Terms & Conditions of Service

Effective Date: May 13, 2026 · Version 2.0 · Service: AI Governance Phase 0™ Assessment for Law Firms · Operator: Telcloud, LLC d/b/a KeaneAdvisors.AI

1. Acceptance of Terms

1.1 Parties. These Terms & Conditions ("Terms") constitute a legally binding agreement between you ("User," "you," or "your") and Telcloud, LLC, a South Carolina limited liability company, doing business as KeaneAdvisors.AI ("Company," "we," "us," or "our"), governing your access to and use of the AI Governance Phase 0™ Assessment for Law Firms, operated under the brand Defensible AI™ For Small & Midsize Law Firms (collectively, the "Service"), accessible at app.keaneadvisors.ai and related subdomains.

1.2 Incorporated Documents. These Terms incorporate by reference: (a) our Privacy Policy at app.keaneadvisors.ai/privacy; (b) the Data Processing Addendum ("DPA") set forth at Appendix A; (c) the Acceptable Use Policy ("AUP") set forth at Appendix B; and (d) the Service Level commitments set forth in Section 11B. In the event of a conflict between these Terms and any incorporated document, these Terms control unless the incorporated document expressly states otherwise with respect to a specific subject matter.

1.3 Assent. By registering for an account, clicking "I agree," or otherwise accessing or using any portion of the Service, you represent that you have read, understood, and agree to be bound by these Terms and the documents incorporated by reference.

1.4 Authority. If you are accessing the Service on behalf of a law firm or other organization, you represent that you have authority to bind that organization, and "you" and "your" refer to that organization as well.

2. Description of Services

The Service is a structured self-assessment platform that enables law firms to evaluate their artificial intelligence governance posture against the ABA Model Rules of Professional Conduct and organizational best practices. Core features include:

• A 100+ control AI governance assessment organized across multiple domains
• An interactive Defensibility Score™ dashboard with category-level scoring
• PDF Defensibility Report download (paid plans only)
• Progress Report — multi-assessment trend matrix tracking governance improvement over time (paid plans)
• Vendor inventory tracking and evaluation workflow (paid plans)
• Assessment cloning to track changes over time (paid plans)
• Optional Letter of Agency enabling Company to conduct vendor discussions on behalf of your firm (see Section 9)

We reserve the right to modify, enhance, or discontinue any feature of the Service at any time. Material reductions to paid plan features will be communicated at least thirty (30) days in advance and trigger the change rights described in Section 16.

3. Plans & Pricing

3.1 Subscription Tiers. The Service is offered under the tiers below. Pricing is in U.S. Dollars. Total minimum annual obligation is shown for transparency.

Plan	Firm Size	Annual — Paid Monthly	Annual — Paid Upfront	Minimum Annual Obligation
Starter (Free)	1–19 attorneys	$0 / month	$0 / year	None
Small Firm	20–49 attorneys	$19.95 / month	$199.50 / year (save ~17%)	$239.40 (monthly) or $199.50 (upfront)
Midsize Firm	50+ attorneys	$29.95 / month	$299.40 / year (save ~17%)	$359.40 (monthly) or $299.40 (upfront)

3.2 Inclusions. All paid plans include unlimited saved assessments, PDF report generation, Progress Report access, vendor inventory, and assessment cloning. The Starter plan is limited to one saved assessment and does not include PDF reports or the Progress Report.

3.3 Final Pricing. Pricing displayed at checkout is final and inclusive of all Service fees. Applicable taxes, if any, may be added depending on your jurisdiction.

3.4 Pricing Changes. We may change pricing with at least thirty (30) days' written notice to current subscribers. Price changes apply only at the start of the next Renewal Term and do not affect any active Commitment Period.

4. Billing & Payment

4.1 Payment Processor. All payments are processed securely through Stripe, Inc. By subscribing to a paid plan, you authorize Company to charge your designated payment method for the applicable subscription fee on a recurring basis.

4.2 Billing Cadence.

1. Annual — Paid Monthly: Your card is charged on the same date each month corresponding to the date your subscription began, for twelve consecutive months per Commitment Period.
2. Annual — Paid Upfront: Your card is charged the full annual amount on the date your subscription begins and at each annual renewal anniversary thereafter.

4.3 Failed Payments. If a payment fails, we will retry the charge and notify you by email. Failure to cure a payment delinquency within seven (7) days may result in suspension or downgrade of your account to the Starter plan. You remain responsible for any amounts owed during the delinquency period and for the remainder of any active Commitment Period.

4.4 Currency. All prices are quoted and charged in U.S. Dollars. Company is not responsible for foreign transaction fees or currency conversion charges applied by your financial institution.

