1. Acceptance of Terms

By accessing or using the CompliRun platform at complirun.com (the "Platform"), you agree to be bound by these Terms of Service ("Terms"), our Privacy Policy, and our Cookie Policy, which are incorporated herein by reference. If you do not agree to these Terms, do not access or use the Platform.

If you are accessing or using the Platform on behalf of a company, organization, or other legal entity ("Organization"), you represent and warrant that: (a) you have the authority to bind that Organization to these Terms; (b) you have read and understood these Terms; and (c) you agree to these Terms on behalf of the Organization. In that case, "you" and "your" refer to both you individually and the Organization. If you lack such authority, do not use the Platform.

CompliRun, Inc. ("CompliRun," "we," "us," or "our") may update these Terms from time to time. Material changes will be communicated via email or in-Platform notice at least 30 days before taking effect. Continued use of the Platform after the effective date constitutes acceptance of the revised Terms.

2. Service Description

CompliRun provides a software-as-a-service (SaaS) platform for compliance monitoring, evidence collection, and audit preparation. The Platform connects to your infrastructure and third-party systems through read-only API access and generates compliance evidence, gap reports, and readiness dashboards mapped to SOC 2 Trust Services Criteria and ISO 27001:2022 Annex A controls.

The Platform includes: infrastructure integration connectors for AWS, GCP, Azure, GitHub, Okta, Jamf, and additional supported integrations; automated evidence collection on a daily schedule; an evidence room for organizing and sharing evidence with auditors; gap detection and remediation task management; access review workflow automation; and policy document management with version control and acknowledgment tracking.

CompliRun provides a compliance enablement tool. The Platform does not provide legal, accounting, or professional compliance advice. Use of the Platform does not guarantee a specific audit outcome. Audit results depend on your auditor's independent professional judgment based on their assessment of your control environment.

3. Account Registration and Security

3.1 Account Creation

To use the Platform, you must register for an account by providing a valid work email address, creating a password, and providing your company name and billing information. You agree to provide accurate, current, and complete information during registration and to update it promptly if it changes.

3.2 Account Security

You are responsible for maintaining the security of your account credentials, including your password and any API keys or OAuth tokens generated within the Platform. You may not share your account credentials with any person outside your Organization. CompliRun recommends enabling multi-factor authentication for all accounts with access to the Platform.

You are responsible for all activity that occurs under your account, whether or not authorized by you. If you believe your account has been compromised, notify CompliRun immediately at contact@complirun.com. CompliRun is not liable for loss or damage arising from your failure to maintain account security.

3.3 User Roles and Permissions

The Platform supports multiple user roles with different permission levels: Owner (full administrative access including billing), Admin (administrative access excluding billing), Member (standard platform access), and Auditor (read-only Evidence Room access). You are responsible for assigning appropriate roles to users in your Organization and for promptly revoking access for users who no longer require it.

4. Acceptable Use

4.1 Permitted Use

You may use the Platform only for lawful compliance monitoring, evidence collection, and audit preparation purposes for systems and infrastructure that you own or are authorized to monitor on behalf of your Organization.

4.2 Prohibited Use

You may not:

  • Use the Platform to monitor systems, infrastructure, or data that you do not own or have explicit legal authorization to monitor;
  • Attempt to gain unauthorized access to other users' accounts, CompliRun's systems, or any third-party systems through the Platform;
  • Reverse engineer, decompile, disassemble, or attempt to extract the source code of the Platform;
  • Use the Platform in any way that violates applicable law, regulation, or the rights of third parties;
  • Share your account credentials, API keys, or Evidence Room access with individuals outside your Organization without CompliRun's prior written consent;
  • Use the Platform to collect, store, or process data in a manner that violates your obligations under applicable privacy laws;
  • Circumvent any rate limits, access controls, or security features of the Platform;
  • Use automated tools to scrape or extract data from the Platform in bulk beyond normal integration use.

5. Integration Authorization and Data Access

5.1 Authorization Warranty

By connecting a third-party integration to the Platform, you represent and warrant that: (a) you have the authority to grant CompliRun read-only API access to that system; (b) such access does not violate any agreement between you and the relevant third-party provider; and (c) you are authorized under applicable law to connect the integration for the purpose of compliance monitoring.

5.2 Read-Only Access

CompliRun connects to all third-party integrations through read-only access mechanisms. The Platform does not write to, modify, delete, or otherwise alter data in your infrastructure or third-party systems. If an integration requires any scope beyond read-only access due to a third-party API limitation, CompliRun will disclose this before you connect the integration.

