Terms of Service

These Terms of Service ("Terms" or "Agreement") constitute a legally binding agreement between you and OpenGRC, LLC, a Florida limited liability company ("OpenGRC," "Company," "we," "us," or "our"). These Terms govern your access to and use of the OpenGRC software-as-a-service platform, including any related websites, applications, APIs, and professional services (collectively, the "Service").

BY CLICKING "I AGREE," CREATING AN ACCOUNT, ACCESSING THE SERVICE, OR OTHERWISE INDICATING YOUR ACCEPTANCE, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THESE TERMS. If you are entering into this Agreement on behalf of a company, organization, or other legal entity ("Customer"), you represent and warrant that you have the authority to bind such entity to these Terms, in which case "you" and "your" shall refer to such entity.

IMPORTANT: These Terms contain a binding arbitration clause and class action waiver in Section 15, which affect your legal rights. Please read them carefully.

1. Definitions

• "Authorized User" means any individual who is authorized by Customer to access and use the Service under Customer's account.
• "Customer Data" means any data, information, content, or materials that Customer or its Authorized Users upload, submit, store, or transmit through the Service.
• "Documentation" means the user guides, help files, and other technical documentation made available by OpenGRC describing the features and functionality of the Service.
• "Fees" means the amounts payable by Customer for the Service as set forth in an Order Form or the applicable pricing page.
• "Intellectual Property Rights" means all patent rights, copyrights, trademark rights, trade secret rights, and any other proprietary rights recognized by law.
• "Order Form" means any ordering document, online subscription page, or written agreement that specifies the Service, subscription term, fees, and other terms applicable to Customer's use of the Service.
• "Professional Services" means implementation, configuration, training, consulting, or other professional services provided by OpenGRC as set forth in a Statement of Work or Order Form.
• "Service" means the OpenGRC software-as-a-service platform, including all features, functionality, updates, and improvements made available by OpenGRC.
• "Subscription Term" means the period during which Customer is authorized to access and use the Service, as specified in an Order Form.
• "Third-Party Services" means any third-party applications, integrations, APIs, or services that interoperate with the Service.

2. Account Registration and Eligibility

2.1 Eligibility

To use the Service, you must be at least eighteen (18) years of age and have the legal capacity to enter into binding contracts. By using the Service, you represent and warrant that you meet these eligibility requirements.

2.2 Account Registration

To access the Service, you must create an account by providing accurate, current, and complete information. You agree to update your account information promptly to keep it accurate and complete. OpenGRC reserves the right to suspend or terminate accounts that contain inaccurate or incomplete information.

2.3 Account Security

You are responsible for maintaining the confidentiality of your account credentials and for all activities that occur under your account. You agree to immediately notify OpenGRC of any unauthorized use of your account or any other breach of security. OpenGRC shall not be liable for any loss or damage arising from your failure to protect your account credentials.

2.4 Authorized Users

Customer is responsible for ensuring that all Authorized Users comply with these Terms. Customer shall be liable for any acts or omissions of its Authorized Users that would constitute a breach of these Terms if performed by Customer.

3. Grant of License

3.1 License Grant

Subject to Customer's compliance with these Terms and payment of all applicable Fees, OpenGRC grants Customer a limited, non-exclusive, non-transferable, non-sublicensable right to access and use the Service during the Subscription Term solely for Customer's internal business purposes in accordance with these Terms and any applicable Documentation.

3.2 Restrictions

Customer shall not, and shall not permit any third party to:

• Copy, modify, adapt, translate, or create derivative works based on the Service
• Reverse engineer, disassemble, decompile, or otherwise attempt to derive the source code or underlying algorithms of the Service
• Rent, lease, loan, sell, sublicense, distribute, or otherwise transfer the Service to any third party
• Remove, alter, or obscure any proprietary notices on the Service
• Use the Service to develop a competing product or service
• Share account credentials with unauthorized parties or allow multiple individuals to use a single account
• Access the Service through any automated means, including bots, scrapers, or similar technologies, except through approved APIs
• Interfere with, disrupt, or attempt to gain unauthorized access to the Service or its related systems
• Use the Service in violation of any applicable laws or regulations

4. Customer Data and Responsibilities

4.1 Ownership of Customer Data

As between OpenGRC and Customer, Customer retains all right, title, and interest in and to Customer Data. OpenGRC acquires no rights in Customer Data except the limited rights necessary to provide the Service.

