Skip to content
Ayliea — AI Security Assessment & Compliance Consulting

Terms of Service

Draft — not yet in effect

Draft under legal review — not yet in effect

These site terms are a draft and have not yet been reviewed or approved by legal counsel. They are not in effect and create no binding obligations. The binding terms for any engagement are set out in the individual signed engagement agreement you execute with Ayliea. Questions? legal@ayliea.com

1. Acceptance of Terms

By accessing or using Ayliea (the "Service"), including the marketing website at ayliea.com, the Ayliea mobile application (the "App"), and AI Security Assessment consulting services, you agree to be bound by these Terms of Service ("Terms"). If you do not agree to these Terms, do not use the Service.

2. Description of Service

Ayliea provides a security posture assessment platform and AI Security Assessment consulting services, including:

  • Security assessments across multiple compliance and AI security frameworks (including the Ayliea AI Security Standard, CIS Controls v8, NIST 800-53, NIST CSF 2.0, NIST AI RMF, ISO 42001, OWASP LLM Top 10, HIPAA, and SOC 2), conducted as part of a scoped engagement
  • AI-generated security improvement recommendations
  • Evidence attachment uploads and assessment reports
  • Organization-level collaboration within the client's provisioned portal
  • Optional two-factor authentication (TOTP) for enhanced account security
  • Organization-level MFA enforcement for team compliance
  • AI asset discovery and shadow AI identification (consulting)
  • Data flow mapping and analysis (consulting)
  • Compliance gap analysis against industry frameworks (consulting)
  • Risk scoring and prioritized remediation roadmaps
  • Executive and technical deliverable packages (consulting)

3. The Service

The Service is offered as fixed-scope assessment engagements with published floors — Focused (from $6,500, one-time), Comprehensive (from $15,000, one-time), and Enterprise (from $40,000, one-time) — plus an optional annual Monitoring Retainer(from $9,000/yr). Final scope and price are confirmed on a scoping call before any engagement begins. Results are delivered in a secure client portal during the engagement; the client's signed report and deliverables are exportable and owned by the client organization. Live portal access is provided during the engagement and continues with a Monitoring Retainer — otherwise it ends after a post-engagement export window (see §13.3). Accounts are provisioned with an engagement; the Service is not offered on a self-serve basis.

3.1 Platform Capabilities

The Service's platform capabilities include: multi-seat assessments across all supported compliance frameworks; historical score tracking and composite posture scoring across multiple frameworks; evidence attachment uploads; AI-generated remediation recommendations validated against framework controls; the AI System Registry and risk classification (EU AI Act risk tiers, NIST AI RMF assessments); branded PDF reports with compliance mapping; the Trust Center (basic and advanced); continuous network monitoring, real-time shadow AI alerts, and AI tool inventory with CSV export; Trust Gap scoring (self-reported vs. verified); AI vendor risk questionnaires; AI incident tracking; regulatory timeline and compliance tracking; AI-assisted narrative risk analysis (via Anthropic's Claude API); and custom branding. Specific capabilities included in your engagement are confirmed on the scoping call.

3.2 Advanced Features (Enterprise Engagement)

Advanced features — including SSO/SAML integration, REST API with scoped API keys, webhook events for incident status changes, advanced audit log with CSV export, SIEM streaming, custom compliance framework support, and white-labeled reports — are included in the Enterprise engagement and scoped to your environment as part of Enterprise onboarding. Specific integration timelines, identity provider compatibility, and framework definitions are confirmed in your engagement agreement. To evaluate the Enterprise engagement, contact sales@ayliea.com or use the inquiry form at /contact.

3.3 AI Governance Module

The AI System Registry — including per-system EU AI Act risk classification and NIST AI RMF impact assessment — and the full AI Governance Module — AI vendor risk questionnaires, AI incident tracking, regulatory timeline tracking, and the AI policy engine — are included in the assessment scope as confirmed on your scoping call.

3.4 Billing

Assessment engagements are billed per engagement at the published floor confirmed on the scoping call (one-time). The optional Monitoring Retainer is billed annually at the published floor confirmed in the engagement agreement. Accounts are provisioned by Ayliea; the Service has no self-serve checkout. All fees are non-refundable except as required by applicable law. We reserve the right to change published floor pricing; we will provide at least 30 days' written notice of any price change to clients with an active engagement or retainer before the change affects their renewal. For billing questions, contact sales@ayliea.com.

