Terms & Conditions
Last updated: March 2026
1. Acceptance of Terms
By accessing or using the Evidr platform at https://evidr.com and https://console.evidr.com (the "Platform") operated by Evidr LLC ("Company," "we," "us," or "our"), you agree to be bound by these Terms and Conditions ("Terms"). If you do not agree, you must not use the Platform. These Terms apply to all visitors, users, subscribers, team members, auditors, and any other person who accesses or uses the Platform in any capacity.
These Terms constitute a legally binding agreement between you and the Company. We reserve the right to modify these Terms at any time. Material changes will be indicated by updating the "Last updated" date above. Your continued use of the Platform after changes are posted constitutes acceptance of the revised Terms. We may also notify you of material changes via email to the address associated with your account or through an in-app notification within the Evidr console.
If you are using the Platform on behalf of a legal entity, you represent and warrant that you have the authority to bind that entity to these Terms. In such cases, "you" and "your" refer to both you individually and the entity you represent. If you do not have such authority, or if the entity does not agree with these Terms, you must not accept these Terms and must not use the Platform. The individual accepting these Terms on behalf of an entity will be personally responsible for any breach if they lacked actual authority.
These Terms incorporate by reference our Privacy Policy, our Acceptable Use Policy, and any order forms, service-level documentation, or supplemental terms presented to you during onboarding or subscription. In the event of a conflict between these Terms and a supplemental agreement, the supplemental agreement will control with respect to the subject matter of that agreement.
2. Eligibility
You must be at least 16 years of age to use this Platform. By using the Platform, you represent and warrant that you are at least 16 years old and have the legal capacity to enter into these Terms. The Platform is designed for business use and is intended for organizations seeking compliance automation. Individual consumer use is not the intended purpose of this Platform.
If you are located in the European Economic Area (EEA), the United Kingdom, or another jurisdiction that sets a higher minimum age for digital services, you must meet the applicable minimum age requirement in your jurisdiction. Organizations using the Platform must ensure that all individuals they grant access to - including team members, contractors, and auditors - also meet these eligibility requirements.
You further represent that you are not located in, or a national or resident of, any country that is subject to comprehensive U.S. trade sanctions, and that you are not listed on any U.S. government list of prohibited or restricted parties. We reserve the right to verify your eligibility at any time and to refuse service to anyone at our sole discretion.
3. Service Description
Evidr is an AI-powered compliance automation platform designed to help organizations achieve, maintain, and demonstrate compliance with major regulatory frameworks and industry standards. The Platform provides a centralized workspace where teams can manage evidence, generate policies, monitor controls, and collaborate with auditors. Evidr supports multiple compliance frameworks including SOC 2 (Type I and Type II), ISO 27001, HIPAA, GDPR, PCI DSS, FedRAMP, and others as they become available.
The Platform includes the following core capabilities:
- AI-powered compliance onboarding - When you create a workspace, Evidr guides you through an intelligent onboarding flow that assesses your organization's industry, size, data handling practices, and compliance goals. Based on your responses, the Platform recommends applicable frameworks, identifies control gaps, and generates a prioritized roadmap. This onboarding process is designed to reduce the weeks of manual scoping work traditionally required at the start of a compliance program.
- Evidence collection and AI-assisted review - You can upload documents, screenshots, configuration exports, and other artifacts as compliance evidence. The Platform's AI engine analyzes each piece of evidence and assigns a confidence score indicating how well it satisfies the associated control requirement. The AI also provides specific feedback on what may be missing or how to strengthen the evidence. Evidence can be mapped to multiple controls across different frameworks simultaneously.
- Policy document generation - Evidr provides a library of customizable policy templates aligned to major frameworks. You can generate complete policy documents pre-populated with your organization's details, then edit and customize them to reflect your actual practices. Generated policies are stored within the Platform and can be exported as PDF or other standard formats.
- Continuous monitoring and reminders - The Platform tracks evidence expiry dates and sends automated reminders when evidence needs to be refreshed. Continuous monitoring dashboards provide real-time visibility into your compliance posture, including control coverage percentages, upcoming deadlines, and areas requiring attention. Integration-based evidence can be refreshed automatically on configurable schedules.
- Vendor risk management - Evidr includes tools for tracking and assessing third-party vendor risk. The Platform can perform automated web scanning of vendor domains, collect vendor security questionnaire responses, and maintain a centralized vendor inventory with risk ratings. This helps organizations satisfy vendor management requirements common across SOC 2, ISO 27001, and other frameworks.
- Integrations with cloud and SaaS providers - The Platform connects to AWS, GitHub, Google Workspace, Okta, and other services to automatically pull compliance evidence such as IAM configurations, access logs, encryption settings, and security policies. Integrations reduce manual evidence collection and enable continuous compliance monitoring.
- Team collaboration with role-based access - Workspaces support multiple team members with role-based access control. Owners have full administrative privileges, while Members can be assigned granular permissions. All activity is logged in an immutable audit trail for accountability and compliance purposes.
- Auditor access portal - You can invite external auditors to your workspace with read-only access. Auditors can review evidence, policies, and control mappings without the ability to modify any data. Auditor access can be revoked at any time by the workspace Owner.
Feature availability may vary based on your subscription plan. We continuously develop and improve the Platform, and features may be added, modified, or removed over time. We will provide reasonable notice before removing features that are material to your use of the Platform.
