Self-Service Subscription Terms

Alaska Arbitration Notice

NOTICE: THESE TERMS INCLUDE AN ARBITRATION CLAUSE. IF YOU ACCEPT THESE TERMS, YOU CAN BE COMPELLED TO SUBMIT ANY DISPUTE UNDER THESE TERMS TO MANDATORY BINDING ARBITRATION. HOWEVER, BY ACCEPTING THESE TERMS, YOU DO NOT WAIVE YOUR RIGHT TO OBTAIN A JUDICIAL DETERMINATION OF WHETHER A PARTICULAR DISPUTE IS ARBITRABLE. BY ACCEPTING THESE TERMS WITH AN ARBITRATION CLAUSE, YOU WILL BE OR MAY BE LIMITING OR WAIVING YOUR RIGHTS TO (1) HAVE A DISPUTE UNDER THESE TERMS RESOLVED IN A COURT OF LAW, EVEN WHERE THESE TERMS OR THE ARBITRATION AGREEMENT ARE VOID OR VOIDABLE DUE TO REPUDIATION, RESCISSION, FRAUD, DURESS, MISTAKE, OR OTHER GROUNDS; (2) APPEAL THE ARBITRATOR'S DECISION TO A COURT OF LAW; (3) EXERCISE STATUTORY REMEDIES, SUCH AS A LIEN, INJUNCTION, OR CLAIM FOR DAMAGES; (4) HAVE THE DISPUTE DECIDED BY A DECISION MAKER WITH APPROPRIATE TRAINING TO DECIDE THE DISPUTE; (5) USE DISCOVERY AND OTHER EVIDENCE-GATHERING PROCEDURES OTHERWISE AVAILABLE IN AN ACTION BEFORE A COURT OF LAW; (6) OBTAIN A DECISION CONSISTENT WITH THE LAW AND THE FACTS; (7) OBTAIN A WRITTEN STATEMENT OF THE LEGAL AND FACTUAL BASES OF THE DECISION; (8) RECOVER PUNITIVE DAMAGES IF THESE TERMS OR THE ARBITRATION AGREEMENT EXPRESSLY EXCLUDE A RIGHT TO RECOVER PUNITIVE DAMAGES; AND (9) RECOVER ATTORNEY FEES AND COSTS.

Commercial and Professional Boundaries

BUSINESS-USE ONLY. THE SELF-SERVICE PLAN IS OFFERED ONLY FOR INTERNAL BUSINESS USE, NOT FOR PERSONAL, FAMILY, OR HOUSEHOLD USE, AND NOT FOR PUBLIC-SECTOR OR OTHER SPECIAL-COMMITMENT USES UNLESS BOREALIS EXPRESSLY AGREES OTHERWISE IN WRITING.
NO LEGAL, TAX, ACCOUNTING, AUDIT, CERTIFICATION, OR MANAGED GOVERNANCE SERVICES. BOREALIS IS NOT CUSTOMER'S LAW FIRM, CPA FIRM, AUDITOR, ASSESSOR, INSURER, MANAGED SECURITY PROVIDER, MANAGED COMPLIANCE PROVIDER, OR OUTSOURCED CONTROL OPERATOR UNDER THIS SELF-SERVICE PLAN.
NO COMPLIANCE GUARANTEE. CUSTOMER MUST INDEPENDENTLY VALIDATE ITS PROGRAM, IMPLEMENT AND OPERATE ITS OWN CONTROLS, AND USE QUALIFIED LEGAL, COMPLIANCE, SECURITY, AUDIT, AND BUSINESS ADVISORS WHERE APPROPRIATE. BOREALIS DOES NOT GUARANTEE COMPLIANCE, AUDIT READINESS, CERTIFICATION, REVIEWER ACCEPTANCE, PROCUREMENT SUCCESS, OR INSURANCE OUTCOMES.

These Terms are designed for true clickwrap. References to the “Order Page” mean the final Borealis-controlled checkout review screen or in-product paid purchase or upgrade screen displayed immediately before the affirmative assent and purchase action.

1. Acceptance; Contracting Party; Eligibility; Business Use

1.1. These Self-Service Subscription Terms (these “Terms”) are a binding legal agreement between Borealis Security, Inc., an Alaska corporation (“Borealis”), and the customer identified as the contracting party in Borealis’s accepted self-service order record (“Customer”). These Terms govern Customer’s purchase of, access to, and use of Borealis’s self-service subscription plan for the Aurora Command platform, including related hosted services, software, setup services, support, websites used for account administration, Documentation, AI Features, and other functionality Borealis makes available under that self-service plan (collectively, the “Service”).

1.2. Customer accepts these Terms only by completing Borealis’s designated affirmative assent step on the final Order Page or on another Borealis-controlled in-product paid purchase screen that expressly states Customer is agreeing to these Terms. No other act—including browsing a website, creating a free account, submitting billing information, paying an invoice, or merely accessing or using any free, trial, or evaluation functionality—constitutes acceptance of these self-service Terms.

1.3. An order is deemed accepted by Borealis only when Borealis successfully processes the initial charge and provisions the paid plan, or otherwise expressly confirms the order in writing. Borealis may reject, suspend, hold, or cancel any attempted order before that time for fraud, sanctions, security, compliance, business-verification, product-fit, payment, or operational reasons. If Borealis rejects an order before any Setup Commencement Event occurs, Borealis’s sole obligation is to return any unearned amounts actually received for that order.

1.4. Customer must provide accurate and complete business-identifying information requested during checkout or account creation, including Customer’s legal entity name and current billing and contact information. If a person places an order without identifying a legal entity, that person is the contracting party until Borealis expressly approves transfer of the subscription to a legal entity in writing or through a Borealis-designated workflow.

1.5. The individual accepting these Terms or placing an order on behalf of Customer represents and warrants that the individual: (a) is at least the age of majority where the individual resides; (b) has legal capacity to enter into these Terms; and (c) has full power and authority to bind Customer to these Terms and the applicable order.

1.6. The Service is offered only for Customer’s internal business and commercial use. The Service is not offered for personal, family, or household use, and it is not tailored for federal, state, local, tribal, educational, or other public-sector entities. Customer represents and warrants that Customer is acquiring and using the Service solely for internal business purposes and not as a consumer. Borealis may require additional business verification, may refuse orders that appear to be consumer or public-sector purchases, and may suspend or terminate any account Borealis reasonably believes is being used outside the permitted scope.

1.7. If a court, arbitrator, or administrator determines that non-waivable consumer law applies notwithstanding Section 1.6, then the provisions required by that law will control solely to the minimum extent required for the affected dispute or transaction, and the remainder of these Terms will remain in effect to the fullest extent permitted by law.

1.8. Customer agrees that electronic contracts, electronic signatures, electronic notices, electronic records, and electronic archives are valid and enforceable to the fullest extent permitted by law. Borealis’s ordinary-course electronic records—including archived Order Pages, assent logs, payment records, notice logs, support records, and account event logs—are admissible to the fullest extent permitted by law and will be presumed authentic and accurate absent manifest error.

2. Definitions

2.1. “Account” means the account, workspace, tenant, or other logical instance of the Service established for Customer.

2.2. “Account Administrator” means an Authorized User designated by Customer with administrative rights over Customer’s Account, users, settings, billing, integrations, or sharing controls.

2.3. “AI Features” means any generative, predictive, assistive, summarization, drafting, classification, retrieval, scoring, mapping, extraction, or related functionality made available through the Service, whether branded as Aurora Copilot or otherwise.

2.4. “Authorized User” means an employee, contractor, advisor, or other individual authorized by Customer to access or use the Service on Customer’s behalf for Customer’s internal business purposes.

2.5. “Beta Feature” means any alpha, beta, preview, pilot, early-access, experimental, limited-release, or similarly designated feature, integration, or functionality.

2.6. “Borealis Materials” means the Service, software, architecture, interfaces, workflows, data models, prompts, system instructions, templates, taxonomies, Documentation, reports, generic content, and other technology or materials provided by or on behalf of Borealis, excluding Customer Data and Customer-specific Output only to the extent expressly provided in Section 12.2.

2.7. “Confidential Information” means any non-public information disclosed by one party (“Disclosing Party”) to the other party (“Receiving Party”) that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Borealis’s Confidential Information includes the Service, Borealis Materials, source code, non-public pricing, non-public security information, product roadmaps, and performance information. Customer’s Confidential Information includes Customer Data and Customer’s non-public business information disclosed to Borealis in connection with the Service.

2.8. “Customer Data” means data, content, documents, records, files, text, images, configurations, prompts, questionnaires, evidence, control information, policy materials, ticket references, infrastructure information, and other information submitted to, uploaded to, imported into, connected to, or otherwise made available to the Service by or on behalf of Customer, excluding Output, Service Data, Aggregated Data, Borealis Materials, and any public or third-party data that is not specific to Customer.

