Legal · Master Agreement

Terms of Service

The agreement between you and GLACIS Technologies governing use of the GLACIS platform, the autoredteam open-source toolkit, Enforce, and Notarize.

Effective: 18 April 2026 · Version: 1.0 · Published by: GLACIS Technologies, Inc. · Registered: Seattle, Washington, USA

Contents

  1. Acceptance of terms
  2. Definitions
  3. Description of services
  4. Eligibility and accounts
  5. License grant and restrictions
  6. Acceptable use
  7. Customer data and inputs
  8. AI-specific provisions
  9. GLACIS intellectual property
  10. Confidentiality
  11. Security and availability
  12. Privacy and data processing
  13. Subprocessors
  14. Third-party services
  15. Fees, billing, taxes
  16. Warranties and disclaimers
  17. Limitation of liability
  18. Indemnification
  19. Term and termination
  20. Export controls
  21. Governing law and disputes
  22. Changes to these terms
  23. Miscellaneous
  24. Contact

1. Acceptance of terms

These Terms of Service (“Terms”) constitute a binding agreement between you (“Customer” or “you”) and GLACIS Technologies, Inc. (“GLACIS”, “we”, or “us”) and govern your access to and use of the GLACIS platform, its associated products and services, websites, command-line tools, APIs, and documentation (collectively, the “Services”). By accessing or using the Services, creating an account, executing an order form, or instructing GLACIS to begin work, you agree to be bound by these Terms. If you are entering into these Terms on behalf of an organization, you represent that you have authority to bind that organization, and “Customer” refers to that organization.

If you do not agree to these Terms, do not access or use the Services. Continued use of the Services following publication of updated Terms constitutes acceptance of those updates, subject to the notice provisions in Section 22.

2. Definitions

  • Account. The record identifying an authorized user or organization permitted to access the Services.
  • Customer Content. Any data, text, prompts, responses, inferences, model metadata, configuration, policies, or other information Customer submits to, processes through, or stores within the Services, including data processed by Customer’s AI systems while covered by the Services.
  • Documentation. GLACIS’s published user and technical documentation for the Services, as updated from time to time.
  • Evidence Pack. A curated, audit-ready collection of OVERT-format attestation receipts and supporting artifacts produced for Customer.
  • Order Form. An ordering document signed by the parties, online order, or plan selection that incorporates these Terms and specifies the Services, term, and fees.
  • OVERT Receipt. A cryptographic attestation record conforming to the open OVERT 1.0 standard (see overt.is) produced by the Services.
  • Subprocessor. A third party engaged by GLACIS to process Customer Content on its behalf, as listed at trust.glacis.io.
  • Trust Center. GLACIS’s public compliance and security documentation portal at trust.glacis.io, including the SOC 2 Type II attestation report, subprocessor list, security questionnaire, and other artifacts.

3. Description of services

GLACIS provides AI runtime assurance. The Services include three integrated capabilities:

  1. Scan — behavioral assessment of AI systems using the open-source autoredteam toolkit, licensed separately under the Apache License 2.0 available at autoredteam.com.
  2. Enforce — runtime policy evaluation and enforcement across Customer’s AI systems, typically deployed as a sidecar or gateway inside Customer’s perimeter.
  3. Notarize — cryptographic receipts (OVERT Receipts) generated for every in-scope AI decision, producing a tamper-evident evidence chain suitable for regulators, auditors, insurers, and other third parties. Notarize receipts are issued as a core property of any paid Enforce deployment. Evidence Packs and compliance artifact exports (framework mapping, OSCAL, ISO 42001 evidence) are a separately priced capability.

GLACIS may offer additional products, features, and capabilities under separate Order Forms or plan tiers.

4. Eligibility and accounts

To use paid Services, you must be at least 18 years old (or the age of majority in your jurisdiction) and legally capable of entering into a binding contract. You may not use the Services if you are prohibited from doing so under applicable law, are a Competitor accessing the Services for benchmarking, or have had an account previously suspended or terminated by GLACIS.

For purposes of these Terms, “Competitor” means any entity that, within the prior twelve (12) months, has marketed, developed, or represented to prospective customers a commercial product or service competing with GLACIS’s runtime AI attestation, AI behavioral red-teaming, or cryptographic AI-receipt capabilities. Access by a Competitor for legitimate journalism, academic research, or interoperability testing is permitted under a separate written agreement.

