END-USER LICENSE AGREEMENT (EULA) NEXAXT WECO
Version: 1.0
Effective date: 11 May 2026
Prior versions: v0.0.18 (25 April 2026, archival) — replaced in full by this version.
Canonical URL: https://weco.nexaxt.com/pages/eula-en.html
PREAMBLE
This EULA (the "Agreement", the "EULA") is part of the Agreement Documents concluded between NEXA IKS TI LLP (the "Licensor") and the Client (the "Licensee") via the Public Offer (https://weco.nexaxt.com/pages/oferta-en.html). This EULA governs the operational aspects of using the compiled WECO product under a paid or trial license.
Two-tier licensing: WECO source code is licensed under FSL 1.1 (Functional Source License) with Apache 2.0 as the future license; this EULA supplements but does not replace FSL.
1. DEFINITIONS
1.1. Section 1 of the Public Offer applies. In addition:
Software — the WECO admin + host runtime release (ff-admin-vX.Y.Z.tar.gz + install-admin.sh + vms/bootstrap.sh + everything published via GitHub Releases of the dist repository).
License JWT — Ed25519-signed JWT delivered to the billing email after payment or trial issuance; carries tier, max_hosts, max_admin_users, features, exp.
Release Artifact — a specific build of the Software identified by version, SHA-256 checksum and minisign signature.
2. GRANT OF LICENSE
2.1. On valid payment (or a valid trial) the Licensor grants the Client a non-exclusive, non-transferable, time-limited right to: (a) download Release Artifacts; (b) install and operate the Software on infrastructure under the Client's exclusive control; (c) use the License JWT to activate the Software; (d) make backup copies for business-continuity purposes.
2.2. The License is bounded by the License JWT: max_hosts (concurrently registered Host VMs), max_admin_users (active admin accounts), features (enabled functional modules), exp (term).
2.3. The License is non-transferable. Resale, sublicensing, leasing, hosting-as-a-service to third parties are strictly prohibited.
3. WHAT THE CLIENT MAY DO
3.1. Within the limits of FSL 1.1, modify the source code for internal use.
3.2. Replace fonts, colour presets, block layouts; add custom block types by extending (not forking) the canonical shared/blocks.ts (forking breaks the schema-drift CI gate and support).
3.3. Operate the Software fully in air-gap (no outbound network) using the offline install path (Phase 2 Q3 2026). Until air-gap GA, operators may allowlist install-time outbound calls listed in the Security Statement (https://weco.nexaxt.com/pages/security-en.html).
3.4. Use own KMS / HSM / Vault for MASTER_SECRET; replace .env writing with a startup hook.
3.5. Generate audit-export bundles (.orxsite format) for backup, migration, regulatory retention.
4. WHAT THE CLIENT MAY NOT DO
4.1. Redistribute the Software to third parties (FSL governs source-code distribution; binary redistribution is prohibited).
4.2. Use the Software to provide a competing CMS / disclosure platform / website constructor to third parties as a service (separate commercial license required).
4.3. Disable, circumvent, modify or remove:
(a) the License JWT verifier;
(b) the bcrypt admin-password gate;
(c) AES-256-GCM encryption of MASTER_SECRET-derived fields;
(d) audit logging;
(e) HS256 tokenization of /pdf-stream;
(f) Referer checks on PDF streaming;
(g) 127.0.0.1:3001 host-api binding;
(h) PDF magic-bytes check (%PDF-);
(i) any other protective mechanism.
4.4. Reverse-engineer compiled Software beyond what is mandatorily permitted by the Civil Code of the Republic of Kazakhstan and FSL 1.1.
4.5. Create public SPV sites for sanctioned persons (see Public Offer, Section 15).
4.6. Upload to or publish through the Software illegal content (see AUP — https://weco.nexaxt.com/pages/aup-en.html).
5. TIER LIMITS
| Tier | Max hosts | Max admin users | Support | SLA uptime |
|---|---|---|---|---|
| Trial | 1 | 1 | community | best-effort, no credit |
| Starter | 2 | 2 | community | best-effort, no credit |
| Standard | 5 | 3 | NBD email | 99.0% |
| Premium | 10 | 5 | 4h business hours | 99.5% (aspirational) |
| Enterprise | bespoke | bespoke | dedicated, per Order Form | 99.9% (aspirational) |
5.1. max_hosts and max_admin_users are enforced at the admin database layer (HostVM, User tables) on every insert. Overage → HTTP 402 Payment Required.
