Terms of Use – OneAI SaaS Platform
General Terms and Conditions for the use of the OneAI platform (hub.oneai.eu)
Version: 1.1 · Effective date: 22 April 2026
Provider: oneAI GmbH, Eisenbahnstraße 50, 72072 Tübingen, Germany
Platform: OneAI SaaS platform – hub.oneai.eu
Legal basis: German Civil Code §§ 305–310 (BGB), EU AI Act (EU) 2024/1689, GDPR (EU) 2016/679, EU Data Act (EU) 2023/2854, DDG, TDDDG
Binding language notice: Per § 24(3) the German version is the sole binding version. This English translation is provided for information only.
§ 1 Scope and clarification of roles
(1) These Terms of Use ("ToU") apply to all contracts for the use of the OneAI SaaS platform ("Platform" or "OneAI") that oneAI GmbH (the "Provider") concludes with entrepreneurs (§ 14 BGB), legal persons under public law and special funds under public law (the "Customer").
(2) The Platform is intended exclusively for customers acting in a business capacity and not for consumers within the meaning of § 13 BGB.
(3) Within the meaning of Regulation (EU) 2024/1689 (EU AI Act), the Provider acts as Provider under Art. 3(3) EU AI Act. The Provider develops the Platform and places it on the EU market under its own name. This role arises by operation of law (Art. 25(1)(a) EU AI Act) and is non-derogable.
(4) The Customer acts as Deployer under Art. 3(4) EU AI Act and bears the resulting independent statutory obligations, in particular under Art. 26 EU AI Act.
(5) The General Terms and Conditions of oneAI GmbH apply additionally in their respective current version (available at /en/customer-terms). In the event of conflict between these ToU and the General Terms of oneAI GmbH, these ToU prevail for use of the Platform.
(6) Conflicting or deviating terms of the Customer do not become part of the contract unless the Provider expressly agrees to their validity in writing.
§ 2 Subject matter and description of services
2.1 Platform service
(1) OneAI is an AI governance and productivity platform for enterprises. It provides chat-based access to Large Language Models (LLMs) with integrated compliance monitoring, audit logging and data governance for EU enterprises.
(2) The Platform comprises the following modules:
| Module | Description |
|---|---|
| OneChat | Chat-based interaction with various AI models |
| OneSpace | Document management with RAG-based semantic search |
| OneTools | AI-powered tools (image generation, code execution, web search) |
| OneFlow | Workflow automation |
| OneConnect | Connectors to third-party services (Microsoft 365, Google Drive, GitHub, ClickUp, weclapp, etc.) |
| OneDeploy | Management and integration of customer-supplied AI models (Private Models) |
(3) The Provider makes the Platform available as Software-as-a-Service (SaaS) at hub.oneai.eu. The Customer requires its own internet access, the provision of which is not part of the Provider's services.
2.2 AI models
(1) The Platform provides access to AI models from various providers (Public Models, e.g. OpenAI GPT, Anthropic Claude, Google Gemini, Mistral AI) and to models supplied or self-hosted by the Customer (Private Models).
(2) Public Models are operated and provided by third parties. The Provider gives no warranty for the functionality, availability, accuracy or completeness of Public Model outputs. The terms and privacy policies of the respective LLM provider apply additionally to these ToU.
(3) The Provider may change LLM providers, add new models or remove existing models, provided the essential usability of the Platform is not significantly impaired. The Customer will be informed of material changes with 14 days' notice. If a change leads to a significant restriction of usability, the Customer has a right of extraordinary termination on 30 days' notice to month-end.
2.3 Third-party integrations
(1) The OneConnect connectors integrate third-party services (Microsoft 365, Google Workspace, GitHub, ClickUp, weclapp, etc.). These services are subject to their own respective terms. The Provider is not liable for the availability, functionality or data-protection compliance of these third-party services.
(2) The Customer is responsible for proper authorisation of the connectors (OAuth tokens) and for compliance with the terms of the respective third parties.
