1. Introduction
Welcome to el2FA. These Terms of Service (“Terms”) govern your access to and use of the el2FA platform, including our website, applications, APIs, and any related services (collectively, the “Service”). By creating an account or using the Service, you agree to be bound by these Terms.
If you are using the Service on behalf of an organisation, you represent and warrant that you have the authority to bind that organisation to these Terms. In that case, “you” and “your” refer to that organisation.
If you do not agree to these Terms, do not use the Service. We encourage you to read this document carefully before getting started.
2. Definitions
- “Service” means the el2FA platform, including all web applications, browser extensions, mobile applications, APIs, and documentation provided by el2FA.
- “User” means any individual who creates an account or is granted access to the Service.
- “Team” means a group of Users who share access to one or more Workspaces under a single billing account.
- “Workspace” means a logical container within the Service where 2FA codes, vaults, and team configurations are stored and managed.
- “Admin” means a User with administrative privileges over a Team or Workspace, including the ability to invite or remove members and manage permissions.
- “Vault” means a collection of 2FA codes that can be shared with specific Users or groups within a Team.
- “Content” means any data, 2FA secrets, configuration, or other information you store within the Service.
3. Account Registration
To use el2FA, you must create an account. When registering, you agree to the following:
- Accurate information. You must provide truthful, current, and complete information during registration and keep it up to date.
- One account per person. Each individual may maintain only one personal account. Creating multiple accounts to circumvent limits or restrictions is not permitted.
- Account security. You are responsible for maintaining the confidentiality of your login credentials. You must notify us immediately at legal@el2fa.com if you suspect unauthorised access to your account.
- Admin responsibility. If you are the Admin of a Team, you are responsible for the activity of all Users within that Team. This includes ensuring that members comply with these Terms and managing access permissions appropriately.
- Age requirement. You must be at least 16 years of age to use the Service. If you are under 18, you must have the consent of a parent or legal guardian.
4. Acceptable Use
You agree to use el2FA responsibly and in compliance with all applicable laws. The following activities are strictly prohibited:
- Abuse of the Service. Do not attempt to disrupt, degrade, or interfere with the operation of the Service, including through denial-of-service attacks, excessive API calls, or automated scraping.
- Reverse engineering. You may not decompile, disassemble, reverse engineer, or attempt to derive the source code of any part of the Service, except where expressly permitted by applicable law.
- Illegal use. The Service may not be used for any unlawful purpose, including storing credentials for accounts you do not have authorised access to.
- Circumventing controls. You may not bypass or attempt to bypass any security measures, rate limits, access controls, or authentication mechanisms within the Service.
- Resale without authorisation. You may not resell, sublicense, or redistribute access to the Service without prior written consent from el2FA.
We reserve the right to suspend or terminate accounts that violate these terms, with or without prior notice depending on the severity of the violation.
5. Service Description
el2FA is a team-based two-factor authentication management platform. The Service enables teams to:
- Generate and manage TOTP (Time-Based One-Time Password) codes in shared vaults.
- Grant and revoke access to 2FA codes based on roles and permissions.
- Sync codes securely across multiple devices within a team.
- Store 2FA secrets using end-to-end encryption so that only authorised Users can access them.
- Maintain audit logs of code access and team activity.
We continuously improve the Service and may add, modify, or remove features over time. We will make reasonable efforts to communicate significant changes in advance, but the availability of specific features is not guaranteed.
6. Subscription and Billing
el2FA offers both free and paid subscription plans. By subscribing to a paid plan, you agree to the following billing terms:
- Per-user pricing. Paid plans are billed on a per-user basis. You will be charged for each active User in your Team during each billing period.
- Billing cycles. Subscriptions are available on a monthly or annual billing cycle. Annual plans are billed upfront for the full year.
- Auto-renewal. Subscriptions renew automatically at the end of each billing period unless you cancel before the renewal date.
- Cancellation. You may cancel your subscription at any time through your account settings. Cancellations take effect at the end of the current billing period. No partial refunds are issued for unused time within a billing period.
- Price changes. We may adjust pricing from time to time. We will provide at least 30 days' notice before any price increase takes effect. Continued use of the Service after a price change constitutes acceptance of the new pricing.
- Payment failure. If a payment fails, we will attempt to notify you and retry the charge. If payment remains unsuccessful after a reasonable period, we may downgrade or suspend your account.
7. Free Plan
el2FA offers a free plan with limited functionality. The free plan is provided as-is and is subject to the following conditions:
- The free plan includes restrictions on the number of Users, Vaults, and stored 2FA codes. Current limits are detailed on our pricing page.
- Free plan features, limits, and availability may change at any time. We will make reasonable efforts to notify existing free-plan users of material changes.
- The free plan does not include access to premium features such as advanced audit logs, priority support, or custom integrations.
- el2FA reserves the right to discontinue the free plan entirely, with 30 days' prior notice to affected users.
