Bonterms-derivative. These Terms of Service incorporate standard B2B protections substantially modeled on the Bonterms Cloud Terms framework (CC-licensed, peer-reviewed by SaaS counsel). Customer-protective clauses (security warranties, data portability, indemnification, audit rights) are included. ElasticD3M, LLC has adapted this to its product set; this document does not constitute legal advice and Customer should consult its own counsel for material decisions.
1. Acceptance and Scope
These Terms of Service (the "Terms") constitute a binding agreement between ElasticD3M, LLC, a Texas limited liability company with a registered address at 7700 Broadway St, Ste 104 PMB1083, San Antonio, TX 78209 ("Provider", "we", "us"), and the entity or person identified during account creation, intake, or Stripe checkout ("Customer", "you"). By creating an account, purchasing the Multi-Framework Readiness Snapshot, starting an Aegis AI™ subscription, or otherwise using the Services, Customer accepts these Terms.
If Customer is using the Services on behalf of an organization, Customer represents that it has authority to bind that organization, and references to "Customer" mean that organization. These Terms apply to all Services described at ai4ciso.ai, including the Multi-Framework Readiness Snapshot (one-time engagement) and the Sentinel, Guardian, Vanguard, Fortress, and Sovereign monthly subscriptions.
2. Definitions
- "Services" means the cloud-based Aegis AI™ virtual-CISO platform and related deliverables made available by Provider, including the Multi-Framework Readiness Snapshot report and the monthly control matrix, evidence binder, risk register, POA&M, and board narrative deliverables.
- "Customer Data" means data, content, or information submitted to or processed by the Services on Customer's behalf, including configuration metadata read from Customer's connected cloud services. Customer Data does not include regulated payload contents (PHI, cardholder data, EU personal data subject to GDPR Article 9); the Services' scope is configuration metadata, not regulated data contents.
- "Documentation" means the user-facing documentation Provider makes available at ai4ciso.ai.
- "Subscription Term" means the period during which Customer is entitled to use a monthly subscription, beginning on the date of first successful charge and continuing monthly until cancellation.
- "Confidential Information" means non-public information disclosed by one party to the other in connection with these Terms, including Customer Data and Provider technology and pricing.
3. Services Description
Provider operates Aegis AI™, an Agent-as-a-Service virtual-CISO platform covering SOC 2, ISO 27001, HIPAA, PCI-DSS, NIST CSF, and GDPR. Provider's Services include automated drafting of compliance documentation (control matrix, evidence binder, risk register, POA&M, board narrative) generated from Customer's live cloud telemetry. Provider does not perform formal audits or certifications; those are performed exclusively by independent CPA firms, certification bodies, assessors, and QSAs. Provider is not an auditor and the Services do not substitute for an independent audit.
4. Account Terms
Customer is responsible for maintaining the security of any credentials it uses to access the Services and for all activity that occurs under its account. Customer must notify Provider promptly (at [email protected]) of any unauthorized access. Customer must provide accurate and current information at intake and during account use.
5. Subscription, Fees, and Payment
The Multi-Framework Readiness Snapshot is a one-time charge of $1,995 (USD), processed at the time of order through Stripe. Monthly subscriptions (Sentinel $4,500/mo, Guardian $8,500/mo, Vanguard $17,000/mo, Fortress $33,500/mo, Sovereign $60,000/mo) are billed monthly in advance via Stripe on the day of the calendar month corresponding to Customer's subscription start date. All fees are non-refundable except as set forth in Provider's Cancellation Policy.
No Free Trial. Subscriptions begin and are billed immediately upon Customer's purchase. Customer is charged on the day of subscription and on that same calendar day each month thereafter. Cancellation is via Stripe's billing portal; access continues through the end of the then-current paid month and no refund is issued for the period already paid.
Provider may adjust pricing on at least thirty (30) days' prior notice. Price adjustments do not apply retroactively to Customer's existing paid month.
6. Cancellation and Refunds
Customer may cancel any subscription at any time through its Stripe billing portal, by email to [email protected], or as otherwise provided in the Cancellation Policy. The Multi-Framework Readiness Snapshot is a one-time engagement; once the PDF report has been delivered to Customer's inbox, the engagement is complete and not refundable. Pre-delivery cancellations of the Snapshot are refundable in full if requested in writing before scan completion (7-day money-back window).
7. Acceptable Use
Customer's use of the Services is governed by the Acceptable Use Policy. Without limiting the AUP, Customer agrees not to: (a) reverse engineer, decompile, or disassemble any part of the Services; (b) use the Services to develop a competing product; (c) interfere with the integrity or performance of the Services; (d) use the Services in violation of applicable law, including export control laws; or (e) submit regulated payload contents (PHI, cardholder data, GDPR Article 9 special categories) to the Services other than the configuration metadata the Services are designed to read.