5. Term, Commitment Period, Renewal, and Plan Changes

5.1 Commitment Period. All paid subscriptions — whether billed monthly or annually — include a one (1) year minimum commitment period ("Commitment Period") beginning on the date of your first successful payment ("Contract Start Date").

5.2 Auto-Renewal. After the initial Commitment Period, your subscription will automatically renew for successive one-year Renewal Terms at the then-current price for your plan, unless you cancel auto-renewal at least one (1) day before the next renewal date through the billing portal or by contacting support@keaneadvisors.ai. We will send you a renewal reminder email at least thirty (30) days before each auto-renewal date.

5.3 Upgrades. You may upgrade to a higher plan at any time. Upgrades take effect immediately. If you are on an Annual — Paid Upfront plan, your unused prepaid balance will be applied as a prorated credit toward the upgraded plan and you will be charged only the difference. A new twelve-month Commitment Period begins on the date of the upgrade.

5.4 Downgrades. You may request a downgrade to a lower plan at any time. Your current plan remains active and fully billed through the end of your Commitment Period. The downgrade takes effect on the first billing date following the end of your Commitment Period. No partial-period refunds are issued.

5.5 Plan Changes from Free. Selecting any paid plan while on the Starter (Free) plan initiates a new subscription and a new twelve-month Commitment Period. No trial period is offered for new paid subscriptions initiated from the platform.

6. Cancellation & Service Credits

6.1 Cancellation of Auto-Renewal. You may cancel auto-renewal at any time through the billing portal accessible from your account dashboard (a method as simple as the signup process) or by contacting support@keaneadvisors.ai. Cancellation of auto-renewal stops future billing but does not terminate your current Commitment Period. You will retain full access to your paid plan features through the end of your Commitment Period.

6.2 No Refunds. Except as expressly provided in Sections 6.3 and 16.4, all subscription fees are non-refundable. No refund or credit will be issued for unused time within a billing period or Commitment Period.

6.3 Service Credits. Service credits available under the Service Levels in Section 11B are issued as account credits applied to the next billing cycle. Credits have no cash value and expire on termination.

6.4 Starter Plan. The Starter plan is free and may be terminated by either party at any time without notice or penalty.

7. Intellectual Property

7.1 Company IP. The Service, including its methodology, scoring framework, control library, user interface, reports, and all associated content, is the proprietary property of Company and is protected by United States and international copyright, trademark, and trade secret laws. The following are trademarks and/or service marks of Company:

• AI Governance Phase 0™
• Defensible AI™
• Defensibility Score™

The methodology, control library, scoring algorithms, and report formats are confidential and proprietary trade secrets of Company. Unauthorized reproduction, reverse engineering, decompilation, scraping, derivative-work creation, or commercial use of the methodology or framework is prohibited.

7.2 Customer Data. You retain ownership of all assessment data and responses that you input into the Service ("Customer Data"). By using the Service, you grant Company a limited, non-exclusive, royalty-free, worldwide license to process Customer Data solely to provide the Service to you and to fulfill obligations under these Terms.

7.3 No Model Training. Company will not use Customer Data to train, fine-tune, benchmark, evaluate, or otherwise improve any artificial intelligence or machine learning model, whether for Company's own use or for any third party. This restriction applies to foundation models, retrieval-augmented systems, and any other form of model adaptation.

7.4 Aggregate Data. Company may derive aggregate, anonymized benchmarking data from the platform and use it for product improvement and industry reporting, provided that such data does not identify your firm, any client of your firm, or any individual user, and is not reversible to identify any such party.

7.5 Feedback. If you provide suggestions, ideas, or feedback regarding the Service, Company may use such feedback without restriction or compensation, provided that Company does not identify you as the source.

8. Disclaimer of Legal Advice

8.1 Informational Tool. The Service is an informational self-assessment tool only. It does not constitute legal advice, legal services, or the practice of law, and no attorney-client relationship is created by your use of the Service.

8.2 No Compliance Certification. Assessment results, Defensibility Scores, and any reports generated by the Service reflect self-reported data provided by your firm and are intended to support internal governance planning only. They do not represent a legal opinion, a compliance certification, or a guarantee of compliance with any law, regulation, court rule, or professional conduct standard, including the ABA Model Rules of Professional Conduct or any state analog.

8.3 Independent Counsel. You should consult qualified legal counsel for advice regarding compliance with applicable rules of professional conduct, data protection laws, court rules, and any other legal obligations relevant to your firm's use of artificial intelligence.

