Lifetime Legal & Compliance Hub

Transparency as a Service.

At Lifetime Oy, we believe that legal clarity is the foundation of industrial trust. Our "Compliance First" architecture is designed to turn complex EU regulations—such as Fit for 55, the EU AI Act, the Digital Services Act (DSA), the EU Data Act, and GDPR—from liabilities into competitive assets for our clients.

Below you will find our complete legal framework, governing our software, services, and commercial relationships. Each policy carries an explicit effective date, last review, and named escalation channel to simplify vendor-risk assessments.

0. Compliance at a Glance

This overview summarises the key legal and compliance controls for Lifetime Group (Lifetime Oy, Finland & DWS IQ Oü, Estonia), the DWS IQ 6 Platform, the Firehorse product line, Lifetime Consulting & Advisory services, and Lifetime Studios services.

Policy	Applies to	Effective	Last reviewed
🛡️ Digital Sovereignty	All EU deployments	28 Jan 2026	01 Apr 2026
⭐ Privacy Policy & GDPR Statement	All visitors & data subjects	01 Jan 2023	01 Apr 2026
⭐ Data Security Policy	All business partners & clients	13 Dec 2025	01 Apr 2026
⭐ Data Handling Policy	Internal team & partners	13 Dec 2025	01 Apr 2026
⭐ Agreement & Project Terms	Enterprise & project clients	15 May 2024	01 Apr 2026
⭐ DWS IQ Terms of Service	DWS IQ SaaS users	30 Jun 2024	01 Apr 2026
⭐ Firehorse Terms of Service	Marketing & reporting automation users	02 Sep 2024	01 Apr 2026
⭐ Lifetime Fleet Terms	Robotics, drone & logistics partners	12 Feb 2025	01 Apr 2026
⭐ Professional Services Terms	Consulting & advisory engagements	20 Mar 2024	01 Apr 2026
⭐ Regulatory Notice for Investors	Prospective & current investors	18 Oct 2024	01 Apr 2026
⭐ Return & Performance Policy	Store & subscription customers	05 Jan 2024	01 Apr 2026
⭐ Lifetime Group Legal Notices 2026	Lifetime Oy corporate & group entities	01 Dec 2025	01 Apr 2026
Data Processing Agreement (DPA)	All customers processing Personal Data via DWS IQ	05 Feb 2026	01 Apr 2026
KYA Standard v1.1 — Know Your Agent	BYO agent governance, sandbox isolation, DWS IQ	09 Mar 2026	01 Apr 2026
AI Safety Report 2026 Analysis	Security Research — all AI deployments	06 Feb 2026	01 Apr 2026
Security & Trust	Security architecture, pentest program, responsible disclosure	18 Mar 2026	01 Apr 2026

Dates show when each control entered into force and the most recent audit or legal review. Earlier versions remain available upon request.

1. EU AI Act Self-Classification

Lifetime Oy maintains formal documentation of DWS IQ 6's classification under the EU AI Act (Regulation 2024/1689), enforceable from 2 August 2026.

Classification: Limited-Risk AI System EU AI Act 2024/1689

DWS IQ 6 and Firehorse modules are self-classified as limited-risk AI systems under Article 6 and Annex III. They do not qualify as prohibited AI practices (Article 5) or high-risk systems (Annex III categories: biometrics, employment scoring, law enforcement, safety components of critical infrastructure).

Primary function: automating ESG data into auditable compliance dashboards and 2030 simulation models — a decision-support tool, not an autonomous safety-critical actuator.

Documented Compliance Elements

EU AI Act Requirement	Our Implementation	Status
Technical Documentation (Art. 11)	Full system cards, model documentation, and architecture specs maintained in internal governance repository	✅ Active
Record-Keeping & Logging (Art. 12)	Automatic immutable logging of all AI events; 7-year retention; SIEM export available	✅ Active
Reasoning Lineage / Explainability	Every AI decision includes a traceable input → output chain; provenance metadata embedded in all AI-generated reports	✅ Active
Human-in-the-Loop Oversight	No autonomous safety-critical actions; human validation required before any actuation or compliance filing	✅ By design
AI Governance Framework	Internal risk assessment, incident audit trails, autonomy tiers (1–5), and quarterly internal review	✅ Active
Data Sovereignty & GDPR Art. 6	Private-cloud deployment; EU data residency (FI/DE); all processing bases documented per GDPR Article 6	✅ Active
Transparency Obligations (Art. 50)	Users are disclosed when interacting with AI-generated compliance reports or automated content	✅ Active
NIS2 Readiness	Incident reporting architecture; 24h early warning to Traficom; final report within 72 hours	✅ Compliant
Third-Party Conformity Assessment	Not required for limited-risk classification; ISO 27001 audit roadmap active (Q3 2026 target)	🔄 Roadmap

Deadline readiness: All limited-risk obligations are met ahead of the 2 August 2026 enforcement date. Preparatory elements for potential future reclassification — risk management controls, human oversight architecture, and full audit trails — are embedded in the product from day one.

