Terms of Service
Last updated: April 22, 2026
1. Acceptance of Terms
By accessing or using LukaGRC ("Service"), you agree to be bound by these Terms of Service ("Terms"). If you do not agree to these Terms, do not use the Service.
2. Description of Service
LukaGRC provides a cloud-based Governance, Risk, and Compliance (GRC) platform. The Service is a subscription-based SaaS offering that includes, without limitation:
- Security program management with multi-framework support (SOC 2, ISO 27001, NIST CSF, HIPAA, and others)
- Evidence library with cryptographic chain-of-custody (SHA-256 hashing)
- Policy authoring, AI-assisted generation, distribution, and acknowledgment tracking
- Risk register and third-party/vendor risk management (TPRM)
- Questionnaire automation with AI-assisted answers sourced from your own knowledge base and evidence
- Incident management, vulnerability tracking, and change control workflows
- Compliance calendar, review scheduling, and audit-ready reporting
- Public trust center for sharing compliance posture with prospects and auditors
- Integration and evidence-collection connectors
We operate the Service. You use it. These Terms govern that relationship. The specific features available to you depend on your selected plan; see lukagrc.com/pricing for details.
3. Account Registration
To use the Service, you must:
- Create an account with accurate information
- Be at least 18 years of age
- Maintain the security of your account credentials
- Notify us immediately of any unauthorized access
You are responsible for all activities that occur under your account.
4. Acceptable Use
You agree not to:
- Violate any laws or regulations
- Infringe on intellectual property rights
- Upload malicious code or viruses
- Attempt to gain unauthorized access to the Service
- Reverse engineer or decompile the platform
- Use the Service to harm, harass, or impersonate others
- Resell or redistribute the Service without authorization
5. Your Data and Content
Ownership
You retain all rights to data and content you upload to the Service. You grant us a limited license to process this data to provide the Service.
Responsibilities
You are responsible for:
- Ensuring you have the right to upload data to the Service
- The accuracy and legality of your content
- Backing up your data
- Compliance with applicable data protection laws
6. Our Confidentiality Commitment
We treat the data you enter into the Service as your confidential information. This section is our contractual promise to you about how we handle it.
What's Covered
"Your Confidential Information" means all data, files, content, and metadata you or your authorized users submit to, upload into, or generate through the Service, including without limitation:
- Policies, procedures, standards, and implementation documentation
- Evidence artifacts (reports, screenshots, configuration exports, audit attestations)
- Risk registers, assessments, and findings
- Vendor lists, assessments, and correspondence
- Incident and vulnerability records
- Knowledge-base articles and internal notes
- Questionnaire responses and answer rationale
- Employee rosters, access review data, and any personnel data uploaded
- API keys, access tokens, and system credentials stored in the platform
- Audit logs and activity data derived from the above
Our Obligations
We will:
- Keep your information confidential. We will not disclose Your Confidential Information to any third party except as strictly necessary to deliver the Service (see "Permitted Disclosures" below) or with your prior written consent.
- Not sell, rent, license, or monetize your data, ever. We make no money from your data beyond the subscription fee you pay us.
- Not use your data to train third-party AI/ML models. AI processing happens within our controlled AWS Bedrock environment using Anthropic models that, per Anthropic's API terms, do not use API inputs for model training.
- Not read, browse, or access your data for any purpose other than (a) providing the Service, (b) investigating a specific security or abuse incident affecting your tenant, or (c) responding to an explicit support request from you. Access is logged and auditable.
- Enforce tenant isolation. Each tenant's data is logically segregated at the database row level by a mandatory tenant_id filter on every query. No tenant can see or access another tenant's data through any API, UI, or support channel.
- Protect your data with commercially reasonable technical and organizational measures, including AES-256 encryption at rest, TLS 1.3 in transit, SHA-256 audit-chain integrity, multi-factor authentication options, IP allowlisting, role-based access controls, peppered bcrypt password hashing, and continuous security monitoring. See our Security page for current details.
- Use personnel bound by written confidentiality obligations materially equivalent to those in these Terms. Contractors and service providers are held to the same standard.