2.9. “Customer Personal Data” means personal information, personal data, or similar regulated information contained within Customer Data that Borealis processes on Customer’s behalf in connection with the Service.

2.10. “Customer-Supplied API Key” means an API key, credential, token, secret, or other authentication material provided by Customer for use with a third-party model provider, inference provider, or related service selected or approved by Borealis.

2.11. “Documentation” means the product-specific user guides, help-center materials, technical materials, and plan materials that Borealis designates for the self-service plan on its website or within the Service. Documentation excludes marketing pages, blogs, demos, roadmaps, trials, proposal materials, support chats, and public pricing pages other than the accepted Order Page.

2.12. “Order Page” means the final Borealis-controlled checkout review screen or in-product paid purchase or upgrade screen displayed immediately before Customer provides affirmative assent and completes the purchase action, and any immutable order-confirmation page generated from that accepted purchase record.

2.13. “Output” means reports, exports, summaries, answers, mappings, draft text, questionnaires, analyses, or other materials generated or produced for Customer through the Service in response to Customer Data or Customer instructions.

2.14. “Restricted Data” means any data category that Borealis prohibits or materially restricts under these Terms, the Documentation, the accepted Order Page, or Exhibit B.

2.15. “Service Data” means service usage information, logs, telemetry, operational metrics, technical data, billing-consumption data, support metadata, performance data, feature interaction data, and model-routing or infrastructure metadata concerning Customer’s or Authorized Users’ use of the Service that does not constitute Customer Data in raw or intelligible form.

2.16. “Aggregated Data” means Service Data or other data derived from Customer’s use of the Service that has been aggregated and/or de-identified so that it does not identify Customer, any Authorized User, or any natural person, except as may be permitted by applicable law.

2.17. “Setup Commencement Event” means the first Borealis-recorded event showing that Borealis has begun the standard onboarding or activation work for Customer, including paid workspace provisioning, reservation of onboarding capacity, scheduling or delivering an onboarding session, beginning document intake or import preparation, instantiating an initial assessment or template set, or beginning supported connector, environment, or configuration work.

2.18. “Setup Services” means the standard, non-custom onboarding and activation services Borealis may provide for the self-service plan, including onboarding of Customer’s existing materials, assistance with completion of initial onboarding tasks and an initial assessment, and setup of supported environment, connector, or related configuration components, solely to the extent included in the applicable self-service plan or Order Page.

2.19. “Subscription Term” means the initial monthly term and each monthly renewal term for Customer’s paid subscription under these Terms.

2.20. “Third-Party Service” means any third-party product, service, website, content, data source, model provider, cloud platform, repository, integration, connector, API, or software not owned by Borealis.

2.21. “Borealis-signed writing” means a written instrument or electronic document expressly approved by Borealis through an authorized officer or other expressly authorized signatory of Borealis. Automated emails, support messages, ticket comments, and unsigned order acknowledgments are not Borealis-signed writings.

3. Order Page; Scope; Document Hierarchy; No Other Terms

3.1. These Terms apply only to Borealis’s monthly recurring self-service subscription plan purchased through Borealis’s designated self-service flow. These Terms do not govern any enterprise agreement, managed-services engagement, professional-services statement of work, purchase order, negotiated order form, annual commitment, or other written agreement separately signed by Borealis.

3.2. The accepted Order Page is incorporated into these Terms by reference. The Order Page controls only with respect to the specific purchased plan, fees, setup fee, included usage, billing cadence, and other expressly stated commercial details of that accepted purchase. If there is a conflict between the Order Page and these Terms, the Order Page controls only for that specific commercial conflict.

3.3. The following documents may apply, solely as and to the extent stated in these Terms: (a) Documentation; (b) Borealis’s acceptable use, security, or product-use rules made available for the self-service plan; (c) Borealis’s Privacy Policy, solely with respect to Borealis’s handling of personal information about Customer personnel, website visitors, and other direct relationship data for which Borealis acts as an independent business or controller; and (d) if Borealis separately makes it available and Customer validly accepts it through a Borealis-designated process, Borealis’s standard data processing addendum (“DPA”).

3.4. Unless a separate Borealis-signed writing states otherwise, the order of precedence is: (a) the accepted Order Page, but only for the specific commercial details identified there; (b) the DPA, but only for the processing of Customer Personal Data to the extent the DPA applies; (c) these Terms; (d) Borealis’s acceptable use, security, and product-use rules for the self-service plan; and (e) Documentation. Borealis’s Privacy Policy does not expand Borealis’s rights in Customer Data, does not create product warranties or service levels, and does not override these Terms or any DPA.

3.5. Borealis may update Documentation and product-use rules from time to time for future operation of the Service. No such update will retroactively alter the commercial terms of an accepted order, materially expand Borealis’s rights in Customer Data, or materially reduce the core paid functionality committed for a current paid monthly term except as expressly permitted by Sections 7, 8.9, 10, or 20.4.

3.6. Any purchase order, procurement portal term, click-through term provided by Customer, invoice instruction, vendor-registration term, or other unilateral Customer term is void and has no force or effect, even if referenced in payment, onboarding, support, or administrative communications and even if Borealis does not expressly reject it.

3.7. No statement in a demo, sales conversation, support communication, road map, website copy, FAQ, marketing page, security questionnaire, trust-center material, or email exchange modifies these Terms unless that statement appears in the accepted Order Page, these Terms, a validly accepted DPA, or a separate Borealis-signed writing.

4. Subscription; Access Rights; Accounts

4.1. Subject to Customer’s timely payment of all fees and compliance with these Terms, Borealis grants Customer, during the applicable Subscription Term, a limited, non-exclusive, non-transferable, non-sublicensable right to access and use the Service solely for Customer’s internal business purposes and solely in accordance with the purchased plan, the Documentation, and these Terms.

4.2. Customer may permit only Authorized Users to access the Service. Customer is responsible for all acts and omissions of Authorized Users and any person using Customer’s credentials, Account, links, or environment, whether or not authorized by Customer. Customer must ensure that each Authorized User complies with these Terms.

4.3. Customer is responsible for: (a) maintaining the confidentiality and security of credentials, secrets, tokens, and devices used to access the Service; (b) promptly revoking access for departed or no-longer-authorized users; (c) maintaining accurate account, billing, and contact information; and (d) designating and supervising Account Administrators. Borealis may rely on instructions given through the Account by an Account Administrator and has no duty to verify internal authority within Customer’s organization.

4.4. The applicable limits for the purchased self-service plan—including seats, reviewer access, storage, AI usage, exports, integrations, frameworks, or other resources—are the limits stated on the accepted Order Page, the applicable plan description for that plan, and the in-product billing or usage interface made available for that plan. Documentation may explain how those limits operate, but it will not retroactively increase charges for prior usage. Borealis’s metering, billing, and usage records control absent manifest error.

4.5. Borealis may require multi-factor authentication, password resets, re-verification, rate limits, security restrictions, or other reasonable protective measures for access to the Service or any feature.

4.6. Customer receives no right to source code, object code, software copies, on-premises deployment, dedicated hosting, dedicated infrastructure, data residency commitments, custom development, bespoke implementation, or any service or deliverable not expressly included in the accepted self-service plan.

5. Setup Services

5.1. If Customer’s self-service plan includes Setup Services or Customer pays a setup fee, Borealis may provide only the standard Setup Services included with that plan. Setup Services are limited in scope, standardized, and remote unless Borealis expressly states otherwise in a separate Borealis-signed writing.

5.2. Customer will provide timely cooperation reasonably requested by Borealis for Setup Services, including timely attendance at onboarding sessions, timely provision of requested documentation or access, completion of prerequisite tasks, and timely responses to reasonable setup questions. Borealis is not responsible for delays caused by Customer or Customer’s providers.

5.3. A setup fee, if any, is charged for standard onboarding capacity, workspace activation, initial assessment setup, import preparation, supported configuration work, and other standard activation activities. Unless the accepted Order Page expressly states otherwise, Borealis may begin setup immediately after order acceptance. The setup fee becomes fully earned and non-refundable upon the first Setup Commencement Event reflected in Borealis’s records. If Borealis rejects an order before any Setup Commencement Event occurs, Borealis will return any unearned setup fee actually received for that rejected order.

5.4. Unless the accepted Order Page expressly states otherwise, any Setup Services included with the self-service plan expire sixty (60) days after the earlier of Customer’s purchase date or the date Borealis first makes the paid workspace available. Unused Setup Services do not roll over, convert to credits, or generate refunds.

5.5. Setup Services are intended to facilitate Customer’s use of the Service. They do not include custom professional services, legal review, audit preparation services, procurement assistance, remediation work, bespoke implementation, guaranteed readiness, or guaranteed completion dates or outcomes.

