Terms of Service

This document, referred to as the "Terms of Service" (hereinafter, "these Terms"), governs your access to and use of the services and website provided by GSS Information Co., Ltd. (hereinafter, "the Company") through the Vital Cloud Services Portal (https://www.gsscloud.com) (hereinafter, "the Website"). 

If you are a minor or a person with limited or no legal capacity, you and your legal guardian (such as a parent or custodian) must carefully review these Terms and the Privacy Policy (https://www.gsscloud.com/policies-privacy) before you apply for an account. By clicking "Agree" to complete the application and beginning to use the services provided by the Website, you and your legal guardian agree to abide by these Terms and our Privacy Policy. 

Service Content

Service Description

The Website provides online software procurement services under these Terms to any end-user consumers (including individuals, enterprises, or government agencies) who wish to use cloud services. The Company may, based on business development and consumer needs, add, modify, or terminate related services as it sees fit. 

The Company is located in Taiwan. The infrastructure and some technical support services currently used for the cloud services are provided by third-party collaborators with professional cybersecurity capabilities. Information on the main partners is compiled in "V. Third-Party Collaborators" for user reference. 

Covered Services

The following services are covered under these Terms of Service: 

• • Vital Fundamental Cloud Services 
  
• • Human Capital Management (Vital HCM) 
  
• • Certificate Management (Vital CMP) 
  
• • Collaborative Knowledge Management (Vital Knowledge) 
  
• • Vital NetZero 
  
• • Customer Relationship Management (Vital CRM) 
  
• • Smart Forms (Vital BizForm) 
  
• • Financial Accounting Management (Vital Finance) 
  
• • Official Document Management (Vital OD) 
  

Information Security Controls

The Company's cloud services (SaaS: Software as a Service) provide information security protection mechanisms to maintain service availability and protect your personal data.

Account Management

Pursuant to Taiwan’s Personal Data Protection Act and Taiwan’s Management Regulations for the Maintenance of Personal Data Files in Digital Economy-Related Industries, information system service providers shall not arbitrarily modify system account data. You are responsible for the management, modification, or cancellation of the administrator account of the system you lease or any self-created accounts. You may not share, transfer, or sell your account and you bear full responsibility for it. To protect your account security, we also offer Multi-Factor Authentication (MFA). When enabled, this feature requires an additional form of verification (such as a code from a mobile app or an SMS verification code) in addition to your password to log in. It is recommended that you enable MFA to enhance account security and prevent unauthorized access.

For special requests such as account changes or cancellations, please contact customer service or leave a message through the Website's online customer service feature. The Company will proceed with the request after you submit the application and relevant supporting documents. The account cancellation feature is not currently available for self-service; if you need to terminate your account, please follow the aforementioned procedure. 

Encryption and Data Management

We use different cloud products to offer tiered access based on customer roles, providing corresponding access permissions. You can be assigned different functional scopes based on your responsibilities, from full management control to limited functional access, to protect sensitive information and enhance system security. 

We provide a flexible information classification and labeling mechanism that can be adjusted to different business needs, rather than using a single standardized method. Depending on the business scenario, we will selectively offer information classification and grading features such as tagging, sorting, and grouping. The specific combination of features will be based on actual needs, and not all features will be available in every scenario. 

The following information classification and grading features are provided based on different product lines: 

• • Tagging: Adding tags to data to identify its characteristics or purpose for quick retrieval and categorization. 
  
• • Sorting: Sorting data according to a specified field for visual presentation and management. 
  
• • Grouping: Grouping related data or users for batch operations based on business needs or data attributes. 
  
• • To-Do List: Generating reminders for important or upcoming tasks based on business priorities to help users improve work efficiency. 
  
• • Annotation/Notes: Adding supplementary explanations or notes to data to record additional information or important reminders for future reference and communication. 
  

These features help you manage complex information structures, improve data classification accuracy and management flexibility, and support diverse business needs. 

Information Access

The Company prioritizes information security and adopts the principle of minimal access management. We ensure that only necessary personnel are authorized to access data relevant to their duties, thereby reducing risk. We also adhere to the principle of data collection minimization, collecting only the most basic information required to provide services. This information is managed and used in accordance with our Privacy Policy. 

Password Controls

The account center and all cloud services use password hashing to protect passwords. 

• • Human Capital Management, Certificate Management, Collaborative Knowledge Management, and Financial Accounting Management services use symmetric encryption for specific personal data fields in the database. 
  
• • Customer Relationship Management services protect backup compressed files with a password. 
  