Permitted Disclosures
We may disclose Your Confidential Information only when and to the extent necessary to:
- Operate the Service through our vetted sub-processors (AWS, Anthropic via AWS Bedrock, Stripe). Each sub-processor is bound by a Data Processing Agreement and the same confidentiality standard. The current list is published in our Privacy Policy; we give at least 30 days' notice before adding a new sub-processor.
- Comply with a valid legal process — subpoena, court order, or other legally binding demand. We will notify you before disclosing (unless legally prohibited from doing so) and will challenge overbroad or improper requests at our expense.
- Investigate a security incident or fraud that directly involves your tenant — limited to what's necessary to contain and remediate.
- Provide the support you request (e.g., you email us asking us to look at a specific record).
We will never disclose Your Confidential Information for marketing, research, business development, training third-party AI models, or any other purpose not listed above, full stop.
Exclusions
Information is not Your Confidential Information if you can demonstrate it (a) was already publicly available without breach of these Terms; (b) was rightfully known to us before you disclosed it; (c) was independently developed by us without reference to Your Confidential Information; or (d) was lawfully received from a third party without confidentiality restrictions.
Survival
This Section 6 survives termination of these Terms. Our confidentiality obligations continue for as long as we retain Your Confidential Information and for five (5) years after final deletion, with the sole exception of trade secrets, for which confidentiality continues indefinitely.
Breach Notification
If we become aware of an actual or reasonably suspected unauthorized disclosure of Your Confidential Information, we will notify you without undue delay (and in any event within seventy-two (72) hours of discovery), provide available details of the incident, and cooperate in good faith with your investigation and any regulatory notification obligations you may have.
7. AI Features
AI-powered features are provided to assist your compliance efforts but should not be solely relied upon. You are responsible for:
- Reviewing all AI-generated content before use
- Ensuring accuracy of automated questionnaire responses
- Validating control mappings and gap analysis
- Making final decisions about your security program
AI outputs are suggestions and do not constitute professional advice.
8. Payment Terms
Fees and Billing
Pricing is available at lukagrc.com/pricing. Fees are billed in advance on a subscription basis through our payment processor, Stripe, Inc. By subscribing, you authorize us to charge your payment method for the applicable fees, including any renewals.
Auto-Renewal
Subscriptions renew automatically at the end of each billing period (monthly or yearly, as selected) at the then-current rate, unless cancelled before the renewal date. You may cancel future renewals at any time from your account's Billing settings or via the Stripe Customer Portal.
Free Trial
New accounts receive a 7-day free trial of the Professional plan. A payment method is collected at signup and will be charged at the end of the trial unless you cancel first. During the trial, AI usage is subject to reduced limits to prevent abuse. Only one free trial is permitted per company email domain.
Pay-As-You-Go Overages
Professional and Enterprise plans include pay-as-you-go billing for AI requests beyond the included monthly quota, charged per request at the rate listed on the pricing page. Overage usage is metered by Stripe and billed on your next invoice. We enforce a monthly hard cap to prevent unexpected charges; contact support to raise the cap for legitimate high-volume use.
Cancellation and Refunds
You may cancel your subscription at any time. Cancellations take effect at the end of the current billing period, and you retain access until that date. We do not offer refunds for partial periods or unused time. Metered overage fees accrued before cancellation remain due.
Failed Payments
If a payment fails, we will attempt retries per Stripe's smart retry schedule and notify you via email. If payment is not resolved within a reasonable window, access to paid features (including AI) may be paused until the account is brought current.
Taxes
Fees are exclusive of taxes. Where required by law, applicable sales or use taxes are calculated and collected by Stripe based on your billing address and added to your invoice.
Changes to Pricing
We may change pricing with 30 days' notice. Continued use after price changes constitutes acceptance. Existing subscriptions are honored at their current rate until the next renewal after the notice period.
9. Service Availability
We target 99.9% monthly uptime, measured as successful HTTP responses from the application excluding:
- Scheduled maintenance windows, announced in advance
- Emergency security patches
- Downtime caused by your acts, your integrations, or force majeure
- Upstream provider outages (AWS, CloudFront, Stripe, Anthropic) where we cannot reasonably mitigate
We may suspend your access without notice to investigate credible security or abuse concerns; we will restore access promptly once resolved. This Section is a target, not a warranty — see Section 12 for the authoritative disclaimer.
