Terms of Service

Effective date: [EFFECTIVE DATE]

Entity: [LEGAL ENTITY NAME], a [STATE OF INCORPORATION] [entity type — e.g., corporation], [REGISTERED ADDRESS] ("DVARA," "we," "us").

These Terms of Service ("Terms") govern access to and use of the DVARA AI governance platform, including the managed cloud service at platform.dvarahq.com (the "Cloud Service"), self-hosted software distributions (the "Self-Hosted Software"), our websites, documentation, and related services (collectively, the "Services"). By creating an account, accepting these Terms electronically, or using the Services, you ("Customer," "you") agree to these Terms. If you accept on behalf of an organization, you represent that you have authority to bind it.

1. The Services​

1.1 Description. DVARA is an AI governance platform that proxies, governs, and audits traffic between Customer applications and third-party large language model providers and MCP (Model Context Protocol) tool servers. Capabilities include policy enforcement, PII detection and redaction, immutable audit logging, and cost tracking, as described in the Documentation.

1.2 Delivery modes. The Services are available as (a) the Cloud Service, hosted and operated by DVARA, and (b) Self-Hosted Software deployed in Customer's own infrastructure under a license key. Some terms below apply differently to each mode, as indicated.

1.3 Third-party providers. The Services route Customer traffic to third-party LLM providers and tool servers selected and configured by Customer ("Providers"). Customer's use of Providers is governed by Customer's own agreements with those Providers. DVARA is not a party to those agreements, does not control Provider availability, output, or conduct, and is not responsible for Provider acts or omissions, including their handling of Customer Content.

1.4 Bring Your Own Keys (BYOK). Customer is responsible for obtaining, securing, and complying with the terms governing any Provider credentials supplied to the Services. DVARA stores supplied credentials encrypted, or references them from Customer's vault, as described in the Documentation.

2. Accounts and Eligibility​

2.1 Customer must provide accurate account information and keep it current. Customer is responsible for all activity under its account and API keys and must promptly notify DVARA of suspected unauthorized use.

2.2 The Services are offered to businesses and professional users. You must be at least 18 years old.

3. Trial​

3.1 Trial access is provided for 30 days (or as otherwise stated at signup), free of charge, for evaluation purposes. Trial use is provided "AS IS," without warranties, support commitments, or service-level commitments of any kind. DVARA may suspend or terminate trials at any time. Data from expired trials may be deleted 30 days after expiry.

4. Subscriptions, Fees, and Taxes​

4.1 Plans. Paid plans are described at dvarahq.com/pricing. Plans are billed monthly or annually in advance via our payment processor (Stripe). Fees are flat per plan; there are no per-request fees.

4.2 Usage limits. Each plan includes a monthly token volume and other limits described on the pricing page (for example, 10M tokens/month on Solo, 25M on Starter, 50M on Growth). Plans are flat-rate with no per-request overage charges. DVARA notifies Customer as its usage approaches and crosses plan limits. Sustained use materially over a plan's limit across consecutive billing periods may result in suspension or a required plan upgrade, as described in the Documentation.

4.3 Changes. Customer may upgrade at any time (prorated). Downgrades take effect at the next billing cycle. Price changes apply at the next renewal with at least 30 days' notice.

4.4 Refunds. Except where required by law, fees are non-refundable, including for partial billing periods and unused capacity.

4.5 Taxes. Fees exclude taxes; Customer is responsible for applicable taxes other than taxes on DVARA's income.

4.6 Non-payment. DVARA may suspend the Services for amounts overdue by more than 14 days, after notice.

5. Self-Hosted Software License​

5.1 Grant. Subject to these Terms and payment of applicable fees, DVARA grants Customer a non-exclusive, non-transferable, non-sublicensable license during the subscription term to install and run the Self-Hosted Software in Customer's own (or its contracted cloud) infrastructure, for Customer's internal business purposes, up to the limits of the purchased plan.

5.2 Restrictions. Customer must not: (a) resell, sublicense, or provide the Software as a service bureau or managed offering to third parties; (b) reverse engineer, decompile, or attempt to derive source code except where this restriction is prohibited by law; (c) remove proprietary notices; (d) circumvent license keys or technical usage limits; or (e) use the Services to build a competing product.

