Terms of Service
Last updated: February 2026
These Terms of Service ("Terms," "Agreement") constitute a legally binding contract between you ("Customer," "you," "your") and ComplianceHarbor ("Company," "we," "us," "our"), governing your access to and use of the ComplianceHarbor platform, APIs, documentation, and related services (collectively, the "Service") available at complianceharbor.ai. Please read these Terms carefully before using the Service.
1. Acceptance of Terms
By creating an account, accessing, or using the Service in any manner, you acknowledge that you have read, understood, and agree to be bound by these Terms, our Privacy Policy, and any additional policies referenced herein. If you are entering into this Agreement on behalf of a company, organization, or other legal entity ("Organization"), you represent and warrant that you have the authority to bind such Organization to these Terms, in which case "you" and "your" shall refer to such Organization. If you do not have such authority, or if you do not agree with these Terms, you must not accept this Agreement and may not use the Service.
You must be at least 18 years of age, or the age of legal majority in your jurisdiction, to use the Service. By using the Service, you represent and warrant that you meet this requirement.
2. Service Description
ComplianceHarbor is an external risk signal aggregation platform designed for IT change management and change advisory board (CAB) workflows. The Service provides:
- Risk Assessment Engine — Automated analysis of change requests against nineteen external intelligence sources including CISA Known Exploited Vulnerabilities (KEV), NIST National Vulnerability Database (NVD), Microsoft Security Response Center (MSRC) Patch Tuesday data, Oracle Critical Patch Updates, NOAA weather alerts, GDACS/USGS disaster alerts, SEC EDGAR filings, AlienVault OTX threat intelligence, endoflife.date product lifecycle data, Cloudflare Radar ISP and routing health, Statuspage.io developer toolchain monitoring (GitHub, NPM, PyPI, GitLab, Docker Hub), cloud service provider health dashboards (AWS, Azure, GCP), MITRE ATT&CK threat framework, compliance and regulatory calendars, domain health and certificate transparency (crt.sh, DNS, TLS), dark web exposure intelligence, vendor security ratings, supply chain risk analysis, and geopolitical risk monitoring.
- MCP Tool Interface — Forty-one Model Context Protocol (MCP) tools for AI-assisted change risk evaluation:
  assess_change_risk, get_patch_calendar, check_datacenter_weather, get_kev_exposure, get_nvd_exposure, suggest_change_windows, get_current_cyber_threat_level, check_regional_isp_health, check_toolchain_status, check_csp_health, check_software_eol, check_disaster_alerts, get_vulnerability_summary, check_regulatory_calendar, compare_change_windows, explain_risk_score, batch_assess, get_risk_trend, assess_vendor_risk, assess_risk_posture, monitor_risk, check_compliance_calendar, check_domain_health, check_dark_web_exposure, get_threat_ttp_mapping, check_vendor_security_rating, check_supply_chain_risk, check_geopolitical_risk, generate_report, tune_score_weights, and update_score_config.
- REST API — Programmatic access to all platform capabilities via authenticated API endpoints.
- Shareable Reports — HTML-based risk assessment reports with unique URLs for stakeholder distribution.
- Webhook Integrations — Inbound webhook support for ServiceNow, Jira, and generic JSON payloads.
The Service queries publicly available and third-party data sources to generate risk assessments. We do not guarantee the accuracy, completeness, timeliness, or availability of external data feeds. Risk scores and recommendations are advisory in nature and should not be the sole basis for change management decisions.
3. Account Registration & Security
To access the Service, you must create an account by providing accurate, current, and complete registration information, including a valid email address and a strong password. You agree to:
- Maintain the accuracy of your account information and update it promptly if it changes.
- Keep your password and API keys strictly confidential and not share them with unauthorized individuals.
- Accept responsibility for all activities that occur under your account, whether or not authorized by you.
- Notify us immediately at security@complianceharbor.ai upon discovering any unauthorized access to or use of your account.
- Use unique, strong passwords (minimum 8 characters) for your account.
