Maintruth Terms of Service
These Terms of Service govern your use of Maintruth's trust desk, which provides human-led, AI-assisted security-review support. They explain what Maintruth does and does not do, your responsibilities as the final approver of buyer-facing answers, how data and intellectual property are handled, and the commercial, liability, and dispute terms that apply.
Last updated: May 30, 2026
1. Agreement and Acceptance
These Terms of Service (the "Terms") are a binding agreement between RRG Labs LLC, a California limited liability company ("Maintruth," "we," "us," or "our"), and the company or other legal entity that orders or uses the Service ("Customer," "you," or "your"). The Terms govern your access to and use of the Maintruth trust desk and related services, software, and deliverables (together, the "Service").
You accept these Terms by signing an order form or statement of work that references them, by clicking to accept them, or by accessing or using the Service. If you accept these Terms on behalf of a company or other entity, you represent that you have authority to bind that entity, and "you" refers to that entity.
These Terms apply together with any order form, plan selection, or statement of work (each, an "Order") that references them. If there is a conflict, the Order controls for the specific matter it addresses, and these Terms control for everything else. Terms printed on a purchase order, vendor portal, or similar Customer document do not apply and have no effect, even if Maintruth accepts or processes that document.
We may update these Terms as described in the Changes to These Terms section. The version that applies to you is the one in effect when the dispute or question arises, except as that section provides.
2. Definitions
- "Authorized User" means an employee, contractor, or agent of Customer whom Customer permits to access or use the Service.
- "Customer Data" means the materials and information Customer or its Authorized Users submit to or generate through the Service, including SOC 2 reports, security policies, architecture details, buyer questionnaires, security answers, internal evidence, and personal data of Customer personnel.
- "Deliverables" means the buyer-facing answers, completed questionnaires, trust documents, policies, and reports that Maintruth prepares for Customer through the Service and that Customer reviews and approves.
- "Buyer" means a prospective or existing customer, partner, auditor, or other third party of Customer that requests or receives a security review, questionnaire response, or trust materials.
- "AI-Assisted Tooling" means the software, models, prompts, and automated workflows Maintruth uses to parse questionnaires, match questions to prior answers, find similar responses, and draft initial language.
- "De-Identified Data" means data derived from Customer Data or from use of the Service that has been de-identified, aggregated, or anonymized so that it does not identify, and cannot reasonably be used to identify, Customer, its personnel, or any Buyer.
- "Confidential Information" has the meaning given in the Confidentiality section.
- "Fees" means the amounts payable for the Service as set out in an Order or in Maintruth's published pricing.
- "Credit" means a unit of trust-desk capacity as described in the Fees, Credits, and Billing section.
3. The Service
Maintruth operates a customer trust desk that supports Customer in responding to enterprise security reviews. The Service combines Maintruth personnel with AI-Assisted Tooling.
Depending on the Order, the Service may include the following:
- Completing enterprise security questionnaires, whether delivered as spreadsheets or through a Buyer web portal.
- Building and maintaining answer libraries and importing prior questionnaires.
- Inventorying and organizing evidence and maintaining a gap register.
- Supporting Buyer security calls and supporting a Buyer portal or trust center.
- Drafting lightweight trust documents and policies.
- Providing monthly trust desk reporting.
AI-Assisted Tooling helps prepare initial drafts and match questions to prior answers. Human review by Maintruth personnel is required before any Deliverable is provided to Customer. Maintruth may modify, improve, or discontinue features of the Service from time to time, provided that Maintruth will not materially reduce the core functionality Customer has paid for during a paid term.
4. What Maintruth Does Not Provide
Maintruth provides security-review support. It is important that Customer understands the limits of that support.
- Maintruth does not provide legal advice, audit opinions, or certifications. Nothing in the Service is a legal opinion, an attestation, an audit, or a certification of any kind.
- The Service is not a substitute for Customer's own legal counsel, compliance auditors, penetration testers, internal security ownership, or executive approval of risk and commitments. Customer remains responsible for those functions.
- Maintruth does not guarantee that any Buyer will approve Customer, complete a security review favorably, or proceed with any transaction.
- Maintruth does not invent controls and does not make claims on Customer's behalf that are unsupported or that Customer has not approved.
Customer is always the final approver of buyer-facing answers and of any commitment, representation, or warranty made to a Buyer. Maintruth prepares drafts and support materials; Customer decides what is accurate, complete, and appropriate to send, and Customer is responsible for what it sends.