• • Vital NetZero services use Azure Transparent Data Encryption on the database with a server-level encryption key. 
  
• • Official Document Management uses encryption technology for electronic exchange certificates to ensure the security and integrity of information during the exchange process. 
  

Application Security

To ensure the accuracy of data logs and system events, the Company performs time synchronization according to the default clock synchronization mechanism provided by the original cloud platform provider. The default synchronization source is a public time server (such as https://www.google.com/search?q=time.windows.com or a time server built into the cloud platform), and the actual source depends on the cloud platform used. For example, on the AWS cloud platform, the default time synchronization is done through a built-in internal time server, which is consistent with the global UTC standard time. 

We use secure development procedures and practices, including code review, vulnerability detection, and patch management, to ensure the stability and security of our cloud services. Based on service needs and disclosure policies, we will provide relevant information on a limited basis. If you need to know more about our control procedures and inspection records to verify and assess service security, please contact customer service or leave a message through the Website's online customer service feature. The Company will proceed with the request after you submit the application and relevant supporting documents. 

Network Security

We enable firewall access controls, database access controls, and network security control protections provided by the cloud platform provider. 

Operational Security

The cloud services provided by the Company use a standardized backup mechanism, storing your data redundantly across multiple data centers and performing regular backups to ensure data availability. We guarantee to keep backup data for 30 days and perform basic configurations based on the features provided by the original manufacturer. Backup management will be adjusted according to actual needs to ensure service stability. Although we provide basic recovery features, we still recommend that you back up your own data to ensure its completeness and security. 

The Company has established business continuity procedures for interruptions to critical business processes and activities to ensure services can be quickly restored or continued during an outage. A disaster recovery plan has also been established for major crises or disasters that could affect cloud service operations and is reviewed and tested annually by the cybersecurity team. All drill results are recorded and tracked until related issues are resolved. 

To ensure the operational security of the Company's cloud services, operation manuals and training videos will be provided for each service to reduce potential risks. Some information may be restricted due to security concerns. If you need to know more about operational security regulations or apply for related reports, please contact customer service or leave a message through the Website's online customer service feature and submit the application and relevant supporting documents. 

Compliance

The Company has established an information security management system and undergoes regular independent third-party audits to ensure compliance with international standards and security requirements. Because third-party audit reports are sensitive information, the Company does not provide them proactively. If you need to view the report content, please contact customer service or leave a message through the Website's online customer service feature and submit the application and relevant supporting documents. The Company will handle the request accordingly, provided you agree to treat the audit report as confidential. 

The Company's cloud services have a log record management feature. Log records are kept for a maximum of 6 months and are automatically deleted after they expire. We provide appropriate methods to help you save log records to comply with regulations and your internal management needs. The system records account-related changes, and you can track and manage historical operations through the system. Note that the scope of log records may vary for different cloud services and can include user operation records, system error logs, or security events, among others, with the content depending on the characteristics of each service. We recommend that you regularly download and save log records to ensure compliance. 

Service Hours

The Website offers 24/7 self-service. You can browse the purchasing platform at any time for information on various services and pricing. For order status or other assistance with an order you have purchased from the Website, please contact the support department through the Website's online customer service feature. 

Service Warranty

The services you purchase from the Website are continuous and maintained online software systems. If you encounter any system defects, you can report them to the technical support department via email at vital@gss.com.tw. If the technical support department confirms the defect, it will schedule a system patch (hotfix) according to its development and release timeline. 

You can choose to purchase more than one service item as needed. However, some services are value-added services and require the prior purchase of the basic Website. The termination of each service item must be handled separately. If the basic Website is terminated, its affiliated value-added services will be terminated as well. 

The default data backup and log retention periods for the Company's cloud services are described in the "Information Security Controls" section above. If you need to extend the retention period, you may be required to pay additional storage and management fees. We recommend that you assess your business needs and contact us for a customized solution. Details will be explained and confirmed based on your requirements. 

The Website is for normal and legal use by users only. 

Service Purchase and Payment

Service Purchase

You should use a valid email address to register on the Website and select the services you need. At checkout, we will obtain credit card authorization that you provide to the Website. Once credit card authorization is accepted, the service system will automatically send an activation notification email, which is considered the completion of the service purchase. 

Payment Certificate

When you complete a purchase, the Website will send an order confirmation email to you. 

Payment Method

When you make a purchase on the Website, you agree to authorize regular payments. The Website uses a third-party electronic payment method. 