9. Letter of Agency (Optional Feature)

9.1 Activation. The Letter of Agency ("LOA") is activated only through a separate, dedicated assent flow within the Service. Activation is not effected by acceptance of these Terms alone. By completing the LOA assent flow, you authorize Company to act as your limited agent for the purposes and within the scope described below.

9.2 Authorized Activities. The LOA authorizes Company to: (a) initiate and participate in discussions with your AI-related vendors or potential replacement vendors; (b) request and review proposals, contracts, pricing, and configuration options; (c) provide and receive information necessary to evaluate or improve vendor terms; and (d) recommend courses of action to your firm.

9.3 Scope Limitations. The LOA does NOT authorize Company to: (a) execute or sign any contract on your firm's behalf; (b) make financial commitments on your firm's behalf; (c) accept or reject any vendor proposal without your firm's prior written approval; (d) make any representation regarding your firm's intent to purchase, renew, or terminate without your prior written approval; or (e) bind your firm to any non-disclosure or other agreement with a vendor without your prior written approval.

9.4 Vendor Confidentiality. Company will treat all information obtained from vendors under the LOA as confidential to the same standard as Customer Data under Section 11A. Company will not share vendor-side confidential information with other Company customers.

9.5 Customer Indemnity Carve-Back. You agree to indemnify Company against claims brought by a vendor arising from accurate representations made by Company within the scope of the LOA. This carve-back does not apply to claims arising from Company's negligent or unauthorized acts.

9.6 Billing Independence. All vendor billing continues to be paid directly by your firm. Any new or revised vendor agreement takes effect only after your firm has reviewed and expressly agreed to its terms in writing.

9.7 Revocation. The LOA may be revoked at any time by written notice to support@keaneadvisors.ai. Revocation is effective upon Company's acknowledgment of receipt, which Company will provide within two (2) business days. Activities undertaken in good faith by Company before acknowledgment remain authorized.

10. User Responsibilities & Acceptable Use

10.1 General Obligations. You agree that you will:

1. provide accurate, complete, and current information when creating your account and completing assessments;
2. maintain the confidentiality of your account credentials and notify us immediately of any unauthorized access;
3. use the Service solely for lawful purposes and in compliance with these Terms and the Acceptable Use Policy at Appendix B;
4. not share your account credentials with third parties outside your firm;
5. not misrepresent your firm's size, attorney count, or other account information to obtain a lower subscription tier.

10.2 Prohibited Conduct. The full list of prohibited uses is set forth in the Acceptable Use Policy at Appendix B. Without limiting that policy, you will not: reverse engineer the Service, conduct unauthorized security testing, use the Service to build a competing product, defame or harass Company or its customers, or use the Service in violation of U.S. export control or sanctions law.

10.3 Enforcement. We reserve the right to suspend or terminate accounts that violate these obligations or the Acceptable Use Policy, without refund of any fees paid for the remainder of the Commitment Period.

11. Data & Privacy

11.1 Privacy Policy. Our collection and use of personal and firm data is governed by our Privacy Policy at app.keaneadvisors.ai/privacy, which is incorporated by reference. By using the Service, you consent to the data practices described therein.

11.2 Data Processing Addendum. The DPA at Appendix A governs Company's processing of Customer Data on your behalf, including roles, sub-processor management, security measures, breach notification, audit rights, and data residency.

11.3 Storage. Customer Data is stored in encrypted databases located in the United States. Company implements administrative, technical, and physical safeguards designed to protect Customer Data against unauthorized access, loss, alteration, or disclosure.

11.4 Deletion. You may request deletion of your account and associated Customer Data at any time by contacting support@keaneadvisors.ai. Company will fulfill deletion requests within thirty (30) days, subject to any legal retention obligations and Company's right to retain de-identified aggregate data as permitted under Section 7.4.

11.5 Breach Notification. In the event of a confirmed security incident affecting Customer Data, Company will notify you without unreasonable delay and in no event later than seventy-two (72) hours after Company's confirmation of the incident, consistent with S.C. Code §39-1-90 and applicable federal and state breach notification laws.

11A. Confidentiality

11A.1 Definition. "Confidential Information" means any non-public information disclosed by one party (the "Disclosing Party") to the other (the "Receiving Party") that is identified as confidential or that a reasonable person would understand to be confidential given its nature and the circumstances of disclosure. Company's Confidential Information includes the methodology, control library, scoring algorithms, and product roadmap. Your Confidential Information includes Customer Data, your firm's identity and that of your clients (where disclosed), assessment responses, Defensibility Scores, and vendor inventory entries.

11A.2 Obligations. The Receiving Party will: (a) use Confidential Information solely to perform its obligations or exercise its rights under these Terms; (b) protect Confidential Information using at least the same degree of care it uses to protect its own confidential information, and in no event less than a reasonable degree of care; and (c) limit access to Confidential Information to its employees, contractors, and professional advisors who have a need to know and who are bound by written confidentiality obligations no less protective than this Section.

