Terms of Service

Last updated: May 22, 2026

1. Acceptance of Terms

These Terms of Service ("Terms") constitute a legally binding agreement between you ("Customer," "you," or "your") and episki, llc, a Pennsylvania limited liability company ("episki," "we," "us," or "our"). By accessing or using the episki platform at app.episki.com or any related services (collectively, the "Service"), you agree to be bound by these Terms.

If you are accepting these Terms on behalf of an organization, you represent and warrant that you have the authority to bind that organization. If you do not agree to these Terms, do not use the Service.

2. Service Description

episki is a cloud-based, AI-first governance, risk, and compliance (GRC) platform. The Service includes a required Compliance Platform together with optional modules (such as Risk Management, Third-Party Risk Management, Trust, and AI Governance) and add-ons. The platform provides:

  • Programs, assessments, controls, policies, evidence, and audit-log workflows for one or more compliance frameworks.
  • An AI orchestration runtime: agents, skills, plans, step-runs, approvals, and safety floors.
  • Integrations with third-party systems and support for Model Context Protocol ("MCP") servers configured by you.
  • A Trust portal where you may publish security posture information to your customers and prospects.
  • The Operator Partner Program for partners managing the Service on behalf of multiple end customers.

The Service is provided on a software-as-a-service basis. These Terms grant you a limited, non-exclusive, non-transferable, revocable license to access and use the Service during your subscription term. No software is sold or transferred under these Terms.

3. User Accounts and Security

To use the Service, you must create an account with accurate and complete information. You are responsible for maintaining the confidentiality of your account credentials and for all activities that occur under your account.

You agree to notify us immediately at hello@episki.com if you become aware of any unauthorized use of your account. episki is not liable for losses arising from unauthorized access to your account where you have failed to safeguard your credentials.

4. Subscriptions, Billing, and Renewals

4.1 Subscription model

Use of the Service requires a paid subscription to the Compliance Platform and any modules or add-ons you select. Subscriptions are sold on a per-workspace basis. Users, frameworks, and (where applicable) vendors are not separately metered.

4.2 Billing cadence

You may select monthly or annual prepay billing for each priced item. Fees are billed in advance for the upcoming billing period. Monthly subscriptions renew automatically each month. Annual subscriptions renew automatically each year unless cancelled at least 30 days before the renewal date.

4.3 Mid-cycle changes

You may add modules or add-ons at any time; charges are prorated to the end of the current billing period. Removal of modules or add-ons takes effect at the end of the then-current billing period. We will not refund prepaid amounts for the removed item except as required by law.

4.4 Failed payments

If a payment fails, we may suspend access to the Service until payment is received. Accounts with overdue balances exceeding 30 days may be terminated.

4.5 Taxes

Fees are exclusive of any applicable taxes. You are responsible for any sales, use, value-added, withholding, or similar taxes other than taxes on our net income.

4.6 Refunds

Fees are non-refundable except as expressly stated in these Terms or required by applicable law.

5. AI Features and Tokens

5.1 What AI features do

The Service uses AI to draft policies, answer questionnaires, summarize evidence, propose risk language, plan agent work, and similar tasks. AI features are bounded by the safety floors and approvals you configure in your workspace. Agents propose work that requires human approval before sensitive actions are taken; you remain responsible for reviewing and approving agent output before relying on it.

5.2 Tokens

AI work is metered in tokens, a unit of computational consumption. Your workspace receives a monthly token allowance equal to the base allocation included with the Compliance Platform plus an additional allocation for each module you subscribe to. Unused tokens roll forward by twenty percent (20%) to the immediately following month. New customer workspaces receive a multiplier on their monthly allowance during the first twelve (12) months as an onboarding boost.

5.3 Overage and prepaid packs

If your workspace exhausts its allowance, additional AI work is metered at the then-current overage rate (currently $0.50 per 1,000 tokens) and added to your next invoice. You may also purchase prepaid token packs at the then-current rate; prepaid packs are valid for twelve (12) months from purchase and lock in the per-token rate of the pack at the time of purchase. AI features will continue to function during overage; we will not block legitimate Service use due to token consumption.

5.4 Right to adjust token economics

We may adjust token allocations, consumption rates, overage rates, and prepaid pack pricing on at least thirty (30) days' written notice. Adjustments take effect at your next billing cycle. Token economics are tied to the cost of underlying AI providers, which is outside our reasonable control.