You are responsible for maintaining the confidentiality of your account credentials, enabling multi-factor authentication where offered, and promptly notifying GLACIS of any suspected unauthorized access. You are responsible for all activity that occurs through your account.

5. License grant and restrictions

Subject to these Terms and any applicable Order Form, GLACIS grants Customer a limited, non-exclusive, non-transferable, non-sublicensable right during the subscription term to access and use the Services for Customer’s internal business purposes.

Customer will not, and will not permit any third party to: (a) reverse-engineer, decompile, disassemble, or otherwise attempt to derive the source code of the Services (except to the extent expressly permitted by law); (b) modify or create derivative works of the Services; (c) resell, sublicense, rent, lease, or otherwise commercially exploit the Services except as expressly authorized; (d) use the Services to develop a competing product or service; (e) remove or obscure any proprietary notices or labels; (f) access the Services to perform penetration testing, load testing, or vulnerability scanning without GLACIS’s prior written consent; or (g) use the Services in violation of any applicable law.

6. Acceptable use

Customer will not use the Services to:

  • violate any law, regulation, order, or third-party right;
  • transmit material that is unlawful, infringing, defamatory, harassing, or harmful;
  • send unsolicited communications or engage in spamming;
  • upload, attest to, or process any payment card data, protected health information (PHI), government-issued identifier, biometric identifier, or similarly sensitive data categories except under a signed Business Associate Agreement (BAA), Data Processing Agreement (DPA), or equivalent addendum executed between the parties;
  • interfere with or disrupt the integrity, performance, or availability of the Services or the infrastructure on which they operate;
  • introduce malware, worms, time bombs, or other harmful code;
  • attempt to gain unauthorized access to any account, system, network, or data;
  • use the Services to train competing AI foundation models on data that GLACIS, its Subprocessors, or Customer’s counterparties have not authorized for that purpose;
  • falsify, tamper with, forge, alter, or attempt to alter any OVERT Receipt, attestation chain, or evidence artifact produced by the Services.

GLACIS may suspend or terminate access to the Services (without prior notice where necessary to protect the Services or other customers) for violation of this Section, giving prompt post-suspension notice where possible.

7. Customer data and inputs

As between the parties, Customer retains all right, title, and interest in and to Customer Content. Customer grants GLACIS a worldwide, non-exclusive, royalty-free license to access, copy, transmit, process, display, and otherwise use Customer Content solely as necessary to (a) provide, maintain, and support the Services; (b) comply with applicable law; (c) prevent or address fraud, abuse, or security incidents; and (d) generate aggregated, de-identified insights that cannot reasonably be used to identify Customer or any individual.

The GLACIS architecture is designed for zero egress: prompts, responses, and other Customer Content remain inside Customer’s perimeter during runtime evaluation. Only cryptographic commitments (OVERT Receipts) and the minimum metadata necessary for attestation and billing cross the trust boundary to GLACIS systems. Detailed data-flow, residency, and retention provisions are set out in the Data Processing Agreement available at trust.glacis.io.

Customer represents and warrants that it has all rights, consents, and permissions necessary to make Customer Content available to GLACIS for processing under these Terms, including any rights required under the EU GDPR, UK GDPR, CCPA/CPRA, HIPAA, and any applicable sector-specific legislation.

8. AI-specific provisions

8.1 AI transparency and attestation

The Services observe and attest to the behavior of Customer’s AI systems. Attestations are produced as OVERT Receipts; Customer is responsible for the AI systems themselves and the decisions they make. Nothing in the Services constitutes a certification of Customer’s AI system’s fitness for any particular purpose.

8.2 AI management system alignment (ISO 42001)

GLACIS operates an AI management system aligned with ISO/IEC 42001, including AI risk assessment, AI impact assessment, lifecycle governance, human-oversight controls, and continuous improvement procedures. Customer’s use of the Services may form part of Customer’s own ISO 42001 evidence base; GLACIS does not represent that use of the Services alone is sufficient for Customer’s own certification.

8.3 Customer obligations for AI inputs

Customer warrants that (a) any training data, model weights, prompts, or inferences submitted to or processed through the Services have been obtained lawfully; (b) Customer has in place the human-oversight, bias-testing, and risk-assessment procedures required by law for the relevant AI applications (including, where applicable, the EU AI Act, Colorado AI Act, and sector-specific medical-device or financial-services regulation); and (c) Customer will not use the Services to circumvent, obscure, or misrepresent the behavior of AI systems that fall under regulatory-transparency obligations.