2. Digital Sovereignty (New)

🛡️ EU-Sovereign by Design

For All Customers: Understand your deployment options — EU-sovereign infrastructure is the default; US hyperscalers are an available secondary option.
Deployment Options (EU-first):
- Sovereign Private Cloud ⭐ Recommended: On-premise or dedicated infrastructure with customer-managed encryption. Maximum EU sovereignty and data residency guarantee.
- European Cloud ⭐: Hetzner (Helsinki), Scaleway (Paris/Amsterdam/Warsaw), OVHcloud (EU regions) — no CLOUD Act exposure, GAIA-X aligned, 100% EU jurisdictions
- US Hyperscalers (secondary option): AWS, Google Cloud, Azure — EU region data residency available, but CLOUD Act jurisdiction may apply. Suitable where EU-sovereign clouds do not meet performance or tooling requirements.
Product Defaults: Firehorse local installations preferred for maximum sovereignty. Edge AI on NVIDIA Jetson keeps sensitive data on-premise. Google Cloud Run europe-north1 (Finland) used for managed EU Cloud deployments.

August 2026 EU AI Act: High-risk AI systems require EU data governance. DWS IQ Platform is Article 12 compliant with full reasoning lineage documentation for all AI decisions.

2. Investor Security

⭐ Why Your Investment in Lifetime Oy is Secure

For Investors: A direct guide for US and International investors on how EU compliance and Finnish stability protect your capital.
Quick Summary:
- World-Class Data Security: GDPR ensures your investor data and our IP are protected by strict legal frameworks.
- Transparency by Design: Finnish corporate law and CSRD alignment give you clear visibility into governance.
- Stable Foundation: Finland ranks #1 globally for rule of law and political stability.
- Future-Proofed Standards: Compliance with EU sustainability regulations positions your investment for long-term growth.

3. Privacy & Data Governance

⭐ Privacy Policy & GDPR Statement
- For Everyone: How we handle data, cookies, and your rights.
- Key Assurance: We do not use your private industrial data to train our public models. We deploy Private Cloud instances to ensure full data sovereignty.
- Data Subject Requests: Export, correction, and deletion requests are acknowledged within 2 business days and fulfilled within 30 days.
⭐ Data Security Policy
- For Business Partners: How we protect confidential data with zero-knowledge encryption.
- Key Features: Proton Mail E2EE, Proton Drive encryption, EU data residency options.
- Compliance: GDPR, EU AI Act, NIS2, EU Data Act documented.
⭐ Data Handling Policy
- For Team & Partners: Data classification (CONFIDENTIAL/INTERNAL/PUBLIC), AI tools usage policy, storage guidelines.
- Key Rules: No cloud AI for confidential data, encrypted local database, Proton Drive backups.
Data Processing Agreement & SCCs: Our modular DPA aligns with IT2022 EHK terms. View the full DPA or request a signed copy via legal@lifetime.fi.
Data Protection Officer: Acting DPO – Risto Anton Päärni, CEO (dpo@lifetime.fi).
AI Act Compliance: DWS IQ and Firehorse are classified as limited-risk systems with full technical documentation.

Data Portability & Sovereignty: Industrial telemetry can be exported in NDJSON/Parquet format. EU-based customers default to Helsinki or Frankfurt regions.

4. Digital Services & Platform Accountability

Digital Services Act alignment: Lifetime Oy operates below the VLOP threshold but voluntarily complies with Articles 14–24.
Transparency Digest: Quarterly metrics available upon request at legal@lifetime.fi.
Notice & action channel: Report suspected illegal content or AI misuse via legal@lifetime.fi. We reply within 48 hours.
NIS2 & incident reporting: 24-hour early warning to Traficom, final report within 72 hours.

