Veklom Vendor Agreement

Last updated: May 2, 2026 · Effective date: May 2, 2026 · Governing Law: Ontario, Canada

VENDOR SERVICES AGREEMENT FOR VEKLOM SUPPLIERS, CONTRACTORS, AND SERVICE PROVIDERS

This Vendor Services Agreement ("Agreement") governs the provision of services, software, deliverables, support, consulting, infrastructure, development, security, compliance, or other vendor services provided to Veklom Inc. ("Veklom") by the vendor, contractor, supplier, consultant, service provider, or other counterparty accepting this Agreement ("Vendor").

This Agreement is designed to protect Veklom's self-hosted, sovereign AI control-plane business model. Veklom's customer promise depends on strict control over source code, credentials, infrastructure access, security controls, regulated-data handling, audit artifacts, and intellectual property. Vendor must not access, process, store, transmit, disclose, or retain Veklom Confidential Information or Customer Data except as expressly authorized in writing by Veklom.

By providing services to Veklom, accessing Veklom systems, accepting a purchase order, signing an order form or statement of work, or otherwise performing work for Veklom, Vendor agrees to be bound by this Agreement.

Table of Contents

1 Scope and Engagement Documents

1.1 Agreement Scope

This Agreement applies to all services, deliverables, software, documentation, work product, technical support, infrastructure support, security services, compliance work, consulting, design, development, marketing, sales support, operational assistance, and other work provided by Vendor to Veklom.

1.2 Statements of Work and Purchase Orders

Specific services may be described in one or more statements of work, purchase orders, order forms, insertion orders, invoices, emails, tickets, or other written engagement documents approved by Veklom ("SOW"). Each SOW is incorporated into this Agreement. If there is a conflict between this Agreement and an SOW, this Agreement controls unless the SOW expressly states that it amends a specific section of this Agreement.

1.3 No Implied Authorization

Vendor may perform only the work expressly authorized by Veklom. Access to a system, repository, credential, dataset, customer environment, workspace, or communication channel does not authorize Vendor to use, copy, export, retain, transmit, disclose, or access information beyond what is necessary to perform the approved work.

2 Vendor Responsibilities

2.1 Standard of Performance

Vendor will perform all services in a professional, competent, secure, and workmanlike manner using personnel with appropriate skill, training, and experience. Vendor will comply with Veklom's reasonable instructions, security requirements, repository policies, development standards, and documentation requirements.

2.2 No Customer-Facing Commitments

Vendor may not make commitments, warranties, representations, pricing statements, roadmap promises, service-level commitments, compliance statements, or legal statements to any Veklom customer, prospect, regulator, auditor, or partner unless expressly authorized in writing by Veklom.

2.3 No Production Changes Without Approval

Vendor may not deploy code, modify production infrastructure, rotate credentials, change security controls, access customer environments, modify DNS, alter billing systems, or change compliance artifacts without prior written approval from Veklom.

2.4 Documentation

Vendor will document material work performed for Veklom, including code changes, configuration changes, infrastructure changes, security-relevant decisions, access granted, dependencies added, incidents discovered, and known limitations.

3 Confidentiality

3.1 Confidential Information

Vendor may receive or access Veklom Confidential Information, including source code, product architecture, security controls, business plans, pricing, customer information, vendor lists, credentials, audit artifacts, model-routing logic, compliance materials, financial information, technical documentation, repository contents, issue trackers, and non-public communications.

3.2 Confidentiality Obligations

Vendor will:

3.3 Publicity Restrictions

Vendor may not use Veklom's name, logo, trademarks, customer names, screenshots, architecture diagrams, source code, product references, or relationship with Veklom in marketing, case studies, social media, investor materials, resumes, portfolios, or public statements without prior written approval from Veklom.

3.4 Compelled Disclosure

If Vendor is legally required to disclose Veklom Confidential Information, Vendor will, to the extent legally permitted, provide prompt written notice to Veklom and reasonably cooperate with Veklom's efforts to seek confidential treatment or limit disclosure.

4 Data Protection and Customer Data

4.1 No Customer Data Access by Default

Vendor is not authorized to access, process, store, transmit, export, retain, or view Customer Data unless Veklom expressly authorizes such access in writing for a specific purpose. Customer Data includes prompts, model outputs, logs, audit artifacts, customer configuration, regulated data, PHI, personal information, API keys, secrets, and environment data.

4.2 Data Processing Addendum

If Vendor processes personal information, personal data, PHI, customer data, or regulated data on behalf of Veklom, Vendor must sign Veklom's Data Processing Addendum or another written data protection agreement approved by Veklom before processing begins.