8. Data Ownership
Your data belongs to you. el2FA does not claim ownership of any Content you store within the Service. Specifically:
- Your Content. You retain all rights, title, and interest in the data, 2FA secrets, and other Content you upload or create within the Service.
- Limited licence. By using the Service, you grant el2FA a limited, non-exclusive licence to store, process, and transmit your Content solely for the purpose of providing and improving the Service. This licence terminates when you delete your Content or close your account.
- No sale of data. We do not sell, rent, or share your Content with third parties for advertising or marketing purposes.
- Aggregated data. We may collect and use anonymised, aggregated data (which cannot identify you or your team) for analytics, service improvement, and reporting purposes.
9. Security Responsibilities
Security is a shared responsibility between el2FA and our users. We each have a role to play in keeping your data safe.
Our responsibilities
- Encrypt your Content at rest and in transit using industry-standard encryption protocols.
- Maintain secure infrastructure with regular security audits, vulnerability scanning, and penetration testing.
- Implement access controls that ensure only authorised personnel can access production systems, and only in limited, audited capacities.
- Respond promptly to security incidents and notify affected users in accordance with applicable law.
- Implement client-side end-to-end encryption so that your 2FA secrets are encrypted on your device before transmission and cannot be read by el2FA staff or systems.
- Issue short-lived access leases that gate code generation on current vault membership, ensuring that access revocation takes effect promptly even while devices are offline.
- Rotate vault encryption keys when a member is removed, ensuring cryptographic revocation rather than permission-only revocation.
Your responsibilities
- Use strong, unique passwords for your el2FA account and enable any additional authentication mechanisms we offer.
- Keep your devices secure and up to date with the latest operating system and browser patches.
- Manage your team's access permissions carefully. Remove users promptly when they leave your organisation or no longer require access.
- Report any suspected security vulnerabilities or unauthorised access to legal@el2fa.com immediately.
- Store your recovery codes safely. Recovery codes are the only way to regain access to your personal vault if you lose your password. el2FA cannot recover your personal vault data if both your password and recovery codes are lost.
- If you designate trusted people as recovery trustees for your personal vault, ensure those people are trustworthy and reachable. You are responsible for the integrity of your own recovery configuration.
- Manage shared vault membership actively. Remove members promptly when their access should end. While el2FA enforces cryptographic revocation, you are responsible for initiating that process in a timely manner.
9A. Encryption and Data Recovery
el2FA uses client-side end-to-end encryption for all 2FA secrets stored in the Service. The following terms apply specifically to this encryption architecture and are material to your use of the Service.
9A.1 How encryption works
- Your 2FA secrets are encrypted on your device using keys that are derived from your password and never transmitted to el2FA servers.
- el2FA stores only encrypted ciphertext. We do not hold, store, or have access to your encryption keys, Vault Keys, or plaintext 2FA secrets at any time.
- Each vault member receives an individually encrypted copy of the Vault Key, exchanged using asymmetric cryptography (X25519). The server facilitates this exchange but cannot read the Vault Key.
9A.2 Recovery codes — critical user responsibility
When you create a personal vault, el2FA generates eight recovery codes and displays them once. These codes are the cryptographic key to your personal vault recovery.
el2FA does NOT store your recovery codes in readable form. We store only a one-way hash of each code, which cannot be reversed to produce the original code.
If you lose your account password AND all of your recovery codes, your personal vault contents CANNOT be recovered — not by you, and not by el2FA. This is an inherent consequence of the encryption architecture, not a service limitation.
You must save your recovery codes immediately upon generation. Acceptable storage methods include: printing and storing in a secure physical location, storing in a separate password manager, or securely sharing with trusted individuals.
el2FA accepts no liability for loss of personal vault data resulting from failure to preserve recovery codes. See Section 11 (Limitation of Liability).
9A.3 Shared vault recovery
- Shared vaults (group vaults) do not rely on recovery codes. Any team Admin can restore vault access for a locked-out member by re-issuing that member's encrypted Vault Key share.
- el2FA enforces that at least one Admin must remain in every shared vault. The last Admin of a shared vault cannot be removed or deleted without first transferring Admin status to another member.
- If all Admins of a shared vault are permanently lost (e.g. all Admin accounts deleted), the vault's management functions (adding members, key rotation) will be frozen. Existing members will retain read access until their sessions expire. el2FA cannot restore Admin access to a vault in this state.
9A.4 Access revocation
- Removing a member from a shared vault triggers an automatic cryptographic key rotation. The removed member's copy of the Vault Key is invalidated and all vault secrets are re-encrypted under a new key.
- In addition to key rotation, el2FA's access lease system ensures that removed members lose the ability to generate codes within the lease TTL window (maximum 15 minutes on the Free plan, 5 minutes on Pro, and approximately 30 seconds on Enterprise plans).