11A.3 Exclusions. Confidential Information does not include information that: (a) is or becomes publicly available through no breach of these Terms; (b) was rightfully in the Receiving Party's possession without confidentiality obligation prior to disclosure; (c) is independently developed without reference to the Disclosing Party's Confidential Information; or (d) is rightfully obtained from a third party without confidentiality obligation.

11A.4 Compelled Disclosure. If compelled by legal process to disclose Confidential Information, the Receiving Party will, where legally permitted, provide prompt notice to the Disclosing Party to allow the Disclosing Party to seek a protective order.

11A.5 Non-Identification of Firm. Without limiting the foregoing, Company will not disclose to any third party the identity of any firm using the Service, any firm's Defensibility Score, or any firm's specific assessment responses, except (a) with your prior written consent, (b) to sub-processors bound by written confidentiality and processing obligations consistent with the DPA, or (c) as required by legal process subject to Section 11A.4.

11A.6 Duration. Confidentiality obligations under this Section survive termination of these Terms for a period of five (5) years, except that obligations with respect to information constituting a trade secret survive for so long as such information remains a trade secret under applicable law.

11A.7 Rule 1.6 Acknowledgment. Company acknowledges that customers subject to the ABA Model Rules of Professional Conduct and state analogs have professional confidentiality obligations under Rule 1.6 and equivalent rules. Company's obligations under this Section and the DPA are intended to support customers' reasonable efforts to comply with those obligations.

11B. Security and Service Levels

11B.1 Security Measures. Company maintains administrative, technical, and physical safeguards as further described in the DPA at Appendix A, including encryption of Customer Data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent), role-based access controls, multi-factor authentication for administrative accounts, logging and monitoring, and annual security review.

11B.2 Uptime Commitment. Company will use commercially reasonable efforts to make the Service available at least 99.5% of the time, measured monthly, excluding: (a) scheduled maintenance announced at least forty-eight (48) hours in advance; (b) emergency maintenance; (c) force majeure events; (d) outages caused by Customer or third-party services not under Company's control; and (e) outages on the Starter (Free) plan, which is provided on an "as available" basis only.

11B.3 Service Credits. If monthly availability falls below 99.5% for paid plans, Customer may request a credit equal to 10% of that month's subscription fee for each 0.5% below 99.5%, up to a maximum credit of 50% of that month's fee. Credit requests must be submitted to support@keaneadvisors.ai within thirty (30) days of the end of the affected month. Service credits are Customer's sole and exclusive remedy for availability shortfalls.

12. Disclaimers & Limitation of Liability

12.1 "AS IS" Disclaimer. EXCEPT AS EXPRESSLY PROVIDED IN THESE TERMS, THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. COMPANY DOES NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED, ERROR-FREE, OR FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS.

12.2 Exclusion of Indirect Damages. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL COMPANY, ITS OFFICERS, DIRECTORS, EMPLOYEES, OR AFFILIATES BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING LOST PROFITS, LOST DATA, OR BUSINESS INTERRUPTION, ARISING FROM YOUR USE OF OR INABILITY TO USE THE SERVICE, EVEN IF COMPANY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

12.3 Aggregate Cap. COMPANY'S TOTAL CUMULATIVE LIABILITY TO YOU FOR ALL CLAIMS ARISING OUT OF OR RELATED TO THE SERVICE SHALL NOT EXCEED THE TOTAL AMOUNT YOU PAID TO COMPANY IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE CLAIM.

12.4 Jurisdictional Limits. Some jurisdictions do not allow the exclusion or limitation of certain warranties or liabilities. In such jurisdictions, Company's liability is limited to the maximum extent permitted by law.

12.5 Carve-Outs. The limitations in this Section 12 do not apply to: (a) a party's indemnification obligations under Section 13; (b) a party's breach of Section 11A (Confidentiality); (c) Company's gross negligence or willful misconduct; or (d) liability that cannot be limited under applicable law.

13. Indemnification

13.1 By Customer. You agree to indemnify, defend, and hold harmless Company and its officers, directors, employees, agents, and affiliates from and against any third-party claims, liabilities, damages, judgments, awards, losses, costs, or expenses (including reasonable attorneys' fees) arising out of or relating to: (a) your use of or access to the Service; (b) your violation of these Terms; (c) your violation of any applicable law or the rights of any third party; (d) any Customer Data or other content you submit through the Service; or (e) any representations made by Company within the scope of an LOA you authorized.

