Velox Media — Legal Center

Terms of Service

Velox Media Inc. 301 Grant Street, Pittsburgh, PA 15219, United States [email protected]

Version: 2.1 Effective Date: 27 April 2026 Last Reviewed: 27 April 2026

These Terms of Service (together with the Policies referred to herein, the “Agreement”) are entered into between Velox Media Inc., a corporation organised and existing under the laws of the United States, having its registered office at 301 Grant Street, Pittsburgh, Pennsylvania 15219 (“Velox Media”, “we”, “us”, or “our”), and the person, firm, or corporation accepting the Agreement (the “Customer”, “you”, or “your”). By submitting any Order, accessing the Services, opening or using an Account, or otherwise indicating acceptance, the Customer enters into the Agreement and represents that the individual so acting has full authority to bind the Customer.

The Agreement comprises these Terms of Service together with the Acceptable Use Policy (the “AUP”), the Privacy Policy, the Cookie Policy, the Service Level Agreement (the “SLA”), the Data Processing Agreement (the “DPA”), the Sub-processor List, the DMCA Policy, the Trust & Safety Policy, and the Law Enforcement Guidelines (collectively, the “Policies”), each of which is incorporated herein by reference and forms an integral part hereof.

1. Definitions and interpretation

1.1 In the Agreement, unless the context otherwise requires:

1.2 References to clauses, sub-clauses, and the Policies are references to clauses and sub-clauses of these Terms of Service, and to the Policies, respectively. Headings are for convenience only and shall not affect the construction of the Agreement. References to a statute or statutory provision include any subordinate legislation made under it and any modification or re-enactment from time to time. The words “include”, “including”, and “in particular” are illustrative and shall not limit the generality of the preceding words. References to “writing” include email and electronic communication except where otherwise expressly stated.

2. Customer representations, warranties, and undertakings

2.1 The Customer represents, warrants, and undertakes to Velox Media on a continuing basis throughout the term of the Agreement that:

(a) the Customer is of full legal age and capacity (and, where the Customer is a body corporate, has been duly incorporated and is in good standing under the laws of its jurisdiction of organisation) and has full power, authority, and right to enter into and to perform the Agreement;

(b) all information furnished by the Customer to Velox Media at any time, including in connection with the opening of the Account, the placing of any Order, the configuration of any Service, the verification of any matter under sub-clause 2.2, or otherwise in connection with the Agreement, is and shall remain true, accurate, complete, current, and not misleading in any respect, and the Customer shall, without delay, notify Velox Media of any change thereto or any inaccuracy therein;

(c) neither the Customer, nor any of its principals, beneficial owners, directors, officers, employees, agents, end users, or any person or entity for whose benefit the Services are used, is (i) located in, ordinarily resident in, organised under the laws of, or owned or controlled by any person located in or organised under the laws of, any country, region, or territory subject to comprehensive economic sanctions administered by the Government of the United States, the Government of the United Kingdom, the European Union, or the United Nations Security Council; (ii) listed on the United States Department of the Treasury’s Office of Foreign Assets Control Specially Designated Nationals and Blocked Persons List, the Consolidated List of Financial Sanctions Targets maintained by His Majesty’s Treasury (United Kingdom), the European Union Consolidated Financial Sanctions List, or any analogous restricted-party list maintained by any competent authority of any jurisdiction in which Velox Media operates; or (iii) using or proposing to use the Services in connection with any activity that would constitute, cause, or facilitate any breach of any sanctions, anti-money-laundering, anti-bribery, anti-terrorism, or export-control laws applicable to either party;

(d) the Customer shall, at its own cost and on demand, furnish to Velox Media such documents, information, certifications, attestations, declarations, and other materials as Velox Media may from time to time, in its sole and absolute discretion, request for the purposes of confirming any matter set out in this clause 2, of satisfying Velox Media’s policies or the requirements of its payment processors, networks, registries, suppliers, or insurers, of preventing or detecting fraud, abuse, or sanctions risk, of complying with any law, regulation, court order, subpoena, warrant, regulatory direction, or other legal process or request from any competent authority in any jurisdiction in which Velox Media operates, or otherwise in connection with the proper administration of the Account or the Services. Without prejudice to the generality of the foregoing, such materials may include government-issued identification, evidence of address, evidence of business registration, beneficial-ownership disclosure, evidence of payment-method ownership, evidence of control of any domain or address space, and such further matter as Velox Media shall reasonably require. Failure to comply with any such request within such period as Velox Media shall stipulate (which shall be reasonable in the circumstances) shall constitute a material breach of the Agreement; and

(e) the Customer shall comply at all times with the Agreement, with each of the Policies as in force from time to time, and with all laws, statutes, regulations, codes, and other rules of any jurisdiction in which the Customer is established, in which any of its end users access any Content, or in which any Service is provided.

2.2 Velox Media may, by reference to any information furnished by the Customer or otherwise available to it, decline to enter into, may decline to renew, or may terminate the Agreement with any person, in its sole and absolute discretion and without thereby incurring any liability of any nature, subject only to such mandatory provisions of law as may not be excluded.

3. Orders, fees, and payment

3.1 Each Order shall constitute an offer by the Customer to purchase the relevant Service upon and subject to the Agreement. Such offer is accepted, and a binding contract for the relevant Service is formed, only upon the earlier of (a) Velox Media’s express acceptance and (b) the provisioning of the relevant Service.

3.2 Fees shall be payable in advance in the currency stated at the point of Order. Recurring fees shall renew automatically at the commencement of each Billing Cycle unless cancelled in accordance with clause 9.

3.3 Velox Media may from time to time amend the fees payable in respect of any Service. Amendments shall apply with effect from the next Billing Cycle and shall be notified to the Customer not less than thirty (30) days before they take effect; the Customer’s continued use of the Services into the next Billing Cycle shall constitute acceptance of the amended fees.

3.4 The Customer hereby authorises Velox Media, and Velox Media’s payment processors, to charge the Customer’s nominated payment method in respect of all amounts due. Any failure of payment shall not relieve the Customer of liability for the amount due, together with all reasonable costs of recovery (including chargeback fees, bank charges, collection agency costs, and reasonable attorneys’ fees).

3.5 All fees are exclusive of value added tax, sales tax, goods and services tax, withholding tax, and any other tax, levy, charge, or duty of like kind, all of which (where applicable) shall be payable by the Customer in addition.

3.6 A money-back guarantee period of seven (7) days from the date of provisioning shall apply to first-time orders of monthly virtual private server plans only, and only where the Account is in good standing and has not been suspended for any reason. For the avoidance of doubt, the following are non-refundable and shall be retained by Velox Media in any event: (a) fees paid in respect of dedicated servers, custom configurations, add-on services, and any plan other than monthly virtual private server plans; (b) fees paid more than seven (7) days before the request for refund; (c) any fees paid in respect of any Account or Service which has at any time been suspended or terminated for breach of the Agreement; (d) any administrative, abuse-handling, investigation, or other fee levied under the AUP or otherwise; and (e) any amount in respect of which Velox Media reasonably suspects fraud, abuse, or chargeback misuse. Velox Media may withhold any refund pending investigation.

3.7 The Customer shall not initiate any chargeback, dispute, reversal, or analogous process in respect of any amount properly chargeable hereunder without first having raised the matter in writing with Velox Media’s billing department and having afforded Velox Media a reasonable period in which to respond. The initiation of any chargeback in breach of this sub-clause shall constitute a material breach of the Agreement.

4. Provision of, and access to, the Services

4.1 Velox Media shall use reasonable commercial efforts to make the Services available in accordance with the SLA.

4.2 The Customer acknowledges and agrees that the operation, security, integrity, billing, support, abuse-prevention, and lawful provision of the Services entail, and shall continue throughout the term of the Agreement to entail, the collection, generation, retention, processing, and analysis by Velox Media (and by such third parties as Velox Media may engage from time to time) of operational, network, performance, capacity, security, fraud, sanctions, abuse, billing, and Account data of any nature whatsoever arising in or in connection with the Services, in such manner, by such means, and to such extent as Velox Media shall, in its sole and absolute discretion, determine to be necessary or appropriate. The Customer further acknowledges and agrees that Velox Media may, in its sole and absolute discretion, undertake or refrain from undertaking any such activity in any particular case, may employ such automated and manual means, such third-party tools, providers, intelligence sources, and reputation services as it shall consider appropriate, and shall not be obliged to disclose to the Customer the particulars of any such activity or means, the absence of any such disclosure not implying any representation as to whether any particular activity is or is not undertaken; and Velox Media’s exercise of, or forbearance from exercising, any right under this sub-clause in any particular case shall be without prejudice to its exercise of the same in any other case.

4.3 Velox Media may from time to time add to, modify, suspend, relocate, withdraw, or discontinue any feature, component, or part of the Services. Where any such change materially and adversely affects a Service ordered by the Customer, Velox Media shall give the Customer not less than thirty (30) days’ notice; where the change materially reduces the functionality so ordered, the Customer’s sole remedy shall be to terminate the affected Service in accordance with clause 8.1 and to receive a pro rata refund of any prepaid fees referable to the unused portion of the then-current Billing Cycle.

4.4 Scheduled maintenance, emergency maintenance, and short interruptions undertaken for security, stability, or operational reasons form part of the ordinary operation of the Services and are addressed in the SLA.

5. Customer obligations

5.1 The Customer shall at all times be solely and exclusively responsible for the Content, for the configuration of the Services, for the conduct of its end users, and for all activity carried on under the Account, whether or not authorised by the Customer. References to the Customer in this clause 5 and elsewhere in the Agreement shall, where the context so admits, include the end users of the Customer and any other person availing themselves of the Services through the Account.

5.2 The Customer shall comply at all times with the AUP, the Trust & Safety Policy, and all laws, statutes, regulations, codes, and other rules applicable to the Customer, the Content, and the activities for which the Services are used.

5.3 The Customer shall implement and maintain such technical and organisational security measures as may be appropriate to the Content, including measures relating to patching, password and key management, access control, encryption, and the maintenance of independent backups. The Customer acknowledges and agrees that Velox Media supplies infrastructure and not application security, and that the security of any operating system, application, or other software run on the Services is the sole responsibility of the Customer.

5.4 The Customer shall maintain its own backups of the Content. Where Velox Media offers a backup service as a separately priced add-on, such service is offered on a best-efforts basis and shall not relieve the Customer of its obligation to maintain independent backups.

5.5 The Customer shall not resell, sublicense, or make the Services available to any third party as the Customer’s own service except pursuant to a reseller plan ordered from Velox Media and subject to such additional terms as Velox Media may from time to time stipulate.

6. Suspension

6.1 Velox Media reserves the right, exercisable at any time, in its sole and absolute discretion, with or without prior notice, and without thereby incurring any liability of any nature to the Customer or to any third party, to suspend, restrict, throttle, null-route, filter, or otherwise interrupt the provision of any or all of the Services, in whole or in part, and to take such other action consistent with the Agreement as it shall consider appropriate, where Velox Media has reason to believe (such reason to be determined in its sole judgement and on the basis of any information available to it, including any information generated, collected, or analysed in connection with sub-clause 4.2) that:

(a) the Customer is in breach of any provision of the Agreement (including any of the Policies);

(b) such action is necessary or appropriate to protect the Services, Velox Media’s infrastructure, Velox Media’s other customers, or any third party from loss, damage, attack, abuse, malware, denial of service, compromise, or other harm or risk;

(c) such action is necessary or appropriate to comply with any law, regulation, court order, subpoena, warrant, regulatory direction, sanctions designation, or other legal process or request from any competent authority in any jurisdiction in which Velox Media operates;

(d) any sum payable hereunder is overdue;

(e) the Customer has failed to furnish to Velox Media’s reasonable satisfaction any documents, information, certifications, attestations, or other materials requested under sub-clause 2.1(d), or any matter so furnished is or has become inaccurate or incomplete;

(f) the Customer, the Content, or the Customer’s activity creates a material risk of legal, regulatory, reputational, or financial harm to Velox Media; or

(g) any other circumstance arises which, in Velox Media’s reasonable judgement, justifies such action.

6.2 The Customer shall remain liable for all fees during the period of any suspension. Velox Media shall not be liable for any loss, damage, cost, or expense howsoever arising from any suspension undertaken in good faith pursuant to this clause, and no such suspension shall constitute a breach by Velox Media of the Agreement or of the SLA.

6.3 Velox Media may make the lifting of any suspension conditional upon the Customer satisfying such reasonable conditions as Velox Media shall stipulate, including (without limitation) compliance with any request under sub-clause 2.1(d), payment of all outstanding fees and any administrative or abuse-handling fee, and removal of any offending Content.

7. Termination

7.1 Either party may terminate the Agreement, or any Service, for convenience by giving written notice with effect from the end of the then-current Billing Cycle. Notice by the Customer shall be given through the customer area or by email to [email protected].

7.2 Velox Media may terminate the Agreement, or any Service, with immediate effect, by notice (which may be given retrospectively where prior notice would have been impractical), and without thereby incurring any liability whatsoever, where:

(a) any ground for suspension under clause 6 has subsisted for a period exceeding seven (7) days, or where, in Velox Media’s sole judgement, immediate termination is justified notwithstanding the lapse of any shorter period;

(b) the Customer commits any material or repeated breach of the Agreement or of any of the Policies;

(c) the Customer becomes insolvent, enters into any analogous insolvency procedure under any applicable law, or ceases to carry on business; or

(d) Velox Media is required to do so by law, by regulation, or by any competent authority.

7.3 Upon termination of the Agreement or of any Service, for any reason: (a) all affected Services shall cease; (b) all sums due to Velox Media up to and including the effective date of termination shall remain immediately payable; (c) Velox Media may, but shall not be obliged to, retain the Content for such period as it shall consider reasonable (which shall not normally exceed thirty (30) days) prior to secure deletion thereof, save insofar as longer retention is required by law or under sub-clause 7.4; and (d) where termination is by Velox Media for breach by the Customer, Velox Media shall be entitled to retain the Content, the Account, and all related information for the longer of (i) such period as is required by law and (ii) such period as is reasonably necessary to permit the investigation, the resolution of disputes, the recovery of fees, the defence of claims, and the cooperation with any competent authority.

7.4 Survival; accrual of remedies. No termination of the Agreement, of any Service, or of any of the Policies shall affect any right, power, or remedy of either party that has accrued, or any obligation or liability that has been incurred, prior to such termination. Without prejudice to the generality of the foregoing, the rights of Velox Media to investigate any breach, to enforce any provision of the Agreement, to recover any sum payable hereunder, and to claim damages or other relief in respect of any breach by the Customer of the Agreement (including any of the Policies) accrue at the time of the breach in question and shall survive any subsequent amendment to the Agreement and any termination of the Agreement, and may be exercised by Velox Media at any time. Conduct constituting a breach shall be governed by the version of the Agreement in force at the time of such conduct.

7.5 Clauses 1, 3.4, 3.5, 3.7, 5.1, 6 (insofar as it pertains to retained data), 7.3, 7.4, this clause 7.5, 8, 9, 10, 11, 12, 13, 14, 15, 17, 18, 19, and 20 shall survive any termination of the Agreement.

8. Cancellation by the Customer

8.1 The Customer may cancel any Service through the customer area, with effect from the end of the then-current Billing Cycle, save where the Customer elects immediate cancellation, in which case no refund shall be due in respect of the unused portion of such Billing Cycle.

8.2 Failure by the Customer to cancel a Service prior to the commencement of any new Billing Cycle shall result in automatic renewal at the then-current price.

9. Intellectual property

9.1 As between the Customer and Velox Media, the Customer shall retain all right, title, and interest in and to the Content, and Velox Media shall retain all right, title, and interest in and to the Services and all underlying software, infrastructure, documentation, trademarks, trade names, and other intellectual-property rights of any nature.

9.2 The Customer hereby grants to Velox Media a non-exclusive, royalty-free, worldwide licence to host, store, process, transmit, copy, display, analyse, scan, and otherwise use the Content insofar as is necessary or appropriate for the purposes of (a) providing, operating, securing, maintaining, supporting, billing, and lawfully administering the Services; (b) complying with any law, regulation, or legal process referred to in sub-clause 6.1(c); (c) enforcing the Agreement and exercising the rights and discretions of Velox Media hereunder (including under sub-clause 4.2); and (d) protecting the rights, property, or safety of Velox Media, its customers, or any third party. The Customer warrants that it has all rights necessary to grant the foregoing licence.

9.3 The Customer shall not remove, obscure, alter, or interfere with any notice, branding, or attribution of Velox Media on or in the Services and shall not use the name, logo, or marks of Velox Media save as expressly authorised in writing by Velox Media.

10. Confidentiality

Each party shall protect the confidential information of the other using no less than reasonable care, shall use such information only as necessary to perform under the Agreement, and shall not disclose such information except to its personnel and professional advisers who are bound by equivalent obligations of confidentiality, or as required by law. Nothing in this clause shall restrict the exercise by Velox Media of its rights under sub-clauses 4.2, 6, 7, 9.2, or 16.