6. AI Features; Output; Customer-Supplied API Keys

6.1. The Service may include AI Features that draft, summarize, classify, extract, map, suggest, retrieve, score, or otherwise generate Output. AI Features may use Borealis technology, third-party model providers, or both. AI Features are probabilistic and may produce inaccurate, incomplete, misleading, outdated, biased, offensive, or non-unique results.

6.2. Customer is solely responsible for reviewing, validating, approving, editing, and deciding whether to use any Output, recommendation, mapping, generated text, or other result from an AI Feature. Customer will not rely on AI Features as a substitute for professional judgment, legal review, compliance review, security review, or audit judgment.

6.3. Included AI usage, if any, is limited to the amount and type stated on the accepted Order Page or in the in-product billing interface for the purchased plan. Borealis may count AI usage by prompt, response, token, model invocation, attachment, compute event, or other technical measure, provided Borealis discloses the then-current counting methodology on the Order Page, in the in-product billing interface, or in Documentation. Borealis may update the counting methodology prospectively for future periods with notice or in-product disclosure; Borealis will not retroactively re-price prior usage under a new methodology.

6.4. Output may not be unique, and the Service or third-party AI systems may generate the same or similar output for Borealis, other customers, or third parties.

6.5. If Borealis makes the feature available, Customer may connect a Customer-Supplied API Key solely for Customer-authorized use of supported AI workflows. Customer authorizes Borealis to use that key only to transmit Customer-authorized requests, prompts, attachments, and related context to the applicable third-party provider and to return the provider’s response through the Service. Borealis may store the key or a tokenized representation of it in encrypted or otherwise commercially reasonable secure form and may delete it in the ordinary course after Customer disconnects it or after termination of the applicable feature or subscription.

6.6. Customer is solely responsible for: (a) all fees, charges, usage, and liabilities associated with Customer’s use of any Customer-Supplied API Key or related third-party provider account; (b) all third-party provider terms, restrictions, retention practices, and privacy or security commitments applicable to Customer’s provider relationship; and (c) ensuring Customer has all rights and permissions needed for Borealis to transmit the requests and context Customer directs through that key. Borealis is not reselling the third-party provider’s service when Customer uses a Customer-Supplied API Key.

6.7. Borealis may disable, refuse, or limit any AI Feature or Customer-Supplied API Key at any time if Borealis reasonably suspects abuse, excessive use, incompatibility, fraud, legal risk, sanctions risk, security risk, or third-party provider changes that make continued support impracticable or unsafe.

7. Service Changes; Support; Beta Features

7.1. Borealis may modify, improve, update, replace, add, or remove parts of the Service from time to time. During a current paid monthly term, Borealis will not intentionally eliminate the core generally available functionality of the purchased plan in a manner that is materially adverse to Customer, except as reasonably necessary for security, legal or compliance requirements, fraud prevention, abuse prevention, system integrity, third-party provider changes, or issues involving Beta Features or Third-Party Services. If Borealis materially reduces core paid functionality during a paid monthly term in breach of this Section, Customer’s sole and exclusive remedy is to cancel the affected subscription and receive a pro rata refund of the unused prepaid subscription fees for the affected remainder of that paid monthly term.

7.2. Customer’s self-service plan includes only the support described on the accepted Order Page or in Documentation. Unless Borealis expressly states otherwise in a separate Borealis-signed writing, the self-service plan does not include any uptime commitment, service-level agreement, service credits, dedicated success manager, guaranteed response time, premium support, procurement package, or custom security review.

7.3. Borealis may designate certain features as Beta Features. Beta Features are offered “AS IS,” may be unavailable or unreliable, may change or terminate at any time, may have reduced or different support, and are excluded from any service warranty or operational commitment in these Terms.

7.4. Borealis may discontinue support for particular integrations, model providers, connectors, or dependent third-party functionality if the third party changes its technology, terms, economics, legal status, or security posture, or if Borealis reasonably determines continued support is inadvisable. Sections 7.1 and 13 govern the consequences of those changes.

8. Fees; Payment Authorization; Auto-Renewal; Taxes; Cancellation

8.1. Customer will pay all fees stated on the accepted Order Page and any validly accepted in-product purchase screen, including subscription fees, setup fees, add-on fees, overage fees, top-up fees, upgrade charges, taxes, and any other amounts properly incurred under these Terms.

8.2. Unless the accepted Order Page expressly states otherwise, the initial Subscription Term begins when Borealis processes the initial charge and provisions the paid plan. Subscription fees are billed in advance on a monthly recurring basis and renew automatically for successive monthly terms until canceled in accordance with these Terms. Borealis’s billing records determine the start and end timestamps of each paid term.

8.3. By providing a payment method, Customer authorizes Borealis and its payment processors to: (a) store Customer’s payment credentials or tokenized credentials; (b) charge the payment method for the initial fees, all recurring subscription fees, setup fees, add-ons, overages, top-ups, prorations, taxes, failed-payment recoveries, and other amounts due under these Terms; (c) submit charges for variable amounts when usage, taxes, proration, or add-ons cause the amount due to vary from cycle to cycle; (d) use issuer, network, or payment-processor account updater services; and (e) retry declined transactions using Borealis’s standard dunning logic. Customer authorizes these charges until the subscription is properly canceled and all amounts due are paid.

8.4. Customer must maintain current billing contacts, billing email addresses, and payment information. Borealis may send receipts, acknowledgments, renewal notices, price-change notices, failed-payment notices, suspension notices, and other billing notices to the billing or administrative email address associated with the Account, and those notices are effective when sent.

8.5. Only an Account Administrator or other authorized billing contact designated by Customer may upgrade, downgrade, or cancel a subscription. Unless the Service expressly states otherwise or non-waivable law requires another method, cancellation must be completed through the online billing interface or another Borealis-designated mechanism. Cancellation stops future renewals only and does not terminate the current paid term. If cancellation is submitted before Borealis’s billing system initiates the next renewal charge, the subscription will not renew. If Borealis’s billing system has already initiated the renewal charge when the cancellation request is submitted, cancellation applies to the following renewal unless Borealis elects otherwise. Account deletion, user deletion, workspace inactivity, or removal of a payment method does not itself cancel recurring billing unless the Service expressly states that it does.

8.6. Borealis may present optional retention offers, discounted offers, or information regarding the effects of cancellation before final confirmation, provided Customer remains able to bypass those offers and complete cancellation through Borealis’s designated process. Borealis may require reasonable online authentication before an online cancellation is processed if Customer has an account.

8.7. Except as expressly required by non-waivable law or expressly stated in these Terms: (a) all fees are non-cancelable and non-refundable; (b) subscription fees are not refundable in whole or in part once charged for a paid term; (c) setup fees are non-refundable once earned under Section 5.3; and (d) unused usage allotments, unused Setup Services, and unused portions of the Service do not create credits or refunds.

8.8. Additional purchases, including upgrades, add-ons, top-ups, additional seats, and feature expansions, are effective only after Customer completes Borealis’s designated in-product purchase flow or other Borealis-controlled purchase flow showing the applicable price, timing, and commercial effect. Borealis may charge those amounts immediately, on a prorated basis, or on the next renewal, as stated in the applicable purchase flow. Downgrades generally take effect on the next renewal unless Borealis expressly states otherwise and do not entitle Customer to refunds for the current paid term.

8.9. Borealis may change future pricing, plan packaging, included usage, billable metrics, or other commercial terms for future renewals by providing advance notice before the renewal on which the change will apply. For monthly business plans, Borealis’s default business practice is at least thirty (30) days’ prior notice, unless a different notice period is required or permitted by non-waivable law, or a change is required sooner for legal, security, tax, fraud-prevention, or third-party pass-through reasons. Customer’s sole remedy if Customer does not agree to a changed renewal price or package is to cancel before that changed renewal takes effect.

8.10. Fees are exclusive of all sales, use, value-added, goods and services, withholding, excise, and similar taxes, duties, or governmental assessments of any nature, except taxes based on Borealis’s net income. Customer is responsible for all such taxes associated with Customer’s purchase, excluding taxes that Borealis is prohibited by law from charging or collecting. If Customer claims an exemption, Customer must provide valid exemption documentation before the applicable charge.

8.11. Customer must notify Borealis in writing of any billing dispute or charge dispute within thirty (30) days after the date the disputed charge first appears or the invoice is issued, whichever occurs first, and must include reasonable supporting detail. If Customer does not do so, Customer waives the dispute to the fullest extent permitted by law. Initiating a chargeback or payment reversal does not relieve Customer of its obligations under these Terms. Customer will reimburse Borealis for reasonable collection costs, chargeback costs, and processing fees arising from unjustified reversals, without limiting Borealis’s other remedies.

8.12. If any charge is declined, returned, reversed, disputed, or unpaid, Borealis may retry payment, require an alternative payment method, suspend access, reduce or revoke features, convert the Account to read-only, or terminate the Account. Suspension or restriction for nonpayment does not relieve Customer of payment obligations. Borealis may condition reinstatement on payment of all past-due amounts and completion of additional verification or security steps.