5.3 License keys. Self-Hosted Software is activated by license keys that encode plan entitlements and validate offline. Keys expire at the end of the subscription term. After expiry there is a 14-day grace period during which the Software continues to operate; beyond the grace period the Software enters a degraded state in which data-plane requests are refused while the administrative console and existing audit records remain accessible, as described in the Documentation.

5.4 Open-source components. The Software includes open-source components governed by their own licenses, listed in the Documentation. Nothing in these Terms limits Customer's rights under those licenses.

6. Customer Content and Data​

6.1 Definitions. "Customer Content" means data submitted through the Services, including prompts, completions, tool-call arguments and responses, and content within audit records derived from them. "Usage Data" means telemetry, diagnostics, and aggregated or de-identified statistics about Service operation that do not reveal Customer Content.

6.2 Ownership. Customer retains all rights in Customer Content. DVARA obtains only the limited rights necessary to provide the Services: to process, transmit, scan (for example, for PII or policy enforcement), store (for example, audit records per plan retention), and display Customer Content to Customer.

6.3 Processor role (Cloud Service). For Customer Content processed through the Cloud Service, DVARA acts as a processor/service provider on Customer's behalf. A Data Processing Agreement ("DPA") is available to Cloud Service customers on request and, once executed, is incorporated into these Terms.

6.4 Self-Hosted. For Self-Hosted Software, Customer Content is processed entirely within Customer's environment. DVARA does not receive Customer Content from self-hosted deployments. Telemetry from Self-Hosted Software is opt-in and off by default.

6.5 No training. DVARA does not use Customer Content to train machine-learning models and does not sell Customer Content.

6.6 Customer responsibilities. Customer is responsible for: (a) the lawfulness of Customer Content and its instructions to the Services; (b) configuring policies, PII rules, retention, and residency appropriately for its obligations; (c) notices and consents required from its own users and data subjects; and (d) its Provider selections, including ensuring Provider terms permit Customer's use.

6.7 Data export and deletion. Customer may export audit records and configuration during the term through the administrative console and Automation API. Upon termination, DVARA will delete Cloud Service Customer Content within 30 days, except minimal records retained as required by law or for billing integrity.

7. Acceptable Use​

Customer must not use the Services to: (a) violate law or third-party rights; (b) transmit malware or conduct security attacks; (c) probe or test the vulnerability of the Cloud Service without written authorization; (d) misrepresent the origin of traffic or circumvent another platform's controls; (e) process data categories prohibited by the plan or Documentation (including Protected Health Information on the Cloud Service — see 7.1); or (f) use the Services in safety-critical systems where failure could cause death, injury, or severe damage.

7.1 Protected Health Information. The managed Cloud Service is not intended for, and Customer must not submit to it, Protected Health Information ("PHI") as defined under HIPAA. DVARA does not offer a Business Associate Agreement for the Cloud Service. Customers with PHI or other regulated-health obligations must use the Self-Hosted Software, where Customer Content — including any PHI — is processed entirely within Customer's own environment and never reaches DVARA. The audit evidence and controls the Services generate may support a Customer's own HIPAA program, subject to the Compliance Disclaimer in Section 8.

8. Compliance Disclaimer​

The Services generate audit evidence, reports, and controls that may support Customer's compliance programs (for example, SOC 2, HIPAA, GDPR). Use of the Services does not by itself make Customer compliant with any law, regulation, or framework, and DVARA makes no representation that Customer's use of the Services will satisfy any auditor, regulator, or certification requirement. Customer is solely responsible for its own compliance determinations and professional advice.

9. Intellectual Property; Feedback​

DVARA and its licensors own the Services, Software, and Documentation, including all improvements. No rights are granted except as expressly stated. If Customer provides feedback, DVARA may use it without restriction or obligation.

10. Confidentiality​

Each party will protect the other's non-public information disclosed in connection with the Services with reasonable care, use it only to perform under these Terms, and not disclose it except to personnel and advisors under confidentiality obligations, or as required by law with notice where permitted.

11. Security​

DVARA maintains administrative, technical, and physical safeguards designed to protect the Cloud Service and Customer Content, including encryption in transit (TLS) and at rest, access controls, and audit logging. Customer is responsible for the security of its own environment, including self-hosted deployments, account credentials, API keys, and Provider keys.

