Stella – User Terms

1. Scope & Parties

These User Terms (“Terms”) govern the relationship between Stella (“Stella”, “we”, “us”, “our”) and the entity or individual (“Customer”, “user”, “you”, “your”) using or accessing the Stella service (“Service”). Please read these Terms carefully together with our other applicable policies, which describe how we handle your data. Together, the Terms, Privacy Policy, and any applicable Order Form constitute the single binding agreement between you and Stella (“Agreement”).

The Service is provided by Datainsite Oy (“Company”).

Business ID: 3221367−6

Address: c/o Villageworks

Hämeentie 31

00500 HELSINKI

If you create a partner account or upload, publish, or share content (such as PDFs, reports, or other files) with other users or organizations through the Service, additional role-specific obligations apply. These obligations govern publishing, sharing, access control, and inter-organizational responsibilities and are set out in these Terms, including the sections on user roles, acceptable use, data protection, and liability.

You must be at least 18 years old to use the Service. If you are using the Service on behalf of a minor, you must be their parent or legal guardian, agree to these Terms, and understand that references to “you” in these Terms apply both to you personally and, where applicable, to the minor you represent.

2. Users & Roles

The Service supports multiple user roles, each with different permissions, responsibilities, and levels of access. Your rights and obligations under these Terms may vary depending on the role assigned to your account. Role-specific terms, permissions, and limitations are described in the sections below and form an integral part of these Terms.

Administrator is a user authorized by Datainsite Oy to manage, operate, and maintain the Service on behalf of the Company. Admins have elevated access to system-level features, which may include configuring platform settings, managing users and roles, monitoring system performance, providing support, enforcing policies, and maintaining the security and integrity of the Service.

Owner is a user with primary authority within a specific partner or organization on the Service. Partner Owners are granted elevated permissions to manage their partner’s users, content, and configuration, and to oversee access and activity within their own partner environment. Their authority is limited to the partner they represent and does not extend to other partners or to system-wide settings controlled by the Company.

A Super User is a user with advanced operational privileges within a specific partner or organization on the Service. Super Users are authorized to manage partner-level content and access permissions and to support the ongoing use and maintenance of reports and files within their partner environment. Their authority is limited to the partner they are assigned to and does not include partner ownership or system-level administration.

A Report-Level Super User is a user granted elevated permissions for one or more specific reports within a partner environment. This role allows the user to manage access, configuration, and maintenance of the assigned reports only. Report-Level Super User permissions are limited in scope and do not extend to other reports, partner-wide settings, or administrative functions.

A User is a standard user authorized to access and use reports or files that have been explicitly shared with them within a partner environment. Users may view content and interact with available features as permitted by their assigned access rights and report settings. This role does not include management, configuration, or administrative privileges.

Regardless of assigned role, all users of the Service are subject to the following system-wide behaviours and controls.

The Service applies uniform security measures to protect the integrity, availability, and confidentiality of the platform and its data. These measures include authentication requirements, encrypted communications, role-based access enforcement, and technical safeguards designed to prevent unauthorized access, misuse, or modification of the Service. User actions within the Service may be monitored, logged, and audited for security, operational, and compliance purposes.

The Service maintains logs and audit records related to user activity, which may include authentication events, access changes, content creation or modification, and administrative actions. These records are used to support security, compliance, troubleshooting, and operational oversight.

Records related to content, access, and user activity that are removed from active use within the Service may be retained for a limited period in accordance with Stella’s data retention policies.

Audit logs and security-relevant activity records are retained for up to 730 days to support security monitoring, compliance, auditing, and investigation obligations.

Other data, including uploaded files, reports, access records, and associated metadata, is retained for up to 30 days following deletion or deactivation to support operational integrity, error recovery, and account-related processes.

During the applicable retention periods, such data may remain technically recoverable. Permanent deletion occurs automatically upon expiration of the relevant retention period, after which recovery is no longer possible.

