MyReportVault Terms of Service

Effective date: 24 May 2026
Last updated: 24 May 2026

These Terms of Service ("Terms") govern access to and use of MyReportVault, an international, business-focused secure document-sharing software-as-a-service platform operated by Ian Paul Stapelberg t/a MyReportVault ("MyReportVault", "we", "us", or "our").

By creating an account, starting a trial, subscribing, uploading files, configuring a portal, using an API, accessing a customer portal, opening a secure link, viewing or downloading documents, or otherwise using the Service, you agree to these Terms. If you use the Service for a business, agency, company, client, employer, partnership, trust, body corporate, organisation, or other entity, you represent that you are authorised to bind that entity, and references to "you" include that entity.

If you do not agree to these Terms, do not use the Service.

1. Operator identity and contact details

The Service is operated by:

Ian Paul Stapelberg t/a MyReportVault
Cedarwood House
Ballywood Office Park
33 Ballyclare Dr
Bryanston
Johannesburg
2191
South Africa

Website: https://myreportvault.com
Application: https://app.myreportvault.com
Legal and support email: [email protected]

MyReportVault is operated by Ian Paul Stapelberg as a sole proprietor under the trading name "MyReportVault". It is not operated through a separate incorporated company unless we notify you otherwise in updated legal terms. The South African address above identifies the business operator and legal contact location; it is not a configured production hosting or storage location for the Service.

2. Agreement structure

These Terms include all schedules and policies incorporated by reference, including the Data Processing Terms in Schedule 1 and the MyReportVault Privacy Policy available at https://myreportvault.com/privacy.

If you purchase or activate a plan through a checkout page, order page, pricing page, billing portal, written order confirmation, or other order process, the plan-specific terms shown there also apply. If there is a conflict, the following order of priority applies unless expressly stated otherwise:

a signed written agreement between you and MyReportVault;
the Data Processing Terms, but only for personal data processing matters;
the applicable order, checkout, pricing, or subscription terms;
these Terms;
other policies or documentation referenced by these Terms.

3. Definitions

In these Terms:

"Access Controls" means security, permission, and access features of the Service, including account roles, workspace membership, client and group permissions, PIN requirements, password-protected file handling, expiry settings, pre-signed links, multi-factor authentication settings, API keys, and similar controls.
"Agency" or "Customer" means a business, agency, organisation, sole proprietor, professional, or other person or entity that creates, owns, controls, pays for, or administers a MyReportVault workspace, portal, account, trial, or subscription.
"Authorised User" means an owner, administrator, employee, contractor, representative, or other user authorised by a Customer to access or use the Service.
"Customer Content" means files, reports, documents, records, client data, personal data, portal configuration, branding, metadata, access settings, recipient details, and other content uploaded, submitted, configured, transmitted, stored, shared, or processed by or for a Customer through the Service.
"Invited Viewer" means a client, client contact, recipient, viewer, internal staff member, contractor, representative, or other person invited or authorised to access Customer Content through a portal, link, account, email notification, or other access method.
"Order" means the applicable checkout, subscription, pricing, order confirmation, plan selection, billing portal, or written purchase arrangement for the Service.
"Portal" means a branded, white-labelled, customer-configured, or otherwise controlled document access area made available through the Service.
"Service" means the MyReportVault website, web application, portals, APIs, hosting, storage, notification, access-control, logging, support, billing, and related functionality.
"Subscription" means a paid plan, trial plan, free plan, custom plan, or other commercial plan for use of the Service.
"Subprocessor" means a third-party provider used by MyReportVault to process Customer Content or personal data on behalf of Customers.
"Uploaded Files" means documents, spreadsheets, reports, PDFs, CSV files, text files, Word documents, Excel files, and other supported document or spreadsheet files uploaded to or processed through the Service. Uploaded Files do not include ZIP archives or general image files unless MyReportVault expressly enables those formats in the Service.

4. Who may use the Service

The Service is designed primarily for business, agency, and professional use. It is not intended for children, personal consumer file-sharing, unlawful file sharing, or public file-hosting.

You may use the Service only if you can lawfully enter into these Terms and are not prohibited from using the Service under applicable law, sanctions rules, export-control rules, payment-provider rules, or infrastructure-provider rules.

If you are an Invited Viewer, you may use the Service only to access documents, portals, links, and information that you have been authorised to access by the relevant Customer.

5. Description of the Service

MyReportVault helps Customers internationally distribute business documents, client reports, financial records, operational records, and related files through controlled portals, direct uploads, and API integrations. The Service is configured as an international SaaS product, with the primary production infrastructure described in Section 20 and Schedule 1.

Depending on the applicable plan and configuration, the Service may include:

branded or white-labelled client portals;
customer workspaces and agency subdomains;
upload, open, preview, download, replacement, and version-history workflows;
client, viewer, and group management;
role-based workspace and portal access;
PIN requirements and password-protected file handling for supported file types;
file expiry dates and deletion workflows;
access logs and audit exports;
email notifications, batched notifications, scheduled digests, and operational messages;
API keys and direct upload endpoints;
usage, storage, notification, API, client, and administrator limits;
trial, subscription, checkout, overage, and billing management.

The Service currently supports ordinary document, spreadsheet, CSV, text, PDF, Word, and Excel-style file workflows made available in the application or API documentation. ZIP archives, general image files, disguised files, and unsupported file formats must not be uploaded unless MyReportVault expressly enables them in the Service.

The features available to you depend on your plan, configuration, product stage, region, provider availability, and any limits shown in the Service, on the pricing page, at checkout, in the billing portal, or in an Order.

6. Customer administration and account security

Customers and Authorised Users are responsible for maintaining the confidentiality and security of account credentials, passwords, magic links, invite links, multi-factor authentication factors, API keys, portal access details, PINs, and other access mechanisms.

