Skip to main content

Terms of Service

Effective: February 24, 2026Version 1.0

1. Definitions

The following terms have the meanings set forth below when used in this Agreement:

  • “Agreement” means these Terms of Service, together with any Order Form, the Privacy Policy, the Acceptable Use Policy, and any other documents incorporated by reference.
  • “Ataraxia GRC,” “we,” “us,” or “our” means Ataraxia GRC, Inc., a Delaware corporation.
  • “Authorized User” means any individual authorized by Customer to access and use the Service under Customer’s account.
  • “Customer,” “you,” or “your” means the entity or individual that creates an account and agrees to this Agreement.
  • “Customer Data” means all data, content, and information uploaded, submitted, or generated by Customer or its Authorized Users through the Service, including assessment responses, implementation descriptions, evidence files, and organizational information.
  • “CUI” means Controlled Unclassified Information as defined by 32 CFR Part 2002.
  • “CMMC” means the Cybersecurity Maturity Model Certification as defined by 32 CFR Part 170.
  • “Documentation” means the user guides, help articles, API documentation, and other materials made available by Ataraxia GRC describing the features and functionality of the Service.
  • “Order Form” means any ordering document, online subscription page, or checkout flow through which Customer subscribes to the Service.
  • “Service” means the Ataraxia GRC cloud-based CMMC compliance management platform available at ataraxiagrc.com, including all features, tools, APIs, and related services.
  • “SPRS Score” means the Supplier Performance Risk System score as calculated by the NIST SP 800-171 DoD Assessment Methodology.
  • “Subscription Term” means the period during which Customer has paid for access to the Service, as specified in the applicable Order Form or subscription selection.

2. Service Description and Scope

2.1 Nature of the Service

Ataraxia GRC provides a cloud-based CMMC compliance management platform that assists defense contractors in assessing their cybersecurity posture, generating compliance documentation, tracking remediation activities, and preparing for CMMC assessments. The Service includes tools for SPRS score calculation, System Security Plan (SSP) generation, Plan of Action and Milestones (POA&M) management, evidence management, and AI-assisted compliance guidance.

2.2 The Service Is a Tool, Not a Guarantee

THE SERVICE IS A TOOL, NOT A GUARANTEE. The Service is designed to assist you in your compliance efforts. It does not and cannot guarantee:

  • Achievement of any CMMC certification level
  • Passing any C3PAO assessment
  • Accuracy of any SPRS score submitted to the Department of Defense
  • Compliance with NIST SP 800-171, DFARS 252.204-7012, 32 CFR Part 170, or any other regulation
  • Protection from False Claims Act (31 U.S.C. §3729–3733) liability or Department of Justice Civil Cyber-Fraud Initiative enforcement actions
  • Adequacy of any generated document, including but not limited to SSPs, POA&Ms, and security policies

2.3 AI-Generated Content Disclaimer

Certain features of the Service utilize artificial intelligence to generate content, including but not limited to SSP section descriptions, policy documents, remediation guidance, and copilot chat responses. All AI-generated content is provided for informational purposes only and may contain errors, omissions, or inaccuracies. Customer is solely responsible for reviewing, verifying, and approving all AI-generated output before use, submission, or reliance thereon. AI outputs do not constitute legal, compliance, or cybersecurity advice.

2.4 SPRS Score Calculation Disclaimer

CRITICAL: The accuracy of any SPRS score calculated by the Service depends entirely on the accuracy and completeness of the information provided by Customer. Ataraxia GRC does not independently verify Customer inputs, assess Customer’s actual security controls implementation, or audit Customer’s cybersecurity environment.

Customer acknowledges and understands:

  • Submitting a false or inaccurate SPRS score to the Department of Defense may result in False Claims Act liability, including treble damages and per-claim civil penalties exceeding $27,000 per violation.
  • The Department of Justice has actively pursued cybersecurity compliance fraud through the Civil Cyber-Fraud Initiative, resulting in significant settlements against defense contractors.
  • The senior official who affirms the SPRS score may bear personal accountability for the accuracy of that affirmation.
  • Customer should engage a qualified C3PAO, RPO, or legal counsel to independently validate compliance status and SPRS scores before submission to the Department of Defense.

