Terms of Service

Effective date: 1 May 2026 · Last updated: 1 May 2026

These Terms of Service (the “Terms”) govern your access to and use of the TractionGRC platform and related services (the “Service”) provided by TractionGRC, Inc., a Washington corporation (“TractionGRC,” “we,” “us,” or “our”). By creating an account, accessing the Service, or clicking to accept, you agree to these Terms. If you do not agree, do not use the Service.

If you are entering into these Terms on behalf of an organization, you represent that you have authority to bind that organization. In that case, “you” means that organization.

1. Definitions

  • “Account” means a registered account on the Service.
  • “Customer Content” means any data, file, document, record, response, message, or other material you, your authorized users, or your suppliers submit to or generate within the Service, including content generated by TractionAI from your prompts.
  • “Documentation” means the user-facing documentation we make available for the Service.
  • “TractionAI” means our AI assistant feature.
  • “Order” means a paid subscription you have purchased online or under a separate ordering document.
  • “Plan” means the tier of the Service you are subscribed to (e.g., Free, Starter, Professional, Enterprise).

2. Eligibility and accounts

You must be at least 18 years old to use the Service. You must provide accurate and current account information and keep it updated. You are responsible for maintaining the confidentiality of your credentials and for all activity under your Account. Notify us immediately at security@tractiongrc.com of any unauthorized access.

3. Plans, billing, and renewal

3.1 Plans

The Service is offered in multiple Plans with different features and limits. Plan details, pricing, and usage limits are described on our pricing page or in your Order. We may change Plans, features, or pricing from time to time; changes will not affect a paid Plan during its current billing term except as expressly provided here.

3.2 Free Plan

The Free Plan is provided at no charge, subject to use limits we set. The Free Plan is provided “as is” without any service-level commitment. We may change, limit, suspend, or terminate the Free Plan, in whole or in part, at any time and without liability.

3.3 Paid plans, fees, and taxes

Paid Plans are billed in advance on the cycle stated in your Order (typically monthly or annual). Fees are stated in U.S. dollars and are exclusive of taxes; you are responsible for all applicable taxes other than taxes on TractionGRC’s net income.

3.4 Auto-renewal

Paid Plans automatically renew at the end of each subscription term for a successive term of the same length, at the then-current rate, unless either party gives written notice of non-renewal at least 30 days before the end of the current term. You may cancel auto-renewal at any time through your Account settings.

3.5 Late payment

If we do not receive payment when due, we may suspend the Service after providing notice and a reasonable opportunity to cure. Past-due amounts may accrue interest at the lesser of 1.5% per month or the maximum rate permitted by law.

3.6 Refunds

Fees are non-refundable except as expressly required by applicable law or expressly stated in your Order.

4. License to use the Service

Subject to your compliance with these Terms and timely payment of any applicable fees, TractionGRC grants you a non-exclusive, non-transferable, non-sublicensable, revocable right during your subscription term to access and use the Service for your internal business purposes.

5. The Service is not advice

The Service is a software tool. It is not a substitute for professional advice, certified auditor review, legal counsel, or independent compliance judgment.

  • Information, recommendations, scores, gap analyses, control mappings, findings, and other output produced by the Service (including by TractionAI) are informational. You are responsible for reviewing, validating, and acting on them.
  • Use of the Service does not, by itself, certify your organization against any framework (including ISO 27001, ISO 42001, SOC 2, NIST CSF, HITRUST, CMMC, SSPA, or any other), guarantee a successful audit, or establish legal compliance with any law, regulation, or contractual obligation.
  • Achieving and maintaining certification or compliance requires independent assessment by a qualified auditor or assessor and your organization’s own diligence.
  • The Service does not provide legal advice. If you need legal advice, consult a qualified attorney.

6. Acceptable use

6.1 General prohibitions

You agree not to, and not to permit any third party to:

  • Use the Service in violation of any law or third-party right.
  • Reverse engineer, decompile, or attempt to derive the source code of the Service, except to the extent expressly permitted by law.
  • Resell, sublicense, or provide the Service to a third party except as expressly authorized.
  • Circumvent or attempt to circumvent any usage limit, access control, or billing mechanism of the Service.
  • Submit content that is unlawful, infringing, defamatory, harassing, or that contains malware or other harmful code.
  • Interfere with or disrupt the Service or attempt to gain unauthorized access to any system or account.
  • Use the Service to develop a competing product, or to benchmark its performance for publication, without our prior written consent.
  • Use TractionAI or any other Service feature to generate output that infringes intellectual property, violates law, or that you intend to pass off as independently produced expert advice.

