Acceptance
By accessing veliro.com or using the Veliro Platform you accept and agree to these Terms of Use. If you are accepting these terms on behalf of an organization (your employer, a customer, or a partner), you represent that you have authority to bind that organization, and the word “you” in these terms refers to that organization.
If you do not agree with any part of these terms, do not use the marketing site or the Veliro Platform. Continued use after the effective date of any update constitutes acceptance of the updated terms.
Scope
These terms govern your use of the marketing site at veliro.com and, for paid customers, of the Veliro Platform (the API, the Console, the SDKs, the sandbox, and associated documentation).
Paid customers contract on a Master Services Agreement (MSA), the primary commercial contract with Veliro, and a Data Processing Addendum (DPA), which sets out the processor terms for customer personal data, each signed at the time of order. These Terms of Use apply to all use of the marketing site and to any use of the Platform not expressly addressed by the MSA. In the event of a conflict between these terms and the MSA, the MSA controls; in the event of a conflict between these terms and the DPA, the DPA controls for data-protection matters.
Account terms
Veliro provisions one tenant account per contracting organization. User accounts within that tenant are administered by your designated administrators via the Console.
You are responsible for safeguarding your access credentials, including passwords, API keys, and signing keys, and for all activity carried out under them. Notify security@veliro.com within 24 hours of any suspected compromise so we can rotate keys and assist with containment.
Sandbox API keys are scoped read/write to the sandbox tenant only. They cannot authorize a production transaction, provision a production token, or read production data; production access requires a separately issued production key bound to the named tenant in the order form.
Acceptable use
The Veliro Platform is operated as a regulated service. The following uses are prohibited and will result in suspension, termination, and where appropriate, referral to law enforcement or the card networks:
- Tokenizing card data that you do not have lawful authority to process.
- Attempting to circumvent vault tenancy, access another tenant’s data, or escalate privilege beyond the scopes provisioned for your account.
- Reverse engineering, decompiling, or attempting to derive the source code, cryptographic seeds, or model weights of any Veliro component, except to the limited extent permitted by mandatory law.
- Using the service to violate card network rules, including Mastercard, Visa, and American Express operating regulations, or any applicable law in the jurisdiction of the cardholder, the merchant, or your operations.
- Training machine-learning models on PAN-bearing payloads (PAN: Primary Account Number, the raw card number), transaction histories, or cryptograms emitted by the Platform.
- Using the Platform to send unsolicited communications, to host content that infringes third-party rights, or to facilitate any activity that is unlawful in a jurisdiction where the activity occurs.
We will give you written notice and a reasonable opportunity to cure where the violation is curable and a cure can be effected without further harm; in cases involving imminent risk to the card networks, to other customers, or to cardholders, we may suspend access without prior notice.
Service availability
Availability targets for the production API are defined in the Service Level Agreement attached to the order form and measured against the methodology published alongside it. Live status and a trailing 90-day history are available at status.veliro.com.
Planned maintenance is announced at least 7 days in advance through the status page and via email to the technical contact on file. Emergency maintenance is carried out only where required to preserve service integrity or to apply a security fix, and is documented in a written post-event notice within 5 business days.
Service credits for missed availability targets are issued in accordance with the Service Level Agreement (SLA), which sets the availability targets and service credits. Credits are the sole remedy for availability shortfalls and are not refundable in cash.
Fees and billing
Fees are set in the order form executed under the MSA. The default fee shape is a per-token usage fee plus a monthly platform fee, billed monthly in arrears with net-30 payment terms in US dollars unless an alternative currency is agreed in writing.
Veliro may revise fees with at least 60 days’ written notice, taking effect at the next renewal. Invoice disputes must be raised in writing within 30 days of the invoice date; undisputed amounts remain due on the original date.
Taxes are exclusive of fees and will be added where applicable. You are responsible for any withholding tax obligation in your jurisdiction.
Intellectual property
Veliro retains all right, title, and interest in and to the Veliro Platform, including the API surface, the Console, the SDKs, the documentation, the diagrams, the marketing site content, and any improvements derived from operation of the service. No license is granted by implication or estoppel.
You retain all right, title, and interest in and to your data, your configuration, and any content you upload through the Platform. You grant Veliro a limited, non-exclusive license to process that data solely as needed to deliver the Platform under the MSA and the DPA.
Veliro may use aggregated, anonymized metrics derived from operation of the service (for example, aggregate request volumes, latency distributions, and error rates) to operate, improve, and report on the Platform. No personally identifying or customer-identifying information is included in any such metric. Customer logos and customer references may be used by Veliro only with the customer’s separate written consent.
