Terms of Service

Effective Date: April 22, 2026 Last Updated: May 13, 2026

1. Acceptance of These Terms

1.1 Binding Agreement. These Terms of Service (the "Terms") are a binding legal agreement between Vindicara, Inc., a California corporation with its principal place of business at 696 S New Hampshire Ave, Los Angeles, CA 90005, United States ("Vindicara," "we," "us," or "our") and the individual or entity accessing or using the Services described below (the "Customer," "you," or "your"). By accessing the website at https://vindicara.io (the "Site"), downloading, installing, or using the open-source projectair Python package distributed on PyPI and GitHub (the "OSS Software"), creating an account on AIR Cloud, executing a Vindicara Enterprise subscription or service order, or otherwise using any Service (defined below), you acknowledge that you have read, understood, and agree to be bound by these Terms.

1.2 Capacity. You represent that (a) you are at least eighteen (18) years old, (b) you have the legal capacity to enter into binding contracts under the laws of your jurisdiction, and (c) if you accept these Terms on behalf of an entity, you have authority to bind that entity, in which case "you" refers to that entity.

1.3 No Acceptance. If you do not agree to any provision of these Terms, you must not access the Site, download or use the OSS Software, subscribe to AIR Cloud, or use any Service. Continued use after a change to these Terms constitutes acceptance of the revised Terms.

1.4 Other Agreements. Certain Services (Enterprise, custom integrations, professional services) may be governed by a separate written agreement between Vindicara and you (a "Master Services Agreement," "Enterprise Agreement," or "Order Form"). To the extent of a conflict between those separate agreements and these Terms, the separate agreement controls for the Services covered by it.

2. Definitions

2.1 "Services" means, collectively, (a) the Site; (b) the OSS Software; (c) the AIR Cloud hosted offering (the "Team Tier"); (d) the AIR Enterprise offering (the "Enterprise Tier"); (e) any documentation, tutorials, blog content, or technical content published under the Vindicara or Project AIR™ name; and (f) any related tools, APIs, or deliverables Vindicara may make available from time to time.

2.2 "Intent Capsule" means a signed forensic record in the AgDR format written by the OSS Software for an agent action.

2.3 "Customer Data" means any data, content, records, files, configurations, traces, or other information that Customer or Customer's authorized users upload to, transmit to, or generate within the Services, including agent traces, signed Intent Capsule chains, agent registries, payloads, tool arguments and outputs, prompts, LLM responses, and forensic reports.

2.4 "Personal Data" has the meaning given in the Privacy Policy and the applicable data protection laws of your jurisdiction.

2.5 "Documentation" means the official documentation Vindicara publishes at https://vindicara.io, in the Project AIR™ GitHub repository, and in the admissibility architecture document at https://vindicara.io/admissibility/.

2.6 "Intellectual Property Rights" means all rights under patent law, copyright law, trademark law, trade-secret law, moral rights law, and all other rights of a similar nature, worldwide, whether registered or unregistered.

3. Description of the Services

3.1 OSS Software. The projectair Python package, including the air command-line interface and the airsdk Python library, is published on PyPI and GitHub under the terms of the MIT License (see the LICENSE file in the repository). Your use of the OSS Software is governed primarily by the MIT License. These Terms apply to the extent they do not conflict with the MIT License, and in the event of any conflict with respect to use of the OSS Software, the MIT License controls.

3.2 Team Tier (AIR Cloud). A hosted, subscription-based service that provides incident dashboards, SIEM export integrations, alerting, shared agent-registry management, cloud retention, and cross-trace correlation. Access to the Team Tier is governed by these Terms and any applicable Order Form.

3.3 Enterprise Tier. Offered under a separately negotiated Master Services Agreement. The Enterprise Tier may include single-tenant or VPC deployment, SSO/SAML/RBAC, compliance evidence packaging, insurance-carrier integrations, dedicated incident-response contact, service-level agreements (SLAs), business associate agreements (BAAs) where applicable, and other enterprise features. Enterprise customers should refer to their executed Master Services Agreement for the terms of service.

3.4 Beta / Pre-Release Features. Vindicara may offer certain Services or features on a beta, alpha, preview, or early-access basis ("Beta Services"). Beta Services are provided on an "AS-IS" and "AS-AVAILABLE" basis, without any warranty whatsoever, may be discontinued at any time without notice, and are subject to additional restrictions Vindicara may communicate at the time of access. The Team Tier (AIR Cloud) is currently offered as a closed beta to design partners, and any closed-beta features are Beta Services under this Section 3.4.

3.5 Documentation and Content. All documentation, blog posts, whitepapers (including the Admissibility by Design architecture document), and other publications on the Site are provided for informational purposes only. They are not legal, financial, medical, tax, engineering, or professional advice.