5. Customer Responsibilities and Acceptable Use
Final approval and accuracy
Customer must review and approve every Deliverable before it goes to a Buyer. Customer is responsible for the accuracy, completeness, and appropriateness of all answers, commitments, and materials it approves and delivers. Customer must provide accurate, current, and complete materials, and must promptly update materials that become inaccurate or outdated. Customer is responsible for routing any legal language, contractual commitment, or representation that calls for legal judgment to its own counsel.
Rights in submitted materials
Customer represents that it has all rights, consents, and authority needed to submit Customer Data to the Service, including SOC 2 reports, security policies, evidence, questionnaires, and personal data of its personnel, and to allow Maintruth to process that material to provide the Service.
Accounts and Authorized Users
Customer is responsible for all use and misuse of the Service by its Authorized Users and by anyone who accesses the Service through Customer's accounts or credentials. Customer must keep credentials secure, must not share them outside its Authorized Users, and must promptly notify Maintruth of any suspected unauthorized access. Sharing credentials with anyone other than an Authorized User is a material breach of these Terms.
Acceptable use
Customer and its Authorized Users must not do any of the following:
- Reverse engineer, decompile, or attempt to derive the source code, models, or underlying methods of the Service, except to the extent this restriction is prohibited by law.
- Resell, sublicense, rent, or otherwise make the Service available to a third party except as expressly permitted.
- Scrape, crawl, or use automated means to extract data from the Service outside its intended interfaces.
- Use the Service to build or assist in building a competing product or service, or for competitive benchmarking.
- Probe, scan, or test the security of the Service without Maintruth's prior written authorization.
- Use the Service to submit unlawful, infringing, or harmful content, or to make any claim or representation to a Buyer that Customer knows or should know is false, misleading, or unsupported.
- Use the Service in violation of applicable law or the rights of any third party.
Maintruth may suspend access as described in the Term, Termination, and Suspension section if it reasonably suspects a material breach of this section.
6. AI-Assisted Services and Human Review
Maintruth uses AI-Assisted Tooling to parse questionnaires, match questions to prior answers, find similar responses, and draft initial language. AI-assisted drafts can contain errors, omissions, or language that does not fit Customer's facts, and they are not verified, endorsed, or guaranteed by the act of being generated.
Every AI-assisted draft is reviewed by Maintruth personnel before it is delivered to Customer. After delivery, Customer remains the final reviewer and approver. Customer must not rely on any AI-assisted draft or Deliverable as accurate, complete, or suitable for a Buyer until Customer has reviewed and approved it. Customer's approval of a Deliverable is Customer's confirmation that the Deliverable is appropriate to send, and Customer is responsible for it from that point forward.
7. Customer Data: Ownership and License
As between the parties, Customer owns all right, title, and interest in its Customer Data, and Customer owns the final buyer-facing answers, trust documents, and other Deliverables it reviews and approves.
Customer grants Maintruth a non-exclusive, worldwide, royalty-free license to access, host, store, process, and use Customer Data during the term to provide, support, secure, and improve the Service and to prepare Deliverables for Customer. This license also permits Maintruth to create and use De-Identified Data as described in the De-Identified and Aggregated Data section.
Customer is responsible for the lawfulness of the Customer Data it submits and for maintaining its own copies of materials it considers important. Maintruth is not a system of record and is not responsible for loss of Customer Data except as required by the data-handling commitments in these Terms.
8. De-Identified and Aggregated Data
This section reconciles Maintruth's public commitment with its right to improve its own Service. Maintruth maintains the public commitment that it does not use customer confidential materials to train public AI models, and these Terms make that commitment contractual while reserving a clearly bounded right to use De-Identified Data.
Identifiable confidential materials
Maintruth will not use Customer's identifiable confidential materials, including SOC 2 reports, security policies, architecture details, buyer questionnaires, security answers, internal evidence, and personnel personal data, to train public or third-party AI models. Where Maintruth uses third-party AI providers to deliver the Service, Maintruth maintains contractual commitments that restrict those providers from using Customer's identifiable materials to train or improve their own models for general use, and Maintruth prefers zero-retention configurations where available.
De-Identified Data
Notwithstanding the foregoing, Maintruth may create De-Identified Data derived from Customer Data and from Customer's use of the Service, and may use De-Identified Data for any purpose on a perpetual, irrevocable, royalty-free basis, both during and after the term. Permitted purposes include operating, analyzing, and improving Maintruth's own models, AI-Assisted Tooling, answer-library structure, and the Service. De-Identified Data is processed so that it does not identify, and cannot reasonably be used to identify, Customer, its personnel, or any Buyer.
Maintruth owns all right, title, and interest in De-Identified Data. De-Identified Data is not Customer Data and is not Customer's Confidential Information. This section survives termination or expiration of these Terms.