3. Account Registration and Access

3.1 Account Creation

To use the Service, you must create an account by providing accurate, current, and complete information. You represent and warrant that all information provided during registration and throughout your use of the Service is truthful and accurate. You agree to promptly update your account information if it changes.

3.2 Authorized Users

Customer may designate Authorized Users within its organization to access the Service. Customer is responsible for ensuring that all Authorized Users comply with this Agreement. Customer is responsible and liable for all activities conducted through Authorized User accounts, including any data entered or actions taken.

3.3 Account Security

Customer is responsible for maintaining the confidentiality and security of all account credentials, including passwords and multi-factor authentication (MFA) tokens. Customer agrees to:

  • Use strong, unique passwords for all accounts
  • Enable and maintain MFA where available
  • Not share account credentials with unauthorized individuals
  • Immediately notify Ataraxia GRC at security@ataraxiagrc.com of any suspected unauthorized access or security breach

4. Subscription Terms and Payment

4.1 Subscription Plans

The Service is offered through tiered subscription plans as described on our pricing page. Features, usage limits, and support levels vary by plan. The specific plan and features available to Customer are determined by the applicable Order Form or online subscription selection.

4.2 Free Trial

If Ataraxia GRC offers a free trial, such trial access is provided “as is” with no service level commitments, no support guarantees, and no warranty of availability. Ataraxia GRC may terminate or modify any free trial at any time without notice.

4.3 Payment

All payments are processed through Stripe, Inc. Fees are quoted and payable in United States dollars. Subscription fees are billed on a recurring basis (monthly or annually, as selected). Customer authorizes Ataraxia GRC to charge the payment method on file for all applicable fees. All fees are exclusive of taxes, and Customer is responsible for all applicable taxes, duties, and government-imposed charges.

4.4 Price Changes

Ataraxia GRC may modify pricing with at least 30 days’ prior written notice via email. Price changes take effect at the beginning of the next Subscription Term following the notice period. Continued use of the Service after a price change constitutes acceptance of the new pricing.

4.5 Refund Policy

Monthly subscriptions: No refunds are provided for partial months. Cancellations take effect at the end of the current billing cycle.

Annual subscriptions: A pro-rata refund may be requested within 30 days of the initial purchase or renewal date. After 30 days, annual subscriptions are non-refundable and cancellations take effect at the end of the annual term.

5. Customer Data

5.1 Ownership

Customer retains all right, title, and interest in and to Customer Data. Nothing in this Agreement transfers ownership of Customer Data to Ataraxia GRC.

5.2 License Grant

Customer grants Ataraxia GRC a limited, non-exclusive, worldwide license to use, process, store, and display Customer Data solely for the purposes of (a) providing and maintaining the Service, (b) improving the Service, and (c) generating anonymized, aggregated insights that do not identify Customer or any individual. This license terminates upon deletion of Customer Data or termination of the Agreement, except for anonymized aggregate data.

5.3 CUI Warning

IMPORTANT — CONTROLLED UNCLASSIFIED INFORMATION: Customer shall NOT upload, store, or process actual Controlled Unclassified Information (CUI) through the Service unless Ataraxia GRC has confirmed in writing that the hosting environment meets applicable safeguarding requirements (including NIST SP 800-171 and any applicable DFARS requirements).

The Service is designed to manage compliance metadata, assessment data, and documentation — not to store or process CUI itself. If Customer uploads CUI in violation of this section, Customer does so at its own risk and sole liability.

5.4 Data Export

Upon termination of this Agreement, Customer will have 30 days to export Customer Data in standard formats through the Service’s export functionality. After the 30-day export window, Ataraxia GRC may delete Customer Data in accordance with its data retention policy.

5.5 Security Measures

Ataraxia GRC implements and maintains commercially reasonable security measures, including:

  • Encryption in transit using TLS 1.2 or higher
  • Encryption at rest using AES-256
  • Row-level security (RLS) policies in the database
  • Role-based access control (RBAC)
  • Comprehensive audit logging of access and state changes

6. Acceptable Use

6.1 Permitted Use

Customer may use the Service for its internal business purposes related to CMMC compliance management, assessment, documentation, and remediation tracking.