4. Eligibility and Restrictions on Use

4.1 Geographic Restrictions. You may not access or use the Services if you are located in, a resident of, or ordinarily resident in any jurisdiction subject to comprehensive sanctions administered or enforced by the United States Office of Foreign Assets Control ("OFAC"), the European Union, the United Kingdom, or the United Nations Security Council, including (as of the date of these Terms) Cuba, Iran, North Korea, Syria, the Crimea and Donetsk/Luhansk regions of Ukraine, and any other jurisdiction designated as comprehensively sanctioned from time to time. You may not access or use the Services if you are on any denied-parties, sanctioned-parties, or restricted-persons list maintained by any governmental authority of the foregoing jurisdictions. You represent and warrant that you are not such a person.

4.2 Prohibited Uses. You must not:

(a) Use the Services to violate any applicable law, regulation, or court order, including U.S. export-control laws, sanctions regimes, data-protection laws, and laws prohibiting unauthorized access to computer systems;

(b) Use the Services to generate, host, or distribute material that infringes the intellectual property rights of any third party, including trademark, copyright, or trade-secret rights;

(c) Reverse engineer, decompile, disassemble, or attempt to discover the source code of any closed-source component of the Services, except to the extent such restriction is prohibited by applicable law and then only to the minimum extent required;

(d) Remove, obscure, alter, or falsify any proprietary notice, including copyright, trademark, or other Intellectual Property Rights notices, affixed to or contained in the Services or the OSS Software;

(e) Interfere with, disrupt, or attempt to gain unauthorized access to the Services, other users' accounts, or the underlying systems, networks, or infrastructure;

(f) Use the Services to develop, test, deploy, or operate any product or service that competes directly with the Services (this restriction does not apply to use of the OSS Software, which is governed solely by the MIT License);

(g) Resell, sublicense, or commercially exploit access to the Services without Vindicara's prior written consent, except as permitted for the OSS Software under the MIT License;

(h) Use the Services to process data in violation of any applicable data-protection law, including by uploading Personal Data you are not authorized to process;

(i) Misrepresent the forensic records, Intent Capsules, or detector findings produced by the Services, including by tampering with signed chains, producing counterfeit Intent Capsules, or representing Vindicara-produced content as having been signed or verified when it was not;

(j) Claim or imply that Vindicara or Project AIR™ is certified, endorsed, or accredited by any standards body, regulator, court, or accreditation authority except where Vindicara has published a specific certification and such certification is current;

(k) Use the Services or Vindicara trademarks in any manner that is false, defamatory, misleading, or likely to cause public confusion about the source, sponsorship, or approval of any third-party product or service.

4.3 High-Risk Use Restrictions. The Services are general-purpose developer and security tools. They are not designed, tested, or certified for use in environments where a failure of the Services could directly cause death, personal injury, severe environmental damage, or catastrophic financial loss. You are solely responsible for determining whether the Services are appropriate for your use case. You must not use the Services in any application or decision-making process that would require certification under (without limitation) medical-device regulations, aviation-safety regulations, nuclear-facility regulations, life-support-system regulations, or financial-trading-authority regulations, unless you have independently validated that the Services meet the regulatory requirements for such use.

5. Account Registration (Team and Enterprise Tiers)

5.1 Account Information. To access the Team or Enterprise Tier, you must register for an account. You agree to provide accurate, current, and complete information during registration and to keep it accurate. You are responsible for all activities that occur under your account.

5.2 Credentials and Security. You are responsible for maintaining the confidentiality of your account credentials (passwords, API keys, signing keys, personal access tokens). You must not share credentials with unauthorized persons. You must notify Vindicara immediately upon becoming aware of any unauthorized access to or use of your account. Vindicara is not liable for losses arising from your failure to safeguard your credentials.

5.3 Authorized Users. If you purchase a multi-seat Team or Enterprise Tier subscription, you may grant access to your employees, contractors, and other authorized users ("Authorized Users"). You are responsible for all acts and omissions of your Authorized Users, and any reference to "you" or "Customer" in these Terms includes your Authorized Users with respect to their use of the Services.

5.4 Agent Identities. To enable Project AIR's Zero-Trust-for-agents enforcement (ASI03, ASI10), you may declare one or more software "agents" in an agent registry. Each declared agent is a Customer-controlled construct; Vindicara does not verify, validate, or audit the authenticity of any agent declared in your registry. You are responsible for the accuracy and maintenance of your agent registry, including rotating signing keys, removing decommissioned agents, and ensuring that declared privilege tiers match operational authorization.