4.3 HIPAA and BAA Requirement

Vendor may not access, process, store, transmit, or receive PHI unless Veklom has approved such access in writing and the parties have executed a Business Associate Agreement where required by HIPAA. Vendor must not use consumer AI tools, external SaaS tools, unmanaged storage, personal devices, or unapproved subprocessors for PHI or regulated data.

4.4 Data Minimization

Vendor will access only the minimum information necessary to perform authorized work. Vendor must not copy production data into development, testing, analytics, AI tools, or personal environments unless expressly approved in writing by Veklom.

4.5 AI Tool Restrictions

Vendor may not submit Veklom Confidential Information, source code, Customer Data, credentials, audit artifacts, security materials, or non-public business information into public or third-party AI tools unless Veklom has expressly approved the specific tool, account, data category, and use case in writing.

5 Security Requirements

5.1 Baseline Security Controls

Vendor will maintain administrative, technical, and physical safeguards appropriate to the sensitivity of Veklom systems and information. At minimum, Vendor will:

5.2 Security Incident Notice

Vendor must notify Veklom at security@veklom.com within 24 hours after discovering any actual or suspected security incident involving Veklom systems, Veklom Confidential Information, Customer Data, credentials, source code, audit artifacts, or Vendor systems used to perform services for Veklom.

5.3 Incident Cooperation

Vendor will reasonably cooperate with Veklom's investigation, containment, remediation, customer notification, regulator notification, evidence preservation, and root-cause analysis activities. Vendor will not make public statements about an incident involving Veklom without prior written approval.

5.4 Vulnerabilities

Vendor will promptly report any vulnerability, misconfiguration, exposed credential, insecure dependency, data leak, policy bypass, audit-log weakness, authentication issue, authorization issue, or compliance issue discovered in Veklom systems.

6 Credentials, Access, and Systems

6.1 Access Approval

Access to Veklom systems must be approved by Veklom. Vendor will use only Veklom-approved accounts, devices, networks, tools, and access methods.

6.2 Credential Handling

Vendor must not share, reuse, hardcode, print, log, commit, screenshot, email, or otherwise expose credentials, API keys, environment variables, SSH keys, signing keys, secrets, customer keys, or license keys. Vendor must immediately notify Veklom if any credential may have been exposed.

6.3 Access Termination

Vendor will stop using Veklom systems immediately upon termination, expiration of the relevant SOW, completion of the work, or Veklom's request. Vendor will cooperate with access removal, credential rotation, device wipe, and confirmation of deletion.

7 Intellectual Property and Work Product

7.1 Veklom Ownership of Work Product

All deliverables, code, documentation, designs, configurations, workflows, analyses, reports, inventions, discoveries, improvements, scripts, prompts, diagrams, playbooks, templates, and other work product created, developed, authored, conceived, or reduced to practice by Vendor for Veklom, alone or jointly with others, are "Work Product" and are owned exclusively by Veklom.

7.2 Assignment

Vendor hereby irrevocably assigns to Veklom all right, title, and interest in and to the Work Product, including all intellectual property rights, copyrights, patent rights, trade secret rights, database rights, moral rights to the extent waivable, and all rights to sue for past, present, and future infringement.

7.3 Further Assurances

Vendor will execute documents and take reasonable actions requested by Veklom to confirm, perfect, register, enforce, or evidence Veklom's ownership of the Work Product.

7.4 Pre-Existing Materials

Vendor retains ownership of materials Vendor created before the applicable SOW or independently of Veklom without use of Veklom Confidential Information ("Pre-Existing Materials"). Vendor may not incorporate Pre-Existing Materials into Work Product unless disclosed to and approved by Veklom in writing. To the extent approved Pre-Existing Materials are incorporated into Work Product, Vendor grants Veklom a perpetual, worldwide, irrevocable, transferable, sublicensable, royalty-free license to use, reproduce, modify, distribute, perform, display, make, sell, offer for sale, import, and otherwise exploit those materials as part of or in connection with Veklom products and services.

7.5 No Encumbrances

Vendor represents that Work Product will not be subject to liens, claims, license restrictions, third-party ownership claims, copyleft obligations, or contractual restrictions that prevent Veklom from using, commercializing, licensing, modifying, or distributing the Work Product.

8 Open Source and Third-Party Materials

8.1 Approval Required

Vendor may not add, embed, link, bundle, copy, or depend on open-source software, third-party code, datasets, models, fonts, media, packages, libraries, APIs, SDKs, or other third-party materials in Work Product unless approved by Veklom or already permitted by Veklom's repository policies.

