The terms that govern use of the Xertilox HR platform.
Last updated: June 2026 (v1.1)
Master Agreement | Compliance Services Terms
Xertilox Ltd
Company No. 14689245
48 Sutton Mill Road, Potton, Sandy, England, SG19 2QB
Confidential
This document forms the contractual terms for the provision of the Xertilox HR Platform and the optional provision of compliance and verification services through the platform. It comprises two parts: Part 1 (Master Agreement) and Part 2 (Compliance Services Terms). The processing of personal data is governed by the Xertilox HR Platform Data Processing Agreement (the "DPA"), a separate document incorporated into this Agreement by reference.
Parties and Formation of Agreement
This Agreement is made between Xertilox Ltd, a company incorporated in England and Wales with company number 14689245 and registered office at 48 Sutton Mill Road, Potton, Sandy, England, SG19 2QB ("Xertilox"), and the business customer identified in the applicable Order Form or otherwise using the Platform (the "Customer").
This Agreement becomes binding on the earlier of: (a) signature of an Order Form by or on behalf of the Customer; or (b) the Customer accessing, enabling, or using the Platform.
Individuals who access the Platform on the Customer’s behalf do so under the Customer’s authority. They are not parties to this Agreement and acquire no direct contractual rights against Xertilox under it.
Definitions and Interpretation
In this Agreement, unless the context otherwise requires:
| Agreement | these terms and conditions, including Part 1, Part 2 and Part 3, the DPA, and any Order Form; |
| Authorised User | any employee, worker, contractor, consultant or other individual authorised by the Customer to access or use the Platform; |
| Compliance Services | the identity, document, Right to Work, driving licence, endorsement, attribute, and related verification services made available by Xertilox through the Platform or related APIs; |
| Confidential Information | all confidential commercial, technical, operational, financial or legal information disclosed by one party to the other, whether in writing, orally or by any other means, excluding information that is or becomes public other than through breach of this Agreement; |
| Controller, Processor, Personal Data, Personal Data Breach and Data Subject | have the meanings given in applicable Data Protection Laws; |
| Customer Data | all data, records, documents, personal data and other materials submitted to, stored on, or processed through the Platform by or on behalf of the Customer; |
| Data Protection Laws | all applicable laws relating to privacy, data protection and the processing of personal data, including the UK GDPR, the Data Protection Act 2018 and, where applicable, the EU GDPR; |
| DPA | the Xertilox HR Platform Data Processing Agreement entered into between the parties, incorporated into this Agreement by reference, as updated from time to time in accordance with its terms; |
| Fees | the charges payable by the Customer for the Services as set out in the Order Form or otherwise agreed in writing; |
| Monthly Active User or MAU | a user counted for billing purposes in accordance with clause 6; |
| Order Form | the ordering document, proposal, statement of work, signed quotation or other written commercial document identifying the Services, Fees and any agreed commercial terms; |
| Platform | the Xertilox cloud-based HR software platform, whether accessed by web application, mobile application, API or related interface; |
| Services | the HR Platform services provided under Part 1 and, where applicable, the Compliance Services governed by Part 3; |
In this Agreement, references to "including", "for example" or similar words are illustrative and do not limit the generality of the preceding words. Clause headings are for convenience only and do not affect interpretation.
Scope of Services
Xertilox shall provide the Customer with access to the Platform as a cloud-based HR management solution. The Platform may include functionality relating to employee records, onboarding, document and workflow management, holiday and absence management, compliance tracking, reporting, notifications, integrations and other associated features as made available from time to time.
Subject to the terms of this Agreement, Xertilox grants the Customer a limited, non-exclusive, non-transferable and non-sublicensable right during the term of this Agreement to permit Authorised Users to access and use the Platform for the Customer’s internal business operations.
Xertilox may update, improve, modify, replace or withdraw features of the Platform from time to time. Xertilox shall use reasonable endeavours not to make any change that materially degrades the core functionality expressly identified in the applicable Order Form.
Optional Compliance Services
The Platform may provide access to Compliance Services. Compliance Services are optional and are governed by Part 3 of this Agreement.
Access to Compliance Services is conditional upon the Customer agreeing to Part 3. If the Customer does not agree to Part 3, Xertilox shall have no obligation to provide Compliance Services and any discounts, bundled pricing, incentive pricing or other commercial concessions linked to the inclusion of Compliance Services shall not apply.