6.2 Prohibited Conduct

Customer shall not:

  • Submit false or knowingly inaccurate SPRS scores to the Department of Defense using information derived from the Service
  • Use the Service to facilitate fraud, including violations of the False Claims Act (31 U.S.C. §3729–3733)
  • Reverse engineer, decompile, disassemble, or otherwise attempt to derive the source code of the Service
  • Share, sublicense, or provide access to the Service to unauthorized third parties
  • Use the Service in violation of any applicable law or regulation
  • Interfere with, disrupt, or impose an unreasonable burden on the Service or its infrastructure
  • Attempt to gain unauthorized access to any part of the Service, other accounts, or related systems
  • Upload, transmit, or distribute malware, viruses, or other harmful code
  • Scrape, harvest, or collect data from the Service through automated means without prior written consent
  • Misrepresent compliance status or use the Service to create a false impression of cybersecurity posture

7. Intellectual Property

7.1 Service Ownership

The Service, including its software, algorithms, user interface, compilation of compliance data, scoring methodologies, AI models, documentation, and all related intellectual property, is and remains the sole property of Ataraxia GRC or its licensors. This Agreement does not convey to Customer any ownership interest in the Service.

7.2 Feedback

If Customer provides suggestions, enhancement requests, feedback, or other input regarding the Service (“Feedback”), Customer grants Ataraxia GRC a perpetual, irrevocable, worldwide, royalty-free license to use, modify, and incorporate such Feedback into the Service without obligation or compensation.

7.3 Government Content

NIST publications, CMMC assessment guides, CFR text, and other U.S. government publications incorporated into or referenced by the Service are in the public domain. Ataraxia GRC’s intellectual property resides in its methodology, algorithms, user interface, compilation of data, scoring engines, and the unique presentation and organization of such government content.

8. Confidentiality

Each party (“Receiving Party”) agrees to hold in confidence all non-public information disclosed by the other party (“Disclosing Party”) that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and circumstances of disclosure (“Confidential Information”).

The Receiving Party shall not disclose Confidential Information to any third party except to its employees, contractors, and advisors who have a need to know and are bound by confidentiality obligations at least as protective as those herein.

Confidentiality obligations do not apply to information that:

  • Is or becomes publicly available through no fault of the Receiving Party
  • Was rightfully in the Receiving Party’s possession prior to disclosure
  • Is independently developed by the Receiving Party without use of Confidential Information
  • Is rightfully received from a third party without restriction on disclosure
  • Is required to be disclosed by law, regulation, or court order, provided the Receiving Party gives prompt notice to the Disclosing Party

9. Warranties and Disclaimers

9.1 Limited Warranty

Ataraxia GRC warrants that the Service will perform materially in accordance with the Documentation during the Subscription Term. If the Service does not conform to this warranty, Customer’s sole and exclusive remedy is for Ataraxia GRC to, at its option, (a) repair or replace the non-conforming functionality, or (b) terminate the Agreement and provide a pro-rata refund of prepaid fees for the remaining Subscription Term.

9.2 Disclaimer of Warranties

EXCEPT FOR THE LIMITED WARRANTY IN SECTION 9.1, THE SERVICE IS PROVIDED “AS IS” AND “AS AVAILABLE.” ATARAXIA GRC DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND ANY WARRANTIES ARISING FROM COURSE OF DEALING OR USAGE OF TRADE.

9.3 Specific Compliance Disclaimers

ATARAXIA GRC MAKES NO WARRANTY OR REPRESENTATION THAT:

  • Use of the Service will result in compliance with any law, regulation, or standard, including CMMC, NIST SP 800-171, or DFARS
  • SPRS scores calculated by the Service will be accurate, complete, or accepted by the Department of Defense
  • Documents generated by the Service (including SSPs, POA&Ms, and policies) will be accepted by any assessor, auditor, or government agency
  • The Service will protect Customer from False Claims Act liability, DOJ enforcement actions, or loss of government contracts
  • AI-generated content will be accurate, complete, or suitable for Customer’s specific circumstances

10. Limitation of Liability

10.1 Exclusion of Consequential Damages

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL ATARAXIA GRC, ITS AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, OR AGENTS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, REGARDLESS OF THE THEORY OF LIABILITY. This includes, without limitation, damages for loss of profits, revenue, data, business opportunities, goodwill, or anticipated savings, even if Ataraxia GRC has been advised of the possibility of such damages.