4.2 License to Customer Data

Customer grants OpenGRC a limited, non-exclusive, worldwide license to access, use, process, copy, and display Customer Data solely as necessary to provide and maintain the Service, comply with Customer's instructions, and fulfill OpenGRC's obligations under this Agreement.

4.3 Customer Responsibilities for Data

Customer is solely responsible for:

• The accuracy, quality, integrity, and legality of all Customer Data
• Obtaining all necessary rights, consents, and permissions to collect, use, and process Customer Data through the Service
• Ensuring that Customer Data does not violate any applicable laws, regulations, or third-party rights
• Compliance with all applicable data protection and privacy laws with respect to Customer Data
• Maintaining appropriate backups of Customer Data independent of the Service

4.4 Prohibited Content and Uses

Customer agrees that it shall not upload, store, or transmit through the Service any content that:

• Is unlawful, harmful, threatening, abusive, harassing, defamatory, or otherwise objectionable
• Infringes any Intellectual Property Rights or other proprietary rights of any third party
• Contains any viruses, malware, or other harmful code
• Violates the privacy or publicity rights of any third party
• Is otherwise inappropriate for a governance, risk, and compliance platform

The Service is designed and intended for governance, risk, and compliance purposes. Customer shall not use the Service as a general-purpose file sharing or storage application.

4.5 Security Responsibilities

Customer is responsible for the security of its own systems, networks, and devices used to access the Service, including but not limited to endpoint security, access controls, and network security. OpenGRC is not responsible for any unauthorized access to Customer's account or data resulting from Customer's failure to maintain adequate security measures on its own systems.

5. Third-Party Services and Integrations

5.1 Third-Party Integrations

The Service may offer integrations with Third-Party Services. Customer's use of any Third-Party Services is governed by the terms and conditions and privacy policies of those third parties. OpenGRC does not control and is not responsible for Third-Party Services, and Customer's use of Third-Party Services is at Customer's sole risk.

5.2 APIs

OpenGRC may provide APIs to enable Customer to integrate the Service with other applications. Customer's use of APIs is subject to these Terms, any applicable API documentation, and any additional terms provided by OpenGRC. OpenGRC reserves the right to modify, deprecate, or discontinue APIs at any time with reasonable notice.

5.3 No Warranties for Third-Party Services

OpenGRC makes no warranties, express or implied, regarding any Third-Party Services, including but not limited to warranties of merchantability, fitness for a particular purpose, or non-infringement. Customer acknowledges that the availability, performance, and functionality of Third-Party Services are outside OpenGRC's control.

6. Professional Services

6.1 Scope

OpenGRC may provide Professional Services as described in a Statement of Work or Order Form. Professional Services may include implementation, configuration, training, consulting, and other services. The scope, deliverables, timeline, and fees for Professional Services shall be set forth in the applicable Statement of Work.

6.2 Customer Cooperation

Customer shall provide timely access to personnel, information, systems, and resources reasonably required for OpenGRC to perform Professional Services. Delays caused by Customer's failure to provide such cooperation may result in additional fees or schedule adjustments.

6.3 Professional Services Warranty

OpenGRC warrants that Professional Services will be performed in a professional and workmanlike manner consistent with industry standards. Customer must notify OpenGRC in writing of any claimed breach of this warranty within thirty (30) days of performance. Customer's sole remedy for breach of this warranty shall be re-performance of the deficient Professional Services at no additional charge.

7. Fees and Payment

7.1 Fees

Customer shall pay all Fees specified in the applicable Order Form or pricing page. All Fees are quoted in United States Dollars unless otherwise specified. Fees are exclusive of all taxes, levies, or duties imposed by taxing authorities, and Customer shall be responsible for payment of all such amounts.