13.2 By Company. Company will indemnify, defend, and hold harmless Customer from and against third-party claims alleging that the Service, as provided by Company and used in accordance with these Terms, infringes a U.S. patent, copyright, or trademark, or misappropriates a trade secret. Company's obligation does not apply to claims arising from: (a) Customer Data; (b) modifications to the Service not made by Company; (c) combination of the Service with products or services not provided by Company; or (d) use of the Service after Company has notified Customer to discontinue such use. Company's total liability under this Section 13.2 is subject to the cap in Section 12.3.

13.3 Procedure. The indemnified party will: (a) promptly notify the indemnifying party of the claim; (b) grant the indemnifying party sole control of the defense and settlement, provided that no settlement requiring an admission of liability or payment by the indemnified party may be entered without the indemnified party's consent; and (c) provide reasonable cooperation at the indemnifying party's expense.

14. Termination

14.1 By You. You may cancel auto-renewal at any time as set forth in Section 6.1.

14.2 By Company. Company may suspend or terminate your access to the Service, with or without notice, if you materially breach these Terms, if your account is involved in fraudulent activity, or if continuation of the Service to you would expose Company to legal liability. In the event of termination for cause, no refund will be issued.

14.3 Effect of Termination. Upon termination, your right to access the Service ceases. Customer Data associated with your account will be retained for thirty (30) days following termination, after which it may be permanently deleted. You may request an export of Customer Data before termination takes effect.

14.4 Survival. The following Sections survive termination: 4 (with respect to payment obligations accrued prior to termination), 7, 8, 10 (to the extent applicable to retained materials), 11 (including deletion obligations), 11A, 12, 13, 14, 15, and 17, together with the DPA at Appendix A and AUP at Appendix B to the extent applicable.

15. Governing Law, Arbitration, and Class Action Waiver

15.1 Governing Law. These Terms shall be governed by and construed in accordance with the laws of the State of South Carolina, without regard to its conflict of law provisions. The Federal Arbitration Act, 9 U.S.C. §§ 1 et seq., governs the interpretation and enforcement of Section 15.3 (Arbitration).

15.2 Informal Resolution. Before initiating arbitration, the parties will attempt in good faith to resolve any dispute through informal negotiation for at least thirty (30) days after written notice from one party to the other describing the dispute.

15.3 Binding Arbitration. Any dispute arising out of or relating to these Terms or the Service that is not resolved through informal negotiation shall be submitted to binding arbitration administered by the American Arbitration Association ("AAA") under its Commercial Arbitration Rules, conducted in English in Bluffton, Beaufort County, South Carolina. Judgment on the arbitration award may be entered in any court of competent jurisdiction.

15.4 Delegation. The arbitrator, and not any federal, state, or local court or agency, has exclusive authority to resolve any dispute concerning the interpretation, applicability, enforceability, or formation of this arbitration provision, including any claim that all or part of this arbitration provision is void or voidable.

15.5 Class Action Waiver. YOU AND COMPANY EACH WAIVE ANY RIGHT TO PARTICIPATE IN A CLASS ACTION LAWSUIT, CLASS-WIDE ARBITRATION, OR CONSOLIDATED ARBITRATION AGAINST THE OTHER PARTY. The arbitrator may not consolidate more than one person's claims and may not preside over any form of representative or class proceeding.

15.6 30-Day Right to Opt Out. You may opt out of the arbitration provisions in Sections 15.3 through 15.5 by sending written notice of your decision to opt out to support@keaneadvisors.ai within thirty (30) days after the date you first accept these Terms. The notice must include your name, email associated with the account, firm name, and a clear statement that you wish to opt out of arbitration. Opting out will not affect any other provision of these Terms.

15.7 Equitable Relief. Notwithstanding the foregoing, either party may seek injunctive or other equitable relief in any court of competent jurisdiction to prevent irreparable harm, including misappropriation of Confidential Information or intellectual property.

16. Changes to These Terms

16.1 Right to Modify. Company may modify these Terms from time to time. Modifications take effect as set forth below.

16.2 Non-Material Changes. Non-material changes (such as clarifications, contact information updates, or non-substantive edits) take effect when posted, with the effective date updated at the top of the Terms.

16.3 Material Changes. Company will provide at least thirty (30) days' advance email notice of any material change. A "material change" includes any change that materially reduces your rights, materially increases your obligations, alters pricing for an active Commitment Period, narrows Section 11A (Confidentiality), or modifies Section 15 (Arbitration).

16.4 Acceptance of Material Changes. To accept material changes, you must affirmatively re-accept the Terms at next login through a notice presented within the Service. If you do not accept, you may terminate your subscription effective immediately by notifying support@keaneadvisors.ai. In such case, Company will refund a prorated portion of any prepaid fees corresponding to the unused remainder of your current Commitment Period.