5. Commercial Agreements

⭐ Agreement & Project Terms
- For Clients: The master service agreement framework. We generally follow IT2022 terms.
- Scope: Confidentiality (NDA), IPR transfer, and general liability.
⭐ Professional Services Terms
- For Consulting Clients: Specific terms for advisory, implementation, and "Kickoff" packages.
Service Levels & Incident Credits: Baseline SLA provides 99.5% monthly uptime for DWS IQ. Enterprise tiers can extend to 99.9% uptime.
Procurement shortcut: Downloadable compliance summary included in each proposal pack. Request via compliance@lifetime.fi.

6. Product Terms of Service

⭐ DWS IQ Terms of Service
- For SaaS Users: Governs the use of the DWS IQ platform.
- Focus: SLA, uptime, and permissible use of AI agents.
- Autonomous Guardrails: AI agents cannot trigger safety-critical actions without human validation.
⭐ Firehorse Terms of Service
- For Automation Users: Terms for Firehorse reporting and marketing automation.
- Marketing Compliance: Unsubscribe, consent, and auditable templates for EU and US outreach.
⭐ Lifetime Fleet Terms
- For Logistics Partners: Terms for physical robotics, drone, and vehicle operations.
- Regulatory Alignment: EU Machinery Regulation, EASA drone operator requirements.

7. Investor Relations

⭐ Regulatory Notice for Investors
- For Investors: Details on our SAFE offering, compliance strategy, and risk factors.

SAFE Snapshot Updated Q1 2026

Instrument: Post-money SAFE (EUR) with optional MFN; governed by Finnish law.
Allocation: Open for professional investors; minimum ticket €25k.
Valuation & Discount: Disclosed in protected dataroom. Request access via invest@lifetime.fi.

8. Return & Performance Policy

⭐ Return Policy
- Digital services: SaaS subscriptions may be cancelled within 14 days for a full refund.
- Physical hardware: 14-day statutory withdrawal right plus 60-day performance guarantee.
- Professional services: Kickoff deposits refundable until the first milestone workshop.

9. Security Research

Independent research and analysis on AI safety, cybersecurity, and enterprise risk management informing our platform security posture and compliance architecture.

International AI Safety Report 2026 — DWS Field Note New
- Source: International AI Safety Report 2026 (Yoshua Bengio et al., 100+ experts, 30+ countries)
- Key Findings: Existing AI safety practices are insufficient. Three risk categories: misuse, malfunction, systemic risks. 60% of advanced economy jobs exposed to AI. Autonomous agent governance urgently needed.
- DWS Impact: Validates Article 12 compliance architecture, Firehorse human-in-the-loop model, and climate-AI convergence positioning.
- Full Report: internationalaisafetyreport.org

Security Research Policy: DWS IQ Platform security architecture is informed by continuous monitoring of international AI safety research, OWASP guidelines, and EU regulatory developments. Research summaries are published as field notes and, when validated, elevated to core compliance artifacts.

10. Security & Trust

Security is not a feature — it is the foundation of every DWS IQ deployment. Our security architecture is designed for EU-regulated industries where agent failures have legal, financial, and safety consequences.

Security Architecture

Layer	Technology	Purpose
Agent Identity	KYA Standard (Know Your Agent)	Cryptographic agent identity, capability gating, fault attribution
Behavioral Guardrails	Leash Snap Protocol (< 5ms)	Pre-execution controls enforced before every agent action
Trust Scoring	Agent Trust Score (ATS 0–100)	Real-time agent reliability scoring with automatic suspension
Forensic Audit	Firehorse Suite	Immutable audit trails, reasoning lineage, 7-year retention
Tool Isolation	MCP Colors Framework (RED/BLUE)	Destructive and read-only tools separated to prevent prompt injection escalation
Encryption	AES-256 at rest, TLS 1.3 in transit	All data encrypted in storage and during transmission
Data Residency	EU-only (Finland / Germany)	No data leaves EU jurisdiction; CLOUD Act exposure eliminated with EU-sovereign options

Continuous Security Testing

15 CI/CD security workflows — automated on every commit (SAST, dependency scanning, secret detection)
Automated penetration testing — internal pentest suite covering OWASP Top 10 and OWASP LLM Top 10 (auth bypass, CORS, SSRF, prompt injection, MCP tool poisoning, supply chain)
Weekly dependency audit — npm audit + Bandit/Safety for Python components
Pre-commit hooks — block credentials, secrets, and PII from entering version control

AI-Specific Security (OWASP LLM Top 10)