6. License Grants

6.1 OSS Software. Your license to the OSS Software is the MIT License included in the projectair distribution. Nothing in these Terms restricts your rights under the MIT License with respect to the OSS Software. In the event of any conflict between these Terms and the MIT License as applied to the OSS Software, the MIT License controls.

6.2 Team Tier License (Proprietary, Hosted). Subject to your compliance with these Terms and payment of any applicable fees, Vindicara grants you a limited, non-exclusive, non-transferable, non-sublicensable license during your subscription term to access and use the Team Tier solely for your internal business purposes. This license does not grant you any right to copy, modify, distribute, or reverse-engineer the Team Tier software or infrastructure.

6.3 Enterprise License. The Enterprise Tier license is as set forth in your Master Services Agreement.

6.4 Feedback License. If you provide Vindicara with feedback, suggestions, feature requests, bug reports, or similar input regarding the Services ("Feedback"), you grant Vindicara a perpetual, irrevocable, worldwide, royalty-free, non-exclusive license to use the Feedback for any purpose, without obligation to you. You represent that the Feedback does not contain Personal Data of any person other than yourself or confidential information of any third party.

6.5 Trademarks. "Vindicara" and "Project AIR™" are trademarks of Vindicara, Inc. No trademark license is granted under these Terms. You may reference these trademarks for factual descriptive purposes (e.g., "we use Project AIR™ to generate forensic records") but you may not use them in a manner that implies endorsement, certification, partnership, or sponsorship by Vindicara unless Vindicara has specifically agreed to such use in writing. You may not register or attempt to register any Vindicara trademark or any confusingly similar mark in any jurisdiction. The Project AIR™ logo and brand guidelines, when published, must be followed for any permitted use.

7. Intellectual Property Rights

7.1 Vindicara's Rights. As between the parties, Vindicara owns and retains all right, title, and interest in and to the Services, the Site, the Documentation, all underlying software, algorithms, detector logic, detection patterns, cryptographic schemes, the AgDR-format-compatible Intent Capsule implementation, the air CLI, the airsdk library, the Project AIR™ name, the Vindicara name, all logos, designs, trade dress, and all Intellectual Property Rights therein. Except as expressly licensed in these Terms or in the MIT License for the OSS Software, no rights are granted to you.

7.2 Third-Party Rights. The Services incorporate certain third-party open-source software, including cryptography libraries (such as cryptography, blake3, pydantic, typer, PyYAML, and langchain-core). Each third-party library is governed by its own open-source license, which is available in the respective project's repository. Your use of the OSS Software is subject to compliance with these third-party licenses as well as the MIT License for Project AIR™.

7.3 No Implied Licenses. Nothing in these Terms is to be construed as granting, by implication, estoppel, or otherwise, any license or right under any Intellectual Property Rights of Vindicara except as expressly set forth.

8. Customer Data

8.1 Ownership. You retain all right, title, and interest in and to your Customer Data. No provision of these Terms transfers ownership of Customer Data to Vindicara.

8.2 License to Process. You grant Vindicara a limited, non-exclusive, worldwide, royalty-free license to host, store, transmit, display, process, and analyze your Customer Data solely (a) to provide, maintain, improve, secure, and operate the Services; (b) to comply with legal obligations; (c) in anonymized and aggregated form that does not identify you or any individual, to improve detector accuracy, publish industry research, and develop new Services. Section 8.2(c) does not apply to Enterprise customers except as specifically authorized in the Enterprise Master Services Agreement.

8.3 Responsibility for Customer Data. You are solely responsible for (a) the accuracy, legality, and appropriateness of your Customer Data; (b) obtaining all rights, licenses, consents, and authorizations necessary to upload and process your Customer Data through the Services; (c) notifying data subjects, obtaining their consent, and complying with all applicable data-protection laws when Customer Data contains Personal Data; (d) backing up Customer Data; and (e) the security of signing keys held under your control. Vindicara is not a business associate or processor of Personal Data except as may be specifically agreed in a Data Processing Agreement (DPA) or BAA.

8.4 Sensitive Data. Without limiting Section 8.3, you must not upload to or process through the Services any data subject to special protections under applicable law, including (without limitation) protected health information ("PHI") subject to HIPAA (unless a BAA is in place), Payment Card Industry data ("PCI Data"), financial account numbers, government-issued identifiers, or classified information, except with specific prior written authorization from Vindicara.

8.5 Deletion. Upon termination of your subscription or upon your written request, Vindicara will delete or return your Customer Data in accordance with its standard retention and deletion practices, subject to (a) Vindicara's legal obligations to retain certain records; (b) a reasonable backup-retention window not to exceed ninety (90) days; and (c) Vindicara's right to retain aggregated and anonymized data that does not identify you or any individual.