11. Warranties and disclaimers

11.1 Velox Media warrants that it shall provide the Services with reasonable skill and care.

11.2 EXCEPT AS EXPRESSLY SET FORTH IN SUB-CLAUSE 11.1, AND TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, THE SERVICES ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS, AND VELOX MEDIA HEREBY DISCLAIMS ALL WARRANTIES, REPRESENTATIONS, CONDITIONS, AND TERMS OF ANY NATURE, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING (WITHOUT LIMITATION) ANY WARRANTY OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR ANY PARTICULAR PURPOSE, NON-INFRINGEMENT, ACCURACY, COMPLETENESS, AVAILABILITY, OR ACHIEVEMENT OF ANY PARTICULAR RESULT, AND ANY WARRANTY ARISING FROM ANY COURSE OF DEALING OR USAGE OF TRADE.

11.3 Velox Media does not warrant that the Services will be uninterrupted, error-free, or secure against all attack, or that they will meet the requirements of the Customer.

11.4 The Customer acknowledges that it has not relied upon any representation, warranty, statement, or assurance of any nature whatsoever not expressly set out in the Agreement.

12. Indemnity

12.1 The Customer shall, at its own cost, defend, indemnify, and hold harmless Velox Media, its Affiliates, and their respective directors, officers, employees, agents, and contractors (each an “Indemnified Person”) from and against any and all claims, demands, suits, actions, proceedings, losses, damages, fines, penalties, liabilities, costs, and expenses (including reasonable attorneys’ fees and the costs of investigation) of any nature whatsoever arising out of or in connection with:

(a) the Content;

(b) the use of the Services by the Customer or any of its end users;

(c) any breach by the Customer of the Agreement (including any Policy);

(d) any breach or alleged breach by the Customer of any law, statute, regulation, code, or other rule, including (without limitation) any law, statute, regulation, code, or rule pertaining to the verification of the identity, age, or attributes of any end user of the Customer, the lawful provision of any service to the public, or the obtaining or maintenance of any licence, registration, or authorisation;

(e) any actual or alleged infringement of any right of any third party (including any intellectual-property right, right of privacy, or right of publicity) by the Customer or by the Content;

(f) any complaint, regulatory enquiry, investigation, or legal process directed at any Indemnified Person and relating to the Account, the Content, or the activities of the Customer; and

(g) any chargeback, dispute, or non-payment.

12.2 Velox Media shall give the Customer prompt notice of any such claim, shall permit the Customer to control the defence (subject always to Velox Media’s right to participate at its own cost and to approve in advance any settlement that admits any liability or imposes any non-monetary obligation upon any Indemnified Person), and shall provide reasonable cooperation at the Customer’s expense.

13. Limitation of liability

13.1 Nothing in the Agreement shall limit or exclude any liability of either party which cannot be limited or excluded under the applicable law, including any liability for fraud, fraudulent misrepresentation, or, in any jurisdiction in which such liability cannot be excluded, death or personal injury caused by negligence.

13.2 Subject to sub-clause 13.1, the aggregate liability of Velox Media to the Customer arising out of or in connection with the Agreement and the Services, howsoever arising, whether in contract, tort (including negligence), breach of statutory duty, strict liability, or otherwise, shall in no event exceed the lesser of (a) the fees paid by the Customer to Velox Media in respect of the affected Service in the three (3) months immediately preceding the event giving rise to the claim and (b) United States dollars one thousand (US $1,000).

13.3 Subject to sub-clause 13.1, Velox Media shall in no event be liable for any: (a) loss of profit, loss of revenue, loss of business, loss of goodwill, loss of anticipated savings, or loss of opportunity; (b) loss of, or corruption of, data; (c) loss of use; (d) any indirect, special, incidental, consequential, exemplary, or punitive damages of any nature; (e) cost of substitute services; or (f) any loss arising from any act or omission of any third party (including any upstream network operator, payment processor, registry, or end user of the Customer), in each case howsoever arising and whether or not foreseeable and whether or not Velox Media has been advised of the possibility of such loss.

13.4 The Customer acknowledges that the SLA, including the regime of service credits set out therein, constitutes the sole and exclusive remedy of the Customer in respect of any failure to meet any service level.

13.5 Each of the limitations and exclusions in this clause 13 shall operate severally. The failure or unenforceability of any one shall not affect the operation of any other.

13.6 No claim by the Customer arising out of or in connection with the Agreement may be brought more than one (1) year after the date on which the cause of action accrued, and any claim not so brought shall be irrevocably barred to the fullest extent permitted by law.

14. Force majeure

Neither party shall be liable for any failure or delay in performance hereunder to the extent such failure or delay is caused by any event or circumstance beyond its reasonable control, including (without limitation) any act of God, war, hostilities (whether or not war has been declared), act of terrorism, civil unrest, action of any government or public authority, sanctions, public-health emergency, labour dispute, denial-of-service attack, failure or interruption of upstream network or third-party provider, failure of power or telecommunications, or natural disaster. The party so affected shall use reasonable efforts to resume performance.

15. Subordinate cooperation with law and legal process

15.1 Each party shall comply with all laws applicable to its performance under the Agreement.

15.2 Velox Media may, in its sole and absolute discretion, take any action that it considers necessary or appropriate to comply with any law, regulation, court order, subpoena, warrant, production order, regulatory direction, sanctions designation, or other legal process or request from any competent authority in any jurisdiction in which Velox Media operates. Such action may include (without limitation) the preservation, accessing, copying, disclosure, removal, or blocking of access to the Content, the Account, or any associated information, with or without prior notice to the Customer. Where Velox Media is not legally prohibited from doing so, Velox Media shall use reasonable efforts to notify the Customer of any compelled disclosure of the Customer’s Personal Data, in accordance with the Law Enforcement Guidelines, but Velox Media shall not be obliged to delay or refuse compliance to enable the Customer to seek any relief.

15.3 The Customer shall not use the Services in any manner that would require Velox Media or any of its suppliers to obtain any licence, registration, or authorisation that it does not already hold, save with the express prior written consent of Velox Media.

16. Amendments

16.1 Velox Media may amend the Agreement (including any Policy) at any time. The current versions of the Agreement and the Policies shall be published at veloxmedia.co.uk and shall govern from their stated effective dates.

16.2 In respect of amendments which materially and adversely affect the rights or obligations of the Customer, Velox Media shall give not less than thirty (30) days’ notice by publication of the amended document and notification to the Customer by email and/or by message in the customer area. Other amendments shall take effect upon publication.

16.3 The continued use of the Services by the Customer after the effective date of any amendment shall constitute acceptance thereof. Where the Customer does not accept any material amendment, the sole remedy of the Customer shall be to terminate the affected Service in accordance with sub-clause 8.1, with a pro rata refund of any prepaid fees referable to the unused portion of the then-current Billing Cycle.

16.4 Conduct occurring prior to the effective date of any amendment shall be governed by the version of the Agreement (including the Policies) in force at the time of such conduct. The rights of Velox Media to investigate, suspend, terminate, and recover in respect of such conduct shall not be affected by any subsequent amendment and shall survive any termination of the Agreement.

16.5 No amendment to the Agreement by the Customer shall be effective unless agreed in writing and signed by an authorised representative of Velox Media. Any purported variation by way of any purchase order, terms of business, or other document of the Customer shall be void.

17. Notices

17.1 Notices to the Customer may be given by email to the address recorded on the Account, by message in the customer area, or by post to the address recorded on the Account. Such notices shall be deemed received on the day of sending (in the case of electronic notice) or on the second business day following posting (in the case of post).

17.2 Notices to Velox Media shall be sent to [email protected] and, in the case of any notice intended to commence formal proceedings, shall additionally be sent to the registered office of Velox Media by recorded post.

18. Assignment, subcontracting, and Affiliates

18.1 The Customer shall not assign, transfer, charge, or sublicense the Agreement or any Service without the prior written consent of Velox Media.

18.2 Velox Media may assign the Agreement, in whole or in part, to any Affiliate, to any successor in interest, or in connection with any merger, acquisition, reorganisation, or sale of all or substantially all of the assets to which the Services relate, upon notice to the Customer.

18.3 Velox Media may engage Affiliates and subcontractors (including the data centre operators, sub-processors, and other suppliers from time to time identified in the Sub-processor List) to perform under the Agreement. Velox Media shall remain responsible to the Customer for the performance of any such Affiliate or subcontractor.

19. Governing law and jurisdiction

19.1 The Agreement, and any non-contractual obligation arising out of or in connection with it, shall be governed by, and construed in accordance with, the laws of the State of Ohio, United States, without regard to any principle of conflict of laws.

19.2 Each party hereby submits to the exclusive jurisdiction of the state and federal courts located in the State of Ohio in respect of any dispute arising out of or in connection with the Agreement; provided that Velox Media may bring proceedings in any jurisdiction in which the Customer is located, in which the Customer carries on business, or in which the Content is hosted, in respect of injunctive or equitable relief or for the purposes of enforcing any judgement.

19.3 Where the Customer is a consumer ordinarily resident in the European Economic Area or the United Kingdom, nothing in sub-clauses 19.1 or 19.2 shall deprive the Customer of the protection of the mandatory consumer-protection laws of the country of the Customer’s habitual residence, and the Customer may bring proceedings in the courts of such country in accordance with such laws.

20. General

20.1 Entire agreement. The Agreement constitutes the entire agreement between the parties in respect of the subject matter hereof and supersedes all prior agreements, representations, and understandings, whether oral or written.

20.2 No waiver. No failure or delay by either party in exercising any right, power, or remedy under the Agreement shall operate as a waiver thereof. A waiver in any one case shall not constitute a waiver in any other case. No waiver shall be effective unless made in writing and signed by the waiving party.

20.3 Severability. If any provision of the Agreement is held by any court or competent authority to be invalid, illegal, or unenforceable, in whole or in part, such provision shall be modified to the minimum extent necessary to render it valid, legal, and enforceable; if no such modification is possible, such provision shall be deemed deleted, and the remaining provisions of the Agreement shall continue in full force and effect.

20.4 No third-party beneficiaries. A person who is not a party to the Agreement shall have no right to enforce any term of the Agreement, save that the Affiliates, directors, officers, employees, agents, and contractors of Velox Media may enforce clauses 11, 12, and 13 in their own right.

20.5 Independent contractors. The parties are independent contractors. Nothing in the Agreement shall create or be deemed to create any partnership, joint venture, agency, or employment relationship between the parties.

20.6 Counterparts and execution. Acceptance of the Agreement by clicking, by Order, or by use of the Services shall have the same effect as signature.

Velox Media Inc., 301 Grant Street, Pittsburgh, PA 15219, United States. Contact: [email protected].

Acceptable Use Policy

Velox Media Inc.

Version: 2.1 Effective Date: 27 April 2026 Last Reviewed: 27 April 2026

This Acceptable Use Policy (the “AUP”) forms part of, and is incorporated by reference into, the Terms of Service (the “Agreement”) between the Customer and Velox Media Inc. (“Velox Media”). Capitalised terms used in this AUP without definition shall have the meanings ascribed to them in the Agreement. This AUP shall apply to all Services and to all activities undertaken on, through, or in connection with the Services, and shall extend to the Customer, to all end users of the Customer, and to any other person availing themselves of the Services through the Account.

1. General

1.1 The Services are general-purpose hosting infrastructure and may be used for any lawful purpose that does not contravene this AUP, the Agreement, or any other Policy.

1.2 Velox Media does not undertake to pre-screen the Content, but reserves the right to do so. The detection of any actual or apparent breach of this AUP shall be a matter for the sole judgement of Velox Media, exercisable on the basis of any information available to it, including (without limitation) any operational, network, security, abuse, billing, or Account data referred to in sub-clause 4.2 of the Agreement, any complaint received by Velox Media (whether from another customer, an authority, an industry partner, an affected third party, or otherwise), any output of any automated or third-party intelligence, reputation, or detection service, and any matter disclosed by the Customer or otherwise furnished pursuant to sub-clause 2.1(d) of the Agreement. Velox Media shall not be obliged to disclose to any person the nature or particulars of any source, means, or process so employed.

1.3 The Customer shall be solely and exclusively responsible for the activity of its end users and of any other person availing themselves of the Services through the Account. References herein to the Customer shall, where the context so admits, include each such person.

1.4 The determination by Velox Media of whether any conduct constitutes a breach of this AUP shall be conclusive for the purposes of any enforcement action taken hereunder, without prejudice to such rights as the Customer may have at law.

2. Prohibited content and activities

The Customer shall not, and shall not permit any other person to, use the Services to host, store, generate, transmit, distribute, link to, or otherwise make available any of the following:

2.1 Unlawful material and conduct

(a) Any material or activity the possession, distribution, hosting, or carrying out of which is unlawful in any jurisdiction in which Velox Media operates or in which the Content is materially accessed.

(b) Child sexual abuse material (“CSAM”) of any kind whatsoever, including (without limitation) photographic, photorealistic, computer-generated, drawn, written, simulated, or otherwise depicted material; any material that sexualises a minor; and any material the predominant purpose of which is the sexual exploitation of children. Any apparent CSAM shall be reported to the National Center for Missing and Exploited Children, the Internet Watch Foundation, and to such other competent authority as may be appropriate, with immediate termination of the Account, the preservation of all related materials, and full cooperation with law enforcement.

(c) Terrorist content as defined in Regulation (EU) 2021/784 and equivalent legislation, including (without limitation) any content inciting, soliciting, contributing to, glorifying, or providing instruction in respect of any terrorist offence.

(d) Non-consensual intimate imagery, “revenge pornography”, and sexual deepfakes of any identifiable person without their informed and freely given consent.

(e) Material which contravenes the Online Safety Act 2023 (United Kingdom), the Digital Services Act (Regulation (EU) 2022/2065), or equivalent law of any other jurisdiction in respect of illegal content.

(f) Any other material or conduct that is unlawful in any jurisdiction in which the Customer operates, in which any end user of the Customer accesses any Content, or in which Velox Media operates. The Customer shall comply at all times with all laws applicable to the lawful provision, marketing, or operation of any service, application, or content made available by the Customer through the Services, including (without limitation) laws relating to age verification, identity verification, recordkeeping, consumer protection, licensing, and reporting (such laws including, by way of example only and not by way of limitation, the Digital Age Assurance Act of California (AB 1043), the Online Safety Act 2023 of the United Kingdom, the Digital Services Act of the European Union, applicable state-level adult-content laws of the United States including Texas HB 1181 and Louisiana Act 440, online-gambling licensing regimes, and 18 U.S.C. § 2257 (United States) where applicable). Compliance in respect of the Customer’s end users in such matters shall in all events remain the sole responsibility of the Customer, and the Customer shall, on demand, demonstrate such compliance to Velox Media’s reasonable satisfaction.

2.2 Adult content

(a) Adult content is not permitted on the Services save with the express prior written approval of Velox Media. Where any such approval has been granted, the Customer shall in any event comply with all laws applicable to adult content in each jurisdiction in which any end user accesses such content, including (without limitation) all laws referred to in sub-clause 2.1(f), all rules of any applicable payment processor, and all consumer-protection law.

(b) The operation of any adult-content service without the prior written approval of Velox Media shall constitute a material breach of the Agreement, irrespective of whether Velox Media has previously raised the matter with the Customer. Any approval, where granted, shall be Service-specific, may be withdrawn at any time, and shall not extend to any other Service or to any other Account.

2.3 Network and information-security abuse

(a) Any unauthorised access to, attempted access to, or interference with, any system, network, account, device, data, or communication, whether of Velox Media or of any third party, including any penetration testing or security research conducted otherwise than pursuant to the documented prior written authorisation of the owner of the system in question.

(b) Port scanning, vulnerability scanning, brute-force attack, credential stuffing, password cracking, header forgery, IP spoofing, ARP, DNS, or BGP poisoning, route hijacking, and any equivalent reconnaissance or attack technique against any system in respect of which the Customer has no express authorisation.

(c) The distribution, hosting, or operation of any malware, ransomware, spyware, stalkerware, keylogger, dropper, command-and-control infrastructure, exploit kit, phishing kit, or any other tool the principal purpose of which is the compromise of any system or person.

(d) The initiation of, participation in, or facilitation of, any denial-of-service or distributed denial-of-service (“DDoS”) attack, including (without limitation) reflection, amplification, application-layer, or volumetric attack; the operation of any “booter”, “stresser”, or “DDoS-for-hire” service; and the knowing provision of infrastructure to any person engaged in such activity.

(e) Any conduct interfering with, disrupting, degrading, or impairing the integrity, security, performance, or operation of the Services, of Velox Media’s infrastructure, of any other customer, or of any third party.

2.4 Email, messaging, and unsolicited communications

(a) The sending of any unsolicited bulk or commercial email (“spam”), short message, instant message, voice call, or equivalent communication, in contravention of the CAN-SPAM Act (United States), the Privacy and Electronic Communications Regulations (United Kingdom), the ePrivacy Directive of the European Union and any transposing legislation, the Anti-Spam Legislation of Canada, or any other applicable law.

(b) The operation of any mailing list otherwise than upon confirmed (double opt-in) subscriber consent, with a working unsubscribe mechanism in every message.

(c) The operation of any open SMTP relay, open mail proxy, or any service permitting third parties to send mail through any Service without authentication.

(d) The sending of any mail in a manner that causes any address space of Velox Media to be added to any reputation blocklist, RBL, or feedback loop.

(e) The forgery of mail headers, return paths, or sender identities; the misrepresentation of the origin of any communication; and the use of any purchased, harvested, or scraped recipient list.

2.5 Resource and infrastructure abuse

(a) The consumption of any disproportionate share of central processing unit, memory, disk input/output, network input/output, address space, or any other shared resource, in a manner materially impairing the Services for any other customer.