4. Consulting Engagements

Consulting engagements are governed by individual engagement agreements and non-disclosure agreements executed between Ayliea and the client organization.

Engagement scope, deliverables, timelines, and fees are defined in the engagement agreement. All engagements begin with a free scoping call to determine the right package for your organization.

Assessment methodologies, frameworks, tools, and deliverable templates are proprietary to Ayliea and may not be reproduced or distributed without written consent.

5. Assessment Results and Deliverables

5.1 Professional Services

Assessment deliverables — including executive summaries, technical reports, AI asset inventories, compliance gap matrices, remediation roadmaps, and risk registers — are produced by qualified security professionals and represent our expert assessment of your organization's AI security posture at the time of engagement.

5.2 AI-Generated Recommendations

The App generates security improvement recommendations using artificial intelligence (Anthropic's Claude). These AI-generated recommendations are informational only and are not a substitute for professional security audits, penetration testing, or legal advice. AI-generated content may contain inaccuracies or omissions. You are solely responsible for evaluating and implementing any recommendations. Ayliea does not guarantee the accuracy, completeness, or suitability of AI-generated recommendations for your specific environment.

5.3 Not Legal Advice

Our assessments, deliverables, and AI-generated recommendations do not constitute legal advice. You should consult qualified legal counsel for regulatory compliance determinations and legal obligations.

5.4 Point-in-Time Assessment

Assessment results reflect your organization's posture at the time of the engagement or self-assessment. Security posture changes over time as your organization adopts new tools, changes configurations, and responds to evolving threats. Regular reassessment is recommended.

5.5 Framework Accuracy

Our assessment framework is built on publicly available standards (NIST, CIS, ISO, etc.) extended with AI-specific control domains. Framework content is not created, endorsed, or maintained by the organizations that publish those standards (e.g., CIS, NIST, PCI SSC, ISO, AICPA, HHS). You are responsible for verifying that assessment content is current and applicable to your specific regulatory obligations.

5.6 Shared Responsibility

Security outcomes depend on your organization's implementation, operational practices, and ongoing diligence — not solely on assessment findings or the recommendations provided by Ayliea. You bear sole responsibility for the security decisions you make and the controls you implement.

5.7 Self-Assessment Disclaimer

Where the Service includes or in the future offers a self-directed assessment module — a feature where users complete assessment questions independently without a named Ayliea assessor — the following applies to that module only: scores produced by the self-directed module are based on self-reported answers and are not independently verified by Ayliea; they do not constitute a formal audit, compliance certification, or professional security engagement; users must not represent such results as equivalent to a certified audit or compliance certification; and Ayliea expressly disclaims liability for compliance decisions, regulatory submissions, or business representations made solely on the basis of self-directed module results. This disclaimer does not apply to professional consulting engagements described in §4 and §5.1, which are delivered by qualified security professionals and governed by the engagement agreement.

5.8 Generated Policy and Governance Documents

The App may in future offer the ability to generate draft governance documents — including AI acceptable use policies and similar templates — derived from your assessment responses. (This capability is planned and is not currently available.) If and when this feature is offered, the following will apply: generated documents are starting templates, not legal instruments. They will be provided for your convenience, may not reflect the requirements of any law, regulation, contract, or industry standard applicable to your organization, and are not a substitute for legal advice. Before adopting, publishing, or relying on any generated document, you are responsible for reviewing, customizing, and validating it for your organization, with qualified legal counsel where appropriate. Ayliea does not warrant the accuracy, completeness, adequacy, or enforceability of any generated document and is not responsible for your use of it.

6. File Uploads

6.1 Permitted Files

The App allows you to upload evidence attachments in the following formats: PDF, PNG, JPEG, TXT, and CSV. The maximum file size is 5 MB per file.

6.2 Malware Scanning

All uploaded files are automatically scanned for malware using VirusTotal. Files identified as malicious are deleted immediately without notice. By uploading files, you acknowledge that file hashes (and potentially full files) may be submitted to VirusTotal for analysis and that VirusTotal may retain submitted files. See our Privacy Policy for details on third-party data sharing.

6.3 Your Responsibility

You are solely responsible for the content of files you upload. You must not upload files that contain malware, illegal content, or content that violates the rights of any third party. We reserve the right to remove any uploaded file at our discretion.