For the avoidance of doubt, the Customer may continue to use the HR Platform under Part 1 without access to Compliance Services, subject to the agreed Fees being adjusted to remove any discount or pricing assumption connected to those services.
Authorised Users and Account Security
The Customer may authorise Authorised Users to access the Platform. The Customer is responsible for all acts and omissions of Authorised Users as if they were its own acts and omissions.
The Customer shall ensure that login credentials, API keys and other access methods are kept confidential and secure. The Customer shall promptly disable or remove access for any person who is no longer authorised to use the Platform.
The Customer shall notify Xertilox promptly if it becomes aware of any unauthorised access to the Platform, misuse of credentials, suspected security incident or other breach affecting the Services.
Fees, Billing and Monthly Active Users
The Customer shall pay the Fees in accordance with this Agreement and the relevant Order Form. Unless otherwise stated in the Order Form, Fees are calculated by reference to Monthly Active Users.
For each calendar month, a user counts as a Monthly Active User where that user’s profile has not been deleted and the user’s activity window overlaps that month. The activity window begins on profile creation and ends on the end of employment or, if earlier, suspension, archival or equivalent deactivation of the profile. This includes profiles created for future-dated hires. A user is not counted for a month only where there is no overlap between the activity window and that month.
Compliance Services, where enabled, are bundled into the HR Platform on a fair usage basis unless otherwise expressly stated in the Order Form. If usage materially exceeds reasonable, expected or recommended levels, Xertilox may, acting reasonably, introduce additional charges, suspend specific functionality pending agreement of revised charges, or require the parties to agree an amended commercial model.
All Fees are exclusive of VAT and any other applicable sales, use or similar taxes, which shall be payable by the Customer at the prevailing rate.
Payment Terms
Xertilox may invoice monthly in arrears unless the Order Form provides otherwise. The Customer shall pay all invoices in full, without set-off, counterclaim, deduction or withholding, within the payment period stated in the Order Form.
If any amount due remains unpaid after the due date, Xertilox may charge interest on the overdue amount at a rate of 4% per annum above the Bank of England base rate, accruing daily from the due date until payment is made in full.
Without prejudice to any other rights or remedies, Xertilox may suspend access to all or part of the Services where the Customer fails to pay undisputed amounts when due, having first given the Customer not less than 14 days’ written notice and an opportunity to pay.
Fair Usage
The Customer shall use the Platform and any bundled Compliance Services in a normal, proportionate and reasonable manner consistent with the intended use case and any implementation assumptions discussed between the parties.
Examples of usage which may be treated as exceeding fair usage include repeated or abnormal invocation of compliance checks, excessive automated calls to the API without prior agreement, or a pattern of use materially exceeding the assumptions underlying the agreed Fees.
Customer Obligations
The Customer shall: (a) comply with all applicable laws and regulations in connection with its use of the Services; (b) ensure that it has all necessary notices, consents, lawful bases and internal policies required to submit Customer Data to the Platform and to instruct Xertilox to process it; (c) ensure that Customer Data is accurate and up to date; and (d) use the Services only for lawful internal business purposes.
The Customer shall not, and shall not permit any third party to: (a) copy, modify or create derivative works from the Platform except as expressly permitted by law in England and Wales; (b) reverse engineer, decompile, disassemble or otherwise attempt to derive source code from the Platform; (c) interfere with, disrupt, probe or test the vulnerability of the Platform except as agreed in writing with Xertilox; (d) upload or transmit harmful code; or (e) use the Platform to build or support a competing product or service.
The Customer is solely responsible for its employment, compliance, hiring, onboarding and operational decisions and for how it uses outputs generated by the Platform or Compliance Services.
Trusted Network and Referrals
Xertilox may make available, within the Platform (excluding mobile applications), a curated network of third-party service providers ("Trusted Network") for business-to-business purposes.
Where enabled, the Customer may choose to access third-party services via referral links or introductions provided by Xertilox. Use of such services is entirely optional and at the Customer’s discretion. In particular:
limited business contact information (such as organisation name, contact name, and business email) may be shared with the relevant provider solely for the purpose of facilitating the requested introduction or service;
Xertilox may track referral activity for the purpose of administering the Trusted Network and calculating any applicable commercial commission or referral fee; and
Xertilox does not act as a party to any agreement between the Customer and the third-party provider and accepts no responsibility or liability for the services provided by such third parties.