5.3 Credential Storage

Integration credentials (API keys, OAuth refresh tokens, service account keys) provided to CompliRun are stored encrypted using AES-256. Credentials are accessible only to the automated collection systems that use them and are not accessible in plaintext to CompliRun employees. You are responsible for rotating credentials if you believe they have been compromised and for notifying CompliRun immediately in that event.

6. Data Ownership and License

6.1 Your Data

You retain full ownership of all data you provide to CompliRun or that CompliRun collects from your infrastructure integrations ("Your Data"), including all compliance evidence, configuration data, audit logs, and policy documents. CompliRun does not claim any ownership interest in Your Data.

6.2 License to Process

By using the Platform, you grant CompliRun a limited, non-exclusive, worldwide license to access, process, store, and use Your Data solely for the purpose of providing the Platform to you. CompliRun does not use Your Data for any purpose other than providing the Platform and maintaining and improving CompliRun's systems in an aggregated, anonymized form.

6.3 Data Export

You may export Your Data from the Platform at any time during your active subscription using the Platform's export features. Upon account termination, you have 30 days to export Your Data before it is deleted in accordance with our data retention policies.

7. Subscription Plans and Pricing

7.1 Available Plans

CompliRun offers the following subscription plans: Starter ($499 USD/month or $4,788 USD/year), Growth ($1,499 USD/month or $14,388 USD/year), and Enterprise (custom pricing based on scope and integrations). Plan features, integration limits, and data retention periods are described on the Pricing page at complirun.com/price.html.

7.2 Billing Cycles

Monthly subscriptions are billed on the same calendar date each month. Annual subscriptions are billed annually in advance. All fees are in US Dollars (USD). Taxes are additional where required by law and will be shown separately on your invoice.

7.3 Payment Processing

Payments are processed by Stripe, Inc. By providing payment information, you authorize CompliRun to charge the applicable subscription fee on the billing cycle applicable to your plan. You represent that you are authorized to use the payment method provided.

7.4 Upgrades and Downgrades

You may upgrade your plan at any time. Upgrades take effect immediately and are prorated based on the remaining days in your billing cycle. Downgrades take effect at the start of your next billing cycle. Downgrading from Growth to Starter reduces your data retention period; evidence data from the prior Growth plan period will be retained under the longer Growth retention period until it naturally expires.

7.5 Annual Plan Cancellations and Refunds

Annual subscriptions may be cancelled within 14 days of the annual billing date for a full refund. After 14 days, annual subscriptions are non-refundable and will remain active through the end of the annual term. Monthly subscriptions may be cancelled at any time and will remain active through the end of the current monthly billing period, after which no further charges will be made.

7.6 Failed Payments

If a payment fails, CompliRun will retry the charge and notify you by email. If payment is not received within 14 days of the failed charge, CompliRun may suspend your account access. Evidence data will be retained during the suspension period. If payment is not received within 30 days of suspension, CompliRun may terminate the account and delete data per the data retention schedule.

8. Service Level and Availability

CompliRun targets 99.5% monthly Platform availability (excluding scheduled maintenance). Availability is measured as the percentage of minutes in the calendar month during which the Platform is accessible and functional, excluding scheduled maintenance windows communicated at least 48 hours in advance via the Platform status page at status.complirun.com.

Evidence collection jobs that fail due to temporary unavailability of a third-party integration are automatically retried up to three times within the collection window. If collection cannot be completed within the window, a collection failure alert is sent to account administrators.

CompliRun does not provide a service level credit or refund for availability incidents. If you require contractual SLA commitments with financial remedies, contact us at contact@complirun.com to discuss Enterprise plan terms.

9. Intellectual Property

9.1 CompliRun Intellectual Property

The Platform, including all software, algorithms, user interface designs, documentation, and trademarks, is owned by CompliRun or its licensors and is protected by copyright, trademark, trade secret, and other intellectual property laws. Nothing in these Terms grants you any ownership interest in CompliRun's intellectual property.

9.2 Feedback

If you provide CompliRun with suggestions, feedback, or ideas about the Platform ("Feedback"), you grant CompliRun a non-exclusive, royalty-free, perpetual, irrevocable license to use, reproduce, modify, and incorporate the Feedback into the Platform and CompliRun's other products without attribution or compensation to you. You represent that any Feedback you provide does not include confidential information belonging to third parties.

10. Confidentiality

Each party may have access to confidential information of the other party in connection with these Terms. Each party agrees to hold the other's confidential information in confidence using at least the same degree of care used to protect its own confidential information, and not to disclose confidential information to third parties without prior written consent except as required by law or to provide the services contemplated by these Terms.

CompliRun's confidential information includes its pricing, product roadmap, technical architecture, and the terms of any Order Form. Your confidential information includes Your Data and the content of your Evidence Room.