9. Customer Obligations; Restrictions; Compliance

9.1. Customer represents, warrants, and covenants that: (a) Customer has all rights, consents, permissions, and lawful authority necessary to provide Customer Data to the Service and to authorize Borealis to process, transmit, share, and use it as permitted by these Terms; (b) Customer’s use of the Service, Customer Data, and Customer’s instructions to Borealis will not violate any law, regulation, contract, or third-party right; (c) Customer will use the Service only for lawful internal business purposes; and (d) Customer will comply with all laws applicable to Customer’s business, Customer Data, and Customer’s use of the Service.

9.2. Customer will not, and will not permit any third party to: (a) license, sublicense, sell, resell, rent, lease, transfer, assign, distribute, or otherwise commercially exploit the Service except as expressly permitted by these Terms; (b) reverse engineer, decompile, disassemble, copy, frame, mirror, scrape, or attempt to derive source code, underlying ideas, model prompts, or non-public components of the Service, except to the extent such restriction is prohibited by law; (c) use the Service to build or assist a competing product or service; (d) interfere with, disrupt, or circumvent any security feature, usage limit, authentication control, or technical restriction of the Service; (e) use the Service for benchmarking or public comparative testing without Borealis’s prior written consent; (f) upload Restricted Data except as expressly permitted by a separate Borealis-signed writing or applicable DPA; or (g) use the Service in any way prohibited by Exhibit B.

9.3. Customer is solely responsible for: (a) the substance, accuracy, completeness, legality, quality, and suitability of Customer Data; (b) Customer’s decisions, actions, policies, filings, attestations, reviewer communications, audit responses, procurement responses, and compliance activities; (c) all reliance on any Output or other Service result; and (d) retaining independent copies of any records Customer must preserve.

9.4. Customer will not present the Service or any Output as legal advice, an audit opinion, a regulatory certification, a guarantee of security posture, a guarantee of compliance, or a substitute for Customer’s own judgment and review.

9.5. Customer will not access or use the Service in violation of export-control, sanctions, anti-boycott, anti-corruption, or similar laws. Customer represents that neither Customer nor, to Customer’s knowledge, any person controlling Customer is the target of sanctions or located in a comprehensively sanctioned jurisdiction in a manner that would make Customer’s purchase or use of the Service unlawful. Borealis may suspend or terminate access if Borealis reasonably believes continued performance would violate law or expose Borealis to sanctions or export risk.

9.6. Customer will promptly notify Borealis if Customer becomes aware of unauthorized access to the Account, compromise of credentials, misuse of the Service, or submission of Restricted Data.

10. Customer Data; Privacy; Security; Sharing

10.1. As between the parties, Customer retains all right, title, and interest in and to Customer Data. Subject to these Terms, Customer grants Borealis a worldwide, non-exclusive, royalty-free right and license to host, copy, process, transmit, display, transform, index, store, and otherwise use Customer Data solely as reasonably necessary to provide, operate, secure, maintain, support, troubleshoot, monitor, bill for, and enforce the Service, to prevent fraud or abuse, to comply with law, and as otherwise directed by Customer through the Service.

10.2. Borealis may collect, generate, and use Service Data in connection with the Service. Borealis may use Service Data and Aggregated Data for lawful business purposes, including analytics, service administration, billing, support, security, fraud prevention, abuse prevention, benchmarking, performance optimization, feature development, and product improvement, provided Borealis does not disclose Customer Data in raw or intelligible form or identify Customer or any natural person through Aggregated Data except as permitted by law.

10.3. Unless Customer expressly opts in through a Borealis-approved written or in-product mechanism, Borealis will not use Customer Data or Customer-specific prompts, attachments, or responses derived from Customer Data to train generalized or shared machine-learning or generative-AI models made available to other customers or the public. Borealis may use Service Data, Aggregated Data, Feedback, and de-identified or synthetic materials that do not identify Customer or any natural person to improve the Service and related technologies.

10.4. Customer controls whether, to whom, and what Customer directs Borealis to share from the Service. If Customer directs Borealis to share materials, evidence, questionnaires, exports, links, or trust-center materials with reviewers, vendors, auditors, prospects, or other third parties, Customer is solely responsible for that direction and the consequences of the disclosure. Borealis may rely on instructions given through the Account by an Account Administrator or other authorized user of sharing functionality.

10.5. Borealis will implement and maintain commercially reasonable administrative, technical, and organizational safeguards designed to protect Customer Data in Borealis’s possession against unauthorized access, acquisition, use, or disclosure. Borealis may change those safeguards from time to time, provided Borealis does not materially reduce the overall security posture of the self-service plan except as reasonably necessary to respond to law, security threats, or operational changes.

10.6. If Borealis confirms a Security Incident involving unauthorized access to or acquisition of Customer Data in Borealis-controlled systems used to provide the Service, Borealis will notify Customer without undue delay, taking into account the time needed to determine the scope of the incident, prevent additional harm, and restore service. Borealis’s notice obligation does not apply to unsuccessful security events that do not result in unauthorized access to Customer Data, such as blocked scans, pings, or denial-of-service attempts. Borealis may provide information in phases as it becomes reasonably available.

10.7. If and to the extent Borealis processes Customer Personal Data on Customer’s behalf in a manner that makes Borealis a processor, service provider, or contractor under applicable privacy law, then Borealis will: (a) process that Customer Personal Data only for the limited and specified purposes described in Section 10.1 and as otherwise permitted by applicable law; (b) not sell or share that Customer Personal Data and not retain, use, or disclose it outside the direct business relationship between the parties except as permitted by applicable law and these Terms; (c) require personnel authorized to access that Customer Personal Data to protect its confidentiality; (d) notify Customer if Borealis determines it can no longer meet its obligations under this Section; (e) upon Customer’s written request no more than once per twelve (12) months and at Customer’s reasonable cost, provide commercially reasonable assistance with verified data-subject requests, data-protection obligations, and compliance assessments to the extent required by applicable law, which assistance may be satisfied through then-current summaries, certifications, reports, or questionnaires Borealis makes generally available for the self-service plan; (f) flow down materially similar obligations to subprocessors that process Customer Personal Data on Borealis’s behalf; and (g) delete or return Customer Personal Data in accordance with Section 14.6, subject to backup retention, legal retention, and security requirements. The self-service plan does not include negotiated privacy addenda, on-site audits, custom data-residency commitments, or bespoke security exhibits unless Borealis separately agrees in a Borealis-signed writing.

10.8. If Customer requires additional data-processing terms beyond Section 10.7, Customer must accept Borealis’s then-current standard DPA through Borealis’s designated process, if Borealis makes that process available, or enter into a separate Borealis-signed agreement. Borealis is not required to negotiate Customer paper or customized processor terms for the self-service plan.

10.9. Borealis may use subprocessors, hosting providers, model providers, support tools, payment processors, and other service providers in connection with the Service. Customer authorizes Borealis to disclose Customer Data to such service providers solely as reasonably necessary to provide, support, secure, or administer the Service, subject to Borealis’s obligations under these Terms. Borealis may satisfy any subprocessor-listing obligation for the self-service plan, if any, through a website posting or other reasonable disclosure method.

10.10. Borealis’s Privacy Policy describes Borealis’s handling of personal information relating to Customer personnel, website visitors, and other individuals with whom Borealis has a direct relationship. The Privacy Policy does not expand Borealis’s rights in Customer Data beyond these Terms or any applicable DPA.

10.11. The Service may include retention, deletion, export, or archival features, but Customer remains solely responsible for preserving any records Customer must retain. Borealis is not Customer’s records-management, archival, or e-discovery provider. Customer should maintain independent backups of Customer’s important data and exported materials.

10.12. Except to the extent expressly stated in a separate Borealis-signed writing, the self-service plan does not include commitments regarding data residency, data localization, sector-specific controls, or storage of Customer Data in any particular geography.

11. Confidentiality

11.1. The Receiving Party will: (a) use the Disclosing Party’s Confidential Information only as necessary to exercise its rights or perform its obligations under these Terms; (b) protect the Disclosing Party’s Confidential Information using at least reasonable care and no less than the care the Receiving Party uses to protect its own similar confidential information; and (c) disclose the Disclosing Party’s Confidential Information only to the Receiving Party’s employees, affiliates, contractors, advisors, insurers, financing sources, prospective acquirers, or service providers who have a need to know it for purposes consistent with these Terms and who are bound by confidentiality obligations at least as protective as those in this Section.

11.2. Confidential Information does not include information that the Receiving Party can demonstrate: (a) is or becomes publicly available without breach of these Terms; (b) was lawfully known to the Receiving Party without confidentiality obligation before disclosure; (c) is lawfully received from a third party without confidentiality obligation; or (d) is independently developed without use of the Disclosing Party’s Confidential Information.