The Customer acknowledges that all third-party services are governed by the terms and privacy policies of the relevant provider and that Xertilox does not control or assume responsibility for those services.
For the avoidance of doubt, Trusted Network functionality is not made available to individual end users via the Xertilox mobile applications and does not form part of the core HR or compliance services provided by Xertilox.
Data Protection
As between the parties, the Customer is the Controller of Customer Data containing Personal Data, and Xertilox is the Processor. The processing of Personal Data by Xertilox on behalf of the Customer is governed by the Xertilox HR Platform Data Processing Agreement (the "DPA"), which is incorporated into and forms part of this Agreement by reference. The current version of the DPA is provided with the Order Form and is available from Xertilox on request.
The DPA sets out the parties’ respective obligations in relation to security, sub-processors, data subject rights, breach notification, international transfers, and the return or deletion of Personal Data. In the event of conflict between the DPA and this Part 1 in relation to the processing of Personal Data, the DPA prevails.
Xertilox maintains its list of sub-processors separately. Xertilox may update the sub-processor list from time to time on not less than 30 days’ notice in accordance with the DPA. Updating the sub-processor list does not require re-execution of this Agreement or the DPA.
Where the Customer enables features that involve processing of special category data or biometric data, the Customer acknowledges that it is responsible for identifying and documenting the lawful basis and any additional condition required under applicable Data Protection Laws.
Certified Provider Status
Xertilox is a certified provider under the UK Digital Identity and Attributes Trust Framework and may carry out certain verification services in alignment with applicable government standards and certification scope.
Any certification or standards alignment held by Xertilox does not amount to legal advice and does not remove the Customer’s responsibility to determine whether the Services are suitable for the Customer’s own legal, regulatory, sector-specific or operational requirements.
AI-Assisted Functionality
Where AI-assisted or automated guidance features are made available within the Platform, such functionality is provided for general informational assistance only.
AI-assisted outputs do not constitute legal, HR, employment, immigration, compliance or professional advice. The Customer must not rely on them as a substitute for human judgement, internal approval processes or independent professional advice where required.
Unless separately agreed in writing, Xertilox does not use the Customer’s Personal Data to train general-purpose AI models.
Intellectual Property Rights
All intellectual property rights in and to the Platform, the Services, the underlying software, workflows, interfaces, documentation, know-how and materials supplied by Xertilox remain vested in Xertilox or its licensors.
Except for the limited rights expressly granted under this Agreement, no rights are granted to the Customer by implication, estoppel or otherwise.
The Customer retains ownership of Customer Data. The Customer grants Xertilox a non-exclusive right to host, copy, transmit, display and otherwise process Customer Data solely to the extent necessary to provide, secure, support and improve the Services for the Customer and to comply with applicable law.
Availability, Support and Changes
Xertilox shall use reasonable endeavours to make the Platform available on a continuous basis and targets 99.5% uptime, excluding planned maintenance, emergency maintenance and downtime caused by third party networks, internet failures or other matters outside Xertilox’s reasonable control. Service levels are set out in the Service Level Agreement Annex where one is agreed in the Order Form.
The Services are provided on an "as is" and "as available" basis. Xertilox does not warrant that the Services will be uninterrupted, error-free or free from delays.
Confidentiality
Each party shall keep the other party’s Confidential Information confidential and shall not use or disclose it except as necessary to perform this Agreement, to exercise its rights under it, or as required by law, regulation or court order.
Each party may disclose Confidential Information to its employees, professional advisers, contractors and group companies on a need-to-know basis, provided that such recipients are bound by obligations of confidence no less protective than those in this clause.
The obligations in this clause do not apply to information that: (a) is or becomes public other than through breach of this Agreement; (b) was lawfully known by the receiving party before disclosure; or (c) is lawfully received from a third party without restriction on use or disclosure.
Liability
Xertilox shall perform the Services with reasonable skill and care. However, except as expressly stated in this Agreement, all conditions, warranties, representations and other terms that might otherwise be implied by statute, common law or otherwise are excluded to the fullest extent permitted by law.
In particular, and without limitation, Xertilox does not warrant that: (a) the Platform will be uninterrupted or error-free; (b) any verification, screening or compliance result will be accurate, complete or suitable for a specific purpose; or (c) use of the Services will make the Customer compliant with any law, regulation, internal policy or third-party requirement.