8. Customer Data and Confidentiality
Customer retains all rights, title, and interest in Customer Data. Customer grants Provider a non-exclusive, worldwide, royalty-free license to use, store, process, and display Customer Data solely to provide the Services and as otherwise permitted by these Terms and the Privacy Notice. Provider's processing of Personal Data (as defined in the Data Processing Addendum) is governed by the DPA, which is incorporated into these Terms by reference.
Each party will hold the other's Confidential Information in confidence and will not disclose it except to its employees, contractors, and advisors who have a need to know and who are bound by confidentiality obligations no less protective than those in these Terms.
9. Security Warranties
Provider warrants that it will: (a) maintain industry-standard administrative, physical, and technical safeguards designed to protect Customer Data, including encryption at rest (AES-GCM or stronger) and in transit (TLS 1.2 or stronger); (b) restrict access to Customer Data to personnel with a need to know; (c) implement least-privilege access controls for production systems; (d) notify Customer of any confirmed Personal Data Breach affecting Customer's data within seventy-two (72) hours of confirmation, as required by the DPA; and (e) maintain a documented incident response plan.
Customer connectors used to read configuration metadata (AWS read-only IAM roles, Azure / Microsoft 365 Service Principals with Reader scope, Okta read-only API tokens, CrowdStrike OAuth2 read-only API clients) are scoped to configuration metadata only and may be revoked by Customer at any time by removing the role, app registration, or token from the corresponding tenant. Provider does not retain a copy of any credential after the Services are revoked.
10. Intellectual Property
Provider retains all rights, title, and interest in the Services, including all related intellectual property rights. Customer's use of the Services does not transfer any ownership rights. Customer may use the deliverables (control matrix, evidence binder, risk register, POA&M, board narrative) for its own internal compliance purposes, including providing them to auditors, certification bodies, regulators, customers, and partners in connection with audits, certifications, due diligence, and contract performance. The deliverables may not be resold or distributed to third parties for compensation without Provider's written consent.
11. Disclaimers
EXCEPT FOR THE EXPRESS WARRANTIES IN SECTION 9, THE SERVICES ARE PROVIDED "AS IS" AND "AS AVAILABLE." PROVIDER DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND TITLE. PROVIDER DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, ERROR-FREE, OR THAT ALL DEFECTS WILL BE CORRECTED.
Compliance Disclaimer. The Services support Customer's audit-readiness preparation across SOC 2, ISO 27001, HIPAA, PCI-DSS, NIST CSF, and GDPR. Provider does not guarantee that Customer will pass any audit, certification, or regulator examination. Outcomes depend on factors outside Provider's control, including the auditor's professional judgment, the completeness of Customer's own remediation work, and the accuracy of information Customer provides at intake. The Services are decision-support tools; the final accountability for compliance and audit readiness remains with Customer.
12. Indemnification
Mutual Indemnification. Each party will defend the other against any third-party claim arising from the defending party's: (a) gross negligence or willful misconduct; (b) infringement of a third party's intellectual property rights through that party's own materials (Provider's Services or Customer Data, respectively); or (c) breach of these Terms. The indemnified party will: (i) promptly notify the indemnifying party of any covered claim; (ii) give the indemnifying party reasonable control of the defense and settlement; and (iii) provide reasonable cooperation at the indemnifying party's expense.
Provider IP Infringement Remedy. If Customer's use of the Services is enjoined or claimed to infringe a third party's intellectual property rights, Provider may, at its option and expense: (i) procure for Customer the right to continue using the Services; (ii) replace or modify the Services so they no longer infringe; or (iii) terminate the affected portion of the Services and refund any prepaid fees attributable to the affected period.
13. Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY LAW, NEITHER PARTY WILL BE LIABLE TO THE OTHER FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR FOR LOST PROFITS, REVENUES, DATA, OR BUSINESS OPPORTUNITIES, ARISING OUT OF OR RELATING TO THESE TERMS OR THE SERVICES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
EACH PARTY'S TOTAL CUMULATIVE LIABILITY UNDER THESE TERMS WILL NOT EXCEED THE GREATER OF: (A) THE FEES PAID OR PAYABLE BY CUSTOMER TO PROVIDER IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM, OR (B) ONE HUNDRED THOUSAND DOLLARS ($100,000 USD).
Exclusions. The limitations in this Section 13 do not apply to: (i) either party's indemnification obligations under Section 12; (ii) Customer's payment obligations; (iii) either party's gross negligence or willful misconduct; or (iv) breaches of confidentiality obligations.