(b) The mining of any cryptocurrency, the carrying out of any “proof-of-work” computation for any purpose, GPU farming, or any equivalent activity, on any Service save where such activity has been ordered on a Service plan expressly designated by Velox Media as suitable therefor.

(c) Tor exit relays. Tor entry guards, middle relays, bridges, and personal-use Tor clients are permitted subject to advance registration of the Service with Velox Media, the maintenance of accurate WHOIS contact information, and response to any abuse complaint within twenty-four (24) hours.

(d) Public anonymising VPN services, public proxy services, and similar shared anonymisation infrastructure, save with the express prior written approval of Velox Media. Personal-use and small-team VPN servers (for example, WireGuard or OpenVPN access for the Customer’s own organisation) are permitted.

(e) IRC and IRCd services, file-sharing trackers, and Minecraft or other game servers may attract DDoS or abuse, and are accordingly permitted only on Services expressly approved by Velox Media for such use.

(f) Excessive use of tmpfs, ramfs, or any equivalent technique for the purpose of bypassing storage quotas.

2.6 Intellectual property and confidential information

(a) The hosting, distribution, or facilitation of the infringement of any copyright, trademark, patent, trade secret, database, design, or other intellectual-property right.

(b) Any pirated or “warez” software, cracked binary, key generator, licence-bypass tool, or equivalent material.

(c) The bulk distribution of any copyright work without licence; the operation of any torrent tracker or seedbox in respect of infringing material.

(d) The disclosure, hosting, or distribution of any personal data, confidential information, or trade secret without lawful basis.

2.7 Fraud, deception, and economic crime

(a) Phishing, spear-phishing, smishing, vishing, business email compromise, and the impersonation of any person, brand, or institution.

(b) Carding, credit-card testing, BIN attack, fraudulent payment activity, “money muling”, and the facilitation of any of the foregoing.

(c) Money laundering, terrorist financing, sanctions evasion, and any trade in goods or services subject to sanctions or export controls without licence.

(d) Any Ponzi or pyramid scheme operated unlawfully, any multi-level-marketing arrangement operated in contravention of applicable law, any “high-yield investment programme”, and any equivalent fraud.

(e) The operation of any unlicensed financial service, money-services business, or virtual-asset service provider in any jurisdiction in which licensing is required.

2.8 Violence, harassment, and harmful conduct

(a) Any content that incites, threatens, glorifies, or facilitates violence against any person or group on the basis of race, ethnicity, national origin, religion, sex, gender, sexual orientation, disability, or any other protected characteristic.

(b) Targeted harassment, doxxing, stalking, or coordinated abuse of any identifiable person.

(c) Material promoting self-harm or suicide.

(d) Material promoting the unlawful sale of weapons, drugs, or any other contraband.

2.9 Other prohibited use

(a) Any activity which, in the sole judgement of Velox Media, exposes Velox Media or any of its Affiliates, suppliers, customers, or upstream networks to material legal, regulatory, reputational, or financial risk.

(b) Any activity contravening the rules of any data centre, IP-transit provider, payment processor, registrar, or other supplier upon which the relevant Service depends.

(c) Any activity for which a particular Service plan is required and which the Customer has not ordered.

3. Customer cooperation and information

3.1 The Customer shall cooperate with Velox Media in respect of any actual or suspected breach of this AUP, including by:

(a) furnishing such information, documents, certifications, attestations, declarations, and other materials as may be requested under sub-clause 2.1(d) of the Agreement, including (without limitation) information sufficient to identify any end user, traffic source, payment source, or content source as Velox Media may from time to time require;

(b) demonstrating, on demand, that the Customer has implemented and operates such identity, age, consent, recordkeeping, licensing, or other controls in respect of the Customer’s end users as may be required by any law referred to in sub-clause 2.1(f);

(c) preserving any material, log, or record relevant to any actual or suspected breach; and

(d) responding to any abuse complaint within such period as Velox Media shall stipulate (which shall be reasonable in the circumstances).

3.2 Failure by the Customer to comply with any request under sub-clause 3.1 within the period stipulated by Velox Media shall constitute a material breach of the Agreement.

4. Reporting abuse

4.1 Any complaint of abuse should be sent by email to [email protected] and should include:

(a) the IP address, hostname, URL, message, or other identifier of the matter complained of;

(b) the date and time of the matter complained of, with timezone;

(c) such supporting evidence as is available, including (without limitation) logs, full email headers, traffic captures, screenshots, or links;

(d) the name and contact details of the complainant; and

(e) in the case of any complaint relating to intellectual property, the additional information required by the DMCA Policy.

4.2 Velox Media shall ordinarily acknowledge receipt of any complaint within one business day. The targets for action upon any complaint are set out in the Trust & Safety Policy.

4.3 Complaints relating to terrorist content, CSAM, or any imminent threat to life shall be handled by Velox Media on an immediate-priority basis at any hour.

5. Enforcement

5.1 Without limiting any right of Velox Media under the Agreement, Velox Media may, in its sole and absolute discretion, with or without prior notice, take any one or more of the following actions in response to any actual or suspected breach of this AUP:

(a) issue a warning;

(b) require remediation by a stated deadline;

(c) require the furnishing of any information, document, certification, attestation, or other material under clause 3 hereof or sub-clause 2.1(d) of the Agreement;

(d) throttle, rate-limit, null-route, or filter traffic to or from the relevant Service;

(e) suspend the relevant Service, related Services, or the Account;

(f) remove, disable access to, or preserve specific Content;

(g) terminate the relevant Service, related Services, or the Account, with or without refund;

(h) report the matter, and disclose Account and Content data, to any competent authority, supplier network, abuse-intelligence service, or affected third party, where lawful and appropriate;

(i) recover from the Customer the administrative cost of investigation and response in accordance with clause 6 hereof; and

(j) decline to do business with the Customer, or with any related person, in future.

5.2 Velox Media may select such action as it considers proportionate in the circumstances, having regard to (without limitation) the nature, severity, and persistence of the breach, the risk of harm to others, and any prior conduct on the Account. The selection of any less severe action in any particular case shall not constitute a waiver of any more severe action in any other case.

6. Administrative and abuse-handling fees

6.1 The fees set out in the table below shall be payable by the Customer on demand and represent the parties’ reasonable pre-estimate of the administrative, technical, and reputational cost incurred by Velox Media in investigating and responding to the relevant matter. Such fees do not constitute a penalty.

6.2 The fees set out in this clause are in addition to, and not in substitution for, any other right or remedy available to Velox Media, including (without limitation) the right to terminate, the right to recover damages, and the right to recover legal costs.

6.3 Velox Media may set off any such fee against any credit, refund, or balance on the Account.

6.4 Velox Media may waive any such fee in its sole and absolute discretion. Any such waiver in any particular case shall not constitute a waiver in any other case.

7. Cooperation with authorities and third parties

7.1 Velox Media shall cooperate with competent law-enforcement and regulatory authorities, with industry bodies (including, without limitation, the Internet Watch Foundation, the National Center for Missing and Exploited Children, INHOPE, the Global Internet Forum to Counter Terrorism, M3AAWG, and equivalent bodies), and with rightsholder programmes, in such manner as Velox Media shall consider appropriate and consistent with the Law Enforcement Guidelines and the Privacy Policy.

7.2 Velox Media may share Account, Content, and abuse-related information with upstream networks, data centre operators, payment processors, and abuse-intelligence services, where reasonably necessary for the purposes of investigating, preventing, or responding to abuse.

8. Survival, accrual of remedies, and amendments

8.1 The right of Velox Media to investigate, and to take any action under this AUP in respect of, any conduct shall accrue at the time of such conduct and shall survive any termination of the Services and of the Agreement.

8.2 The version of this AUP in force at the time of any conduct shall govern such conduct, irrespective of any subsequent amendment. Velox Media may amend this AUP at any time in accordance with clause 16 of the Agreement; no amendment shall reclassify retrospectively any conduct, but the right of Velox Media to enforce the provisions of this AUP in force at the time of any conduct shall be unaffected by any subsequent amendment.

Contact: [email protected] for abuse complaints; [email protected] for legal process.

Privacy Policy

Velox Media Inc. 301 Grant Street, Pittsburgh, PA 15219, United States [email protected]

Version: 2.1 Effective Date: 27 April 2026 Last Reviewed: 27 April 2026

This Privacy Policy describes the manner in which Velox Media Inc. (“Velox Media”, “we”, or “us”) collects, uses, retains, discloses, and safeguards information relating to identifiable individuals (“personal information”) in connection with the websites operated by Velox Media at veloxmedia.co.uk and at my.veloxmedia.co.uk, the opening and operation of an Account, and the provision of the Services. Capitalised terms used herein without definition shall have the meanings ascribed to them in the Terms of Service.

This Policy concerns personal information in respect of which Velox Media acts as a controller. Personal information that is stored, transmitted, or processed by you, the Customer, through your use of the Services, in respect of which Velox Media acts as a processor, shall be governed by the Data Processing Agreement and not by this Policy.

1. The controller

1.1 The controller of the personal information described herein is Velox Media Inc., a corporation organised under the laws of the United States, having its registered office at 301 Grant Street, Pittsburgh, Pennsylvania 15219.

1.2 Velox Media operates its own infrastructure across multiple territories, including (without limitation) the United States (East and West), the United Kingdom, the Netherlands, Poland, and Canada.

1.3 For the purposes of the United Kingdom General Data Protection Regulation and the General Data Protection Regulation of the European Union, the contact for individuals exercising rights under such laws is [email protected]. The details of any representative appointed under Article 27 of each such regulation are available on request to the same address.

1.4 The privacy team may be contacted at any time by email to [email protected] or by post to the address set out above marked for the attention of “Privacy”.

2. Categories of personal information collected

In connection with the Account, the Services, and the websites operated by Velox Media, the following categories of personal information may be collected:

(a) Identification, contact, and Account information, including the name, business name, address, country of residence and tax residence, telephone number, email address, account credentials (passwords being stored only in hashed and salted form), API keys and SSH keys (stored in encrypted form), preferences, and any other information furnished by an individual in connection with the establishment, operation, security, billing, support, or administration of the Account.

(b) Financial and transaction information, including payment-method details processed through Velox Media’s payment processors (Velox Media not itself storing complete card numbers; tokenised references being retained), billing and tax-residency information, tax identification numbers, transaction history, refund and chargeback history, and information returned by Velox Media’s payment processors and fraud-prevention providers in connection with any transaction.

(c) Order, Service, and configuration information, including the Services ordered, configurations selected, hostnames, address-space allocations, BGP advertisements, datacenter locations, renewal and cancellation history, and related technical information.

(d) Support and correspondence information, including support tickets, chat transcripts, recordings of calls (where calls are recorded, the individual being notified in advance), and survey responses or feedback.

(e) Verification, eligibility, and risk-assessment information, including any documents, certifications, attestations, declarations, or other materials furnished pursuant to sub-clause 2.1(d) of the Terms of Service or otherwise reasonably required by Velox Media for the purposes of confirming any matter set out in clause 2 of the Terms of Service, satisfying the requirements of any payment processor, network, registry, supplier, or insurer, preventing or detecting fraud, abuse, or sanctions risk, complying with any law, regulation, or legal process, or otherwise in connection with the proper administration of the Account or the Services. Such information may include (without limitation) government-issued identification, evidence of address, evidence of business registration, beneficial-ownership information, evidence of payment-method ownership, evidence of control of any domain or address space, age-confirmation information, results returned by third-party identity, age-assurance, sanctions, or politically-exposed-person screening providers, and information of analogous nature. Information falling within this paragraph (e) may, by reason of its nature, constitute special-category or sensitive personal information for the purposes of applicable data-protection law and shall be processed accordingly.

(f) Technical and device information, including the internet protocol address, device type, browser, operating system, language, and similar information collected when an individual interacts with the websites, the customer area, or the Services.

(g) Usage, log, and security information, including records of customer-area logins, two-factor authentication events, password changes, application-programming-interface calls, configuration changes, security alerts, and other events of operational significance.

(h) Operational and Service-related information, including bandwidth volumes, abuse signals, network telemetry, and other data generated, collected, retained, processed, or analysed by Velox Media in connection with the operation, security, integrity, billing, support, abuse-prevention, and lawful provision of the Services, including (without limitation) information of the kind referred to in sub-clause 4.2 of the Terms of Service. Such information may, by reason of its association with an Account or an individual, constitute personal information for the purposes of applicable data-protection law.

(i) Cookie and similar identifiers, as further described in the Cookie Policy.

(j) Information from third parties, including information from payment processors and fraud-prevention services (such as transaction outcomes and risk scores), from sanctions and politically-exposed-person screening services, from abuse-intelligence services and reputation providers, from publicly available sources (such as WHOIS records, business registries, and publicly available professional profiles), and from any affiliate, reseller, or partner introducing or referring an individual to Velox Media.

(k) Visitor information, in respect of visitors to the websites operated by Velox Media who have not opened an Account, including internet protocol address, device and browser information, page views, referring URL, and cookie identifiers as set out in the Cookie Policy.

3. Purposes for which personal information is processed and the bases of processing

The personal information identified at clause 2 above is processed for the purposes set out in the table below. Where the United Kingdom General Data Protection Regulation or the General Data Protection Regulation of the European Union (collectively, the “GDPR”) applies, the legal basis on which such processing is undertaken is identified.

A more detailed assessment of the legitimate-interest balancing exercise undertaken by Velox Media in respect of any of the foregoing purposes shall be made available on request.

4. Disclosure of personal information

4.1 Velox Media does not sell personal information. Velox Media may disclose personal information in the following circumstances:

(a) To service providers and processors. Velox Media engages a limited number of service providers in support of its operations. Current sub-processors are identified in the Sub-processor List and include payment processors, anti-fraud and identity-verification providers, transactional email providers, customer-support tooling, and analytics providers. Each such service provider is bound by contract to data-protection terms substantially equivalent to those set out herein.

(b) Within Velox Media. Personal information may be shared between Velox Media Inc. and any Affiliate for the purposes set out in this Policy, subject to internal access controls.

(c) To competent authorities and pursuant to legal process. Velox Media may disclose personal information where it considers in good faith that such disclosure is necessary or appropriate (i) to comply with any law, regulation, court order, subpoena, warrant, production order, regulatory direction, sanctions designation, or other legal process or request from any competent authority in any jurisdiction in which Velox Media operates; (ii) to enforce the Terms of Service or any Policy, including for the purposes of investigating and responding to abuse; (iii) to protect the rights, property, or safety of Velox Media, its customers, its employees, or any third party, including in cases of imminent risk to life or serious physical injury; or (iv) to prevent or address fraud, security incidents, or technical issues. Velox Media’s procedures for handling requests from law-enforcement and similar authorities are set out in the Law Enforcement Guidelines. Where Velox Media is not legally prohibited from doing so, Velox Media shall use reasonable efforts to notify the affected individual of any compelled disclosure of personal information so that such individual may seek a protective order, but Velox Media shall not be obliged to delay or refuse compliance to enable such an outcome.

(d) To industry bodies and abuse partners. Velox Media may share personal information with industry bodies and abuse partners (including, without limitation, the Internet Watch Foundation, the National Center for Missing and Exploited Children, INHOPE, the Global Internet Forum to Counter Terrorism, M3AAWG, Spamhaus, and equivalent bodies) where necessary to investigate, prevent, or respond to abuse, illegal content, or threats to network integrity.

(e) To affected third parties. Velox Media may share personal information with third parties affected by any abuse originating from an Account (for example, the operators of systems targeted by attacks from a Service), to the minimum extent necessary to enable such third parties to investigate or remediate.

(f) In connection with corporate transactions. Where Velox Media is involved in any merger, acquisition, restructuring, financing, sale of assets, or insolvency, personal information may be disclosed to prospective or actual counterparties and their advisers, subject to appropriate undertakings of confidentiality.

(g) With consent or at direction. Personal information may be disclosed to third parties at the direction of, or with the consent of, the relevant individual.

5. Retention

Personal information shall be retained for no longer than is necessary for the purposes for which it was collected. The default retention periods are set out in the table below.

Following the relevant period, personal information shall be securely deleted or anonymised, save where applicable law requires further retention.

6. International transfers

6.1 Velox Media operates infrastructure in multiple jurisdictions and is incorporated in the United States. Personal information may accordingly be transferred to, accessed from, and stored in countries other than the country of residence of the relevant individual, including the United States.

6.2 Where personal information is transferred from the United Kingdom or the European Economic Area to a country in respect of which no adequacy decision has been adopted by the United Kingdom or the European Commission (as applicable), Velox Media shall implement appropriate safeguards, including (without limitation):

(a) the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, modules 1 to 4 as applicable;

(b) the United Kingdom Addendum to the Standard Contractual Clauses, or the United Kingdom International Data Transfer Agreement, as applicable;

(c) such supplementary technical and organisational measures as Velox Media shall consider appropriate, including encryption in transit and at rest, access controls, and pseudonymisation; and

(d) such transfer-impact assessments as may be required, documented internally.

6.3 A summary of the safeguards applicable to any specific transfer shall be made available on request to [email protected].