Your paid account remains valid until it is canceled or terminated in accordance with these Terms. You can cancel the service at any time, but you must do so before the next billing date. If you do not pay your account fees on time, we reserve the right to suspend or remove paid account features. We may change subsequent fees, but you will be notified in advance via the email address you registered with. 

Taxes and Prices

The prices of all services on the Website are consistent and the order amount already includes the business tax required by Taiwanese tax law. Regardless of the service you have purchased, the Website adopts a try-before-you-buy mechanism. All fees are non-refundable otherwise required by applicable law. 

Agreement on the Use of These Terms

You should abide by the following: 

• • You shall abide by international internet usage conventions and shall not attempt to or engage in any behavior of stealing, altering, or destroying others' information, or unauthorized copying, resale, reprinting of others' information, or invading any system on the internet. 
  
• • You shall not disseminate computer viruses or engage in any behavior that could interfere with the normal operation of a computer, affect system operation, increase system burden, endanger communications, or affect the rights of other users. 
  
• • You shall not use the Website to engage in improper commercial behavior or for purposes that violate this agreement or relevant laws and regulations. 
  
• • If any of your activities through the Website involve the collection, processing, or use of a third party's personal data, you must strictly comply with the Personal Data Protection Act and other relevant regulations, and you shall bear all responsibility. 
  
• • The patents, copyrights, trademarks, trade secrets, proprietary technology, and other intellectual property rights of the Website's hardware, software, programs, and content (including but not limited to text, descriptions, drawings, pictures, graphics, files, page design, website planning, and arrangement) are owned by the Company or other rights holders. 
  
• • You should prevent unauthorized persons or minors from using the Website. If your account is used or accessed by another person without authorization, you must notify the Company immediately. 
  
• • You shall not use the services provided by the Website to publish or disseminate text, pictures, or images that are threatening, defamatory, personally abusive, invasive of others' privacy, or pornographic. You shall also not engage in any behavior that violates public order, good morals, or the laws of the Republic of China. 
  
• • You must comply with relevant regulations on information security, personal data protection, intellectual property rights, and international internet conventions. If you violate these regulations, you shall bear all responsibility. 
  

If you violate any of the above, the Company may immediately suspend your use of the Website and/or terminate your service rental without your consent to maintain service quality and may claim damages from you. 

Service Interruption

The Company is not liable for damages if a service failure occurs due to factors beyond the Website's control (such as equipment failure or network disruptions). However, if an unexpected service failure is attributable to the Website, the Company shall restore it within eight hours. If the failure lasts for more than 24 consecutive hours, the Company shall extend the service until the number of days the service was down is compensated. 

The time of service failure is determined by the earliest time the Company becomes aware of it or is notified by you. However, if there is sufficient evidence to prove the actual start time of the service failure, the actual start time shall prevail. 

You are responsible for maintaining your own equipment (such as installing antivirus software, updating software, and encrypting data transmissions). The Company is not responsible for any service interruptions or data leaks caused by your equipment failure or personnel operation. 

The Company may temporarily shorten or suspend operation hours for system maintenance or to improve service quality. The Company will notify you in advance of any service suspension through a website announcement, email, or other appropriate means. The rules for reducing service fees mentioned above do not apply during a service suspension. 

Cybersecurity/Personal Data Incident Response

To ensure effective incident response mechanisms for issues related to the confidentiality, integrity, availability, and privacy of the services provided by the Company and to reduce the impact of service interruptions, we have established the following: 

Incident Scope

The Company will notify you of the following incidents: 

• • Unauthorized access or data leaks. 
  
• • Service interruption or incidents affecting availability. 
  
• • Other incidents that may affect the integrity or confidentiality of your data. 
  

Information Disclosure

When an incident is detected, the Company will provide you with the following information: 

• • The nature and scope of the incident. 
  
• • The affected systems or data. 
  
• • The response measures that have been taken or are planned. 
  

Notification Time

The Company commits to notifying affected parties within 72 hours of confirming an incident. 

Notification Channels

Incident notifications will be sent through the following channels: 

• • Your designated contact person's information. 
  
• • Announcements on the customer dashboard or management interface. 
  
• • System status monitoring platform (https://app-vital-status.azurewebsites.net). 
  

Contact Information and Support

You can check the progress of an incident and contact the Company's incident management team (email: vital_event@gss.com.tw) through the contact channels or the system status monitoring platform. 

Service Termination

The Company may terminate your service and its additional features at any time under specific circumstances without prior notice: 

• • You have materially breached these Terms. 
  
• • You may cause harm to other users, third parties, or the Company. 
  
