Terms of Service
These terms govern your use of kolm.ai for agent-security audits and signed evidence reports. They are the agreement between you and Kolmogorov Stack, Inc., written so a developer, a procurement reviewer, or legal counsel can read it once. The evidence report at the center of the service is a cryptographically signed (Ed25519), offline-verifiable document your security team checks against kolm's public key, with no account and no trust in kolm's servers. Ed25519 is a widely used digital-signature scheme. kolm signs each report with a private key; anyone can check the signature with the matching public key, which proves the report has not been changed since it was issued.
1. Parties and Acceptance
Provider. Kolmogorov Stack, Inc., a Delaware corporation ("kolm," "we," or "us").
Customer. The individual or legal entity that submits an audit request, signs an order form, or uses the verification service ("you" or "Customer"). Where you accept on behalf of a company, you represent that you are authorized to bind that company to these terms.
Acceptance. You accept these terms by: (a) submitting an audit request at /contact; (b) signing an enterprise order form; (c) creating a kolm account and using any hosted feature; or (d) clicking through a checkout flow. Using the open-source verifier tool under its Apache-2.0 license does not require acceptance of these terms.
Notices. The email address on your account or order form is the canonical address for legal notices from us to you. Notices from you to us must be sent to dev@kolm.ai.
2. Service Description
kolm.ai provides agent-security audit services and signed evidence reports for AI applications: the agent under review and the tools, identities and data flows around it. The primary deliverable is a cryptographically signed (Ed25519) evidence report ("Evidence Report") that an enterprise security team can verify offline against kolm's published public key. The Evidence Report covers the scope agreed in the order form or audit request. Current audit modules include:
- API and permission posture. Static and dynamic review of the API surface, OAuth scopes, tool-call boundaries, and least-privilege adherence.
- Redaction and data-handling integrity. Verification that the agent redacts, masks, or withholds sensitive fields as claimed, and that the audit-trail log captures the correct events.
- Audit-trail integrity. Structural and cryptographic review of the agent's internal audit log: completeness, tamper-evidence, and retention compliance.
- Prompt-injection testing and reporting. Adversarial injection probes with findings reported in the Evidence Report. See Section 4 for the scope limitation on this module.
- Offline-verifiable evidence. The Evidence Report is signed with Ed25519 and structured as a SHA-256 Merkle log (RFC 6962 style). Verification requires only the open-source verifier and kolm's public key. It needs no account and no connection to kolm's servers.
Additional modules and engagement types (retainer, re-audit, continuous monitoring) may be described in a separate order form. That order form, together with these terms, constitutes the complete agreement for the engagement.
3. Accounts and Access
Account creation. You create an account with an email address. We issue a verification link. Free and professional accounts authenticate with an API key. Enterprise accounts add SSO via SAML 2.0 and directory sync via SCIM 2.0.
Key security. Your API key is your credential. Treat it as a password. Rotate it immediately if you suspect compromise. kolm will not be liable for unauthorized access that results from your failure to protect your key.
Audit portal access. The audit portal at https://kolm.ai allows you to submit agent metadata, track audit status, download signed Evidence Reports, and run the in-browser WebCrypto verifier. The portal requires a valid account or a one-time verification token issued at the time of report delivery.
Enterprise SSO. Enterprise order forms may include SSO and SCIM provisioning. The order form is the controlling document for enterprise seat counts and access controls.
4. Scope of the Audit Engagement
The Evidence Report attests to findings within the agreed audit scope. The following scope limitations apply to all engagements unless explicitly expanded in a signed order form:
4.1 What the Evidence Report covers
The Evidence Report attests to the findings produced by kolm's audit methodology applied to the agent artifact, API, and configuration provided by you. It covers: (a) the API and permission posture as observed during the audit window; (b) redaction and data-handling behavior as exercised by the audit test suite; (c) audit-trail structure and cryptographic integrity; and (d) injection probe findings as described in Section 4.2.