Prompt Injection Defense: All MCP tool responses treated as untrusted input; no auto-installation of community skills
Sensitive Data Exposure: Agent sandbox isolation prevents cross-tenant data access; KYA session boundaries enforce data separation
Supply Chain Risk: No auto-install from community registries; all dependencies pinned with lockfiles; SRI hashes on CDN resources
Agent Autonomy Control: Five autonomy tiers (1–5) with human-in-the-loop required for safety-critical actions; no autonomous actuations without validation

Certifications & Compliance Roadmap

Standard	Status	Target Date
GDPR	Compliant	Active since 2023
NIS2	Compliant	Active — 24h early warning to Traficom
EU AI Act	Limited-Risk Certified	Article 12 active; full enforcement Aug 2026
KYA Standard v1.6	Production-Ready	Q2 2026 launch
ISO 27001	In Progress	Q4 2026
SOC 2 Type II	Planned	Q2 2027

Responsible Disclosure

We welcome security researchers who identify vulnerabilities in our platform. Please report findings responsibly:

Contact: security@lifetime.fi
Acknowledgment: Within 48 hours of report
Fix Timeline: Critical — 48 hours; High — 7 days; Medium — 30 days; Low — next release cycle
Scope: dws10.com, dws6.com, onelifetime.world, API endpoints, MCP servers
Out of Scope: Social engineering, physical attacks, denial of service

See our security.txt (RFC 9116) for machine-readable security contact information.

Trust Center: For a visual overview of our security controls and certification status, visit the DWS IQ Trust Center. For KYA governance framework details (agent identity, D&O safe harbor, performance guarantees), see the Legal & Governance Hub.

11. Customer Risk Disclosures

Lifetime Oy provides the following disclosures in the interest of full transparency. We encourage prospective customers, deployers, and investors to review these with their own legal and compliance teams before integration.

EU AI Act — Deployer Responsibility

Our limited-risk self-classification applies to DWS IQ 6 as designed and deployed by Lifetime Oy. Under Article 28 of the EU AI Act, deployers bear independent responsibility for their own use-case risk assessment. If you integrate DWS IQ 6 into operations that may constitute safety-critical infrastructure under Annex III — for example, energy grid control, transport critical infrastructure, or employment-decision systems — a higher-risk classification may apply to your specific deployment, regardless of our provider-level classification.

We have designed DWS IQ 6 with preparatory controls (human oversight, audit trails, risk management tiers) that ease any such reclassification. Contact compliance@lifetime.fi to discuss your specific integration scenario before go-live.

Product Maturity & Early Commercial Stage

DWS IQ 6 v1.0 launched on 23 February 2026 and is in an active pilot and early commercial phase. Real-world regulatory enforcement of AI Act claims across EU markets will mature after the August 2026 deadline. Enterprise customers should allow for a standard evaluation period. Our SLA (99.5% baseline uptime) and return policy protect your deployment commitment during this phase.

Third-Party Audit Status

As a limited-risk AI system, no notified-body review or CE marking is required or planned. ISO 27001 certification is targeted for Q4 2026. Internal automated penetration testing (OWASP Top 10 + LLM Top 10) was established Q1 2026 and runs continuously. Annual external third-party pentest is planned for H2 2026 (report will be available under NDA upon request). No independent AI conformity assessment has been conducted to date — this is consistent with the limited-risk regime.

Regulatory Interpretation Risk

EU AI Act interpretation — particularly for Annex III point 1 (critical infrastructure) and cross-sector industrial AI — is still evolving as the EU AI Office publishes implementation guidance. Lifetime Oy monitors EU AI Office communications and updates its compliance position accordingly. Our governance framework is designed to accommodate regulatory clarifications without architectural rework.

DPIA Recommendation: If you are evaluating DWS IQ 6 for regulated or safety-sensitive operations, we recommend conducting a Data Protection Impact Assessment (DPIA) for your specific use case. Request our AI Safety & Legal Pack (technical docs, AI governance framework summary, DPA template) at compliance@lifetime.fi.

12. Contact & Escalation

Data Protection Officer

Risto Anton Päärni
dpo@lifetime.fi
Requests processed within 30 days.

Legal & DPA Desk

legal@lifetime.fi
Contract redlines, SCC questions, notice-and-action.

Security / NIS2 Incidents

security@lifetime.fi
24/7 hotline for critical vulnerabilities.

Lifetime Oy (Finland)

Y-tunnus: 0772407-9
VAT: FI07724079
Laidunmaanraitti 2 A 25
02330 Espoo, Finland

DWS IQ Oü (Estonia)

DWS IQ Platform provider
Established Q2 2026
Subsidiary of Lifetime Oy