By accessing or using the Service, you agree to be bound by these Terms of Service (“Terms”). If you do not agree with these Terms, you may not use the Service.
We may update these Terms from time to time. Material changes will be communicated by email or through the Service, and continued use after changes constitutes acceptance of the updated Terms.
1. Definitions
For purposes of these Terms:
- “CMMC” means Cybersecurity Maturity Model Certification, the U.S. Department of Defense program for verifying contractor cybersecurity practices.
- “CUI” or “Controlled Unclassified Information” has the meaning given in 32 CFR Part 2002 and refers to information requiring safeguarding or dissemination controls under applicable law, regulation, or government-wide policy.
- “DIB” or “Defense Industrial Base” means the worldwide industrial complex that enables research and development, design, production, delivery, and maintenance of military weapons systems, subsystems, and components.
- “DoD” means the United States Department of Defense.
- “DoW” means the United States Department of War, also known as the Department of Defense.
- “FAR” means the Federal Acquisition Regulation.
- “FCI” or “Federal Contract Information” has the meaning given in FAR 52.204-21 and generally includes non-public information provided by or generated for the Government under a contract.
- “NIST SP 800-171” means the National Institute of Standards and Technology Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
- “POA&M” means Plan of Action and Milestones.
- “SPRS” means the Supplier Performance Risk System used by DoD to record certain contractor assessment scores.
- “SSP” means System Security Plan.
- “C3PAO” means a CMMC Third-Party Assessment Organization authorized to conduct CMMC certification assessments.
- “Subscription” means your paid access to the Service for a 12-month term, with the option to pay annually or in 12 monthly installments.
2. Service Description
2.1 What the Service Is
The Service is an AI-powered compliance management platform that helps organizations in the Defense Industrial Base prepare for CMMC-related assessments and maintain cybersecurity documentation. It provides tools, templates, and AI-assisted workflows to support self-assessments, documentation, and tracking of cybersecurity controls.
Current features and capabilities are described on our Features page at https://confidentcompliance.ai/features, and feature availability varies by subscription tier and may change over time.
We may add, modify, or discontinue features at any time. Material reductions in core functionality for your tier will be communicated with at least 30 days' notice, and your Subscription entitles you to features available at the time of use, not to any future roadmap items.
2.2 What the Service Does Not Provide
The Service does not:
- Store, process, or transmit CUI, FCI, or classified information.
- Provide a CUI-compliant or FCI-compliant enclave or environment.
- Perform C3PAO assessments or issue certifications.
- Provide legal advice or professional cybersecurity consulting.
- Submit data directly to SPRS or any government system.
- Guarantee CMMC certification, assessment outcomes, or contract eligibility.
- Act as a Registered Provider Organization (RPO) or equivalent.
The Service helps you manage and document your compliance program; your actual sensitive data must remain in your own appropriately secured environment.
Important Clarifications:
- The Service is a metadata and management platform, not a secure document repository. Evidence files containing FCI or CUI must be stored in your own compliant environments.
- Company does not review Customer Data for FCI or CUI compliance. The burden of sanitization rests entirely on the User. You are responsible for ensuring that no FCI, CUI, or other prohibited data is uploaded to the Service.
2.3 Information Types Supported
The Service is designed to support organizations handling:
- FCI, which generally triggers CMMC Level 1 requirements.
- CUI, which generally triggers CMMC Level 2 requirements.
You are responsible for determining which information types you handle and selecting the appropriate Service tier and CMMC level.
3. Compliance Disclaimers and Responsibilities
3.1 No Guarantee of Compliance or Certification
The Service is a tool to assist with compliance preparation and documentation and does not guarantee that you will achieve CMMC certification, pass a C3PAO assessment, or meet any DoD or contractual requirements. Compliance outcomes depend on your technical implementation, governance, and the judgment of third-party assessors or government officials.
3.2 Your Responsibility for Decisions and Attestations
You acknowledge that:
- All compliance decisions, attestations, and representations to DoD, prime contractors, contracting officers, C3PAOs, or other third parties are made solely by you.
- You are responsible for verifying the accuracy and completeness of all documentation and outputs generated with or through the Service.
- Senior officials who sign affirmations in SPRS or other systems bear personal liability under the False Claims Act for inaccurate representations.
- The Service does not review, validate, or audit your actual implementation of security controls.
- AI-generated or template-based content must be reviewed by qualified personnel before use in any official submission.
3.3 False Claims Act Notice
IMPORTANT LEGAL NOTICE
Federal law, including the False Claims Act (31 U.S.C. § 3729), imposes significant penalties for false statements or claims made to the U.S. Government. Misrepresenting your CMMC status, SPRS score, or cybersecurity posture may result in civil penalties, treble damages, criminal prosecution, loss of contracts, and debarment.