You must:

provide accurate account, organisation, billing, and contact information;
keep credentials, API keys, access links, and PINs secure;
use strong passwords and multi-factor authentication where available or required;
ensure that only authorised persons have access to the relevant workspace, portal, documents, and API credentials;
promptly remove Authorised Users and Invited Viewers who should no longer have access;
configure Access Controls appropriately for the sensitivity of Customer Content;
monitor account activity and access logs where appropriate;
promptly notify us at [email protected] if you suspect unauthorised access, credential compromise, API key exposure, data exposure, or misuse.

You are responsible for activity under your account, workspace, API keys, and access credentials, except to the extent caused by MyReportVault’s breach of these Terms.

7. Customer responsibilities

Customers are responsible for Customer Content and for how the Service is configured and used under their account. This includes responsibility for:

having all rights, permissions, authorisations, notices, consents, contracts, lawful bases, and instructions required to upload, store, process, access, and share Customer Content;
ensuring that uploaded documents and recipient details are accurate, lawful, appropriate, and up to date;
selecting the correct recipients, clients, groups, portals, links, expiry periods, and permissions;
configuring PINs, passwords, file expiry dates, notifications, groups, API access, optional client-delete permissions, and Access Controls appropriately;
ensuring that Invited Viewers are authorised to access the relevant files;
providing privacy notices and required disclosures to clients, contacts, employees, contractors, and other individuals whose data is processed through the Service;
complying with applicable privacy, data protection, financial services, professional secrecy, confidentiality, employment, consumer, export, sanctions, tax, recordkeeping, and sector-specific laws;
ensuring that Customer Content is not unlawful, infringing, malicious, misleading, disguised, harmful, unsupported, or prohibited;
maintaining appropriate backups, exports, and business-continuity procedures for Customer Content where required;
protecting API keys and third-party integration credentials;
ensuring that use of the Service does not breach any duty owed to a client, employer, regulator, court, contractual counterparty, professional body, or other third party.

MyReportVault does not independently verify the legality, accuracy, sensitivity, authorisation status, or suitability of Customer Content.

8. Invited Viewer responsibilities

Invited Viewers must:

access only documents, portals, links, and accounts they are authorised to access;
keep access links, login links, passwords, PINs, and credentials confidential;
not share secure links, portal access, or document access with unauthorised persons;
not attempt to bypass Access Controls;
not scrape, copy, redistribute, tamper with, reverse engineer, or misuse Customer Content except as authorised by the relevant Customer;
comply with applicable laws and these Terms.

If you believe you received access in error, contact the Customer who invited you or contact MyReportVault at [email protected].

Where a Customer enables optional client-delete access for a client or Invited Viewer, that person may be able to delete files they are authorised to access. Customers are responsible for deciding whether to enable this setting and for the consequences of file deletion by authorised clients or Invited Viewers.

9. Customer Content and ownership

Customers retain ownership and control of Customer Content. MyReportVault does not claim ownership of Uploaded Files or Customer Content.

You grant MyReportVault a limited, non-exclusive, worldwide, royalty-free licence to host, store, process, transmit, display, preview, secure, log, copy, back up, restore, delete, and otherwise handle Customer Content only as needed to:

provide, maintain, secure, monitor, troubleshoot, support, and improve the Service;
enforce Access Controls and Customer instructions;
process uploads, downloads, previews, replacements, expiries, notifications, and audit logs;
comply with law and lawful requests;
enforce these Terms;
prevent abuse, fraud, security incidents, and misuse;
exercise and defend legal rights.

MyReportVault will not sell Customer Content. MyReportVault will not use Customer Content for advertising or to train public or general-purpose artificial intelligence models.

Customers are solely responsible for Customer Content and for the consequences of uploading, sharing, granting access to, retaining, deleting, or failing to delete it.

10. Privacy and data protection

Use of the Service is subject to the MyReportVault Privacy Policy at https://myreportvault.com/privacy.

For personal data that MyReportVault processes for its own account, billing, support, security, website, legal, and business administration purposes, MyReportVault acts as a controller or responsible party.

For Customer Content and customer-controlled client/viewer data, MyReportVault normally acts as a processor, operator, or service provider, and the Customer normally acts as the controller or responsible party. The Customer is responsible for lawful basis, notices, consents, instructions, access decisions, file-expiry/deletion decisions, retention decisions, and data protection compliance for that data.

The Data Processing Terms in Schedule 1 apply automatically where MyReportVault processes personal data on behalf of a Customer as processor, operator, or service provider. A separate or signed data processing agreement may be provided on request where reasonably required for the Customer’s use of the Service.

11. Sensitive, confidential, and regulated data

The Service may be used to share sensitive business documents, financial records, operational records, client reports, and confidential information. You must not upload or share any data unless you have the legal right and appropriate basis to do so.

If Customer Content includes special category data, criminal offence data, children’s data, health data, financial account data, tax data, employment data, regulated professional records, privileged material, confidential records, or other high-risk data, the Customer remains responsible for:

confirming that use of the Service is lawful and appropriate for that data;
completing any required risk assessment, data protection impact assessment, transfer impact assessment, or vendor assessment;
selecting suitable Access Controls;
providing required notices and obtaining required consents, authorisations, or approvals;
ensuring that recipients are authorised;
complying with all sector-specific laws, professional duties, regulator requirements, and contractual obligations.

Unless expressly agreed in a signed written agreement, the Service is not designed for use as a system of record for raw payment card data requiring PCI DSS compliance, emergency services, life-critical operations, medical treatment decisions, regulated payment processing, consumer credit decisioning, public file hosting, or other use where failure of the Service could reasonably be expected to cause death, personal injury, severe financial loss, or unlawful denial of essential rights.