7. Accounts and Organizations

Every account in the Service belongs to an organization. The number of portal users and role configuration are set during onboarding and confirmed in your engagement agreement.

7.1 Organization Owners

The individual designated as the organization owner during onboarding is responsible for managing organization membership, distributing invite codes and collaborator links, and ensuring that members comply with these Terms.

7.2 Member Access

On multi-seat organizations, members share access to assessments, recommendations, and scores within their organization. The organization owner controls who has access by managing invite codes and removing members as needed.

7.3 Portal Users

Collaboration happens within the client organization's provisioned portal. The number of portal users is agreed upon during the scoping call and confirmed in the engagement agreement; there are no fixed per-package seat caps. If Ayliea changes the default user-count terms for new engagements, existing clients will be notified in writing before any change takes effect for their organization.

8. User-Generated Content

Assessment answers, evidence notes, uploaded files, and other content you create within the App ("User Content") remain your property. By using the Service, you grant Ayliea a limited, non-exclusive license to store, process, and display your User Content as necessary to provide the Service (including generating AI recommendations and sharing within your organization).

You may export or delete your User Content at any time through the App or by contacting us. Upon account deletion, all User Content is permanently removed from our systems within 30 days.

When you provide vendor contact information for assessment invitations through the AI Governance Module, you represent that you have a legitimate business relationship with the vendor and that you have the authority to request the assessment. You are responsible for ensuring that your use of the vendor assessment feature complies with applicable privacy and anti-spam laws in your jurisdiction.

9. Acceptable Use

You agree not to:

  • Use the Service for any unlawful purpose
  • Reproduce, distribute, or publicly share Ayliea's proprietary assessment methodology, tools, or deliverable templates without written consent
  • Interfere with or disrupt the Service or its infrastructure
  • Misrepresent assessment results or deliverables as certifications, attestations, or formal audits
  • Upload files containing malware, viruses, or malicious code
  • Share account credentials or invite codes with unauthorized parties
  • Attempt to circumvent access controls or use the Service beyond the scope of your engagement
  • Use the vendor assessment portal to send unsolicited assessments to contacts who have not agreed to participate in a vendor risk assessment

10. Intellectual Property

10.1 Service Ownership

The Service, including its design, branding, assessment methodology, control framework, scoring algorithms, deliverable templates, and marketing content, is owned by Ayliea and protected by intellectual property laws.

10.2 Deliverable Ownership

Upon completion of an engagement and receipt of full payment, clients receive a non-exclusive, non-transferable license to use the deliverables produced during their engagement for internal business purposes. The underlying methodology and templates remain the intellectual property of Ayliea.

10.3 Feedback

If you provide feedback, suggestions, or ideas about the Service, you grant us a non-exclusive, royalty-free license to use that feedback to improve the Service.

11. Limitation of Liability

The Service is provided "as is" and "as available" without warranties of any kind, express or implied, including but not limited to merchantability, fitness for a particular purpose, and non-infringement.

To the maximum extent permitted by law, Ayliea shall not be liable for:

  • Security incidents that occur despite following recommendations produced during an engagement or generated by the App
  • Regulatory penalties or compliance failures based on assessment results or AI-generated recommendations
  • Loss of data beyond our reasonable control (force majeure, third-party provider outages)
  • Deletion of uploaded files that are identified as malicious by automated malware scanning
  • Inaccuracies or omissions in AI-generated recommendations
  • Any indirect, incidental, special, consequential, or punitive damages

Our total liability for any claim arising from the Service shall not exceed the fees paid for the specific engagement giving rise to the claim.

12. Indemnification

You agree to indemnify and hold Ayliea harmless from claims, damages, losses, and expenses (including reasonable legal fees) arising from your use of the Service, violation of these Terms, or infringement of any third-party rights.

13. Termination

13.1 Account Termination

You may delete your account at any time through the App or by contacting us. Upon account deletion, your assessment data, uploaded files, and recommendations will be permanently removed within 30 days.

13.2 Consulting Engagements

Either party may terminate an engagement as specified in the engagement agreement. Website access may be restricted if these Terms are violated.