9. Confidentiality
"Confidential Information" means non-public information disclosed by one party (the "Discloser") to the other (the "Recipient") that is marked confidential or that a reasonable person would understand to be confidential given its nature and the circumstances. Customer Data, including SOC 2 reports, security policies, architecture details, evidence, security answers, and personnel personal data, is Customer's Confidential Information. Maintruth's software, AI-Assisted Tooling, answer-library structure, methods, and pricing are Maintruth's Confidential Information.
Confidential Information does not include information that the Recipient can show is or becomes public through no fault of the Recipient, was rightfully known to the Recipient without confidentiality obligation before disclosure, is rightfully received from a third party without confidentiality obligation, or is independently developed by the Recipient without use of the Discloser's Confidential Information.
The Recipient will use the Discloser's Confidential Information only to perform under these Terms, will protect it with at least reasonable care, and will not disclose it except to its personnel and advisors who need it and are bound by confidentiality obligations no less protective than these.
If the Recipient is legally compelled to disclose Confidential Information, it will, where legally permitted, give the Discloser prompt notice and reasonable cooperation so the Discloser may seek a protective order, and will disclose only what is legally required.
A party may seek injunctive or other equitable relief for a breach or threatened breach of this section without posting a bond, in addition to other remedies. Confidentiality obligations survive for three years after disclosure for information that is not a trade secret, and for as long as the information remains a trade secret under applicable law. Maintruth may work under a non-disclosure agreement Customer requires, and this section applies alongside any such agreement.
10. Intellectual Property
Maintruth owns and retains all right, title, and interest in and to its software, AI-Assisted Tooling, models, answer-library structure, templates, prompts, methodologies, know-how, and any generic or reusable components, including all improvements and derivatives, and anything that is not specific to Customer. No rights are granted to Customer except as expressly stated in these Terms.
Subject to payment of Fees and to these Terms, Maintruth grants Customer a non-exclusive, worldwide license to use the Deliverables Customer approves for Customer's own internal and business purposes, including providing them to its Buyers.
If Customer provides suggestions, enhancement requests, or other feedback about the Service ("Feedback"), Customer grants Maintruth a perpetual, irrevocable, royalty-free, worldwide, sublicensable license to use the Feedback for any purpose. Maintruth will use Feedback in a way that does not identify Customer.
11. Fees, Credits, and Billing
Fees and plans
Customer pays the Fees set out in its Order or in Maintruth's published pricing. Maintruth offers the Service through several plans, which currently include the Security Review Sprint, the Starter Pack, the Annual Trust Desk, and the Scale Trust Desk. The Fees, billing schedule, included Credits, and any setup fees for each plan are those stated in the applicable Order or in Maintruth's published pricing, which control and may change over time. Setup fees, where they apply, are non-refundable.
Credits
Certain plans include Credits, a prepaid unit Customer uses to access the Service. The number of Credits required for a given questionnaire, Buyer call, rush request, or other service, feature, or offering is determined by Maintruth and described in the applicable Order, published pricing, or product documentation; these amounts may differ between offerings and may change over time. Maintruth may introduce, modify, or retire services and features that consume or are denominated in Credits. How Credits are allocated, whether and when they expire, and the extent to which unused Credits roll over are as described in the applicable Order or published pricing. Credits have no cash value, are not transferable except as stated in an Order, and are not redeemable or refundable for cash.
Payment, taxes, and disputes
Except as expressly stated in these Terms, all Fees are non-refundable and non-cancelable, and payment obligations are not contingent on any future functionality or on any Buyer outcome. Fees are stated exclusive of taxes; Customer is responsible for all sales, use, value-added, and similar taxes, other than taxes on Maintruth's net income. Customer must dispute any invoice in good faith within 30 days of the invoice date; amounts not disputed within that window are deemed accepted.
Late payment and renewal pricing
Overdue amounts accrue interest at the lower of 1.5 percent per month or the maximum rate allowed by law. Maintruth may suspend the Service for non-payment as described in the Term, Termination, and Suspension section. Maintruth may change Fees for a renewal term by giving Customer at least 30 days' notice before the end of the then-current term.
12. Term, Termination, and Suspension
These Terms begin when Customer first accepts them or starts using the Service and continue for the term stated in the Order or plan. Subscription plans automatically renew for successive terms equal to the then-current term unless either party gives at least 30 days' notice of non-renewal before the end of the current term. A one-time Security Review Sprint ends when the engagement is complete.
Either party may terminate these Terms for an uncured material breach by the other party if the breach is not cured within 30 days after written notice describing it.