12. Security features and limitations

MyReportVault may provide security-related features such as HTTPS/TLS encrypted transport, authenticated workspaces and portals, role-based access, client and group permissions, PIN-protected access for selected files, password-protected file handling for supported file types, protected-file encryption workflows where configured, file expiry, pre-signed upload/open/preview/download links, access logging, audit exports, multi-factor authentication settings, API keys, anti-abuse checks, and provider-level infrastructure security.

These features reduce risk but do not eliminate it. No service can guarantee that data will never be accessed, disclosed, altered, lost, delayed, corrupted, interrupted, or misused.

Customers are responsible for configuring security features appropriately, reviewing permissions, using available file-expiry and deletion workflows appropriately, protecting credentials, protecting API keys, and training their own personnel. MyReportVault does not guarantee that use of the Service by itself makes a Customer compliant with GDPR, UK GDPR, POPIA, financial regulations, professional rules, industry standards, contractual duties, or any other law.

13. API access and direct uploads

Where API access is available, Customers are responsible for:

creating, naming, protecting, monitoring, rotating, and revoking API keys appropriately;
ensuring that API integrations are authorised, secure, documented, and lawful;
complying with rate limits, usage limits, plan limits, documentation, and technical requirements;
preventing API keys from being exposed in client-side code, public repositories, logs, screenshots, support tickets, browser storage, or other insecure locations;
promptly revoking compromised or unnecessary API keys.

MyReportVault may rate-limit, suspend, revoke, or restrict API keys or integrations where needed for security, reliability, legal compliance, abuse prevention, non-payment, plan-limit enforcement, or Terms enforcement.

14. Acceptable use

You must not use the Service to:

violate any law, regulation, court order, contractual duty, privacy right, confidentiality duty, intellectual property right, professional duty, sanctions rule, export-control rule, or payment/infrastructure provider rule;
upload, store, transmit, or share illegal content, prohibited content, contraband, child sexual abuse material, non-consensual intimate material, content that unlawfully exploits or endangers minors, or content that is unlawful to possess, process, transmit, or make available in any relevant jurisdiction;
upload unsupported file formats, including ZIP archives and general image files, or attempt to bypass file-type restrictions by renaming files, changing extensions, altering MIME types, embedding unsupported or prohibited payloads in supported files, or otherwise disguising the nature, format, source, contents, purpose, or risk of any file;
upload or distribute malware, ransomware, spyware, viruses, worms, backdoors, credential stealers, destructive code, or harmful code;
conduct phishing, spoofing, credential theft, impersonation, social engineering, spam, fraud, or misleading activity;
conceal, misrepresent, or falsify the nature of Customer Content, recipient authorisation, file contents, file type, sender identity, source system, or intended use;
bypass, probe, disable, overload, or interfere with authentication, security, rate limits, usage limits, provider systems, or Service integrity;
attempt to access accounts, portals, files, buckets, APIs, systems, or data without authorisation;
use the Service for public file hosting, mass distribution, spam distribution, malware hosting, or content delivery unrelated to legitimate customer report/document workflows;
upload content that infringes intellectual property, privacy, publicity, confidentiality, trade-secret, or contractual rights;
upload or share content that is defamatory, harassing, abusive, threatening, exploitative, or discriminatory where unlawful or harmful;
process sensitive, regulated, or high-risk data without required notices, lawful basis, authorisations, safeguards, and assessments;
send notifications to recipients who are not authorised or where the Customer lacks a lawful basis to contact them;
resell, rent, timeshare, white-label, or commercially exploit the Service outside your authorised customer use unless expressly agreed in writing;
reverse engineer, scrape, crawl, copy, benchmark for competitive purposes, or create derivative works from the Service except as permitted by law;
remove, obscure, or alter proprietary notices;
misrepresent affiliation with MyReportVault or another person;
use the Service in a way that could damage the Service, other customers, recipients, providers, or MyReportVault.

MyReportVault may investigate suspected violations and may suspend, restrict, remove, delete, or report content or accounts where reasonably necessary to protect the Service, Customers, Invited Viewers, providers, or legal rights.

15. Plans, trials, limits, and overages

Plans, features, limits, trial periods, pricing, storage allowances, notification allowances, API limits, client limits, administrator limits, and overage rates may be shown in the Service, on the pricing page, at checkout, in the billing portal, or in an Order.

You must comply with applicable plan limits. MyReportVault may enforce limits automatically, including by preventing uploads, delaying notifications, restricting API calls, suspending over-limit functionality, charging applicable overages, or requiring an upgrade.

Trial plans are temporary. Unless otherwise stated, trial access may be limited, may not include all features, and may expire automatically. Customer Content in a trial-expired workspace may be deleted after the applicable grace period described in the Service, Privacy Policy, or Order.

MyReportVault may modify plan names, features, limits, pricing, and overage rates prospectively. Material changes to paid plans will be handled as described in these Terms, the Order, or applicable law.

16. Billing, payment, taxes, and merchant of record

Paid Subscriptions, overages, renewals, and related charges may be processed by Lemon Squeezy or another payment provider. The payment provider may act as merchant of record, payment processor, tax processor, or independent controller for payment-related data.

You authorise MyReportVault and its payment providers to charge the applicable payment method for fees, renewals, overages, taxes, and other charges associated with your plan.

Fees are exclusive of taxes unless stated otherwise. You are responsible for applicable taxes, duties, levies, withholding, and similar charges, except for taxes based on MyReportVault’s income.

If payment fails, is reversed, is disputed, or becomes overdue, MyReportVault may suspend, restrict, downgrade, or terminate access to the Service, subject to applicable law and any mandatory notice requirements. For an unpaid Subscription, MyReportVault may restrict normal account functionality while allowing limited access solely to download or delete Customer Content where technically available and where continued limited access does not create a legal, security, abuse, payment, or infrastructure risk.