11.3. The Receiving Party may disclose Confidential Information to the extent required by law, regulation, subpoena, court order, or governmental demand, provided that, unless legally prohibited, the Receiving Party uses commercially reasonable efforts to give the Disclosing Party prompt notice and a reasonable opportunity to seek confidential treatment or protective relief. Borealis may charge Customer its reasonable costs of responding to third-party legal demands directed to Borealis and seeking Customer Data or Customer-related records, except to the extent the demand arises from Borealis’s breach of these Terms.

11.4. A breach of this Section may cause irreparable harm for which monetary damages may be inadequate. The Disclosing Party may seek equitable relief, including injunctive relief and specific performance, in addition to any other remedies available at law or in equity.

11.5. The confidentiality obligations in this Section survive for five (5) years after termination of these Terms, except that obligations relating to trade secrets, Customer Data, non-public security information, and other information that remains confidential by its nature survive for so long as that information remains non-public.

12. Intellectual Property; Output Rights; Feedback; Publicity

12.1. As between the parties, Borealis and its licensors retain all right, title, and interest in and to the Service and Borealis Materials, including all intellectual-property rights therein and thereto. Except for the limited rights expressly granted to Customer under these Terms, no license or other right is granted by implication, estoppel, or otherwise.

12.2. As between the parties, Customer owns Customer Data. Subject to Customer’s compliance with these Terms, Borealis grants Customer a perpetual, worldwide, non-exclusive, royalty-free license to use, reproduce, modify, distribute, and otherwise exploit Output generated for Customer through the Service for Customer’s business purposes. To the extent Borealis owns copyright in any Customer-specific Output that is protectable and that does not constitute Borealis Materials, Borealis assigns that copyright to Customer upon creation. Borealis and its licensors retain all right, title, and interest in and to the Service, Borealis Materials, Service Data, Aggregated Data, models, prompts, taxonomies, templates, workflows, generic elements, and improvements embodied in or used to generate any Output.

12.3. Customer does not acquire any ownership interest in the Service or Borealis Materials by using or paying for the Service. Customer will not remove or obscure proprietary notices contained in the Service or Borealis Materials.

12.4. If Customer or any Authorized User provides ideas, suggestions, requests, recommendations, corrections, or other feedback regarding the Service (“Feedback”), Borealis may use, disclose, reproduce, modify, distribute, and otherwise exploit that Feedback for any purpose without restriction or compensation, and Customer hereby assigns to Borealis any rights Customer may have in such Feedback.

12.5. Borealis may identify Customer as a customer in private diligence, financing, or acquisition materials disclosed under confidentiality. Any public use of Customer’s name, logo, marks, quote, or case-study content requires Customer’s prior written consent.

13. Third-Party Services

13.1. The Service may interoperate with or enable access to Third-Party Services. Customer’s use of any Third-Party Service is governed solely by the applicable third party’s terms and policies. Borealis does not control and is not responsible for any Third-Party Service.

13.2. If Customer enables a Third-Party Service, Customer authorizes Borealis to access, exchange, transmit, retrieve, transform, store, or display Customer Data and other information as reasonably necessary to interoperate with that Third-Party Service at Customer’s direction.

13.3. Borealis is not liable for any unavailability, inaccuracy, outage, API change, suspension, termination, fee, retention practice, model behavior, security event, data corruption, or other act or omission of any Third-Party Service. Borealis may modify the Service, disable a Third-Party Service integration, or cease supporting a Third-Party Service without liability if the third party changes its technology, economics, legal status, terms, or security posture, or if Borealis reasonably determines continued support is inadvisable.

14. Term; Suspension; Termination; Effect

14.1. These Terms begin when Customer first validly accepts them under Section 1.2 and continue until all Subscription Terms have expired or been terminated. Each Subscription Term renews automatically until canceled or terminated in accordance with these Terms.

14.2. Borealis may suspend or restrict access to all or any part of the Service immediately, with or without notice, if Borealis reasonably determines that: (a) Customer has failed to pay amounts due; (b) Customer or any Authorized User has breached these Terms, including by using Restricted Data or violating Exhibit B; (c) Customer’s use presents a security risk, legal risk, fraud risk, sanctions risk, abuse risk, or material risk of harm to Borealis, the Service, other customers, or third parties; (d) Borealis is required to do so by law, court order, regulator, payment processor, or third-party provider; or (e) the Service or any component thereof is being modified, maintained, or protected. Suspension or restriction does not relieve Customer of payment obligations.

14.3. Either party may terminate these Terms upon written notice if the other party materially breaches these Terms and fails to cure the breach within ten (10) days after notice, except that Borealis may terminate immediately for nonpayment, fraud, sanctions risk, illegal use, misuse of Borealis Materials, unauthorized access, use of Restricted Data, or any breach that by its nature cannot be cured.

14.4. Customer may terminate these Terms by canceling the subscription in accordance with Section 8.5 and ceasing all use of the Service. Borealis may terminate these Terms or Customer’s subscription at any time: (a) for cause under Section 14.3; (b) if required for legal, sanctions, payment-processor, security, fraud, or risk reasons; or (c) for convenience on at least thirty (30) days’ prior notice. If Borealis terminates for convenience under clause (c), Borealis will refund the unused prepaid portion of subscription fees allocable to the remainder of the then-current paid monthly term. Borealis is not required to refund setup fees already earned under Section 5.3 or any other non-refundable charges.

14.5. Upon expiration or termination: (a) Customer’s rights to access and use the Service immediately cease, except to the extent Borealis expressly provides limited post-termination export access under Section 14.6; (b) Customer will stop all use of the Service; (c) any amounts owed to Borealis become immediately due and payable; and (d) Borealis may disable the Account and delete or deprovision credentials, integrations, and configurations in the ordinary course.

14.6. If Customer’s subscription ends, Customer’s access to the Service and Customer Data ends when the paid term ends unless Borealis expressly agrees otherwise in a Borealis-signed writing. Customer is responsible for exporting any data it wants to retain before the effective end of the paid term. After the paid term ends, Borealis may immediately disable ordinary access and, in the ordinary course, will target deletion of the terminated workspace from primary production systems within fourteen (14) days after the end of the paid term, subject to legal retention, backup retention, security logging, disaster-recovery media, fraud prevention, and other protected archival systems that are deleted later in the ordinary course. Borealis is not required to keep a terminated workspace accessible, recoverable, or downloadable after the paid term ends.

14.7. Termination or expiration does not limit either party’s rights or remedies that accrued before termination. Sections that by their nature should survive termination survive, including Sections 1.8, 2, 3, 5.3, 8, 9, 10.2 through 10.12, 11, 12, 14.5 through 14.7, 15.4, 16, 17, 18, 19, and 20.

15. Limited Warranty; Exclusive Remedy; No Reliance

15.1. Each party represents and warrants that it has the full right, power, and authority to enter into these Terms and to perform its obligations hereunder.

15.2. Borealis warrants that, during a paid Subscription Term, the generally available Service will perform in all material respects in accordance with the then-current Documentation applicable to the purchased self-service plan when used as permitted under these Terms. This warranty does not apply to Beta Features, Third-Party Services, AI output accuracy, unsupported use, misuse, Customer-Supplied API Keys, Customer Data issues, or issues caused by Customer systems or third parties.

15.3. Customer’s sole and exclusive remedy, and Borealis’s sole obligation, for breach of Section 15.2 is for Customer to notify Borealis in writing during the affected paid term or within thirty (30) days after the breach is discovered, provide reasonable supporting detail, and allow Borealis a reasonable opportunity to cure. If Borealis does not cure the verified material nonconformity within a reasonable period, Customer may terminate the affected subscription, and Borealis will refund the unused prepaid portion of the subscription fees allocable to the remainder of the then-current paid monthly term. This Section states Borealis’s entire liability and Customer’s exclusive remedy for any breach of warranty or service nonconformity.

15.4. Except for the express warranty in Section 15.2, Customer acknowledges that Customer is purchasing the Service based solely on the functionality expressly described in these Terms, the accepted Order Page, and applicable Documentation, and not in reliance on any statement, promise, road map, demo, marketing material, support communication, procurement response, or oral representation not expressly incorporated into these Terms.

16. Disclaimers

16.1. EXCEPT FOR THE EXPRESS WARRANTY IN SECTION 15.2, THE SERVICE, SETUP SERVICES, AI FEATURES, OUTPUTS, BETA FEATURES, DOCUMENTATION, THIRD-PARTY SERVICES, AND ALL RELATED MATERIALS ARE PROVIDED “AS IS” AND “AS AVAILABLE.” TO THE MAXIMUM EXTENT PERMITTED BY LAW, BOREALIS AND ITS LICENSORS DISCLAIM ALL WARRANTIES AND REPRESENTATIONS, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, QUIET ENJOYMENT, ACCURACY, AND ANY WARRANTIES ARISING OUT OF COURSE OF DEALING, USAGE, OR TRADE.

