Terms of Service.
The agreement between you and Kanonik for use of our platform.
1. Definitions
In these Terms:
- "Provider", "we", "us" means Kanonik LLC, organised under the laws of the State of Wyoming, United States of America.
- "Customer", "you" means the legal entity that has accepted these Terms and any individuals you authorise to use the Service on its behalf.
- "Service" means the Kanonik hosted software platform, including the MCP server, Verifier, audit-log subsystem, dashboard, REST API, and any related documentation.
- "Customer Data" means any data, content, configurations, and records that you, your authorised users, or your connected GRC tool input into the Service or that the Service generates from such inputs on your behalf.
- "Subscription" means your paid plan tier (Solo, Team, Business, or Enterprise) and any add-ons.
- "Documentation" means the technical and policy documents we publish at kanonik.ai, including this document, the Privacy Policy, and the Data Processing Addendum.
2. Acceptance of terms
By creating an account, signing an order form, or otherwise using the Service, you confirm that (a) you are at least 18 years old or the legal age of majority in your jurisdiction, (b) you have the authority to bind the Customer entity to these Terms, and (c) you accept these Terms together with the Privacy Policy and, where applicable, the Data Processing Addendum.
If you do not agree, do not use the Service.
3. The service
Kanonik provides an MCP-native intelligence layer that connects your AI assistant (Anthropic Claude, OpenAI, AWS Bedrock, Google Gemini, Azure OpenAI, or any MCP-compatible model; you provide and operate the account) to your governance, risk, and compliance (GRC) tooling. The Service includes a non-bypassable Verifier, a human-approval gate, a hash-chained audit log, and the Auditor Export bundle.
The Service is provided on a subscription basis. Available connectors, frameworks, capacity caps, and approval channels depend on your Subscription tier and are described on the Pricing page.
We may update, enhance, or modify features over time. We will not materially reduce the core functionality of your Subscription tier without notice. Where a change is material, we will give you reasonable prior notice via email or in-app notification.
4. Your account
You are responsible for the security of your account credentials and for all activity under your account. You agree to:
- Provide accurate, current, and complete information when signing up;
- Promptly update your information if it changes;
- Keep your login credentials confidential and not share them with anyone outside your authorised users;
- Enable multi-factor authentication for any account with privileged permissions;
- Notify us promptly at [email protected] of any suspected unauthorised access.
You are responsible for ensuring your authorised users comply with these Terms. Acts and omissions of your authorised users are deemed your acts and omissions.
5. Acceptable use
You agree not to, and not to permit anyone to:
- Use the Service in violation of any applicable law or regulation, including export control, sanctions, data protection, or intellectual property law;
- Attempt to bypass the Verifier, the approval gate, or any other security control of the Service;
- Reverse engineer, decompile, or disassemble the Service or any of its components, except to the extent expressly permitted by applicable law;
- Probe, scan, or test the vulnerability of the Service except under a written authorised testing arrangement with us;
- Submit Customer Data that infringes a third party's rights, contains malware, or that you are not authorised to process under applicable law;
- Use the Service to develop a competing product;
- Resell, sublicense, or otherwise transfer access to the Service to a third party without our prior written consent (vCISO and MSP licensing is permitted under specific Subscription terms);
- Generate excessive load that materially degrades the Service for other customers;
- Misrepresent the source, integrity, or audit-readiness of any output produced by the Service.
We may suspend or terminate access for material breach of this section, with notice where reasonable and immediately where the breach poses an imminent risk to the Service, other customers, or third parties.
6. Subscription & fees
6.1 Plans and tiers
Subscription tiers, prices, included usage caps, and feature differences are described on the Pricing page. Prices are in U.S. dollars unless otherwise stated and do not include applicable taxes, which will be added at checkout where required.
6.2 Billing
Subscriptions are billed in advance on a monthly or annual basis depending on your selection. Payment is processed through our payment provider, who acts as Merchant of Record for global tax compliance. By providing a payment method, you authorise us (and our payment provider) to charge that method for the applicable fees, including renewals.