Customer may terminate for convenience, but termination takes effect at the end of the paid term, and Customer is not entitled to any early or partial refund. If Customer terminates for Maintruth's uncured material breach, Maintruth will refund any prepaid, unused Fees on a pro-rata basis as Customer's financial remedy for that termination.
Maintruth may suspend all or part of the Service if Customer fails to pay amounts when due (after notice and a short cure period) or if Maintruth reasonably believes Customer has committed a material acceptable-use or security violation. Maintruth will limit any suspension to what is reasonably necessary and will restore the Service promptly once the cause is resolved.
On termination or expiration, Maintruth will provide Customer a reasonable period of at least 30 days to export Customer Data, after which Maintruth will delete or, on request, return Customer Data, subject to legal-retention requirements and routine backup cycles. Provisions that by their nature should survive (including Confidentiality, Intellectual Property, De-Identified and Aggregated Data, Fees owed, Warranties and Disclaimer, Limitation of Liability, Indemnification, and Dispute Resolution) survive termination.
13. Warranties and Disclaimer
Maintruth will perform the Service in a professional and workmanlike manner. This is the only warranty Maintruth makes.
Except for the commitment above, and to the fullest extent permitted by law, the Service and all Deliverables are provided AS IS and AS AVAILABLE. Maintruth disclaims all other warranties, whether express, implied, or statutory, including the implied warranties of merchantability, fitness for a particular purpose, title, and non-infringement.
Maintruth does not warrant that the Service or any Deliverable will be error-free, uninterrupted, accurate, or complete, or that the Service will result in Buyer approval or any other outcome. AI-assisted drafts carry no warranty of accuracy. All Deliverables are subject to Customer's review and approval, and Customer is responsible for what it approves and sends.
14. Limitation of Liability
To the fullest extent permitted by law, neither party will be liable to the other for any indirect, incidental, consequential, special, or punitive damages, or for any lost profits, lost revenue, or lost or corrupted data, even if advised of the possibility of those damages and regardless of the theory of liability.
To the fullest extent permitted by law, each party's total aggregate liability arising out of or relating to these Terms and the Service will not exceed the total Fees Customer paid to Maintruth in the 12 months immediately before the event giving rise to the claim.
These limitations do not apply to Customer's payment obligations, to either party's indemnification obligations, or to a party's breach of its confidentiality obligations. The limitations in this section apply together with the warranty disclaimer and allocate risk between the parties as a basis of the bargain.
15. Indemnification
Customer will defend, indemnify, and hold harmless Maintruth and its officers, directors, employees, and agents from and against any third-party claim, and any resulting losses, damages, liabilities, costs, and reasonable attorneys' fees, arising out of or relating to:
- Customer Data and any other content or materials Customer or its Authorized Users provide.
- Customer's use or misuse of the Service.
- Any answer, claim, representation, or commitment that Customer directed, approved, or delivered to a Buyer, including any Deliverable Customer approved.
- Customer's breach of these Terms.
- Customer's violation of applicable law or of the rights of any third party.
Maintruth will give Customer prompt notice of the claim, reasonable cooperation at Customer's expense, and control of the defense and settlement, except that Customer may not settle a claim in a way that imposes a non-monetary obligation on Maintruth or admits fault on its behalf without Maintruth's prior written consent.
Maintruth does not provide an indemnity to Customer, except that, if stated in an Order, Maintruth will defend Customer against a third-party claim that Maintruth's own software, as provided by Maintruth and used in accordance with these Terms, infringes that third party's intellectual property rights. Any such indemnity excludes claims arising from Customer Data, Customer-directed content, any buyer-facing answer, combinations with non-Maintruth materials, or modifications not made by Maintruth; is subject to the Limitation of Liability cap; and is Customer's sole and exclusive remedy for any infringement claim relating to the Service.
16. Third Parties and Subprocessors
Maintruth may engage subcontractors and subprocessors, including AI providers and hosting providers, to help deliver the Service. Maintruth remains responsible for their performance and for their compliance with these Terms as if Maintruth had performed the work itself.
Maintruth maintains a list of subprocessors that handle Customer Data, available to Customer on request, and will provide notice of material new subprocessors that will handle Customer Data. Subprocessors are bound by confidentiality and data-protection obligations no less protective than these Terms.
Maintruth controls which subprocessors can access Customer Data and applies least-privilege access, separate per-customer workspaces, and multi-factor authentication to limit and protect that access.
17. Privacy and Data Practices
Maintruth collects and processes data to deliver the trust desk, provide support, secure and operate the Service, and improve the Service. Maintruth retains data for as long as needed for those purposes and then deletes or de-identifies it, subject to legal-retention requirements and routine backups.