5.5 AI sub-processors and training

We use third-party AI model providers as sub-processors to deliver AI features. Our current sub-processor list (including AI providers) is published on our trust center at trust.episki.com, or available on request at hello@episki.com. We will not use Customer Data to train any AI model, and our AI sub-processors are contractually bound to the same restriction.

5.6 AI output and accuracy

AI-generated content may be inaccurate, incomplete, or out of date. You are responsible for reviewing AI output before relying on it for any compliance, regulatory, security, or business decision. You retain ownership of AI output created from your Customer Data and prompts on the same terms as the rest of your Customer Data (see §9).

6. Integrations and Third-Party Services

6.1 Native integrations

The Service may connect to third-party services you authorize (for example, AWS, Google Workspace, Microsoft 365, Slack, GitHub, Jira). You are responsible for ensuring you have authority to connect those services and to grant the access scopes the integration requires. We will only use those credentials and the data they provide to deliver the Service.

6.2 Third-party terms

Third-party services are governed by their own terms and privacy policies. We are not responsible for the availability, accuracy, or behavior of any third-party service.

6.3 MCP servers

You may configure Model Context Protocol ("MCP") servers that agents in your workspace can call. You are solely responsible for the MCP servers you configure, the data sent to them, and the data they return. We do not endorse, certify, or vet third-party MCP servers. The AI Governance module (when subscribed) provides allowlisting, logging, and other controls; you remain responsible for using those controls appropriately.

6.4 Revocation

You may revoke any integration or MCP server connection at any time from the workspace settings. Following revocation, we will cease using the associated credentials and will delete or revoke any stored secrets within a reasonable time, except where retention is required for legal, billing, or audit-log integrity purposes.

7. Trust Portal and Customer-Published Content

The Service includes (with the Compliance Platform) a basic public trust page, and (with the Trust module) a fully branded trust center on a domain you specify. Content you publish through these surfaces — including control claims, certifications, subprocessor lists, policies, security whitepapers, and questionnaire responses — is Customer-published content.

  • You are solely responsible for the accuracy, currency, completeness, and lawfulness of Customer-published content.
  • You are responsible for ensuring Customer-published content does not violate any confidentiality, contractual, or privacy obligation you owe to a third party.
  • You are responsible for any NDA gating, watermarking, or access-control settings you configure for documents shared through the trust center.
  • We provide the publishing infrastructure but do not review, approve, or certify Customer-published content.

8. Operator Partner Program

The Operator Partner Program is available to firms (such as vCISO, vGRC, and MSP firms) that manage workspaces on behalf of end customers. A separate Operator Partner Agreement, executed between us and the partner, governs the program. The following applies to partners and their end customers:

  • Each end-customer workspace is a separate subscription subject to these Terms.
  • The partner is responsible for ensuring it has the authority to administer each end-customer workspace and to enter into these Terms (or pass through equivalent obligations) with each end customer.
  • Partner discounts apply to the partner's entire book of business as defined in the Operator Partner Agreement and may be adjusted prospectively in line with that agreement.
  • Tokens, integrations, and other workspace-scoped resources are not shared across workspaces.
  • We may treat the partner as the customer's authorized representative for routine workspace administration but reserve the right to communicate directly with the end customer on legal, billing, or security matters.

9. Data Ownership and Intellectual Property

Your Data. You retain all rights, title, and interest in the data you submit to or generate through the Service, including compliance programs, assessments, controls, policies, evidence, risks, vendors, agent plans and conversations, MCP server configurations, and AI output created from your prompts and Customer Data ("Customer Data"). episki does not claim ownership of Customer Data.

Our Platform. episki and its licensors retain all rights, title, and interest in the Service, including all software, technology, designs, trademarks, model orchestration logic, and documentation. Nothing in these Terms transfers any intellectual property rights in the Service to you.

Feedback. If you provide us with feedback, suggestions, or ideas about the Service, you grant us a perpetual, royalty-free, worldwide license to use that feedback to improve the Service, without obligation to you.

Aggregated and de-identified data. We may produce aggregated, de-identified, or anonymized data that does not identify you or any individual. We may use such data to operate, improve, benchmark, and market the Service.

10. Acceptable Use

You agree not to:

  • Use the Service for any unlawful purpose or in violation of any applicable law or regulation.
  • Attempt to gain unauthorized access to the Service, other customer accounts, or related systems.
  • Interfere with, disrupt, or degrade the performance of the Service.
  • Reverse-engineer, decompile, or disassemble any part of the Service, except to the extent expressly permitted by law.
  • Resell, sublicense, or make the Service available to third parties except as permitted by your subscription or the Operator Partner Program.
  • Upload content that is malicious, infringing, or violates the rights of others.
  • Use the Service or AI features to generate, distribute, or facilitate illegal, defamatory, or harmful content.
  • Use the Service to circumvent or evade legal, regulatory, or contractual obligations you owe to third parties.
  • Configure MCP servers or integrations to exfiltrate data from the Service in violation of these Terms or applicable law.