9. Data Processing and Privacy

9.1 Privacy Policy. Vindicara's collection, use, disclosure, and retention of Personal Data is governed by the Vindicara Privacy Policy available at https://vindicara.io/privacy, which is incorporated into these Terms by reference.

9.2 Data Processing Agreement. If your use of the Services involves Vindicara acting as a processor of Personal Data (as defined in applicable data-protection law) on your behalf, you must execute a Data Processing Agreement ("DPA") with Vindicara. The DPA governs the parties' respective roles and responsibilities under the GDPR, UK GDPR, CCPA, and other data-protection laws.

9.3 International Transfers. Vindicara may process Customer Data in the United States and other countries where Vindicara or its subprocessors operate. Where such processing involves transfers of Personal Data from the European Economic Area, the United Kingdom, or Switzerland to countries not recognized as providing adequate protection, Vindicara will implement appropriate safeguards, including Standard Contractual Clauses issued by the European Commission and any necessary supplementary measures.

9.4 Subprocessors. Vindicara uses third-party service providers (including cloud infrastructure, payment processors, analytics providers, and customer-support tools) to provide the Services. A current list of Vindicara's subprocessors is maintained and will be made available upon request. By using the Services, you consent to Vindicara's use of subprocessors subject to the confidentiality and data-protection commitments outlined in the Privacy Policy and any applicable DPA.

10. Third-Party Services and Integrations

10.1 Third-Party Frameworks. The OSS Software includes instrumentation integrations for third-party frameworks (including LangChain, OpenAI SDK, and Anthropic SDK). Use of those third-party frameworks is governed by the terms and policies of the respective third-party provider. Vindicara is not responsible for the availability, accuracy, content, or policies of any third-party framework or service.

10.2 Export of Data to Third Parties. If you configure the Services to export forensic records to third-party destinations (including SIEM platforms like Datadog, Splunk, Sumo Logic, Microsoft Sentinel; alerting platforms like Slack or PagerDuty; or any other third-party service), the transfer of data to those destinations is subject to the third party's terms and privacy policies. Vindicara is not responsible for the handling of data after it is transferred to third-party destinations at your direction.

10.3 PyPI and GitHub. The OSS Software is distributed through the Python Package Index (PyPI) and GitHub. Your use of PyPI and GitHub is subject to their respective terms of service and privacy policies. Vindicara is not responsible for the availability, content, or security of PyPI or GitHub.

11. Payment, Subscription, and Billing (Team and Enterprise Tiers)

11.1 Fees. Fees for the Team Tier are specified at https://vindicara.io/pricing. Fees for the Enterprise Tier are set forth in the applicable Master Services Agreement or Order Form. All fees are stated in U.S. dollars unless otherwise specified and are exclusive of all applicable taxes, duties, and withholdings.

11.2 Payment Terms. Team Tier fees are billed in advance on a monthly or annual subscription basis through Vindicara's payment processor (Square). By providing payment information, you authorize Vindicara and its payment processor to charge your payment method for all fees and taxes due. Enterprise payment terms are set forth in the applicable agreement.

11.3 Auto-Renewal. Unless you cancel your subscription before the end of the then-current billing period, your Team Tier subscription will automatically renew at the then-current rate for successive periods equal in length to the previous period.

11.4 Non-Refundable. Except as required by applicable law, all fees are non-refundable. Vindicara may, in its sole discretion, offer pro-rata refunds for exceptional circumstances.

11.5 Taxes. You are responsible for all applicable taxes, including sales, use, value-added, goods-and-services, withholding, and similar taxes associated with your subscription. If Vindicara is required to collect tax, Vindicara will do so and remit it to the applicable authority.

11.6 Failed Payment. If Vindicara is unable to charge your payment method, Vindicara may suspend or terminate your access to the Team Tier. You remain responsible for all unpaid fees.

11.7 Price Changes. Vindicara may change its prices from time to time. Price changes will be communicated to you in advance and will take effect at the next renewal of your subscription.

12. Service Availability and Support

12.1 Team Tier Availability. Vindicara will use commercially reasonable efforts to provide the Team Tier with reasonable availability. No uptime or availability SLA applies to the Team Tier unless expressly stated in writing. Planned maintenance, third-party outages (including AWS or other cloud provider outages), distributed denial-of-service attacks, and other factors outside Vindicara's reasonable control may affect availability.

12.2 Enterprise SLA. Enterprise customers may be entitled to a service level agreement as set forth in the applicable Master Services Agreement.