We reserve the right to suspend or terminate accounts that we reasonably believe have been compromised, are being used in violation of these Terms, or pose a security risk to the Service or other users.
Passwords are hashed using bcrypt with appropriate cost factors. API keys are generated using cryptographically secure random values and stored as SHA-256 hashes. We never store plaintext credentials.
4. Subscription Plans & Billing
The Service is offered under the following subscription tiers, billed monthly via Stripe:
| Feature | Professional | Enterprise | Enterprise Unlimited |
|---|---|---|---|
| Monthly Price | $1,500/mo | $4,000/mo | $7,500/mo |
| Included Assessments | 500/mo | 2,500/mo | 5,000/mo |
| Overage Rate | $3.50/assessment | $2.00/assessment | $1.50/assessment |
| API Keys | 3 | 10 | Unlimited |
| Risk Monitors | 5 | 25 | Unlimited |
| MCP Tools | 41 | 41 | 41 |
| API Rate Limit | 60 req/min | 200 req/min | 600 req/min |
| Report Retention | 24 hours | 24 hours | 24 hours |
| Support | Priority email | Priority email + Dedicated onboarding |
Subscription fees are charged at the beginning of each billing cycle. Overage charges are calculated and billed at the end of each billing period based on metered usage beyond your plan's included allocation. All amounts are in U.S. dollars (USD) unless otherwise specified.
You authorize us (via our payment processor, Stripe) to charge your designated payment method for all applicable fees. If your payment method fails, we will attempt to collect payment for up to 7 days. If payment remains unsuccessful, your account may be downgraded or suspended until the outstanding balance is resolved.
All fees are non-refundable except as required by applicable law or as otherwise expressly stated in these Terms. You may cancel your subscription at any time through the customer portal or by contacting support. Upon cancellation, your access continues until the end of the current billing period, after which your account reverts to an inactive state.
5. Free Trial
New accounts are eligible for a 14-day free trial period that includes 25 assessment units. No credit card or payment method is required to activate the trial. During the trial period:
- You have full access to all Service features within the trial allocation.
- Trial accounts that exhaust all 25 assessment units will be unable to perform additional assessments until upgrading to a paid subscription plan.
- At the end of the 14-day trial period, you must subscribe to a paid plan to continue using the Service.
- Trial accounts that do not convert to a paid plan will retain read-only access to any existing reports until the standard 24-hour retention period expires.
We reserve the right to modify or discontinue the free trial offer at any time without prior notice. Free trial availability may vary by region. Each individual or Organization is limited to one free trial.
6. API Usage & Rate Limits
Access to the Service via the REST API and MCP tools is subject to rate limits as specified in your subscription plan. Rate limits are enforced on a per-API-key basis and are measured in requests per minute.
If you exceed your rate limit, the API will return HTTP 429 (Too Many Requests) responses. Persistent or deliberate rate limit abuse may result in temporary or permanent suspension of API access.
API keys are confidential credentials. You must not embed API keys in client-side code, public repositories, or any location accessible to unauthorized parties. You are responsible for all API usage associated with your keys. Compromised keys should be revoked immediately via the customer portal, and a new key generated.
We reserve the right to adjust rate limits with 30 days' prior notice. Emergency rate limit reductions may be applied without notice to protect the stability and security of the Service.
7. Acceptable Use Policy
You agree to use the Service only for lawful purposes and in accordance with these Terms. You shall not, and shall not permit any third party to:
- Reverse-engineer, decompile, disassemble, or attempt to derive the source code, algorithms, or underlying architecture of the Service.
- Use the Service to build, train, or improve a competing product or service, whether directly or indirectly.
- Share, resell, sublicense, or transfer your API keys or account access to unauthorized third parties.
- Intentionally circumvent, disable, or interfere with rate limits, authentication mechanisms, or other security features of the Service.
- Submit deliberately malformed, oversized, or malicious requests designed to disrupt, degrade, or deny service to other users.
- Use the Service to store, transmit, or process any content that is unlawful, defamatory, obscene, or that infringes on the intellectual property rights of others.