17. Renewals, cancellations, refunds, and chargebacks

Subscriptions may renew automatically unless cancelled before the renewal date through the available billing portal or other method specified by MyReportVault or the payment provider.

Cancellation stops future renewals but does not automatically entitle you to a refund for the current billing period unless required by law, stated in the applicable Order, or expressly approved by MyReportVault or the payment provider.

Refund requests are handled according to the applicable checkout terms, payment-provider terms, and mandatory law. Chargebacks or payment disputes may result in suspension or termination of the affected account, workspace, or subscription.

Customers should export needed Customer Content before cancelling or allowing a Subscription or trial to expire.

18. Notifications and email delivery

The Service may send account emails, login emails, invite emails, magic links, document notices, batched notifications, scheduled digests, billing notices, support messages, legal notices, and security notices.

Email delivery is not guaranteed. Messages may be delayed, blocked, filtered, quarantined, rejected, misdirected because of Customer-provided recipient information, or affected by provider limits and recipient mail systems.

Customers are responsible for recipient accuracy, lawful basis for notifications, unsubscribe/suppression configuration where applicable, and avoiding notification misuse.

19. Optional external viewers and Microsoft Office Online Viewer

The Service may include optional previewing or external viewing features for supported file types. Some file types may be previewed directly in the browser, downloaded, opened through a pre-signed link, or opened through an external viewer.

Where a Customer enables external Office/spreadsheet viewing, or where a user chooses an external viewer, supported unprotected files may be opened through Microsoft Office Online Viewer or similar Microsoft services. This may disclose a pre-signed file URL and the file contents to Microsoft for rendering, and Microsoft’s own terms, privacy notices, security measures, availability, and processing locations may apply.

Customers must not enable external viewing for files that must not be processed by Microsoft or other external viewers. Password-protected or protected-file workflows may disable or limit external viewer support for some file types.

MyReportVault is not responsible for Microsoft Office Online Viewer or any other third-party viewer except to the extent required by law or expressly stated in a signed written agreement.

20. Third-party services and configured regions

The Service depends on third-party providers, which may include Supabase, Vercel, Cloudflare, Cloudflare R2, Cloudflare Turnstile, Resend, Lemon Squeezy, Microsoft Office Online Viewer, and other hosting, storage, email, payment, security, support, monitoring, analytics, or infrastructure providers.

As of 24 May 2026, the primary configured production regions or locations are listed below. South Africa is the operator’s place of business and legal contact location; it is not a configured production hosting, database, object-storage, or email-dispatch region for the Service.

Provider	Purpose	Configured region / location	Important notes
Supabase	Database, authentication, backend services, account/session infrastructure, and related platform services	West EU, Ireland, `eu-west-1`	Provider account, support, security, telemetry, and control-plane processing may occur outside that region according to Supabase’s terms and infrastructure.
Vercel	Application hosting, deployment, serverless/application infrastructure, and related platform services	Dublin, Ireland, `dub1` / `eu-west-1`	Builds, logs, edge/network routing, platform analytics, support, and control-plane processing may occur outside that region according to Vercel’s terms and infrastructure.
Cloudflare	DNS, network, security, content delivery, anti-abuse, and related infrastructure services	Global network	Requests may be routed through Cloudflare’s globally distributed network.
Cloudflare R2	Object storage and related file storage infrastructure	Western Europe, `WEUR`	R2 bucket placement is configured with a Western Europe location hint/placement. Provider metadata, control-plane, support, and security processing may occur outside that location according to Cloudflare’s terms and infrastructure.
Resend	Transactional email delivery and related email infrastructure	Email dispatch from Ireland, `eu-west-1`	Region selection controls email dispatch/routing. Resend account data, email metadata, logs, and API records may be stored in the United States or other provider-controlled locations.
Lemon Squeezy	Checkout, billing, merchant-of-record functions, subscriptions, invoices, taxes, payment status, customer billing portal, refunds, chargebacks, and related payment administration	Provider-controlled	Payment data is processed under Lemon Squeezy’s own terms and privacy notice.
Microsoft Office Online Viewer / Microsoft 365 viewer services	Optional external rendering of supported unprotected Office/spreadsheet files when enabled by a Customer	Provider-controlled	A pre-signed file URL and file contents may be provided to Microsoft for rendering.

Third-party services may be subject to their own terms, privacy notices, security measures, availability, geographic processing, transfer mechanisms, and limitations. MyReportVault is not responsible for third-party services except to the extent required by law or expressly stated in a signed written agreement.

Configured regions are not an absolute guarantee that all related metadata, logs, support data, billing data, control-plane data, network traffic, or provider-side records remain in that region. In particular, transactional-email metadata/logs and billing or provider-control data may be processed outside the EU/Western Europe as described in the table above.

21. Intellectual property

MyReportVault and its licensors own the Service, software, code, design, workflows, user interface, documentation, branding, logos, trade names, domain names, and related intellectual property, except for Customer Content and third-party materials.

These Terms do not transfer ownership of MyReportVault intellectual property to any Customer, Authorised User, or Invited Viewer.

Subject to these Terms and the applicable plan, MyReportVault grants you a limited, non-exclusive, non-transferable, revocable right to access and use the Service for your internal business purposes or as otherwise allowed by the Service functionality.

You must not copy, modify, reverse engineer, decompile, disassemble, scrape, resell, sublicense, or create derivative works from the Service except as permitted by law or expressly authorised in writing.

If you provide feedback, suggestions, ideas, or improvement requests, MyReportVault may use them without restriction or obligation to compensate you, provided we do not misuse your confidential information or Customer Content.