Confidentiality
Each party will protect the other party’s confidential information using at least the same degree of care it uses to protect its own confidential information of like importance, and no less than a reasonable degree of care. Confidential information may be used only to perform the obligations under these terms and the MSA.
Obligations of confidentiality survive for 5 years after the disclosure, except in respect of trade secrets, which survive for as long as the information qualifies as a trade secret under applicable law. Standard exceptions apply for information that is or becomes public through no breach, was already known without obligation of confidence, is independently developed, or is required to be disclosed under law (in which case the receiving party will give prompt notice where legally permitted).
Warranties and disclaimers
Veliro warrants that during the term the Veliro Platform will materially conform to the documentation published at the URL referenced in the order form. Veliro’s sole obligation, and your sole remedy, for a breach of this warranty is for Veliro to use reasonable efforts to remedy the non-conformance; if Veliro is unable to do so within a commercially reasonable period, you may terminate the affected order form and receive a pro-rata refund of pre-paid fees.
Except for the express warranty above, the Veliro Platform is provided “as is”. To the maximum extent permitted by law, Veliro disclaims all other warranties, whether express, implied, statutory, or otherwise, including the implied warranties of merchantability, fitness for a particular purpose, title, and non-infringement.
Indemnification
Veliro will defend you against any third-party claim alleging that the Veliro Platform, as provided by Veliro and used in accordance with these terms and the MSA, infringes the third party’s intellectual property rights, and will indemnify you for damages and costs finally awarded against you by a court of competent jurisdiction or agreed in a settlement approved by Veliro in writing.
You will defend Veliro against any third-party claim arising out of your misuse of the Platform, your violation of the acceptable-use provisions, your breach of these terms, or the content of data you introduce into the Platform, and will indemnify Veliro for damages and costs finally awarded or agreed.
Indemnification is conditioned on (a) prompt written notice of the claim, (b) sole control of defense and settlement by the indemnifying party, and (c) reasonable cooperation by the indemnified party at the indemnifying party’s expense.
Limitation of liability
Except for liability arising out of fraud, willful misconduct, breach of the confidentiality provisions, or Veliro’s indemnification obligations above, each party’s aggregate liability under these terms and the MSA is capped at the fees paid or payable by you to Veliro in the 12 months immediately preceding the event giving rise to the claim.
Neither party will be liable for any indirect, incidental, consequential, special, exemplary, or punitive damages, or for loss of profits, revenue, data, or goodwill, even if advised of the possibility. The exclusions and limitations in this section apply to the maximum extent permitted by law.
Term and termination
Unless otherwise agreed in the order form, the initial term of each order form is 12 months, automatically renewing for successive 12-month terms unless either party gives written non-renewal notice at least 60 days before the current term ends.
Either party may terminate an order form for material breach by the other party if the breach is not cured within 30 days of written notice describing the breach. Veliro may terminate immediately for any breach of the acceptable-use provisions that creates imminent risk to the card networks, to other customers, or to cardholders.
On termination, all rights granted under the affected order form cease. Veliro will, on written request received within 60 days of termination, return or destroy customer data in accordance with the DPA. After 60 days, Veliro may destroy customer data routinely, except where retention is required by law or to enforce these terms.
Governing law and venue
These terms are governed by the laws of the State of Delaware, United States, without regard to its conflict-of-laws principles. The United Nations Convention on Contracts for the International Sale of Goods does not apply.
The exclusive jurisdiction and venue for any dispute arising out of or relating to these terms is the state and federal courts located in Wilmington, Delaware, and each party submits to the personal jurisdiction of those courts. For cross-border customers that have elected the UNCITRAL Arbitration Rules in the order form, disputes will be resolved by arbitration in accordance with those rules in the seat designated in the order form.
Changes to these terms
Veliro may update these terms from time to time. Material changes will be announced at least 30 days before they take effect, by notice on this page and by email to active customers. Non-material changes (clarifications, typographical corrections) take effect on the date of posting.
Your continued use of veliro.com or the Veliro Platform after the effective date of any update constitutes acceptance of the updated terms. If you do not agree, you should stop using the service and contact legal@veliro.com to discuss next steps.
Contact and notices
Operational and commercial notices should be sent to legal@veliro.com. Formal legal notices must be sent in writing by courier with proof of delivery to:
Veliro Inc.
Attn: General Counsel
525 Market Street, 23F
San Francisco, CA 94105
United States
Notices to you will be sent to the contact addresses on file under the order form, or, in the absence of an order form, to the email address you provided when you most recently interacted with the marketing site or the Console. A notice is deemed given on receipt for courier delivery and on the date sent for email, provided no bounce or delivery failure is received.
Related policies: Privacy policy, Security & trust. The Master Services Agreement, Data Processing Addendum, and Service Level Agreement are available through the trust center for authenticated procurement contacts.