6.3 Tier changes
You may upgrade your Subscription at any time through the dashboard; upgrades take effect immediately and are pro-rated. Downgrades take effect at the start of your next billing cycle. Tier limits (frameworks, users, daily capacity caps) apply from the effective date of the change.
6.4 Late payment
We may suspend access to the Service if a payment is more than fifteen (15) days overdue. We will give you reasonable notice before suspending and will reinstate access promptly upon receipt of payment.
6.5 No token meters
We absorb the cost of internal Verifier model calls in your tier price. We do not bill you for tokens consumed by the Verifier. You separately pay your model provider for your own model usage; the Service does not resell, meter, or mark up that usage.
7. Refund & cancellation
Self-serve cancellation. You may cancel your Subscription at any time from the dashboard or by emailing [email protected]. Cancellation takes effect at the end of your current billing cycle. You will retain access through that date.
30-day money-back. If the Service does not meet your team's needs in the first thirty (30) days of a new paid Subscription, email us within that window for a full refund. This applies once per Customer entity.
No refund for partial periods. Outside the 30-day window, fees paid for the current billing period are non-refundable. We may make exceptions in cases of confirmed Service unavailability or our own material breach.
8. Customer data & ownership
Your data is yours. As between the parties, you retain all right, title, and interest in and to Customer Data. We claim no ownership of Customer Data.
Licence to operate. You grant us a limited, non-exclusive, royalty-free licence to host, store, process, transmit, and display Customer Data solely as necessary to provide and improve the Service for you.
No training on Customer Data. We do not use Customer Data to train, fine-tune, or evaluate any general-purpose model. Server-side Verifier calls process Customer Data in-the-moment for verification and reasoning purposes only and are not retained beyond the operational windows described in our Privacy Policy.
Customer responsibilities. You are responsible for the legality of Customer Data and for ensuring you have all necessary rights, consents, and authorisations to submit it to the Service. You are responsible for complying with applicable laws (including data-protection law) when configuring the Service for your use.
Data export and deletion. You may export Customer Data at any time via the Auditor Export bundle and (where available on your tier) the REST API. On termination, we provide a 30-day grace period for export, after which we destroy the per-tenant encryption keys, rendering Customer Data inaccessible. Append-only audit log entries are retained for the period stated in the Privacy Policy.
9. Confidentiality
Each party will protect the other's Confidential Information using the same degree of care it uses for its own confidential information of a similar nature, and at minimum reasonable care. Confidential Information includes Customer Data, the non-public parts of the Service, and any other information designated confidential or that a reasonable person would understand to be confidential.
Confidential Information may be disclosed only to a party's personnel and contractors with a need to know and who are bound by confidentiality obligations no less protective than those set out here. The receiving party must promptly notify the disclosing party of any actual or suspected unauthorised disclosure.
Confidentiality obligations do not apply to information that (a) is or becomes publicly known without breach, (b) was rightfully known to the receiving party before disclosure, (c) is rightfully obtained from a third party without confidentiality restrictions, or (d) is independently developed without use of the disclosing party's Confidential Information.
10. Warranties & disclaimers
We warrant that the Service will perform materially in accordance with its published Documentation under normal use. As your sole and exclusive remedy for breach of this warranty, we will use reasonable efforts to correct the defect or, if we cannot do so within a reasonable period, refund the fees paid for the affected period.
EXCEPT FOR THE EXPRESS WARRANTY ABOVE, THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE". WE DISCLAIM ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND ANY WARRANTY ARISING FROM COURSE OF DEALING OR USAGE OF TRADE.
WE DO NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED, ERROR-FREE, OR THAT THE OUTPUTS OF AI-GENERATED OPERATIONS WILL BE CORRECT. The Verifier and approval gate are designed to reduce the risk of incorrect operations reaching your GRC tool, but you are responsible for reviewing outputs before approving them.