The Service provides tools and guidance, but you are solely responsible for the truthfulness and accuracy of all statements made to the government or any third party. You should consult legal counsel about your specific obligations and risks.
3.4 No Legal or Professional Advice
The Service does not provide legal advice or create an attorney-client relationship. For legal questions regarding CMMC, DFARS, False Claims Act exposure, or government contracting, you must consult a qualified attorney.
The Service also does not replace professional cybersecurity consulting, penetration testing, or architecture design. For complex environments, you may need to engage a qualified RPO, CCA, or other cybersecurity professional.
3.5 FCI/CUI and Level Determinations
You are solely responsible for:
- Determining whether information you handle is FCI, CUI, or neither.
- Identifying where such data resides in your environment.
- Understanding that misclassification can create non-compliance and False Claims Act risk.
- Selecting the correct CMMC level (e.g., Level 1 if only FCI; Level 2 if any CUI).
Guidance provided by the Service is general and does not constitute a definitive determination for your specific contracts or data.
4. Account Registration and Security
To use certain features, you must create an account and provide accurate, current, and complete information. You agree to maintain the security of your credentials, notify us promptly of any unauthorized access at security@confidentcompliance.ai, and accept responsibility for all activities under your account.
You must be at least 18 years old and, if signing on behalf of an organization, have authority to bind that organization to these Terms. We may refuse service, terminate accounts, or cancel Subscriptions for violations of these Terms or other reasons at our discretion.
5. Subscription and Billing
5.1 Subscription Tiers
We offer subscription tiers tailored to different data types and organization sizes. Current pricing, features, and limits for tiers such as Level 1 (FCI only), Level 2 (CUI), and Level 2 Enterprise (multi-site) are described on our Pricing page at https://confidentcompliance.ai/pricing.
IMPORTANT: If you handle any CUI, you must select a Level 2 tier; using a Level 1 tier when you handle CUI does not satisfy your compliance obligations.
5.2 Subscription Commitment and Term
This is a 12-month Subscription commitment, billed annually or in 12 monthly installments, that auto-renews each year unless canceled at least 30 days before the end of the then-current term. Any onboarding and setup fees are non-refundable.
After the first 15 days of the initial or any renewal term, all fees for the current 12-month term are non-refundable, even if the Subscription is canceled early. If you choose monthly billing, you remain responsible for any unpaid installments for that 12-month term.
You may cancel at any time to stop the next renewal and will retain access through the end of the current 12-month term.
5.3 Billing and Payment
By subscribing, you authorize us (and our payment processor) to charge your selected payment method for Subscription fees, taxes, and any additional usage-based charges for the full 12-month commitment, including remaining monthly installments if you select monthly billing.
Payments are processed securely through Stripe, Inc., and by providing payment details you represent that you are authorized to use the payment method and agree to Stripe's terms and privacy policy. We do not store full payment card numbers on our systems.
5.4 Renewal, Cancellation, and Refunds
Your Subscription will automatically renew for successive 12-month terms unless you cancel at least 30 days before the end of the then-current term using the billing portal or by contacting us in writing.
Upon cancellation:
- You retain access to the Service through the end of the current 12-month term.
- No refunds are provided for any portion of the current term after the first 15 days.
- If you are on monthly billing, you remain responsible for all unpaid installments for that term.
- Onboarding and setup fees remain non-refundable.
We may, at our sole discretion, issue credits or partial refunds only in instances of documented billing errors or significant service outages.
5.5 Price Changes
We may change pricing with at least 30 days' notice. Price changes will apply at the next renewal term and will not alter fees already committed for the current 12-month term.
5.6 Onboarding and Setup Fees
Onboarding and setup costs for new and renewing customers are not refundable and are incurred at the time the first payment is received for a 12-month term.
Onboarding and setup costs are equivalent to two months of the customer's subscription. These fees cover initial account configuration, data migration assistance, training, and support during the implementation period.
6. Data and Information Restrictions
6.1 Prohibited Information – No FCI or CUI
The Service is NOT designed, certified, or authorized to store, process, or transmit Federal Contract Information (FCI), Controlled Unclassified Information (CUI), Classified Information, or other highly regulated data.
Regulatory Disclaimer: Our infrastructure does not meet FAR 52.204-21 requirements for FCI, nor does it meet NIST SP 800-171, CMMC Level 2, or FedRAMP standards required for CUI.
Prohibitions: You are strictly prohibited from uploading or inputting:
- FCI, CUI, or Classified Information of any level.
- Export-controlled data subject to ITAR, EAR, or similar regulations.
- Protected Health Information (PHI) under HIPAA (absent a separate BAA).
- Payment card data subject to PCI DSS.
- Sensitive PII (e.g., Social Security numbers or financial account numbers).