10.2 Aggregate Liability Cap

ATARAXIA GRC’S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT SHALL NOT EXCEED THE GREATER OF: (A) THE TOTAL FEES PAID BY CUSTOMER TO ATARAXIA GRC DURING THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM, OR (B) ONE HUNDRED UNITED STATES DOLLARS ($100).

10.3 Specific Exclusions

Without limiting the generality of the foregoing, Ataraxia GRC shall have no liability whatsoever for:

  • False Claims Act penalties, fines, or damages arising from inaccurate SPRS score submissions by Customer
  • Loss of government contracts or subcontracts resulting from non-compliance with CMMC or any other requirement
  • Failed C3PAO assessments or denial of CMMC certification at any level
  • Customer’s failure to independently review and verify Service outputs, including AI-generated content
  • Unauthorized access resulting from Customer’s failure to maintain adequate account security
  • Any liability arising from Customer’s uploading of CUI in violation of Section 5.3

10.4 Basis of the Bargain

Customer acknowledges that Ataraxia GRC has set its fees and entered into this Agreement in reliance upon the limitations of liability and disclaimers of warranties set forth herein, and that the same form an essential basis of the bargain between the parties. The parties agree that the limitations and exclusions of liability set forth in this Section 10 will apply even if any limited remedy is found to have failed of its essential purpose.

10.5 Carve-Outs

The limitations in this Section 10 do not apply to: (a) indemnification obligations under Section 11, (b) Customer’s payment obligations, (c) either party’s breach of confidentiality obligations, or (d) either party’s gross negligence or willful misconduct.

11. Indemnification

11.1 By Customer

Customer shall indemnify, defend, and hold harmless Ataraxia GRC and its affiliates, officers, directors, employees, and agents from and against any third-party claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys’ fees) arising from or related to:

  • Customer’s SPRS score submissions to the Department of Defense or any government agency
  • False Claims Act violations or other fraud allegations arising from Customer’s use of the Service
  • Customer’s breach of this Agreement
  • Intellectual property claims related to Customer Data
  • Customer’s uploading of CUI in violation of Section 5.3

11.2 By Ataraxia GRC

Ataraxia GRC shall indemnify, defend, and hold harmless Customer from and against any third-party claims alleging that the Service, as provided by Ataraxia GRC, infringes a valid United States patent, copyright, or trademark of a third party.

11.3 Procedure

The indemnified party shall: (a) promptly notify the indemnifying party in writing of any claim, (b) grant the indemnifying party sole control of the defense and settlement of the claim, and (c) provide reasonable cooperation at the indemnifying party’s expense. Failure to provide prompt notice shall not relieve the indemnifying party of its obligations except to the extent materially prejudiced by such failure.

12. Dispute Resolution

12.1 Informal Resolution

Before initiating any formal dispute resolution, the parties agree to attempt to resolve any dispute through good faith negotiation for a period of sixty (60) days following written notice of the dispute. Notice shall be sent to legal@ataraxiagrc.com.

12.2 Binding Arbitration

Any dispute not resolved through informal negotiation shall be finally resolved by binding arbitration administered by JAMS under its Streamlined Arbitration Rules and Procedures. The arbitration shall be conducted by a single arbitrator in Durango, Colorado (or by video conference at the arbitrator’s discretion). The proceedings shall be conducted in English. The arbitrator’s decision shall be final and binding, and judgment may be entered in any court of competent jurisdiction.

12.3 Exceptions

Notwithstanding Section 12.2, either party may seek injunctive or other equitable relief in any court of competent jurisdiction to protect its intellectual property rights or Confidential Information. Either party may also bring claims in small claims court if the claims qualify.