4. Your Account
To use the Platform, you must create an account by providing a valid email address and setting up authentication credentials. You are responsible for maintaining the confidentiality of your credentials and for all activity that occurs under your account. You agree to use strong authentication methods and to notify us immediately at [email protected] if you become aware of any unauthorized access to or use of your account.
We support WebAuthn/passkey authentication for enhanced security and strongly recommend enabling it. When passkeys are available, they provide phishing-resistant, hardware-backed authentication that significantly reduces the risk of account compromise. You are responsible for securing the devices on which your passkeys are stored. If you lose access to all registered authentication methods, you may request account recovery by contacting our support team with verification of your identity.
When you create a workspace, you become its Owner. Owners have full administrative control over the workspace, including the ability to invite and remove team members, manage integrations, control billing, and configure workspace settings. Team members invited to a workspace receive the role assigned by the Owner - either Owner or Member. You are responsible for ensuring that all individuals you invite to your workspace are authorized to access the compliance data contained within it. We recommend regularly reviewing your team roster and revoking access for individuals who no longer require it.
Sessions are managed with secure, time-limited tokens. For security purposes, sessions may expire after a period of inactivity, requiring re-authentication. We reserve the right to suspend or terminate accounts at our sole discretion for conduct that violates these Terms, poses a security risk, or is harmful to other users, third parties, or the integrity of the Platform. In the event of suspension, we will make reasonable efforts to notify you at the email address associated with your account.
5. Subscription and Billing
Evidr offers multiple subscription plans with varying feature sets, usage limits, and support levels. Current plan details and pricing are published on our pricing page at https://evidr.com. Paid plans are billed monthly or annually through our payment processor, Stripe. By subscribing to a paid plan, you authorize us to charge your designated payment method on a recurring basis at the beginning of each billing cycle.
- Free plan - The free plan provides limited access to Platform features as described on our pricing page. The free plan is offered for evaluation purposes and may be subject to usage limits, feature restrictions, or time-based availability. We reserve the right to modify, limit, or discontinue the free plan at any time without prior notice.
- Paid plans - Paid subscriptions provide access to additional features, higher limits, priority support, and other benefits as described on our pricing page. Your subscription begins on the date you successfully complete payment and continues for the duration of the billing cycle you selected (monthly or annual).
- Plan changes - You may upgrade your plan at any time. Upgrades take effect immediately, and you will be charged the prorated difference for the remainder of your current billing cycle. Downgrades take effect at the end of your current billing cycle. If a downgrade causes your usage to exceed the limits of the new plan, you may need to reduce your usage before the downgrade takes effect.
- Cancellation - You may cancel your subscription at any time through the Platform's billing settings or by contacting [email protected]. Upon cancellation, your access to paid features continues through the end of the current billing period. No refunds are provided for partial billing periods, unused time, or any reason whatsoever. All sales are final.
- Failed payments and dunning - If a payment attempt fails, we will notify you and automatically retry the charge up to three (3) times over a fourteen (14) day grace period. During this grace period, your access to the Platform will continue uninterrupted. If all retry attempts fail, your account will be downgraded to the free plan and access to paid features will be suspended. Your data will be retained for thirty (30) days following suspension, during which you may reactivate your subscription by updating your payment method.
- Taxes - All prices listed on our pricing page are exclusive of applicable taxes unless otherwise stated. You are responsible for all applicable sales tax, use tax, VAT, GST, or other similar taxes or government charges associated with your subscription. If we are required to collect taxes in your jurisdiction, they will be added to your invoice.
We reserve the right to change our pricing at any time. For existing subscribers, price changes will take effect with at least thirty (30) days' advance notice. If you do not agree with a price change, you may cancel your subscription before the new pricing takes effect. Your continued use of the Platform after the new pricing takes effect constitutes acceptance of the updated pricing.
Refund policy: Evidr does not offer refunds for any subscription payments, including but not limited to partial months, unused subscription time, plan upgrades, or annual plan payments. By subscribing, you acknowledge and agree to this no-refund policy.
6. Your Data and Evidence
You retain full ownership of all data, documents, evidence, policies, and other materials you upload to or create within the Platform ("Your Data"). Evidr LLC does not claim any ownership interest in Your Data. By uploading data, you grant us a limited, non-exclusive, worldwide license to process, store, transmit, cache, and analyze Your Data solely as necessary to provide, maintain, and improve the Services. This license terminates when Your Data is deleted from our systems.
- Storage and encryption - Your Data is encrypted at rest using AES-256 encryption and in transit using TLS 1.2 or higher. Data is stored on Amazon Web Services (AWS) infrastructure in the United States. Backup copies are maintained in geographically separate AWS regions for disaster recovery purposes and are subject to the same encryption standards.
- Access controls - Only you, your authorized team members, and auditors you explicitly invite can access Your Data through the Platform. Evidr LLC personnel do not access Your Data except (a) as necessary to provide technical support at your request, (b) to investigate security incidents or potential Terms violations, or (c) as required by law. All access by Evidr LLC personnel is logged and auditable.
- AI processing - Uploaded evidence may be processed by AI systems to provide confidence scores, compliance suggestions, and automated review. We do not use Your Data to train, fine-tune, or improve general-purpose AI models. AI processing of Your Data is performed solely to deliver the specific functionality of the Platform to your workspace.