Maintruth maintains reasonable, industry-standard technical and organizational security measures consistent with its security commitments, including working under a non-disclosure agreement when Customer requires one, least-privilege access, separate per-customer workspaces, and multi-factor authentication. No method of transmission or storage is perfectly secure, and Maintruth does not guarantee absolute security.
If Maintruth becomes aware of a security incident affecting Customer Data, Maintruth will notify Customer without undue delay, with a target of 72 hours after becoming aware, and will provide information reasonably available about the incident.
Processor-side data-processing terms, including a data processing addendum, are part of this agreement and are available to customers on request. For website, marketing, and account data, Maintruth's privacy practices are described in its Privacy Policy. Customer is responsible for the lawfulness of the materials and personal data it submits, and for providing any notices and obtaining any consents required for Maintruth to process that data.
Maintruth's Privacy Policy covers available statutory rights, including access, correction, deletion, objection, portability, and opt-out where applicable under GDPR, UK data protection law, and CCPA/CPRA-style laws; describes how international transfers are handled, including standard contractual clauses where relevant; addresses cookies; states that Maintruth does not sell personal information; and excludes use by children. Where Customer is the controller of personal data in Customer Data, Maintruth acts as processor, routes data-subject requests relating to that data to Customer, and assists Customer as processor. Notices and questions about privacy may be sent to privacy@maintruth.com.
18. Dispute Resolution
These Terms are governed by the laws of the State of California, without regard to its conflict-of-laws rules. The parties exclude the United Nations Convention on Contracts for the International Sale of Goods.
Before starting arbitration, a party must give the other written notice describing the dispute and the relief sought, and the parties will try in good faith to resolve it within 30 days. Notices for this purpose may be sent to legal@maintruth.com.
If the dispute is not resolved, it will be settled by binding individual arbitration administered by JAMS under its commercial rules, seated in California, before a single arbitrator. Judgment on the award may be entered in any court of competent jurisdiction. Each party waives any right to a jury trial.
Disputes will be arbitrated only on an individual basis. The parties waive any right to bring or participate in a class, collective, or representative action. The arbitrator may not consolidate claims or preside over any form of class or representative proceeding.
Notwithstanding the above, either party may bring an individual claim in small-claims court if it qualifies, and either party may seek injunctive or other equitable relief, including to protect its intellectual property or Confidential Information, in a court located in California. The parties consent to the exclusive jurisdiction and venue of the state and federal courts located in California for those matters and to enforce any arbitration award.
19. General Provisions
Changes to These Terms
Maintruth may change these Terms by giving Customer reasonable advance notice, generally at least 30 days before the change takes effect, except that changes required by law or regulation may take effect sooner. Changes are not retroactive. If Customer continues to use the Service after the effective date of a change, Customer accepts the updated Terms.
Force majeure
Neither party is liable for any delay or failure to perform caused by events beyond its reasonable control, including acts of God, natural disasters, labor disputes, internet or utility failures, and government actions. This does not excuse Customer's obligation to pay Fees for the Service provided.
Assignment
Customer may not assign or transfer these Terms or any rights under them, in whole or in part, without Maintruth's prior written consent. Maintruth may assign these Terms to an affiliate or in connection with a merger, acquisition, reorganization, or sale of all or substantially all of its assets. These Terms bind and benefit the parties and their permitted successors and assigns.
Entire agreement and order of precedence
These Terms, together with any Order and any documents they incorporate, are the entire agreement between the parties about the Service and supersede all prior or contemporaneous agreements and understandings about it. In a conflict, an Order controls for the matter it addresses, then these Terms. Terms in a Customer purchase order, vendor portal, or similar document do not apply. No modification is effective unless made as provided in the Changes to These Terms section or signed by both parties.
Publicity
Maintruth may identify Customer as a customer and use Customer's name and logo as a reference on its website and in marketing materials. Customer may revoke this right at any time by sending a request to legal@maintruth.com.
Notices
Legal notices to Maintruth must be sent to legal@maintruth.com. Notices to Customer may be sent to the contact or billing email associated with Customer's account. Notices are effective when sent, with delivery confirmation for email.
Severability and waiver
If any provision of these Terms is held unenforceable, the rest remain in effect, and the unenforceable provision will be modified to the least extent needed to make it enforceable while preserving its intent. A party's failure to enforce a provision is not a waiver of its right to enforce it later. No waiver is effective unless in writing.
Relationship of the parties
The parties are independent contractors. These Terms do not create a partnership, joint venture, agency, or employment relationship, and neither party may bind the other.
Contact
Questions about these Terms may be sent to legal@maintruth.com. The Service is operated at maintruth.com.