3. Fees and Payment

Certain roles within the Service, including the Super User role, are offered on a per-seat subscription basis (“Super User Seats”). Each Super User Seat allows one user to be assigned Super User privileges within an organization.

The applicable fees for Super User Seats are specified in the applicable order form, subscription agreement, or pricing plan agreed between the parties (“Fees”). Fees are charged based on the number of Super User Seats allocated to the partner account during the applicable billing period, regardless of whether the assigned users actively use the Service.

Partner Owners are responsible for allocating, managing, and reassigning Super User Seats within their organization. Assigning a user to a Super User Seat constitutes acceptance of the applicable Fees for that seat. Removing a user from a Super User Seat does not automatically reduce Fees unless and until the total number of licensed seats is adjusted in accordance with the applicable subscription terms.

Where the number of Super User Seats is increased or decreased during an active billing period, the applicable Fees may be adjusted on a prorated basis to reflect the portion of the billing period during which the seats were allocated, as reflected in the applicable invoice.

The Company reserves the right to modify pricing, seat limits, or role availability upon prior notice, in accordance with these Terms and any applicable subscription or order agreement.

4. Account, Eligibility & Security

Subject to these Terms, we grant you a limited, non-exclusive, non-transferable license to access and use our Service. We reserve the right to modify, suspend, or terminate any part of the Service at any time without prior notice. You agree not to use the Service in any way that could damage its functionality or accessibility.

You must provide accurate information and keep your credentials secure. You are responsible for activity under your account.

The Service is intended solely for business use. To the extent a user qualifies as a consumer under applicable law, nothing in these Terms limits mandatory rights under Finnish consumer protection legislation. No other consumer protection laws or regimes shall apply.

We may verify email ownership and require multi-factor authentication when available.

To access our Service, you must complete account registration on the website and ensure that the personal information you provide is accurate, up-to-date, and complete. You must promptly update any changes and must not impersonate others or provide false information. Your login credentials (e.g., username, password, access keys) must remain confidential, and you are responsible for all activities conducted under your account. If you detect unauthorized use or security breaches, you must notify us immediately. We reserve the right to disable your account if you violate these Terms or provide false information. By using our Service, you consent to our collection and use of information about you and your device to improve our products and provide Service. You are responsible for maintaining the confidentiality of your account and for activities under your account and agree to notify us immediately upon discovering unauthorized use or security issues.

5. Acceptable Use

5.1 User Responsibility for Configuration and Sharing

You are responsible for configuring and managing access rights, permissions, roles, and visibility settings within the Stella platform for your user accounts and Partner Account.

Stella provides technical tools that enable you to upload, share, and control access to content. However, Stella does not verify the correctness, appropriateness, or suitability of access configurations, permission settings, or sharing decisions selected by you.

Stella is not responsible for any disclosure, access, or use of Customer Content resulting from your configuration choices, including but not limited to granting access to unintended users, misinterpreting platform settings, or sharing content at an unintended time, except to the extent such disclosure or use is caused by Stella’s breach of these Terms or applicable law.

You remain solely responsible for ensuring that access configurations, sharing decisions, and use of the Service reflect your intended purposes and comply with your internal policies, contractual obligations, and applicable laws.

5.2 Prohibited Use

It is strictly prohibited to use the Service for any unlawful, harmful, infringing, privacy-violating activities or regulatory violations. Unauthorized access to the Service systems, user accounts, or related networks is forbidden. Additionally, you are prohibited from uploading or transmitting content containing viruses, malicious code, or anything that could harm computer system functionality. Attempts to bypass security, probe the systems, or disrupt the Service are prohibited. You may not upload content that you are not authorized to share. Users must also respect applicable export controls and confidentiality obligations.