• • The law prohibits it. For example, content related to child pornography, human trafficking, harassment, terrorism, fraud, and threats to cybersecurity, as well as content that infringes on others' intellectual property rights, will be removed immediately. 
  

Except for the above terms, if the Company needs to terminate your service, it will notify you 30 days in advance and provide an appropriate way for you to download or export your files. The prepaid fees will be refunded proportionally from the date of service termination. If you require additional assistance from the Company, the Company may charge related fees. 

The Company will notify you in an appropriate manner before the expiration of your service period. If you cancel the purchased service or after the service period expires, the Company is no longer obligated to maintain your data. However, to ensure your rights, relevant data will be retained for a maximum of 6 months, and any data exceeding this period will be deleted periodically. 

Other Agreements

For matters not covered in these Terms, you agree to abide by laws and regulations, the Company's business rules, the content of the Company's website announcements, quotations, or contractual terms. 

Before engaging third-party contractors, the Company conducts due diligence on their privacy, security, and confidentiality measures and signs contracts that cover related obligations. The Company will inform you in a timely manner if there is any updated information. 

For business or marketing needs, the Company may use your registered company name and website URL to compile a user directory. This does not apply if you have stated in advance that you do not wish for it to be published. 

The collection, processing, or use of your personal data will be handled in accordance with the Company's Privacy Policy (https://www.gsscloud.com/policies-privacy). 

Responsibilities

To ensure the security and integrity of cloud services, the following clarifies the information security responsibilities between the cloud service provider and the customer: 

Cloud Service Provider (CSP) Responsibilities

• • Provide a secure and reliable infrastructure, including networks, servers, storage devices, etc. 
  
• • Ensure the security of the virtualization layer to prevent data leakage across tenants. 
  
• • Provide necessary tools and features to help customers manage the security of their data and applications. 
  

Cloud Service Customer (CSC) Responsibilities

• • Comply with relevant laws and internal security policies to ensure that operations in the cloud environment meet compliance requirements. 
  
• • Manage and protect the data stored in the cloud service, including setting appropriate access controls and encryption measures. 
  
• • Ensure the security of user accounts and authentication information to prevent unauthorized access. 
  
• • Maintain user terminal equipment (such as installing antivirus software, updating software, and encrypting data transmissions). 
  

Joint Responsibilities

• • The Company performs platform backups to maintain service availability, but the backup scope is the overall system data. You should perform separate backups of your own data. 
  

• • Regularly monitor and review the security status of the cloud service, and promptly identify and handle potential security threats. 
  

• • Assist the customer in regularly retaining incident trails, and the customer should also retain sufficient incident trails themselves. 
  

• • Provide customers with password control measures, and the customer should check the appropriateness of these measures. 
  

Third-Party Collaborators

To ensure the stability and continuity of the service delivery process, the Company has entrusted third-party collaborators with professional capabilities to assist in providing infrastructure, network services, backup resources, or technical support for some cloud services. All collaborators have been evaluated by the Company and have signed contracts covering information security, privacy protection, and confidentiality clauses. 

The main partners are as follows: 

Collaborator Name	Provided Services	Other Information
Microsoft	Azure Cloud Platform	Data is stored in data centers in the East and West regions of Japan.
Amazon (AWS)	AWS Cloud Platform	Data is stored in the Tokyo region data center in Japan.
Quonli Technology Co., Ltd.	SMS Sending Service	SMS sending records are retained for a maximum of 12 months.
Text, Inc. (LiveChat)	Online Customer Service Feature	Instant text customer service platform that provides an interactive interface for visitors and support staff.
SendGrid	Email Sending Service	Used for sending system notifications and account operation emails.
LINE	Message Sending and Receiving Service	Uses the Messaging API to communicate with customers.
Crowdin	Translation Platform	Stores multi-language translation content used in the system.
Sentry.io	Error Message Collection	Notifies developers of unexpected errors during screen operations.
Google	FCM, Analytics	Provides Android APP push notifications and behavioral analysis.

Contact Information

If you have any questions or complaints about the services provided, you can use the Company's customer service email at vital@gss.com.tw or the Website's online customer service feature.

Entire Agreement

These Terms become effective after you complete a purchase. When the content is updated, the latest version you agree to will supersede any previous or concurrent agreements. However, written documents that both parties agree to as valid attachments to these Terms are still considered part of these Terms. 

Governing Law

The interpretation, validity, and any matters not covered by these Terms shall be governed by the laws of the Republic of China (or the laws and regulations of the country where the customer's data is stored). The parties agree that in the event of any dispute, the Taiwan Taipei District Court shall be the court of first instance jurisdiction.