8.2 Prohibited Materials

Vendor may not introduce materials that require disclosure of Veklom source code, impose copyleft obligations on proprietary Veklom code, restrict commercial use, create data-sharing obligations, require attribution not approved by Veklom, or conflict with Veklom's self-hosted sovereign execution model.

8.3 Dependency Security

Vendor must use commercially reasonable efforts to avoid vulnerable, abandoned, malicious, typosquatted, or unmaintained dependencies. Vendor must report known vulnerabilities in dependencies used in Work Product.

9 Subcontractors

9.1 Prior Approval

Vendor may not subcontract, delegate, outsource, offshore, or otherwise transfer any work under this Agreement without Veklom's prior written approval.

9.2 Vendor Responsibility

Vendor remains fully responsible for all acts and omissions of approved subcontractors. Vendor must ensure approved subcontractors are bound by written obligations at least as protective as this Agreement.

9.3 No Unauthorized Access

Vendor may not grant subcontractors access to Veklom systems, repositories, credentials, Customer Data, or Confidential Information unless Veklom has expressly approved that access.

10 Compliance with Laws

Vendor will comply with all applicable laws, regulations, sanctions, export controls, privacy laws, anti-bribery laws, employment laws, tax laws, accessibility requirements, and industry-specific requirements applicable to Vendor's services. Vendor will not use Veklom systems or information for unlawful, harmful, infringing, deceptive, abusive, or unauthorized purposes.

11 Fees, Invoices, and Taxes

11.1 Fees

Veklom will pay Vendor the fees expressly stated in the applicable SOW or approved invoice. Vendor is not entitled to expenses, overages, pass-through costs, subscription charges, tool charges, or third-party fees unless approved in writing by Veklom in advance.

11.2 Invoices

Invoices must include sufficient detail to validate the work performed, applicable purchase order or SOW reference, payment instructions, taxes, and supporting documentation reasonably requested by Veklom.

11.3 Taxes

Vendor is responsible for all taxes, withholdings, assessments, employment obligations, insurance, benefits, and governmental charges arising from Vendor's personnel, business operations, and compensation, except taxes Veklom is legally required to withhold or remit.

12 Term and Termination

12.1 Term

This Agreement begins on the Effective Date and continues until terminated by either party or until all SOWs expire or terminate.

12.2 Termination for Convenience

Veklom may terminate this Agreement or any SOW for convenience upon written notice to Vendor. Unless otherwise stated in an SOW, Veklom will pay Vendor for authorized services properly performed before the effective termination date.

12.3 Termination for Cause

Either party may terminate this Agreement or an SOW if the other party materially breaches and fails to cure within 10 days after written notice. Veklom may terminate immediately if Vendor breaches confidentiality, security, data protection, IP assignment, credential-handling, subcontractor, or compliance obligations.

12.4 Effect of Termination

Upon termination or expiration, Vendor will stop all work, stop accessing Veklom systems, return or delete Veklom materials, deliver completed and in-progress Work Product, cooperate with transition, and certify deletion upon request.

13 Return and Deletion of Materials

Upon Veklom's request or upon termination, Vendor will promptly return or securely delete all Veklom Confidential Information, Customer Data, credentials, copies, extracts, notes, source code, documentation, logs, and other materials in Vendor's possession or control. Vendor may retain only copies required by law, provided they remain protected under this Agreement and are not used for any other purpose.

14 Warranties

Vendor represents and warrants that:

EXCEPT AS EXPRESSLY STATED IN THIS AGREEMENT, NEITHER PARTY MAKES ANY OTHER WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE.

15 Indemnification

15.1 Vendor Indemnity

Vendor will defend, indemnify, and hold harmless Veklom, its affiliates, officers, directors, employees, contractors, customers, and agents from and against any third-party claims, damages, losses, liabilities, penalties, costs, and expenses, including reasonable attorneys' fees, arising out of or relating to:

15.2 Indemnification Procedure

Veklom will provide prompt notice of a claim, reasonably cooperate in the defense, and allow Vendor to control the defense if Vendor accepts its indemnity obligations and uses counsel reasonably acceptable to Veklom. Vendor may not settle any claim in a way that imposes liability, admission, restriction, payment, or obligation on Veklom without Veklom's prior written consent.