6.2 Domain and asset scanning

Some features of the Service (including the domain baseline scan and related features) query public information about domains and Internet assets. You may use these features only against domains and assets that you own or for which you have explicit, current, written authorization from the owner. Submitting a domain or asset to the Service is your representation that you have that ownership or authorization. Unauthorized scanning may violate the U.S. Computer Fraud and Abuse Act, analogous state and foreign laws, and other agreements you have with the asset owner. You are solely responsible for ensuring you have the necessary authorization. We may terminate Accounts engaged in unauthorized scanning without notice.

6.3 Cloud connectors

When you connect a third-party service to the Service (for example, Microsoft Azure or Google Workspace) through OAuth or another authorization mechanism, you represent that you are authorized to do so and that the permissions you grant during the consent flow are within the scope of your authority in that third-party service. You are responsible for the consequences of granting access on behalf of your organization. For Google Workspace specifically, the data we access, how we use it, and your right to revoke access are described in section 5 of our Privacy Policy.

7. Customer Content

7.1 Ownership

As between you and TractionGRC, you own all Customer Content. We do not claim ownership over your policies, evidence, gap analyses, supplier responses, scan results, or any other content you submit to or generate within the Service.

7.2 License to TractionGRC

You grant TractionGRC a non-exclusive, worldwide, royalty-free license to host, copy, transmit, display, and process Customer Content solely as necessary to provide, secure, and support the Service for you. This license does not include the right to use Customer Content to train AI models. Our commitment regarding AI training is set out in our Privacy Policy.

7.3 Your responsibility for Customer Content

You are responsible for the accuracy, legality, and appropriateness of Customer Content you submit, and for ensuring you have all necessary rights to submit it. If you submit personal data about other people (e.g., supplier contact details, employee information for control ownership), you represent that you have the necessary legal basis to do so and to authorize TractionGRC’s processing of it on your behalf.

7.4 Backups and export

You may export Customer Content using the export tools provided in the Service. We recommend maintaining your own backups. We are not liable for lost Customer Content except where the loss is caused by our gross negligence or willful misconduct.

8. TractionAI and AI features

The Service includes TractionAI, an AI assistant that helps draft policies, evaluate controls, generate POA&M items, and answer GRC questions. Use of TractionAI is subject to these additional terms:

  • Output is informational. TractionAI output is generated by a language model based on your prompt and your workspace context. It can be incorrect, incomplete, or out of date. You must review TractionAI output before relying on it.
  • Output is not professional advice. TractionAI does not provide legal advice, accounting advice, audit opinions, or certified assessor judgment. Output is not a substitute for review by a qualified professional or by a certified auditor.
  • You are responsible for output you adopt. If you publish, file, deliver to a customer, submit to an auditor, or otherwise act on TractionAI output, you do so as your own work product and at your own risk.
  • No training on your data. We do not use Customer Content to train any AI model. See our Privacy Policy for details.
  • Usage limits. AI usage may be subject to per-Plan rate limits or fair-use limits. We may adjust these to maintain Service availability.

9. Intellectual property

Other than Customer Content and your trademarks, TractionGRC and its licensors retain all right, title, and interest in and to the Service, including all software, models, prompts, templates, frameworks, mappings, control libraries, scoring methodologies, Documentation, and improvements. These Terms do not grant you any right in the foregoing other than the limited use rights expressly granted.

If you provide feedback or suggestions about the Service, you grant TractionGRC a perpetual, irrevocable, royalty-free, worldwide license to use that feedback for any purpose without obligation to you.

10. Privacy and security

Our processing of personal information in connection with the Service is described in our Privacy Policy, which is incorporated into these Terms by reference. If you connect a Google Workspace tenant to the Service, our use of data accessed via Google APIs is further governed by the Google API Services User Data Policy, including the Limited Use requirements, as described in section 5 of our Privacy Policy. Our standard Data Processing Addendum is available on our Trust Center; if you need a countersigned copy or a customer-specific DPA, email legal@tractiongrc.com. We maintain reasonable administrative, technical, and physical safeguards designed to protect Customer Content.