7. Security

7.1 Velox Media implements technical and organisational measures appropriate to the nature, scope, context, and purposes of processing, including (without limitation):

(a) the encryption of communications between individuals and the websites, customer area, and application-programming interfaces, by means of Transport Layer Security;

(b) encryption at rest in respect of backups, the verification, eligibility, and risk-assessment information referred to in sub-clause 2(e), and Account credentials;

(c) role-based access control, with multi-factor authentication, for personnel access to systems containing personal information;

(d) network segmentation, firewalling, intrusion detection, and DDoS mitigation;

(e) the logging, alerting, and monitoring of access and security events;

(f) the screening, training, and confidentiality obligations of personnel;

(g) the periodic review of the security of suppliers; and

(h) documented procedures for incident response and breach notification.

7.2 No security measure can be perfect. Each individual is responsible for keeping the credentials of any Account confidential, for enabling two-factor authentication, and for notifying Velox Media without delay of any actual or suspected compromise.

8. Rights of individuals

Subject to the applicable law of the jurisdiction in which the individual is resident, the following rights may be exercised in relation to the personal information held by Velox Media.

8.1 Rights under the United Kingdom and European Union General Data Protection Regulations

(a) The right of access to the personal information held about the individual and to information about the processing thereof.

(b) The right of rectification of inaccurate or incomplete personal information.

(c) The right of erasure (“the right to be forgotten”) in certain circumstances.

(d) The right to restriction of processing in certain circumstances.

(e) The right of portability of personal information furnished by the individual, in a structured, commonly used, and machine-readable format.

(f) The right to object to processing undertaken on the basis of legitimate interests, and to object to direct marketing.

(g) The right to withdraw consent to any processing undertaken on the basis of consent, at any time, without affecting the lawfulness of processing prior to such withdrawal.

(h) The right not to be subject to automated decision-making producing legal effects or significantly affecting the individual.

(i) The right to lodge a complaint with a supervisory authority, including (in the United Kingdom) the Information Commissioner’s Office at ico.org.uk, and (in the European Economic Area) the supervisory authority of the relevant Member State.

8.2 Rights under the California Consumer Privacy Act

If you are a resident of California, you may exercise the following rights:

(a) the right to know the categories of personal information collected, used, disclosed, and (where applicable) sold or shared;

(b) the right of access to specific pieces of personal information collected about you in the preceding twelve (12) months (extendable upon request);

(c) the right to delete personal information collected from you, subject to such exceptions as are permitted by law;

(d) the right to correct inaccurate personal information;

(e) the right to opt out of the “sale” or “sharing” of personal information for cross-context behavioural advertising; for the avoidance of doubt, Velox Media does not sell or share personal information for cross-context behavioural advertising as those terms are defined in the said Act;

(f) the right to limit the use and disclosure of sensitive personal information to that which is necessary to perform the Services; and

(g) the right of non-discrimination for the exercise of any of the foregoing rights.

To submit a verifiable consumer request, you may email [email protected]. Velox Media shall verify your identity by reference to information already held in the Account; in the case of higher-risk requests, additional verification may be required. You may use an authorised agent, in which case Velox Media may require evidence of authorisation. Velox Media shall not be obliged to delete personal information that it is required by law to retain.

8.3 Rights under the laws of Canada

If you are resident in Canada, you may have rights of access and correction under the Personal Information Protection and Electronic Documents Act and any applicable provincial legislation. You may complain to the Office of the Privacy Commissioner of Canada at priv.gc.ca.

8.4 Rights under the laws of other jurisdictions

The laws of other jurisdictions in which Velox Media operates may grant additional rights. You may contact Velox Media to enquire about rights specific to your jurisdiction.

8.5 Exercise of rights

You may exercise any of the foregoing rights by emailing [email protected] with a description of your request and such information as is reasonably necessary to enable Velox Media to verify your identity. Velox Media shall respond within one (1) calendar month (in the case of rights under the United Kingdom and European Union General Data Protection Regulations) or forty-five (45) days (in the case of rights under the California Consumer Privacy Act), or such longer period as may be permitted by law. Where any request is manifestly unfounded, excessive, or repetitive, Velox Media may charge a reasonable fee or refuse the request.

9. Automated decision-making and profiling

9.1 Velox Media may use automated tools to assess risk in connection with the opening of any Account, the taking of any payment, and the detection of any abuse. Where any automated system identifies an Account as warranting further action, the resulting action (whether suspension, the request for further information under sub-clause 2.1(d) of the Terms of Service, or refusal to provision) shall ordinarily be subject to human review prior to becoming final, save in cases of imminent harm or where automatic action is necessary to protect the Services.

9.2 An individual may request human review of any decision, an explanation of its basis, and the opportunity to contest it, by emailing [email protected].

10. Children

The Services are intended for use by businesses and adult individuals. Velox Media does not knowingly collect personal information from children under the age of sixteen (16). Where Velox Media becomes aware that any such information has been collected, Velox Media shall delete it. Parents who believe that any such information has been provided to Velox Media may contact [email protected].

11. Cookies and similar technologies

The cookies and similar technologies used by Velox Media, and the choices available in respect thereof, are described in the Cookie Policy.

12. Amendments

This Policy may be amended in accordance with clause 16 of the Terms of Service. The current version shall be published at veloxmedia.co.uk/privacy-policy. Conduct occurring prior to the effective date of any amendment shall be governed by the version of this Policy in force at the time of such conduct.

13. Contact

This Privacy Policy was last reviewed on 27 April 2026.

Cookie Policy

Velox Media Inc.

Version: 2.1 Effective Date: 27 April 2026 Last Reviewed: 27 April 2026

This Cookie Policy describes the cookies and similar technologies employed by Velox Media Inc. (“Velox Media”, “we”, or “us”) on the websites operated by Velox Media at veloxmedia.co.uk and at my.veloxmedia.co.uk, and on any other website operated by Velox Media. This Policy supplements, and forms part of, the Privacy Policy.

1. Cookies and similar technologies

A cookie is a small text file deposited upon a device when a website is visited. Cookies enable the recognition of the device, the retention of preferences, the maintenance of authenticated sessions, the security of transactions, and the gathering of information regarding the use of the website. References herein to “cookies” shall include pixels, web beacons, local storage objects, HTML5 storage objects, and other technologies of equivalent function.

2. Categories of cookies

The cookies employed by Velox Media are classified into the four categories set out below. The cookies named in each category are accurate as at the date of the most recent review of this Policy; the live and current list shall be maintained in the consent banner and shall be accessible at any time by selecting “Cookie preferences” in the footer of the website.

2.1 Strictly necessary cookies

The following cookies are required for the operation of the website, the customer area, and the checkout process. Such cookies cannot be disabled.

2.2 Functional cookies

The following cookies enable enhanced functionality and personalisation. Such cookies shall be set only with consent.

2.3 Analytics cookies

The following cookies assist Velox Media in understanding the manner in which visitors use the website, with a view to its improvement. Such cookies shall be set only with consent.

The Google Analytics advertising features are not enabled. Google Analytics is not linked to Google Ads. Google Analytics has been configured so as to anonymise internet protocol addresses and to exclude the export of server-side data to Google for the purposes of advertising.

2.4 Marketing and advertising cookies

Velox Media does not at present set any cookie of this category. Should any such cookie be added in future, this Policy shall be updated and no such cookie shall be set otherwise than with consent.

3. Choices

3.1 Upon a first visit to the website, a consent banner shall be presented. The visitor may accept all cookies, reject all cookies (other than strictly necessary cookies), or select categories.

3.2 The visitor may at any time amend the choices so made by selecting “Cookie preferences” in the footer of the website.

3.3 The visitor may also block or delete cookies by means of the visitor’s browser settings. Such action may affect the operation of the website and the customer area.

3.4 In respect of Google Analytics, the visitor may install the Google Analytics opt-out browser add-on, available at https://tools.google.com/dlpage/gaoptout.

3.5 In respect of interest-based advertising more generally, the visitor may have recourse to https://www.aboutads.info/choices and https://www.youronlinechoices.eu (where available in the visitor’s country).

4. Do Not Track and Global Privacy Control

Velox Media honours the Global Privacy Control signal as a request to opt out of the “sale” or “sharing” of personal information for the purposes of the California Consumer Privacy Act. As Velox Media does not sell or share personal information for the purposes of cross-context behavioural advertising, the practical effect of any such signal in respect of the website shall be confined to the disabling of non-essential cookies for the duration of the visit.

Velox Media does not at present respond to legacy “Do Not Track” headers, no consensus standard for such headers having been established.

5. Third-party cookies and links

The consent mechanism described herein controls cookies set by Velox Media. Third-party services to which Velox Media links or which Velox Media embeds (including (without limitation) Stripe checkout and Cloudflare security challenges) may set cookies of their own for the purposes of security and fraud prevention. Such cookies are listed above as strictly necessary, the services they support being required for the proper operation of the website and the Services.

6. Amendments

This Policy may be amended in accordance with clause 16 of the Terms of Service. The current version shall be published at veloxmedia.co.uk/cookie-policy. Any material amendment shall be notified through the consent banner.

7. Contact

Enquiries in respect of this Policy or the cookies employed by Velox Media may be addressed to [email protected].

This Cookie Policy was last reviewed on 27 April 2026.

Data Processing Agreement

Velox Media Inc.

Version: 2.1 Effective Date: 27 April 2026 Last Reviewed: 27 April 2026

This Data Processing Agreement (the “DPA”) is entered into between Velox Media Inc. (“Velox Media”) and the Customer and forms part of, and is incorporated by reference into, the Terms of Service. Capitalised terms not defined herein shall have the meanings ascribed to them in the Terms of Service or in the Data Protection Laws (as defined below).

This DPA shall apply to such Processing of Customer Personal Data as is undertaken by Velox Media on behalf of the Customer in connection with the Services. Such Processing of personal information about the Customer (and the Customer’s representatives) as is undertaken by Velox Media in its capacity as a controller (including (without limitation) for the purposes of billing, account administration, fraud prevention, sanctions screening, and the verification of any matter referred to in clause 2 of the Terms of Service) shall be governed by the Privacy Policy and not by this DPA.

1. Definitions

1.1 In this DPA, unless the context otherwise requires:

(a) “Data Protection Laws” means all data-protection and privacy laws applicable to the Processing of Personal Data hereunder, including (without limitation):

(i) Regulation (EU) 2016/679 of the European Parliament and of the Council (the “EU GDPR”);

(ii) the General Data Protection Regulation as incorporated into the law of the United Kingdom by the Data Protection Act 2018 (the “UK GDPR”);

(iii) the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (the “CCPA”);

(iv) the Personal Information Protection and Electronic Documents Act of Canada (“PIPEDA”); and

(v) any other equivalent law of any jurisdiction in which Velox Media Processes Personal Data hereunder.

(b) “Personal Data”, “Controller”, “Processor”, “Sub-processor”, “Data Subject”, “Processing”, and “Personal Data Breach” shall bear the meanings respectively ascribed to them in the EU GDPR. References to “Business”, “Service Provider”, “Sale”, and “Share” shall bear the meanings respectively ascribed to them in the CCPA.

(c) “Customer Personal Data” means Personal Data which the Customer (or any end user of the Customer) stores, transmits, or otherwise Processes by means of the Services and in respect of which Velox Media acts as a Processor.

(d) “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

(e) “UK Addendum” means the International Data Transfer Addendum to the SCCs issued by the Information Commissioner under section 119A of the Data Protection Act 2018.

2. Roles and scope

2.1 In respect of Customer Personal Data, the Customer shall act as the Controller (or, where the Customer itself acts as a Processor for any third-party Controller, as the Processor) and Velox Media shall act as the Processor (or Sub-processor, as the case may be).

2.2 Each party shall comply with its obligations under the Data Protection Laws.

2.3 The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects to which this DPA relates are set out in Annex I.

3. Obligations of Velox Media as Processor

Velox Media shall:

(a) Process on documented instructions. Process Customer Personal Data only upon the documented instructions of the Customer (including in respect of any transfer to any third country), save where required to do otherwise by any law to which Velox Media is subject (in which case Velox Media shall, prior to any such Processing, inform the Customer of the relevant requirement, save where the said law prohibits such notice on important grounds of public interest). The Terms of Service, this DPA, the configurations selected by the Customer through the Services, and the reasonable use by the Customer of the Services shall constitute such documented instructions. Velox Media shall inform the Customer where, in its opinion, any instruction infringes any of the Data Protection Laws.

(b) Confidentiality. Procure that any person authorised to Process Customer Personal Data shall be bound by an appropriate obligation of confidentiality.

(c) Security. Implement appropriate technical and organisational measures, having regard to the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risks of varying likelihood and severity to the rights and freedoms of natural persons. The current measures are summarised in Annex II.

(d) Sub-processors. Engage any Sub-processor only in accordance with clause 5 hereof.

(e) Assistance with Data Subject rights. Taking into account the nature of the Processing, assist the Customer, by appropriate technical and organisational measures and insofar as is possible, in the discharge of the Customer’s obligations to respond to requests from Data Subjects exercising their rights. The Customer acknowledges that Velox Media supplies infrastructure and does not have access in the ordinary course to the application data of the Customer, and that the Customer is in most cases best placed to action any request from a Data Subject directly.

(f) Assistance with Controller obligations. Assist the Customer in ensuring compliance with Articles 32 to 36 of the EU GDPR (relating to security, breach notification, data-protection impact assessment, and prior consultation), having regard to the nature of the Processing and the information available to Velox Media.

(g) Notification of Personal Data Breaches. Notify the Customer without undue delay, and in any event within forty-eight (48) hours, after Velox Media becomes aware of any Personal Data Breach affecting Customer Personal Data. The notification shall describe, to the extent then known, the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed.

(h) Deletion or return on termination. Upon termination of the Services, at the choice of the Customer, delete or return all Customer Personal Data and delete any existing copies, save where retention is required by any law to which Velox Media is subject. In the absence of any election by the Customer, Velox Media shall securely delete all such Customer Personal Data within thirty (30) days following the effective date of termination, with backups being overwritten in the ordinary course (typically within a further ninety (90) days).

(i) Records and audit. Make available to the Customer such information as is necessary to demonstrate compliance with the obligations set out in this clause 3, and permit and contribute to audits in accordance with clause 7 hereof.

4. Obligations of the Customer as Controller

The Customer shall:

(a) ensure that there is, and that there shall continue to be, a valid lawful basis for the Processing of Customer Personal Data, and that all required notices have been given and consents obtained;

(b) be solely responsible for the accuracy, quality, and lawfulness of the Customer Personal Data and the means by which the Customer acquired the same;

(c) configure the Services, and use any security feature made available by Velox Media, in a manner appropriate to the sensitivity of the Customer Personal Data;

(d) comply with the Customer’s own obligations to respond to Data Subject requests and to authorities;

(e) refrain from providing to Velox Media any special-category or sensitive Personal Data save where the Customer has implemented appropriate additional safeguards; and

(f) refrain from using the Services in any manner requiring Velox Media to obtain any registration, licence, or authorisation that it does not hold.

5. Sub-processors

5.1 The Customer hereby authorises Velox Media to engage the Sub-processors identified in the Sub-processor List (as updated from time to time) for the purposes set out therein.

5.2 Velox Media shall impose upon each Sub-processor obligations no less protective than those set out herein.

5.3 Velox Media shall give the Customer not less than thirty (30) days’ prior notice of the engagement of any new Sub-processor or any material change to any existing Sub-processor, by means of an update to the Sub-processor List and notification to the Customer through the customer area or by email if the Customer has subscribed to notifications of Sub-processor changes.

5.4 The Customer may object to any new or changed Sub-processor on reasonable grounds of data protection within thirty (30) days following such notice. The parties shall discuss any such objection in good faith. Where the parties cannot resolve the objection within thirty (30) days, the Customer shall be entitled, as the Customer’s sole remedy, to terminate the affected Service in respect of the unused portion of the prepaid term and to receive a pro rata refund of any prepaid fees in respect thereof.

5.5 Velox Media shall remain liable for the acts and omissions of its Sub-processors as if such acts and omissions were its own.

6. International transfers

6.1 The Customer hereby authorises Velox Media to transfer Customer Personal Data to, and to Process Customer Personal Data in, any jurisdiction in which Velox Media, any Affiliate, or any Sub-processor operates, including (without limitation) the United States, the United Kingdom, the European Economic Area, Canada, and any datacenter location selected by the Customer.

6.2 Where any Customer Personal Data originating in the European Economic Area is transferred to a country in respect of which no adequacy decision has been adopted by the European Commission, the parties hereby agree to be bound by the SCCs, on the following bases:

(a) Module Two (Controller to Processor) shall apply where the Customer is the Controller;

(b) Module Three (Processor to Sub-processor) shall apply where the Customer is itself a Processor;

(c) Clause 7 of the SCCs (the docking clause) shall not be incorporated;

(d) Clause 9(a) of the SCCs shall be incorporated as Option 2 (general written authorisation), the period for prior notice of any change to Sub-processors being that set out in sub-clause 5.3 hereof;

(e) Clause 11(a) of the SCCs: the optional language relating to independent dispute resolution shall not be incorporated;

(f) Clause 17 of the SCCs: the SCCs shall be governed by the law of the Republic of Ireland;

(g) Clause 18(b) of the SCCs: the parties select the courts of the Republic of Ireland; and

(h) Annexes I, II, and III of the SCCs shall be populated by reference to Annexes I, II, and III hereof.

6.3 Where any Customer Personal Data originating in the United Kingdom is transferred to a country in respect of which no adequacy decision has been adopted by the United Kingdom, the parties hereby agree to be bound by the UK Addendum, with Tables 1 to 4 of the UK Addendum populated by reference to this DPA, the SCCs as adopted in sub-clause 6.2 hereof, and the relevant Annexes. In the event of any conflict, the UK Addendum shall prevail in respect of transfers from the United Kingdom.

