Interim terms — under legal review. This document is a working draft prepared by the operator and has not yet been reviewed by qualified legal counsel. Cipher One Tech LLC reserves the right to revise these terms in their entirety at any time. By using the Service during this period, you acknowledge the terms are interim and may change without notice until the final reviewed version is published.

Terms of Service

Effective date: May 13, 2026 · Last updated: May 13, 2026

These Terms of Service ("Terms") form a binding agreement between Cipher One Tech LLC ("Cipher One", "we", "us") and the entity or individual ("Customer", "you") who accesses or uses Readyline GRC (the "Service"), whether through a free trial, paid subscription, or any other means. By creating an account, accessing the Service, or accepting these Terms during signup, you agree to be bound by them. If you do not agree, you must not use the Service.

1. The Service

Readyline GRC is a self-serve software-as-a-service platform that helps organizations pursuing compliance with the U.S. Department of Defense Cybersecurity Maturity Model Certification (CMMC) framework, NIST SP 800-171 Revision 2, and FAR 52.204-21 Basic Safeguarding requirements perform self-assessments, manage evidence artifacts, track Plans of Action & Milestones (POA&Ms), and generate System Security Plan (SSP) exports. The Service is a documentation and workflow tool only. It is not a certifying body, an authorized assessor, or a substitute for an assessment performed by a CMMC Certified Third-Party Assessor Organization (C3PAO).

2. Critical: Controlled Unclassified Information (CUI)

Readyline GRC is not authorized to store, process, or transmit Controlled Unclassified Information (CUI). The Service does not operate within a FedRAMP Moderate, FedRAMP High, DoD Impact Level 4, DoD Impact Level 5, or DoD Impact Level 6 boundary. The Service does not currently hold any authorization to handle CUI as defined under 32 CFR Part 2002 or implementing DoD policy.

You agree that you will not upload, paste, type, or otherwise transmit any CUI, classified information, controlled technical data, export-controlled information (ITAR / EAR), Personally Identifiable Information (PII) of third parties, Protected Health Information (PHI), or other sensitive regulated data into the Service. The Service is intended for non-sensitive compliance artifacts only — for example policies, procedures, screenshots of configurations, training records, organization charts, vendor questionnaires, and similar materials.

You upload such material at your own sole risk. Cipher One disclaims all liability for any consequences — regulatory, contractual, financial, reputational, or otherwise — arising from your decision to upload prohibited material in violation of this Section. If we discover that prohibited material has been uploaded, we may remove it, suspend your account, and notify the appropriate authorities.

You acknowledge that every upload surface in the Service displays an advisory notice and requires you to affirmatively check a box confirming that the file does not contain CUI. That acknowledgment is recorded in your tenant's audit log with a timestamp. Repeated affirmations of non-CUI status when CUI is in fact uploaded constitute material breach of these Terms.

3. Account & Registration

To use the Service you must create an account by providing an organization name, your name, a valid work email address, and a password. You agree to:

Provide accurate, current, and complete information.
Maintain the security of your password and accept all risks of unauthorized access using your credentials.
Enroll in the Service's mandatory two-factor authentication (2FA) on first login and keep your authenticator app and recovery codes secure.
Promptly notify Cipher One at hello@readylinegrc.com if you suspect your account has been compromised.

You must be at least 18 years old and authorized to bind your organization to these Terms. The first user to create an account for an organization (a "Tenant") becomes the Tenant administrator until access is reassigned through the Service.

4. Free Trial & Subscriptions

Cipher One may offer a free trial period (the "Trial") during which full access to paid features is provided at no charge and without requiring a payment method. The Trial is currently 14 days, measured from account creation. We may change the Trial duration or terminate the Trial program at any time.

Upon Trial expiration, continued access requires a paid subscription. Subscription terms — including pricing, billing cycle, renewal behavior, refund policy, and cancellation rights — will be presented to you at the point of purchase and form part of these Terms by reference. You are responsible for all applicable taxes unless otherwise stated.