11. Limitation of liability
EXCLUSION OF INDIRECT DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, NEITHER PARTY WILL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR EXEMPLARY DAMAGES, OR FOR ANY LOSS OF PROFITS, REVENUES, GOODWILL, OR DATA, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CAP ON DIRECT DAMAGES. EACH PARTY'S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THESE TERMS WILL NOT EXCEED THE FEES PAID BY THE CUSTOMER TO THE PROVIDER FOR THE SERVICE IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE LIABILITY.
EXCEPTIONS. The exclusions and cap above do not apply to (a) either party's indemnification obligations under Section 12, (b) the Customer's breach of its confidentiality obligations, (c) fees owed by Customer, or (d) liability that cannot be excluded or limited by applicable law (such as for fraud, gross negligence, or wilful misconduct).
12. Indemnification
By Provider. We will defend you against any third-party claim alleging that the Service, when used in accordance with these Terms and the Documentation, infringes such third party's intellectual property rights, and we will pay damages or settlement amounts finally awarded against you in such a claim. We will have no obligation under this Section to the extent the claim arises from (a) your use of the Service in violation of these Terms, (b) Customer Data, (c) combination of the Service with anything not provided by us, or (d) modifications to the Service not made by us. If the Service becomes, or in our reasonable opinion is likely to become, the subject of such a claim, we may at our option and expense (i) procure the right for you to continue using the Service, (ii) modify the Service so that it is non-infringing while materially preserving its functionality, or (iii) if (i) and (ii) are not commercially reasonable, terminate the affected Service and refund any prepaid, unused fees. This Section states our entire liability and your exclusive remedy for any claim of intellectual-property infringement.
By Customer. You will defend us against any third-party claim arising from (a) Customer Data, (b) your use of the Service in violation of these Terms or any applicable law, or (c) the configurations or instructions you provide to the Service that cause it to interact with your GRC tool. You will pay damages or settlement amounts finally awarded in such a claim.
Process. The indemnified party must promptly notify the indemnifying party of the claim, give it sole control of the defence and settlement, and provide reasonable cooperation. The indemnifying party may not settle a claim that imposes obligations on the indemnified party without its prior written consent.
13. Term & termination
These Terms apply from the date you first accept them and continue while you have an active Subscription or use the Service.
Either party may terminate for material breach if the breach is not cured within thirty (30) days of written notice. We may suspend or terminate immediately for cause where the breach poses an imminent risk to the Service or other customers, or for non-payment past the cure window in Section 6.4.
Upon termination: (a) your right to use the Service ends; (b) you remain liable for fees accrued through the termination date; (c) we provide a 30-day grace period for data export; (d) at the end of the grace period, we destroy your tenant's encryption keys, rendering Customer Data inaccessible; (e) audit-log entries are retained for the period in the Privacy Policy; (f) Sections 8 (Customer data and ownership), 9 (Confidentiality), 10 (Warranties), 11 (Liability), 12 (Indemnification), 15 (Governing law), and 16 (Contact) survive.
14. Changes to these terms
We may update these Terms from time to time. We will post the updated version at this URL with a new "Last updated" date. For material changes that affect your rights, we will give you reasonable advance notice (at least thirty days for adverse material changes) by email or in-app notification. Continued use of the Service after the effective date constitutes acceptance.
15. Governing law & venue
These Terms are governed by the laws of the State of Wyoming, United States of America, without regard to its conflict-of-laws rules. The exclusive venue for any dispute arising out of or related to these Terms or the Service is the state and federal courts located in Cheyenne, Wyoming, and the parties consent to the personal jurisdiction of those courts.
Where applicable consumer-protection law gives a Customer the right to bring proceedings in the Customer's place of residence, this clause does not limit that right.
The United Nations Convention on Contracts for the International Sale of Goods does not apply.
16. Contact
Questions about these Terms? Email [email protected].
Security or vulnerability reports: [email protected].
Privacy / data-protection requests: [email protected].
Postal address: available on request via [email protected].