- Sub-processors - We use a limited number of sub-processors to provide the Services, including AWS for infrastructure and hosting, Stripe for payment processing, and AI model providers for evidence analysis. A current list of sub-processors is available upon request. We maintain data processing agreements with all sub-processors that impose obligations no less protective than those in these Terms.
- Deletion - You may delete individual evidence items, policies, or other data at any time through the Platform. Deleted data is removed from active systems within 24 hours and from all backup systems within 30 days. Upon account closure or workspace deletion, all Your Data is permanently deleted within 30 days. We will provide written confirmation of data deletion upon request.
- Data return obligations - Upon termination of your subscription for any reason, you have a thirty (30) day window to export Your Data through the Platform's export functionality. After this window closes, we will permanently delete all Your Data in accordance with our deletion procedures. We are not responsible for any data loss resulting from your failure to export data within this window.
- Right to audit - Enterprise customers may request information about our data handling and security practices. We will respond to reasonable audit requests within thirty (30) days and may provide SOC 2 reports, penetration testing summaries, or other relevant documentation in lieu of on-site audits.
You are responsible for ensuring that Your Data does not contain malware, viruses, or other harmful code, and that uploading Your Data does not violate any third-party rights, including intellectual property rights, privacy rights, or contractual obligations. Our automated systems scan uploads for known malware signatures, credentials, and sensitive data patterns (such as unencrypted API keys), but these scans are provided as a convenience and you remain solely responsible for the content you upload.
You represent and warrant that you have all necessary rights, licenses, and consents to upload Your Data to the Platform and to grant us the license described above. If Your Data contains personal information of third parties, you represent that you have a lawful basis for processing that information and that your use of the Platform complies with all applicable data protection laws.
7. Data Processing Agreement
To the extent that Evidr processes personal data on your behalf that is subject to the European Union General Data Protection Regulation (GDPR), the UK GDPR, or other applicable data protection laws, the terms of this section apply. Evidr LLC acts as a data processor on behalf of the customer (the data controller) with respect to personal data uploaded to or processed within the Platform.
A standalone Data Processing Agreement (DPA) compliant with GDPR Article 28 is available upon request by contacting [email protected]. The DPA covers the subject matter and duration of processing, the nature and purpose of processing, the types of personal data processed, the categories of data subjects, and the obligations and rights of the controller and processor.
As a data processor, Evidr LLC will: (a) process personal data only on your documented instructions; (b) ensure that persons authorized to process the personal data have committed themselves to confidentiality; (c) implement appropriate technical and organizational security measures; (d) assist you in responding to data subject requests; (e) assist you in ensuring compliance with security, breach notification, and data protection impact assessment obligations; (f) at your choice, delete or return all personal data upon termination of services; and (g) make available all information necessary to demonstrate compliance with processor obligations.
The customer, as data controller, retains full responsibility for determining the lawful basis of processing, responding to data subject rights requests, and ensuring that any personal data uploaded to the Platform is collected and transferred in compliance with applicable law. Evidr LLC will promptly notify the customer if it receives a data subject access request or similar request and will not respond to such requests without the customer's written instructions unless legally compelled to do so.
8. Multi-Tenancy and Isolation
The Evidr Platform operates on a multi-tenant architecture where multiple customer workspaces share underlying infrastructure. However, strict logical isolation controls ensure that each workspace's data is completely separated from other workspaces. No customer can access, view, or interact with another customer's data under any circumstances during normal Platform operation.
Each workspace is assigned separate encryption keys for data-at-rest encryption. Database queries are scoped to individual workspace identifiers at the application layer, and our infrastructure enforces row-level security policies to prevent cross-tenant data access even in the event of application-level bugs. We conduct regular penetration testing and security audits specifically targeting tenant isolation boundaries.
While we employ robust isolation controls, you acknowledge that multi-tenant cloud architectures carry inherent shared-infrastructure risks. If your organization requires dedicated, single-tenant infrastructure, please contact [email protected] to discuss enterprise deployment options. Evidr LLC will not be liable for any data exposure resulting from vulnerabilities in shared infrastructure components, provided we have implemented industry-standard security controls.
9. Intellectual Property
All content on the Platform, including but not limited to text, source code, object code, graphics, logos, icons, images, audio clips, software, AI models, algorithms, user interface designs, compiled templates, documentation, and the compilation and arrangement thereof, is the exclusive property of Evidr LLC or its licensors and is protected by United States and international intellectual property laws, including copyright, trademark, patent, and trade secret laws.
You are granted a limited, non-exclusive, non-transferable, revocable license to access and use the Platform during your active subscription period, strictly in accordance with these Terms. This license does not include any right to:
- Copy, reproduce, distribute, publicly display, or create derivative works of the Platform or its content without prior written permission from Evidr LLC.
- Reverse engineer, decompile, disassemble, or otherwise attempt to derive the source code, algorithms, or data models of any part of the Platform.
- Use Evidr LLC's trademarks, logos, service marks, or branding in any manner without prior written consent, including in marketing materials, presentations, or public statements.
- Resell, sublicense, lease, lend, or redistribute access to the Platform to any third party, whether for compensation or otherwise.
- Remove, alter, or obscure any copyright notices, trademark notices, or other proprietary legends on the Platform.