§ 3 Intended Purpose and use restrictions
3.1 Intended use
(1) OneAI is a general AI governance and productivity platform for enterprises. It provides chat-based access to Large Language Models with integrated compliance monitoring, audit logging and data governance for EU enterprises.
(2) Intended use comprises in particular: text creation and editing, document analysis, summarisation, translation, code assistance, research, brainstorming, data analysis and general knowledge-based tasks in a business context.
3.2 Exclusion of high-risk applications (Annex III EU AI Act)
⚠️ IMPORTANT — Please read carefully
(1) OneAI is NOT designed, intended or marketed for use in any of the areas listed in Annex III of Regulation (EU) 2024/1689. Use of the Platform for the following purposes is expressly prohibited:
| No. | Prohibited area of application (Annex III) | Examples |
|---|---|---|
| 1 | Biometric identification and categorisation of natural persons | Facial recognition, biometric profiling |
| 2 | Management and operation of critical infrastructure | Control of power/water supply, traffic management, digital infrastructure |
| 3 | General and vocational education | Access decisions for educational institutions, exam grading, learning assessment |
| 4 | Employment and HR management | Automated hiring decisions, performance evaluation, promotion/termination decisions |
| 5 | Access to essential private and public services | Credit-worthiness checks, social benefits decisions, life/health insurance risk assessment, emergency triage |
| 6 | Law enforcement | Recidivism prediction, evidence assessment, profiling |
| 7 | Migration, asylum and border control | Asylum/visa application processing, identification, risk assessment |
| 8 | Administration of justice and democratic processes |
(2) Use of the Platform for any of the above purposes constitutes a material breach of contract entitling the Provider to immediate suspension of access and extraordinary termination.
(3) Pursuant to Art. 25(1)(c) EU AI Act, a Customer who uses OneAI for an unintended high-risk purpose may assume the obligations of a Provider for the resulting high-risk AI system. The Customer indemnifies the Provider against all claims by third parties, authorities and regulators arising from non-contractual use.
3.3 Art. 6(4) – Non-high-risk assessment
(1) The Provider has carried out a documented assessment under Art. 6(4) EU AI Act establishing that OneAI is not a high-risk AI system despite potential overlap with Annex III. The assessment relies on the fact that OneAI:
- is a general productivity tool comparable to a search engine or AI-assisted word processor,
- makes no autonomous decisions in Annex III areas,
- does not create profiles of natural persons for decision-making purposes,
- is not embedded in safety-critical systems.
(2) This assessment is made available to competent national authorities upon request.
3.4 Compliance monitoring
(1) The Provider operates an automated Compliance Copilot (self-hosted AI model) that screens usage requests for possible Annex III patterns. The Compliance Copilot may block, escalate or attach a risk notice to requests.
(2) The Customer accepts that automated compliance checks take place and that requests may be blocked or modified if an Annex III pattern is detected.
3.5 Exclusion of safety-critical and life-endangering use cases (hazardous environments)
⚠️ IMPORTANT — Safety-critical applications
(1) The Platform is NOT designed, developed, tested, licensed or approved for use in safety-critical environments where software failure could result in death, personal injury, severe property or environmental damage, or endangerment of public safety ("Safety-Critical Applications"). This includes in particular but is not limited to:
| No. | Excluded area | Examples |
|---|---|---|
| 1 | Nuclear facilities | Planning, construction, operation, maintenance or control of nuclear power plants, fuel processing, nuclear research reactors, nuclear waste disposal |
| 2 | Aviation and air traffic control | Flight navigation, flight communications, ATC systems, flight control, unmanned aerial systems (UAS/drones) in regulated airspace |
| 3 | Weapons and defence systems | Control, targeting, triggering or operational support of weapon or munition systems (conventional, biological, chemical, radiological) |
| 4 | Life-support systems | Class IIb/III medical devices (MDR), life-support machines, implantable medical devices, intensive-care monitoring systems |
| 5 | Transport safety | Autonomous vehicle control (Level 3–5), railway control systems, ship navigation, railway signalling |
| 6 | Critical utilities infrastructure | Real-time control of electricity and gas networks, water supply and treatment, district heating, SCADA/ICS systems, dam control |
(2) The Customer acknowledges that the Platform is a general productivity tool and does not meet the requirements for fail-safe systems (Fail-Safe-Design) that apply to the above areas under the state of the art and the relevant standards (including IEC 61508, IEC 62304, DO-178C, ISO 26262, DIN EN 50126, IAEA Safety Standards).