12.3 Support. Support availability and response times are as stated on https://vindicara.io/pricing or in your Enterprise agreement. OSS Software is provided "as is" with community support only via GitHub issues; Vindicara has no obligation to provide support for the OSS Software.

13. Term and Termination

13.1 Term. These Terms apply from your first access to the Services and continue until terminated as permitted herein.

13.2 Termination by You. You may terminate these Terms at any time by ceasing use of the Services, canceling your subscription (Team Tier), or as set forth in your Enterprise agreement.

13.3 Termination by Vindicara. Vindicara may suspend or terminate your access to the Services, in whole or in part, immediately and without refund if:

(a) You materially breach these Terms or your Enterprise agreement;

(b) Your use of the Services poses a security, legal, or reputational risk to Vindicara, its customers, or its infrastructure;

(c) You fail to pay fees when due;

(d) Vindicara is required to do so by applicable law or by an order of a court or governmental authority; or

(e) Vindicara decides, in its reasonable discretion, to discontinue the Services in whole or in part, with reasonable advance notice to you.

13.4 Effect of Termination. Upon termination, (a) all licenses granted to you terminate immediately (except as expressly provided in the MIT License for the OSS Software, which remains in effect for previously distributed copies); (b) you must cease using the Services; (c) you must delete any Vindicara-proprietary materials in your possession, except as required to operate records already produced by the OSS Software; (d) Section 8.5 (Deletion) applies to Customer Data. The following sections survive termination: 2, 4.2, 4.3, 6.4, 6.5, 7, 8 (with respect to obligations that survive), 9, 14, 15, 16, 17, 18, 19, 20, 21, 23, 24.

14. Disclaimers and Limitations on Warranties

14.1 "AS IS" and "AS AVAILABLE". EXCEPT AS EXPRESSLY SET FORTH IN A WRITTEN ENTERPRISE AGREEMENT, THE SERVICES, THE OSS SOFTWARE, THE DOCUMENTATION, AND ALL CONTENT MADE AVAILABLE BY VINDICARA ARE PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, QUIET ENJOYMENT, AND ANY WARRANTIES ARISING OUT OF COURSE OF DEALING OR USAGE OF TRADE. WITHOUT LIMITING THE FOREGOING, VINDICARA DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, ERROR-FREE, SECURE, OR THAT ANY DEFECT WILL BE CORRECTED.

14.2 Detector Accuracy. The Services include detector logic (heuristics, pattern matches, and structural checks) that attempts to identify potential security issues in AI agent traces. Vindicara makes no representation or warranty that the detectors will identify all malicious, unauthorized, or harmful agent activity. The detectors are imperfect and will produce both false positives (flagging benign activity as suspicious) and false negatives (failing to flag genuinely suspicious activity). The detectors operate on heuristic patterns, not on comprehensive behavioral analysis or learned baselines. You are solely responsible for validating the adequacy of the detectors for your use case, and for implementing additional defensive controls.

14.3 Admissibility of Forensic Records. The Services produce cryptographically signed forensic records (Intent Capsules). The Vindicara admissibility architecture documentation at https://vindicara.io/admissibility/ describes how these records are designed to align with evidentiary frameworks including U.S. Federal Rules of Evidence 901, 902(13), 803(6), and 1001-1004; EU eIDAS Regulation Articles 25 and 26; EU AI Act Article 72; and GDPR Article 30. Vindicara makes no representation or warranty that any specific Intent Capsule, forensic record, forensic report, Article 72 report, or other output will be admitted as evidence in any specific proceeding. Admissibility is decided on a case-by-case basis by the court, tribunal, regulator, or other decision-maker hearing the matter, based on the facts, the applicable rules, and the procedural record of the specific case, including chain-of-custody procedures that are the sole responsibility of the Customer. You are solely responsible for maintaining chain of custody, complying with procedural requirements, and obtaining qualified counsel before relying on any Vindicara output in any legal, regulatory, or insurance proceeding.

14.4 EU AI Act Article 72 Evidence Generator. The air report article72 command and associated output is a template generator that produces a populated Markdown template. The generated template is not a filed compliance artifact, is not certified by any regulator or notified body, and is not legal advice. The Customer is solely responsible for reviewing, adapting, supplementing with deployer-contributed data, having a qualified person execute any attestation, and consulting qualified counsel before filing or relying on the generated template as evidence of compliance with the EU AI Act or any other regulatory regime.

14.5 No Legal, Medical, Financial, or Professional Advice. The Services, the Documentation, and all Vindicara publications are provided for informational and technical purposes only. They are not legal advice, medical advice, financial advice, tax advice, engineering advice, or any other form of professional advice. You must not rely on the Services or the Documentation as a substitute for advice from a qualified professional in the relevant field.