- Attempt to gain unauthorized access to the Service, other user accounts, or the underlying infrastructure (including servers, networks, and databases).
- Use automated tools (bots, scrapers, crawlers) to access the Service in a manner that exceeds reasonable usage patterns or circumvents rate limits.
- Use the Service in any manner that could damage, disable, overburden, or impair the Service or interfere with any other party's use of the Service.
Violation of this Acceptable Use Policy may result in immediate suspension or termination of your account without notice or refund.
8. Intellectual Property
The Service, including all software, APIs, documentation, user interfaces, designs, trademarks, logos, and content created by us (collectively, "Company IP"), is and remains the exclusive property of ComplianceHarbor and its licensors. These Terms do not grant you any right, title, or interest in the Company IP except for the limited right to use the Service as expressly permitted herein.
You retain all rights to the data you submit to the Service ("Customer Data"), including change request details, configuration parameters, and organizational information. By submitting Customer Data, you grant us a limited, non-exclusive, worldwide license to process such data solely for the purpose of providing the Service to you.
Risk assessment outputs, scores, and reports generated by the Service ("Output Data") are derivative works produced from your Customer Data and publicly available intelligence sources. You are granted a non-exclusive, non-transferable license to use, copy, and distribute Output Data for your internal business purposes and to share reports via the Service's built-in sharing functionality.
Feedback, suggestions, or ideas you provide regarding the Service ("Feedback") may be used by us without restriction or obligation to you. You hereby assign to us all rights in any Feedback.
9. Data Processing & Retention
We process Customer Data in accordance with our Privacy Policy and applicable data protection laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA/CPRA).
Our data retention practices are as follows:
- Assessment Data: Risk assessment results, including submitted change details and generated reports, are retained for 24 hours following generation and then automatically and permanently purged from our systems.
- Account Data: Account registration information (email, hashed password, organization name) is retained for the duration of your active subscription.
- Post-Cancellation: Upon account cancellation or termination, we retain account data for 30 days to facilitate potential reactivation, after which it is permanently deleted.
- Billing Records: Transaction records and invoices are retained for 7 years as required by applicable tax and financial regulations.
- Audit Logs: API access logs and authentication events are retained for 90 days for security monitoring purposes.
For Enterprise and Enterprise Unlimited customers requiring a formal Data Processing Agreement (DPA), please contact legal@complianceharbor.ai.
10. Confidentiality
"Confidential Information" means any non-public information disclosed by either party to the other in connection with the Service, including but not limited to: business plans, technical data, API keys, assessment results, pricing information, customer lists, and trade secrets.
Each party agrees to: (a) hold the other party's Confidential Information in strict confidence; (b) not disclose Confidential Information to any third party except as necessary to perform obligations under this Agreement and only to individuals bound by confidentiality obligations at least as protective as those herein; and (c) use Confidential Information solely for the purposes of this Agreement.
Confidentiality obligations do not apply to information that: (i) is or becomes publicly available through no fault of the receiving party; (ii) was rightfully known to the receiving party prior to disclosure; (iii) is independently developed without reference to the disclosing party's Confidential Information; or (iv) is required to be disclosed by law, regulation, or court order, provided the receiving party gives reasonable prior notice to the disclosing party.
11. Warranties & Disclaimers
We warrant that: (a) the Service will perform materially in accordance with the applicable documentation; (b) we will provide the Service using commercially reasonable care and skill; and (c) to our knowledge, the Service does not infringe any third-party intellectual property rights.
Disclaimer
EXCEPT FOR THE EXPRESS WARRANTIES SET FORTH ABOVE, THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE. WE SPECIFICALLY DISCLAIM ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. WE DO NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED, ERROR-FREE, SECURE, OR FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS.