22. Confidentiality

Each party may receive non-public information from the other party. The receiving party must use reasonable care to protect confidential information and may use it only for purposes related to the Service, these Terms, support, security, billing, legal compliance, or the parties’ business relationship.

Confidential information does not include information that is public through no fault of the receiving party, already known without restriction, independently developed without use of the disclosing party’s confidential information, lawfully received from another source, or required to be disclosed by law.

MyReportVault will treat Customer Content as confidential except as needed to provide, secure, support, troubleshoot, bill for, enforce, or comply with legal obligations relating to the Service.

23. Suspension and termination

MyReportVault may suspend, restrict, or terminate access immediately or with notice where we reasonably believe that:

fees are unpaid or a payment fails;
a trial, free plan, or subscription has expired;
a user breached these Terms;
Customer Content or use of the Service is unlawful, harmful, or prohibited;
access creates a security, privacy, abuse, fraud, legal, payment, or infrastructure risk;
API keys, credentials, links, or accounts are compromised;
a Customer exceeds plan limits or abuses the Service;
a payment, hosting, security, email, storage, or infrastructure provider requires restriction;
suspension or termination is required by law, court order, regulator, payment provider, or infrastructure provider.

Customers may terminate by cancelling their Subscription and ceasing use of the Service.

Where access is suspended or restricted because fees are unpaid, a payment fails, or a Subscription becomes overdue, MyReportVault may allow limited access only to download or delete files. Other functionality, including uploads, sharing, previews, API use, notifications, workspace administration, and normal portal access, may remain unavailable unless and until the Subscription is restored or another arrangement is approved by MyReportVault.

24. Effect of termination and data export

When a Subscription, trial, workspace, or account ends:

access to the Service may stop or become read-only;
Customer Content may become unavailable;
Customers should export or download needed content before termination where the Service allows;
Customer deletion instructions, file expiry dates, backup cycles, provider limitations, and legal-hold limitations may apply;
MyReportVault may retain account, billing, security, audit, support, legal, and compliance records as described in the Privacy Policy;
Customer Content may remain in backups, security logs, audit logs, deletion queues, email logs, or provider systems for a limited period before deletion in the ordinary course;
soft-deleted files are kept for 30 days before they are permanently purged from active storage, subject to operational, backup, provider, legal, and security limitations;
trial-expired workspace files may be permanently purged after the applicable grace period, with the current operational purge window being approximately 14 days after trial expiry, subject to operational, backup, provider, legal, and security limitations;
MyReportVault may permanently delete Customer Content after account closure, subscription expiry, trial expiry, non-payment, or Customer deletion instructions, subject to legal, security, backup, and operational limitations;
when an account or workspace deletion process is initiated, the Customer may submit a request for an export or copy of all available Customer Content and account data where reasonably available and not restricted by law, security requirements, other users’ rights, or provider limitations;
Customer-facing audit logs may be accessed through the Service where available and are retained for 2 years, subject to legal, security, backup, and operational limitations;
outstanding fees, confidentiality obligations, data protection obligations, disclaimers, liability limits, indemnities, and provisions intended to survive will survive termination.

MyReportVault is not responsible for Customer Content that is lost because the Customer failed to export it before termination, cancellation, expiry, deletion, or suspension, except to the extent caused by MyReportVault’s breach of these Terms.

25. Disclaimers

To the maximum extent permitted by law, the Service is provided on an "as is" and "as available" basis.

MyReportVault does not guarantee that:

the Service will be uninterrupted, error-free, secure, or available at all times;
every file type will support password protection, previewing, scanning, encryption, metadata extraction, or access controls;
every upload, download, open event, preview, notification, email, API call, webhook, or integration will succeed;
Access Controls will prevent all unauthorised access if configured incorrectly or if credentials, devices, email accounts, links, PINs, or API keys are compromised;
use of the Service will by itself make a Customer compliant with GDPR, UK GDPR, POPIA, financial regulations, professional rules, industry standards, contractual duties, or any other law;
Customer Content is lawful, accurate, complete, authorised, non-infringing, or appropriate;
the Service is suitable for every category of sensitive, regulated, high-risk, confidential, or mission-critical data;
any configured provider region will prevent all provider metadata, logs, support data, billing data, control-plane data, email metadata, or network traffic from being processed outside that region.

Customers should obtain their own legal, compliance, security, and professional advice before using the Service for regulated, high-risk, or legally sensitive data.

26. Limitation of liability

To the maximum extent permitted by law, MyReportVault will not be liable for indirect, incidental, special, consequential, exemplary, or punitive damages, or for loss of profits, revenue, goodwill, business opportunity, data, use, contracts, savings, or reputation, whether based on contract, delict/tort, statute, negligence, strict liability, or any other legal theory.

To the maximum extent permitted by law, MyReportVault’s total aggregate liability arising out of or relating to the Service or these Terms will not exceed the greater of:

the amounts paid by the Customer to MyReportVault for the Service in the three months before the event giving rise to the claim; or
USD 100.

The limitations in this section apply even if a remedy fails its essential purpose. They do not limit liability that cannot lawfully be limited, including liability for fraud, wilful misconduct, or any other liability that applicable law does not allow to be excluded or limited.

27. Indemnity

To the maximum extent permitted by law, Customers will defend, indemnify, and hold harmless MyReportVault from and against claims, damages, losses, liabilities, penalties, costs, and expenses, including reasonable legal fees, arising out of or related to:

Customer Content;
the Customer’s configuration or use of the Service;
unauthorised or unlawful recipient selection, notifications, access grants, or API integrations;
breach of these Terms;
breach of applicable law;
breach of privacy, confidentiality, intellectual property, professional, employment, financial, tax, recordkeeping, or sector-specific obligations;
a dispute between a Customer and an Invited Viewer, client, employee, contractor, supplier, regulator, professional body, or third party.