13.3 Effect of Termination

Upon termination of an engagement, deliverables produced up to the point of termination remain subject to the engagement agreement terms. We will delete or return engagement data in accordance with our Privacy Policy and the engagement agreement. Upon conclusion of an engagement (or upon termination of a Monitoring Retainer, if one was active), your portal access will move to read-only for a 30-day export window during which you may download and export your signed report and other deliverables. After that window, live portal access ends and all portal-hosted User Content will be permanently removed in accordance with §8 above. The client retains whatever deliverables were exported during the export window.

14. Confidentiality

"Confidential Information" means non-public information one party (the "Disclosing Party") discloses to the other (the "Receiving Party") in connection with the Service or an engagement — whether oral, written, or electronic — that is identified as confidential or that a reasonable person would understand to be confidential given its nature and the circumstances of disclosure. The client's Confidential Information includes the systems, logs, data, assessment inputs, findings, and deliverables relating to its engagement.

Each party will use the other's Confidential Information only to perform or receive the Service and will protect it with at least the same degree of care it uses for its own confidential information of like kind, and in no event less than reasonable care. A Receiving Party may disclose Confidential Information only to its personnel and contractors who need it to perform under these Terms and who are bound by confidentiality obligations no less protective than these.

Confidential Information does not include information that: (a) is or becomes public without breach of these Terms; (b) was known to the Receiving Party without an obligation of confidentiality before disclosure; (c) is independently developed without use of the Disclosing Party's Confidential Information; or (d) is rightfully received from a third party without restriction. A Receiving Party may disclose Confidential Information if required by law or legal process, provided it gives the Disclosing Party reasonable prior notice where lawful. These obligations continue for three (3) years after disclosure and, for any information that is a trade secret or protected health information, for as long as it remains a trade secret or is required to be protected by law. These obligations supplement, and do not replace, any non-disclosure or engagement agreement between the parties.

15. Data Protection and Privacy

15.1 Client Data and No AI Training

As between the parties, the client owns all data, files, logs, and assessment inputs it provides ("Client Data"). Ayliea uses Client Data only to deliver the engagement and the Service and for no other purpose without the client's consent. Ayliea does not use Client Data, assessment answers, or deliverables to train, fine-tune, or develop machine-learning or AI models. This section supplements the license granted in §8.

15.2 Subprocessors

Ayliea uses a limited set of third-party providers to deliver the Service, which may include AI processing (Anthropic), file malware scanning (VirusTotal), and cloud hosting and infrastructure. Ayliea remains responsible for its subprocessors' handling of Client Data and imposes on them data-protection obligations no less protective than those in these Terms. Ayliea will make its current list of subprocessors that handle Client Data available on written request and will give affected clients notice before adding a new subprocessor that handles Client Data. Where an engagement involves protected health information (see §15.5), any subprocessor that handles that information will be bound by a business associate agreement as required by 45 CFR §164.308(b).

15.3 Third-Party AI Processing

AI-generated recommendations are produced using Anthropic's Claude API. Client Data submitted to that feature is processed by Anthropic under Anthropic's Commercial Terms of Service, which prohibit Anthropic from training its models on that data. Ayliea will not submit protected health information to any third-party AI provider unless a HIPAA-compliant arrangement for that provider is in place; where protected health information is involved, it is handled under the applicable business associate agreement and appropriate safeguards.

15.4 Security Incident Notification

If Ayliea confirms a security incident that compromises the confidentiality, integrity, or availability of a client's Client Data, Ayliea will notify the affected client without undue delay, describe the nature of the incident and the data involved to the extent known, and cooperate reasonably in the client's response. Where a business associate agreement applies, Ayliea will provide breach notification within the time and in the manner that agreement and 45 CFR §164.410 require.

15.5 Protected Health Information and Business Associate Agreements

Some engagements involve information that constitutes protected health information ("PHI") or electronic PHI under the HIPAA Rules (45 CFR Parts 160 and 164). Where Ayliea will create, receive, maintain, or transmit PHI on behalf of a client that is a covered entity or business associate, the parties will execute a Business Associate Agreement ("BAA") before Ayliea accesses any PHI, as required by 45 CFR §164.502(e) and §164.504(e). The BAA governs the permitted uses of PHI, required safeguards, breach notification, subcontractor obligations, and the return or destruction of PHI, and controls over these Terms with respect to PHI.

