Enterprise MSA Addendum

Draft version: 10 May 2026

The short version

Where the Customer has executed this Addendum together with the standard Terms of Service, the liability cap is two times annual contract value (ACV) for breaches of confidentiality, security, or data-protection obligations, with a per-claim cap and an aggregate cap as set out below. Standard self-serve customers (Free, Dev, Pro) remain on the £100 floor in section 13 of the Terms of Service. This Addendum is intended for Business and Enterprise plan customers whose procurement requires a higher cap and who have executed a written agreement with Treehouse in Valhalla Ltd.

1. Definitions

Capitalised terms have the meanings given in the Terms of Service and the Data Processing Agreement. In addition:

• "ACV" or "Annual Contract Value" means the total recurring fees payable by the Customer to deny.sh under the executed order form for the 12-month period preceding the event giving rise to the claim, excluding usage-based overages, one-off charges, taxes, and Service Credits issued under the SLA. Where the Customer's contract is less than 12 months old at the date of the claim, ACV is annualised based on fees paid to date.
• "Order Form" means a written order document executed by both parties incorporating these terms by reference.
• "Confidential Information", "Personal Data Breach", and "Sub-Processor" have the meanings given in the Data Processing Agreement.
• "Carve-out Claim" means a claim arising from any of the categories listed in section 3.2 of this Addendum.

2. Scope and incorporation

This Addendum supplements the Terms of Service and the Data Processing Agreement. It applies only where:

• The Customer has executed a written Order Form referencing this Addendum, and
• The Customer is on a paid Business or Enterprise plan

For all other Customers, the standard Terms of Service apply unmodified.

This Addendum forms part of the Master Services Agreement between the parties (the Order Form, the Terms of Service, the Data Processing Agreement, and this Addendum, taken together, the "MSA"). In the event of conflict between this Addendum and the standard Terms of Service, this Addendum prevails.

3. Limitation of liability

3.1 Standard liability cap (replaces section 13 of the Terms of Service)

Subject to section 3.2 and to the matters that cannot be limited or excluded by law, each party's total aggregate liability for any and all claims arising under or in connection with the MSA is limited, per claim and in aggregate during any 12-month period, to one (1) times the Customer's ACV at the date of the first event giving rise to the claim.

3.2 Elevated cap for breach carve-outs

For claims arising from any of the following categories ("Carve-out Claims"), each party's total aggregate liability is limited, per claim and in aggregate during any 12-month period, to two (2) times the Customer's ACV at the date of the first event giving rise to the claim:

• Breach of section 4 of this Addendum (Confidentiality)
• Breach of the security obligations in section 5 of the Data Processing Agreement, where the breach is the proximate cause of a Personal Data Breach affecting the Customer or its Data Subjects
• Breach of section 5 of this Addendum (Data Protection) where the breach results in a notifiable Personal Data Breach to a Supervisory Authority
• Breach of the indemnification obligations in section 6 of this Addendum (intellectual property indemnity), excluding amounts that would otherwise be uncapped under section 3.3
• Wilful misconduct or gross negligence (to the extent recognised by applicable law)

3.3 Uncapped liability

Nothing in this Addendum or the MSA limits or excludes either party's liability for:

• Death or personal injury caused by negligence
• Fraud or fraudulent misrepresentation
• Amounts due under the Customer's payment obligations to deny.sh
• Either party's indemnification obligations to the extent expressly stated in section 6 of this Addendum to be uncapped
• Any other liability that cannot be limited or excluded under English law

3.4 Excluded damages

To the maximum extent permitted by law, neither party is liable for any indirect, incidental, special, consequential, or punitive damages, including loss of profits, loss of revenue, loss of goodwill, loss of anticipated savings, or loss of business opportunity, arising under or in connection with the MSA, even if advised of the possibility of such damages. Loss of, or damage to, Customer Personal Data is treated as direct loss for the purposes of section 3.2 to the extent caused by a Carve-out Claim.

3.5 Worked example

For a Customer with an ACV of $25,000:

• Standard cap (section 3.1): $25,000 per claim and in aggregate per 12-month period
• Elevated cap for Carve-out Claims (section 3.2): $50,000 per claim and in aggregate per 12-month period

For an Enterprise Customer with an ACV of $200,000:

• Standard cap: $200,000 per claim and in aggregate per 12-month period
• Elevated cap for Carve-out Claims: $400,000 per claim and in aggregate per 12-month period

4. Confidentiality

Each party (the "Receiving Party") agrees to protect the other party's (the "Disclosing Party's") Confidential Information using the same degree of care it uses to protect its own Confidential Information of similar sensitivity, and in any event no less than a reasonable standard of care. The Receiving Party may use Confidential Information only to the extent necessary to perform its obligations or exercise its rights under the MSA.

Confidential Information does not include information that:

• Was known to the Receiving Party without a duty of confidentiality before disclosure
• Is or becomes publicly available without breach of the MSA
• Is rightfully received from a third party without a duty of confidentiality
• Is independently developed without reference to the Disclosing Party's Confidential Information

The Receiving Party may disclose Confidential Information to the extent required by law, court order, or regulatory requirement, provided that, where legally permitted, it gives the Disclosing Party prompt written notice and a reasonable opportunity to seek a protective order or equivalent relief.

