EmtoMe Platform - Terms and Conditions of Usage
Last Updated: 22 April 2026
These Terms and Conditions of Usage ("Terms") govern the access to and use of the EmtoMe platform (the "Platform"), a secure communication service provided by Emto Max Ltd ("the Company," "we," "us," or "our"). By accessing or using the Platform, you ("the User" or "the Client") agree to be bound by these Terms.
1.1. Platform Description: EmtoMe is a Matrix-based secure communication platform built on the Matrix protocol and provided by Emto Max Ltd (the "Company," "we," "us," or "our"). It is designed to provide end-to-end encrypted (E2EE) messaging, VoIP, and data exchange services tailored for the UK defence and aerospace SME sector.
1.2. Purpose and Positioning: The Platform is intended as a secure alternative to consumer-grade applications and is engineered to facilitate compliance with sensitive communication requirements in professional environments.
2.1. Restricted User Group / Professional Use Only: Use of the Platform is strictly limited to UK-based small and medium-sized enterprises (SMEs) operating in the defence and aerospace sectors (and closely related supply chains) for professional, business-to-business purposes only. Use for personal or consumer purposes is strictly prohibited.
2.2. Vetting: The Company reserves the right to vet all prospective Clients and Users. Access may be denied or revoked if the User cannot demonstrate a legitimate professional requirement for secure defence-related communication or if eligibility requirements are no longer met.
2.3. Account Security: Users are responsible for maintaining the confidentiality of their cryptographic keys and account credentials. Loss of recovery keys may result in permanent loss of access to encrypted data.
3.1. Shared Responsibility: Users acknowledge that security and compliance are a shared responsibility. The Client remains responsible for determining whether the Platform is appropriate for the Client’s intended use, classification level, contractual obligations, and risk appetite.
3.2. UK MOD Standards: The Platform is intended to support environments requiring alignment with UK Ministry of Defence (MOD) standards and guidance, including:
Cyber Essentials Plus; andJSP 440 (Defence Manual of Security) requirements relevant to the Client’s use and deployment.3.3. US DoD Requirements: Where relevant to the Client’s operations and contractual obligations, the Platform is intended to support requirements including:
DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting); andCMMC Level 2 readiness (implementation and operational maturity appropriate to the Client’s CUI-handling needs).3.4. No Certification Warranty: Unless expressly agreed in writing (e.g., in an Order Form or Statement of Work), the Company does not warrant that the Platform or any specific deployment is certified, accredited, or authorised for any particular classification, assurance level, or regulatory framework.
4.1. Hosting Options: The Company offers multiple deployment models:
Managed Cloud: Hosted by the Company within UK-sovereign data centres.Self-Hosted (On-Premise): The Client may elect to host their own Matrix homeserver on infrastructure controlled by the Client.4.2. UK Data Residency (Managed Cloud): Unless otherwise agreed in writing, all data processed through the Company’s managed nodes shall reside within the United Kingdom. The Client acknowledges that certain metadata and routing information may be processed as necessary to provide the service, subject to the deployment model and configuration.
4.3. Self-Hosting Responsibility (On-Premise): Where a Client chooses to self-host, the Client assumes full responsibility for (i) information security controls, (ii) configuration hardening, (iii) access control, (iv) patching and vulnerability management, (v) logging/monitoring, and (vi) business continuity and disaster recovery. The Company is not liable for data breaches, outages, or compliance failures resulting from misconfigured or poorly maintained self-hosted instances.
5.1. Identity Verification and Access Control: The Client must ensure that Users are appropriately verified and authorised prior to account provisioning (including leavers/movers controls) and that access rights reflect least-privilege principles aligned to the Client’s internal security policies.
5.2. Encryption Key Management (Matrix E2EE): Users are responsible for secure handling of end-to-end encryption keys, recovery keys, and verification methods (including cross-signing/verification where used). The Client is responsible for implementing appropriate key escrow, recovery, and device verification procedures consistent with its policies and applicable obligations. Loss of recovery keys may result in permanent loss of access to encrypted data.
5.3. Device and Endpoint Security: Users must ensure that all devices used to access the Platform are secured, kept up to date, protected against malware, and configured in accordance with the Client’s security policies (including full-disk encryption, strong authentication, secure backups, and prompt incident reporting).
5.4. Client Oversight: Due to the end-to-end encrypted nature of the Platform, the Company cannot access or monitor the content of messages. Consequently, the Client is responsible for implementing its own internal oversight and compliance auditing using available Matrix administrative tools and Client-side controls.
6.1. Ownership: Emto Max Ltd retains all rights, title, and interest in the EmtoMe brand, custom integrations, and proprietary software layers.
6.2. User Data: The Client retains all intellectual property rights and ownership of the data, files, and communications transmitted through the Platform.
7.1. Security Disclaimer: While EmtoMe utilises industry-standard encryption (Olm/Megolm) and security controls, no system is entirely impenetrable. The Company does not warrant that the Platform is immune to sophisticated or state-sponsored cyber-attacks, supply chain compromise, or endpoint/device compromise.
7.2. High-Stakes Use / CUI and Sensitive Data: The Client acknowledges that the Platform may be used for the transmission of sensitive information, including (where relevant) Controlled Unclassified Information (CUI) or other regulated data. The Client remains solely responsible for (i) determining what information may be transmitted via the Platform, (ii) ensuring appropriate authorisations and handling controls are in place, and (iii) configuring and operating the Platform (including identity, access control, retention, and device security) in a manner consistent with applicable laws, regulations, and contractual obligations (including DFARS 252.204-7012 where applicable).
7.3. Limitation of Liability: To the maximum extent permitted by English law, Emto Max Ltd shall not be liable for any indirect, incidental, special, punitive, or consequential damages, or for loss of profits, loss of revenue, loss of contracts (including defence contracts), loss of goodwill, loss of security clearances, loss of opportunity, or loss/compromise of data, arising out of or in connection with the use of or inability to use the Platform.
7.4. Aggregate Liability Cap: To the maximum extent permitted by law, the Company’s aggregate liability arising out of or in connection with these Terms (whether in contract, tort (including negligence), breach of statutory duty, or otherwise) shall be limited to the fees paid by the Client to the Company for the Platform in the 12 months preceding the event giving rise to the claim.
7.5. Indemnity: The Client agrees to indemnify and keep indemnified the Company against any claims, losses, liabilities, costs, and expenses (including reasonable legal fees) arising from or in connection with: (i) the Client’s or Users’ breach of these Terms; (ii) the Client’s breach of defence export controls, official secrets obligations, CUI handling requirements, or other data handling regulations; or (iii) the Client’s self-hosted configuration, security controls, or operational practices.
7.6. Non-Excludable Liability: Nothing in these Terms excludes or limits liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation, or any other liability that cannot be excluded or limited under applicable law.
8.1. Right to Suspend: The Company reserves the right to suspend or terminate access immediately if there is a suspected breach of security or a violation of these Terms.
8.2. Data Deletion: Upon termination of a managed service, the Company will delete all Client metadata and stored encrypted fragments within 30 days, unless a longer retention period is required by law.
9.1. These Terms shall be governed by and construed in accordance with the laws of England and Wales. Any disputes arising under these Terms shall be subject to the exclusive jurisdiction of the courts of England.
Contact Information:
Emto Max Ltd
Website: www.emtodigital.com
Email: legal@emtodigital.com
