Legal · Terms of Service

Terms of Service

Effective June 12, 2026 · Version 2.0 · Bonterms-derivative

Bonterms-derivative. These Terms of Service incorporate standard B2B protections substantially modeled on the Bonterms Cloud Terms framework (CC-licensed, peer-reviewed by technology counsel). Customer-protective clauses (security warranties, data portability, indemnification, audit rights) are included. ElasticD3M, LLC has adapted this to its product set; this document does not constitute legal advice and Customer should consult its own counsel for material decisions.

1. Acceptance and Scope

These Terms of Service (the "Terms") constitute a binding agreement between ElasticD3M, LLC, a Texas limited liability company with a registered address at 7700 Broadway St, Ste 104 PMB1083, San Antonio, TX 78209 ("Provider", "we", "us"), and the entity or person identified during account creation, intake, or Stripe checkout ("Customer", "you"). By purchasing AIR™ (Automated Incident Response), submitting the AIR™ intake, or otherwise using the Services, Customer accepts these Terms.

If Customer is using the Services on behalf of an organization, Customer represents that it has authority to bind that organization, and references to "Customer" mean that organization. These Terms apply to all Services described at ai4air.pages.dev, including the AIR™ deliverable, a one-time engagement. There are no subscriptions offered at ai4air.pages.dev.

2. Definitions

3. Services Description

Provider operates AIR™ (Automated Incident Response), an Agent-as-a-Service incident response readiness product. From Customer's intake responses (a 16-question form; no cloud connections, no telemetry), the Services generate a single PDF deliverable containing: an incident response readiness assessment grounded in NIST CSF 2.0 subcategories consistent with NIST SP 800-61r3; an incident response plan covering roles, severity levels, activation criteria, communication order, and evidence rules; six scenario playbooks; a regulatory notification matrix with citations; a tabletop exercise kit; and a 30/60/90 remediation roadmap. The deliverable is emailed to Customer within hours of intake submission. Provider provides readiness software. Provider is not a law firm and does not provide legal advice; Provider is not a forensic investigator, insurance broker, or regulator. The deliverable, including its notification matrix and any deadlines stated in it, must be confirmed with Customer's counsel before reliance.

4. Account Terms

Customer is responsible for maintaining the security of any credentials it uses to access the Services and for all activity that occurs under its account. Customer must notify Provider promptly (at agents@ai4ciso.ai) of any unauthorized access. Customer must provide accurate and current information at intake and during account use.

5. Fees and Payment

AIR™ is a one-time charge of $1,495 (USD), processed at the time of order through Stripe. There are no subscriptions and no recurring charges on this site. All fees are non-refundable except as set forth in Provider's Cancellation Policy.

No Free Trial. There is no free trial. The one-time $1,495 fee is charged immediately at checkout. No card is stored by Provider; Stripe processes the payment.

Subscription Credit. If Customer purchases an Aegis AI™ subscription (a separate ElasticD3M, LLC product sold at ai4ciso.ai, under its own terms) within 30 days of the AIR™ purchase, Provider will credit the full $1,495 AIR™ fee against the first subscription month. The credit is applied once, is not transferable, and has no cash value.

Provider may adjust pricing prospectively at any time. Price adjustments do not apply to an Engagement already purchased.

6. Cancellation and Refunds

AIR™ is a one-time engagement. The fee is refundable in full if Customer requests cancellation in writing, by email to agents@ai4ciso.ai, before the deliverable PDF has been emailed to Customer. Once the deliverable has been delivered to Customer's inbox, the Engagement is complete and the fee is non-refundable. The Cancellation Policy governs.

7. Acceptable Use

Customer's use of the Services is governed by the Acceptable Use Policy. Without limiting the AUP, Customer agrees not to: (a) reverse engineer, decompile, or disassemble any part of the Services; (b) use the Services to develop a competing product; (c) interfere with the integrity or performance of the Services; (d) use the Services in violation of applicable law, including export control laws; or (e) submit regulated payload contents (PHI, cardholder data, GDPR Article 9 special categories) to the Services; the intake form is designed to collect business and security-program information, not regulated data contents.

8. Customer Data and Confidentiality

Customer retains all rights, title, and interest in Customer Data. Customer grants Provider a non-exclusive, worldwide, royalty-free license to use, store, process, and display Customer Data solely to provide the Services and as otherwise permitted by these Terms and the Privacy Notice. Provider's processing of Personal Data (as defined in the Data Processing Addendum) is governed by the DPA, which is incorporated into these Terms by reference.