16.5 Versioning. Company maintains a public history of Terms versions at app.keaneadvisors.ai/terms/history.

17. Miscellaneous

17.1 Entire Agreement. These Terms, together with the Privacy Policy, the DPA at Appendix A, the AUP at Appendix B, and any applicable order forms or checkout confirmations, constitute the entire agreement between you and Company with respect to the Service and supersede all prior agreements regarding the same subject matter.

17.2 Severability. If any provision of these Terms is found to be unenforceable, the remaining provisions will continue in full force and effect, and the unenforceable provision will be modified to the minimum extent necessary to render it enforceable while preserving the parties' intent.

17.3 Waiver. Company's failure to enforce any right or provision of these Terms shall not constitute a waiver of that right or provision.

17.4 Assignment. You may not assign these Terms or any rights hereunder without Company's prior written consent. Company may assign these Terms in connection with a merger, acquisition, reorganization, or sale of substantially all of its assets, with notice to you.

17.5 Force Majeure. Neither party shall be liable for delays or failures in performance resulting from causes beyond their reasonable control, including natural disasters, acts of government, pandemics, civil unrest, cyber events not caused by the affected party's negligence, internet infrastructure failures, or failures of third-party services.

17.6 No Agency. Except as expressly set forth in Section 9 (LOA), nothing in these Terms creates a partnership, joint venture, employment, or agency relationship between the parties.

17.7 No Third-Party Beneficiaries. These Terms are for the sole benefit of the parties and do not confer any rights upon any third party.

17.8 Notices. Notices to Company shall be sent to support@keaneadvisors.ai. Notices to you shall be sent to the email address associated with your account. Notices are deemed delivered on the date of transmission, provided no bounce-back or delivery failure is received.

17.9 Headings. Section headings are for convenience only and do not affect interpretation.

17.10 Construction. These Terms have been drafted by both parties through arms-length negotiation and shall not be construed against either party as the drafter.

18. Contact Information

For questions about these Terms, billing inquiries, data deletion requests, arbitration opt-out, or LOA revocations:

Telcloud, LLC d/b/a KeaneAdvisors.AI
Email: support@keaneadvisors.ai
Website: keaneadvisors.ai

Appendix A — Data Processing Addendum

Forms part of, and is incorporated into, the Terms & Conditions of Service.

A.1 Definitions

For purposes of this DPA: "Applicable Data Protection Laws" means all U.S. federal and state laws and regulations applicable to the processing of Personal Data under these Terms, including state breach-notification laws and state consumer privacy laws to the extent applicable. "Controller" means the entity that determines the purposes and means of processing Personal Data; for purposes of this DPA, Customer is the Controller. "Processor" means the entity that processes Personal Data on behalf of the Controller; for purposes of this DPA, Company is the Processor. "Personal Data" means any information within Customer Data that identifies or could reasonably be used to identify a natural person. "Sub-processor" means a third party engaged by Company to process Personal Data on Customer's behalf. Capitalized terms not defined here have the meanings given in the Terms.

A.2 Roles and Scope of Processing

• Subject matter: Company's processing of Customer Data to provide the Service.
• Duration: The term of the Customer's subscription plus the data-retention period in Section 11.4 of the Terms.
• Nature and purpose: Hosting, storing, transmitting, displaying, and analyzing Customer Data solely to provide and support the Service, including assessment scoring, report generation, vendor inventory, and account administration.
• Categories of data subjects: Customer's personnel who use the Service (typically attorneys, IT staff, and firm administrators).
• Categories of Personal Data: Name, business email, business role, firm name and size, assessment responses, vendor inventory entries, and authentication and usage logs. Customer is responsible for ensuring that Customer Data does not contain client-confidential information beyond what is reasonably necessary for the assessment.

A.3 Processor Obligations

Company will: (a) process Personal Data only on documented instructions from Customer, including as set forth in the Terms and this DPA; (b) ensure that personnel authorized to process Personal Data are subject to written confidentiality obligations; (c) implement the technical and organizational measures described in Section A.6; (d) assist Customer, taking into account the nature of processing, in fulfilling Customer's obligations to respond to requests from data subjects and to cooperate with supervisory authorities; (e) notify Customer of any binding legal request for disclosure of Personal Data, except where prohibited by law; and (f) not sell Personal Data within the meaning of any Applicable Data Protection Law.

A.4 Sub-Processors

Customer authorizes Company to engage the Sub-processors listed below to process Personal Data in connection with the Service. Each Sub-processor is bound by written agreement to confidentiality and data-protection obligations consistent with this DPA.