11. No Compliance Guarantee

episki provides tools, workflows, and AI assistance to help you manage compliance programs, but the Service does not guarantee that you will achieve or maintain compliance with any specific framework, regulation, or standard, including (without limitation) SOC 2, ISO 27001, ISO 27701, ISO 42001, HIPAA, PCI DSS, NIST CSF, NIST AI RMF, CMMC, the EU AI Act, GDPR, CCPA/CPRA, or any other regulatory regime.

Compliance is ultimately your responsibility. The Service assists with organizing, drafting, tracking, and documenting your compliance activities, but the accuracy and completeness of your programs, controls, evidence, and AI-assisted output depend on the information you provide, the configuration you choose, and the actions you and your reviewers take.

12. Warranties and Disclaimers

episki warrants that the Service will perform materially in accordance with its documentation during your subscription term. If the Service does not meet this warranty, your sole remedy is for us to use commercially reasonable efforts to correct the non-conformity.

EXCEPT AS EXPRESSLY PROVIDED ABOVE, THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE." TO THE MAXIMUM EXTENT PERMITTED BY LAW, EPISKI DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. WE DO NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED, ERROR-FREE, OR SECURE, OR THAT AI OUTPUT WILL BE ACCURATE, COMPLETE, OR FIT FOR YOUR PURPOSE.

13. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW, EPISKI'S TOTAL LIABILITY ARISING OUT OF OR RELATED TO THESE TERMS WILL NOT EXCEED THE AMOUNTS PAID BY YOU TO EPISKI IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM.

IN NO EVENT WILL EPISKI BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING LOSS OF PROFITS, DATA, OR BUSINESS OPPORTUNITIES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

14. Indemnification

You agree to indemnify, defend, and hold harmless episki and its officers, directors, employees, and agents from any claims, damages, losses, or expenses (including reasonable attorneys' fees) arising from: (a) your use of the Service; (b) Customer Data and Customer-published content; (c) MCP servers or integrations you configure; (d) your violation of these Terms; or (e) your violation of any applicable law or the rights of a third party.

15. Termination and Data Export

Either party may terminate these Terms by providing written notice in accordance with §4.2. Upon cancellation, your access to the Service will continue until the end of your current billing period.

Upon termination, you may request an export of your Customer Data within thirty (30) days. After this period, we may delete Customer Data in accordance with our data retention practices. episki is not obligated to retain Customer Data beyond thirty (30) days following termination, except where required by law.

episki may suspend or terminate your access immediately if you breach these Terms, fail to pay fees when due, or if continued provision of the Service would violate applicable law.

16. Governing Law and Dispute Resolution

These Terms are governed by and construed in accordance with the laws of the Commonwealth of Pennsylvania, without regard to conflict-of-law principles. Any dispute arising under these Terms will be resolved exclusively in the state or federal courts located in Pennsylvania, and each party consents to the personal jurisdiction of such courts.

17. Modifications

We may update these Terms from time to time. For material changes — including changes to billing structure, the AI/tokens framework, data processing, dispute resolution, or limitations of liability — we will provide at least thirty (30) days' written notice by email or by posting a prominent notice in the Service before the changes take effect. For non-material changes (clarifications, typos, formatting), we may update these Terms without advance notice and indicate the change by revising the "Last updated" date.

Your continued use of the Service after the effective date of revised Terms constitutes acceptance of those changes.

18. General Provisions

These Terms, together with the Privacy Policy, any Data Processing Agreement, any Operator Partner Agreement, and any order forms or service-specific terms, constitute the entire agreement between you and episki. If any provision is found to be unenforceable, the remaining provisions will remain in full force. Our failure to enforce any right or provision is not a waiver of that right. You may not assign these Terms without our prior written consent. episki may assign these Terms in connection with a merger, acquisition, or sale of assets.

We do not currently offer a contractual uptime service-level agreement (SLA) as part of these Terms. Any SLA must be separately agreed in writing on an order form or master agreement.

19. Contact

If you have questions about these Terms, contact us at hello@episki.com. Our sub-processor list is published at trust.episki.com; to request a Data Processing Agreement, see the Privacy Policy.

episki, llc · Pennsylvania, USA