10. Intellectual Property
The Service, including all software, interfaces, designs, trademarks, compiled framework libraries, prompts, and underlying models, is owned by LukaGRC or licensed to us. You may not copy, modify, reverse-engineer, or create derivative works except as expressly permitted by these Terms or applicable law.
You retain all rights to Your Confidential Information (see Section 6). Nothing in these Terms transfers ownership of your data to us.
Feedback
If you send us product feedback, feature requests, or improvement suggestions, we may use them without restriction or compensation. This explicitly does not cover Your Confidential Information.
11. Termination
Either party may terminate these Terms at any time. You cancel by clicking "Cancel subscription" in Settings → Billing or through the Stripe customer portal. We may suspend or terminate your account if you:
- Materially breach these Terms and fail to cure within 10 days of written notice
- Fail to pay fees after reasonable notice
- Engage in fraudulent, illegal, or abusive activity
Upon any termination, you retain read-only access and the ability to export your data for thirty (30) days. After that window, we delete or anonymize Your Confidential Information within sixty (60) days, except backup copies that roll off on their normal schedule (we do not restore from backup to access your deleted data). Sections that by their nature should survive termination (including Section 6 Confidentiality, Section 10 IP, Section 12 Disclaimers, Section 13 Liability, Section 14 Indemnification, Section 15 Governing Law) do so.
12. Disclaimers
THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED. WE DISCLAIM ALL IMPLIED WARRANTIES, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
We do not warrant that the Service will meet every compliance requirement you have, that AI-generated content will be free of errors, or that the Service will be uninterrupted. Your use of compliance frameworks within the Service does not constitute legal or audit advice. You remain responsible for the correctness and sufficiency of your compliance program.
13. Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY LAW, LUKAGRC AND ITS OFFICERS, EMPLOYEES, AND AGENTS SHALL NOT BE LIABLE FOR:
- Indirect, incidental, special, consequential, or punitive damages
- Loss of profits, data, goodwill, or business opportunities
- Cost of substitute services
Our aggregate liability arising out of or related to these Terms, regardless of the form of action, shall not exceed the amount you paid us in the twelve (12) months preceding the claim. This cap does not apply to our breach of Section 6 (Confidentiality), willful misconduct, or gross negligence — for those, liability is limited to two (2) times the fees paid in the preceding 12 months, except where law prohibits any such limit.
14. Indemnification
By You
You will defend, indemnify, and hold harmless LukaGRC from third-party claims arising from (a) your breach of these Terms, (b) your data or content that infringes a third party's rights, or (c) your unlawful use of the Service.
By Us
We will defend, indemnify, and hold harmless you from third-party claims alleging that the Service, as provided by us and used in accordance with these Terms, infringes a U.S. patent, copyright, or trademark. Our obligation does not apply to claims arising from (a) your modifications to the Service, (b) your combination of the Service with products we did not supply, or (c) your continued use after we notify you of a potentially infringing version.
Indemnification requires the indemnified party to (a) promptly notify the other of the claim, (b) give the indemnifying party sole control of defense and settlement (no settlement imposes liability on the indemnified party without consent), and (c) reasonably cooperate at the indemnifying party's expense.
15. Governing Law and Disputes
These Terms are governed by the laws of the State of Florida, United States, without regard to conflict-of-laws principles. The exclusive venue for any dispute that is not subject to arbitration is the state and federal courts located in Miami-Dade County, Florida, and both parties consent to that jurisdiction.
Disputes arising from or related to these Terms will be resolved by binding arbitration administered by the American Arbitration Association (AAA) under its Commercial Arbitration Rules, with the arbitration seated in Miami-Dade County, Florida, unless the parties agree otherwise in writing. Either party may seek injunctive relief in court without waiving the right to arbitration (e.g., to stop an ongoing breach of Section 6 Confidentiality).
Class Action Waiver: To the extent permitted by law, any dispute will be brought in each party's individual capacity and not as part of a class, consolidated, or representative action.
16. Changes to Terms
We may update these Terms from time to time. For material changes, we will notify you at least thirty (30) days before the effective date via email and platform banner. Non-material updates (typo fixes, clarifying edits that do not change meaning) may take effect when posted. Continued use of the Service after the effective date constitutes acceptance. You may reject material changes by terminating under Section 11 before they take effect.
17. Contact
For questions about these Terms:
Email: hello@lukagrc.com