Each party will hold the other's Confidential Information in confidence and will not disclose it except to its employees, contractors, and advisors who have a need to know and who are bound by confidentiality obligations no less protective than those in these Terms.

9. Security Warranties

Provider warrants that it will: (a) maintain industry-standard administrative, physical, and technical safeguards designed to protect Customer Data, including encryption at rest (AES-GCM or stronger) and in transit (TLS 1.2 or stronger); (b) restrict access to Customer Data to personnel with a need to know; (c) implement least-privilege access controls for production systems; (d) notify Customer of any confirmed Personal Data Breach affecting Customer's data within seventy-two (72) hours of confirmation, as required by the DPA; and (e) maintain a documented incident response plan.

The Services do not connect to Customer's cloud services or internal systems and do not require credentials, API tokens, or access roles of any kind. The only Customer input is the intake form. Customer may request deletion of its intake responses at any time as described in the DPA.

10. Intellectual Property

Provider retains all rights, title, and interest in the Services, including all related intellectual property rights. Customer's use of the Services does not transfer any ownership rights. Customer may use the deliverable (readiness assessment, incident response plan, scenario playbooks, notification matrix, tabletop exercise kit, remediation roadmap) for its own internal purposes, including providing it to counsel, insurers, regulators, customers, auditors, and partners in connection with due diligence and contract performance. The deliverable may not be resold or distributed to third parties for compensation without Provider's written consent.

11. Disclaimers

EXCEPT FOR THE EXPRESS WARRANTIES IN SECTION 9, THE SERVICES ARE PROVIDED "AS IS" AND "AS AVAILABLE." PROVIDER DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND TITLE. PROVIDER DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, ERROR-FREE, OR THAT ALL DEFECTS WILL BE CORRECTED.

Readiness Disclaimer. The Services support Customer's incident response readiness. ElasticD3M, LLC provides readiness software; it is not a law firm and does not provide legal advice, and it is not a forensic investigator, insurance broker, or regulator. The deliverable, including its regulatory notification matrix and any deadlines stated in it, must be confirmed with Customer's counsel before reliance. Provider does not guarantee that Customer will detect, prevent, or recover from any incident, or achieve any particular regulatory outcome. Outcomes depend on factors outside Provider's control, including the accuracy of information Customer provides at intake and the completeness of Customer's own implementation work. The Services are decision-support tools; the final accountability for incident response remains with Customer.

12. Indemnification

Mutual Indemnification. Each party will defend the other against any third-party claim arising from the defending party's: (a) gross negligence or willful misconduct; (b) infringement of a third party's intellectual property rights through that party's own materials (Provider's Services or Customer Data, respectively); or (c) breach of these Terms. The indemnified party will: (i) promptly notify the indemnifying party of any covered claim; (ii) give the indemnifying party reasonable control of the defense and settlement; and (iii) provide reasonable cooperation at the indemnifying party's expense.

Provider IP Infringement Remedy. If Customer's use of the Services is enjoined or claimed to infringe a third party's intellectual property rights, Provider may, at its option and expense: (i) procure for Customer the right to continue using the Services; (ii) replace or modify the Services so they no longer infringe; or (iii) terminate the affected portion of the Services and refund any prepaid fees attributable to the affected period.

13. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW, NEITHER PARTY WILL BE LIABLE TO THE OTHER FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR FOR LOST PROFITS, REVENUES, DATA, OR BUSINESS OPPORTUNITIES, ARISING OUT OF OR RELATING TO THESE TERMS OR THE SERVICES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

EACH PARTY'S TOTAL CUMULATIVE LIABILITY UNDER THESE TERMS WILL NOT EXCEED THE GREATER OF: (A) THE FEES PAID OR PAYABLE BY CUSTOMER TO PROVIDER IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM, OR (B) ONE HUNDRED THOUSAND DOLLARS ($100,000 USD).

Exclusions. The limitations in this Section 13 do not apply to: (i) either party's indemnification obligations under Section 12; (ii) Customer's payment obligations; (iii) either party's gross negligence or willful misconduct; or (iv) breaches of confidentiality obligations.

14. Term and Termination

These Terms remain in effect for so long as Customer has an active account or any unpaid balance. Either party may terminate these Terms for material breach by the other if the breach is not cured within thirty (30) days after written notice. Either party may terminate immediately upon the other party's bankruptcy or insolvency.