5.2. Premium / Enterprise SLAs are aspirational targets; full conditions in the SLA document.
6. POST-EXPIRY BEHAVIOUR
6.1. After License JWT exp:
(a) public SPV sites already published continue serving End Users — the Licensor has no physical access to disable them;
(b) the Admin UI blocks new site creation, new admin user creation and credential rotation;
(c) for 30 days of grace, all operations needed for regulatory correction of content remain available — editing existing-site text, replacing a defective PDF, removing inaccurate disclosure;
(d) after 30 days, admin mutations are fully blocked; reading and publishing via direct DB edit are unsupported.
6.2. To restore full operation, the Client must renew the License JWT before grace ends.
7. DATA OWNERSHIP AND NO TELEMETRY
7.1. All Client Content — site configs (/var/sites/<slug>/config.json), uploaded assets, PDFs, rendered HTML, audit logs, End-User data on the public SPV sites — remains the Client's exclusive property.
7.2. The Software contains no telemetry, no automatic error reports to the Licensor, no auto-update channel. Any outbound network calls happen only on Client action (loading the installer, pulling a release, etc.) and are listed in the Security Statement.
7.3. The Licensor never accesses Client data without express Client consent (e.g., when granting support access for a specific incident).
8. SECURITY — LICENSOR OBLIGATIONS
8.1. Disclose discovered critical and high vulnerabilities via GitHub Security Advisory in the dist repository.
8.2. Issue patches for critical / high CVSS findings (≥ 7.0) within 14 calendar days of confirmation.
8.3. Maintain minisign signatures and SHA-256 checksums on every release artifact.
8.4. Publish coordinated_disclosure_policy.md in the repository.
8.5. Maintain clear boundary statements (Section 9) in the Security document.
9. BOUNDARY STATEMENTS — WHAT THE LICENSOR DOES NOT COVER
9.1. Volumetric DDoS — the Client must place a WAF / CDN before the admin VM.
9.2. Full-disk encryption — the Client's responsibility on VM provisioning.
9.3. RTO / RPO — the Phase 1 single-VM design cannot guarantee these. Off-site backups and regular restore drills are the Client's responsibility.
9.4. Compliance with the Client's local law — issuer disclosure, AML/CFT, taxes, data protection, securities, SPV/SFO accounting — solely the Client's responsibility.
9.5. Antivirus / EDR / corporate proxy compatibility — not warranted.
9.6. Certifications (ISO 27001, SOC 2, PCI-DSS) — the Licensor does not hold these.
10. DISCLAIMER OF WARRANTIES
10.1. THE SOFTWARE IS PROVIDED "AS IS" AND "AS AVAILABLE", with no warranty of merchantability, fitness for purpose, non-infringement, uninterrupted operation, error-free operation, or regulatory fitness. See Public Offer §6.2.
11. LIABILITY CAP
11.1. Aggregate Licensor liability is capped at the lower of: (a) License Fees actually paid in the 6 months before the event; (b) USD 1,000. For Trial licenses the cap is zero. Detail in Public Offer §12.
12. INDEMNITY
12.1. The Client indemnifies the Licensor broadly (see Public Offer §11). No reverse indemnity (Public Offer §10.5).
13. TERMINATION
13.1. See Public Offer §18.
13.2. On termination the Client:
(a) ceases new installations of the Software;
(b) retains the right to operate existing installations until License JWT expiry;
(c) may export audit data and .orxsite bundles.
14. GOVERNING LAW AND FORUM
14.1. Republic of Kazakhstan. Specialized Inter-District Economic Court of Almaty. See Public Offer §14.
15. GENERAL
15.1. This EULA is an integral part of the Agreement Documents. Where it conflicts with the Public Offer, the Public Offer prevails, except where this EULA expressly sets a more specific rule.
15.2. Acknowledgement: by installing the Software with an issued License JWT, the Client unconditionally accepts this EULA in full.
End of EULA v1.0.