- Despite the above, a removed member may retain locally cached data or codes that were generated and stored prior to removal. el2FA cannot control data that has already left the encrypted system via code generation or export. You acknowledge this limitation and take appropriate operational steps (e.g. changing the underlying account passwords secured by the affected 2FA codes) when revoking access for sensitive accounts.
9A.5 Trusted people (Shamir recovery)
- Personal vaults optionally support Shamir's Secret Sharing, allowing you to designate trusted individuals (trustees) who collectively hold cryptographic shares of your recovery key.
- A minimum of 2 trustees must cooperate to initiate recovery. el2FA does not participate in trustee decisions and accepts no responsibility for trustee availability, cooperation, or conduct.
- You are solely responsible for selecting appropriate trustees and for keeping trustee assignments up to date.
10. Intellectual Property
The Service, including its design, code, features, documentation, branding, and all related intellectual property, is owned by el2FA and protected by applicable copyright, trademark, and other intellectual property laws.
- Trademarks. “el2FA”, the el2FA logo, and related marks are trademarks of el2FA. You may not use these marks without prior written permission, except as reasonably necessary to refer to the Service.
- Licence to use. Subject to these Terms, we grant you a limited, non-exclusive, non-transferable, revocable licence to access and use the Service for its intended purpose.
- Feedback. If you provide suggestions, ideas, or feedback about the Service, you grant el2FA a perpetual, irrevocable, royalty-free licence to use and incorporate that feedback without obligation to you.
11. Limitation of Liability
To the maximum extent permitted by applicable law:
- No indirect damages. el2FA shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including loss of profits, data, business opportunities, or goodwill, arising out of or related to your use of the Service.
- Liability cap. el2FA's total aggregate liability for any claims arising from or related to these Terms or the Service shall not exceed the greater of (a) the amount you paid to el2FA in the 12 months preceding the claim, or (b) one hundred US dollars (USD $100).
- As-is provision. The Service is provided on an “as is” and “as available” basis. el2FA makes no warranties, express or implied, including but not limited to warranties of merchantability, fitness for a particular purpose, and non-infringement.
- No guarantee of uptime. While we strive for high availability, we do not guarantee uninterrupted or error-free operation of the Service. Scheduled maintenance and unforeseen outages may occur.
- Recovery code loss. el2FA shall not be liable for any loss of access to personal vault data resulting from a user's failure to preserve their recovery codes. The inability to recover personal vault contents in the absence of recovery codes is a documented and disclosed consequence of the encryption architecture, not a service defect.
Some jurisdictions do not allow the exclusion or limitation of certain damages. In such jurisdictions, the limitations above shall apply to the fullest extent permitted by law.
12. Termination
Either party may terminate this agreement under the following conditions:
- Termination by you. You may close your account at any time through your account settings or by contacting us at legal@el2fa.com.
- Termination by el2FA. We may suspend or terminate your account if you breach these Terms, if your account remains inactive for an extended period, or if we discontinue the Service. We will provide reasonable notice where practicable.
- Data export. Upon termination, you will have a 30-day grace period to export your data. During this period, your Content will remain accessible in a read-only state. After the grace period, we will permanently delete your Content from our systems in accordance with our data retention policies.
- Survival. Sections relating to intellectual property, limitation of liability, dispute resolution, and any other provisions that by their nature should survive termination will remain in effect after termination.
13. Dispute Resolution
We hope disputes are rare, but if one arises, we prefer to resolve it quickly and fairly.
- Informal resolution. Before initiating any formal proceedings, you agree to contact us at legal@el2fa.com and attempt to resolve the dispute informally for at least 30 days.
- Arbitration preference. If informal resolution is unsuccessful, both parties agree to attempt to resolve the dispute through binding arbitration, rather than in court. Arbitration shall be conducted by a mutually agreed-upon arbitrator under rules consistent with commercial arbitration standards.
- Governing law. These Terms are governed by the laws of England and Wales, without regard to conflict of law principles. If arbitration is not available or enforceable, the courts of England and Wales shall have exclusive jurisdiction.
- Class action waiver. You agree that any dispute resolution proceedings will be conducted on an individual basis and not as part of a class, consolidated, or representative action.
14. Changes to Terms
We may update these Terms from time to time to reflect changes in our Service, legal requirements, or business practices. When we do:
- We will provide at least 30 days' notice before material changes take effect. Notice may be given via email, an in-app notification, or a prominent notice on our website.
- The updated effective date will be displayed at the top of this page.
- Continued use of the Service after the effective date of updated Terms constitutes your acceptance of those changes.
- If you do not agree with the updated Terms, you must stop using the Service and close your account before the changes take effect.
15. Contact
If you have questions about these Terms, your account, or anything else related to el2FA, you can reach us at:
- Email: legal@el2fa.com
We aim to respond to all enquiries within two business days.