Policy documents and other content generated by the Platform using your specific organizational data become your property upon generation. However, the underlying templates, frameworks, prompt structures, AI models, and generation methodologies used to create that content remain the exclusive intellectual property of Evidr LLC. You may use generated policy documents for your internal compliance purposes, including sharing them with auditors and regulators.
The Platform may incorporate open-source software components, which are subject to their respective open-source licenses. A list of open-source components and their licenses is available upon request. Nothing in these Terms restricts your rights under applicable open-source licenses, and nothing in applicable open-source licenses restricts Evidr LLC's rights under these Terms with respect to its proprietary components.
10. Acceptable Use
You agree to use the Platform only for its intended purpose of compliance management and automation, and in compliance with all applicable laws, regulations, and these Terms. The following activities are strictly prohibited:
- Violating any applicable local, state, national, or international law or regulation, including data protection and export control laws.
- Uploading content that is unlawful, harmful, threatening, abusive, defamatory, obscene, or otherwise objectionable.
- Attempting to gain unauthorized access to other users' accounts, workspaces, systems, or networks connected to the Platform.
- Interfering with or disrupting the Platform, its servers, or its infrastructure, including through denial-of-service attacks, packet flooding, or deliberate overloading.
- Using automated means (bots, scrapers, crawlers, spiders) to access, scrape, harvest, or extract data from the Platform, except through our documented APIs with proper authorization.
- Introducing viruses, trojans, worms, ransomware, logic bombs, or other malicious material to the Platform.
- Misrepresenting your compliance status, fabricating evidence, or using the Platform to generate fraudulent compliance documentation.
- Sharing auditor access credentials with unauthorized parties or using auditor access for purposes other than legitimate compliance auditing.
- Attempting to circumvent any usage limits, rate limits, access controls, or security measures implemented by the Platform.
- Using the Platform to store data unrelated to compliance management, such as using evidence storage as general-purpose file hosting.
- Engaging in activity that imposes an unreasonable or disproportionately large load on our infrastructure.
Evidr LLC employs automated abuse detection systems that monitor for unusual usage patterns, excessive API calls, and other indicators of misuse. If our systems detect activity that appears to violate these Terms, we may automatically rate-limit, restrict, or temporarily suspend access to your account pending investigation. We will make reasonable efforts to notify you of any automated enforcement action.
In the event of a suspected violation, Evidr LLC reserves the right to investigate and take appropriate action, including but not limited to issuing warnings, temporarily suspending access, permanently terminating accounts, removing offending content, and reporting violations to law enforcement. For non-emergency violations, we will generally provide notice and an opportunity to cure before taking permanent action. However, we reserve the right to take immediate action without prior notice if we reasonably believe that a violation poses an imminent threat to the security, integrity, or availability of the Platform or its users.
11. Prohibited Industries and Uses
The Platform may not be used by organizations or individuals engaged in illegal activities, or for purposes that would cause Evidr LLC to violate any applicable law or regulation. Without limiting the generality of the foregoing, you may not use the Platform if your organization is:
- Listed on any U.S. government sanctions list, including the Office of Foreign Assets Control (OFAC) Specially Designated Nationals (SDN) list, or equivalent lists maintained by the European Union, United Kingdom, or United Nations.
- Located in, or organized under the laws of, a country or territory subject to comprehensive U.S. economic sanctions (including Cuba, Iran, North Korea, Syria, and the Crimea, Donetsk, and Luhansk regions).
- Engaged in the development, production, stockpiling, or use of weapons of mass destruction, including nuclear, chemical, or biological weapons.
- Engaged in activities that would cause Evidr LLC to violate U.S. Export Administration Regulations (EAR) or International Traffic in Arms Regulations (ITAR).
You represent and warrant that your use of the Platform will comply with all applicable export control laws and that you will not use the Platform to process, store, or transmit data in violation of any export restrictions. If Evidr LLC determines that you are using the Platform in violation of this section, we will terminate your account immediately without notice or refund.
12. AI-Generated Content
The Platform uses artificial intelligence and machine learning technologies to generate policy documents, review evidence, assign confidence scores, provide compliance recommendations, and automate various aspects of the compliance management process. AI is a core component of Evidr's value proposition, and you should understand the capabilities and limitations described in this section before relying on AI-generated output.
You acknowledge and agree that:
- AI-generated content, including policy documents, recommendations, and evidence assessments, is provided as a starting point and informational aid. All AI output should be reviewed, validated, and where appropriate customized by qualified compliance professionals before use in any official capacity.
- AI confidence scores are advisory indicators based on pattern matching and learned compliance criteria. They do not constitute a guarantee, certification, or professional opinion that any particular piece of evidence will satisfy an auditor or regulatory body.
- Evidr does not provide legal advice, accounting advice, or professional compliance consulting services. The Platform is a software tool, and its outputs are not a substitute for professional judgment.
- You are solely responsible for verifying the accuracy, completeness, and appropriateness of all AI-generated content before relying on it, submitting it to auditors, or presenting it to regulators.
- AI-generated policy documents are based on templates and your organizational inputs. They should be carefully reviewed and customized to accurately reflect your organization's actual practices, controls, and operating environment. Adopting a generated policy without review may result in inaccurate compliance documentation.
- AI technology is evolving rapidly and may occasionally produce inaccurate, incomplete, or inconsistent output. Evidr LLC does not warrant that AI-generated content will be error-free or suitable for any specific purpose.