WE DO NOT WARRANT THE ACCURACY, COMPLETENESS, OR RELIABILITY OF ANY RISK ASSESSMENTS, SCORES, OR RECOMMENDATIONS GENERATED BY THE SERVICE. EXTERNAL DATA SOURCES QUERIED BY THE SERVICE ARE MAINTAINED BY THIRD PARTIES, AND WE HAVE NO CONTROL OVER THEIR AVAILABILITY, ACCURACY, OR TIMELINESS. RISK ASSESSMENTS ARE ADVISORY IN NATURE AND SHOULD NOT REPLACE PROFESSIONAL JUDGMENT IN CHANGE MANAGEMENT DECISIONS.
12. Limitation of Liability
Exclusion of Consequential Damages
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL EITHER PARTY BE LIABLE TO THE OTHER FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO DAMAGES FOR LOST PROFITS, LOST REVENUE, LOSS OF DATA, LOSS OF BUSINESS OPPORTUNITIES, COST OF PROCUREMENT OF SUBSTITUTE SERVICES, OR BUSINESS INTERRUPTION, REGARDLESS OF THE THEORY OF LIABILITY (CONTRACT, TORT, STRICT LIABILITY, OR OTHERWISE) AND EVEN IF SUCH PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Aggregate Liability Cap
EXCEPT FOR OBLIGATIONS ARISING FROM SECTION 7 (ACCEPTABLE USE POLICY) OR SECTION 13 (INDEMNIFICATION), EACH PARTY'S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT SHALL NOT EXCEED THE TOTAL AMOUNTS PAID BY CUSTOMER TO COMPANY DURING THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM. FOR FREE TRIAL USERS, THE AGGREGATE LIABILITY CAP SHALL BE ONE HUNDRED U.S. DOLLARS ($100).
The limitations in this section apply regardless of whether any limited remedy specified in these Terms fails of its essential purpose. Some jurisdictions do not allow the exclusion or limitation of certain damages; in such jurisdictions, the above limitations shall apply to the maximum extent permitted by law.
13. Indemnification
By Customer: You agree to indemnify, defend, and hold harmless ComplianceHarbor, its officers, directors, employees, agents, and affiliates from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or related to: (a) your use of the Service in violation of these Terms; (b) your violation of any applicable law or regulation; (c) your violation of any third-party rights; or (d) any Customer Data you submit to the Service.
By Company: We will indemnify, defend, and hold harmless Customer from and against any third-party claim that the Service, as provided by us, infringes any U.S. patent, copyright, or trademark, provided that Customer: (a) promptly notifies us in writing of the claim; (b) grants us sole control of the defense and settlement; and (c) provides reasonable cooperation at our expense. If the Service becomes the subject of an infringement claim, we may, at our option and expense: (i) obtain the right for you to continue using the Service; (ii) modify the Service to make it non-infringing; or (iii) terminate the affected portion of the Service and refund any prepaid fees for the unused subscription period.
14. Term & Termination
Term: This Agreement commences on the date you first access or use the Service and continues until terminated in accordance with this section.
Termination by Customer: You may terminate this Agreement at any time by canceling your subscription through the customer portal and ceasing all use of the Service. Your access continues until the end of the current billing period.
Termination by Company: We may terminate or suspend your access to the Service immediately, without prior notice or liability, if: (a) you breach any provision of these Terms; (b) you fail to pay applicable fees within 7 days of the due date; (c) your use of the Service poses a security risk to the Service or any third party; or (d) we are required to do so by law or regulation.
Effect of Termination: Upon termination: (a) your right to access and use the Service immediately ceases (or at the end of the billing period for customer-initiated cancellations); (b) all outstanding fees become immediately due and payable; (c) we will delete your Customer Data within 30 days following termination, except as required by law; (d) provisions that by their nature should survive termination shall survive, including Sections 8, 10, 11, 12, 13, 15, and 16.
15. Governing Law & Dispute Resolution
Governing Law: This Agreement shall be governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to its conflict-of-law principles.
Informal Resolution: Before initiating any formal dispute resolution proceedings, you agree to first contact us at legal@complianceharbor.ai and attempt to resolve the dispute informally within 30 days.