16 Limitation of Liability

16.1 General Cap

Except for Excluded Claims, each party's total aggregate liability arising out of or relating to this Agreement will not exceed the greater of: (a) the total fees paid or payable to Vendor under the applicable SOW during the 12 months preceding the event giving rise to liability; or (b) $25,000 CAD.

16.2 Excluded Claims

The liability cap and damages exclusion do not apply to: confidentiality breaches, data protection breaches, security incidents caused by Vendor's breach, credential mishandling, IP infringement or misappropriation, indemnification obligations, fraud, willful misconduct, gross negligence, payment obligations, or unauthorized use of Veklom systems or Customer Data.

16.3 Exclusion of Damages

Except for Excluded Claims, neither party will be liable for indirect, incidental, special, consequential, punitive, exemplary, or lost-profit damages, even if advised of the possibility of such damages.

17 Insurance

Upon Veklom's request, Vendor will maintain insurance appropriate to the services, which may include commercial general liability, professional liability/errors and omissions, cyber liability, workers' compensation, and employer's liability coverage. Vendor will provide certificates of insurance upon request.

18 Audit and Cooperation

Vendor will reasonably cooperate with Veklom's security reviews, compliance reviews, access reviews, customer diligence, audits, incident investigations, regulatory inquiries, and evidence requests relating to Vendor's services. Vendor will provide information reasonably necessary to verify compliance with this Agreement, including subcontractor use, security controls, data handling, dependency lists, and deletion certification.

19 Independent Contractor Relationship

Vendor is an independent contractor and not an employee, agent, partner, joint venturer, or legal representative of Veklom. Vendor has no authority to bind Veklom. Vendor is solely responsible for Vendor personnel, compensation, benefits, insurance, taxes, employment obligations, equipment, tools, and work methods.

20 General Terms

20.1 Assignment

Vendor may not assign this Agreement or any SOW without Veklom's prior written consent. Any attempted assignment in violation of this section is void. Veklom may assign this Agreement in connection with a merger, acquisition, corporate reorganization, financing, or sale of substantially all assets.

20.2 Governing Law

This Agreement is governed by the laws of the Province of Ontario and the federal laws of Canada applicable therein, without regard to conflict-of-law principles. The parties consent to the exclusive jurisdiction of the courts of Ontario for any dispute arising under this Agreement.

20.3 Notices

Legal notices must be sent in writing to the addresses or email contacts specified in the applicable SOW or otherwise designated by the receiving party. Security notices to Veklom must be sent to security@veklom.com. Legal notices to Veklom must be sent to legal@veklom.com.

20.4 Severability

If any provision is held invalid or unenforceable, it will be limited to the minimum extent necessary and the remainder of the Agreement will remain in effect.

20.5 Waiver

Failure to enforce any provision is not a waiver. A waiver is effective only if in writing and signed by the waiving party.

20.6 Entire Agreement

This Agreement, together with applicable SOWs, constitutes the entire agreement between the parties regarding Vendor's services and supersedes prior or contemporaneous agreements on that subject.

20.7 Survival

Sections relating to confidentiality, data protection, security, return and deletion, intellectual property, payment obligations, indemnification, limitation of liability, audit cooperation, governing law, and any provisions that by their nature should survive will survive termination or expiration.

21 Definitions

"Agreement" means this Vendor Services Agreement and all incorporated SOWs.

"Confidential Information" means non-public information disclosed by or on behalf of Veklom that is designated confidential or that a reasonable person would understand to be confidential, including source code, architecture, credentials, business plans, pricing, customer information, audit artifacts, security materials, and technical documentation.

"Customer Data" means data, prompts, model outputs, logs, audit artifacts, configuration data, regulated data, PHI, personal information, API keys, secrets, and other information belonging to or relating to Veklom customers or customer environments.

"Excluded Claims" means claims excluded from the limitation of liability as described in Section 16.2.

"PHI" means protected health information as defined by HIPAA.

"SOW" means any statement of work, purchase order, order form, invoice, ticket, email authorization, or other written engagement document approved by Veklom.

"Vendor" means the supplier, contractor, consultant, service provider, or other counterparty providing services or deliverables to Veklom.

"Veklom Confidential Information" means Confidential Information owned by or disclosed on behalf of Veklom.

"Work Product" means all deliverables and work product created, developed, authored, conceived, or reduced to practice by Vendor for Veklom.

© 2026 Veklom Inc. · veklom.com · Questions: legal@veklom.com · Security notices: security@veklom.com

This document is provided for informational purposes. For binding legal effect, execute an SOW, purchase order, or vendor onboarding document referencing this Agreement.