Evidr LLC continually works to improve the accuracy and reliability of its AI systems, but you acknowledge that no AI system is perfect. You assume all risk associated with your use of and reliance on AI-generated content provided through the Platform.
13. Integrations
The Platform allows you to connect third-party services - including but not limited to AWS, GitHub, Google Workspace, Okta, Jira, and Slack - to automatically pull compliance evidence and configuration data. Integrations are a key feature of Evidr's continuous compliance monitoring capabilities. By connecting an integration, you authorize Evidr LLC to access the connected service on your behalf within the scope described in our integration documentation.
- You authorize us to access the connected third-party service using the credentials, API keys, OAuth tokens, or other authentication mechanisms you provide. We access only the data and endpoints specified in our integration documentation.
- You are responsible for maintaining valid credentials and ensuring that the permissions granted to the Evidr integration are appropriate and follow the principle of least privilege. If credentials expire or are revoked, the integration will stop functioning until new credentials are provided.
- We only access data necessary to pull compliance evidence, assess security configurations, and provide the monitoring functionality described in our documentation. We do not modify, delete, or write data to connected services unless a specific integration feature explicitly requires it and you have granted write permissions.
- You may disconnect any integration at any time through the Platform. Disconnecting an integration stops all future data collection from that service. Evidence previously collected through the integration remains in your workspace until you delete it.
- Third-party services are operated by independent companies with their own terms of service and privacy policies. Evidr LLC is not responsible for the availability, accuracy, or security of third-party services or the data obtained through them.
You are solely responsible for ensuring that connecting a third-party service to Evidr complies with the terms of service of that third-party service and with any internal policies of your organization regarding third-party access to your systems.
14. API and Integration Terms
Evidr may provide application programming interfaces (APIs) that allow you to programmatically interact with the Platform. Access to APIs is subject to your subscription plan and the additional terms in this section. API documentation, if available, is incorporated into these Terms by reference.
- Rate limits - API access is subject to rate limits that vary by subscription plan. Rate limits are designed to ensure fair use and Platform stability. Current rate limits are documented in our API documentation. If you exceed rate limits, your requests may be throttled or temporarily rejected. Persistent or intentional rate limit abuse may result in API access suspension.
- Fair use - API access is provided for legitimate compliance management automation and integration purposes. You agree to use APIs only for their intended purpose and not to impose an unreasonable burden on our infrastructure.
- No scraping - You may not use the API or any other automated means to systematically extract, harvest, or copy data from the Platform for any purpose other than managing your own workspace data in accordance with these Terms.
- Credential security - API keys and tokens are sensitive credentials. You are solely responsible for keeping them secure and for all activity that occurs using your API credentials. Do not embed API keys in client-side code, public repositories, or other locations where they may be exposed. Rotate credentials immediately if you suspect they have been compromised.
- Changes and deprecation - We may modify, deprecate, or discontinue API endpoints with reasonable notice. We will make commercially reasonable efforts to maintain backward compatibility and to provide migration guidance when breaking changes are necessary.
Evidr LLC reserves the right to suspend or revoke API access at any time if we determine that your usage pattern violates these Terms, poses a security risk, or adversely impacts Platform performance for other users.
15. Auditor Access Terms
The Platform allows workspace Owners to invite external auditors to access the workspace for the purpose of conducting compliance audits. Auditor access is governed by the following terms:
- Read-only access - Auditors receive strictly read-only access to the workspace. They can view evidence, policies, control mappings, and audit trails but cannot create, modify, or delete any data within the workspace.
- Customer controls access - The workspace Owner retains full control over auditor access. The Owner decides which auditors to invite, can revoke access at any time, and is responsible for ensuring that only authorized auditors are granted access. Evidr LLC does not independently verify auditor credentials or certifications.
- Customer responsibility for auditor actions - You are responsible for the actions of any auditor you invite to your workspace. This includes ensuring that the auditor complies with these Terms, maintains the confidentiality of information accessed through the Platform, and uses the access only for legitimate auditing purposes.
- No liability for auditor actions - Evidr LLC is not liable for any actions taken by auditors within the Platform, including but not limited to misuse of information, unauthorized sharing of evidence, or any opinions, conclusions, or findings the auditor may reach based on information accessed through the Platform.
- Auditor credential management - The customer is solely responsible for managing auditor credentials, including ensuring that auditor access is revoked when the audit engagement ends. Evidr LLC recommends revoking auditor access promptly upon completion of each audit cycle.
Evidr LLC does not participate in, influence, or bear any responsibility for the audit process itself. The Platform is a tool that facilitates information sharing between organizations and their auditors, and the results of any audit are entirely between you and your auditor.
16. Service Level and Availability
Evidr LLC targets 99.9% uptime for the Evidr Platform, measured on a monthly basis. This is an operational target and not a guaranteed service level agreement (SLA) unless you have a separate written SLA with Evidr LLC. We invest significant engineering effort into reliability, redundancy, and disaster recovery, but we do not warrant that the Platform will be available without interruption.
Scheduled maintenance windows are typically performed during off-peak hours (between 2:00 AM and 6:00 AM Eastern Time on weekends) and will be announced at least 48 hours in advance via our status page and, for extended maintenance, via email notification. Emergency maintenance required to address security vulnerabilities or critical bugs may be performed without advance notice.