16.2. WITHOUT LIMITING THE FOREGOING, BOREALIS DOES NOT WARRANT OR REPRESENT THAT THE SERVICE OR ANY OUTPUT WILL: (a) BE ERROR-FREE, UNINTERRUPTED, OR SECURE FROM ALL THREATS; (b) BE ACCURATE, COMPLETE, CURRENT, OR FIT FOR CUSTOMER’S PARTICULAR PURPOSE; (c) SATISFY ANY LEGAL, REGULATORY, CONTRACTUAL, AUDIT, CERTIFICATION, PROCUREMENT, OR COMPLIANCE REQUIREMENT; (d) RESULT IN AUDIT READINESS, SECURITY READINESS, PROCUREMENT APPROVAL, FRAMEWORK CONFORMITY, OR ANY OTHER BUSINESS OUTCOME; OR (e) OPERATE WITH ANY PARTICULAR THIRD-PARTY SERVICE, MODEL PROVIDER, OR CUSTOMER ENVIRONMENT.

16.3. CUSTOMER IS SOLELY RESPONSIBLE FOR ITS COMPLIANCE PROGRAM, SECURITY PROGRAM, LEGAL AND REGULATORY OBLIGATIONS, HUMAN REVIEW, DISCLOSURES, FILINGS, ASSERTIONS, AND DECISIONS TO SHARE, SUBMIT, RELY ON, OR ACT ON ANY OUTPUT OR OTHER SERVICE RESULT.

16.4. Borealis is not responsible for delay, failure, or inadequacy caused by Customer, Authorized Users, Customer systems, Customer environments, Customer-Supplied API Keys, internet or telecommunications failures, cloud or hosting disruptions, model-provider issues, or Third-Party Services.

17. Indemnification

17.1. Customer will defend, indemnify, and hold harmless Borealis, its affiliates, and their respective officers, directors, employees, contractors, successors, and assigns from and against any and all third-party claims, demands, actions, suits, investigations, damages, liabilities, losses, judgments, settlements, penalties, fines, costs, and expenses (including reasonable attorneys’ fees) arising out of or relating to: (a) Customer Data, Output used by Customer, or Customer’s use, disclosure, or processing thereof; (b) Customer’s or any Authorized User’s use of the Service, AI Features, a Customer-Supplied API Key, or any Third-Party Service in violation of these Terms or applicable law; (c) Customer’s breach of Sections 1, 5, 8, 9, 10, 12, or Exhibit B; (d) allegations that Customer Data, Customer’s instructions, or Customer’s use of the Service infringes, misappropriates, or violates any third-party right or applicable law; or (e) Customer’s decisions, filings, statements, certifications, reviewer communications, procurement responses, or compliance actions.

17.2. Borealis will: (a) promptly notify Customer of any claim for which Borealis seeks indemnification, provided delay in notice does not relieve Customer except to the extent Customer is materially prejudiced; (b) permit Customer to control the defense and settlement of the claim with counsel reasonably acceptable to Borealis; and (c) provide reasonable cooperation at Customer’s expense. Borealis may participate in the defense with counsel of its choice at its own expense. Customer may not settle any claim in a manner that admits fault of Borealis, imposes obligations on Borealis, or fails to fully and unconditionally release Borealis without Borealis’s prior written consent. If Customer fails to promptly assume or diligently conduct the defense, Borealis may assume the defense at Customer’s expense, without waiving Customer’s indemnity obligations.

18. Limitation of Liability

18.1. TO THE MAXIMUM EXTENT PERMITTED BY LAW, IN NO EVENT WILL BOREALIS OR ITS AFFILIATES BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR FOR ANY LOSS OF PROFITS, REVENUE, GOODWILL, BUSINESS, DATA, OR USE, OR FOR THE COST OF SUBSTITUTE GOODS OR SERVICES, ARISING OUT OF OR RELATING TO THESE TERMS OR THE SERVICE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND EVEN IF A LIMITED REMEDY FAILS OF ITS ESSENTIAL PURPOSE.

18.2. TO THE MAXIMUM EXTENT PERMITTED BY LAW, THE AGGREGATE LIABILITY OF BOREALIS AND ITS AFFILIATES ARISING OUT OF OR RELATING TO THESE TERMS OR THE SERVICE WILL NOT EXCEED THE TOTAL AMOUNT OF FEES ACTUALLY PAID BY CUSTOMER TO BOREALIS UNDER THESE TERMS DURING THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM.

18.3. The exclusions and limitations in this Section apply regardless of the form of action, whether in contract, tort (including negligence), strict liability, statute, or otherwise. Nothing in this Section limits Customer’s payment obligations, Customer’s indemnification obligations, Customer’s liability for breach of Sections 1, 8, 9, 11, 12, or Exhibit B, or either party’s liability to the extent such limitation is prohibited by non-waivable law.

18.4. Customer acknowledges that the pricing of the self-service plan reflects this allocation of risk and that Borealis would not enter into these Terms without the disclaimers and limitations in these Terms.

19. Dispute Resolution; Arbitration; Class Waiver

19.1. Informal Dispute Resolution. Before either party commences arbitration or court proceedings (except for the provisional relief expressly permitted below), the complaining party must provide the other party with a written notice of dispute describing the claim and the relief requested. The parties will attempt in good faith to resolve the dispute informally for at least sixty (60) days after that notice before commencing arbitration or court proceedings.

19.2. Agreement to Arbitrate. Except for disputes that qualify for small claims court and claims for provisional injunctive or other equitable relief necessary to protect a party’s Confidential Information, intellectual property, or service integrity pending completion of arbitration, any dispute, claim, or controversy arising out of or relating to these Terms or the Service will be resolved by binding arbitration on an individual basis.

19.3. Arbitration Rules; Seat; Forum. The arbitration will be administered by the American Arbitration Association (“AAA”) under its Commercial Arbitration Rules in effect when the arbitration is commenced, except as modified by these Terms. The seat and legal place of arbitration is Anchorage, Alaska, although either party may request that hearings occur remotely by video, teleconference, or document submission to the fullest extent permitted by the applicable rules. If the AAA, an arbitrator, or a court determines that the AAA’s Consumer Arbitration Rules or another fee schedule or rule set must apply because the claimant is an individual using or subscribing to the Service as an individual and not incorporated, or because non-waivable law so requires, then those rules will apply solely to that dispute to the minimum extent required.

19.4. Arbitrator; Authority. The arbitration will be conducted by one neutral arbitrator selected under the applicable AAA rules. The arbitrator will have exclusive authority to resolve all disputes arising out of or relating to the interpretation, applicability, enforceability, or formation of this arbitration agreement, except that a court of competent jurisdiction may determine the enforceability of the class-action waiver in Section 19.5 and may grant the provisional relief permitted by Section 19.2.

19.5. Individual Proceedings Only; Class and Consolidation Waiver. TO THE MAXIMUM EXTENT PERMITTED BY LAW, EACH PARTY MAY BRING CLAIMS AGAINST THE OTHER ONLY IN ITS INDIVIDUAL CAPACITY AND NOT AS A PLAINTIFF, CLAIMANT, CLASS MEMBER, REPRESENTATIVE, PRIVATE ATTORNEY GENERAL, OR RELATOR IN ANY PURPORTED CLASS, COLLECTIVE, CONSOLIDATED, MASS, REPRESENTATIVE, OR OTHER PROCEEDING. THE ARBITRATOR MAY NOT CONSOLIDATE MORE THAN ONE PERSON’S CLAIMS OR OTHERWISE PRESIDE OVER ANY FORM OF REPRESENTATIVE, CLASS, OR CONSOLIDATED PROCEEDING EXCEPT TO THE LIMITED STAGED EXTENT EXPRESSLY SET FORTH IN SECTION 19.6.

19.6. Coordinated Filings; Staged Bellwether Process. If twenty-five (25) or more arbitration demands asserting substantially similar claims are filed against Borealis or related parties within a one-hundred-eighty (180)-day period by or with the assistance of the same law firm, law firms acting in coordination, or coordinated counsel, the parties agree, to the fullest extent permitted by the applicable arbitral rules, to administer those demands in a staged process rather than proceeding with all demands at once. The parties will first select ten (10) demands as bellwethers, with Borealis selecting five (5) and claimants’ counsel selecting five (5). All remaining demands will be stayed pending completion of the bellwether arbitrations and a good-faith mediation. All applicable statutes of limitation, contractual filing deadlines, and limitation periods for the stayed demands will be tolled from the date those demands were first submitted to the administrator until the stay is lifted. If disputes remain after mediation, the remaining demands will proceed in successive batches of up to twenty-five (25) demands, unless the administrator or a court orders a different batch size for efficiency or to conform to applicable rules. If the applicable arbitral rules classify coordinated or mass filings differently, those rules govern administrative classification, but the parties still agree to the staged process in this Section to the fullest extent the administrator permits. Nothing in this Section authorizes class, collective, representative, or non-individual monetary relief. If the administrator declines to administer a staged process substantially consistent with this Section, either party may ask a court of competent jurisdiction to enforce this Section or appoint a substitute process or administrator to the maximum extent permitted by law.