14.6 Cryptographic Primitives. The Services rely on industry-standard cryptographic primitives, including Ed25519 (RFC 8032) and BLAKE3. While these primitives are widely deployed and reviewed, no cryptographic system is invulnerable. Future cryptographic advances, undiscovered flaws, or quantum computing may weaken or break these primitives. Vindicara makes no warranty regarding the long-term cryptographic strength of any primitive used in the Services.

14.7 Third-Party Dependencies. The Services depend on third-party software libraries, cloud infrastructure, package registries, and internet infrastructure. Vindicara does not warrant the security, availability, or performance of any third-party component.

14.8 No Guarantee of Regulatory Compliance. Use of the Services does not guarantee that you or your operations are compliant with any law, regulation, or standard, including the EU AI Act, GDPR, CCPA, California SB 53, SOC 2, ISO 42001, NIST AI RMF, or any industry-specific regime. Regulatory compliance is your sole responsibility.

14.9 No Insurance or Indemnity. The Services do not include any insurance coverage for your agent-related losses, any Vindicara indemnity for agent-caused damages, or any guarantee that insurers will accept Vindicara-generated forensic records as proof of loss. Any insurance-carrier integrations offered in the Enterprise Tier are facilitative only; acceptance of claims remains at the sole discretion of the insurer.

14.10 Export of Warranties. Some jurisdictions do not allow the exclusion of certain warranties. In those jurisdictions, the foregoing exclusions apply only to the maximum extent permitted by law.

15. Limitation of Liability

15.1 Exclusion of Damages. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL VINDICARA OR ITS AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, OR LICENSORS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR AGGRAVATED DAMAGES, OR FOR ANY LOSS OF PROFITS, REVENUE, BUSINESS OPPORTUNITY, GOODWILL, DATA, OR ANTICIPATED SAVINGS, ARISING FROM OR RELATED TO THESE TERMS OR THE SERVICES, REGARDLESS OF THE THEORY OF LIABILITY (CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY, OR OTHERWISE) AND REGARDLESS OF WHETHER VINDICARA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

15.2 Cap on Direct Damages. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, VINDICARA'S AGGREGATE LIABILITY TO YOU FOR ALL CLAIMS ARISING OUT OF OR RELATED TO THESE TERMS OR THE SERVICES, WHETHER IN CONTRACT, TORT, OR OTHERWISE, WILL NOT EXCEED THE GREATER OF (A) THE AMOUNT YOU PAID TO VINDICARA FOR THE APPLICABLE SERVICE IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM, OR (B) ONE HUNDRED U.S. DOLLARS (USD $100). FOR USERS OF THE OSS SOFTWARE WHO ARE NOT ALSO PAID CUSTOMERS, THIS AGGREGATE CAP IS USD $100, CONSISTENT WITH THE WARRANTY AND LIABILITY DISCLAIMERS OF THE MIT LICENSE.

15.3 Essential Purpose. The limitations in this Section 15 apply even if any limited remedy fails of its essential purpose.

15.4 Exclusions Not Applicable to Certain Claims. Nothing in this Section 15 limits liability that cannot be excluded or limited under applicable law, including (where applicable) liability for death or personal injury caused by gross negligence, willful misconduct, or fraud.

16. Indemnification

16.1 By Customer. You will defend, indemnify, and hold harmless Vindicara, its affiliates, officers, directors, employees, agents, and licensors from and against any third-party claim, suit, action, proceeding, or demand, and any damages, liabilities, judgments, settlements, costs, and expenses (including reasonable attorneys' fees) arising from or related to (a) your use of the Services in violation of these Terms or applicable law; (b) your Customer Data, including any claim that your Customer Data infringes or misappropriates any third party's rights; (c) your breach of any representation, warranty, or obligation under these Terms; (d) your failure to obtain necessary rights, consents, or authorizations from data subjects; (e) your reliance on Vindicara-produced output in any legal, regulatory, or insurance proceeding; or (f) any claim arising from your operation of AI agents, including any claim that an agent took harmful action that you failed to prevent.

16.2 By Vindicara (Enterprise Only). Vindicara's indemnification obligations, if any, are as set forth in the Enterprise Master Services Agreement. No indemnity is provided for OSS Software use or for Team Tier use except as expressly agreed in writing.

16.3 Indemnification Procedure. The indemnified party must (a) notify the indemnifying party promptly in writing of any claim; (b) grant the indemnifying party sole control over the defense and settlement of the claim; and (c) provide reasonable cooperation in the defense. The indemnified party may participate in the defense at its own expense. The indemnifying party may not settle any claim that imposes any obligation on the indemnified party without the indemnified party's prior written consent (not to be unreasonably withheld).