The Customer must not rely on any output from the Services as the sole basis for employment, compliance, onboarding, access control, disciplinary, contractual or other business decisions.
Subject to the remaining provisions of this clause, Xertilox shall not be liable for any indirect, consequential or special loss, or for any loss of profit, revenue, business, contracts, goodwill, anticipated savings, use of data or business interruption.
Subject to the following clause, Xertilox’s total aggregate liability arising out of or in connection with this Agreement, whether in contract, negligence (including negligent acts or omissions), breach of statutory duty or otherwise, and including all liability relating to data protection, confidentiality and cyber security incidents, shall not exceed a sum equal to the total Fees paid by the Customer in the six (6) months immediately preceding the event giving rise to the claim.
Nothing in this Agreement excludes or limits liability for fraud or fraudulent misrepresentation, death or personal injury caused by negligence, or any other liability to the extent it cannot lawfully be excluded or limited.
Suspension and Termination
This Agreement continues until terminated in accordance with its terms. Unless the Order Form specifies a longer committed term, either party may terminate this Agreement on 30 days’ written notice.
Xertilox may suspend or terminate the Services immediately on written notice where: (a) the Customer fails to pay any undisputed amount when due and such failure continues for 14 days after notice; (b) the Customer commits a material breach of this Agreement which, if capable of remedy, it has failed to remedy within 30 days of written notice requiring it to do so; (c) Xertilox reasonably believes that the Customer’s use of the Services is unlawful, fraudulent, abusive or creates material security, legal or regulatory risk; or (d) continued provision of the Services would cause Xertilox to breach law or regulatory requirements.
Upon termination or expiry of this Agreement: (a) the rights granted to the Customer under it shall cease; (b) the Customer shall stop using the Services; (c) all outstanding Fees shall become immediately due and payable; and (d) Xertilox shall deal with Customer Data in accordance with the DPA.
Any provision which is expressed to survive, or which by implication is intended to survive, termination shall remain in full force and effect, including clauses relating to confidentiality, intellectual property, liability, accrued rights and payment obligations.
General
This Agreement constitutes the entire agreement between the parties in relation to its subject matter and supersedes all previous drafts, discussions, negotiations and understandings relating to it.
No variation to this Agreement is effective unless made in writing and agreed by both parties, except that Xertilox may update non-material operational or platform-specific terms on notice where reasonably necessary to reflect changes in the Services, provided no such update materially reduces the protections or commercial rights of the Customer without agreement.
The Customer may not assign, novate, transfer or otherwise dispose of any of its rights or obligations under this Agreement without Xertilox’s prior written consent. Xertilox may assign or transfer this Agreement to an affiliate or in connection with a corporate reorganisation, merger, acquisition or sale of all or substantially all of its business relating to the Services.
If any provision of this Agreement is held to be invalid, illegal or unenforceable, the remainder of the Agreement shall remain in effect.
A person who is not a party to this Agreement has no right under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this Agreement, except that an affiliate of Xertilox may enforce any provision expressly stated to benefit it.
Any notice under this Agreement shall be in writing and sent by email to the contact details set out in the Order Form or otherwise notified by the relevant party for contractual notices. Notices shall be deemed received at the time of transmission if sent during business hours in England, otherwise at 9:00 a.m. on the next business day.
This Agreement and any dispute or claim arising out of or in connection with it, including non-contractual disputes or claims, shall be governed by the laws of England and Wales. The courts of England and Wales shall have exclusive jurisdiction.
The processing of Personal Data by Xertilox on behalf of the Customer in connection with the Platform and the Services is governed by the Xertilox HR Platform Data Processing Agreement (the "DPA"), a separate document which is incorporated into and forms part of this Agreement by reference.
Incorporation of the DPA
The DPA sets out the parties’ obligations in respect of the processing of Personal Data, including roles, processing instructions, security measures, sub-processors, assistance with data subject rights, personal data breach notification, international transfers, audit, and the return or deletion of Personal Data on termination. The DPA satisfies the requirements of Article 28 of the UK GDPR.
The current version of the DPA is provided with the Order Form and is available from Xertilox on request. The DPA may be updated to reflect changes in applicable law or Xertilox’s sub-processors in accordance with its terms; updates to the sub-processor list are made by notice and do not require re-execution of this Agreement or the DPA.
In the event of any conflict between the DPA and any other part of this Agreement in relation to the processing of Personal Data, the DPA prevails to the extent of the conflict.