(3) If the Customer uses the Platform in a Safety-Critical Application contrary to this provision, this is at the sole risk and responsibility of the Customer. The Customer is then required to implement all necessary fail-safe, backup, redundancy and other safety measures itself.
(4) The Provider and its affiliated companies exclude — to the maximum extent permitted by law — all liability for damages arising from use of the Platform in Safety-Critical Applications. This includes in particular property damage, environmental damage and indirect/consequential damages. Mandatory statutory liability (in particular for intent, gross negligence, injury to life, body or health and under the Product Liability Act) remains unaffected.
(5) The Customer indemnifies the Provider against all third-party claims arising from use of the Platform in Safety-Critical Applications, including claims by authorities, regulators, injured third parties and insurers. The duty to indemnify also covers reasonable legal-defence costs.
(6) Use in Safety-Critical Applications constitutes a material breach of contract entitling the Provider to immediate suspension (§ 15) and extraordinary termination (§ 12(4)).
§ 4 Registration and customer account
(1) Use of the Platform requires registration of a customer account. The Customer undertakes to provide truthful, complete and current information at registration and to keep it up to date.
(2) The Customer is responsible for the secrecy of its access credentials. Employees of the Customer and users authorised by it are not third parties within the meaning of this provision. The Customer must inform the Provider immediately if there are indications that an account is being used by unauthorised third parties.
(3) Each organisation (tenant) is strictly isolated from other tenants. All database queries are filtered per tenant.
§ 5 Conclusion of contract
(1) The presentation of the Platform and tariffs on the website does not constitute a binding offer of the Provider.
(2) The contract is concluded when the Customer completes registration and confirms the chosen tariff by clicking "Order with payment obligation" (or a comparable button). The Provider confirms conclusion of the contract by e-mail within 5 business days.
(3) Different rules apply to Enterprise contracts, set out in a separate Enterprise Agreement.
§ 6 Rights of use
(1) The Provider grants the Customer, for the term of the contract, a non-exclusive, non-transferable, non-sublicensable, revocable right to use the Platform within these ToU.
(2) Use is limited to the Customer's own business use. In particular, the Customer is prohibited from:
- a) making the Platform available to third parties, leasing or sublicensing it,
- b) reproducing, decompiling, disassembling or reverse-engineering the Platform or parts thereof (except as legally permitted under §§ 69d, 69e UrhG),
- c) using the Platform to develop a competing service,
- d) carrying out automated access (scraping, bots) other than via the provided API within the Fair-Use Policy.
§ 7 Customer obligations and responsibilities
7.1 Content responsibility
(1) The Customer grants the Provider a right to use the Customer's submitted content (prompts, documents, files), limited to the term of the contract, to the extent required for performance of the contract (in particular processing by LLMs, RAG indexing and storage).
(2) The Customer warrants that the content it processes via the Platform does not violate applicable law or third-party rights. In particular, the Customer must not submit or process content that:
- a) infringes copyrights, trademarks, patents or other third-party rights,
- b) is criminally relevant, racist, discriminatory, pornographic or glorifies violence,
- c) violates the Acceptable Use Policies of the LLM providers used.
(3) Use of the Platform for any of the high-risk purposes excluded under § 3.2 (Annex III EU AI Act) or for Safety-Critical Applications under § 3.5 is expressly prohibited.