Furthermore, according to our general usage standards, you may not use the Service to:

• Endanger Child Safety, including but not limited to: creating, distributing, or promoting child sexual abuse materials; facilitating human trafficking, sexual extortion, or any form of exploitation involving minors; facilitating grooming of minors, including generating content intended to impersonate minors; depicting or promoting any form of child abuse; advocating or promoting pedophilic relationships; or sexualizing minors.
• Disrupt Critical Infrastructure including but not limited to: promoting the destruction or disruption of critical infrastructure such as power grids, water treatment facilities, telecommunications networks, or air traffic control systems; unauthorized access to critical systems such as voting machines, medical databases, and financial markets; or interfering with the operations of military bases and related infrastructure.
• Incite Violence or Hate, including but not limited to: inciting, promoting, or advocating violent extremism, terrorism, or hateful conduct; expressing support for organizations or individuals associated with violent extremism, terrorism, or hateful conduct; promoting or advocating violence or intimidation against individuals, groups, animals, or property; or promoting discriminatory behavior based on race, ethnicity, religion, nationality, gender, sexual orientation, or any other identity characteristic.
• Violate Privacy or Identity, including but not limited to: manufacturing, modifying, designing, selling, or distributing weapons, explosives, hazardous materials, or other systems intended to cause harm; or engaging in any illegal activities, such as using, obtaining, or exchanging illegal and controlled substances.
• Create or Facilitate Illegal or Regulated Goods, including but not limited to: promoting or concealing any form of self-harm; promoting unhealthy or unattainable body images or beauty standards; shaming, insulting, intimidating, bullying, or harassing individuals; coordinating harassment or intimidation against individuals or groups; generating content depicting sexual violence; or generating content depicting animal cruelty.
• Create Psychologically or Emotionally Harmful Content, including but not limited to: creating and disseminating deceptive or misleading information about groups, entities, or individuals; creating and disseminating deceptive or misleading information about laws, regulations, procedures, practices, institutions, entities, or standards set by governing bodies; or providing false or misleading information related to medical, health, or scientific issues.
• Spread False or Misleading Information, including but not limited to: creating and disseminating deceptive or misleading information about groups, entities, or individuals; creating and disseminating deceptive or misleading information about laws, regulations, procedures, practices, institutions, entities, or standards set by governing bodies; or providing false or misleading information related to medical, health, or scientific issues.
• Engage in Political Activity or Election Interference, including but not limited to: advocating or supporting specific political candidates, parties, issues, or positions; engaging in political lobbying to actively influence decisions of government officials, legislators, or regulatory bodies; or inciting, glorifying, or promoting disruption of elections or civic processes.
• Use for Criminal Justice, Law Enforcement, Censorship, or Surveillance Purposes, including but not limited to: making decisions for criminal justice applications; tracking an individual’s physical location, emotional state, or communications without consent; or analyzing or identifying specific content for censorship purposes on behalf of governmental organizations.
• Engage in Fraud or Abuse, including but not limited to: facilitating forgery, acquisition, or distribution of counterfeit or illegally obtained goods; facilitating or promoting the generation or distribution of spam; or generating content for fraudulent activities, schemes, scams, phishing, or malware.
• Abuse the Platform, including but not limited to: coordinating malicious activities across multiple accounts; using automation to create accounts or engage in spam behaviour.

6. Intellectual Property

We and our licensors retain all rights in the Service. These Terms do not transfer ownership of our software or trademarks. Subject to your compliance with these Terms of Service and payment of any applicable fees, we grant you a global, revocable, non-exclusive, non-sublicensable, and non-transferable right to use the Service during the subscription term, in accordance with the provisions of these Terms of Service.

You retain rights in the content you lawfully upload, subject to these Terms.

7. Third-Party Services

The Service integrates or relies on third-party platforms, including:

• Microsoft Azure, used for cloud infrastructure and hosting, configured to use data center regions within the European Economic Area (EEA).
• Microsoft Power BI / Fabric, used for embedded analytics and report rendering. Microsoft Fabric is configured in accordance with the EU Data Boundary, and Customer Lockbox is enabled. Customer-Managed Encryption Keys (CMEK) are currently not supported in Microsoft Fabric.
• Mailgun, used for transactional email delivery. Email data may be processed in the European Union or the United States depending on configuration and routing.
• OpenAI API, used to power support chat and assistance features within the Service. OpenAI does not have direct access to Customer Content stored within Stella, and customer files, reports, and documents are not made available to OpenAI as part of normal Service operation.
• Stripe, used for payment processing, subscription management, and billing. Stripe processes and stores payment card information and subscription-related data in accordance with its own security standards and compliance obligations.