11. Disclaimer of Warranties

THE PLATFORM IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. COMPLIRUN DOES NOT WARRANT THAT THE PLATFORM WILL BE UNINTERRUPTED, ERROR-FREE, OR SECURE, OR THAT DEFECTS WILL BE CORRECTED.

COMPLIRUN DOES NOT WARRANT THAT USE OF THE PLATFORM WILL RESULT IN A SUCCESSFUL SOC 2 OR ISO 27001 AUDIT OUTCOME. AUDIT RESULTS ARE DETERMINED SOLELY BY YOUR AUDITOR'S OR CERTIFICATION BODY'S INDEPENDENT PROFESSIONAL ASSESSMENT AND ARE OUTSIDE COMPLIRUN'S CONTROL.

12. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, COMPLIRUN'S AGGREGATE LIABILITY TO YOU FOR ANY CLAIMS ARISING FROM OR RELATED TO THESE TERMS OR THE PLATFORM SHALL NOT EXCEED THE TOTAL FEES PAID BY YOU TO COMPLIRUN IN THE THREE (3) MONTHS IMMEDIATELY PRECEDING THE CLAIM.

IN NO EVENT SHALL COMPLIRUN BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING LOSS OF PROFITS, LOSS OF DATA, BUSINESS INTERRUPTION, OR COST OF SUBSTITUTE SERVICES, ARISING FROM OR RELATED TO THESE TERMS OR YOUR USE OF THE PLATFORM, EVEN IF COMPLIRUN HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Some jurisdictions do not allow limitations on implied warranties or exclusions of certain damages. To the extent such laws apply, some of the above limitations may not apply to you.

13. Indemnification

You agree to indemnify, defend, and hold harmless CompliRun and its officers, directors, employees, and agents from and against any claims, liabilities, damages, losses, and expenses (including reasonable attorneys' fees) arising from: (a) your use of the Platform in violation of these Terms; (b) your violation of any applicable law or regulation; (c) your infringement of any third-party intellectual property rights; or (d) unauthorized access to or use of CompliRun's systems resulting from your failure to maintain account security.

14. Term and Termination

These Terms remain in effect for as long as you maintain an active subscription. Either party may terminate these Terms: (a) by providing 30 days' written notice to the other party; or (b) immediately upon written notice if the other party materially breaches these Terms and fails to cure such breach within 15 days of receiving written notice of the breach.

CompliRun may immediately suspend or terminate your account if you violate the Acceptable Use provisions in Section 4, or if CompliRun determines in good faith that your use of the Platform poses a security risk to CompliRun or other users.

Upon termination: (a) your right to access the Platform ceases immediately; (b) CompliRun will retain Your Data for 30 days during which you may request an export; (c) after 30 days, Your Data will be deleted per the data retention schedule.

15. Governing Law and Dispute Resolution

These Terms are governed by the laws of the Commonwealth of Massachusetts, United States, without regard to conflict of law provisions. The parties agree that the United Nations Convention on Contracts for the International Sale of Goods does not apply to these Terms.

Any dispute arising from or related to these Terms shall first be subject to good-faith negotiation between the parties for 30 days. If unresolved, disputes shall be resolved through binding arbitration administered by the American Arbitration Association under its Commercial Arbitration Rules, with the arbitration seated in Boston, Massachusetts. The arbitration shall be conducted in English. The arbitrator's decision shall be final and may be entered as a judgment in any court of competent jurisdiction.

Notwithstanding the above, either party may seek injunctive or other equitable relief in a court of competent jurisdiction to prevent irreparable harm without first participating in arbitration.

16. General Provisions

Entire Agreement: These Terms, together with the Privacy Policy, Cookie Policy, and any Order Form, constitute the entire agreement between you and CompliRun with respect to the Platform and supersede all prior agreements, understandings, and negotiations.

Severability: If any provision of these Terms is held invalid or unenforceable, the remaining provisions will remain in full force and effect, and the invalid or unenforceable provision will be modified to the minimum extent necessary to make it valid and enforceable.

Waiver: CompliRun's failure to enforce any provision of these Terms on one occasion shall not be deemed a waiver of its right to enforce the same provision in the future.

Assignment: You may not assign these Terms or any rights under them without CompliRun's prior written consent. CompliRun may assign these Terms to a successor in connection with a merger, acquisition, or sale of substantially all assets.

Force Majeure: Neither party shall be liable for failure to perform obligations under these Terms due to causes beyond their reasonable control, including natural disasters, acts of government, telecommunications failures, or third-party service outages.

17. Contact

For questions about these Terms, contact CompliRun at:

CompliRun, Inc.
Attn: Legal
500 Boylston Street
Boston, MA 02116
United States

Email: contact@complirun.com
Phone: +1 (617) 384-5029