14. Term and Termination
These Terms remain in effect for so long as Customer has an active account or any unpaid balance. Either party may terminate these Terms for material breach by the other if the breach is not cured within thirty (30) days after written notice. Either party may terminate immediately upon the other party's bankruptcy or insolvency.
Upon termination: (a) Customer's access to the Services ends at the end of the then-current paid period; (b) Provider will, at Customer's written request made within thirty (30) days after termination, return or delete Customer Data in accordance with the DPA; and (c) provisions that by their nature should survive termination (including Sections 8, 10, 11, 12, 13, 15, 15A, 16, 17, 18, and 19) will survive.
15. Modifications
Provider may modify these Terms or the Services from time to time. For material modifications adverse to Customer's rights, Provider will provide at least thirty (30) days' prior notice via email or in-platform notice. Customer's continued use of the Services after a modification effective date constitutes acceptance of the modification. If Customer does not accept a material modification, Customer may terminate its subscription by written notice before the modification effective date and receive a pro-rata refund of unused prepaid fees.
15A. Trade Compliance (OFAC, Export Controls, Sanctions)
Customer represents and warrants that (a) Customer and its principals are not listed on the OFAC SDN, SSI, or any other U.S. government denied-party list; (b) Customer is not located in or organized under the laws of a country or region subject to a comprehensive U.S. embargo (currently Cuba, Iran, North Korea, Syria, Crimea, Donetsk, and Luhansk); (c) Customer will not use the Services in violation of U.S. export-control laws (Export Administration Regulations / International Traffic in Arms Regulations) or sanctions regulations administered by the U.S. Treasury Office of Foreign Assets Control. Breach of this Section 15A permits ElasticD3M, LLC to suspend or terminate the Services immediately, without refund of fees previously paid. Customer agrees to notify Provider at [email protected] promptly if Customer's eligibility status changes during the term.
16. Governing Law and Venue
These Terms are governed by the laws of the State of Texas, United States, without regard to conflict-of-laws principles. The exclusive venue for any dispute arising under these Terms is the state or federal courts located in Bexar County, Texas, and each party consents to personal jurisdiction in those courts.
17. Dispute Resolution and Arbitration
The parties will first attempt to resolve any dispute through good-faith negotiations between business leaders. If unresolved after thirty (30) days, either party may refer the dispute to binding arbitration administered by JAMS under its Streamlined Arbitration Rules, conducted in San Antonio, Texas, in English, before a single arbitrator. Each party bears its own attorneys' fees; arbitration costs are split equally. Judgment on the arbitration award may be entered in any court of competent jurisdiction.
Class-Action Waiver. Each party waives any right to participate in a class, collective, or representative action against the other arising out of these Terms or the Services. Disputes must be brought on an individual basis only.
Notwithstanding the foregoing, either party may seek injunctive or equitable relief in court for breach of intellectual property rights or confidentiality obligations.
18. Force Majeure
Neither party will be liable for any delay or failure to perform (except for payment obligations) due to causes beyond its reasonable control, including acts of God, war, terrorism, civil unrest, government action, internet or utility outages, cyberattacks affecting upstream infrastructure, pandemics, or natural disasters. The affected party will notify the other party promptly and use reasonable efforts to resume performance.
19. General Provisions
Notices. Notices to Provider must be sent to [email protected] with a copy to Provider's registered address. Notices to Customer will be sent to the email address on file. Notices are effective on receipt by email.
Assignment. Neither party may assign these Terms without the other's prior written consent, except that either party may assign these Terms in connection with a merger, acquisition, or sale of substantially all of its assets, provided the assignee assumes all obligations.
Entire Agreement. These Terms, together with the Privacy Notice, DPA, AUP, SLA, Cancellation Policy, and the Subprocessors List, constitute the entire agreement between the parties and supersede all prior agreements and understandings.
Severability. If any provision of these Terms is held unenforceable, the remaining provisions remain in effect, and the unenforceable provision will be modified to the minimum extent necessary to make it enforceable.
No Waiver. Failure to enforce any provision is not a waiver of future enforcement.
Independent Contractors. The parties are independent contractors; no agency, partnership, joint venture, or employment relationship is created.
U.S. Government End Users. The Services are commercial computer software under FAR 12.212 and DFARS 227.7202; U.S. government end users acquire only the rights set forth herein.
20. Contact
Questions about these Terms: [email protected]
Service questions: [email protected]
Privacy questions: [email protected]
Effective Date: May 12, 2026 · Version: 2.0 (Bonterms-derivative) · Customer: Standard B2B
Replaces all prior versions of the Terms of Service published at ai4ciso.ai before this date.