MyReportVault will give reasonable notice of an indemnified claim and allow the Customer to control the defence where legally and practically appropriate, provided the Customer does not settle in a way that imposes obligations on MyReportVault without our written consent.

28. Mandatory rights

Nothing in these Terms excludes, restricts, or modifies any consumer, privacy, data protection, or other statutory right that cannot lawfully be excluded, restricted, or modified.

If any mandatory law applies despite the Service being designed for business and professional use, these Terms apply only to the maximum extent permitted by that law.

29. Changes to the Service and Terms

MyReportVault may modify, suspend, discontinue, replace, or limit features from time to time for security, reliability, legal, provider, business, product, or operational reasons.

MyReportVault may update these Terms from time to time. The updated version will be posted on the website or in the Service with a revised effective or last updated date. Where changes materially affect Customers, we will take reasonable steps to notify affected Customers, such as through the Service, by email, or by other appropriate means.

Continued use of the Service after updated Terms take effect means that the updated Terms apply from their effective date. If you do not agree to updated Terms, you must stop using the Service and cancel your Subscription where applicable.

30. Notices

MyReportVault may send notices by email, through the Service, through the billing portal, or by posting on the website. Notices to MyReportVault must be sent to [email protected] unless these Terms specify another method.

Customers are responsible for keeping account, billing, legal, and security contact details accurate and up to date.

31. Export controls, sanctions, and restricted parties

You must not use the Service in violation of applicable export-control, sanctions, anti-corruption, anti-money-laundering, counter-terrorist-financing, or restricted-party rules.

You represent that you are not located in, organised under the laws of, ordinarily resident in, or acting for a person or entity subject to sanctions or restrictions that prohibit use of the Service.

MyReportVault may restrict or terminate access where required by sanctions, export-control, payment-provider, infrastructure-provider, or legal requirements.

32. Governing law and South African courts

These Terms are governed by the laws of South Africa, without regard to conflict-of-law rules, except to the extent mandatory law provides otherwise.

Subject to any mandatory rights or procedures that cannot lawfully be waived, the South African courts with jurisdiction over Johannesburg, Gauteng, South Africa will have jurisdiction over disputes arising out of or relating to these Terms or the Service.

Before bringing formal proceedings, the parties should first try to resolve disputes in good faith by contacting [email protected], unless urgent relief is required.

33. General terms

You may not assign or transfer your rights or obligations under these Terms without MyReportVault’s prior written consent, except as part of a bona fide merger, acquisition, restructuring, or sale of substantially all relevant assets, provided the assignee agrees to these Terms and is not a competitor, restricted party, or unacceptable risk.

MyReportVault may assign or transfer these Terms as part of a merger, acquisition, restructuring, sale of assets, change of business form, or by operation of law.

If any provision of these Terms is invalid or unenforceable, the remaining provisions remain in effect, and the invalid or unenforceable provision will be interpreted to achieve its purpose as closely as legally possible.

Failure to enforce a provision is not a waiver. Headings are for convenience only. The words "including" and "includes" mean "including without limitation". These Terms do not create a partnership, joint venture, employment, franchise, or agency relationship between the parties.

34. Contact

Questions about these Terms may be sent to:

Ian Paul Stapelberg t/a MyReportVault
Cedarwood House
Ballywood Office Park
33 Ballyclare Dr
Bryanston
Johannesburg
2191
South Africa

Email: [email protected]
Website: https://myreportvault.com

Schedule 1: Data Processing Terms

These Data Processing Terms form part of the Terms where MyReportVault processes personal data on behalf of a Customer as processor, operator, or service provider. A separate or signed data processing agreement may be provided on request where reasonably required for the Customer’s use of the Service.

1. Roles

For Customer Content and customer-controlled client, viewer, recipient, employee, contractor, supplier, group, or third-party personal data, the Customer is normally the controller, responsible party, or business, and MyReportVault is normally the processor, operator, or service provider.

For MyReportVault account, billing, website, security, support, fraud-prevention, business administration, and legal compliance data, MyReportVault acts as controller or responsible party and processes that data under the Privacy Policy.

2. Customer instructions

MyReportVault will process processor personal data only:

to provide, maintain, secure, support, troubleshoot, monitor, and improve the Service;
in accordance with the Customer’s configuration, Access Controls, and documented instructions;
as required by these Terms, an Order, or the Privacy Policy;
as required by applicable law or a lawful authority;
as needed to protect the Service, Customers, Invited Viewers, MyReportVault, and providers from abuse, fraud, security threats, or unlawful activity.

The Customer’s documented instructions include these Terms, the applicable Order, the Customer’s configuration of the Service, and written instructions submitted through agreed support or account channels.

MyReportVault will notify the Customer if it believes an instruction infringes applicable data protection law, unless prohibited by law.

3. Processing details

The subject matter, nature, purpose, duration, categories of data subjects, and categories of personal data are set out in Appendix 1 to this Schedule.

4. Confidentiality

MyReportVault will ensure that persons authorised to process processor personal data are bound by confidentiality obligations or are subject to an appropriate statutory duty of confidentiality.

5. Security

MyReportVault will implement and maintain appropriate technical and organisational measures designed to protect processor personal data against unauthorised or unlawful processing and accidental loss, destruction, damage, alteration, or disclosure, taking into account the nature of the data, risks, implementation costs, and state of the art.

The measures may include the controls listed in Appendix 3, as applicable to the Service and plan.

The Customer is responsible for security measures under its control, including recipient selection, user permissions, API key handling, device security, email account security, endpoint security, identity management, staff training, access review, file expiry dates, deletion/export decisions, and optional client-delete permissions.

