Terms of Service

• Customer: the legal entity that creates an account or signs an engagement agreement with Key 102.
• Authorized User: any natural person granted access to the platform on the Customer’s behalf.
• Engagement Agreement: the master services agreement (and any statement of work) executed between Key 102 and a Customer that supplements these Terms.
• Deliverables: the regulator-ready artifacts Key 102 produces, including Mission Briefs, readiness reports, SSPs, POA&Ms, SPRS affirmations, and similar documents.
• Customer Data: data, documents, evidence, intake answers, and other materials Customer or its Authorized Users submit to the Services.

Key 102 provides advisory and readiness services. Key 102 helps Customers organize, draft, and present compliance artifacts that they then submit to auditors, regulators, customers, insurers, and other recipients.

Key 102 does not act as an auditor, assessor, or certifying body and does not issue formal certifications. Where a Customer engagement requires an independent third-party assessor (for example, a PCI QSA, a CMMC C3PAO, or an HIPAA OCR investigator), the Customer is responsible for engaging that party separately. Specialty-credentialed sign-offs available on certain Deliverables (Cyber AB RP for CMMC, HIPAA Security Officer for HIPAA, PCI QSA for PCI) attest to Key 102’s professional review and the integrity of the Deliverable; they do not constitute a certification of compliance.

No outcome guarantee.Key 102 does not guarantee that any audit, assessment, or regulatory examination will be passed, that any certification will be issued, or that any specific regulatory determination will be made. Compliance outcomes depend on facts, evidence, and judgments outside Key 102’s control.

Customer is responsible for safeguarding account credentials, enforcing multi-factor authentication on Authorized Users, and ensuring that all use of its account complies with these Terms. The platform enforces session idle timeouts and other technical safeguards required by the frameworks Customer is engaged on.

Customer and its Authorized Users will not:

• Use the Services in a manner that violates applicable law or any third party’s rights.
• Upload malicious code, attempt to circumvent access controls, or interfere with the integrity of the audit log or any tenant’s isolation.
• Misrepresent the identity of any signer or attestor.
• Resell, sublicense, or white-label the Services without an executed reseller or partner agreement.
• Use the Services to develop a competing product.

The Services include an AI advisor (“Tammie”) that drafts preliminary scope, surfaces likely control gaps, and helps shape findings and policy text. All AI output is labeled as an automated draft. No Deliverable is issued on the AI’s authority — every regulator-facing artifact is reviewed and signed by a named Key 102 practitioner. Specialty-credentialed sign-offs (Cyber AB RP, HIPAA Security Officer, PCI QSA) restore as those credentials activate.

By using the Services, Customer authorizes Key 102 to submit Customer Data to its AI sub-processor (currently Anthropic, PBC) for inference. Anthropic does not train on data submitted through its API. Additional detail is in the Privacy Policy, section 4.

One-time engagements. The Mission Brief diagnostic is sold for a one-time fee disclosed at checkout. The Mission Brief credit converts 1:1 into any annual subscription within fourteen (14) days of purchase.

Subscriptions. Subscription tiers (Aegis, Vault, Fortress, Nexus) bill monthly or annually as selected at checkout. Subscriptions renew automatically at the end of each billing period at the then-current rate unless cancelled at least one (1) day before renewal. Customer may cancel at any time from the customer portal; cancellation takes effect at the end of the then-current paid period.

Refunds.Mission Brief fees are non-refundable once the diagnostic session has been delivered or after fourteen (14) days from purchase, whichever is earlier. Subscription fees for the current billing period are non-refundable; Customer retains access through the end of the paid period. Refunds for billing errors or duplicate charges are issued at Key 102’s discretion or as required by law.

Taxes.Fees are exclusive of sales, use, VAT, and similar taxes, which are Customer’s responsibility unless otherwise required by law.

Each party will protect the other’s confidential information using at least the same degree of care it uses for its own confidential information, and in any event no less than a reasonable degree of care. Customer Data is treated as Customer’s confidential information. Confidentiality obligations survive termination for three (3) years; for trade secrets, until they no longer qualify as such under applicable law.

Customer retains ownership of Customer Data. Key 102 retains ownership of the Services, the platform software, the underlying control libraries, AI prompt templates, and pre-existing Key 102 intellectual property. Deliverables produced for Customer become Customer’s property upon payment of the applicable fees, subject to Key 102’s retained right to use de-identified, aggregated learnings to improve the Services.

These Terms remain in effect while Customer uses the Services. Either party may terminate the Services for the other party’s material breach not cured within thirty (30) days of written notice. Upon termination, Customer’s access ends; Customer Data is retained per the schedule in the Privacy Policy so audit trails remain intact, then sentinel-rewritten per Key 102’s offboarding protocol.

The Services are provided “as is” and “as available.” Except as expressly stated in these Terms or an executed Engagement Agreement, Key 102 disclaims all warranties, express or implied, including warranties of merchantability, fitness for a particular purpose, non-infringement, and any warranty that the Services will be uninterrupted, error-free, or produce any particular regulatory or audit outcome.

[Placeholder pending counsel finalization.]To the maximum extent permitted by law, each party’s aggregate liability under these Terms will be capped at the fees paid by Customer to Key 102 in the twelve (12) months preceding the event giving rise to the claim. Neither party will be liable for indirect, incidental, consequential, special, exemplary, or punitive damages, including lost profits, regardless of the theory of liability and even if advised of the possibility of such damages. The liability cap and exclusions do not apply to (a) Customer’s payment obligations, (b) either party’s indemnification obligations, or (c) liabilities that cannot be limited by law.

[Placeholder pending counsel finalization — mutual indemnification with carve-outs for gross negligence and willful misconduct anticipated.] Each party will defend, indemnify, and hold the other harmless from third-party claims arising out of (a) the indemnifying party’s breach of these Terms, (b) the indemnifying party’s gross negligence or willful misconduct, and (c) for Customer specifically, Customer Data that infringes a third party’s rights or violates applicable law.

[Placeholder — Arizona anticipated; subject to counsel confirmation.] These Terms are governed by the laws of the State of Arizona, without regard to conflict-of-laws principles. The parties will first attempt to resolve any dispute through good-faith negotiation. Disputes that cannot be resolved through negotiation will be brought in the state or federal courts located in Maricopa County, Arizona, and each party consents to the personal jurisdiction and venue of those courts.

Where Customer’s engagement involves protected health information (PHI), the parties will execute a separate Business Associate Agreement (BAA) that controls in the event of conflict with these Terms for matters within its scope (use and disclosure of PHI, safeguards, breach notification, subcontractor flow-down, and return or destruction of PHI on termination).

Key 102 may update these Terms from time to time. Material changes will be communicated by email or in-platform notice at least thirty (30) days before taking effect. Continued use of the Services after the effective date constitutes acceptance of the updated Terms.

These Terms, together with any executed Engagement Agreement, the Privacy Policy, the Cookie Policy, and any applicable BAA, constitute the entire agreement between the parties on this subject. If any provision is held unenforceable, the remainder remains in effect. Neither party may assign these Terms without the other’s consent, except to a successor in connection with a merger or sale of substantially all assets.

Questions about these Terms: legal@key102consulting.com.