19.7. Confidentiality of Dispute Process. The parties will maintain the confidentiality of any arbitration, including the demand, pleadings, discovery, testimony, hearing, and award, except as reasonably necessary to prosecute or defend the dispute, enforce an award or court order, comply with law, or disclose to attorneys, accountants, insurers, auditors, financing sources, or prospective acquirers who are bound by confidentiality obligations.

19.8. Fees. Each party will bear its own attorneys’ fees and costs, except as otherwise required by applicable law, the AAA rules, or these Terms. Borealis may seek recovery of attorneys’ fees and costs for collection actions, provisional equitable-relief actions, and any proceeding to enforce Sections 8, 9, 11, 12, 17, or 19, to the extent permitted by law or the applicable rules.

19.9. Limitation Period. To the maximum extent permitted by law, any claim or cause of action arising out of or relating to these Terms or the Service must be filed within one (1) year after the claim or cause of action arose, or it is forever barred. Section 19.6’s tolling rule applies to the extent stated there.

19.10. Jury Trial Waiver. If for any reason a dispute proceeds in court rather than arbitration, each party knowingly and irrevocably waives any right to a jury trial to the fullest extent permitted by law.

19.11. Severability; Fallback. If Section 19.5’s class or representative-action waiver is held unenforceable as to a particular claim or request for relief, then that claim or request for relief will proceed only in a court of competent jurisdiction in Anchorage, Alaska, and not in class or representative arbitration. If the arbitration agreement in this Section is otherwise held unenforceable, or the designated administrator declines to administer the arbitration and no substitute administrator is appointed, the parties agree that the exclusive forum for the dispute will be the state or federal courts located in Anchorage, Alaska, and each party irrevocably submits to that forum, subject to the other provisions of these Terms.

19.12. Opt-Out Not Available. Because these Terms govern a business-use self-service subscription offered on the basis of uniform, scalable commercial terms, Customer does not have a unilateral right to opt out of this arbitration agreement.

20. Miscellaneous

20.1. Governing Law. These Terms and any dispute arising out of or relating to these Terms or the Service will be governed by the laws of the State of Alaska and applicable federal law, without regard to conflict-of-laws rules that would require the application of another jurisdiction’s laws. The United Nations Convention on Contracts for the International Sale of Goods does not apply.

20.2. Notices. Except where these Terms expressly permit notice through the Service or email, legal notices under these Terms must be in writing and sent by nationally recognized courier, certified mail, or email to the address or email designated by the receiving party for legal notices. Borealis may provide legal notice details through the Order Page, the Service, invoice materials, or Borealis’s website. Customer’s legal notice address is the then-current billing or administrative address and email associated with the Account unless Customer designates another legal notice address in writing.

20.3. Changes to Terms. Borealis may modify these Terms from time to time. For existing accepted subscriptions, changes that materially increase Customer’s payment obligations, materially expand Borealis’s rights in Customer Data, materially expand Customer’s restrictions, or materially reduce Borealis’s core paid commitments will become effective no earlier than the next renewal term after Borealis provides notice, unless Borealis obtains earlier affirmative assent from Customer or a different timing is required sooner for legal, security, tax, fraud-prevention, or operational reasons. Borealis may require Customer to click through updated Terms in order to continue renewing or using the Service. Customer’s sole remedy if Customer does not agree to an update is to cancel before the update takes effect for the next renewal.

20.4. Assignment. Customer may not assign, transfer, delegate, or sublicense these Terms or any rights or obligations under them, whether by operation of law or otherwise, without Borealis’s prior written consent. Any purported assignment in violation of this Section is void. Borealis may assign or transfer these Terms without Customer’s consent in connection with a merger, acquisition, corporate reorganization, sale of assets, financing transaction, or by operation of law.

20.5. Subcontracting. Borealis may use affiliates, subcontractors, subprocessors, and other service providers in connection with the Service and performance of these Terms. Borealis remains responsible for their performance to the extent required by law, subject to the limitations of these Terms.

20.6. Force Majeure. Borealis is not liable for any delay, interruption, or failure to perform resulting from any cause beyond its reasonable control, including acts of God, labor disputes, internet or telecommunications failures, utility failures, denial-of-service attacks, cyberattacks, cloud provider failures, hosting failures, model-provider failures, changes in third-party services, epidemics, pandemics, war, terrorism, riots, civil unrest, governmental action, sanctions, embargoes, or natural disasters.

20.7. Independent Contractors. The parties are independent contractors. These Terms do not create any partnership, joint venture, agency, fiduciary, employment, or franchise relationship between the parties. Neither party has authority to bind the other.

20.8. Severability; Waiver. If any provision of these Terms is held unenforceable, that provision will be enforced to the maximum extent permitted and the remaining provisions will remain in full force and effect. A waiver of any breach or provision is effective only if in writing and signed by the waiving party. No failure or delay in exercising any right constitutes a waiver.

20.9. Interpretation; Language. Headings are for convenience only and do not affect interpretation. The words “including,” “include,” and similar terms mean “including without limitation.” These Terms will be interpreted fairly and not for or against either party based on authorship. Except as expressly stated otherwise, remedies are cumulative. The governing language of these Terms is English.

20.10. Entire Agreement. These Terms, together with the accepted Order Page and any validly accepted DPA, are the entire agreement between the parties regarding their subject matter and supersede all prior or contemporaneous proposals, statements, understandings, and agreements relating to that subject matter. No amendment or waiver is binding unless made in a manner permitted by these Terms or in a separate Borealis-signed writing.

20.11. Government and Regulated Customers. The self-service plan is not offered under terms tailored for government entities, higher-education institutions, regulated health-care uses, payment-card environments, export-controlled data environments, or other customers requiring sector-specific or negotiated obligations. Any such customer must have a separate Borealis-signed written agreement. Absent such an agreement, Borealis may reject or terminate the order or account.

20.12. Contact. Questions about these Terms may be directed to Borealis through the support or legal contact information Borealis makes available on its website or in the Service.

20.13. Relationship to Separate Borealis Managed Services Agreements. If Customer later enters into a separate Borealis-signed managed services, professional services, or annual invoiced agreement under which Borealis Security, Inc. provides managed governance, implementation, or other services and includes Aurora Command access as part of that relationship, that separate agreement controls with respect to those services and that included access to the extent of any conflict. These Terms continue to govern any self-service subscription purchased through Borealis’s designated self-service purchase flow unless and until Borealis expressly provides otherwise in a separate Borealis-signed writing.

20.14. No Third-Party Beneficiaries. These Terms are solely for the benefit of Borealis and Customer. No affiliate, Authorized User, reviewer, procurement recipient, insurer, auditor, regulator, counterparty, referral recipient, or other third party is an intended beneficiary of these Terms or has any right to enforce them, except to the extent a separate written agreement expressly states otherwise.

Exhibit A. Service Description and Commercial Terms

A.1. Self-Service Plan. These Terms govern only the Borealis self-service plan identified on the accepted Order Page. The specific plan name, included seats, storage, usage, setup fee, price, and other entitlements are those shown on the accepted Order Page and any later Borealis-controlled in-product purchase flow validly accepted by Customer.

A.2. Monthly Recurring Only. This version of the self-service plan is a monthly recurring subscription billed in advance and renewing automatically each month until canceled. Any annual, multi-month, prepaid, or nonstandard commitment is outside the scope of these Terms unless Borealis expressly authorizes it in a separate Borealis-signed writing or a Borealis-approved alternative order form.

A.3. Included Functionality. The self-service plan may include access to Borealis’s hosted workspace for organizing controls, evidence, mappings, documentation, questionnaires, reviewer sharing, exports, dashboards, AI Features, and other functionality generally made available within that plan tier. Sections 7 and 13 govern changes to included functionality.

A.4. No SLA; Standard Support Only. The self-service plan does not include any uptime guarantee, service credits, premium support, dedicated success manager, formal procurement package, or custom security review unless Borealis expressly states otherwise in a separate Borealis-signed writing.

A.5. No Managed Compliance or Legal Services. The self-service plan is a software subscription. It does not include outsourced governance, outsourced compliance operations, vCISO services, law-firm services, legal review, audit execution, assessor services, or any representation that Borealis acts as Customer’s CISO, compliance officer, attorney, accountant, or auditor.

A.6. Plan Limits. Seats, storage, AI usage, reviewer access, exports, integrations, connectors, frameworks, or other resources may be subject to plan-specific limits stated on the accepted Order Page, the applicable plan description for that plan, or the in-product billing interface for that plan. Borealis may enforce limits by warning, throttling, disabling over-limit use, restricting features, or requiring an upgrade.