6.4 Where required by Swiss data-protection law, references in the SCCs to “Member State” shall be read so as to include Switzerland, and references to the EU GDPR shall be read so as to include the Federal Act on Data Protection of Switzerland.

6.5 Velox Media has carried out, and shall keep under review, transfer-impact assessments addressing the considerations identified in the judgement of the Court of Justice of the European Union in Data Protection Commissioner v Facebook Ireland and Schrems (Case C-311/18). A summary of any such assessment shall be made available on request.

7. Audit

7.1 Velox Media shall, on reasonable written request, make available to the Customer:

(a) the most recent independent third-party audit reports or certifications relevant to the Services (where available);

(b) a written response to a reasonable security questionnaire (no more than once per year, save where required by law or following a Personal Data Breach affecting the Customer); and

(c) responses to such reasonable written questions as are necessary to demonstrate compliance with this DPA.

7.2 Where the information furnished pursuant to sub-clause 7.1 is insufficient and the Customer is required by the Data Protection Laws to conduct a more detailed audit, the Customer may, on not less than thirty (30) days’ written notice and no more than once per year (save where required by law or following a confirmed Personal Data Breach affecting the Customer), conduct an audit of the Processing by Velox Media of Customer Personal Data, in cooperation with Velox Media. Such audit shall:

(a) be conducted during business hours;

(b) not unreasonably interfere with the operations of Velox Media;

(c) be carried out by the Customer or by an independent, qualified third-party auditor approved by Velox Media (such approval not to be unreasonably withheld);

(d) be subject to obligations of confidentiality binding upon the auditor; and

(e) be at the expense of the Customer, save where the audit reveals a material breach by Velox Media of this DPA, in which case Velox Media shall bear the reasonable cost.

7.3 Velox Media shall not be required to disclose any information the disclosure of which would compromise the security or confidentiality of any other customer, or which is subject to legal privilege or to any non-disclosure obligation.

8. Liability

8.1 The liability of each party arising under or in connection with this DPA shall be subject to the limitations and exclusions of liability set out in the Terms of Service.

8.2 Where the parties are bound by the SCCs, the liability of the parties under the SCCs shall, to the maximum extent permitted by law, be subject to such limitations and exclusions; this sub-clause shall not affect the rights of any Data Subject under clause 12 of the SCCs.

9. Term and termination

This DPA shall apply with effect from the date of acceptance of the Terms of Service and shall continue for so long as Velox Media Processes any Customer Personal Data. The clauses hereof which by their nature should survive any termination (including (without limitation) sub-clauses 3(g), 3(h), 6, 7, and 8) shall so survive.

10. General

10.1 In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail in respect of the Processing of Customer Personal Data. In the event of any conflict between this DPA and the SCCs (or the UK Addendum), the SCCs (or the UK Addendum, as the case may be) shall prevail in respect of the Processing they govern.

10.2 Velox Media may amend this DPA in accordance with clause 16 of the Terms of Service. Any amendment which materially diminishes the protection afforded to Customer Personal Data shall be notified not less than thirty (30) days in advance and shall give the Customer the right to object and to terminate as provided in sub-clause 5.4 hereof.

10.3 Notices hereunder: to Velox Media, at [email protected]; to the Customer, at the address recorded on the Account.

Annex I — Description of the Processing

A. List of parties

Data Exporter: the Customer (being the entity which has accepted the Terms of Service). Data Importer: Velox Media Inc., 301 Grant Street, Pittsburgh, Pennsylvania 15219, United States. Contact (Importer): [email protected].

B. Description of transfer

C. Competent supervisory authority

For transfers from the European Economic Area, the competent supervisory authority is the Data Protection Commission of Ireland (selected pursuant to clause 13(a)(ii) of the SCCs). For transfers from the United Kingdom, the competent authority is the Information Commissioner’s Office of the United Kingdom.

Annex II — Technical and organisational measures

Velox Media implements the measures set out below, as appropriate to the nature, scope, context, and purposes of Processing and proportionate to the risk:

Pseudonymisation and encryption. Transport Layer Security version 1.2 or higher in respect of data in transit; encryption at rest in respect of management-plane systems, verification information, backups, and Account credentials.

Confidentiality. Role-based access control with multi-factor authentication for personnel access to systems containing Personal Data; principles of least privilege; segregation of duties; and a documented joiner-mover-leaver process.

Integrity. Change management with code review and approval; cryptographic verification of software updates; and tamper-evident logging.

Availability and resilience. Redundant power, networking, and storage in respect of operated facilities; DDoS mitigation; backup and recovery procedures; capacity management; and an incident-response plan tested at least annually.

Restoration. Documented backup and disaster-recovery procedures; tested restoration; and defined recovery-time and recovery-point objectives.

Testing and evaluation. Periodic vulnerability scanning, patching, security review, and penetration testing of the management plane.

Personnel security. Background checks proportionate to the role and to local law; undertakings of confidentiality; and security and privacy training.

Physical security. Access control, monitoring, and environmental controls in respect of operated facilities.

Sub-processor management. Due-diligence assessment, contractual obligations equivalent to those set out herein, and ongoing monitoring.

Logging. Audit logging of administrative access, security-relevant events, and changes to access rights.

Incident response. Documented incident-response procedures with defined notification timelines, and periodic tabletop exercises.

Data minimisation and retention. Documented retention schedules, with secure deletion or anonymisation upon expiry.

A more detailed description of the foregoing measures shall be made available to the Customer under appropriate undertakings of confidentiality, on request to [email protected].

Annex III — List of Sub-processors

The current Sub-processor List, as published at veloxmedia.co.uk/sub-processors, forms part of, and is incorporated by reference into, this DPA.

This DPA was last reviewed on 27 April 2026.

Sub-processor List

Velox Media Inc.

Version: 2.1 Effective Date: 27 April 2026 Last Reviewed: 27 April 2026

This Sub-processor List forms part of, and is incorporated by reference into, the Data Processing Agreement (the “DPA”) between Velox Media Inc. (“Velox Media”) and the Customer. It identifies the Sub-processors engaged by Velox Media in connection with the Processing of Customer Personal Data, together with the purposes for which each is engaged. Velox Media shall give the Customer not less than thirty (30) days’ notice of any change hereto in accordance with sub-clause 5.3 of the DPA. Capitalised terms not defined herein shall bear the meanings ascribed to them in the DPA.

Velox Media operates its own infrastructure in the United States (East and West), the United Kingdom, the Netherlands, Poland, and Canada. The operators of the underlying physical facilities at which such infrastructure is located do not access Customer Personal Data in the ordinary course and are therefore not Sub-processors for the purposes of the DPA, being instead engaged on the basis of colocation contracts and not authorised to access Customer Personal Data.

Sub-processors

Subscription to changes

To receive electronic mail notification of changes to this Sub-processor List, log in to the customer area at my.veloxmedia.co.uk, navigate to Profile → Notifications, and enable Sub-processor updates.

Past versions

Past versions of this Sub-processor List shall be made available on request to [email protected].

Change history

The following table records the changes made to this Sub-processor List. The current list is set out above; the entries below are retained for the purposes of audit and to comply with sub-clause 5.3 of the Data Processing Agreement.

Future entries shall record, in respect of each change: the addition or removal of any Sub-processor; any material change to the description, location of Processing, or category of personal information of any Sub-processor; the date upon which the change took effect; and the date upon which notice was given to Customers in accordance with sub-clause 5.3 of the Data Processing Agreement.

This Sub-processor List was last reviewed on 27 April 2026.

Service Level Agreement

Velox Media Inc.

Version: 2.1 Effective Date: 27 April 2026 Last Reviewed: 27 April 2026

This Service Level Agreement (the “SLA”) forms part of, and is incorporated by reference into, the Terms of Service entered into between Velox Media Inc. (“Velox Media”) and the Customer. The regime of service credits set out herein constitutes the sole and exclusive remedy of the Customer in respect of any failure to meet the service levels set out herein. Capitalised terms not defined herein shall bear the meanings ascribed to them in the Terms of Service.

1. Network and host availability

1.1 Velox Media commits, in respect of each Service, to a target of ninety-nine point nine per cent. (99.9%) monthly availability of:

(a) its core network (“Network Availability”); and

(b) the hypervisor underlying each virtual server of the Customer (“Host Availability”).

1.2 A Service shall be regarded as “Available” where it responds to standard ICMP and TCP probes from the monitoring infrastructure of Velox Media located outside its network. A Service shall be regarded as “Unavailable” where, for a continuous period of not less than five (5) minutes, the Service is not Available, the cause is within the reasonable control of Velox Media, and the cause does not fall within any exclusion set out in clause 3 hereof.

1.3 Availability shall be calculated separately in respect of each Service per calendar month, on the following formula:

Availability % = (Total minutes − Excluded minutes − Unavailable minutes) / (Total minutes − Excluded minutes) × 100

2. Support response times

The foregoing represent targets for response, not for resolution. Velox Media shall use reasonable efforts to resolve in proportion to severity.

3. Exclusions from the SLA

The following events shall not give rise to any liability under this SLA and the periods to which they relate shall be excluded from the calculation of availability:

(a) Scheduled maintenance, in respect of which Velox Media has given not less than forty-eight (48) hours’ prior notice through the customer area, the status page, or by email, and which does not exceed the duration stated in the notice.

(b) Emergency maintenance required for the purposes of addressing security vulnerabilities, threats to network integrity, or critical infrastructure issues. Velox Media shall give such notice as is reasonably practicable in the circumstances.

(c) Force majeure, as defined in the Terms of Service.

(d) Acts or omissions of the Customer or of any end user of the Customer, including (without limitation) misconfiguration, exhaustion of resource quotas, expiry of payment, breach of the Acceptable Use Policy, or installation of incompatible software.

(e) DDoS attacks targeting the Customer or affecting the Customer’s Service, including any time spent in mitigation, null-routing, or scrubbing.

(f) Any suspension under the Terms of Service or the Acceptable Use Policy.

(g) Failure or interruption of upstream networks, peering, transit, registries, certificate authorities, or any other third party beyond the reasonable control of Velox Media.

(h) Failure of any software or configuration supplied or installed by the Customer, including (without limitation) operating system, applications, scripts, control panels, and third-party plugins.

(i) Domain name resolution issues, where the affected domain is not under the authoritative DNS of Velox Media.

(j) Beta, trial, or experimental services, where designated as such.

4. Service credits

4.1 Where the Availability of an eligible Service falls below ninety-nine point nine per cent. (99.9%) in any calendar month, the Customer may claim a service credit calculated against the monthly recurring fee for the affected Service, on the following scale:

4.2 Service credits shall be applied to the balance of the Account and may be set off against future invoices. Service credits shall not be refundable in cash and shall not be capable of being transferred or assigned.

4.3 The total credit issued in any single calendar month shall not exceed one hundred per cent. (100%) of the monthly recurring fee for the affected Service.

4.4 Service credits shall constitute the sole and exclusive remedy in respect of any failure to meet the SLA, to the maximum extent permitted by law.

5. Procedure for claims

5.1 The Customer shall, in order to claim any service credit:

(a) submit a ticket within the customer area within thirty (30) days following the end of the calendar month to which the claim relates, with the subject “SLA Credit Request”;

(b) state the affected Service, the dates and times of the alleged Unavailability, and any supporting evidence (including any third-party monitoring exports or ticket references); and

(c) be in good standing, having no outstanding invoices and no current suspension for breach of the Terms of Service or the Acceptable Use Policy.

5.2 Velox Media shall respond to any properly submitted claim within fourteen (14) days. The monitoring records of Velox Media shall be determinative for the purposes of any calculation of Availability, save where compelling evidence to the contrary is presented.

6. Backups and the integrity of data

6.1 The Customer shall be solely responsible for the maintenance of backups of the Customer’s data, including (without limitation) the operating system, applications, and content. Where Velox Media offers any backup add-on, such service is offered on a best-efforts basis and shall not displace the foregoing obligation of the Customer.

6.2 Velox Media shall not be liable hereunder, under the Terms of Service, or under any other Policy in respect of any loss of, or corruption of, the Customer’s data.

7. Amendments

This SLA may be amended from time to time in accordance with clause 16 of the Terms of Service.

This SLA was last reviewed on 27 April 2026.

DMCA and Copyright Policy

Velox Media Inc.

Version: 2.1 Effective Date: 27 April 2026 Last Reviewed: 27 April 2026

Velox Media Inc. (“Velox Media”) respects the intellectual-property rights of others and expects the Customer and the Customer’s end users to do likewise. This Policy describes the manner in which Velox Media handles claims of copyright infringement under the Digital Millennium Copyright Act of the United States, codified at 17 U.S.C. § 512 (the “DMCA”), and equivalent legislative regimes in other jurisdictions in which Velox Media operates, including the Copyright, Designs and Patents Act 1988 and the Online Safety Act 2023 of the United Kingdom and the Directive 2000/31/EC and the Digital Services Act (Regulation (EU) 2022/2065) of the European Union.

This Policy forms part of, and is incorporated by reference into, the Terms of Service and the Acceptable Use Policy.

1. Designated Copyright Agent

Notices of claimed infringement under the DMCA shall be addressed to the Designated Copyright Agent of Velox Media:

Designated Copyright Agent — Velox Media Inc. Attn: DMCA Agent Velox Media Inc., 301 Grant Street, Pittsburgh, Pennsylvania 15219, United States Email: [email protected]

The Designated Copyright Agent is registered with the United States Copyright Office in accordance with 17 U.S.C. § 512(c)(2); the registration may be searched at https://dmca.copyright.gov/.

In respect of complaints of copyright infringement arising under the law of the United Kingdom, the European Union, or any other jurisdiction, the same address and electronic mail address may be used; the subject line should bear the words “Copyright complaint — non-DMCA” and should identify the country whose law is relied upon.

2. Notices of claimed infringement

A notice of claimed infringement under the DMCA shall be in writing and shall include substantially the following:

(a) a physical or electronic signature of the owner of the copyright, or of a person authorised to act on behalf of the owner thereof;

(b) identification of the copyrighted work alleged to have been infringed (or, where multiple works are involved, a representative list);

(c) identification of the material alleged to be infringing or the subject of infringing activity, in sufficient detail (URL, internet protocol address, hostname, or file path) to enable Velox Media to locate it;

(d) the contact information of the complainant (name, address, telephone number, and electronic mail address);

(e) a statement that the complainant has a good-faith belief that the use of the material in the manner complained of is not authorised by the owner, by the owner’s agent, or by law; and

(f) a statement that the information contained in the notice is accurate, and under penalty of perjury, that the complainant is authorised to act on behalf of the owner of an exclusive right alleged to have been infringed.

A notice that is materially incomplete may be returned without action.

The submission of any knowingly false notice under 17 U.S.C. § 512(f) may give rise to liability for damages, including costs and reasonable attorneys’ fees. Notices should be submitted only where well-founded.

3. Action by Velox Media

3.1 Upon receipt of any substantially compliant notice, Velox Media shall, in accordance with the DMCA and equivalent law:

(a) acknowledge receipt to the complainant;

(b) act expeditiously to remove or disable access to the material alleged to be infringing, or require the affected Customer to do so within such short period as Velox Media shall stipulate;

(c) notify the affected Customer of the complaint and provide a copy of the notice (with such redaction of the personal information of the complainant as the law may require); and

(d) record the complaint for the purposes of clause 5 hereof (concerning repeat infringers).

3.2 Where the affected Service consists of a hosted website, virtual server, or storage volume, Velox Media may, in its sole and absolute discretion and according to the circumstances:

(a) notify the Customer and require the Customer to remove the material within twenty-four (24) hours;

(b) restrict access to the affected URL, internet protocol address, or directory; or

(c) suspend the affected Service.

3.3 Velox Media reserves the right to act prior to any response from the Customer where the material appears unmistakably infringing, where there is a risk of significant harm, or where the law requires immediate action.

4. Counter-notices

4.1 A Customer in receipt of any notice that material has been removed pursuant to clause 3 hereof may submit a counter-notice. A counter-notice shall include substantially the following:

(a) the physical or electronic signature of the Customer;

(b) identification of the material that has been removed and of the location at which it appeared prior to removal;

(c) a statement, under penalty of perjury, that the Customer has a good-faith belief that the material was removed by mistake or as a result of misidentification;

(d) the name, address, and telephone number of the Customer; and

(e) a statement that the Customer consents to the jurisdiction of the federal district court for the judicial district in which the Customer is located (or, where the Customer is located outside the United States, of the federal district court for any judicial district in which Velox Media may be found), and that the Customer shall accept service of process from the complainant or its agent.

4.2 Upon receipt of any substantially compliant counter-notice, Velox Media shall forward the same to the complainant. Where Velox Media does not receive notice within ten (10) to fourteen (14) business days that the complainant has commenced an action seeking a court order against the Customer, Velox Media may restore the material in accordance with the DMCA.

4.3 Velox Media shall be under no obligation to evaluate the merits of any notice or counter-notice and may decline to restore any material in any case where, in Velox Media’s sole and absolute discretion, restoration would expose Velox Media to risk under the Acceptable Use Policy, the Trust & Safety Policy, or any law.