7.2 Billing and Payment

Fees are billed annually in advance. Payment is due within thirty (30) days of the invoice date unless otherwise specified in an Order Form. Customer shall provide accurate and complete billing information and promptly update such information as necessary.

7.3 Late Payment

If Customer fails to pay any Fees when due, OpenGRC may: (a) charge interest on the overdue amount at the rate of one and one-half percent (1.5%) per month or the maximum rate permitted by law, whichever is less; (b) suspend access to the Service until payment is received; and (c) pursue any other remedies available at law or in equity. Customer shall reimburse OpenGRC for all reasonable costs incurred in collecting overdue amounts, including attorneys' fees.

7.4 Price Changes

OpenGRC may increase Fees upon renewal of the Subscription Term by providing written notice to Customer at least sixty (60) days prior to the renewal date. The new Fees shall apply to the renewal term unless Customer provides written notice of non-renewal in accordance with Section 8.2.

7.5 No Refunds

All fees are non-refundable except as expressly set forth in this Agreement or as required by applicable law. Without limiting the foregoing, no refunds shall be provided for partial subscription periods, unused services, or early termination by Customer.

8. Term and Termination

8.1 Term

This Agreement commences on the date Customer first accepts these Terms or accesses the Service and continues until terminated in accordance with this Section 8. The initial Subscription Term shall be as specified in the Order Form. Subscription Terms are annual unless otherwise specified.

8.2 Automatic Renewal

Unless either party provides written notice of non-renewal at least thirty (30) days prior to the end of the then-current Subscription Term, the Subscription Term shall automatically renew for successive periods equal to the initial Subscription Term (or one year, whichever is shorter) at the then-current Fees.

8.3 Termination for Cause

Either party may terminate this Agreement immediately upon written notice if the other party: (a) materially breaches this Agreement and fails to cure such breach within thirty (30) days after receiving written notice thereof; or (b) becomes the subject of a bankruptcy, insolvency, receivership, liquidation, or similar proceeding.

8.4 Termination by OpenGRC

OpenGRC may terminate this Agreement or suspend access to the Service immediately without notice if: (a) Customer fails to pay Fees when due; (b) Customer violates Section 3.2 (Restrictions) or Section 4.4 (Prohibited Content and Uses); (c) continued provision of the Service would violate applicable law; or (d) OpenGRC reasonably determines that Customer's use of the Service poses a security risk.

8.5 Effect of Termination

Upon termination or expiration of this Agreement: (a) all rights and licenses granted to Customer shall immediately terminate; (b) Customer shall immediately cease all use of the Service; (c) each party shall return or destroy all Confidential Information of the other party; and (d) Customer shall pay all Fees accrued through the date of termination.

8.6 Data Retention and Export

Following termination or expiration, OpenGRC will retain Customer Data for ninety (90) days to allow Customer to export or retrieve such data. Customer may request earlier deletion of Customer Data by contacting OpenGRC at [email protected]. After the retention period, OpenGRC shall have no obligation to maintain or provide Customer Data and may delete all Customer Data in its systems or otherwise in its possession or control.

8.7 Survival

The following sections shall survive any termination or expiration of this Agreement: Sections 1, 4.1, 7 (with respect to amounts accrued), 9, 10, 11, 12, 13, 14, 15, 16, and 17.

9. Intellectual Property

9.1 OpenGRC Intellectual Property

OpenGRC and its licensors retain all right, title, and interest in and to the Service, including all software, technology, documentation, and other materials provided by OpenGRC, and all Intellectual Property Rights therein. Except for the limited license expressly granted in Section 3.1, no rights in the Service are granted to Customer.

9.2 Feedback

If Customer provides any suggestions, ideas, enhancement requests, recommendations, or other feedback regarding the Service ("Feedback"), Customer hereby grants OpenGRC a perpetual, irrevocable, worldwide, royalty-free, fully paid-up, non-exclusive license to use, reproduce, modify, create derivative works from, distribute, and otherwise exploit such Feedback for any purpose without compensation or attribution to Customer.