Current Platform status and historical uptime data are available at our status page. We recommend subscribing to status page notifications for real-time updates on any service disruptions. In the event of unplanned downtime, we will post updates to the status page and work diligently to restore service as quickly as possible.
Evidr LLC shall not be liable for any damages, losses, or costs arising from Platform downtime, whether planned or unplanned. This includes but is not limited to lost revenue, missed audit deadlines, regulatory penalties, or any other consequential damages. If you require contractual uptime guarantees with financial remedies, please contact [email protected] to discuss enterprise SLA options.
17. Export and Portability
Evidr is committed to data portability. You may export your data from the Platform at any time during your active subscription. Export functionality is accessible through the Platform's interface and includes the ability to download evidence files, policy documents, control mappings, and workspace configuration data.
- Available formats - Evidence files are exported in their original uploaded format. Policy documents are available as PDF. Structured data such as control mappings, vendor assessments, and compliance status reports are available as CSV or JSON.
- Completeness - The export functionality is designed to provide a complete copy of Your Data. This includes all uploaded evidence, generated policies, control configurations, compliance notes, and audit trail records associated with your workspace.
- Post-termination export - After your subscription ends - whether through cancellation, expiration, or termination - you have a thirty (30) day window to access the Platform in a read-only capacity for the sole purpose of exporting Your Data. After this 30-day window, all Your Data will be permanently deleted in accordance with our data deletion procedures and cannot be recovered.
- No vendor lock-in - We believe your compliance data belongs to you. We will not impose technical barriers to exporting your data, and we will maintain export functionality as a core feature of the Platform. However, certain Platform-specific metadata (such as AI confidence scores and internal identifiers) may not be meaningful outside the context of Evidr.
If you need assistance with data export or require a custom export format, please contact [email protected]. For enterprise customers, we can provide direct database export or API-based bulk export options upon request.
18. Third-Party Links
The Platform may contain links to third-party websites, services, or resources not owned or controlled by Evidr LLC. We have no control over and assume no responsibility for the content, privacy policies, terms of service, or practices of any third-party sites or services. We do not endorse or make any representations about the accuracy, reliability, or completeness of content on third-party sites.
You acknowledge and agree that Evidr LLC shall not be responsible or liable, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any content, goods, or services available on or through any third-party sites or services. We strongly recommend reviewing the terms and privacy policies of any third-party site you visit.
19. Privacy
Your use of the Platform is also governed by our Privacy Policy, which is incorporated into these Terms by reference. The Privacy Policy describes how we collect, use, store, and share your personal information and usage data. By using the Platform, you consent to the practices described in the Privacy Policy.
We are committed to protecting your privacy and handling your data responsibly. If you have questions about our data practices or wish to exercise your rights under applicable data protection laws, please contact us at [email protected].
20. Compliance Disclaimer
Evidr is a software tool designed to assist organizations with compliance management and automation. It is critical that you understand the following:
- Evidr does not guarantee audit outcomes. Using the Platform does not guarantee that you will pass any audit, achieve any certification, or satisfy any regulatory requirement. Audit outcomes depend on many factors beyond the Platform's control, including the adequacy of your actual security controls, the completeness of your evidence, the judgment of individual auditors, and the specific requirements of your regulatory environment.
- Evidr does not provide legal or professional advice. The Platform, including all AI-generated content, policy templates, recommendations, and compliance assessments, is not a substitute for qualified legal counsel, certified public accountants, or professional compliance consultants. You should consult with qualified professionals before making compliance decisions that could have legal or regulatory consequences.
- Customer retains full responsibility. You are solely responsible for your organization's compliance posture, the accuracy of your evidence, the completeness of your controls, and the truthfulness of any representations you make to auditors or regulators. Evidr provides tools to help you organize and manage compliance activities, but the ultimate responsibility for compliance remains with you.
- Framework coverage is not exhaustive. While Evidr supports major frameworks such as SOC 2, ISO 27001, HIPAA, GDPR, PCI DSS, and FedRAMP, our control mappings and templates may not cover every requirement of every framework version in every jurisdiction. You should verify that the Platform's framework coverage is sufficient for your specific needs.
Evidr LLC expressly disclaims any and all liability for compliance failures, failed audits, regulatory penalties, fines, legal actions, or any other adverse outcomes related to your compliance program, even if you used the Platform diligently and followed all of its recommendations.
21. Disclaimers
THE PLATFORM AND ALL CONTENT, MATERIALS, FEATURES, AI-GENERATED OUTPUT, AND SERVICES ARE PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED. YOUR USE OF THE PLATFORM IS AT YOUR SOLE RISK.
TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, Evidr LLC DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, ACCURACY, RELIABILITY, COMPLETENESS, AND ANY WARRANTIES ARISING FROM COURSE OF DEALING OR USAGE OF TRADE.
WITHOUT LIMITING THE FOREGOING, Evidr LLC MAKES NO WARRANTY THAT: (A) THE PLATFORM WILL MEET YOUR REQUIREMENTS OR EXPECTATIONS; (B) THE PLATFORM WILL BE UNINTERRUPTED, TIMELY, SECURE, OR ERROR-FREE; (C) THE RESULTS OBTAINED FROM USE OF THE PLATFORM WILL BE ACCURATE, RELIABLE, OR COMPLETE; (D) ANY ERRORS OR DEFECTS IN THE PLATFORM WILL BE CORRECTED; (E) AI-GENERATED CONTENT WILL BE ACCURATE, APPROPRIATE, OR SUITABLE FOR YOUR PURPOSES; OR (F) THE PLATFORM WILL BE COMPATIBLE WITH ANY PARTICULAR HARDWARE, SOFTWARE, OR NETWORK CONFIGURATION.