17. Export Controls and Sanctions

17.1 Export Compliance. The Services, including the cryptographic primitives used in the OSS Software, may be subject to U.S. export-control laws, including the Export Administration Regulations (EAR) administered by the U.S. Department of Commerce Bureau of Industry and Security. The OSS Software is understood to contain publicly available open-source cryptographic code that qualifies for license-exception TSU (15 CFR § 740.13(e)) or as publicly available under 15 CFR § 734.7 and § 734.8, but the Customer is responsible for verifying export-classification and obtaining any licenses required for its particular use.

17.2 Sanctions Compliance. You will not export, re-export, transfer, or make available, directly or indirectly, any part of the Services to any country, person, or entity subject to U.S., EU, UK, or UN sanctions, including without limitation to the restricted-persons and sanctioned-jurisdictions lists referenced in Section 4.1.

17.3 No Prohibited End Uses. You will not use the Services in connection with the design, development, production, use, or stockpiling of nuclear, chemical, or biological weapons, or missiles or other delivery systems for such weapons.

18. Confidentiality

18.1 Scope. During your use of the Services, you and Vindicara may receive information that is identified as confidential or that a reasonable person would understand to be confidential given its nature and the circumstances of disclosure ("Confidential Information"). Vindicara's Confidential Information includes pre-release Services, pricing information (other than publicly posted pricing), internal roadmap communications, and any non-public detector logic or signatures. Your Confidential Information includes Customer Data and, where applicable, agent registries and related configuration.

18.2 Obligations. Each party will (a) use the other party's Confidential Information only to perform its obligations under these Terms or as otherwise expressly permitted; (b) protect Confidential Information using at least the same degree of care it uses to protect its own Confidential Information of similar nature, and in no event less than reasonable care; and (c) not disclose Confidential Information to any third party except to its employees, agents, and contractors who have a need to know and who are bound by confidentiality obligations no less protective than these Terms.

18.3 Exceptions. Confidential Information does not include information that (a) is or becomes publicly available through no breach of these Terms; (b) was lawfully in the receiving party's possession before disclosure; (c) was independently developed without use of the other party's Confidential Information; or (d) is lawfully received from a third party without confidentiality restrictions.

18.4 Compelled Disclosure. If either party is compelled by court order, subpoena, or other legal process to disclose Confidential Information, it will (where legally permitted) provide prompt written notice to the other party so that the other party may seek a protective order or other remedy.

19. Governing Law and Dispute Resolution

19.1 Governing Law. These Terms and any dispute arising out of or related to these Terms or the Services are governed by the laws of the State of California, without regard to its conflict-of-laws principles, except where mandatory consumer-protection laws of your country of residence (for individuals) or data-protection laws of the jurisdiction where Personal Data was collected require otherwise. Vindicara may re-domicile to Delaware in the future; these Terms will be updated at that time to reflect any change in governing law or venue.

19.2 Venue. Any litigation arising out of or related to these Terms will be brought exclusively in the state or federal courts located in Los Angeles County, California, and each party consents to the personal jurisdiction and venue of those courts.

19.3 Equitable Relief. Either party may seek injunctive or other equitable relief in a court of competent jurisdiction to prevent or enjoin any actual or threatened unauthorized disclosure of Confidential Information or infringement of Intellectual Property Rights.

19.4 Time Limitation. Any claim arising out of or related to these Terms must be brought within one (1) year after the cause of action accrues. Claims not brought within this period are permanently barred.

20. Changes to These Terms

20.1 Updates. Vindicara may update these Terms from time to time. If the update is material, Vindicara will provide notice through (a) the Services (e.g., an in-product notice), (b) email to the address associated with your account (if any), or (c) an update to the "Last Updated" date at the top of these Terms. Material changes take effect thirty (30) days after notice is provided, unless they must take effect sooner to comply with legal requirements.

20.2 Your Options. If you do not agree to a material change, your sole remedy is to cease using the Services. Continued use after the effective date of the updated Terms constitutes acceptance of the update.

21. General Provisions

21.1 Relationship. The parties are independent contractors. Nothing in these Terms creates an agency, partnership, joint venture, or employment relationship.

21.2 Assignment. You may not assign or transfer these Terms without Vindicara's prior written consent, and any attempted assignment without consent is void. Vindicara may assign these Terms without consent in connection with a merger, acquisition, reorganization, or sale of all or substantially all of its assets.

21.3 Force Majeure. Neither party will be liable for any failure or delay in performance due to causes beyond its reasonable control, including acts of God, natural disasters, war, terrorism, riot, civil disturbance, pandemic, government action, labor disputes, utility outages, internet outages, distributed denial-of-service attacks, supply-chain disruptions, or failures of third-party service providers. Payment obligations are not excused by force majeure.