9.3 Aggregated Data

Notwithstanding anything to the contrary, OpenGRC may collect and use aggregated, anonymized, or de-identified data derived from Customer's use of the Service for purposes of improving the Service, developing new products and services, and conducting research and analytics, provided that such data does not identify Customer or any individual.

10. Confidentiality

10.1 Definition

"Confidential Information" means any information disclosed by one party to the other that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and circumstances of disclosure. Confidential Information includes, but is not limited to, business plans, pricing, technical data, and Customer Data.

10.2 Obligations

Each party agrees to: (a) maintain the confidentiality of the other party's Confidential Information using at least the same degree of care it uses to protect its own confidential information, but no less than reasonable care; (b) not disclose Confidential Information to any third party except as permitted herein; and (c) use Confidential Information only for purposes of performing its obligations or exercising its rights under this Agreement.

10.3 Exceptions

Confidential Information does not include information that: (a) is or becomes publicly available through no fault of the receiving party; (b) was rightfully in the receiving party's possession prior to disclosure; (c) is rightfully obtained by the receiving party from a third party without restriction; or (d) is independently developed by the receiving party without use of the disclosing party's Confidential Information.

10.4 Required Disclosures

A party may disclose Confidential Information to the extent required by law or legal process, provided that such party gives the other party prompt written notice (to the extent legally permitted) and reasonable assistance in contesting such disclosure.

11. Disclaimers

11.1 As-Is Basis

The Service is provided "as is" and "as available" without warranty of any kind, express or implied. To the maximum extent permitted by applicable law, OpenGRC expressly disclaims all warranties, including but not limited to implied warranties of merchantability, fitness for a particular purpose, title, non-infringement, and any warranties arising from course of dealing or usage of trade.

11.2 No Guarantee

OpenGRC does not warrant that: (a) the Service will meet Customer's requirements; (b) the Service will be uninterrupted, timely, secure, or error-free; (c) any errors or defects in the Service will be corrected; (d) the Service will be compatible with Customer's systems or other software; or (e) the results obtained from use of the Service will be accurate or reliable.

11.3 No Service Level Agreement

Unless otherwise agreed in writing, OpenGRC does not provide any service level agreements or uptime guarantees. OpenGRC shall use commercially reasonable efforts to maintain availability of the Service but shall not be liable for any downtime, interruptions, or performance issues.

11.4 Security Disclaimer

While OpenGRC implements reasonable security measures, including maintaining SOC 2 compliance and conducting annual penetration testing, no security measures are perfect or impenetrable. OpenGRC does not guarantee that the Service will prevent all security breaches, unauthorized access, or data loss. Customer acknowledges that it is solely responsible for determining whether the Service meets Customer's security requirements.

11.5 Compliance Disclaimer

The Service is a tool to assist Customer with governance, risk, and compliance activities. OpenGRC does not guarantee that use of the Service will result in compliance with any law, regulation, or industry standard. Customer is solely responsible for determining its compliance obligations and ensuring that its use of the Service satisfies such obligations.

12. Limitation of Liability

12.1 Exclusion of Consequential Damages

To the maximum extent permitted by applicable law, in no event shall OpenGRC, its affiliates, officers, directors, employees, agents, or licensors be liable for any indirect, incidental, special, consequential, punitive, or exemplary damages, including but not limited to damages for loss of profits, revenue, goodwill, data, or other intangible losses, even if OpenGRC has been advised of the possibility of such damages.

12.2 Cap on Liability

To the maximum extent permitted by applicable law, OpenGRC's total cumulative liability to Customer for all claims arising out of or relating to this Agreement, whether in contract, tort (including negligence), or otherwise, shall not exceed the total fees paid by Customer to OpenGRC during the twelve (12) months immediately preceding the event giving rise to the claim.