Arbitration: Any dispute, claim, or controversy arising out of or relating to this Agreement that cannot be resolved informally shall be resolved by binding arbitration administered by the American Arbitration Association (AAA) under its Commercial Arbitration Rules. The arbitration shall be conducted in English, and the seat of arbitration shall be Wilmington, Delaware. The arbitrator's award shall be final and binding and may be entered as a judgment in any court of competent jurisdiction.
Class Action Waiver: YOU AND COMPANY AGREE THAT EACH MAY BRING CLAIMS AGAINST THE OTHER ONLY IN YOUR OR ITS INDIVIDUAL CAPACITY, AND NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY PURPORTED CLASS, CONSOLIDATED, OR REPRESENTATIVE PROCEEDING.
Injunctive Relief: Notwithstanding the foregoing, either party may seek injunctive or other equitable relief in any court of competent jurisdiction to prevent the actual or threatened infringement, misappropriation, or violation of a party's intellectual property rights or Confidential Information.
16. Force Majeure
Neither party shall be liable for any failure or delay in performing its obligations under this Agreement (other than payment obligations) to the extent such failure or delay results from circumstances beyond the party's reasonable control, including but not limited to: acts of God, natural disasters, pandemics, epidemics, war, terrorism, riots, civil unrest, government actions or orders, labor disputes, power failures, internet or telecommunications outages, cyberattacks, failures of third-party service providers, or disruptions to upstream data sources relied upon by the Service.
The affected party shall: (a) promptly notify the other party of the force majeure event; (b) use commercially reasonable efforts to mitigate its effects; and (c) resume performance as soon as reasonably practicable. If a force majeure event continues for more than 60 consecutive days, either party may terminate this Agreement upon 15 days' written notice.
17. Modifications to Terms
We reserve the right to modify these Terms at any time. For material changes — including changes to pricing, liability limitations, or dispute resolution provisions — we will provide at least 30 days' prior notice via email to the address associated with your account and/or through a prominent notification within the Service.
Non-material changes (such as typographical corrections, formatting updates, or clarifications that do not alter your rights or obligations) may take effect immediately upon posting.
Your continued use of the Service after the effective date of any material changes constitutes acceptance of the modified Terms. If you do not agree to the modified Terms, you must discontinue use of the Service and cancel your subscription before the changes take effect.
We will maintain an archive of previous versions of these Terms, available upon request at legal@complianceharbor.ai.
18. Severability
If any provision of this Agreement is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction, such provision shall be modified to the minimum extent necessary to make it valid, legal, and enforceable while preserving the original intent of the parties. If modification is not possible, the provision shall be severed from this Agreement. The invalidity or unenforceability of any provision shall not affect the validity or enforceability of the remaining provisions, which shall continue in full force and effect.
19. Entire Agreement
This Agreement, together with the Privacy Policy and any Order Forms, Statements of Work, or Data Processing Agreements executed between the parties, constitutes the entire agreement between you and ComplianceHarbor with respect to the subject matter hereof and supersedes all prior and contemporaneous understandings, agreements, representations, and warranties, both written and oral, with respect to such subject matter.
No waiver of any provision of these Terms shall be effective unless made in writing and signed by the waiving party. A party's failure to enforce any right or provision of these Terms shall not constitute a waiver of such right or provision. No amendment to these Terms shall be effective unless made in accordance with Section 17.
20. Assignment
You may not assign or transfer this Agreement, by operation of law or otherwise, without our prior written consent. Any attempted assignment without consent shall be null and void. We may assign this Agreement freely in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of our assets, provided that the assignee agrees to be bound by the terms of this Agreement. Subject to the foregoing, this Agreement binds and inures to the benefit of the parties, their successors, and permitted assigns.
21. Contact Information
For questions, concerns, or notices related to these Terms of Service, please contact us through the following channels:
ComplianceHarbor
Email: legal@complianceharbor.ai
Support: support@complianceharbor.ai
Security Issues: security@complianceharbor.ai
Website: https://complianceharbor.ai
We aim to respond to all inquiries within 2 business days. For urgent security matters, please include "URGENT" in your email subject line.