5. Repeat infringers

In accordance with 17 U.S.C. § 512(i), Velox Media maintains a policy of terminating, in appropriate circumstances, the Accounts of Customers who are repeat infringers. The presumptive thresholds are as follows:

(a) a single notice involving particularly egregious or systematic infringement may result in immediate termination;

(b) three (3) or more substantiated notices within any twelve (12)-month period shall ordinarily result in the termination of the affected Service; and

(c) five (5) or more substantiated notices within any twenty-four (24)-month period shall ordinarily result in the termination of the Account.

Velox Media may apply or depart from the foregoing thresholds in any individual case, in its sole and absolute discretion.

6. Trademark and other intellectual-property complaints

In respect of any complaint concerning trademarks, patents, designs, database rights, trade secrets, rights of publicity, or any other intellectual-property right, the complainant should contact [email protected] with full particulars, including the right relied upon, the basis for the complainant’s ownership of, or authority to act in respect of, the right, and the location of the offending material. Velox Media shall respond as it considers appropriate, including (without limitation) by requiring the Customer to remove or modify the material, by restricting access, or by terminating the Service.

7. Cooperation under the Digital Services Act of the European Union

In respect of any complaint of copyright infringement arising under the Digital Services Act of the European Union, the complainant may also use the contact and notice-and-action mechanism described in the Trust & Safety Policy. The DSA process and the DMCA process operate independently; Velox Media may apply the more protective standard.

8. Amendments

This Policy may be amended in accordance with clause 16 of the Terms of Service.

This DMCA and Copyright Policy was last reviewed on 27 April 2026.

Trust & Safety Policy

Velox Media Inc.

Version: 2.1 Effective Date: 27 April 2026 Last Reviewed: 27 April 2026

This Trust & Safety Policy describes the manner in which Velox Media Inc. (“Velox Media”) handles complaints, reports of illegal content, and risks to users in connection with the Services. This Policy further constitutes the notice-and-action mechanism of Velox Media for the purposes of Article 16 of the Digital Services Act of the European Union (Regulation (EU) 2022/2065, the “DSA”), and supports compliance with the Online Safety Act 2023 of the United Kingdom and equivalent law.

This Policy forms part of, and is incorporated by reference into, the Terms of Service and the Acceptable Use Policy. In respect of complaints of copyright infringement, see further the DMCA and Copyright Policy; in respect of requests from law-enforcement and similar authorities, see the Law Enforcement Guidelines.

1. Single point of contact (Articles 11 and 12 DSA)

The authorities of any Member State of the European Union, the European Commission, the European Board for Digital Services, and other public bodies may communicate with Velox Media at the foregoing addresses, and may expect a response within the timeframes prescribed by the DSA.

2. Reporting of illegal content (Article 16 DSA notice-and-action)

2.1 Any person may submit a notice that any specific item hosted on the Services is alleged to constitute illegal content. Such notices should be addressed to [email protected] and should include:

(a) a sufficiently substantiated explanation of the basis on which the notifier alleges that the information is illegal content (including the law alleged to be contravened and the relevant jurisdiction);

(b) a clear indication of the precise electronic location of the information (URL, internet protocol address, or file path);

(c) the name and electronic mail address of the notifier (anonymous notices being accepted in respect of content alleged to be CSAM, terrorist content, or to give rise to any imminent threat to life); and

(d) a statement of good faith that the information and allegations contained in the notice are accurate and complete.

2.2 The submission of a notice in accordance with this clause shall be regarded as giving Velox Media actual knowledge of the allegedly illegal content for the purposes of Articles 6 and 16 of the DSA, but shall not of itself determine whether the content is illegal.

2.3 Velox Media shall:

(a) confirm receipt of the notice without undue delay where contact details have been provided;

(b) evaluate the notice and the content in a timely, diligent, non-arbitrary, and objective manner;

(c) take action against the content where it is illegal or contravenes the Acceptable Use Policy, in accordance with clause 4 hereof;

(d) inform the notifier of the decision and of the redress available; and

(e) inform the affected Customer of the decision and of the redress available, in accordance with clause 5 hereof.

3. Categories of illegal content and targets for action

The foregoing represent targets and not contractual commitments. Velox Media may act in any case more or less rapidly according to the circumstances.

4. Action that Velox Media may take

Velox Media may, in its sole and absolute discretion and consistent with the Acceptable Use Policy and the Terms of Service:

(a) leave the content in place where the notice is unfounded;

(b) require the Customer to remove the content within a stated period;

(c) restrict access to specific URLs, files, or addresses;

(d) suspend the affected Service or Account;

(e) terminate the affected Service or Account;

(f) preserve evidence and report to law enforcement, to the National Center for Missing and Exploited Children, to the Internet Watch Foundation, to INHOPE, to the Global Internet Forum to Counter Terrorism, or to any other competent body; or

(g) take any combination of the foregoing.

The fee schedule contained in the Acceptable Use Policy shall apply as appropriate.

5. Statement of reasons (Article 17 DSA)

5.1 Where Velox Media restricts the visibility of, removes, suspends or terminates a Service or Account in respect of, or otherwise takes any content-restriction action against the Customer in respect of any specific content, Velox Media shall provide to the Customer a clear and specific statement of reasons including, as applicable:

(a) whether the decision involves removal, restriction of visibility, suspension, or termination, and the territorial scope thereof;

(b) the facts and circumstances relied upon;

(c) where applicable, the use of any automated means in the decision;

(d) where the decision concerns alleged illegal content, a reference to the legal ground relied upon and an explanation of why the content is considered to be illegal;

(e) where the decision concerns alleged incompatibility with the Acceptable Use Policy or the Terms of Service, a reference to the contractual ground relied upon and an explanation; and

(f) the redress available to the Customer.

5.2 Where Velox Media is a covered hosting provider for the purposes of the DSA, statements of reasons shall be submitted to the transparency database maintained by the European Commission in the manner required.

6. Internal complaint-handling and out-of-court dispute settlement

6.1 A Customer in respect of whom any content-restriction decision has been made may appeal by replying to the statement of reasons within six (6) months. Velox Media shall review any such appeal in a timely, non-discriminatory, and diligent manner and shall inform the Customer of the outcome.

6.2 A Customer established in the European Union shall further have the right to refer disputes to a certified out-of-court dispute settlement body pursuant to Article 21 of the DSA. Velox Media shall engage in good faith but the decision of any such body shall not be binding upon Velox Media save where the law so requires.

6.3 The judicial rights of the Customer at law are reserved.

7. Trusted flaggers (Article 22 DSA)

Velox Media shall give priority to notices submitted by entities granted “trusted flagger” status by a Digital Services Coordinator. Notices from trusted flaggers shall be processed within the targets set out in clause 3 hereof and shall be afforded the higher end of priority.

8. Misuse of notice and complaint mechanisms (Article 23 DSA)

Velox Media may suspend, for a reasonable period and after warning, the processing of notices submitted by any person or entity which frequently submits manifestly unfounded notices, and may suspend the Account of any Customer which frequently provides manifestly illegal content. The decision to suspend shall have regard to the volume, the nature, and the consequences of the misuse, and to any explanation provided.

9. Child safety and CSAM

9.1 Velox Media shall not tolerate the presence of CSAM upon the Services. CSAM shall be reported to the National Center for Missing and Exploited Children (under 18 U.S.C. § 2258A where Velox Media obtains actual knowledge while subject to the jurisdiction of the United States) and to the Internet Watch Foundation (in respect of reporting in the United Kingdom), and shall be referred to law-enforcement as appropriate.

9.2 Velox Media may participate in industry hash-sharing initiatives where appropriate and may employ automated detection in respect of indicators of CSAM in administrative metadata.

9.3 Velox Media shall preserve evidence in connection with any report of CSAM for such period as is required by law.

10. Terrorist content (Regulation (EU) 2021/784)

10.1 Velox Media shall act on a removal order from a competent authority of a Member State of the European Union within one (1) hour of receipt, in accordance with the Terrorist Content Online Regulation of the European Union.

10.2 Velox Media may decline to act on the merits of any removal order to such extent as is permitted by Article 4 of the said Regulation, including where compliance would be manifestly contrary to fundamental rights, and shall notify the issuing authority and the affected Customer accordingly.

11. Online Safety Act 2023 of the United Kingdom

11.1 Where Velox Media is a regulated service for the purposes of the Online Safety Act 2023 of the United Kingdom, Velox Media shall comply with the duties applicable to its category, including (without limitation) duties relating to illegal content, duties relating to the safety of children (where in scope), and duties of reporting and information owed to the Office of Communications.

11.2 The content-moderation practices of Velox Media are designed to be consistent with such duties and with any code of practice published by the Office of Communications.

12. Transparency reporting

Velox Media intends to publish an annual transparency report describing, in aggregate, the number and types of notices received, the actions taken, the number of law-enforcement requests received and complied with, and other matters required by law. The first such report shall cover the period from the effective date of this Policy.

13. Amendments

This Policy may be amended in accordance with clause 16 of the Terms of Service.

This Trust & Safety Policy was last reviewed on 27 April 2026.

Law Enforcement Guidelines

Velox Media Inc.

Version: 2.1 Effective Date: 27 April 2026 Last Reviewed: 27 April 2026

These Law Enforcement Guidelines describe the manner in which Velox Media Inc. (“Velox Media”) handles requests from governmental and law-enforcement authorities for information, content removal, or other action, and the standards which Velox Media applies in responding to any such request. They are intended to facilitate legitimate engagement with law-enforcement, to set expectations, and to support transparency. They do not create any contractual right and may be amended at any time.

1. Single point of contact for law-enforcement engagement

Velox Media is incorporated under the laws of the United States, with infrastructure operated in the United States, the United Kingdom, the Netherlands, Poland, and Canada. Velox Media accepts service of process at the postal address set out above.

2. Standards of process

2.1 United States

2.2 United Kingdom

2.3 European Union and European Economic Area

2.4 Other jurisdictions

Requests from authorities of jurisdictions other than the United States, the United Kingdom, and the European Union should be routed through Mutual Legal Assistance Treaty channels to the relevant authority of a jurisdiction in which Velox Media operates. Velox Media may, in its sole and absolute discretion, voluntarily comply with any such request where it considers compliance lawful and appropriate, but reserves the right to decline.

3. Form requirements

3.1 Each request shall:

(a) be in writing on official letterhead, and shall set out the name, title, signature, agency, and contact details of the requesting officer;

(b) state the legal authority on which the request is based, with citation;

(c) identify with specificity the Account, Service, internet protocol address, hostname, transaction identifier, or other identifier in respect of which information is sought;

(d) state the period of time covered by the request (Velox Media shall not process indefinite requests);

(e) state the data items sought;

(f) state any non-disclosure provision relied upon, with citation; and

(g) be signed and dated.

3.2 Velox Media may require additional verification of the identity and authority of the requester prior to responding.

3.3 Requests sent by electronic mail shall come from an official governmental electronic mail address.

4. Notice to the Customer

4.1 It is the policy of Velox Media to notify the affected Customer of any governmental request for information about the Customer or the Account before disclosure, with sufficient time to enable the Customer to seek a protective order or other relief, save where:

(a) Velox Media is prohibited by law (for example, by any non-disclosure order accompanying the request);

(b) the request is accompanied by a court-issued non-disclosure order, gag order, sealing order, or any equivalent;

(c) the request relates to a matter involving CSAM, terrorist content, or any imminent threat to life or serious physical injury;

(d) Velox Media has, in its sole judgement, reason to believe that notice would be counter-productive (for example, where notice would result in the destruction of evidence or harm to any person); or

(e) the Customer has consented to disclosure.

4.2 Where any non-disclosure restriction expires or is lifted, Velox Media may notify the Customer at such time as it considers appropriate.

4.3 Velox Media may give delayed notice in any case where the law so permits.

5. Emergency disclosure

5.1 Where Velox Media has a good-faith belief that disclosure of information is necessary to address an emergency involving danger of death or serious physical injury, Velox Media may voluntarily disclose information to law-enforcement without legal process, as permitted by 18 U.S.C. § 2702(b)(8) and equivalent provisions of the law of the United Kingdom and the European Union.

5.2 Emergency requests shall be marked “EMERGENCY DISCLOSURE REQUEST” in the subject line, shall come from an official governmental electronic mail address, shall include the name, agency, and verifiable contact information of the requester, shall describe the nature of the emergency, and shall specify the data items sought and the manner in which they relate to the emergency.

5.3 Velox Media may require a follow-up call to a verified agency telephone number prior to disclosure.

5.4 Velox Media may, but shall not be obliged to, comply with any emergency request, and may decline any request which does not, in Velox Media’s sole judgement, present an emergency.

6. Preservation requests

6.1 Upon receipt of any properly framed preservation request from law-enforcement of a jurisdiction in which Velox Media operates, Velox Media shall preserve specifically identified data already in its possession for an initial period of ninety (90) days, extendable upon request for a further ninety (90) days.

6.2 Preservation does not afford the requester access to the data; access shall require legal process under clause 2 hereof.

7. Data held and retention

7.1 The categories of data which Velox Media may hold are described in clause 2 of the Privacy Policy and the corresponding retention periods at clause 5 thereof.

7.2 Velox Media does not retain data solely for the purposes of enabling law-enforcement responses. Data not in the possession of Velox Media at the time of a request, or which has lapsed prior to the receipt of any preservation request, shall not be capable of production.

8. Reimbursement of costs

8.1 Velox Media may seek reimbursement of reasonable costs in accordance with applicable law (in the United States, 18 U.S.C. § 2706; in the United Kingdom, the Investigatory Powers Act 2016 and any associated regulations).

8.2 Velox Media may also charge reasonable costs in respect of compliance with civil discovery, third-party subpoenas, and similar process, in accordance with the fee schedule set out in clause 6 of the Acceptable Use Policy.

9. Compelled disclosure of Customer Personal Data by public authorities (Schrems II)

9.1 Where Velox Media receives any legally binding request from a public authority for Customer Personal Data covered by the Data Processing Agreement, Velox Media shall:

(a) review the request for legal validity;

(b) challenge the request where, in Velox Media’s reasonable judgement, lawful grounds exist for so doing under the law of the requesting authority;

(c) seek to limit the scope of the disclosure to that which is necessary and proportionate;

(d) where prohibited from notifying the Customer, use best efforts to obtain a waiver of the prohibition or to challenge the prohibition by judicial means; and

(e) maintain documentation of the request and of its handling, for the purposes of transparency reporting.

10. Civil legal process

10.1 Civil subpoenas and discovery requests shall be accepted through the channels set out above. Velox Media may require:

(a) an undertaking that the requester has properly served the Customer (where the Customer is a party);

(b) reimbursement of reasonable costs;

(c) where production includes the Customer’s content, that the Customer be afforded the opportunity to seek a protective order; and

(d) such further steps as are reasonably necessary to protect the other Customers of Velox Media and any third party.

11. Sanctioned-jurisdictions filter

Velox Media shall not knowingly disclose information to authorities of any jurisdiction subject to comprehensive economic sanctions of the United States, the United Kingdom, the European Union, or the United Nations, save where compelled by binding law of a jurisdiction in which Velox Media operates.

12. Transparency

Velox Media intends to publish an annual transparency report covering law-enforcement requests received, jurisdictions of origin, types of process, and the response of Velox Media. The report shall not identify any individual matter where prohibited by law.

13. Amendments

These Guidelines may be amended at any time. The current version shall be published at veloxmedia.co.uk/law-enforcement.

Contact: [email protected]. These Guidelines do not create any contractual right.

Vulnerability Disclosure Policy

Velox Media Inc.

Version: 1.0 Effective Date: 27 April 2026 Last Reviewed: 27 April 2026

Velox Media Inc. (“Velox Media”, “we”, or “us”) welcomes the responsible disclosure of security vulnerabilities affecting the Services, the websites operated by Velox Media at veloxmedia.co.uk and at my.veloxmedia.co.uk, the Velox Media application-programming interfaces, and the underlying infrastructure operated by Velox Media. This Vulnerability Disclosure Policy (the “VDP”) describes the manner in which security researchers may report vulnerabilities to Velox Media, the scope and exclusions of such reporting, and the safe-harbour position adopted by Velox Media in respect of good-faith research conducted in accordance herewith.

This VDP is published in accordance with the recommendations of ISO/IEC 29147:2018 and follows the convention of the IETF specification at RFC 9116 (security.txt).

1. Reporting channel

A report should include such information as is necessary to enable Velox Media to reproduce and to remediate the vulnerability, including (without limitation) a description of the vulnerability, the affected URL or system, the steps necessary to reproduce, any proof-of-concept material, the impact upon confidentiality, integrity, or availability, and the contact details of the reporter (or an indication that the report is to be treated as anonymous).

2. Scope

2.1 This VDP applies to:

(a) the websites operated by Velox Media at veloxmedia.co.uk, at my.veloxmedia.co.uk, and at any subdomain of veloxmedia.co.uk operated by Velox Media;

(b) the application-programming interfaces operated by Velox Media for the administration of Accounts and Services;

(c) the management plane underlying the Services, including hypervisor, network, control-plane, and operational tooling operated by Velox Media; and

(d) any other system within the operational control of Velox Media in respect of which Velox Media gives express written consent.