11. Service availability and support

We work to keep the Service available and reliable, but we do not commit to a specific service level except where expressly stated in your Order. Free Plans receive no service-level commitment. Starter and Professional Plans receive standard support during business hours. Enterprise customers may receive a contractual service-level commitment as set out in their Order.

12. Confidentiality

Each party may have access to the other’s non-public information (“Confidential Information”). Confidential Information of TractionGRC includes the non-public portions of the Service, pricing, and roadmap. Confidential Information of yours includes Customer Content. Each party will protect the other’s Confidential Information with at least the same care it uses to protect its own (and no less than reasonable care), use it only to perform under these Terms, and disclose it only to personnel and contractors with a need to know who are bound by confidentiality obligations no less protective than these. These obligations do not apply to information that is or becomes publicly known without breach, was independently developed without reference to the other’s information, or is required to be disclosed by law (with notice where lawful).

13. Warranties and disclaimer

We warrant that we will provide the Service in a workmanlike manner and in accordance with these Terms.

EXCEPT AS EXPRESSLY STATED IN THESE TERMS, THE SERVICE IS PROVIDED “AS IS” AND “AS AVAILABLE,” WITHOUT WARRANTY OF ANY KIND. TO THE MAXIMUM EXTENT PERMITTED BY LAW, TRACTIONGRC DISCLAIMS ALL OTHER WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND ANY WARRANTY ARISING FROM COURSE OF DEALING OR USAGE OF TRADE. WE DO NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED, ERROR-FREE, SECURE, OR THAT IT WILL MEET ANY SPECIFIC AUDIT, CERTIFICATION, OR REGULATORY STANDARD. WE DO NOT WARRANT THE ACCURACY OR RELIABILITY OF ANY AI OUTPUT.

14. Indemnification

14.1 By you

You will defend, indemnify, and hold harmless TractionGRC, its affiliates, and their respective officers, directors, employees, and agents from and against any third-party claim, and pay any damages, costs, and reasonable attorneys’ fees finally awarded against them or paid in settlement, arising from or related to: (a) your or your authorized users’ use of the Service in violation of these Terms; (b) Customer Content, including any claim that Customer Content infringes or misappropriates a third party’s rights or violates law; (c) any domain or asset scanning conducted without authorization; or (d) your actual or alleged breach of section 6 (Acceptable Use).

14.2 By TractionGRC

We will defend, indemnify, and hold you harmless from and against any third-party claim, and pay any damages, costs, and reasonable attorneys’ fees finally awarded against you or paid in settlement, alleging that the Service, used in accordance with these Terms, infringes a third party’s United States patent, copyright, or trademark. We have no obligation under this section to the extent the claim arises from (i) Customer Content, (ii) modification of the Service not made or authorized by us, (iii) use of the Service in combination with software, data, or systems not provided by us where the infringement would not have arisen but for that combination, or (iv) use after we have advised you to stop or made a non-infringing alternative available. If a claim covered by this section is made or appears likely, we may, at our option and expense, (A) procure the right for you to continue use, (B) modify or replace the Service to make it non-infringing, or (C) terminate the affected portion of the Service and refund any pre-paid unused fees. This section states our entire liability and your sole remedy for any claim of infringement.

14.3 Procedure

Each party’s indemnity obligations are conditioned on the other party (a) giving prompt written notice of the claim, (b) granting sole control of the defense and settlement (provided that the indemnifying party will not enter into any settlement that imposes liability or admission of wrongdoing on the indemnified party without consent), and (c) providing reasonable cooperation at the indemnifying party’s expense.

15. Limitation of liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW, NEITHER PARTY WILL BE LIABLE TO THE OTHER FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR FOR LOST PROFITS, LOST REVENUE, LOST BUSINESS OPPORTUNITY, OR LOSS OF DATA, ARISING OUT OF OR RELATING TO THESE TERMS OR THE SERVICE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

EACH PARTY’S TOTAL CUMULATIVE LIABILITY ARISING OUT OF OR RELATING TO THESE TERMS OR THE SERVICE WILL NOT EXCEED THE AMOUNT YOU PAID TO TRACTIONGRC FOR THE SERVICE IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM. FOR FREE-PLAN USERS WHO HAVE PAID NOTHING, EACH PARTY’S TOTAL CUMULATIVE LIABILITY WILL NOT EXCEED ONE HUNDRED U.S. DOLLARS (US$100).

