Vertirite Terms of Service

Effective 2026-05-19. This page describes the Terms applicable to use of the Vertirite marketing site and to self-serve Team-tier accounts. Any paid pilot or annual contract is governed by a counter-signed Master Services Agreement (MSA) plus the Data Processing Addendum (DPA); where this page conflicts with the MSA or DPA, those agreements govern.

1. Definitions

• Vertirite — the enterprise control plane software and hosted service operated by SurgeXi, including the broker, capability registry, approval queue, audit ledger, agent daemon (surge-agentd), certificate authority (surgexi-ca), desktop shell, web dashboard, and command-line client.
• Open Source Components — the subset of Vertirite published under the Business Source License 1.1 at github.com/SurgeXi/Vertirite.
• Hosted Service — SurgeXi-operated Vertirite tenants on SurgeXi infrastructure.
• Protected System — any customer-owned system that Vertirite governs access to.
• Operator User — a named human account authorized by Customer to configure Vertirite, register capabilities, or act on the approval queue.

2. License

Open Source Components are licensed to you under the Business Source License 1.1. The full license text governs (see LICENSE in the repository); summary: free for non-commercial use and limited commercial use up to the threshold defined in the license; converts to Apache 2.0 four years after each release. Excluded uses include offering Vertirite or any substantially similar product to third parties as a managed service. Reach out to [email protected] if your use case is unclear.

The Hosted Service is licensed on a subscription basis under the tier the Customer has purchased. Subscription fees, term, and renewal mechanics are stated in the Order Form referencing the MSA.

3. Acceptable use

Customer will not (a) attempt to bypass the mode-authority gate or the approval queue from within an AI agent or other automated caller; (b) use Vertirite to govern systems Customer does not own or have written authorization to govern; (c) reverse-engineer or republish the Hosted Service code beyond what BSL 1.1 permits; (d) use Vertirite in any unlawful manner; (e) use Vertirite to facilitate the unauthorized exfiltration of personal data; or (f) introduce malware, scrape rate-limit-exceeding traffic, or otherwise harm the Hosted Service.

4. Data and privacy

The Privacy Notice describes our data handling. The Data Processing Addendum (DPA), which is incorporated into every paid contract, governs SurgeXi’s role as a processor of Customer-controlled data. The DPA includes Standard Contractual Clauses where applicable.

5. Confidentiality

Each party will protect the other’s confidential information using at least the same degree of care it uses for its own, and not less than a reasonable standard. Pricing, capability registry contents, audit ledger contents, and pilot success criteria are confidential.

6. Warranties and disclaimers

SurgeXi warrants that the Hosted Service will substantially conform to its published documentation. Open Source Components are provided AS IS, without warranty of any kind, to the maximum extent permitted by applicable law. The Hosted Service is not a substitute for the Customer’s own security program; Vertirite governs AI actions but does not replace identity providers, EDR, SIEM, or other layers of the Customer’s defense.

7. Limitation of liability

To the maximum extent permitted by law, neither party will be liable for indirect, incidental, consequential, special, exemplary, or punitive damages, or for lost profits or revenue, arising out of these Terms. Each party’s total liability arising from these Terms will not exceed the fees Customer paid SurgeXi in the twelve months preceding the claim. This section does not limit liability for breach of the confidentiality obligations, the data-protection obligations under the DPA, fraud, willful misconduct, or amounts owed under an executed Order Form.

8. Indemnities

Each party will defend the other against third-party claims as set forth in the MSA. Where Customer is using only the marketing site or a self-serve Team-tier account without an MSA, the indemnities are limited to intellectual property claims against the Hosted Service, and Customer’s remedy is termination plus refund of pre-paid unused fees.

9. Term and termination

Self-serve Team-tier accounts may be terminated by either party for convenience on 30 days’ notice. Paid Business and Enterprise engagements follow the term stated on the Order Form. Pilot engagements are 60-day fixed-term and convert on signature of an annual Order Form. Either party may terminate for material breach uncured after 30 days’ written notice.

10. Compliance

The current compliance posture — including SOC 2 status, BAA availability, FedRAMP roadmap, and sub-processor list — is published at /marketing/vertirite/security. SurgeXi will provide a SOC 2 Type 1 attestation or "in-flight" letter to procurement on request under NDA.

11. Modifications

These Terms may be revised. Material changes will be communicated to Customer at least 30 days before they take effect for paid accounts. Continued use after the effective date is acceptance.

12. Governing law and venue

These Terms are governed by the laws of the State of Alabama, United States, without regard to conflict-of-law principles. Exclusive venue for disputes is the state and federal courts located in Jefferson County, Alabama, and both parties waive any objection to jurisdiction or venue.

13. Contact

SurgeXi Business Intelligence
Legal: [email protected]
Sales: [email protected]
Headquarters: Birmingham, Alabama, United States

This is a draft starter document prepared in advance of formal legal review. It is the operator’s opinion, not legal advice. Before any paid Vertirite contract is signed, the operative document is a counter-signed MSA plus DPA prepared in consultation with qualified counsel.