Sub-processor	Purpose	Location
Stripe, Inc.	Payment processing	United States
Squarespace, Inc.	Marketing-site hosting and content delivery	United States
Google LLC (Google Workspace, Google Cloud)	Business email, document storage, form intake	United States
Zapier, Inc.	Workflow automation for form intake	United States
Anthropic, PBC	AI inference for in-product analysis features, where applicable, under a no-training contract	United States

Company maintains the current list of Sub-processors at app.keaneadvisors.ai/subprocessors and will provide thirty (30) days' advance notice of any new or replacement Sub-processor by email or in-product notice. If Customer reasonably objects to a new Sub-processor on data-protection grounds, Customer may terminate the Service for the affected functionality and receive a prorated refund of prepaid fees corresponding to the unused term.

A.5 No Model Training

Company reaffirms its obligation in Section 7.3 of the Terms: Personal Data and Customer Data will not be used to train, fine-tune, benchmark, evaluate, or otherwise improve any artificial intelligence or machine learning model. Sub-processors engaged for AI inference are contractually bound by no-training and zero-retention or short-retention conditions consistent with this restriction.

A.6 Security Measures

Company implements and maintains the following minimum technical and organizational measures:

• Encryption. TLS 1.2 or higher for data in transit; AES-256 or equivalent for data at rest.
• Access controls. Role-based access control, principle of least privilege, multi-factor authentication for administrative accounts, quarterly access reviews.
• Authentication. Secure password storage using industry-standard hashing; session management with idle and absolute timeouts.
• Network security. Logical isolation of production systems; perimeter and host-based controls; vulnerability monitoring.
• Logging and monitoring. Authentication, administrative, and security-relevant events logged and retained for not less than ninety (90) days.
• Personnel. Background checks where permitted by law; mandatory security and confidentiality training at onboarding and annually thereafter.
• Change management. Documented review and approval for changes affecting security or data handling.
• Incident response. Documented incident-response plan, reviewed at least annually, with defined roles, escalation, and customer-notification procedures.
• Business continuity. Daily encrypted backups with periodic restore testing.
• Vendor management. Written agreements with Sub-processors imposing confidentiality and security obligations consistent with this DPA.

A.7 Personal Data Breach Notification

Company will notify Customer without unreasonable delay, and in no event later than seventy-two (72) hours after Company's confirmation of a Personal Data breach affecting Customer Data, by email to the Customer's designated account contact. The notification will include, to the extent then known: (a) a description of the nature of the breach; (b) the categories and approximate volume of Personal Data affected; (c) likely consequences; and (d) measures taken or proposed to address the breach and mitigate its effects. Company will provide reasonable cooperation with Customer's investigation and any required regulatory notifications.

A.8 Data Subject Rights

Company will, taking into account the nature of processing and the information available, provide reasonable assistance to Customer in responding to requests from individuals to exercise their rights under Applicable Data Protection Laws, including rights of access, correction, deletion, and portability. Customer is responsible for responding to data-subject requests directly; Company will not respond on Customer's behalf except as directed by Customer in writing.

A.9 Audit Rights

Upon reasonable written request not more than once in any twelve-month period (except following a confirmed Personal Data breach), Company will provide Customer with: (a) its then-current security questionnaire (e.g., CAIQ or equivalent) and (b) summary information sufficient to demonstrate compliance with this DPA. Where Customer reasonably requires further assurance, the parties will agree on the scope and conduct of an on-premises or virtual audit, conducted during business hours, subject to confidentiality obligations, and at Customer's expense unless the audit reveals a material breach of this DPA. Audits will not extend to other Company customers' data or to Company's proprietary methodology, control library, or source code.

A.10 Data Return and Deletion

Upon termination or expiration of the Service, Customer may export Customer Data through in-product export functions or by request to support@keaneadvisors.ai prior to the effective date of termination. Following termination, Customer Data will be retained for thirty (30) days during which Customer may request export, after which Company will delete Customer Data from active systems within thirty (30) additional days. Encrypted backup copies will be retained for the standard backup-retention cycle (not to exceed ninety (90) days following deletion from active systems) and will be deleted in the ordinary course.

A.11 Data Residency and International Transfers

Customer Data is stored and primarily processed in data centers located in the United States. Company does not transfer Customer Data outside of the United States except as required for legitimate Service operations through Sub-processors that maintain appropriate safeguards. Company will not transfer Customer Data to any jurisdiction subject to comprehensive U.S. sanctions.