8.4 No automated legal decisions by GLACIS

The Services do not make legally significant decisions about any data subject. Attestations describe what an AI system did; they do not constitute a legal verdict, medical diagnosis, credit determination, employment decision, or other decision having legal effect on any person.

9. GLACIS intellectual property

GLACIS retains all right, title, and interest in and to the Services, including all software, algorithms, witness-network topology, policy models, templates, documentation, trademarks (including “GLACIS”, “autoredteam”, “OVERT”, “Enforce”, “Notarize”, and associated logos), and any derivatives, improvements, or modifications thereof. No rights are granted by implication, estoppel, or otherwise except those expressly set out in these Terms.

OVERT 1.0 is published as an open standard. Use of the OVERT data format and reference implementations is governed by the terms published at overt.is, including the OVERT IPR Policy.

Feedback Customer provides to GLACIS about the Services is given on a royalty-free, worldwide basis; GLACIS may use Feedback without restriction.

10. Confidentiality

“Confidential Information” means non-public information disclosed by one party to the other that is marked as confidential or that a reasonable person would understand to be confidential. Confidential Information does not include information that (a) is or becomes publicly available without breach; (b) was known to the recipient without confidentiality obligation before disclosure; (c) is rightfully received from a third party without confidentiality obligation; or (d) is independently developed without use of the discloser’s Confidential Information.

Each party will protect the other’s Confidential Information using no less than a reasonable standard of care, limit access to personnel and advisors who have a need to know and are bound by comparable confidentiality obligations, and use Confidential Information only to perform its obligations under these Terms or to exercise rights expressly granted. Confidentiality obligations survive termination for five (5) years; Customer Content is treated as Confidential Information indefinitely while in GLACIS’s possession.

11. Security and availability

11.1 Security program

GLACIS maintains a written information security program that includes administrative, physical, and technical safeguards reasonably designed to protect Customer Content against unauthorized access, disclosure, alteration, or destruction. The program is aligned with the SOC 2 Trust Services Criteria (Security, Availability, Confidentiality) and is subject to continuous third-party attestation. GLACIS’s current SOC 2 Type II report, ISO 27001 certification status, ISO 42001 alignment documentation, penetration-test summaries, and internal policy library are published at trust.glacis.io.

11.2 Zero-egress architecture

For the Enforce and Notarize capabilities, Customer Content (prompts, responses, payloads) is evaluated inside Customer’s perimeter. Only cryptographic commitments cross the trust boundary. This is an architectural control, not a promise of network isolation; Customer remains responsible for hardening its own deployment environment.

11.3 Availability

GLACIS will use commercially reasonable efforts to make the Services available 24x7, excluding scheduled maintenance announced at least seventy-two (72) hours in advance and force-majeure events. Specific availability commitments (SLA), service credits, and measurement methodology are set out in the applicable Order Form or the Service Level Agreement published at trust.glacis.io.

11.4 Incident response and notification

GLACIS will, following the confirmation of a Security Incident affecting Customer Content, notify Customer without undue delay and in any event within the timeframes required by the applicable DPA (generally seventy-two (72) hours). Notification will describe the nature of the incident, categories and approximate number of affected records, likely consequences, measures taken, and contact information. “Security Incident” means a breach of GLACIS’s security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Content.

11.5 Audit rights

Customer may review GLACIS’s SOC 2 Type II report, ISO certifications, and public penetration-test summaries under the Trust Center’s standard NDA. On-site or bespoke audits are available under the conditions and at the rates set out in the DPA, with reasonable advance notice, at Customer’s expense, and no more than once per twelve-month period except following a confirmed Security Incident.

12. Privacy and data processing

GLACIS’s collection and processing of personal information is governed by the GLACIS Privacy Policy. Where GLACIS processes personal data on Customer’s behalf as a processor or service provider, such processing is governed by the GLACIS Data Processing Agreement (“DPA”) available at trust.glacis.io, which is incorporated into these Terms. The DPA includes the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and Swiss addenda as applicable, and identifies whether GLACIS relies on the EU–US Data Privacy Framework or the 2021 SCCs.