7.2 Cooperation duties (Art. 26 EU AI Act)
(1) The Customer undertakes to:
- a) inform the Provider of specific use cases that go beyond the intended use described in § 3.1,
- b) use the Platform in accordance with the Provider's instructions and technical documentation,
- c) ensure human oversight of AI-generated outputs (Art. 26(2) EU AI Act),
- d) report identified risks to the Provider without undue delay (Art. 26(5) EU AI Act),
- e) inform its own employees about AI use prior to deploying the Platform at the workplace (Art. 26(7) EU AI Act).
7.3 Compliance with LLM provider policies
(1) When using Public Models, the Customer must additionally comply with the Acceptable Use Policies (AUPs) of the respective LLM providers, in particular:
- Microsoft Azure Code of Conduct (for models served via Azure),
- OpenAI Usage Policies,
- Anthropic Acceptable Use Policy,
- Google Cloud Terms of Service.
7.4 Fair-Use Policy
(1) Use is subject to a Fair-Use Policy. The Provider reserves the right to restrict access in cases of abusive or excessive use (e.g. automated bulk requests, systematic scraping).
7.5 Indemnification
(1) The Customer indemnifies the Provider against all third-party claims arising from non-contractual use of the Platform by the Customer. This includes in particular claims for infringement of third-party rights through Customer content, claims for prohibited high-risk use (§ 3.2) and claims arising from use in Safety-Critical Applications (§ 3.5).
7.6 Data backup
(1) The Customer is responsible for the regular backup of its data. The Provider recommends regular export of important content via the export functions provided (JSON, CSV, PDF).
§ 8 Availability and maintenance
(1) The Provider targets a monthly average availability of 99 % of the Platform (measured per calendar month). The following are not included in the calculation:
- a) scheduled maintenance windows under para. 3,
- b) disruptions caused by force majeure (§ 12(5)),
- c) disruptions for which the Customer is responsible,
- d) restrictions or outages of LLM providers outside the Provider's control.
(2) Availability of the LLM models used is not guaranteed by the Provider, as these are operated by third parties. The Provider informs the Customer without undue delay of any restrictions at LLM providers known to it.
(3) Maintenance work is preferably carried out on Saturdays and Sundays between 00:00 and 07:00 and announced at least 7 days in advance. Maintenance time is limited to a maximum of 24 hours per calendar month.
(4) The Customer reports incidents by e-mail to support@oneai.eu. The Provider acknowledges receipt within 1 business day and initiates remediation.
§ 9 Fees and payment terms
(1) Fees are determined by the tariff chosen by the Customer (Starter, Team, Enterprise) and actual usage (token consumption, number of users, storage volume). Current tariffs are available at hub.oneai.eu/pricing.
(2) All prices are net prices plus the applicable statutory VAT.
(3) Billing is monthly. Invoices are due within 14 days of issue without deduction. The Customer agrees to electronic invoicing.
(4) LLM-related cost increases attributable to the upstream LLM providers (OpenAI, Anthropic, Google, Mistral, etc.) are passed on to the Customer. The Provider gives the Customer at least 30 days' notice before such changes take effect. If the increase exceeds 10 % of the previous monthly fee, the Customer has a right of extraordinary termination on 4 weeks' notice to month-end.
(5) Foreign-currency costs (in particular USD-denominated LLM costs) are converted using the European Central Bank's reference rate on the invoice date.
(6) Payments are processed through Stripe, Inc. (EU processing via Stripe Payments Europe, Ltd., Ireland).
(7) The Customer is entitled to set off or withhold only with undisputed or finally adjudicated counterclaims.
(8) If the Customer is more than 30 calendar days late on payment, the Provider may temporarily suspend access until the outstanding amounts are paid. Suspension does not constitute rescission of the contract. The Customer's contractual payment obligations remain unaffected.
§ 10 Warranty
(1) The provision of the Platform as SaaS is governed by §§ 536 et seq. BGB (lease law) by analogy. Strict liability for defects existing at conclusion of the contract (§ 536a(1) Alt. 1 BGB) is excluded.