6.2 Permitted Content and Sanitization
The Service is intended solely for descriptive compliance management metadata, including:
- Security control descriptions, implementation status, and SSP narratives.
- Policy and procedure documents sanitized of all FCI, CUI, and Prohibited Data.
- POA&Ms, risk assessments, gap analyses, and compliance scores.
- Sanitized information about your operations and systems. Example: Sanitized network diagrams (e.g., describing segments/boundaries without including specific IP addresses, server names, or credentials).
GUIDANCE: Describe your systems and controls; do not upload the actual sensitive data those systems protect.
6.3 Your Data Obligations
You are solely responsible for:
- Ensuring no Prohibited Data is uploaded;
- Reviewing and sanitizing all documents prior to upload;
- Training all personnel on these restrictions;
- Maintaining CUI/FCI only in compliant environments you control; and
- Confirming that your government contracts permit the use of cloud-based compliance tools.
6.4 Spillage Remediation, Indemnity, and Unlimited Liability
Any upload of Prohibited Data constitutes a material breach of these Terms.
6.4.1 Spillage Notification & Handling
If Prohibited Data is uploaded, you must notify us immediately at security@confidentcompliance.ai. Upon discovery or notification, we may: (i) immediately delete such content; (ii) suspend or terminate your account without refund; and (iii) pursue all available legal remedies.
Because Company is not authorized to possess such data, our “Incident Response” is limited to the permanent erasure of data from production and backup environments.
6.4.2 Comprehensive Indemnity
Client shall indemnify, defend, and hold harmless Company, its officers, directors, and employees from and against all claims, government fines, regulatory penalties, damages, and costs (including reasonable internal and external attorney fees) arising from a Spillage Incident. This applies whether the spillage was caused by Client, its employees, subcontractors, or any third party accessing the Service via Client's account.
This indemnity specifically includes liability arising from False Claims Act (FCA) investigations, ITAR/EAR violations, or debarment proceedings resulting from Client's breach.
6.4.3 Remediation Fees
Client shall reimburse Company for all costs incurred in connection with a Spillage Incident, including:
- Internal Personnel Time: Billed at a liquidated rate of $250.00 per hour for incident response, government communication, and data verification.
- Third-Party Costs: The actual cost of forensic consultants, data destruction services, and outside legal counsel.
- Payment Terms: Invoiced fees are due and payable within fifteen (15) days.
6.4.4 UNLIMITED LIABILITY
NOTWITHSTANDING ANY “LIMITATION OF LIABILITY” OR “EXCLUSION OF DAMAGES” FOUND IN SECTION 11 OF THESE TERMS, CLIENT'S FINANCIAL AND INDEMNIFICATION OBLIGATIONS UNDER THIS SECTION 6.4 SHALL BE UNLIMITED.
Client acknowledges that a cap on liability for a Spillage Incident would be commercially unreasonable given the Service's design and the nature of the risks involved.
6.5 Security Measures and Retention
We implement commercially reasonable controls (TLS encryption, encryption at rest, secure cloud hosting). These controls are designed for general business data and do not satisfy FCI or CUI-specific requirements.
We generally retain active account data for the duration of your Subscription and delete it within 90 days after cancellation, subject to the retention of anonymized analytics data.
7. Acceptable Use
You agree not to misuse the Service, including by:
- Generating or distributing illegal, harmful, or defamatory content.
- Violating any applicable laws or regulations.
- Attempting unauthorized access, reverse engineering, or interference with the Service.
- Using bots, scrapers, or automation without permission.
- Reselling or redistributing the Service without written consent.
- Using the Service to build competing products.
In the defense context, you further agree not to misuse outputs to mislead DoD, primes, C3PAOs, auditors, or other stakeholders about your cybersecurity posture, CMMC level, SPRS score, or compliance status.
We may monitor usage and enforce these restrictions through warnings, suspension, termination, and, where appropriate, reporting to authorities.
8. User Content and Intellectual Property
You retain ownership of the content you input into the Service (“User Content”), and you grant us a license to process and store it to provide the Service and to use aggregated, anonymized data to improve the platform.
You represent that you have all necessary rights to your User Content and that it complies with these Terms and applicable law.
Content generated by AI features (“Generated Content”) is provided for your use, but may contain errors or omissions and must be reviewed and validated by qualified personnel before reliance. We do not guarantee that Generated Content is accurate, complete, current, or suitable for your specific compliance needs.
The Service, its software, and associated branding are owned by DIT4E, LLC and protected by intellectual property laws, and you may not copy, modify, distribute, or create derivative works except as expressly permitted.
9. Privacy and Data Protection
Your use of the Service is also governed by our Privacy Policy, which explains how we collect, use, and protect personal information. By using the Service, you consent to the practices described in the Privacy Policy, including any cross-border transfers where applicable.