Where Customer processes protected health information, a Business Associate Agreement is available on request and must be executed before such data may be submitted to the Services.

13. Subprocessors

GLACIS engages Subprocessors to provide portions of the Services. The current list of Subprocessors — including name, role, data categories processed, and processing location — is published at trust.glacis.io. GLACIS will provide at least thirty (30) days’ advance notice of the addition of any new Subprocessor via email or the Trust Center. Customer may object to a new Subprocessor on reasonable grounds related to the protection of Customer Content by notifying GLACIS within the notice period; the parties will cooperate in good faith to resolve the objection, and if unresolved, Customer may terminate the affected portion of the Services without penalty.

14. Third-party services

The Services may interoperate with third-party products, services, or platforms (“Third-Party Services”), including AI model providers, cloud infrastructure providers, and compliance tooling. Third-Party Services are provided by their respective owners under their own terms. GLACIS is not responsible for Third-Party Services and disclaims all warranties in connection with them. Customer’s use of Third-Party Services through the Services is at Customer’s sole risk.

15. Fees, billing, taxes

Fees for paid Services are set out in the applicable Order Form. Unless otherwise specified, fees are payable in US dollars, non-cancelable, and non-refundable. Invoices are due net thirty (30) days from issuance unless otherwise agreed. Overdue amounts accrue interest at the lesser of 1.5% per month or the maximum rate permitted by law. GLACIS may suspend the Services for non-payment following written notice and a cure period of at least ten (10) business days. All fees are exclusive of taxes; Customer is responsible for all applicable sales, use, value-added, and similar taxes other than taxes based on GLACIS’s net income.

16. Warranties and disclaimers

Each party represents and warrants that it has the full right, power, and authority to enter into these Terms and to perform its obligations hereunder.

GLACIS warrants that the Services will perform substantially in accordance with the Documentation. Customer’s sole and exclusive remedy for breach of this warranty is, at GLACIS’s option, (a) correction of the non-conformity or (b) termination of the affected Services and a pro-rata refund of prepaid, unused fees.

EXCEPT AS EXPRESSLY SET OUT IN THESE TERMS, THE SERVICES ARE PROVIDED “AS IS” AND “AS AVAILABLE.” GLACIS DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. GLACIS DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, ERROR-FREE, OR FREE OF HARMFUL COMPONENTS, OR THAT ANY DATA WILL BE SECURE OR NOT LOST OR ALTERED.

17. Limitation of liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW, NEITHER PARTY WILL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR FOR LOSS OF PROFITS, REVENUE, GOODWILL, DATA, OR BUSINESS OPPORTUNITIES, ARISING OUT OF OR RELATING TO THESE TERMS, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

EACH PARTY’S TOTAL CUMULATIVE LIABILITY ARISING OUT OF OR RELATING TO THESE TERMS WILL NOT EXCEED THE AMOUNTS PAID OR PAYABLE BY CUSTOMER TO GLACIS UNDER THE APPLICABLE ORDER FORM IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO LIABILITY. THE FOREGOING LIMITATIONS DO NOT APPLY TO: (a) CUSTOMER’S PAYMENT OBLIGATIONS; (b) EITHER PARTY’S INDEMNIFICATION OBLIGATIONS; (c) EITHER PARTY’S BREACH OF CONFIDENTIALITY OBLIGATIONS; OR (d) LIABILITY THAT CANNOT BE LIMITED AS A MATTER OF LAW.

18. Indemnification

By GLACIS. GLACIS will defend Customer against any third-party claim alleging that the Services, when used as permitted under these Terms, infringe that third party’s intellectual property right, and will indemnify Customer for amounts finally awarded or agreed in settlement, subject to Customer providing prompt notice, reasonable cooperation, and sole control of defense and settlement (with settlements not creating admissions of liability). GLACIS’s obligations do not apply to claims arising from (a) Customer Content, (b) modifications to the Services not made by GLACIS, (c) use of the Services in combination with products not provided by GLACIS where the claim would not arise but for the combination, or (d) use of the Services in violation of these Terms or applicable law. If the Services become, or in GLACIS’s opinion are likely to become, the subject of an infringement claim, GLACIS may (i) obtain a right for Customer to continue using the Services; (ii) modify the Services to be non-infringing while materially preserving functionality; or (iii) terminate the affected portion of the Services and refund any prepaid, unused fees.