6. Subprocessors

The Customer gives MyReportVault general written authorisation to use Subprocessors to provide the Service. The Subprocessors known as of the effective date are listed in Appendix 2.

MyReportVault will require Subprocessors to protect processor personal data under written terms that are materially no less protective than these Data Processing Terms, to the extent applicable to the services provided by the Subprocessor.

MyReportVault may add, replace, or remove Subprocessors where reasonably necessary to provide, secure, support, or improve the Service. Where required by applicable law, MyReportVault will provide notice of material new Subprocessors and give Customers an opportunity to object on reasonable data protection grounds. If a Customer reasonably objects and MyReportVault cannot provide a commercially reasonable alternative, either party may terminate the affected Service to the extent required by applicable data protection law.

7. International transfers

The Customer authorises MyReportVault and its Subprocessors to process processor personal data in the countries and locations required to provide, secure, support, and maintain the Service, subject to applicable data protection law and the provider-region details in Appendix 2.

The Customer acknowledges that the Service is configured to use EU/Western Europe infrastructure for the primary production database/application/object-storage stack as described in Appendix 2, and that South Africa is not a configured production hosting or storage region for Customer Content. The Customer also acknowledges that provider metadata, support data, billing data, email metadata, logs, control-plane data, network traffic, and optional external viewer processing may occur outside the EU/Western Europe, including in the United States or other provider-controlled locations.

Where EU GDPR, UK GDPR, or another restricted-transfer regime applies, and a transfer of processor personal data requires a transfer safeguard, the parties will use appropriate safeguards to the extent required by law. These may include the European Commission Standard Contractual Clauses, the UK International Data Transfer Agreement, the UK Addendum to the European Commission Standard Contractual Clauses, adequacy decisions, or other lawful transfer mechanisms.

Where the European Commission Standard Contractual Clauses are required, the parties agree that the relevant module applies according to their roles, the details in Appendix 1 form the relevant annex information, and the technical and organisational measures in Appendix 3 apply. The Standard Contractual Clauses prevail over conflicting terms only to the extent of the conflict and only for the relevant restricted transfer.

8. Assistance

Taking into account the nature of processing and information available to MyReportVault, MyReportVault will provide reasonable assistance to the Customer, at the Customer’s cost where permitted by law, with:

responding to data subject requests;
security of processing;
personal data breach notifications;
data protection impact assessments;
prior consultation with supervisory authorities;
demonstrating compliance with processor obligations.

MyReportVault may decline or limit assistance that is excessive, technically impractical, legally prohibited, security-sensitive, or outside the Service’s normal functionality unless the parties agree to reasonable terms and fees.

9. Data subject requests

If MyReportVault receives a request from an individual relating to processor personal data, MyReportVault may refer the individual to the relevant Customer, respond where authorised by the Customer, or assist the Customer in responding where required by law.

The Customer is responsible for verifying the requester, determining whether the request is valid, and responding to requests relating to Customer-controlled data, except where MyReportVault is the controller or responsible party for the relevant data.

10. Personal data breaches

MyReportVault will notify the Customer without undue delay after becoming aware of a personal data breach affecting processor personal data. Where POPIA applies to MyReportVault as an operator, MyReportVault will notify the responsible party immediately where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person, as required by POPIA.

Where reasonably practicable, the notice will include information available to MyReportVault about the nature of the breach, affected data, likely consequences, mitigation steps, and contact point.

The Customer is responsible for determining whether notice to regulators, data subjects, clients, insurers, professional bodies, contractual counterparties, or other parties is required for Customer-controlled data.

11. Deletion and return

During the Subscription, the Customer may access, export, download, delete, and set available file expiry dates for Customer Content using available Service functionality.

After termination or expiry, MyReportVault may delete or make unavailable processor personal data in accordance with these Terms, the Privacy Policy, backup cycles, deletion queues, provider limitations, legal obligations, and security requirements. MyReportVault may retain copies where required or permitted by law, necessary for legal claims, necessary for security, or stored in backups until overwritten or deleted in the ordinary course.

Soft-deleted files are kept for 30 days before they are permanently purged from active storage. When an account or workspace deletion process is initiated, the Customer may submit a request for an export or copy of all available Customer Content and account data where reasonably available and not restricted by law, security requirements, other users’ rights, or provider limitations. Trial-expired workspace files may be permanently purged after the applicable grace period, with the current operational purge window being approximately 14 days after trial expiry. Customer-facing audit logs may be accessed through the Service where available and are retained for 2 years, subject to legal, security, backup, provider, and operational limitations.

12. Audits and information

MyReportVault will make available information reasonably necessary to demonstrate compliance with these Data Processing Terms, subject to confidentiality, security, legal, and provider restrictions.

Any audit must be reasonable, proportionate, limited to processor personal data, avoid disruption, protect other customers and provider systems, and be conducted no more than once in any 12-month period unless required by law or following a confirmed material breach. MyReportVault may satisfy audit requests through security documentation, questionnaires, certifications, reports, written responses, or equivalent materials.

13. POPIA operator terms

Because MyReportVault is operated by a South Africa-based business, POPIA may apply to MyReportVault or to specific processing activities even though South Africa is not a configured production hosting or storage region for Customer Content. Where POPIA applies and MyReportVault acts as an operator for the Customer as responsible party:

MyReportVault will process personal information only with the Customer’s knowledge or authorisation, except where required by law;
MyReportVault will treat personal information as confidential and will not disclose it unless required by law or in the proper performance of its duties;
MyReportVault will establish and maintain appropriate security measures as contemplated by POPIA, taking into account the nature of the processing and risks;
MyReportVault will notify the Customer immediately where there are reasonable grounds to believe that personal information has been accessed or acquired by an unauthorised person.

