Terms of Service

Control+S is a product of ShadeSec Inc. and Everett & Co.. ShadeSec Inc.is a federal corporation incorporated under the Canada Business Corporations Act, with its principal office at Toronto, Ontario, M6K 3N4, Canada, and is the current service provider and contracting entity for these Terms unless a separate agreement states otherwise. References to "we", "us", or "our" mean ShadeSec Inc. in that capacity, together with the team behind Control+S. References to "you" or "Customer" mean the person or organization that accesses or uses the Service.

Everett & Co. is the venture studio supporting the broader product, go-to-market, publishing, and commercialization work around the Service. ShadeSec leads the engineering and operation of the application.

By creating an account, accessing, or using the Service, you agree to these Terms. If you are accepting on behalf of an organization, you represent that you have authority to bind that organization, and "Customer" means that organization. You must be of the age of majority in your jurisdiction to use the Service.

Control+S is a compliance audit platform that helps organizations manage security frameworks, collect and store evidence, and evaluate control maturity, including with AI-assisted analysis. The Service is organized around organizations, projects, frameworks, evidence, assessments, reports, and share links.

The Service is early-stage and will change over time. We may update, enhance, limit, replace, or discontinue features, workflows, models, integrations, and preview functionality as we learn, improve the product, address security or legal needs, or respond to third-party provider changes. Where practicable, we will give reasonable notice before changes that materially affect paid production use, but some changes may take effect immediately.

You are responsible for the accuracy of the information you provide, for maintaining the confidentiality of your credentials, and for all activity that occurs under your account. Notify us promptly at contact@controls.run if you suspect unauthorized access. Organization owners and administrators are responsible for the members they invite and the permissions they grant.

Organization owners control workspace-level decisions, including member access, project setup, evidence uploads, generated reports, share links, billing configuration where available, and organization deletion. You are responsible for reviewing access before sharing sensitive evidence, assessments, or reports with members or external recipients.

The Service may be offered through trials, self-serve usage credits, paid hosted plans, or separately agreed deployed instances. AI-assisted analysis and reassessment features are metered and may consume credits or other usage-based charges as described in the Service. Deployed customer instances may also carry fixed fees or separately agreed commercial terms.

Paid plans and usage are billed through our payment provider or under a separate agreement. Unless stated otherwise, fees are non-refundable, exclusive of taxes, and quoted in the currency shown at checkout or in the applicable order. We may change prices for future billing periods with reasonable notice where practicable.

You retain all rights to the evidence, assessments, configurations, and other materials you upload or generate using the Service ("Customer Content"). We do not claim ownership of Customer Content. You grant us a limited, non-exclusive licence to host, process, transmit, and display Customer Content solely to provide, secure, maintain, troubleshoot, support, and operate the Service for you, and to comply with law. We will not use Customer Content to train generative AI models.

You are responsible for having the rights to upload Customer Content and for ensuring that its collection and use via the Service complies with applicable law.

Customer Content may include sensitive security, compliance, and operational information. Customer Content is scoped to the organization or workspace where it is uploaded and access is controlled through the Service's permission model. We do not review Customer Content except as needed to provide, secure, troubleshoot, or support the Service, comply with law, or respond to your request.

You agree not to:

• upload malware, ransomware, or any code intended to damage, disable, or interfere with any system;
• upload content that infringes third-party rights, is unlawful, or violates another person's privacy;
• attempt to reverse engineer, decompile, or bypass the Service's security, sandboxing, or rate limits;
• use the Service to build a competing product, or to benchmark it for a competing product without our prior written consent;
• resell, sublicense, or provide the Service to third parties outside your organization without a written agreement with us;
• interfere with the integrity or performance of the Service, or other users' use of it.

We may suspend or limit access if we reasonably believe you have violated this section, with notice where practicable.

Parts of the Service use artificial intelligence to analyze evidence and suggest control mappings and maturity scores. AI output is probabilistic, may contain errors, and is not a substitute for professional judgement. You are responsible for reviewing AI output before relying on it for regulatory, audit, or business decisions. We describe the AI providers and data locations we use on our Trust page.

The Service may let organization owners or authorized users create reports, customer glimpse links, auditor access links, passwords, expiry settings, or other sharing mechanisms. You are responsible for choosing what to share, configuring access appropriately, sending links only to intended recipients, and revoking access when it is no longer needed.

Each party may receive confidential information from the other. The receiving party will use confidential information only to perform under these Terms, will protect it with at least the same care it uses for its own confidential information of similar sensitivity, and will not disclose it except to personnel and advisors who need to know and who are bound to confidentiality. This section does not apply to information that is or becomes public through no fault of the receiving party, was already known without a duty of confidence, or is independently developed.

THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE", WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. WE DO NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED, ERROR-FREE, FREE FROM HARMFUL COMPONENTS, OR THAT AI-GENERATED OUTPUTS WILL BE ACCURATE OR COMPLETE. WE DO NOT PROVIDE ANY SERVICE LEVEL COMMITMENT, UPTIME COMMITMENT, OR SUPPORT RESPONSE COMMITMENT UNLESS STATED IN A SEPARATE AGREEMENT. YOU USE THE SERVICE AT YOUR OWN RISK.

TO THE FULLEST EXTENT PERMITTED BY LAW, OUR TOTAL LIABILITY TO YOU FOR ANY CLAIM ARISING FROM OR RELATING TO THESE TERMS OR THE SERVICE WILL NOT EXCEED THE GREATER OF (A) THE AMOUNTS YOU PAID US IN THE 12 MONTHS BEFORE THE EVENT GIVING RISE TO THE CLAIM, OR (B) CAD $100. IN NO EVENT WILL WE BE LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR FOR LOST PROFITS, REVENUE, DATA, OR GOODWILL.

You will defend, indemnify, and hold harmless ShadeSec Inc. and its officers, directors, and employees from and against third-party claims and related damages, costs, and reasonable lawyers' fees arising from (a) your violation of these Terms, (b) Customer Content you upload, or (c) your use of the Service in violation of law or a third party's rights.

These Terms are governed by the laws of the Province of Ontario, Canada and the federal laws of Canada applicable there, without regard to conflict-of-laws rules. The courts located in Ontario, Canada have exclusive jurisdiction over disputes arising under these Terms, and each party consents to that jurisdiction and venue.

We may update these Terms from time to time. If changes are material, we will provide notice where practicable, for example by email, in-product notice, or posting an updated version. Changes may take effect immediately where needed for legal, security, operational, provider, or preview-feature reasons. Continued use of the Service after the effective date constitutes acceptance of the updated Terms. If you do not agree, you may stop using the Service and contact us about account closure.

These Terms, together with our Privacy Policy and, where applicable, the Data Processing Agreement, are the entire agreement between you and us about the Service and supersede prior agreements on the subject. If any provision is held unenforceable, the remainder remains in effect. A waiver in one instance is not a waiver of future rights. You may not assign these Terms without our consent; we may assign them in connection with a merger, acquisition, or sale of assets. Neither party is liable for delays or failures caused by circumstances beyond its reasonable control.

Questions about these Terms can be sent to contact@controls.run or by mail to ShadeSec Inc., Toronto, Ontario, M6K 3N4, Canada.