These limitations apply to all claims, regardless of the theory of liability (contract, tort, statute, or otherwise) and even if a remedy fails of its essential purpose. They do not apply to (a) a party’s indemnification obligations, (b) breach of confidentiality, (c) infringement or misappropriation of the other party’s intellectual property rights, (d) fraud or willful misconduct, or (e) amounts you owe for the Service.

16. Suspension and termination

You may terminate your subscription at any time through your Account settings. Termination takes effect at the end of the then-current billing term unless we agree otherwise.

We may suspend or terminate your access to the Service if (a) you materially breach these Terms and (where the breach is curable) fail to cure within 10 days after written notice; (b) you fail to pay fees when due and the past-due amount remains unpaid 10 days after notice; (c) we reasonably believe your use of the Service exposes us or other users to legal, security, or operational risk; or (d) required by law.

We may terminate a Free Plan Account at any time, with or without notice and with or without cause.

On termination: your right to access the Service ends; we will provide a reasonable opportunity (typically up to 30 days) to export Customer Content; and we will then delete or de-identify Customer Content from production systems as described in our Privacy Policy. Sections that by their nature should survive termination will survive.

17. Governing law; disputes

These Terms are governed by the laws of the State of Washington, without regard to its conflict-of-laws principles. The United Nations Convention on Contracts for the International Sale of Goods does not apply.

[Option A — Arbitration.] Any dispute, claim, or controversy arising out of or relating to these Terms or the Service will be resolved by binding arbitration administered by the American Arbitration Association under its Commercial Arbitration Rules, before a single arbitrator, in Seattle, Washington (or by remote hearing as the arbitrator directs). Judgment on the award may be entered in any court of competent jurisdiction. Each party waives the right to bring or participate in a class, collective, or representative action. Either party may seek temporary or preliminary injunctive relief in court to protect its intellectual property or confidential information pending arbitration.

[Option B — Court.] Any dispute, claim, or controversy arising out of or relating to these Terms or the Service will be brought exclusively in the state or federal courts located in King County, Washington, and each party submits to the personal jurisdiction of those courts and waives any objection to venue. Each party waives the right to a jury trial.

18. Changes to the Terms

We may update these Terms from time to time. The “Last updated” date at the top reflects the most recent change. If a change is material, we will provide reasonable advance notice through the Service or by email. Continued use of the Service after a change becomes effective constitutes acceptance. If you do not agree to a change, you must stop using the Service before the change takes effect; for paid subscriptions, you may terminate the affected subscription and receive a pro-rata refund of pre-paid unused fees attributable to the period after the effective date of the change.

19. Notices

We may give notice through the Service, by email to your registered Account email, or by posting on our website. You may give us legal notice at:

TractionGRC, Inc.
Attn: Legal

Email: legal@tractiongrc.com

For general questions, sales, or support, please use our Contact page. The address above is for legal notices only.

20. Miscellaneous

  • Entire agreement. These Terms, together with any Order, our Privacy Policy, and any documents incorporated by reference, are the entire agreement between the parties regarding the Service and supersede all prior agreements on the subject.
  • Order of precedence. If there is a conflict between these Terms and an Order, the Order controls for the affected subscription.
  • Assignment. You may not assign these Terms without our prior written consent. We may assign these Terms to an affiliate or in connection with a merger, acquisition, or sale of all or substantially all of our assets.
  • Severability. If a provision is found unenforceable, it will be modified to the minimum extent necessary to make it enforceable, and the rest of the Terms will remain in effect.
  • No waiver. A failure to enforce a provision is not a waiver of the right to enforce it later.
  • Independent contractors. The parties are independent contractors. These Terms do not create a partnership, joint venture, agency, or employment relationship.
  • Force majeure. Neither party is liable for failure or delay in performance due to causes beyond its reasonable control, other than payment obligations.
  • Government users. The Service is “commercial computer software” and “commercial computer software documentation” under the FAR and DFARS. U.S. Government users receive only the rights set out in these Terms.
  • Export. You will comply with applicable export control and sanctions laws.