2.2 This VDP does not apply to:

(a) the operating systems, applications, content, or configurations of any Customer hosted upon the Services. Vulnerabilities in such systems should be reported to the relevant Customer; testing or research in respect of such systems shall not be conducted otherwise than upon the documented prior written authorisation of the Customer in question;

(b) any third-party service or system not operated by Velox Media; or

(c) issues identified in the absence of any actual technical vulnerability, including (without limitation) pure social-engineering reports, denial-of-service findings (other than where a vulnerability permits low-volume amplification or asymmetry materially disproportionate to ordinary use), missing best-practice headers in respect of which no exploit can be demonstrated, and self-XSS findings.

3. Conduct expected of researchers

3.1 In the course of any research conducted under this VDP, the researcher shall:

(a) make a good-faith effort to avoid any privacy violation, degradation of the Services, disruption to other Customers, destruction of data, and harm to any individual;

(b) cease testing immediately upon the discovery of any vulnerability, of any sensitive personal information, or of any access exceeding that necessary to demonstrate the vulnerability, and shall report the matter to Velox Media without delay;

(c) refrain from accessing, copying, modifying, deleting, exfiltrating, or disclosing any data of Velox Media or of any other person otherwise than as is strictly necessary to demonstrate the vulnerability, and refrain from retaining any such data following submission of the report;

(d) refrain from any social-engineering attack against the personnel of Velox Media or against any Customer;

(e) refrain from any physical attack against any property of Velox Media;

(f) refrain from any denial-of-service or stress-testing attack;

(g) refrain from any automated, high-volume, or destructive testing technique;

(h) refrain from public disclosure of the vulnerability prior to the earlier of (i) Velox Media’s confirmation that the vulnerability has been remediated and (ii) the expiry of ninety (90) days following the date of the initial report, save with the express prior written consent of Velox Media; and

(i) comply with all applicable law.

4. Safe harbour

4.1 Velox Media shall consider security research conducted in good faith and in accordance with this VDP to be authorised access for the purposes of (and to the extent permitted by) the Computer Fraud and Abuse Act of the United States, the Computer Misuse Act 1990 of the United Kingdom, equivalent legislation of the European Union and any other jurisdiction in which Velox Media operates, and the Terms of Service of Velox Media (including the Acceptable Use Policy).

4.2 Velox Media shall not pursue, support, or facilitate any civil or criminal action against any researcher who has acted in good faith and in accordance with this VDP, and shall, where appropriate, take reasonable steps to make known to any third party (including any law-enforcement authority) the authorised nature of such research.

4.3 The safe harbour set out in this clause 4 shall not extend to any activity which (a) materially exceeds the scope set out in clause 2, (b) materially contravenes the conduct requirements set out in clause 3, (c) constitutes any breach of any obligation of confidentiality owed to Velox Media or to any other person, or (d) is otherwise unlawful.

4.4 Where the researcher is in any doubt as to whether contemplated activity falls within the scope of this VDP, the researcher should contact [email protected] for guidance prior to undertaking such activity.

5. Velox Media’s response

5.1 Velox Media shall acknowledge receipt of any report submitted in accordance with this VDP within three (3) business days.

5.2 Velox Media shall undertake an initial triage and shall communicate the disposition of the report (whether accepted, requiring further information, or out of scope) within ten (10) business days.

5.3 Velox Media shall use reasonable efforts to remediate any accepted vulnerability within a period proportionate to its severity, having regard to the Common Vulnerability Scoring System or equivalent assessment.

5.4 Velox Media shall, where appropriate, credit the reporter in any public disclosure or acknowledgement of the vulnerability, save where the reporter has elected anonymity.

5.5 Velox Media does not at present operate a paid bug-bounty programme. Reporters acknowledge that no monetary reward is offered or implied by this VDP. Velox Media may, in its sole and absolute discretion, recognise particularly significant contributions by means of an acknowledgement, by inclusion in any “hall of fame”, or by such other non-monetary means as it shall consider appropriate.

6. Confidentiality

6.1 Reports submitted under this VDP shall be treated as confidential by Velox Media, save where disclosure is necessary or appropriate for the purposes of remediation, of compliance with any law or legal process, or of any public disclosure agreed with the reporter.

6.2 The personal information of the reporter shall be processed in accordance with the Privacy Policy.

7. Customer-hosted systems

Vulnerabilities affecting any Customer-hosted system are not within the scope of this VDP. The reporter is encouraged to communicate any such vulnerability directly to the Customer in question. Where such Customer cannot be identified or contacted, the reporter may notify Velox Media at [email protected] with sufficient information to enable Velox Media, where it considers it appropriate, to forward the report to the relevant Customer.

8. Amendments

This VDP may be amended in accordance with clause 16 of the Terms of Service. The current version shall be published at veloxmedia.co.uk/vulnerability-disclosure.

Contact: [email protected] for vulnerability reports; [email protected] for vulnerabilities affecting Customer-hosted systems.

Regulated Workloads and Customer Compliance Statement

Velox Media Inc.

Version: 1.0 Effective Date: 27 April 2026 Last Reviewed: 27 April 2026

This Statement describes the position of Velox Media Inc. (“Velox Media”) in respect of regulated workloads, sector-specific compliance frameworks, and the allocation of compliance responsibility between Velox Media and the Customer. This Statement forms part of, and is incorporated by reference into, the Terms of Service and the Acceptable Use Policy. Capitalised terms not defined herein shall bear the meanings ascribed to them in the Terms of Service.

1. Shared-responsibility model

1.1 The Services consist of unmanaged hosting infrastructure. Velox Media is responsible for the security, availability, and lawful operation of the underlying infrastructure (the operation of facilities, networking, hypervisor, control plane, and management tooling). The Customer is responsible for the security, configuration, content, lawfulness, and compliance of everything which the Customer runs upon the infrastructure (the operating system, applications, software, data, configurations, identity and access management within the Customer’s environment, and the conduct of the Customer’s end users).

1.2 The Customer shall not, by reason of using the Services, be deemed to have inherited any compliance, certification, attestation, or warranty held by Velox Media. The Customer remains solely responsible for assessing whether the Services are appropriate for the Customer’s regulated workloads and for obtaining any assessment, certification, or attestation required to operate such workloads.

2. Regimes in respect of which Velox Media does not warrant the Services

2.1 The Services are not warranted, certified, attested, or held out by Velox Media as being compliant with, suitable for, or capable of supporting any of the following regulatory or industry frameworks (the “Regulated Frameworks”). Without prejudice to the generality of the foregoing, Velox Media specifically does not provide:

(a) HIPAA / HITECH (United States healthcare). Velox Media does not enter into Business Associate Agreements (“BAAs”) in the standard course and does not warrant that the Services are suitable for the storage, processing, or transmission of Protected Health Information as defined under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act. Customers subject to HIPAA shall not store, process, or transmit Protected Health Information using the Services save where Velox Media has expressly agreed in writing to enter into a BAA in respect of a specific Service and a specific Customer.

(b) HITRUST CSF. The Services are not HITRUST-certified.

(c) FedRAMP, IL2/IL4/IL5, GovCloud, or equivalent United States federal cloud-security regimes. Velox Media is not authorised under FedRAMP at any impact level and does not warrant that the Services are suitable for any United States federal workload, or for any workload involving Controlled Unclassified Information (“CUI”) or Federal Contract Information.

(d) CJIS (Criminal Justice Information Services). The Services are not warranted as compliant with the FBI CJIS Security Policy.

(e) StateRAMP, TX-RAMP, AZ-RAMP, or equivalent United States state-level cloud-security regimes. Velox Media is not authorised under any such state programme.

(f) PCI DSS. Velox Media has not undertaken a PCI DSS Service Provider attestation in respect of the Services. Velox Media’s own merchant payment surface is processed by means of third-party payment processors (Stripe and PayPal) who are independently PCI DSS-compliant. The Customer shall not store, process, or transmit cardholder data upon the Services save where the Customer has independently obtained any required PCI DSS attestation in respect of the Customer’s own environment.

(g) SOX (Sarbanes-Oxley) IT general controls. The Services have not been the subject of a SOC 1 (SSAE 18 / ISAE 3402) examination supporting Customer SOX assertions. Customers subject to SOX shall obtain their own controls assurance.

(h) GLBA (Gramm-Leach-Bliley Act) / NYDFS Part 500 / equivalent United States financial regulation. Velox Media does not warrant the Services as suitable for the activities of a financial institution subject to such regimes.

(i) FERPA (Family Educational Rights and Privacy Act). Velox Media is not warranted as a “school official” or otherwise as suitable for the processing of student educational records covered by FERPA.

(j) COPPA (Children’s Online Privacy Protection Act). The Services are not directed to children under thirteen (13). Customers operating any service directed to such children shall be solely responsible for compliance with COPPA.

(k) ITAR (International Traffic in Arms Regulations) and EAR (Export Administration Regulations). Velox Media does not warrant the Services as suitable for the storage, processing, or transmission of any information subject to ITAR or to controlled categories of EAR. The Customer shall not use the Services in connection with any such information save with the express prior written consent of Velox Media; and any such consent, if granted, shall be subject to such additional terms as Velox Media may stipulate.

(l) Classified information of the United States, the United Kingdom, the European Union, or any other government. The Services shall not be used in connection with any such information.

(m) NHS Data Security and Protection Toolkit (United Kingdom). Velox Media has not undertaken assessment under the DSPT.

(n) NIS2 Directive (Regulation (EU) 2022/2555). Where the Customer is itself an essential or important entity under NIS2, the Customer shall be solely responsible for compliance with NIS2 in respect of the Customer’s services.

(o) Operational Resilience regimes for financial services (DORA in the European Union (Regulation (EU) 2022/2554), the FCA / PRA Operational Resilience rules in the United Kingdom, equivalent rules of any other jurisdiction). Velox Media does not represent or warrant that the Services meet the requirements of any such regime in respect of the Customer’s critical or important functions.

(p) Special-category personal data under Article 9 of the EU GDPR or the UK GDPR. The Customer shall implement such additional safeguards as the Customer’s processing of such data may require; the Customer is reminded that the Data Processing Agreement requires such safeguards.

(q) Any sector-specific compliance regime not enumerated above. The Customer is solely responsible for identifying, assessing, and complying with any law, regulation, code, standard, or contractual requirement applicable to the Customer’s workloads.

2.2 The compliance certifications and attestations actually held by Velox Media (where any) shall be set out in the Trust & Compliance Statement and may be relied upon only as set out therein.

3. Customer obligations

3.1 The Customer represents, warrants, and undertakes that:

(a) the Customer has assessed whether the Services are appropriate for the Customer’s intended use and has determined that they are so appropriate, having regard to the limitations set out herein;

(b) the Customer shall not use the Services in connection with any activity, workload, or category of data which requires compliance with any of the Regulated Frameworks identified at clause 2 hereof, save where (i) the law, regulation, or contractual requirement in question permits the activity, workload, or data to be hosted upon non-certified infrastructure, and (ii) the Customer has implemented all measures necessary to achieve compliance independently of Velox Media; and

(c) the Customer shall, on demand, demonstrate to Velox Media’s reasonable satisfaction that the Customer has so implemented the necessary measures.

3.2 The Customer shall be solely responsible for:

(a) the lawfulness of the Customer’s processing under any privacy, data-protection, sector-specific, or other regime;

(b) the maintenance of any required policy, procedure, training, audit, or recordkeeping;

(c) the obtaining and renewal of any required licence, registration, or authorisation;

(d) the response to any audit, assessment, examination, or enforcement action of any regulator;

(e) the notification of any incident, breach, or non-compliance to any regulator, end user, or other person required by law to be notified;

(f) the implementation of any required identity-, age-, consent-, or attribute-verification of the Customer’s end users (for the avoidance of doubt, including (without limitation) any verification required by the Digital Age Assurance Act of California (AB 1043), the Online Safety Act 2023 of the United Kingdom, the Digital Services Act of the European Union, applicable state-level adult-content laws of the United States, online-gambling licensing regimes, and 18 U.S.C. § 2257 (United States) where applicable);

(g) the obtaining of any consent required from any data subject or end user; and

(h) the establishment of any contractual chain of obligation necessary to extend the Customer’s compliance posture to the Customer’s own customers.

4. Bespoke arrangements

4.1 Where the Customer requires Velox Media to enter into any sector-specific arrangement (including (without limitation) any BAA under HIPAA, any data-processing arrangement supporting any Regulated Framework, or any commitment in respect of data residency, encryption, key management, or audit), the Customer shall make a written request to [email protected].

4.2 Velox Media may, in its sole and absolute discretion, accept or decline any such request, and may make any acceptance subject to such additional terms (including (without limitation) additional fees, additional Service plans, and additional commitments by the Customer) as Velox Media shall stipulate.

4.3 No representation, advertisement, marketing communication, or other statement of Velox Media shall be construed as committing Velox Media to enter into any such arrangement otherwise than upon the terms expressly agreed in writing by Velox Media.

5. Indemnity (cross-reference)

The Customer’s indemnity to Velox Media under clause 12 of the Terms of Service extends to any claim, demand, suit, action, proceeding, loss, damage, fine, penalty, liability, cost, or expense arising out of or in connection with the Customer’s failure to comply with any Regulated Framework or any other law, regulation, or contractual requirement applicable to the Customer’s workloads.

6. Amendments

This Statement may be amended in accordance with clause 16 of the Terms of Service.

Contact: [email protected] for bespoke compliance enquiries.

Reseller Agreement Addendum

Velox Media Inc.

Version: 1.0 Effective Date: 27 April 2026 Last Reviewed: 27 April 2026

This Reseller Agreement Addendum (the “Reseller Addendum”) supplements, and forms part of, the Terms of Service entered into between Velox Media Inc. (“Velox Media”) and the Customer where the Customer has been approved by Velox Media to operate as a Reseller (as defined below). The Reseller Addendum governs the resale of the Services to End Customers (as defined below). Capitalised terms not defined herein shall bear the meanings ascribed to them in the Terms of Service.

Where any inconsistency arises between this Reseller Addendum and the Terms of Service in respect of any matter relating to resale, this Reseller Addendum shall prevail. In all other respects the Terms of Service and the Policies remain in full force and effect.

1. Definitions

1.1 In this Reseller Addendum:

(a) “End Customer” means any person to whom the Reseller resells, sublicenses, or otherwise makes available all or part of any Service.

(b) “Reseller” means a Customer of Velox Media which has been approved by Velox Media to resell the Services and which has accepted the terms of this Reseller Addendum.

(c) “Reseller Plan” means a Service plan designated by Velox Media as suitable for resale, ordered by the Reseller for the purposes of providing services to End Customers.

(d) “End Customer Terms” means the terms entered into between the Reseller and any End Customer in respect of the resold Services.

2. Approval of the Reseller

2.1 The Customer may operate as a Reseller only following written approval from Velox Media. Approval may be given, withheld, or withdrawn by Velox Media at any time, in its sole and absolute discretion.

2.2 Velox Media may, as a condition of approval and at any time thereafter, require the Reseller to furnish such information, documents, certifications, attestations, declarations, and other materials as Velox Media may consider appropriate (whether in respect of the identity, business, beneficial ownership, financial standing, anti-money-laundering, sanctions, or compliance posture of the Reseller, in respect of the Reseller’s End Customer Terms, in respect of the categories of End Customer the Reseller intends to serve, or otherwise), in accordance with sub-clause 2.1(d) of the Terms of Service.

2.3 Velox Media may, at any time and in its sole and absolute discretion, withdraw approval upon notice. Withdrawal shall take effect upon such date as Velox Media shall stipulate, and shall not affect any End Customer Terms then in force; the Reseller shall remain solely responsible for the orderly transition or termination of any such End Customer Terms.

3. Relationship of the parties

3.1 The Reseller acts in its own name and on its own behalf. The Reseller is not the agent of Velox Media. Nothing in this Reseller Addendum shall be construed as creating any agency, partnership, joint venture, or fiduciary relationship between Velox Media and the Reseller, or as creating any privity of contract between Velox Media and any End Customer.

3.2 The Reseller shall hold itself out to End Customers in its own name. The Reseller shall not represent that the Reseller is, or is acting on behalf of, Velox Media.

3.3 Velox Media owes no duty to any End Customer. The Reseller shall ensure that this position is reflected in the End Customer Terms.

4. End Customer Terms

4.1 The Reseller shall enter into End Customer Terms with each End Customer. The End Customer Terms shall, as a minimum:

(a) impose upon the End Customer obligations no less protective of Velox Media’s rights and interests than those set out in the Terms of Service and the Policies (including, without limitation, the Acceptable Use Policy, the Privacy Policy, the Trust & Safety Policy, the DMCA and Copyright Policy, and the Regulated Workloads and Customer Compliance Statement);

(b) include an acknowledgement by the End Customer that the underlying infrastructure is supplied by Velox Media, and that the End Customer’s use of the resold Services is subject to the policies of Velox Media as in force from time to time;

(c) include the same prohibitions on the End Customer in respect of CSAM, terrorist content, non-consensual intimate imagery, malware, network attack, spam, fraud, sanctions evasion, and the other matters set out in clause 2 of the Acceptable Use Policy;

(d) include consent by the End Customer to the suspension, throttling, restriction, or termination of any service in accordance with the foregoing matters;

(e) include the same intellectual-property licence in favour of the Reseller (and, as a sub-licensee, in favour of Velox Media) as is set out in clause 9 of the Terms of Service; and

(f) include such further provisions as Velox Media may from time to time stipulate.

4.2 The Reseller shall not enter into any End Customer Terms which contradict, dilute, or otherwise undermine the rights or remedies of Velox Media. Any such contradiction shall be void as between the Reseller and Velox Media, and the Reseller shall remain liable to Velox Media for any breach of the Terms of Service or of any Policy attributable to any End Customer.