15.6 Data Return and Destruction

On conclusion or termination of an engagement, or on the client's written request, Ayliea will return or destroy Client Data in its possession in accordance with §13.3, the Privacy Policy, and any applicable BAA — except for copies it is required to retain by law, which remain subject to the confidentiality and security obligations of these Terms.

16. Authorization and Scope of Assessment

16.1 Authorization to Assess

The client represents and warrants that it owns, or has the authority to authorize Ayliea to access, review, and analyze, the systems, logs, data, and environments within the engagement scope, and the client authorizes Ayliea to do so for the purpose of the engagement. Ayliea will act only within the scope agreed in the engagement agreement and will not knowingly access systems or data outside that scope. The client is responsible for obtaining any third-party consents (for example, from cloud or hosting providers) needed for the authorized work.

16.2 No Guarantee of Comprehensive Findings

An assessment evaluates the systems, data, and timeframe within the agreed scope using professional methods. It does not guarantee that every risk, vulnerability, or instance of non-compliance has been identified. New risks may emerge after the engagement, and matters outside the agreed scope are not assessed.

16.3 No Warranty of Security

An engagement and its deliverables do notwarrant that the client's systems are secure or will remain secure, and following the recommendations does not guarantee that a security incident will not occur. Ayliea stands behind the findings it reports and the methodology used to reach them; it does not warrant that the assessed environment is free of all risk. Security outcomes depend on the client's implementation and ongoing diligence, as described in §5.6.

17. Payment Terms

17.1 Invoicing

Fees, invoicing schedule, and payment timing for an engagement are set out in the engagement agreement. Unless that agreement states otherwise, invoices are due on the terms stated on the invoice, and fees are exclusive of taxes; the client is responsible for applicable sales, use, and similar taxes, excluding taxes on Ayliea's income.

17.2 Late Payment

Undisputed amounts not paid when due may accrue interest at the lower of 1.5% per month or the maximum rate permitted by law, from the due date until paid. Ayliea may suspend work or portal access for materially overdue undisputed amounts after giving written notice and a reasonable opportunity to cure.

17.3 Disputed Invoices

If the client disputes an invoice in good faith, it will notify Ayliea in writing within the period stated in the engagement agreement (or, if none is stated, within fifteen (15) days of the invoice date), pay all undisputed amounts when due, and work with Ayliea in good faith to resolve the disputed portion.

18. General Provisions

18.1 Entire Agreement and Order of Precedence

These Terms, the Privacy Policy, the engagement agreement, and any BAA together form the entire agreement between the parties regarding the Service and supersede prior discussions and representations on that subject. If there is a conflict, the signed engagement agreement governs over these Terms, and any BAA governs over both with respect to PHI.

18.2 Survival

Provisions that by their nature should survive — including §§5, 8, 10, 11, 12, 14, 15, 16, and 18, and the governing-law provision — survive termination of these Terms or an engagement.

18.3 Notices

Legal notices under these Terms must be in writing. Notices to Ayliea must be sent to legal@ayliea.com; notices to a client will be sent to the contact designated in the engagement agreement. Notice is deemed given on confirmed delivery or, for email, on the business day after it is sent absent a delivery error.

18.4 Assignment

Neither party may assign these Terms or an engagement without the other party's prior written consent, except that Ayliea may assign them to a successor in connection with a merger, acquisition, or sale of substantially all of its assets, with notice to the client. These Terms bind and benefit the parties' permitted successors and assigns.

18.5 Waiver

A party's failure to enforce a provision is not a waiver of its right to enforce that or any other provision later. A waiver is effective only if made in writing.

18.6 Independent Contractor

Ayliea performs the Service as an independent contractor. Nothing in these Terms creates an employment, agency, partnership, or joint-venture relationship between the parties, and neither party may bind the other.

19. Dispute Resolution

Any disputes arising from these Terms or the Service will be resolved through binding arbitration in accordance with the rules of the American Arbitration Association. You agree to resolve disputes individually and waive the right to participate in class action lawsuits.

20. Governing Law

These Terms are governed by the laws of the State of Delaware, United States, without regard to conflict of law principles.

21. Severability

If any provision of these Terms is found to be unenforceable, the remaining provisions continue in full force and effect.

22. Changes to Terms

We may update these Terms from time to time. Material changes will be posted on this page with an updated effective date. Continued use of the Service after changes constitutes acceptance of the new Terms.

23. Contact

If you have questions about these Terms, contact us at legal@ayliea.com.