The Customer remains responsible for responsible-party obligations under POPIA, including openness, lawful basis, data subject notices, data subject requests, regulator notifications, and data subject notifications.

14. Service-provider restrictions

Where US state privacy laws or similar laws apply and MyReportVault acts as a service provider, contractor, or processor, MyReportVault will not sell or share processor personal data, retain/use/disclose it outside the business purposes of providing the Service, or combine it with personal data from other sources except as permitted by applicable law and these Terms.

15. Order of precedence

If there is a conflict between this Schedule and the main Terms, this Schedule controls only for processor, operator, service-provider, and data-protection processing matters.

Appendix 1: Processing details

Item	Details
Subject matter	Provision of secure document-sharing, portal, access-control, notification, upload, API, storage, audit, and related SaaS services.
Duration	For the term of the Customer’s use of the Service and thereafter as required for deletion, backup, security, legal, audit, dispute, and compliance purposes.
Nature and purpose	Hosting, storing, organising, securing, transmitting, previewing, opening, downloading, logging, notifying, deleting, and supporting Customer Content and related account/workspace data according to Customer configuration and instructions.
Categories of data subjects	Customer personnel, owners, administrators, employees, contractors, Invited Viewers, clients, client contacts, suppliers, recipients, group members, representatives, and other individuals whose data appears in Customer Content.
Categories of personal data	Names, email addresses, business contact details, account identifiers, client records, group membership, access permissions, IP addresses, device/browser data, login/access logs, file metadata, notification records, support communications, API metadata, document contents, and any personal data included in Uploaded Files.
Sensitive data	Customer Content may include confidential, financial, tax, employment, health-related, children’s, criminal-offence, privileged, or other sensitive/regulated data if uploaded by the Customer. The Customer is responsible for ensuring such processing is lawful and appropriate.
Processing operations	Collection, receipt, storage, hosting, organisation, structuring, retrieval, consultation, transmission, disclosure to authorised recipients, restriction, deletion, logging, backup, support, troubleshooting, and security monitoring.

Appendix 2: Subprocessors and provider-region details

As of 24 May 2026, MyReportVault uses or may use the following providers in connection with the Service. South Africa is not a configured production hosting, database, object-storage, or email-dispatch region for the Service; it is the operator’s place of business and legal contact location.

Provider	Role / purpose	Data involved	Configured region / location	Important notes
Supabase	Database, authentication, backend services, account/session infrastructure, and related platform services	Account data, workspace data, client/viewer records, file metadata, access logs, API metadata, authentication/session data	West EU, Ireland, `eu-west-1`	Provider account, support, security, telemetry, and control-plane processing may occur outside that region according to Supabase’s terms and infrastructure.
Vercel	Application hosting, deployment, serverless/application infrastructure, and related platform services	Requests, logs, application runtime data, limited Customer Content in transit as needed to provide the Service	Dublin, Ireland, `dub1` / `eu-west-1`	Builds, logs, edge/network routing, platform analytics, support, and control-plane processing may occur outside that region according to Vercel’s terms and infrastructure.
Cloudflare	DNS, network, security, content delivery, anti-abuse, and related infrastructure services	Request metadata, IP addresses, security data, traffic routing data, limited Customer Content in transit	Global network	Cloudflare operates a globally distributed network.
Cloudflare R2	Object storage and related file storage infrastructure	Uploaded files, protected-file copies, versions, generated exports, object metadata	Western Europe, `WEUR`	R2 bucket placement is configured with a Western Europe location hint/placement. Provider metadata, control-plane, support, and security processing may occur outside that location according to Cloudflare’s terms and infrastructure.
Cloudflare Turnstile	Bot detection, anti-abuse checks, and security verification	IP address, browser/device signals, challenge/verification data	Global / provider-controlled	Used for abuse-sensitive flows where enabled.
Resend	Transactional email delivery and related email infrastructure	Recipient emails, sender/domain data, subject lines, message bodies, notification metadata, API logs	Email dispatch from Ireland, `eu-west-1`	Region selection controls email dispatch/routing. Resend account data, email metadata, logs, and API records may be stored in the United States or other provider-controlled locations.
Lemon Squeezy	Checkout, billing, merchant-of-record functions, subscriptions, invoices, taxes, payment status, customer billing portal, refunds, chargebacks, and related payment administration	Billing contact data, payment metadata, invoice/tax data, subscription data	Provider-controlled	May act as independent controller/merchant of record for payment data and may not be a subprocessor for Customer Content.
Microsoft Office Online Viewer / Microsoft 365 viewer services	Optional external rendering of supported unprotected Office/spreadsheet files when enabled by a Customer	Pre-signed file URLs and file contents submitted for rendering	Provider-controlled	Optional feature. Customers should not enable it for files that must not be processed by Microsoft.

Appendix 3: Technical and organisational measures

The technical and organisational measures may include, as applicable to the Service, plan, and configuration:

HTTPS/TLS encrypted transport;
authentication and session management;
role-based workspace access;
customer-configured client and group permissions;
PIN protection for selected files where configured;
password-protected file handling and encrypted protected-file workflows for supported files where configured;
pre-signed upload/open/preview/download links with expiry windows;
file expiry dates and deletion workflows;
audit and access logs;
API key controls and rate limits;
multi-factor authentication settings where available;
anti-abuse and bot-prevention controls;
provider-level database, hosting, storage, email, network, and payment security controls;
restricted administrative access based on operational need;
backup, restore, deletion, and internal retention procedures appropriate to the Service;
security incident investigation and response procedures;
confidentiality obligations for persons authorised to process personal data;
customer support and troubleshooting processes designed to limit access to Customer Content to what is reasonably necessary.