12.3 Basis of the Bargain

Customer acknowledges that OpenGRC has set its prices and entered into this Agreement in reliance upon the limitations of liability and disclaimers of warranties set forth herein, and that the same form an essential basis of the bargain between the parties. The parties agree that the limitations and exclusions of liability and disclaimers specified in this Agreement will survive and apply even if found to have failed of their essential purpose.

12.4 Exceptions

The limitations of liability in this Section 12 shall not apply to: (a) Customer's breach of Section 3.2 (Restrictions); (b) Customer's indemnification obligations under Section 13; (c) either party's breach of Section 10 (Confidentiality); or (d) either party's gross negligence, willful misconduct, or fraud.

13. Indemnification

13.1 Indemnification by Customer

Customer shall defend, indemnify, and hold harmless OpenGRC and its affiliates, officers, directors, employees, and agents from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to: (a) Customer's use of the Service; (b) Customer Data, including any claim that Customer Data infringes or violates any third-party rights; (c) Customer's breach of this Agreement; (d) Customer's violation of any applicable law or regulation; or (e) any dispute between Customer and its end users or third parties.

13.2 Indemnification by OpenGRC

OpenGRC shall defend, indemnify, and hold harmless Customer from and against any third-party claim alleging that the Service, as provided by OpenGRC and used in accordance with this Agreement, directly infringes a valid United States patent or copyright, provided that: (a) Customer promptly notifies OpenGRC in writing of such claim; (b) Customer grants OpenGRC sole control of the defense and settlement; and (c) Customer provides reasonable cooperation at OpenGRC's expense.

13.3 Limitations on OpenGRC Indemnification

OpenGRC's indemnification obligations under Section 13.2 shall not apply to claims arising from: (a) modifications to the Service made by anyone other than OpenGRC; (b) combination of the Service with third-party products, services, or data not provided by OpenGRC; (c) Customer's continued use of the Service after being notified of allegedly infringing activity; (d) Customer Data; or (e) Customer's breach of this Agreement.

13.4 Infringement Remedies

If the Service becomes, or in OpenGRC's reasonable opinion is likely to become, the subject of an infringement claim, OpenGRC may, at its sole option and expense: (a) procure for Customer the right to continue using the Service; (b) replace or modify the Service to make it non-infringing while maintaining substantially equivalent functionality; or (c) if neither (a) nor (b) is commercially practicable, terminate this Agreement and refund to Customer any prepaid Fees for the unused portion of the Subscription Term.

13.5 Cap on OpenGRC Indemnification

Notwithstanding anything to the contrary, OpenGRC's total liability under this Section 13 shall not exceed the total fees paid by Customer to OpenGRC during the twelve (12) months immediately preceding the claim.

13.6 Exclusive Remedy

This Section 13 states OpenGRC's entire liability and Customer's sole and exclusive remedy for any claims of intellectual property infringement.

14. Force Majeure

Neither party shall be liable for any failure or delay in performing its obligations under this Agreement (except for payment obligations) to the extent such failure or delay results from circumstances beyond the party's reasonable control, including but not limited to acts of God, natural disasters, war, terrorism, riots, embargoes, acts of civil or military authorities, fire, floods, epidemics, pandemics, strikes, power outages, internet or telecommunications failures, or cyberattacks. The affected party shall promptly notify the other party and use reasonable efforts to mitigate the effects of the force majeure event.

15. Dispute Resolution

15.1 Informal Resolution

Before initiating any formal dispute resolution proceeding, the parties agree to first attempt to resolve any dispute, claim, or controversy arising out of or relating to this Agreement ("Dispute") through good faith negotiations. Either party may initiate negotiations by sending written notice describing the Dispute to the other party. The parties shall negotiate in good faith for at least thirty (30) days before initiating arbitration.

15.2 Binding Arbitration

If the parties are unable to resolve a Dispute through negotiation, such Dispute shall be resolved exclusively through final and binding arbitration, rather than in court, except that either party may seek injunctive or other equitable relief in court to protect its Intellectual Property Rights or Confidential Information.