A.12 Term and Liability

This DPA takes effect upon Customer's acceptance of the Terms and remains in effect for the duration of the Service plus any retention period under Section A.10. Each party's liability under this DPA is subject to the limitations of liability in Section 12 of the Terms, including the carve-outs in Section 12.5.

A.13 Order of Precedence

In the event of conflict between this DPA and the Terms with respect to the processing of Personal Data, this DPA controls.

Appendix B — Acceptable Use Policy

Forms part of, and is incorporated into, the Terms & Conditions of Service.

B.1 Purpose

This Acceptable Use Policy ("AUP") describes the conduct that is prohibited in connection with the Service. Compliance with this AUP is a condition of access to and use of the Service. Capitalized terms not defined here have the meanings given in the Terms.

B.2 Lawful Use

You will not use the Service: (a) in violation of any applicable law, regulation, court rule, or rule of professional conduct; (b) in violation of any third party's intellectual property, privacy, publicity, contractual, or other rights; (c) to engage in or facilitate fraud, deceptive practices, or unauthorized practice of law; (d) in violation of U.S. export control laws (the Export Administration Regulations, 15 C.F.R. Parts 730–774) or economic sanctions administered by the U.S. Department of the Treasury Office of Foreign Assets Control (OFAC); or (e) from, or to transfer Service outputs into, any jurisdiction subject to comprehensive U.S. sanctions.

B.3 Prohibited Content and Inputs

You will not submit to the Service: (a) malware, viruses, worms, or other malicious code; (b) content that is defamatory, harassing, threatening, or that incites violence; (c) content that infringes any copyright, trademark, trade secret, or patent right; (d) sensitive personal information beyond what is reasonably necessary for the assessment (for example, do not enter Social Security numbers, account credentials, or specific client matter details); or (e) content protected by the attorney-client privilege of a third party where submission would waive that privilege.

B.4 Security and System Integrity

You will not: (a) attempt to gain unauthorized access to the Service, related systems, or other customers' data; (b) conduct security testing, penetration testing, vulnerability scanning, or red-team activity against the Service without Company's prior written authorization; (c) interfere with or disrupt the integrity or performance of the Service, including through denial-of-service activity, automated traffic floods, or use of bots, scrapers, or similar tools beyond officially documented APIs; (d) circumvent or attempt to circumvent any authentication, rate-limiting, security, or access-control mechanism; or (e) probe, scan, or test the vulnerability of any system associated with the Service.

B.5 Account Integrity

You will: (a) provide accurate registration information, including firm name and attorney count; (b) not misrepresent firm size to obtain a lower subscription tier; (c) maintain the confidentiality of account credentials; (d) not share account credentials with parties outside your firm; (e) promptly notify Company of any suspected unauthorized access; and (f) ensure that each individual user who accesses the Service under your account complies with these Terms and this AUP.

B.6 Intellectual Property Restrictions

You will not: (a) reverse engineer, decompile, disassemble, scrape, or otherwise attempt to derive the source code, methodology, control library, or scoring framework underlying the Service; (b) create derivative works of the Service or its documentation; (c) remove, obscure, or alter any proprietary notice, trademark, or watermark; (d) use the Service or its outputs to develop, train, benchmark, or evaluate any competing product or service; or (e) use the Defensible AI™, AI Governance Phase 0™, or Defensibility Score™ marks except as expressly permitted by Company in writing.

B.7 Conduct Toward Company and Others

You will not use the Service to defame, harass, disparage, or threaten Company, its personnel, or its other customers. You will not impersonate any person or entity or misrepresent your affiliation with any person or entity. You will not use the Service in any manner that exposes Company to legal liability or that brings the Service into disrepute.

B.8 Resource Usage

You will not use the Service in a manner that imposes an unreasonable or disproportionately large load on Company's infrastructure or that interferes with the use of the Service by other customers. Automated or programmatic access is permitted only through officially documented APIs and within published rate limits.

B.9 Reporting Violations

To report a suspected violation of this AUP, contact support@keaneadvisors.ai. Company will investigate reports in a manner proportionate to the alleged conduct.

B.10 Enforcement

Company reserves the right, in its sole discretion, to investigate suspected violations of this AUP and to take any of the following actions: (a) issue a written warning; (b) require remediation within a specified period; (c) suspend access to the Service in whole or in part; (d) terminate the Service for cause under Section 14.2 of the Terms; or (e) refer the matter to law enforcement or other appropriate authorities. No refund will be issued for fees paid for the remainder of the Commitment Period in the event of termination for AUP violation. Company's failure to enforce this AUP in any particular instance does not waive its right to enforce in other instances.

B.11 Updates to this AUP

Company may update this AUP from time to time. Material changes are subject to the change procedure in Section 16 of the Terms.