Cipher One may modify subscription pricing with thirty (30) days' written notice (sent to the Tenant administrator's email of record). Continued use of the Service after the effective date of a price change constitutes acceptance.

5. Customer Data

"Customer Data" means content, files, evidence artifacts, assessment responses, POA&M entries, and other information you submit to the Service. As between you and Cipher One:

Ownership. You retain all rights, title, and interest in Customer Data.
License to operate. You grant Cipher One a worldwide, non-exclusive, royalty-free license to host, copy, transmit, display, and process Customer Data solely as necessary to provide the Service to you, perform backups, prevent abuse, and respond to lawful requests.
No use for AI training. Cipher One will not use Customer Data to train machine learning or generative AI models, whether our own or those of third parties.
Aggregated metrics. We may collect anonymized, aggregated usage metrics (e.g., total POA&M items created across all tenants) for product improvement and capacity planning. Such metrics are not Customer Data.
Export. You may export your Customer Data at any time during your subscription using the in-product CSV and PDF export functions, or by contacting support for a bulk export.

6. Acceptable Use

You agree not to, and not to permit any person to:

Upload prohibited material as defined in Section 2 (CUI, classified, ITAR/EAR, third-party PII/PHI, etc.).
Reverse engineer, decompile, or attempt to extract the source code of the Service.
Probe, scan, or test the vulnerability of any system or network without prior written authorization from Cipher One.
Use the Service to transmit malware, spam, or unsolicited commercial messages.
Interfere with or disrupt the integrity or performance of the Service or the data contained therein.
Attempt to gain unauthorized access to any part of the Service, accounts other than your own, or any related systems.
Use the Service to violate any applicable law, regulation, or third-party right.
Resell, sublicense, lease, or commercially exploit the Service except as expressly permitted under a separate written agreement with Cipher One.

We may suspend or terminate accounts that violate this Section without prior notice and without refund.

7. Security

Cipher One implements commercially reasonable administrative, physical, and technical safeguards designed to protect the confidentiality and integrity of Customer Data, including but not limited to:

Mandatory two-factor authentication (TOTP) for all user accounts.
Per-tenant database and filesystem isolation — your tenant data is stored in a dedicated MySQL database with a dedicated database user.
Encryption of data in transit via TLS 1.2 or higher.
An immutable, append-only audit log of significant actions in your tenant.
Email notifications on novel sign-ins from previously unseen IP addresses.

However: the Service has not been independently audited against FedRAMP, SOC 2, ISO 27001, or any other formal security framework as of the effective date of these Terms. We do not represent or warrant that the Service meets any specific regulatory or certification standard. See Section 11 (Disclaimers).

8. Compliance Disclaimer

The Service does not provide legal advice or guaranteed compliance. Marking a control as "Implemented" within the Service is a self-attestation by you or your designated user. It is not a determination of compliance under CMMC, NIST SP 800-171, FAR 52.204-21, or any other framework. A formal compliance determination requires:

For CMMC Level 1: an annual self-assessment with executive certification per 32 CFR 170.16.
For CMMC Level 2 (certification): an assessment by a CMMC Certified Third-Party Assessor Organization (C3PAO).
For CMMC Level 3: an assessment by the Defense Contract Management Agency Defense Industrial Base Cybersecurity Assessment Center (DCMA DIBCAC).

Use of Readyline GRC may help you organize evidence and prepare for these assessments, but it does not replace them. You are solely responsible for the accuracy of your self-attestations and any external assessments.

9. Intellectual Property

The Service, including all software, designs, logos, documentation, and other materials provided by Cipher One, is the exclusive property of Cipher One Tech LLC and its licensors and is protected by U.S. and international copyright, trademark, and other intellectual property laws. No rights are granted to you except the limited license to use the Service in accordance with these Terms.