By Customer. Customer will defend GLACIS against any third-party claim arising from (a) Customer Content; (b) Customer’s AI systems or decisions made by them; (c) Customer’s breach of Section 6 (Acceptable Use) or Section 8 (AI-Specific Provisions); or (d) Customer’s violation of applicable law; and will indemnify GLACIS for amounts finally awarded or agreed in settlement.

19. Term and termination

These Terms take effect on the date Customer first accesses the Services or executes an Order Form, whichever is earlier, and continue in effect until all Order Forms have expired or been terminated. Each Order Form has its own subscription term and renewal provisions.

Either party may terminate these Terms for material breach that is not cured within thirty (30) days of written notice. Either party may terminate immediately on written notice if the other party becomes insolvent, makes an assignment for the benefit of creditors, files for bankruptcy, or ceases to operate.

On termination or expiration: (a) Customer’s right to access the Services ceases; (b) accrued payment obligations survive; (c) GLACIS will, upon Customer’s request made within thirty (30) days after termination, make Customer Content available for export in a commercially reasonable format; and (d) GLACIS will delete or anonymize Customer Content in accordance with the retention schedule set out in the DPA.

Sections that by their nature should survive (including 2, 7, 9, 10, 16–18, 21, 22, and 23) will survive termination.

20. Export controls and sanctions

The Services are subject to United States and other applicable export-control and sanctions laws. Customer represents that it is not located in, and is not a national or resident of, any country that is subject to comprehensive US embargoes, and that it is not on any US government restricted-party list. Customer will not export, re-export, or transfer the Services in violation of applicable export-control or sanctions law.

21. Governing law and disputes

These Terms are governed by the laws of the State of Washington, USA, without regard to its conflict-of-laws principles. The parties consent to the exclusive jurisdiction of the state and federal courts located in King County, Washington for any action arising out of or relating to these Terms, subject to the arbitration provisions below.

Any dispute, claim, or controversy arising out of or relating to these Terms that cannot be resolved through good-faith negotiation within thirty (30) days will be settled by binding arbitration administered by JAMS under its Streamlined Arbitration Rules, before a single arbitrator, in Seattle, Washington. The arbitrator’s award will be final and may be entered in any court of competent jurisdiction. Notwithstanding the foregoing, either party may seek injunctive or equitable relief in court to protect its intellectual property or Confidential Information. Claims must be brought on an individual, non-class, non-representative basis.

22. Changes to these terms

GLACIS may update these Terms from time to time. For material changes, GLACIS will provide at least thirty (30) days’ advance notice by email to the account administrator and by posting the updated Terms on this page with a revised “Effective” date. Continued use of the Services after the effective date constitutes acceptance. If Customer objects to a material change, Customer’s sole remedy is to terminate the affected Services before the effective date and receive a pro-rata refund of any prepaid, unused fees for that portion.

23. Miscellaneous

  • Entire agreement. These Terms, together with the DPA and any Order Forms, constitute the entire agreement between the parties and supersede all prior or contemporaneous agreements or understandings, whether written or oral.
  • Order of precedence. In the event of conflict: (1) the Order Form; (2) the DPA; (3) these Terms.
  • Assignment. Neither party may assign these Terms without the other party’s prior written consent, except that either party may assign to a successor in connection with a merger, acquisition, or sale of substantially all assets, subject to notice to the other party.
  • Force majeure. Neither party is liable for failures or delays caused by events beyond its reasonable control, provided it gives prompt notice and uses reasonable efforts to resume performance.
  • Severability. If any provision is held unenforceable, the remaining provisions will remain in full force, and the unenforceable provision will be modified to the minimum extent necessary to make it enforceable.
  • Waiver. A party’s failure to enforce a provision is not a waiver of future enforcement.
  • Notices. Notices to GLACIS must be sent to [email protected]; notices to Customer may be sent to the administrator email on file.
  • Independent contractors. The parties are independent contractors; nothing in these Terms creates an agency, partnership, or joint-venture relationship.
  • No third-party beneficiaries. Except as expressly stated, these Terms do not confer rights on any third party.

24. Contact

GLACIS Technologies, Inc.
Seattle, Washington, USA
Legal notices: [email protected]
Security: [email protected]
Privacy: [email protected]
Trust Center: trust.glacis.io

