If updates are due to (i) requirements of law/authorities, (ii) elimination of a critical security risk, (iii) termination/change of terms of third-party integrations, the corresponding provisions may be applied **immediately with notification** to the Customer.

13.5. Document Conflicts.

In case of contradictions between this Policy and other gro.now documents, the hierarchy established by the CA applies. Specialized documents (e.g., Rules for Surveys and Activities, DPA, Security Policy) prevail in their subject area; on other matters — this version of the Policy applies.

13.6. Ongoing Processes.

Policy updates apply to current and future use of the Platform and ongoing processes (data storage/processing, integration work). The Policy **is not retroactive** with respect to fully completed actions before the effective date, except in cases explicitly prescribed by law.

13.7. Versioning in Agreements.

If a specific version of the Policy is indicated in the CA/order/addendum, it applies until the parties, in the manner provided for in the CA, agree to the application of a new version or until the update is subject to mandatory application based on clauses 13.3 – 13.4.

13.8. Feedback.

The Customer has the right to send comments on Policy updates through the communication channels specified on the Website. Sending comments **does not suspend the entry of changes into force**, unless explicitly agreed upon with the Provider.

14. Miscellaneous Provisions

14.1. Applicable Law and Disputes.

The law of the Republic of Kazakhstan applies to this Policy. The dispute resolution procedure is determined by the CA; special procedures (e.g., for source/integration content) follow Sections 9 – 11 of the Policy.

14.2. Language Versions.

This Policy may be provided in several languages. In case of discrepancy, the **Russian version prevails**, unless explicitly provided otherwise in the CA.

14.3. Communications and Notifications.

Legally significant notifications between the Customer and the Provider are carried out in the manner provided for in the CA (including publications on the Website, messages in the Platform interface, and/or email to the Account contact). Operational notifications regarding incidents and response measures are sent through the channels specified in Sections 9 – 11 of the Policy.

14.4. No Waiver of Rights.

Failure to apply or delay in applying any measure **is not considered a waiver** of the corresponding rights by the Provider or the Customer.

14.5. Severability.

If any provision of this Policy is found to be invalid or unenforceable, this does not affect the validity of the remaining provisions; the disputed provision is applied to the maximum extent permitted by law.

14.6. Subcontractors and Transfer of Rights.

The Provider has the right to engage subcontractors (including cloud infrastructure and integration providers) for the performance of the Policy and the provision of Services, provided that the requirements of the CA and data protection agreements are complied with. The Customer is not entitled to assign rights/obligations under the Policy to third parties without the Provider's consent, unless otherwise established by the CA.

14.7. Reference Materials.

Manuals, best practices, technical documentation, and other materials on the Website are for explanatory purposes and apply to the extent that they do not contradict the CA and this Policy.

Previous versions:
Version 1.0