"Readyline GRC", "Cipher One Tech", and the Readyline logo are trademarks of Cipher One Tech LLC. You may not use them without prior written consent except as required to identify the Service in your own compliance documentation.

10. Termination

Either party may terminate these Terms by closing the Customer's account at any time. Upon termination:

Your access to the Service will be revoked.
You may export your Customer Data for thirty (30) days following termination upon written request to hello@readylinegrc.com.
After the export window, Customer Data will be permanently deleted from active systems within ninety (90) days, subject to retention obligations under applicable law.
Sections 5 (Customer Data, ownership clauses), 9 (Intellectual Property), 11 (Disclaimers), 12 (Limitation of Liability), 13 (Indemnification), and 14 (Governing Law) survive termination.

11. Disclaimer of Warranties

THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, ACCURACY, RELIABILITY, OR THAT THE SERVICE WILL BE UNINTERRUPTED, ERROR-FREE, OR SECURE.

CIPHER ONE DOES NOT WARRANT THAT THE SERVICE WILL ENABLE YOU TO ACHIEVE OR MAINTAIN COMPLIANCE WITH ANY REGULATORY FRAMEWORK, INCLUDING BUT NOT LIMITED TO CMMC, NIST SP 800-171, FAR 52.204-21, DFARS 252.204-7012, OR ANY DOD IMPACT LEVEL. COMPLIANCE IS YOUR SOLE RESPONSIBILITY.

12. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW:

CIPHER ONE'S TOTAL CUMULATIVE LIABILITY ARISING FROM OR RELATED TO THESE TERMS OR THE SERVICE — WHETHER IN CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR ANY OTHER LEGAL THEORY — WILL NOT EXCEED THE GREATER OF (a) ONE HUNDRED U.S. DOLLARS (USD $100), OR (b) THE AMOUNT YOU ACTUALLY PAID TO CIPHER ONE FOR THE SERVICE IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM.
IN NO EVENT WILL CIPHER ONE BE LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES; LOSS OF PROFITS, REVENUE, BUSINESS, DATA, OR GOODWILL; OR THE COST OF SUBSTITUTE GOODS OR SERVICES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
WITHOUT LIMITING THE FOREGOING: CIPHER ONE WILL HAVE NO LIABILITY OF ANY KIND FOR LOSS, DISCLOSURE, OR REGULATORY EXPOSURE ARISING FROM YOUR DECISION TO UPLOAD CUI OR OTHER PROHIBITED MATERIAL IN VIOLATION OF SECTION 2.

13. Indemnification

You agree to indemnify, defend, and hold harmless Cipher One Tech LLC, its affiliates, officers, employees, and agents from and against any claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to: (a) your breach of these Terms; (b) your violation of any applicable law or regulation; (c) your upload of prohibited material under Section 2; (d) your infringement or misappropriation of any third party's intellectual property or other rights; or (e) any dispute between you and a third party arising from your use of the Service.

14. Governing Law & Dispute Resolution

These Terms are governed by the laws of the State of Maryland, United States, without regard to its conflict-of-laws principles. The parties consent to the exclusive jurisdiction of the state courts of Maryland and the U.S. District Court for the District of Maryland for any dispute arising out of or relating to these Terms or the Service, except that either party may seek injunctive relief in any court of competent jurisdiction to protect its intellectual property or confidential information.

15. Changes to These Terms

We may modify these Terms from time to time. The current version will always be posted at readylinegrc.com/terms with the "Last updated" date noted at the top. Material changes will be communicated to the Tenant administrator's email of record at least thirty (30) days before they take effect, except that changes required by law or to address security threats may take effect immediately. Your continued use of the Service after the effective date of any change constitutes acceptance.

16. Contact

Questions about these Terms? Contact us at hello@readylinegrc.com.

Cipher One Tech LLC
Maryland, United States

Reminder: these Terms are an interim draft. The final version, following review by qualified legal counsel, will be published at this URL and supersede this draft entirely. Material changes will be communicated to all Tenant administrators of record by email.