(2) The Provider owes the availability of the Platform in a contractually compliant condition and its maintenance. Subsequent performance is at the Provider's option by remedying the defect free of charge or providing a defect-free version.
(3) Reduction by the Customer requires that the Provider has not remedied the defect despite reasonable extension of time. Self-remedy under § 536a(2) BGB is excluded.
(4) The Provider gives no warranty for the Customer's internet connection or for hardware/software compatibility on the Customer's side.
10.1 AI-specific disclaimer
⚠️ Important note on AI-generated content
(5) AI-generated content (text, summaries, code, images, analyses) is produced by third-party LLMs and may be incorrect, incomplete, misleading or factually wrong (so-called "hallucinations"). The Provider gives no warranty for:
- a) the accuracy, completeness or timeliness of AI-generated outputs,
- b) the suitability of outputs for any particular purpose,
- c) the freedom from copyright issues of AI-generated content,
- d) freedom from bias of the AI models used.
(6) The Customer must review AI-generated outputs on its own responsibility before using them for business decisions, legal purposes or communications with third parties. The Platform does not replace professional advice (legal, medical, tax, technical or otherwise).
§ 11 Liability and damages
(1) The Provider's liability is governed by the following provisions, which regulate the Provider's liability in damages or expense reimbursement on any legal ground (breach of contract, default, tort, pre-contractual fault).
(2) The Provider has unlimited liability:
- a) for intent and gross negligence,
- b) for injury to life, body or health,
- c) under the Product Liability Act (ProdHaftG),
- d) for guaranteed characteristics.
(3) The Provider is not liable for ordinary negligence except for breach of cardinal contractual duties — duties whose fulfilment makes proper performance of the contract possible in the first place and on whose observance the Customer regularly relies. These include in particular:
- the provision of the Platform in a contractually compliant state,
- compliance with the agreed availability,
- the protection of customer data against unauthorised access,
- the proper performance of data processing on behalf.
(4) Where the Provider is liable in principle under para. 3, liability is limited to the damage foreseeable at conclusion of the contract and typical of the contract. Indirect and consequential damages (in particular lost profit, loss of production, loss of data) are recoverable only to the extent typically expected.
(5) For ordinary negligence, the Provider's liability is capped at:
- €50,000 per loss event, and
- €100,000 in aggregate for all loss events arising in a calendar year.
(6) The above exclusions and limitations apply equally for the benefit of the Provider's officers, statutory representatives, employees and other vicarious agents.
11.1 Liability allocation for LLM providers
(7) Where damage is attributable to the conduct of a third-party LLM provider (OpenAI, Anthropic, Google, Mistral, etc.), the Provider's liability is limited to assigning to the Customer the claims it has against that LLM provider. The Provider supports the Customer in enforcing those claims.
11.2 Liability under EU AI Act
(8) Statutory liability of the Provider under Regulation (EU) 2024/1689 (EU AI Act) cannot be excluded by these ToU. In particular, the Provider's obligations as Provider under Art. 16 EU AI Act remain unaffected.
11.3 Liability for non-contractual high-risk use and Safety-Critical Applications
(9) The Provider is not liable for damage resulting from the Customer's use of the Platform contrary to § 3.2 for high-risk purposes (Annex III EU AI Act) or contrary to § 3.5 in Safety-Critical Applications. In that case the Customer assumes Provider obligations under Art. 25(1)(c) EU AI Act and indemnifies the Provider against all resulting claims.
§ 12 Term and termination
(1) The contract is concluded for an indefinite term (monthly tariffs) or for a fixed term (annual tariffs).
(2) Monthly tariffs may be terminated on 7 days' notice to the end of the calendar month. Annual tariffs automatically renew for 12 months unless terminated on 30 days' notice before the end of the term.
(3) The notice period is capped at 2 months (Art. 25(1) Regulation (EU) 2023/2854 – EU Data Act).