5. Responsibility of the Reseller

5.1 The Reseller shall be solely and exclusively responsible to Velox Media for:

(a) the conduct of each End Customer and of any person availing themselves of the resold Services through the End Customer’s account;

(b) the lawfulness, accuracy, and completeness of the Content of each End Customer;

(c) the verification of the identity, address, payment-method ownership, and (where applicable) age, beneficial ownership, sanctions status, and licensing of each End Customer;

(d) the response to any abuse complaint, take-down request, regulatory enquiry, or law-enforcement request relating to any End Customer or any End Customer’s Content;

(e) the billing of, payment-collection from, refund and dispute administration of, and customer support to, each End Customer; and

(f) the operation of the Reseller’s own privacy, security, AML, sanctions, and compliance programmes.

5.2 Without prejudice to the generality of the foregoing, the Reseller shall ensure that the Reseller has implemented and maintains identity, age, and consent mechanisms appropriate to each End Customer and to each category of Content the Reseller’s End Customers operate. The Reseller shall, on demand, demonstrate to Velox Media’s reasonable satisfaction that such mechanisms are in place and are operating effectively.

5.3 The Reseller shall ensure that the Reseller has the operational capacity to respond to abuse complaints in accordance with the targets set out in clause 3 of the Trust & Safety Policy and to law-enforcement requests in accordance with the standards set out in the Law Enforcement Guidelines, in each case in respect of any matter relating to any End Customer.

6. Velox Media’s reserved rights

6.1 Notwithstanding the existence of any End Customer Terms, Velox Media may at any time, in its sole and absolute discretion:

(a) suspend, throttle, restrict, null-route, terminate, or otherwise interrupt any Service or Sub-Service provided to any End Customer, where Velox Media has reason to believe that any of the grounds for action set out in clause 6 of the Terms of Service or in clause 5 of the Acceptable Use Policy would be made out if the End Customer were the Customer of Velox Media;

(b) require the Reseller to take any such action against any End Customer within such period as Velox Media shall stipulate; and

(c) communicate directly with any End Customer in respect of any matter of urgent abuse, security, lawfulness, or compelled disclosure, where Velox Media considers it necessary or appropriate.

6.2 Where Velox Media takes any action under this clause 6, the Reseller shall cooperate fully and shall not be entitled to any refund, credit, or other compensation in respect of the affected End Customer.

7. Data and privacy

7.1 The Reseller shall act as Controller (or, where applicable, as Processor) in respect of the personal information of End Customers and of End Customers’ end users. Velox Media acts as Processor or Sub-processor in respect of such personal information, in accordance with the Data Processing Agreement.

7.2 The Reseller shall be solely responsible for the discharge of all obligations of a Controller (or Processor, as applicable) under the applicable data-protection law, including (without limitation) the obligations to give notice to data subjects, to obtain any required consents, to respond to data-subject rights requests, to notify Personal Data Breaches, and to maintain records of processing.

8. Pricing, billing, and currency of payment

8.1 The Reseller shall pay Velox Media the fees applicable to each Reseller Plan ordered. The Reseller shall set the Reseller’s own prices to End Customers and shall be entitled to retain any margin between such prices and the fees payable to Velox Media.

8.2 Velox Media shall invoice the Reseller. The Reseller shall invoice the End Customer. The Reseller’s failure to collect any amount from any End Customer shall not affect the Reseller’s liability to Velox Media in respect of the corresponding fees.

9. Indemnity (cross-reference)

The Reseller’s indemnity to Velox Media under clause 12 of the Terms of Service extends to any claim, demand, suit, action, proceeding, loss, damage, fine, penalty, liability, cost, or expense arising out of or in connection with (a) any End Customer Terms or any conduct of any End Customer, (b) any failure of the Reseller to comply with this Reseller Addendum, and (c) any representation made by the Reseller or by any End Customer in respect of Velox Media or in respect of any Service.

10. Term and termination

10.1 This Reseller Addendum shall apply with effect from the date of approval of the Reseller and shall continue until terminated.

10.2 Either party may terminate this Reseller Addendum in accordance with clause 7 of the Terms of Service. The withdrawal of approval under sub-clause 2.3 hereof shall constitute termination by Velox Media for the purposes of clause 7 of the Terms of Service.

10.3 Upon termination, the Reseller shall (a) cease to hold itself out as a Reseller of Velox Media; (b) effect the orderly transition or termination of all End Customer Terms within such period as Velox Media shall stipulate; and (c) cooperate with Velox Media in respect of any preservation, transfer, or deletion of any data of the Reseller or of any End Customer.

10.4 The clauses of this Reseller Addendum which by their nature should survive termination shall so survive.

11. Amendments

This Reseller Addendum may be amended in accordance with clause 16 of the Terms of Service.

Contact: [email protected] for reseller enquiries and approvals.

API Terms of Use

Velox Media Inc.

Version: 1.0 Effective Date: 27 April 2026 Last Reviewed: 27 April 2026

These API Terms of Use (the “API Terms”) govern the access to and use of the application-programming interfaces published by Velox Media Inc. (“Velox Media”) in respect of the Services (the “API”). The API Terms supplement, and form part of, the Terms of Service. Capitalised terms not defined herein shall bear the meanings ascribed to them in the Terms of Service.

1. Scope of access

1.1 The API enables programmatic access to the Customer’s Account and to the Services, for purposes including (without limitation) the placing of Orders, the configuration of Services, the retrieval of metrics, and the management of related operational tasks.

1.2 The API is made available solely for the lawful administration by the Customer of the Customer’s own Account and Services. The API shall not be used for the administration of the account or services of any other person save where such other person is an End Customer of an approved Reseller and the use is in accordance with the Reseller Agreement Addendum.

2. Authentication and credentials

2.1 Access to the API requires API credentials issued by Velox Media. The Customer shall:

(a) treat all API credentials as confidential information of the Customer;

(b) restrict access to API credentials to those personnel having a legitimate need;

(c) not share, transfer, or sell any API credential to any third party;

(d) rotate API credentials at intervals appropriate to the sensitivity of the operations performed;

(e) revoke without delay any API credential which has, or may have been, compromised, and notify Velox Media of any such compromise; and

(f) employ appropriate technical safeguards (including, where available, scope restriction and IP allowlisting) in respect of the storage and use of API credentials.

2.2 The Customer shall be solely responsible for any action taken by means of any API credential issued in respect of the Account, whether or not such action was authorised by the Customer.

3. Rate limits and fair use

3.1 The Customer shall not exceed any rate limit, quota, or fair-use threshold published by Velox Media from time to time in respect of the API. Velox Media may modify any such limit, quota, or threshold in its sole and absolute discretion.

3.2 The Customer shall not, by means of the API:

(a) circumvent, attempt to circumvent, or interfere with any rate limit, quota, throttling, or fair-use mechanism of Velox Media;

(b) consume any disproportionate share of the capacity of the API or of the underlying systems;

(c) generate any volume of traffic which materially impairs the API for any other Customer; or

(d) automate any operation in a manner which Velox Media has not, in writing or by published documentation, sanctioned.

3.3 Velox Media reserves the right to suspend, throttle, restrict, or terminate API access in respect of any Account where any such limit, quota, or threshold is exceeded, or where any other ground for action under the Terms of Service or the Acceptable Use Policy is made out.

4. Acceptable use of the API

4.1 The Customer’s use of the API shall comply at all times with the Terms of Service, the Acceptable Use Policy, and the other Policies. Without prejudice to the generality of the foregoing, the Customer shall not use the API to:

(a) reverse-engineer, replicate, or compete with the Services;

(b) scrape or extract data of Velox Media, of any other Customer, or of any third party, otherwise than as expressly contemplated by the published documentation of the API;

(c) test, probe, or scan the security of the API otherwise than in accordance with the Vulnerability Disclosure Policy;

(d) access, attempt to access, or interfere with any account, Service, data, or system not within the Customer’s authority;

(e) carry out any automation which generates spurious complaints, support tickets, or system alerts;

(f) carry out any activity prohibited by the Acceptable Use Policy; or

(g) carry out any activity which would, if carried out through the customer area, contravene the Terms of Service or any Policy.

5. Caching, storage, and onward use of API responses

5.1 The Customer may cache API responses for the limited purposes of the lawful administration of the Customer’s Account and Services. The Customer shall not retain any API response longer than is necessary for such purpose.

5.2 The Customer shall not redistribute, publish, or otherwise make available any API response to any third party save where (a) such third party is an End Customer of an approved Reseller, the disclosure being limited to information about that End Customer’s own services, or (b) Velox Media has expressly consented in writing.

6. Documentation, deprecation, and changes

6.1 The Customer shall use the API in accordance with the documentation published by Velox Media at developers.veloxmedia.co.uk (or such other location as Velox Media may from time to time designate).

6.2 Velox Media may add to, modify, deprecate, or withdraw any endpoint, parameter, response field, authentication method, rate limit, or other element of the API at any time. Where any such change materially and adversely affects the Customer’s use of the API, Velox Media shall use reasonable efforts to give not less than thirty (30) days’ notice; provided that no such notice shall be required in respect of changes necessary for the security, integrity, or lawful operation of the API.

6.3 Deprecated endpoints shall be removed in accordance with such timeline as Velox Media shall publish. The Customer shall be responsible for adapting the Customer’s integrations accordingly.

7. No SLA

The SLA does not apply to the API. The API is provided on an “as is” and “as available” basis. Without prejudice to the foregoing, Velox Media shall use reasonable commercial efforts to maintain the availability of the API.

8. Logging

The Customer acknowledges that, in the ordinary course of the operation, security, billing, support, abuse-prevention, and lawful administration of the Services, Velox Media collects, retains, and processes operational data relating to API requests, including (without limitation) request metadata, source addresses, authentication identifiers, timestamps, and outcomes, in the manner contemplated by sub-clause 4.2 of the Terms of Service. Such data forms part of the security and integrity controls of the Services and shall not be deleted on request.

9. Beta and experimental endpoints

9.1 Where any endpoint, feature, or method is designated by Velox Media as “beta”, “preview”, “experimental”, or with any equivalent designation, the Customer’s use shall be subject to such additional terms as Velox Media shall stipulate, including (without limitation) the absence of any service-level commitment, the absence of any right to support, and the right of Velox Media to modify or withdraw the endpoint at any time without notice.

9.2 The Customer shall not rely on any beta endpoint for any production or mission-critical purpose.

10. Suspension and termination

10.1 Without prejudice to clause 6 of the Terms of Service, Velox Media may suspend, throttle, restrict, or terminate API access in respect of any Account, with or without prior notice, where Velox Media has reason to believe that any provision of these API Terms, of the Terms of Service, or of any Policy has been or is being contravened, or where such action is otherwise appropriate.

10.2 Termination of API access does not of itself terminate the Account or any Service.

11. Amendments

These API Terms may be amended in accordance with clause 16 of the Terms of Service.

Contact: [email protected] for API support; [email protected] for vulnerability reports.

Trust and Compliance Statement

Velox Media Inc.

Version: 1.0 Effective Date: 27 April 2026 Last Reviewed: 27 April 2026

This Trust and Compliance Statement summarises the security, privacy, and operational posture of Velox Media Inc. (“Velox Media”), the certifications and attestations actually held in respect of the Services (where any), the technical and organisational measures upon which Velox Media relies, and the manner in which a Customer or prospective Customer may obtain further assurance. This Statement is a summary intended for general reference; it does not vary or limit the rights and obligations of the parties under the Terms of Service, the Privacy Policy, the Data Processing Agreement, or any other Policy. The detailed technical and organisational measures are set out in Annex II of the Data Processing Agreement; the limitations of warranty in respect of regulated workloads are set out in the Regulated Workloads and Customer Compliance Statement.

1. About Velox Media

2. Certifications and attestations

2.1 The certifications and attestations actually held by Velox Media in respect of the Services are set out below. This list shall be updated upon any change.

2.2 Where Velox Media does not hold a particular certification, no representation, warranty, or commitment to that effect is made or implied. Customers requiring services certified under any framework not held by Velox Media are referred to the Regulated Workloads and Customer Compliance Statement.

3. Security overview

The summary below complements (and does not displace) the technical and organisational measures set out in Annex II of the Data Processing Agreement.

3.1 Physical security

Velox Media operates within facilities maintaining controlled access, environmental controls (temperature, humidity, fire suppression), redundant power (mains and uninterruptible supply), and continuous monitoring. Visitor access is logged and escorted.

3.2 Network security

(a) Multi-vendor IP transit at each operated location, with redundant peering. (b) Edge filtering and stateful firewalling at perimeter. (c) DDoS detection and mitigation, with diversion to scrubbing capacity for volumetric or sustained attacks. (d) Segregation of management plane from customer plane; separate addressing, separate authentication. (e) BGP-RPKI origin validation in respect of accepted routes.

3.3 Hypervisor and virtualisation

(a) Customer instances are isolated by virtualisation primitives (KVM or equivalent), with separate kernel-level and storage-level enforcement. (b) Hypervisor patches and microcode updates are applied in accordance with risk-prioritised cadence. (c) The management plane is hardened, with role-based access control, multi-factor authentication, and tamper-evident logging.

3.4 Identity and access management for personnel

(a) Role-based access control with the principle of least privilege. (b) Multi-factor authentication for all personnel access to systems containing personal information or to the management plane. (c) Documented joiner-mover-leaver process. (d) Quarterly access review.

3.5 Cryptography

(a) Transport Layer Security version 1.2 or higher in respect of all customer-facing endpoints. (b) Encryption at rest in respect of management-plane systems, identity and verification documents (where collected), backups, and customer credentials. (c) Modern cryptographic algorithms only; deprecated suites are disabled at the perimeter.

3.6 Application and management-plane security

(a) Code review and approval workflow for changes to the management plane. (b) Periodic vulnerability scanning, with patching cadence proportionate to severity. (c) Independent penetration testing of the management plane on a periodic basis. (d) Vulnerability reports from external researchers handled in accordance with the Vulnerability Disclosure Policy.

3.7 Logging, monitoring, and incident response

(a) Centralised logging of administrative access, security-relevant events, and changes to access rights. (b) Continuous monitoring of network, host, and security telemetry, with alerting at defined thresholds. (c) Documented incident-response procedures with defined notification timelines. (d) Periodic tabletop exercises in respect of incident response.

3.8 Backup, resilience, and continuity

(a) Redundant power, networking, and storage in respect of operated facilities. (b) Documented backup and disaster-recovery procedures in respect of management-plane systems and Velox Media’s own operational data. (c) Customer is responsible for backups of Customer’s own data, in accordance with clause 6 of the Service Level Agreement.

3.9 Personnel and supply chain

(a) Personnel screening proportionate to role and applicable law. (b) Mandatory security and privacy training upon onboarding and annually thereafter. (c) Confidentiality undertakings binding upon all personnel. (d) Sub-processor due diligence and contractual obligations equivalent to those of the Data Processing Agreement, as set out in the Sub-processor List.

4. Privacy

4.1 The processing of personal information about the Customer (and the Customer’s representatives) is governed by the Privacy Policy.

4.2 The processing of personal information of the Customer’s data subjects, in respect of which Velox Media acts as processor, is governed by the Data Processing Agreement.

4.3 The categories of personal information collected, the legal bases for processing, the retention periods, and the rights of data subjects are described in those documents.

4.4 International transfers are addressed by the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and, in respect of transfers from the United Kingdom, the UK Addendum, in accordance with clause 6 of the Data Processing Agreement.

5. Trust and safety

5.1 Content moderation, illegal-content reporting, and the notice-and-action mechanism required by the EU Digital Services Act are described in the Trust & Safety Policy.

5.2 Velox Media cooperates with the Internet Watch Foundation, the National Center for Missing and Exploited Children, INHOPE, the Global Internet Forum to Counter Terrorism, M3AAWG, and equivalent bodies.

5.3 Acceptable use is governed by the Acceptable Use Policy.

6. Law-enforcement engagement

6.1 The standards applied by Velox Media in respect of requests for information from governmental and law-enforcement authorities are set out in the Law Enforcement Guidelines.

6.2 Velox Media intends to publish an annual transparency report describing, in aggregate, the requests received and the responses given.

7. Compliance limitations

7.1 The Services consist of unmanaged hosting infrastructure. Customers are reminded that the Services are not warranted as compliant with HIPAA, FedRAMP, CJIS, PCI DSS (above the merchant level), SOX IT general controls, GLBA, FERPA, ITAR/EAR, the NHS DSPT, NIS2, DORA, or any other sector-specific compliance regime, save where such certification or attestation is expressly listed at clause 2 hereof or has been the subject of an express written commitment by Velox Media. The detailed allocation of compliance responsibility is set out in the Regulated Workloads and Customer Compliance Statement.

8. Documentation available on request

The following documentation may be made available to Customers and prospective Customers under appropriate undertakings of confidentiality, by request to [email protected]:

• Information-security policy summary
• Penetration-test executive summary
• Business-continuity and disaster-recovery summary
• Sub-processor due-diligence summary
• Detailed technical and organisational measures
• Insurance coverage summary
• Where held, the most recent independent audit reports relevant to the certifications listed at clause 2

9. Reporting a concern

10. Amendments

This Statement may be amended in accordance with clause 16 of the Terms of Service.

This Trust and Compliance Statement was last reviewed on 27 April 2026.