Use of third-party services is subject to the applicable terms and policies of those third-party providers.

8. Privacy, Storage & Retention

We process personal data in accordance with the EU General Data Protection Regulation (GDPR), UK GDPR and Finnish law. See our Privacy Policy and Data Processing Agreement for full details.

8.1 Storage & Location

Stella configures its core infrastructure to store and process customer content – including uploaded files, reports, documents, and other shared materials – within the European Economic Area (“EEA”), using EU-based data center regions operated by its cloud services providers.

While Stella does not own or operate the underlying data center infrastructure, it applies reasonable technical and organizational measures within its control to ensure that customer content remains stored and processed within the EEA. Such measures include, for example:

• Configuration of cloud services to use EU-based data center regions
• Use of locally redundant storage and controlled data replication within selected regions
• Encryption of data at rest and in transit using industry-standard encryption mechanisms provided by the cloud services provider
• Use of managed encryption key Service and restricted administrative access controls
• Limiting access to customer content to authorized Stella personnel and the applicable partner account, based on role-based access controls; and
• Logical separation of core customer content storage from third-party services such as email delivery and customer support tools.

Certain third-party services providers used for ancillary functions — such as email delivery, authentication support, billing, or customer support — may process limited personal data outside the EEA or the United Kingdom. Such personal data may include user identifiers (e.g. email addresses), account metadata, and support communications, but does not include customer content (e.g. uploaded files, reports, documents, or other shared materials).

Where personal data is transferred outside the EEA or the United Kingdom, Stella ensures that appropriate safeguards are in place in accordance with applicable data protection laws, including but not limited to:

• Adequacy decisions issued by the European Commission or the UK Government;
• Standard Contractual Clauses or International Data Transfer Agreements, as applicable; and
• Supplementary technical and organizational measures designed to protect personal data.

Stella processes personal data only for lawful purposes and in accordance with applicable data protection laws, including the EU General Data Protection Regulation (Regulation (EU) 2016/679), the UK General Data Protection Regulation, and other applicable privacy laws.

We implement reasonable administrative, technical, and physical safeguards to protect personal data against unauthorized access, loss, misuse, or disclosure. Personal data is retained only for as long as necessary to fulfil the purposes for which it was collected, to comply with legal obligations, or to resolve disputes, unless a longer retention period is required or permitted by law.

8.2 Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected and processed, including to provide our Service, comply with legal and regulatory obligations, resolve disputes, and enforce our agreements. Retention periods are determined based on the nature of the data, the purposes of processing, and applicable legal requirements. Personal data is securely deleted, anonymized, or otherwise disposed of when it is no longer required for these purposes, unless a longer retention period is required or permitted by law.

The following data is retained:

• Account records: for the duration of the account and a limited period after closure for security, auditing, and legal claims.
• Audit logs: retained for up to 730 days, unless extended due to investigations or legal obligations.
• Support tickets: retained as necessary to resolve and evidence support requests.

9. Security

We implement technical and organisational security measures designed in accordance with generally recognized information security best practices, including principles reflected in standards such as ISO/IEC 27001 and SOC 2. These measures include access controls, encryption, least privilege, and continuous monitoring.

10. Service Availability & Support

We strive for high availability but do not guarantee uninterrupted Service. Planned maintenance and urgent security work may occur. Support is available at support@stella-portal.com.

11. Warranties & Liability

The Service is provided “as is”. To the maximum extent permitted by applicable law, we disclaim warranties of merchantability, fitness for a particular purpose, and non-infringement. We are not liable for indirect or consequential losses, loss of profits, or loss of data, subject to mandatory law. Nothing excludes liability that cannot be excluded under Finnish law.