(4) The right to extraordinary termination for cause remains unaffected. Cause for the Provider exists in particular where:
- a) the Customer uses the Platform for excluded high-risk purposes (§ 3.2) or in Safety-Critical Applications (§ 3.5),
- b) the Customer breaches the LLM providers' Acceptable Use Policies,
- c) the Customer is more than 2 months in arrears on due payments,
- d) insolvency proceedings are opened over the Customer's assets or rejected for lack of assets.
(5) If a case of force majeure (natural disasters, pandemics, war, civil unrest, cyber-attacks not preventable with reasonable diligence, official orders, strikes) substantially impedes or prevents performance and lasts more than 30 days, both parties are entitled to extraordinary termination.
(6) Termination must be in writing or by electronic transmission by e-mail to the address on file.
§ 13 Data export and switching (EU Data Act)
(1) The Customer may export all of its data and digital assets from the Platform at any time. Export is in structured, common and machine-readable formats (JSON, CSV, PDF).
(2) Following termination, the Provider ensures full data export within a 30-day transition period and supports the Customer in migration.
(3) From 12 January 2027 no switching or data-egress fees will be charged (Art. 29 Regulation (EU) 2023/2854).
(4) The Provider publishes up-to-date documentation of the available export formats, API endpoints and data structures.
§ 14 Consequences of termination
(1) Following termination of the contract:
| Time | Action |
|---|---|
| Immediately | Account access is suspended |
| 30 days | Data export window for the Customer; thereafter complete deletion of all customer data |
| 60 days | Removal from backups |
(2) Statutory retention periods remain unaffected. This includes in particular:
- billing data: 10 years (§ 257 HGB, § 147 AO),
- Provider Audit Log: 36 months (EU AI Act Art. 19, 72).
(3) For Self-Managed or Private Cloud installations, the Customer must delete all copies of the software and confirm deletion in writing on request.
§ 15 Suspension of access
(1) The Provider may temporarily or permanently suspend the Customer's access where:
- a) there is reasonable suspicion of a breach of § 3.2 (high-risk use), § 3.5 (Safety-Critical Applications) or § 7.1(2) (prohibited content),
- b) the Customer is in arrears on due payments despite reminder,
- c) suspension is necessary to avert immediate risk to the Platform, other customers or third parties.
(2) The Provider informs the Customer without undue delay by e-mail of the suspension and its reasons. For temporary suspensions, access is restored once the cause has been removed.
(3) Permanent suspension constitutes extraordinary termination and entitles the Provider to immediate deletion of non-contractual content.
§ 16 AI transparency (Art. 50 EU AI Act)
(1) OneAI informs the user at the interface that they are interacting with an AI system and that responses are AI-generated (Art. 50(1) EU AI Act).
(2) Synthetic content generated by OneAI (text, images) is labelled as AI-generated. AI-generated images contain machine-readable metadata identifying them as synthetic content (Art. 50(2) EU AI Act).
(3) Exported documents include an AI disclaimer in the footer indicating AI generation.
(4) The Customer as Deployer is required to comply with its own Art. 50 obligations, in particular toward persons with whom it shares AI-generated content.
§ 17 Data processing and data protection
17.1 Data processing on behalf
(1) The Provider processes the personal data of the Customer's users on behalf of the Customer. The Customer is Controller under Art. 4(7) GDPR; the Provider is Processor under Art. 28 GDPR.
(2) Use of the Platform requires conclusion of a Data Processing Agreement (DPA) under Art. 28 GDPR. The DPA becomes part of the contract on acceptance of these ToU and is available at hub.oneai.eu/legal/avv.
(3) For certain own purposes (account administration, billing, anonymised Provider Audit Log, platform analytics, abuse prevention) the Provider acts as independent Controller. Details are set out in the privacy policy at hub.oneai.eu/legal/datenschutz.
17.2 No training on customer data
(4) The Provider never uses customer data to train its own or third-party AI models. This is contractually guaranteed and technically enforced.
17.3 Sub-processors
(5) The Provider engages external sub-processors. The current list is available at hub.oneai.eu/legal/subprocessors and is attached as Annex 1.