12. Warranties and Disclaimers​

12.1 Each party warrants it has authority to enter these Terms.

12.2 EXCEPT AS EXPRESSLY STATED, THE SERVICES ARE PROVIDED "AS IS" AND "AS AVAILABLE." DVARA DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND ANY WARRANTY THAT THE SERVICES WILL BE UNINTERRUPTED, ERROR-FREE, OR THAT ALL PII, INJECTION ATTEMPTS, OR POLICY VIOLATIONS WILL BE DETECTED. Detection and guardrail features are probabilistic and configuration-dependent; Customer should not rely on them as its sole control.

13. Limitation of Liability​

13.1 NEITHER PARTY WILL BE LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR LOST PROFITS, REVENUE, OR DATA, EVEN IF ADVISED OF THE POSSIBILITY.

13.2 EACH PARTY'S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THESE TERMS WILL NOT EXCEED THE FEES PAID OR PAYABLE BY CUSTOMER TO DVARA IN THE THREE (3) MONTHS PRECEDING THE EVENT GIVING RISE TO LIABILITY. For free trials and other no-charge use, each party's total aggregate liability will not exceed USD 100.

13.3 The caps above do not apply to: Customer's payment obligations; either party's breach of Section 10 (Confidentiality); Customer's breach of Section 5.2 (Restrictions) or Section 7 (Acceptable Use); or either party's gross negligence, willful misconduct, or liability that cannot be limited under applicable law.

14. Indemnification​

14.1 By DVARA. DVARA will defend Customer against third-party claims alleging that the Services, as provided by DVARA and used as authorized, infringe a third party's intellectual property rights, and will pay resulting damages finally awarded or settled, provided Customer gives prompt notice, control of the defense, and reasonable cooperation. DVARA may procure rights, modify the Services, or terminate and refund prepaid unused fees. This section states Customer's exclusive remedy for infringement.

14.2 By Customer. Customer will defend DVARA against third-party claims arising from Customer Content, Customer's Provider relationships, or Customer's use of the Services in violation of these Terms, under the same procedure.

15. Term, Suspension, Termination​

15.1 These Terms run for the subscription term and renew per the plan unless either party gives notice of non-renewal before renewal.

15.2 Either party may terminate for material breach uncured within 30 days of notice. DVARA may suspend immediately for security risk, unlawful use, or non-payment per 4.6.

15.3 On termination: Customer's access ends; Self-Hosted license keys expire per 5.3; Sections 6.7, 8–14, 15.3, 16, and 17 survive.

16. Modifications to Terms and Services​

DVARA may update these Terms with at least 30 days' notice for material changes (by email or in-product notice). Continued use after the effective date constitutes acceptance; if Customer objects, it may terminate and receive a pro-rata refund of prepaid fees for the unused period. DVARA may improve or modify Service features, provided the core functionality of the purchased plan is not materially reduced during a paid term.

17. Dispute Resolution; Governing Law​

17.1 Governing law. These Terms are governed by the laws of the State of Texas, USA, without regard to its conflict-of-laws rules.

17.2 Binding arbitration. Except as stated in 17.3, any dispute arising out of or relating to these Terms or the Services will be resolved by final and binding arbitration administered by [ARBITRATION ADMINISTRATOR — e.g., JAMS or AAA] under its commercial rules, before a single arbitrator, seated in Texas, USA, conducted in English. Judgment on the award may be entered in any court of competent jurisdiction.

17.3 Carve-outs. Either party may (a) bring an individual claim in small-claims court if it qualifies, and (b) seek injunctive or equitable relief in court to protect its intellectual property or confidential information.

17.4 Class-action waiver. Disputes will be resolved only on an individual basis. Customer and DVARA waive any right to bring or participate in a class, collective, consolidated, or representative action. The arbitrator may not consolidate more than one person's claims or preside over any form of representative proceeding.

18. General​

No waiver by conduct. If a provision is unenforceable, the remainder stands. Neither party may assign without consent, except to an affiliate or in connection with a merger or sale of substantially all assets, with notice. Export control: Customer will comply with applicable export and sanctions laws. Force majeure applies to events beyond reasonable control. These Terms, the order/plan selection, the DPA (if executed), and policies referenced herein are the entire agreement and supersede prior discussions. In case of conflict: DPA → order → these Terms → Documentation. Notices to DVARA: legal@dvarahq.com.

See also the Privacy Policy. Questions about these Terms: legal@dvarahq.com.