Arbitration shall be administered by the American Arbitration Association ("AAA") in accordance with its Commercial Arbitration Rules then in effect. The arbitration shall be conducted by a single arbitrator selected in accordance with AAA rules. The arbitration shall take place in Seminole County, Florida, unless the parties agree otherwise. The arbitrator's decision shall be final and binding, and judgment on the award may be entered in any court of competent jurisdiction.

15.3 Class Action Waiver

Customer and OpenGRC agree that each may bring claims against the other only in an individual capacity and not as a plaintiff or class member in any purported class, collective, or representative action. The arbitrator may not consolidate more than one party's claims and may not otherwise preside over any form of class, collective, or representative proceeding. If this class action waiver is found to be unenforceable, then the entirety of this arbitration provision shall be null and void.

15.4 Arbitration Costs

Each party shall bear its own costs and attorneys' fees in any arbitration. The parties shall share equally the fees and expenses of the arbitrator and AAA, unless the arbitrator determines that a different allocation is appropriate.

15.5 Small Claims Exception

Notwithstanding Section 15.2, either party may bring an individual action in small claims court for Disputes within the jurisdiction of such court.

16. Governing Law and Venue

This Agreement shall be governed by and construed in accordance with the laws of the State of Florida, without regard to its conflict of laws principles. To the extent that any lawsuit or court proceeding is permitted hereunder, the parties agree to submit to the exclusive personal jurisdiction and venue of the state and federal courts located in Seminole County, Florida.

17. General Provisions

17.1 Entire Agreement

This Agreement, together with any Order Forms and Statements of Work, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements, proposals, or representations, written or oral, concerning such subject matter. In the event of any conflict between this Agreement and an Order Form, the Order Form shall control.

17.2 Modifications

OpenGRC may modify these Terms from time to time by posting the updated Terms on its website or notifying Customer by email. Such modifications shall become effective thirty (30) days after posting or notification, unless Customer objects in writing within such period. Customer's continued use of the Service after the effective date of any modifications constitutes acceptance of the modified Terms.

17.3 Waiver

No failure or delay by either party in exercising any right under this Agreement shall constitute a waiver of that right. Any waiver must be in writing and signed by an authorized representative of the waiving party.

17.4 Severability

If any provision of this Agreement is held to be invalid, illegal, or unenforceable, such provision shall be modified to the minimum extent necessary to make it valid, legal, and enforceable, or if such modification is not possible, such provision shall be severed from this Agreement, and the remaining provisions shall continue in full force and effect.

17.5 Assignment

Customer may not assign or transfer this Agreement or any rights or obligations hereunder without OpenGRC's prior written consent. Any attempted assignment in violation of this provision shall be void. OpenGRC may assign this Agreement without restriction. This Agreement shall bind and inure to the benefit of the parties and their respective permitted successors and assigns.

17.6 Independent Contractors

The relationship between the parties is that of independent contractors. Nothing in this Agreement shall be construed to create a partnership, joint venture, agency, or employment relationship between the parties.

17.7 Notices

All notices under this Agreement shall be in writing and shall be deemed given when delivered personally, sent by email with confirmation of receipt, or sent by certified mail, return receipt requested, to the addresses specified in the Order Form or to such other address as either party may specify in writing. Notices to OpenGRC shall also be sent to: [email protected].

17.8 Publicity

OpenGRC may identify Customer as a customer and use Customer's name and logo in marketing materials, customer lists, and on OpenGRC's website. Customer may opt out of such use by providing written notice to OpenGRC.

17.9 Export Compliance

Customer shall comply with all applicable export control laws and regulations of the United States and other applicable jurisdictions. Customer shall not export, re-export, or transfer the Service or any technical data obtained through the Service to any country, entity, or person prohibited by such laws.

17.10 Government Users

If Customer is a U.S. government entity or the Service is being used on behalf of a U.S. government entity, the Service is provided as "commercial computer software" and "commercial computer software documentation" as defined in 48 C.F.R. § 2.101, and the use, duplication, and disclosure of the Service is subject to the restrictions set forth in these Terms.

18. Contact Information

If you have any questions about these Terms, please contact us at:

---

Last Updated: January 1, 2026