We aim to comply with applicable data protection laws such as GDPR and CCPA, and you are responsible for your own compliance obligations as a data controller or business under those frameworks.
10. Disclaimers
The Service is provided on an “as is” and “as available” basis without warranties of any kind, express or implied, including implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
We do not warrant that the Service will be uninterrupted, error-free, or fully secure, that defects will be corrected, or that the Service will meet your specific regulatory or contract requirements at any point in time. Regulatory programs such as CMMC, NIST standards, and DFARS clauses may change, and you are responsible for monitoring official government sources for updates.
11. Limitation of Liability
11.1 Liability Cap
To the maximum extent permitted by law, in no event will DIT4E, LLC, ConfidentCompliance.ai, or iATTEST be liable for any indirect, incidental, consequential, special, or exemplary damages arising out of or relating to the Service or these Terms.
Our total aggregate liability to you for all claims will not exceed the greater of (a) the amounts you paid for the Service in the 12 months preceding the event giving rise to the claim or (b) one thousand U.S. dollars (USD $1,000).
We specifically disclaim liability for loss of contracts, failure to obtain certification, False Claims Act penalties, CUI or FCI incidents in your environment, or government or prime contractor actions based on your compliance status.
11.2 Cap on Liability
EXCEPT FOR CLIENT'S INDEMNIFICATION AND REIMBURSEMENT OBLIGATIONS UNDER SECTION 6.4 (SPILLAGE REMEDIATION, INDEMNITY, AND UNLIMITED LIABILITY), IN NO EVENT SHALL EITHER PARTY'S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT EXCEED THE GREATER OF (A) THE AMOUNTS CLIENT PAID FOR THE SERVICE IN THE 12 MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM OR (B) ONE THOUSAND U.S. DOLLARS (USD $1,000).
The limitations in this Section 11 do not apply to: (a) Client's indemnification and reimbursement obligations under Section 6.4; (b) Client's breach of Section 6 (Data and Information Restrictions); (c) Client's gross negligence or willful misconduct; or (d) any liability that cannot be excluded under applicable law.
12. Indemnification
You agree to defend, indemnify, and hold harmless DIT4E, LLC and its officers, directors, employees, contractors, and agents from any claims, damages, losses, liabilities, and expenses (including reasonable attorneys' fees) arising out of your use of the Service, your User Content, your violations of these Terms, your misrepresentations to any third party, or your upload of prohibited content.
This includes claims related to inaccurate compliance statements, misuse of Generated Content, upload of FCI, CUI or other restricted data, and government or prime contractor actions tied to your use of the Service.
13. Termination
You may terminate your account at any time via the account settings, billing portal, or by contacting support@confidentcompliance.ai. We may suspend or terminate your access immediately for violations of these Terms, non-payment, data restriction violations, or other reasons at our discretion.
Upon termination, your right to use the Service ceases, but you remain responsible for all fees owed for the current 12-month term, and certain provisions (including those on compliance disclaimers, data restrictions, limitation of liability, and indemnification) will survive.
14. Governing Law and Dispute Resolution
These Terms are governed by the laws of the Commonwealth of Virginia, without regard to conflict of law rules. Any disputes arising out of or relating to these Terms or the Service will be resolved through binding arbitration administered by the American Arbitration Association in accordance with its Commercial Arbitration Rules, held in or near Virginia Beach, Virginia, unless the parties agree otherwise.
Arbitration will proceed on an individual basis only; class, collective, or representative actions are not permitted. If the arbitration agreement is found unenforceable, disputes will be resolved exclusively in the state or federal courts located in Virginia Beach, Virginia, and you consent to such jurisdiction.
15. Service Availability
We target, but do not guarantee, 99.5% monthly uptime excluding scheduled maintenance and events beyond our reasonable control. Support response times and channels may vary by tier as described on our site, and we do not provide SLA credits; your sole remedy for prolonged unavailability is cancellation.
17. General Provisions
These Terms, together with our Privacy Policy and any incorporated policies, constitute the entire agreement between you and DIT4E, LLC regarding use of the Service and supersede all prior agreements.
If any provision is found invalid or unenforceable, it will be limited to the minimum extent necessary so that the remaining provisions remain in full force and effect. You may not assign your rights or obligations under these Terms without our prior written consent; we may assign freely.
We are not liable for failures or delays caused by events beyond our reasonable control, including but not limited to natural disasters, war, terrorism, labor disputes, or internet failures.
19. Acknowledgment
BY USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THESE TERMS, INCLUDING THE 12-MONTH SUBSCRIPTION COMMITMENT AND NON-REFUNDABILITY TERMS DESCRIBED ABOVE.
Last Updated: December 28, 2025
© 2025 DIT4E, LLC. All rights reserved.