A.7. AI Usage Allotment. Any included AI usage allotment is limited to the monthly amount specified on the accepted Order Page or in the in-product billing interface. Unused monthly allotments expire at the end of the applicable monthly billing period and do not roll over.

A.8. Customer-Supplied API Key Option. If Borealis makes the feature available in the self-service plan, Customer may connect a Customer-Supplied API Key to obtain AI functionality using Customer’s own third-party provider account, subject to Sections 6, 10, and 13 of these Terms. Borealis may limit models, providers, throughput, regions, or workflows supported through a Customer-Supplied API Key.

A.9. Setup Services Scope. If Customer pays a setup fee or the Order Page indicates Setup Services are included, Borealis may provide standard activation and onboarding assistance that may include: (a) onboarding of Customer’s existing materials into the Service; (b) guidance and assistance aimed at helping Customer complete the standard onboarding process and an initial assessment within the Service; and (c) supported setup of Customer’s environment, connectors, or infrastructure-related configuration within the scope of the purchased plan. Setup Services do not include custom professional services, remediation work, bespoke implementation, or guarantees of timing or outcome.

A.10. No Data Residency; No Sector-Specific Terms. Unless Borealis expressly states otherwise in a separate Borealis-signed writing, the self-service plan does not include data residency, data localization, HIPAA, PCI, public-sector, or other sector-specific commitments.

A.11. Order Page Controls. If any commercial term in this Exhibit conflicts with the specific commercial details on the accepted Order Page, the accepted Order Page controls for that conflict.

Exhibit B. Acceptable Use and Prohibited Data

B.1. General Restrictions. Customer will not use the Service to store, process, transmit, or share any data or content that Borealis prohibits by these Terms, the accepted Order Page, the Documentation, or in-product notices.

B.2. Prohibited or Restricted Categories. Unless Borealis expressly agrees in a separate Borealis-signed writing or applicable DPA, Customer will not upload, input, transmit, or otherwise make available through the Service: (a) protected health information regulated by HIPAA or similar health privacy laws; (b) payment card data subject to PCI DSS, including full primary account numbers, magnetic stripe data, CVV/CVC values, or equivalent payment authentication data; (c) Social Security numbers, driver’s-license numbers, passport numbers, national-identification numbers, taxpayer-identification numbers, or similar government-issued identifiers, except in masked or truncated form where strictly necessary and lawful; (d) financial-account credentials, security answers, passwords, private keys, seed phrases, multifactor-authentication seeds, or other authentication secrets for third-party accounts; (e) biometric identifiers, biometric information, faceprints, voiceprints, or similar uniquely identifying biometric data; (f) personal data of children under sixteen (16) or data subject to COPPA or substantially similar child-privacy laws; (g) classified information, export-controlled technical data, ITAR-controlled data, controlled unclassified information, or data subject to national-security restrictions; (h) criminal-history data, union-membership data, precise geolocation history, or similar highly sensitive categories whose processing would require additional contractual protections or legal review that Borealis has not expressly agreed to provide; (i) data obtained unlawfully or without sufficient notice, consent, or authority; (j) malware, ransomware, spyware, malicious code, exploit code, or files intended to damage or gain unauthorized access to any system; (k) content that infringes, misappropriates, or violates any intellectual-property, privacy, publicity, confidentiality, employment, or other third-party right; or (l) any data that, by its nature or applicable law, would require Borealis to enter into obligations beyond those expressly set forth in these Terms for the self-service plan.

B.3. High-Risk Use Prohibition. Customer will not use the Service in connection with emergency response, law-enforcement decisioning, life-support systems, weapons systems, critical infrastructure control, or any use where inaccurate, delayed, or unavailable results could reasonably be expected to cause death, personal injury, or severe property or environmental damage.

B.4. Security Testing Restriction. Customer will not conduct or permit any penetration test, vulnerability scan, load test, denial-of-service test, or similar security or performance test against the Service without Borealis’s prior written approval.

B.5. Consequences. If Customer submits Restricted Data or otherwise violates this Exhibit, Borealis may remove or disable access to the affected data, suspend the Account, require remedial action, or terminate the subscription, in each case without liability and without limiting Borealis’s other rights or remedies.

Exhibit C. Trust Center, Governance Package, Professional Boundaries, and Required Validation

C.1. Trust Center and Live Trust Materials. Borealis may make security documentation, retention summaries, subprocessor information, audit-support materials, reviewer packages, questionnaire artifacts, policy summaries, state-requirement summaries, diligence materials, and other trust materials available through an authenticated trust center, reviewer portal, or successor system (collectively, the “Trust Center”). Access may be conditioned on identity verification, role-based permissions, separate clickwrap acceptance, confidentiality obligations, watermarking, monitoring, logging, rate limits, approval workflows, export controls, and revocation. Except to the extent a specific document is expressly identified in these Terms, the accepted Order Page, or a Borealis-signed writing as contractually incorporated, Trust Center content is informational only, may change over time, and does not create a warranty, service-level commitment, certification, legal opinion, audit opinion, or professional-services commitment.

C.2. Governance Package, Framework Content, Templates, and Similar Materials. Any governance package, readiness package, “Aurora package,” framework mapping, control library, sample policy, template response, maturity rubric, checklist, risk prompt, assessment workflow, suggested control statement, remediation note, reviewer package, state-law summary, breach-checklist item, or similar content made available through the Service or Trust Center is a generalized operational aid only. Such materials may reflect Borealis’s generalized understanding of public information, customer-supplied information, or reviewer expectations as of a point in time. They are not legal advice, regulatory advice, audit advice, attestation, certification, attorney work product, accounting advice, or virtual-CISO, managed-compliance, or other professional services unless Borealis separately agrees in a Borealis-signed writing outside the self-service plan.

C.3. Status Indicators, Freshness Labels, and Workflow Signals. Any status, label, reminder, flag, timer, due date, “current,” “fresh,” “ready,” “approved,” “reviewed,” “mapped,” “covered,” “complete,” “closed,” “green,” or similar designation in the Service or Trust Center is a workflow aid only. These labels do not certify factual accuracy, legal sufficiency, evidence completeness, control operation, auditor acceptability, reviewer acceptability, or ongoing compliance, and they may be wrong, delayed, stale, incomplete, or not reflective of changes in Customer’s environment, law, standards, reviewer expectations, or third-party conditions.

C.4. Required Customer Validation and Legal Review. Customer must independently evaluate and validate all framework mappings, governance content, policies, evidence selections, risk statements, questionnaires, reviewer packages, AI outputs, setup guidance, state-law summaries, and other materials before relying on, distributing, filing, publishing, certifying, or acting on them. Customer must use qualified internal or external legal, compliance, security, audit, privacy, insurance, and business personnel, as appropriate, to review and approve materials used for regulatory, contractual, procurement, underwriting, audit, or other consequential purposes. Borealis has no duty to interpret law for Customer, to tell Customer which controls are legally required, to verify that Customer’s program satisfies any framework or obligation, to ensure a review package is complete or up to date, or to monitor legal or standards changes for Customer’s benefit.

C.5. No Professional, Fiduciary, or Advisory Relationship. Under the self-service plan, Borealis is not Customer’s law firm, attorney, CPA firm, accountant, auditor, assessor, compliance officer, virtual CISO, consultant of record, fiduciary, broker, insurer, agent, MSP, MSSP, managed compliance provider, or outsourced control operator. Borealis does not undertake a professional duty of care to detect gaps, escalate omissions, design Customer’s governance or legal program, ensure evidentiary sufficiency, prevent Customer from making a mistaken statement, submission, or certification, or maintain Customer’s compliance obligations for Customer. Any setup assistance, onboarding help, framework guidance, state-law content, or product support remains limited product assistance and does not create a professional-advisory relationship.

C.6. Specific Risk Allocation for Compliance Outcomes and Interpretation Errors. Customer assumes all risk arising from stale or inaccurate Customer Data; omitted evidence; mistaken framework mappings; mistaken or changing legal, contractual, underwriting, procurement, or audit interpretations; reviewer disagreement; insurer, auditor, customer, or regulator rejection; control design failures; control operating failures; personnel errors; or Service, Trust Center, workflow, reviewer-access, or AI mistakes, outages, or delays. Without limiting Sections 16 or 18, Borealis is not liable for fines, penalties, remediation costs, audit costs, re-performance costs, breach-notification costs, procurement delays, lost business opportunities, increased insurance premiums, failed assessments, contractual breaches to Customer’s counterparties, or any other consequences of Customer’s compliance, governance, legal, underwriting, or disclosure decisions.

C.7. Precedence. This Exhibit is incorporated into and supplements these Terms. If there is a conflict between this Exhibit and a less specific statement elsewhere in the self-service package regarding Trust Center materials, governance content, professional boundaries, or required validation, this Exhibit controls to the maximum extent permitted by law.