Evidr IS A COMPLIANCE AUTOMATION TOOL AND DOES NOT GUARANTEE THAT YOU WILL PASS ANY AUDIT, ACHIEVE ANY CERTIFICATION, OR MEET ANY SPECIFIC COMPLIANCE REQUIREMENT. COMPLIANCE OUTCOMES DEPEND ON MANY FACTORS BEYOND THE PLATFORM'S CONTROL, INCLUDING YOUR ACTUAL SECURITY CONTROLS, THE ACCURACY OF YOUR EVIDENCE, AUDITOR JUDGMENT, AND REGULATORY CHANGES. NO INFORMATION OR ADVICE OBTAINED THROUGH THE PLATFORM SHALL CREATE ANY WARRANTY NOT EXPRESSLY STATED IN THESE TERMS.
SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES. IN SUCH JURISDICTIONS, THE ABOVE EXCLUSIONS MAY NOT APPLY TO YOU. IN THAT CASE, IMPLIED WARRANTIES ARE LIMITED TO THE MINIMUM PERIOD REQUIRED BY APPLICABLE LAW.
22. Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL Evidr LLC, ITS OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, CONTRACTORS, LICENSORS, OR AFFILIATES BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR ANY LOSS OF PROFITS, REVENUE, DATA, GOODWILL, BUSINESS OPPORTUNITIES, OR ANTICIPATED SAVINGS, ARISING OUT OF OR RELATED TO YOUR USE OF OR INABILITY TO USE THE PLATFORM, REGARDLESS OF THE THEORY OF LIABILITY (CONTRACT, TORT, STRICT LIABILITY, OR OTHERWISE) AND EVEN IF Evidr LLC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
WITHOUT LIMITING THE FOREGOING, Evidr LLC SHALL NOT BE LIABLE FOR: (A) FAILED AUDITS OR COMPLIANCE FAILURES; (B) REGULATORY FINES, PENALTIES, OR ENFORCEMENT ACTIONS; (C) LOSS OR CORRUPTION OF YOUR DATA; (D) UNAUTHORIZED ACCESS TO YOUR ACCOUNT RESULTING FROM YOUR FAILURE TO MAINTAIN CREDENTIAL SECURITY; (E) ACTIONS OR OMISSIONS OF AUDITORS YOU INVITE TO THE PLATFORM; (F) DOWNTIME, SERVICE INTERRUPTIONS, OR DATA LOSS; (G) INACCURACIES IN AI-GENERATED CONTENT; OR (H) ANY THIRD-PARTY CLAIMS ARISING FROM YOUR USE OF THE PLATFORM.
IN NO EVENT SHALL THE TOTAL AGGREGATE LIABILITY OF Evidr LLC FOR ALL CLAIMS ARISING OUT OF OR RELATED TO THESE TERMS OR YOUR USE OF THE PLATFORM EXCEED THE GREATER OF: (A) ONE HUNDRED U.S. DOLLARS ($100.00); OR (B) THE TOTAL AMOUNT YOU ACTUALLY PAID TO Evidr LLC IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM.
THE LIMITATIONS IN THIS SECTION APPLY REGARDLESS OF WHETHER THE ALLEGED LIABILITY IS BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY, OR ANY OTHER BASIS, AND EVEN IF A REMEDY SET FORTH IN THESE TERMS IS FOUND TO HAVE FAILED ITS ESSENTIAL PURPOSE. SOME JURISDICTIONS DO NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATIONS MAY NOT APPLY TO YOU IN THEIR ENTIRETY. IN SUCH JURISDICTIONS, Evidr LLC'S LIABILITY SHALL BE LIMITED TO THE FULLEST EXTENT PERMITTED BY LAW.
23. Indemnification
You agree to indemnify, defend, and hold harmless Evidr LLC and its officers, directors, employees, agents, licensors, and affiliates from and against any and all claims, liabilities, damages, losses, costs, and expenses (including reasonable attorneys' fees and court costs) arising out of or related to: (a) your use of or access to the Platform; (b) your violation of these Terms or any applicable law or regulation; (c) your violation of any third-party rights, including intellectual property, privacy, or contractual rights; (d) any content you upload to or generate through the Platform; (e) your misrepresentation of compliance status or fabrication of evidence; or (f) the actions of any auditor or third party you grant access to through your workspace.
Evidr LLC reserves the right, at your expense, to assume the exclusive defense and control of any matter for which you are required to indemnify us, and you agree to cooperate with our defense of such claims. You agree not to settle any such claim without Evidr LLC's prior written consent.
24. Dispute Resolution
Any dispute, controversy, or claim arising out of or relating to these Terms, or the breach, termination, or invalidity thereof, shall first be resolved through good-faith negotiation between the parties for a period of at least thirty (30) days following written notice of the dispute. Notices should be sent to [email protected].