21.4 Notices. Notices to Vindicara must be sent to legal@vindicara.io (with a copy to Kevin.Minn@vindicara.io) and, where physical notice is required, to Vindicara's registered business address at 696 S New Hampshire Ave, Los Angeles, CA 90005, United States. Notices to you will be sent to the email address on your account or posted in the Services.

21.5 Severability. If any provision of these Terms is held invalid or unenforceable, the remaining provisions remain in full force and effect, and the invalid provision will be modified to the minimum extent necessary to make it enforceable while giving effect to the parties' original intent.

21.6 No Waiver. Failure by either party to enforce any right or provision of these Terms does not constitute a waiver of that right or provision.

21.7 Headings. Section headings are for convenience only and have no legal effect.

21.8 Electronic Communications. You consent to receive communications from Vindicara electronically, including emails, in-product notifications, and other electronic communications, and you agree that all electronic communications satisfy any legal requirement that such communications be in writing.

21.9 Entire Agreement. These Terms (together with the Privacy Policy, any applicable Master Services Agreement, Order Form, DPA, and any other agreements incorporated by reference) constitute the entire agreement between you and Vindicara with respect to the Services and supersede all prior and contemporaneous agreements, proposals, or representations.

21.10 Language. These Terms are in English. Any translation of these Terms is provided for convenience only. In the event of any inconsistency between the English version and any translation, the English version controls.

22. U.S. Federal Government Customers

22.1 Government Use. If you are a U.S. federal, state, or local government entity, additional terms may apply. The Services are deemed "commercial computer software" and "commercial computer software documentation" under FAR 12.212 and DFARS 227.7202 (and any successor provisions), and your use, duplication, and disclosure of the Services is subject to the restrictions set forth in these Terms. No rights greater than those set forth in these Terms are granted by operation of government acquisition regulations.

22.2 Federal Compliance. Vindicara has not represented that the Services meet FedRAMP, FISMA, or any other specific federal-agency security requirement, except as specifically stated in a separate agreement. Government customers requiring FedRAMP authorization or similar controls must enter into a separate Enterprise agreement that addresses those requirements.

23. Consumer-Specific Provisions

23.1 No Intended Consumer Use. The Services are designed for business use and are not intended for consumer use. Nothing in these Terms constitutes an offer to consumers for purposes of consumer-protection law.

23.2 If Consumer Protection Applies. If applicable law classifies you as a "consumer" and provides you with mandatory rights that these Terms would otherwise limit, those mandatory rights prevail over these Terms to the extent required by law.

24. Contact Vindicara

Vindicara, Inc. Attn: Legal / Privacy

• Legal notices: legal@vindicara.io
• Privacy / data-protection: privacy@vindicara.io
• Security / vulnerability disclosures: security@vindicara.io
• General inquiries: Kevin.Minn@vindicara.io
• Website: https://vindicara.io
• Registered Office: 696 S New Hampshire Ave, Los Angeles, CA 90005, United States

Appendix A — Summary of Key Disclaimers (Customer-Facing Readable Version)

The following summary is provided as a reader-friendly overview. In the event of any conflict between this summary and the main body of these Terms, the main body controls.

1. The detectors are not perfect. They use heuristics. They will miss some attacks and flag some benign activity. Do not rely on them as your only defense.

2. Admissibility is decided by the court, not by Vindicara. Project AIR™ writes cryptographically strong forensic records designed to clear the technical bar for authenticity. Getting a record admitted as evidence in a specific case depends on the facts, the rules the court applies, and the chain-of-custody procedure you maintain, none of which Vindicara controls.

3. The Article 72 evidence generator produces a template, not a filing. The template is a starting point. You must review it, adapt it to your facts, have a qualified person sign the attestation, and consult counsel before filing anything under the EU AI Act.

4. Compliance is your job. Using Vindicara does not make you compliant with any law or regulation. It is a tool that helps you produce the evidence your compliance program needs.

5. Your agent actions are your responsibility. If your AI agent sends the wrong wire, leaks the wrong file, or approves the wrong thing, the responsibility for that action lies with you. Vindicara provides the forensic record; the decision and its consequences are yours.

6. The OSS Software is free and provided AS IS. Full stop. Use it at your own risk. If something breaks, send us a GitHub issue; we will do our best.

7. We do not endorse or represent OWASP, the EU AI Act, FRE, eIDAS, or any regulator. We cite them because they are the published standards our architecture maps to. Those bodies have not certified, reviewed, or endorsed Vindicara.