(6) Customers are notified of changes to the sub-processor list at least 30 days in advance by e-mail and have a right to object. If no agreement can be reached, the Customer has a right of extraordinary termination.
17.4 Third-country transfers
(7) Data is processed primarily in Germany (Hetzner Online GmbH, data centres Nuremberg/Falkenstein). Where data is transferred to US-based sub-processors (OpenAI, Anthropic, Stripe, etc.), this is based on EU Standard Contractual Clauses (SCCs) under Implementing Decision (EU) 2021/914 and supplementary technical measures (TLS encryption, zero data retention, contractual no-training clauses).
(8) Third-country transfer can be entirely avoided by exclusive use of Private Models and EU-based services (Mistral AI, Hetzner, weclapp).
§ 18 Dual Audit Log
(1) The Provider operates a dual audit-log system:
| Log | Purpose | Content | Retention | Access |
|---|---|---|---|---|
| Provider Log | Legal protection of the Provider, post-market monitoring (EU AI Act) | Anonymised (hashed tenant IDs), cross-tenant | 36 months (fixed) | Provider internal + regulators |
| Deployer Log | Customer compliance documentation | Full detail, single tenant | Plan-dependent (30 days – 12 months) | Org admins + their auditors |
(2) Both log systems are immutable (hash chain + database rules against UPDATE/DELETE) and ensure continuous traceability of all AI interactions.
(3) The Deployer Log is exportable by the Customer in CSV, JSON or PDF.
(4) Logged in particular: AI interactions (model selection, token consumption), risk classifications by the Compliance Copilot, blocked or escalated requests, user-management events, connector synchronisations and system events.
§ 19 Intellectual property and copyright
(1) All rights to the Platform (software, user interface, algorithms, documentation, trademarks) belong exclusively to the Provider. These ToU grant the Customer no ownership or other rights beyond the right of use granted in § 6.
(2) The Provider gives no warranty as to the freedom from copyright issues of AI-generated content. The third-party LLMs were trained on materials whose copyright status is not clear in every case. The Customer is responsible for reviewing and using the generated content.
(3) All rights remain with the Customer in content the Customer enters into the Platform. The Provider acquires only the rights of use mentioned in § 7.1(1) for performance of the contract.
§ 20 Confidentiality
(1) Both parties undertake to treat as confidential and not to disclose to third parties all confidential information of the other party obtained in connection with the contract (in particular trade secrets, technical know-how, customer data, algorithms, pricing, business strategies).
(2) The duty of confidentiality does not apply to information that:
- a) was already publicly known at the time of disclosure or becomes public without fault of the receiving party,
- b) was already known to the receiving party prior to disclosure,
- c) was independently developed by the receiving party,
- d) must be disclosed under legal or official order.
(3) The duty of confidentiality survives the end of the contract.
§ 21 Special provisions for regulated industries
(1) Financial sector (DORA – EU 2022/2554): For Customers subject to Regulation (EU) 2022/2554, the Provider provides a DORA addendum on request, addressing ICT risk-management requirements, reporting obligations and audit rights of the financial supervisor.
(2) Healthcare: Healthcare customers are recommended to use Private Models exclusively. A separate agreement on processing of special categories of personal data (Art. 9 GDPR) is required.
(3) Public administration: The Provider supports BSI IT-Grundschutz-compliant configurations and offers exclusive EU data processing (Mistral AI + Private Models + Hetzner).
§ 22 Deployment-specific terms
(1) These ToU apply in full to SaaS use at hub.oneai.eu.
(2) For Private Cloud installations, these ToU apply in addition to a separate Enterprise Agreement governing hosting, maintenance, SLA and compliance.
(3) For On-Premises installations, separate licence terms apply. In that case §§ 8, 9, 14 and 17 of these ToU are wholly or partly replaced by the licence agreement.
§ 23 Changes to services and Terms of Use
(1) The Provider may amend these ToU and the services offered where required by changed technical, legal or regulatory requirements (in particular changes to the EU AI Act, GDPR, EU Data Act) or justified by changes at LLM providers or in infrastructure costs.