12.4 Class Action Waiver

ALL CLAIMS AND DISPUTES MUST BE BROUGHT IN THE PARTIES’ INDIVIDUAL CAPACITY AND NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY PURPORTED CLASS, COLLECTIVE, OR REPRESENTATIVE PROCEEDING. THE ARBITRATOR MAY NOT CONSOLIDATE MORE THAN ONE PERSON’S CLAIMS AND MAY NOT PRESIDE OVER ANY FORM OF A REPRESENTATIVE OR CLASS PROCEEDING. BOTH PARTIES WAIVE ANY RIGHT TO A JURY TRIAL.

12.5 Governing Law

This Agreement shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of laws principles.

13. Term and Termination

13.1 Effective Date

This Agreement is effective as of the date Customer first accesses or uses the Service, or clicks to accept this Agreement, whichever occurs first.

13.2 Cancellation by Customer

Customer may cancel its subscription at any time through the Service’s account settings or by contacting support@ataraxiagrc.com. Cancellations take effect at the end of the current billing cycle.

13.3 Termination by Ataraxia GRC

Ataraxia GRC may terminate this Agreement:

  • For material breach by Customer, upon 30 days’ written notice if the breach remains uncured
  • For non-payment, upon 10 days’ written notice
  • Immediately if Customer’s use poses a security risk to the Service or other customers
  • Immediately if required by law, regulation, or court order
  • For convenience, upon 60 days’ written notice with a pro-rata refund of prepaid fees

13.4 Effect of Termination

Upon termination: (a) Customer’s access to the Service ceases immediately (except during the 30-day export window described in Section 5.4), (b) Customer shall pay any outstanding fees, and (c) each party shall return or destroy the other party’s Confidential Information.

The following sections survive termination: 1 (Definitions), 5.1 (Ownership), 7 (Intellectual Property), 8 (Confidentiality), 9.2 and 9.3 (Disclaimers), 10 (Limitation of Liability), 11 (Indemnification), 12 (Dispute Resolution), and 14 (General Provisions).

14. General Provisions

14.1 Entire Agreement

This Agreement, together with any Order Form, the Privacy Policy, and the Acceptable Use Policy, constitutes the entire agreement between the parties regarding the subject matter hereof and supersedes all prior agreements, understandings, and representations.

14.2 Amendments

Ataraxia GRC may update this Agreement by providing at least 30 days’ notice via email to the address associated with Customer’s account. Material changes will be highlighted in the notification. Continued use of the Service after the effective date of any amendment constitutes acceptance of the updated terms.

14.3 Severability

If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall continue in full force and effect, and the invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable.

14.4 Waiver

The failure of either party to enforce any right or provision of this Agreement shall not constitute a waiver of such right or provision.

14.5 Assignment

Customer may not assign this Agreement without Ataraxia GRC’s prior written consent. Ataraxia GRC may assign this Agreement in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets without Customer’s consent.

14.6 Force Majeure

Neither party shall be liable for delays or failures in performance resulting from causes beyond its reasonable control, including natural disasters, war, terrorism, government actions, pandemic, internet disruptions, or infrastructure failures. Payment obligations are excluded from force majeure.

14.7 Independent Contractors

The parties are independent contractors. Nothing in this Agreement creates a partnership, joint venture, agency, or employment relationship.

14.8 Notices

All notices under this Agreement shall be sent via email with confirmation of delivery. Notices to Ataraxia GRC shall be sent to legal@ataraxiagrc.com. Notices to Customer shall be sent to the email address associated with Customer’s account.

14.9 Export Compliance

Customer shall comply with all applicable export control laws and regulations, including the Export Administration Regulations (EAR) and International Traffic in Arms Regulations (ITAR), in connection with its use of the Service.

14.10 Government Terms

The Service is a “commercial item” as defined under 48 CFR §2.101, consisting of “commercial computer software” and “commercial computer software documentation,” as such terms are used in 48 CFR 12.212. If acquired by a U.S. government agency, use, duplication, and disclosure are subject to the terms of this Agreement.

Contact

For questions about these Terms of Service, contact us at legal@ataraxiagrc.com.