Upon termination: (a) any in-progress Engagement concludes as provided in the Cancellation Policy; (b) Provider will, at Customer's written request made within thirty (30) days after termination, return or delete Customer Data in accordance with the DPA; and (c) provisions that by their nature should survive termination (including Sections 8, 10, 11, 12, 13, 15, 15A, 16, 17, 18, and 19) will survive.

15. Modifications

Provider may modify these Terms or the Services from time to time. For material modifications adverse to Customer's rights, Provider will provide at least thirty (30) days' prior notice via email or in-platform notice. Customer's continued use of the Services after a modification effective date constitutes acceptance of the modification. Modifications do not retroactively change the terms applicable to an Engagement already purchased.

15A. Trade Compliance (OFAC, Export Controls, Sanctions)

Customer represents and warrants that (a) Customer and its principals are not listed on the OFAC SDN, SSI, or any other U.S. government denied-party list; (b) Customer is not located in or organized under the laws of a country or region subject to a comprehensive U.S. embargo (currently Cuba, Iran, North Korea, Syria, Crimea, Donetsk, and Luhansk); (c) Customer will not use the Services in violation of U.S. export-control laws (Export Administration Regulations / International Traffic in Arms Regulations) or sanctions regulations administered by the U.S. Treasury Office of Foreign Assets Control. Breach of this Section 15A permits ElasticD3M, LLC to suspend or terminate the Services immediately, without refund of fees previously paid. Customer agrees to notify Provider at legal@elasticd3m.com promptly if Customer's eligibility status changes during the term.

16. Governing Law and Venue

These Terms are governed by the laws of the State of Texas, United States, without regard to conflict-of-laws principles. The exclusive venue for any dispute arising under these Terms is the state or federal courts located in Bexar County, Texas, and each party consents to personal jurisdiction in those courts.

17. Dispute Resolution and Arbitration

The parties will first attempt to resolve any dispute through good-faith negotiations between business leaders. If unresolved after thirty (30) days, either party may refer the dispute to binding arbitration administered by JAMS under its Streamlined Arbitration Rules, conducted in San Antonio, Texas, in English, before a single arbitrator. Each party bears its own attorneys' fees; arbitration costs are split equally. Judgment on the arbitration award may be entered in any court of competent jurisdiction.

Class-Action Waiver. Each party waives any right to participate in a class, collective, or representative action against the other arising out of these Terms or the Services. Disputes must be brought on an individual basis only.

Notwithstanding the foregoing, either party may seek injunctive or equitable relief in court for breach of intellectual property rights or confidentiality obligations.

18. Force Majeure

Neither party will be liable for any delay or failure to perform (except for payment obligations) due to causes beyond its reasonable control, including acts of God, war, terrorism, civil unrest, government action, internet or utility outages, cyberattacks affecting upstream infrastructure, pandemics, or natural disasters. The affected party will notify the other party promptly and use reasonable efforts to resume performance.

19. General Provisions

Notices. Notices to Provider must be sent to legal@elasticd3m.com with a copy to Provider's registered address. Notices to Customer will be sent to the email address on file. Notices are effective on receipt by email.

Assignment. Neither party may assign these Terms without the other's prior written consent, except that either party may assign these Terms in connection with a merger, acquisition, or sale of substantially all of its assets, provided the assignee assumes all obligations.

Entire Agreement. These Terms, together with the Privacy Notice, DPA, AUP, SLA, Cancellation Policy, and the Subprocessors List, constitute the entire agreement between the parties and supersede all prior agreements and understandings.

Severability. If any provision of these Terms is held unenforceable, the remaining provisions remain in effect, and the unenforceable provision will be modified to the minimum extent necessary to make it enforceable.

No Waiver. Failure to enforce any provision is not a waiver of future enforcement.

Independent Contractors. The parties are independent contractors; no agency, partnership, joint venture, or employment relationship is created.

U.S. Government End Users. The Services are commercial computer software under FAR 12.212 and DFARS 227.7202; U.S. government end users acquire only the rights set forth herein.

20. Contact

Questions about these Terms: legal@elasticd3m.com
Service questions: agents@ai4ciso.ai
Privacy questions: privacy@elasticd3m.com

Effective Date: June 12, 2026 · Version: 2.0 (Bonterms-derivative) · Customer: Standard B2B
Replaces all prior versions of the Terms of Service published at ai4air.pages.dev before this date.

Terms of Service Privacy Notice DPA AUP SLA Subprocessors Cancellation
ElasticD3M, LLC · 7700 Broadway St, Ste 104 PMB1083 · San Antonio, TX 78209 · United States · agents@ai4ciso.ai