If the dispute cannot be resolved through negotiation within the 30-day period, it shall be submitted to final and binding arbitration administered by the American Arbitration Association (AAA) in accordance with its Commercial Arbitration Rules. The arbitration shall take place in New York County, New York. The arbitrator's award shall be final and binding and may be entered as a judgment in any court of competent jurisdiction.
YOU AND Evidr LLC AGREE THAT DISPUTE RESOLUTION WILL BE CONDUCTED ONLY ON AN INDIVIDUAL BASIS AND NOT IN A CLASS, CONSOLIDATED, OR REPRESENTATIVE ACTION. YOU WAIVE YOUR RIGHT TO PARTICIPATE IN OR BRING A CLASS ACTION LAWSUIT, CLASS-WIDE ARBITRATION, OR ANY CONSOLIDATED OR REPRESENTATIVE PROCEEDING AGAINST Evidr LLC. If this class action waiver is found to be unenforceable, then the entirety of this arbitration provision shall be null and void.
Notwithstanding the above, either party may seek injunctive or other equitable relief in any court of competent jurisdiction to prevent the actual or threatened infringement, misappropriation, or violation of intellectual property rights, confidentiality obligations, or data security requirements.
25. Governing Law
These Terms shall be governed by and construed in accordance with the laws of the State of New York, United States, without regard to its conflict of law provisions. Any legal action or proceeding not subject to the arbitration provisions above shall be brought exclusively in the state or federal courts located in New York County, New York, and you consent to the personal jurisdiction and venue of such courts.
The United Nations Convention on Contracts for the International Sale of Goods (CISG) does not apply to these Terms. If you are located outside the United States, you agree that these Terms are governed by New York law and that any disputes will be resolved in accordance with the dispute resolution procedures set forth in these Terms.
26. Force Majeure
Evidr LLC shall not be liable for any failure or delay in performing its obligations under these Terms where such failure or delay results from circumstances beyond its reasonable control. Force majeure events include, but are not limited to, natural disasters, pandemics, epidemics, acts of war or terrorism, civil unrest, government actions or orders, power failures, telecommunications failures, internet service disruptions, cyberattacks (including distributed denial-of-service attacks), failures of third-party hosting providers, and supply chain disruptions.
In the event of a force majeure event, Evidr LLC will make commercially reasonable efforts to resume performance as soon as practicable and will keep affected customers informed of the status and expected duration of the disruption. If a force majeure event prevents Evidr LLC from performing its obligations for more than sixty (60) consecutive days, either party may terminate the affected subscription upon written notice.
27. Feedback and Suggestions
If you provide Evidr LLC with any feedback, suggestions, ideas, feature requests, improvements, or other recommendations regarding the Platform ("Feedback"), you hereby grant Evidr LLC an unrestricted, irrevocable, perpetual, royalty-free, worldwide license to use, modify, distribute, incorporate, and otherwise exploit such Feedback for any purpose, without attribution, compensation, or obligation to you.
You acknowledge that Evidr LLC is under no obligation to implement any Feedback, and that Feedback may be similar to ideas or features already in development or received from other sources. Evidr LLC will not be restricted from using, developing, or marketing products or features that are similar to or competitive with any Feedback you provide.
By submitting Feedback, you represent and warrant that you have the right to grant the license above and that your Feedback does not infringe any third-party rights.
28. Severability
If any provision of these Terms is held by a court of competent jurisdiction to be invalid, illegal, or unenforceable, such invalidity, illegality, or unenforceability shall not affect any other provision of these Terms, which shall remain in full force and effect. The invalid or unenforceable provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving the original intent of the parties to the greatest extent possible.
The failure of Evidr LLC to enforce any right or provision of these Terms shall not constitute a waiver of such right or provision. No waiver of any term shall be deemed a further or continuing waiver of such term or any other term.
29. Entire Agreement
These Terms, together with our Privacy Policy, any applicable Data Processing Agreement, and any order forms or supplemental terms you have agreed to, constitute the entire agreement between you and Evidr LLC with respect to your use of the Platform. These Terms supersede all prior and contemporaneous written or oral communications, negotiations, proposals, representations, and agreements relating to the Platform.
No amendment or modification of these Terms shall be binding unless made in writing and signed by Evidr LLC, except that Evidr LLC may update these Terms by posting revised Terms to the Platform as described in the "Changes to These Terms" section below. Any terms and conditions in a purchase order or other document submitted by you that conflict with or are in addition to these Terms are hereby rejected and shall have no force or effect.
30. Changes to These Terms
We reserve the right to modify, update, or replace these Terms at any time at our sole discretion. When we make material changes, we will update the "Last updated" date at the top of this page and may notify you via email or through an in-app notification. We encourage you to review these Terms periodically.
Material changes will not apply retroactively and will become effective no sooner than fourteen (14) days after posting, except for changes addressing legal requirements, which may take effect immediately. Your continued use of the Platform after the effective date of any changes constitutes your acceptance of the revised Terms. If you do not agree with the revised Terms, you must stop using the Platform and may cancel your subscription in accordance with the cancellation provisions above.
31. Contact Information
If you have questions, concerns, or requests regarding these Terms, our privacy practices, or any other legal matter, please contact us:
- Email: [email protected]
- Company: Evidr LLC
- Product: Evidr
- Website: https://evidr.com
- Console: https://console.evidr.com
- Location: New York, New York, United States
We aim to respond to all inquiries within five (5) business days. For urgent security matters, please include "URGENT" in your email subject line.