(2) Changes are notified to the Customer by e-mail at least 6 weeks before the proposed effective date. The Customer's consent is deemed given unless the Customer objects in writing before the proposed date. The Provider will expressly notify the Customer of this consequence in the change notification.
(3) The Provider is not entitled to materially change the subject matter (principal performance obligations) by unilateral amendment.
§ 24 Final provisions
(1) Applicable law: German law applies, excluding the UN Convention on Contracts for the International Sale of Goods (CISG) and the conflict-of-laws rules of private international law.
(2) Jurisdiction: Exclusive place of jurisdiction for all disputes is the Provider's seat (Tübingen) where the Customer is a merchant, legal person under public law or special fund under public law or has its seat abroad.
(3) Language: The German version of these ToU is exclusively binding. Translations are for information only.
(4) Severability: Should individual provisions of these ToU be or become wholly or partly invalid, this does not affect the validity of the remaining provisions. The invalid provision is replaced by a valid provision that comes closest to the economic purpose of the invalid provision.
(5) Written-form clause: Amendments and supplements to these ToU require written form. This also applies to the waiver of this written-form clause.
Annex 1 – Sub-processor list (as of April 2026)
| No. | Provider | Location | Purpose | DPA | SCCs |
|---|---|---|---|---|---|
| 1 | OpenAI, L.L.C. | USA | LLM inference, embeddings, image generation | ✓ | ✓ |
| 2 | Anthropic, PBC | USA | LLM inference | ✓ | ✓ |
| 3 | Google LLC | USA/EU | LLM inference | ✓ | ✓ |
| 4 | Mistral AI | EU (FR) | LLM inference | ✓ | n/a |
| 5 | Exa.ai, Inc. | USA | Web search & URL crawling | ✓ |
Annex 2 – Intended Purpose Declaration (short form)
OneAI is a general AI governance and productivity platform for enterprises. It provides chat-based access to Large Language Models with integrated compliance monitoring, audit logging and data governance for EU enterprises.
OneAI is NOT designed, intended or marketed for use in any of the areas listed in Annex III of Regulation (EU) 2024/1689. Use of OneAI for Annex III purposes is a breach of these Terms of Use.
OneAI is also NOT designed, developed, tested or approved for use in safety-critical environments (hazardous environments), in particular not in nuclear facilities, aviation and air-traffic-control systems, weapons systems, life-support systems, autonomous transport, critical utilities infrastructure, chemical/petrochemical plants, space technology, emergency/disaster-response systems or safety-critical mining.
Pursuant to Art. 25(1)(c) EU AI Act, a Customer using OneAI for an unintended high-risk purpose may itself assume Provider obligations for the resulting high-risk AI system.
Annex 3 – Regulatory profile
| Regulation | Status | OneAI relevance | Deadline |
|---|---|---|---|
| GDPR | In force since 2018 | Direct – data processing on behalf | Go-live |
| EU AI Act – Transparency (Art. 50) | In force from 2 Aug 2026 | Direct – AI interaction | 2 Aug 2026 |
| EU AI Act – High-Risk (Annex III) | In force from 2 Aug 2026 | Strategy: exclusion | 2 Aug 2026 |
| EU Data Act | In force since 12 Sep 2025 | Direct – SaaS switching | Go-live |
| DDG (Imprint) | In force since May 2024 | Direct | Go-live |
| TDDDG (Cookies) | In force since May 2024 | Direct |
Disclaimer: These Terms of Use were prepared with reference to the General Terms and Conditions of oneAI GmbH (November 2025), Regulation (EU) 2024/1689 (EU AI Act), the GDPR and Regulation (EU) 2023/2854 (EU Data Act).
Created: 22 April 2026 · Version 1.1 · Provider: oneAI GmbH, Eisenbahnstraße 50, 72072 Tübingen
© 2026 oneAI GmbH. All rights reserved.