• Will be provided without interruptions
• Will operate properly on any specific computer system or browser
• Will generate content that is always accurate, complete, reliable, secure, useful, or timely
• Is suitable for your or any third party’s use
• Fully complies with all applicable laws or regulations

12. Suspension & Termination

12.1 Suspension or Termination by the Company

We may suspend or terminate access to the Service, in whole or in part, where reasonably necessary due to:

• a material breach of these Terms;
• misuse of the Service or violation of applicable laws;
• security risks or technical threats;
• compliance with legal obligations or authority requests; or
• discontinuation of the Service, force majeure, or insolvency of the Company.

Where reasonably practicable, we will provide advance notice of suspension or termination and, where applicable, an opportunity to remedy the issue. Immediate suspension or termination may occur without prior notice where required to protect the Service, users, or comply with law.

12.2 Effect of Suspension or Termination

Upon suspension or termination, your right to access and use the Service will cease. Unless suspension or termination occurs due to unlawful use or security-critical reasons, reasonable efforts will be made to allow you to access or export your content for a limited period prior to account closure, in accordance with applicable retention policies.

Termination does not affect any rights or obligations that by their nature are intended to survive termination, including provisions relating to data retention, liability, and dispute resolution.

12.3 Termination by the User

You may terminate your use of the Service at any time by deleting your user account and/or Partner Account through the Service, where available, or by requesting account closure from the Company. Residual data and audit logs may be retained in accordance with Section 8.2 and applicable laws.

13. Indemnification

You agree to indemnify and hold harmless Datainsite Oy, its possible parent company, subsidiaries, affiliates, officers, and employees from any claims or demands (including but not limited to all damages, liabilities, settlements, costs, and attorney fees) arising from your access to or use of the Stella service, your violation of this agreement, or any infringement of intellectual property or other rights of any individual or entity by you or any third party using your account.

14. Limitation of Liability

Notwithstanding anything to the contrary and to the fullest extent permitted by law, under no circumstances shall either party, its affiliates, or any licensors or suppliers of Stella be liable for:

• Any consequential, indirect, special, incidental, or punitive damages;
• Any loss of profits, business, revenue, anticipated savings, or unnecessary expenses;
• Any loss, damage, or interruption of data, systems, reputation, or goodwill;
• The cost of procuring substitute goods or services.

To the fullest extent permitted by law, the aggregate liability of Datainsite Oy and its affiliates under or in connection with this agreement, the software, and the Service shall not exceed the total amount you actually paid to Datainsite Oy under this agreement in the three (3) months preceding the event giving rise to the liability (if any).

The above exclusions and limitations shall apply:

• To the fullest extent permitted by applicable law;
• Even if a party has been advised of, or should have been aware of, the possibility of such losses, damages, or costs;
• Even if any remedy provided in this agreement fails of its essential purpose;
• Regardless of the theory or basis of liability, whether in contract, tort (including negligence or breach of statutory duty), misrepresentation, restitution, or otherwise.

15. Changes to These Terms

We may update these Terms to reflect legal, technical, or business changes. Material changes will be notified in advance where practicable. The current version is identified at the top and requires acceptance upon next sign-in.

16. Governing Law & Disputes

This Agreement shall be governed by Finnish law, excluding the provisions regarding the Rules of Conflict.

Any dispute, controversy or claim arising out of or relating to this contract, or the breach, termination or validity thereof, shall be finally settled by arbitration in accordance with the Arbitration Rules of the Finland Chamber of Commerce.

The number of arbitrators shall be one. The seat of arbitration shall be Helsinki, Finland.

The language of the arbitration shall be English.

17. Contact

Datainsite Oy

c/o Villageworks

Hämeentie 31

00500 HELSINKI

Email: support@stella-portal.com

Business ID (Y-tunnus): 3221367-6

18. Acceptance

By creating an account, signing in, or clicking “I agree”, you acknowledge that you have read and agree to these User Terms. Your acceptance will be recorded (timestamp, IP address, user agent, version) for audit purposes.