This Part 3 applies only where the Customer elects to use Compliance Services. If the Customer does not accept this Part 3, Compliance Services will not be made available and any discount or pricing assumption linked to them will not apply.
Scope
This Part 3 governs the Customer’s access to and use of Compliance Services through the Platform, including any API, embedded workflow, user interface, or other delivery method made available by Xertilox.
Except as varied by this Part 3, the provisions of Part 1 continue to apply to Compliance Services.
Nature of Compliance Services
Compliance Services may include identity verification, document verification, Right to Work checks, driving licence checks, endorsement checks, attribute verification, document capture workflows, fraud-prevention controls, and related services as made available by Xertilox from time to time.
The number, type and availability of checks, attributes and jurisdictions supported by the Compliance Services may change from time to time. Xertilox does not guarantee that any particular check, source, document type, workflow or jurisdiction will remain available.
Customer Responsibilities for Compliance Services
The Customer is solely responsible for ensuring that it has the legal entitlement, lawful basis and internal authority required to request and use Compliance Services in relation to any individual.
The Customer shall ensure that its own terms, notices, privacy information, internal policies and operational processes are sufficient for its intended use of Compliance Services and comply with all applicable laws and sector requirements.
The Customer remains solely responsible for any hiring, onboarding, employment, access, compliance, safeguarding, disciplinary, contracting or other business decisions taken by it, whether or not informed by outputs from the Compliance Services.
Use Restrictions
The Customer shall use Compliance Services only for proper and lawful business purposes and only in accordance with this Agreement.
The Customer shall not: (a) resell, sublicense, lease, share or otherwise make available any output, result, attribute or report from the Compliance Services to any third party except where strictly necessary for the Customer’s own internal compliance process and permitted by law; (b) reverse engineer or attempt to discover the underlying logic or source code of the Compliance Services; (c) use the Compliance Services to build a competing product or service; (d) use the Compliance Services, or outputs from them, to train a machine learning model unless Xertilox expressly agrees otherwise in writing; or (e) use the Compliance Services in any unlawful, discriminatory, unfair or improper manner.
Verification Outputs and Reliance
Xertilox will perform Compliance Services with reasonable skill and care. However, Xertilox does not guarantee that any data, attribute, document check, verification result, endorsement result or other output is true, complete, accurate, current or suitable for the Customer’s specific purpose.
The Customer acknowledges that compliance and verification outputs may depend on information provided by third parties, public bodies, issuing authorities, data providers, document quality, device quality, user behaviour and other variables outside Xertilox’s direct control.
All outputs are provided to support the Customer’s own decision-making process and must not be treated as determinative or as a substitute for the Customer’s own assessment, human review or legal obligations.
Third Party Providers and Data Sources
Compliance Services may incorporate or depend upon third-party services, data sources, issuing authorities, infrastructure providers, identity technology providers, email providers or other external systems.
Xertilox does not guarantee the availability, performance, completeness or accuracy of any third-party service or data source and shall not be liable for any failure or inaccuracy arising from those dependencies, except to the extent caused by Xertilox’s own breach of this Agreement.
Charging Model
Unless otherwise stated in the Order Form, Compliance Services made available through the HR Platform are bundled on a fair usage basis.
If the Customer’s usage becomes materially excessive, abnormal, technically burdensome or commercially inconsistent with the agreed charging model, Xertilox may require the parties to agree revised Fees or may suspend the relevant Compliance Services on written notice if no revised commercial agreement is reached within a reasonable period.
Suspension of Compliance Services
Without affecting its rights under Part 1, Xertilox may suspend access to some or all Compliance Services immediately where it reasonably considers that: (a) the Customer is using them unlawfully or outside the agreed purpose; (b) payment obligations have not been met; (c) continued processing presents a security, fraud, legal or regulatory risk; (d) a third-party dependency has withdrawn or restricted service; or (e) suspension is necessary to protect Xertilox, the Customer, individuals or other users of the Services.
Where reasonably practicable, Xertilox shall notify the Customer of the suspension and the grounds for it.
Relationship with Part 1
This Part 3 forms a separate and conditional component of the Agreement. If the Customer does not agree to this Part 3, Compliance Services will not be made available and any discount or pricing concession linked to those services shall be removed.
If there is any inconsistency between Part 1 and this Part 3 in relation to Compliance Services, this Part 3 shall prevail to the extent of that inconsistency.