Confidentiality obligations survive termination of the MSA for a period of five (5) years from disclosure, except for trade secrets, which remain confidential for as long as they qualify as such under applicable law.

5. Data protection

The processing of Personal Data under this Addendum is governed by the Data Processing Agreement, which is incorporated by reference. In the event of conflict between this Addendum and the Data Processing Agreement on matters of data protection, the Data Processing Agreement prevails.

For Carve-out Claims arising under section 3.2 in connection with a Personal Data Breach, this Addendum's elevated cap applies in addition to, and not in substitution for, any rights of Data Subjects against either party under Article 82 UK GDPR.

6. Intellectual property indemnity

6.1 deny.sh indemnity

deny.sh will defend, indemnify, and hold the Customer harmless from and against any third-party claim alleging that the Customer's authorised use of the Service infringes any intellectual property right enforceable in the United Kingdom or the European Union, and will pay any damages and costs (including reasonable legal fees) finally awarded against the Customer or agreed in settlement, provided that the Customer:

• Promptly notifies deny.sh in writing of the claim
• Gives deny.sh sole control of the defence and settlement, except that deny.sh will not enter into any settlement that imposes a non-monetary obligation on the Customer without the Customer's prior written consent (not to be unreasonably withheld)
• Provides reasonable cooperation at deny.sh's expense

The indemnity in this section 6.1 does not apply where the alleged infringement arises from:

• Modifications to the Service made by the Customer or a third party on the Customer's behalf
• Combination of the Service with software, hardware, or data not provided or expressly approved by deny.sh
• Use of the Service in breach of the MSA or of applicable law
• Use of a version of the Service after deny.sh has provided a non-infringing replacement and the Customer has not adopted it within a reasonable period

6.2 Customer indemnity

The Customer will defend, indemnify, and hold deny.sh harmless from and against any third-party claim arising from:

• The Customer's breach of the MSA, including the acceptable-use restrictions in section 6 of the Terms of Service
• Personal Data submitted by the Customer in violation of Applicable Data Protection Law
• Any claim by an end user of the Customer's application that arises from the Customer's act or omission and not from a defect in the Service

6.3 Indemnity caps

The intellectual property indemnity in section 6.1 is capped at the amounts set out in section 3.2 (elevated Carve-out cap). The Customer indemnity in section 6.2 is capped at the amounts set out in section 3.2 except where the underlying claim is based on the Customer's wilful misconduct, in which case the indemnity is uncapped.

7. Audit rights

The Customer's audit rights are set out in section 11 of the Data Processing Agreement. The Customer may exercise those rights once in any 12-month period without cause, and additionally following a confirmed Personal Data Breach affecting the Customer's data or where required by a Supervisory Authority.

8. Insurance

Throughout the term of the MSA, deny.sh will maintain commercial insurance appropriate to the risks of the Service, which may include cyber liability, professional indemnity, and public liability cover. Certificates of insurance are available on request to hello@deny.sh.

9. Term and termination

This Addendum begins on the effective date of the Order Form and remains in force for the duration of the Order Form. Either party may terminate this Addendum for material breach by the other party, where the breach is not cured within 30 days of written notice describing the breach in reasonable detail.

Sections that by their nature should survive termination, including section 3 (Limitation), section 4 (Confidentiality), section 6 (Indemnity), and section 11 (Governing law), survive termination of this Addendum.

10. Order of precedence

If there is a conflict between the documents that make up the MSA, the order of precedence is:

1. The Order Form (for matters expressly addressed in the Order Form only)
2. This Addendum
3. The Data Processing Agreement (for data-protection matters)
4. The Service Level Agreement (for uptime and Service Credits)
5. The standard Terms of Service

11. Governing law and jurisdiction

This Addendum is governed by and construed in accordance with the laws of England and Wales. Disputes arising under or in connection with this Addendum are subject to the exclusive jurisdiction of the courts of England and Wales, save that either party may seek injunctive relief in any court of competent jurisdiction.

12. Notices

Notices under this Addendum must be in writing and sent to the email address listed for the receiving party in the Order Form. Notices to deny.sh must be copied to hello@deny.sh. A notice is deemed received on the next business day after sending.

13. General

If any provision of this Addendum is found to be unenforceable, the remaining provisions remain in full force. No waiver of any provision is effective unless in writing and signed by the waiving party. This Addendum, together with the Order Form, the Terms of Service, the Data Processing Agreement, and the Service Level Agreement, constitutes the entire agreement between the parties on the matters addressed and supersedes all prior agreements on those matters.

14. Signatures

This Addendum takes effect on signature of the corresponding Order Form. For executed counterparts, contact hello@deny.sh.

Treehouse in Valhalla Ltd
Company No. 15770209
Registered in England and Wales
Email: hello@deny.sh