4.2 Injection testing: reported, not warranted
Prompt-injection and tool-abuse probes are performed and the findings are reported in the Evidence Report. kolm does not warrant that the agent is free from prompt-injection vulnerabilities, that the tested scenarios are exhaustive, or that the agent will resist injection attempts not covered by the audit scope. The injection module produces a findings report, not a certification of resistance. Customers are responsible for remediation and for independent re-testing following remediation.
4.3 Point-in-time nature
The Evidence Report reflects the agent as audited at the date shown on the report. Subsequent code changes, configuration changes, model updates, or dependency updates are not covered by the original report. A re-audit engagement is required to cover a materially changed agent.
4.4 Reliance scope
The Evidence Report is addressed to the Customer. Third parties (including the Customer's enterprise buyers and security reviewers) may verify the cryptographic signature and read the report but do so on their own assessment. kolm makes no warranty to any third party regarding the agent's security posture beyond what is stated in the signed report and these terms.
5. Acceptable Use
The following uses are prohibited. kolm will suspend or terminate accounts that engage in them:
- Harm. Do not submit agent configurations intended to generate content targeting real people for harassment, sexual content involving minors, or operational instructions for weapons capable of mass casualties.
- Fraud. Do not use the Evidence Report or the kolm verification badge in a context designed to mislead a counterparty about the security posture of an agent that has been materially altered since the audit.
- Misrepresentation of scope. Do not represent the Evidence Report as covering a scope broader than the agreed audit modules or as a certification of production security where the audit was scoped to a staging environment.
- Privacy violations. Do not submit agent configurations or trace data that contain personal data without a lawful basis. Healthcare data governed by applicable privacy law requires a signed data-processing agreement before submission.
- Resource abuse. Do not run sustained automated traffic against the audit portal or the verification endpoint intended to map the infrastructure or exhaust shared capacity.
- Sanctions. Do not use kolm's services in or for the benefit of a person or country covered by United States, United Kingdom, or European Union sanctions regimes.
6. Fees, Payment, and Refunds
Fees. Audit fees are set out in the order form or on the pricing page at /pricing. All fees are in United States dollars unless the order form specifies otherwise.
Payment timing. Fixed-scope engagements are invoiced at signing (50%) and at report delivery (50%) unless the order form specifies a different schedule. Subscription and retainer plans are invoiced monthly or annually on the anniversary of the start date. Invoices are issued via Stripe and sent to the billing email on the order form.
Taxes. Fees exclude VAT, GST, and applicable sales tax. Where we are required to collect, taxes are added at checkout and shown on the invoice. Reverse-charge VAT applies in EU jurisdictions for business customers with a valid VAT ID.
Refunds. If you cancel a fixed-scope engagement before the audit kickoff call, we refund the deposit in full. After the kickoff call, work-in-progress fees are non-refundable but any unearned portion of the delivery payment is refunded pro-rata based on the audit modules not yet completed. For subscription plans, cancellation inside the first 14 days of the initial term earns a full refund; thereafter, the plan terminates at the end of the current billing cycle with no partial refund.
Disputed charges. Disputes about any charge must be raised in writing to dev@kolm.ai within 30 days of the invoice date. Disputed amounts are placed on hold while we review; undisputed amounts remain due.
7. Intellectual Property and License
kolm IP. The audit methodology, the Evidence Report template, the signing infrastructure, the open-source verifier, and all related tooling are owned by or licensed to kolm. These terms do not transfer any ownership of kolm IP to you.
Evidence Report license. Upon payment of all fees for an engagement, kolm grants you a worldwide, non-exclusive, royalty-free, sublicensable license to reproduce and distribute the Evidence Report for your legitimate business purposes, including sharing it with your enterprise buyers and security reviewers. You may not alter the cryptographic signature, the findings narrative, or the scope statement of the Evidence Report. An altered or truncated report will fail the open-source verifier's signature check.
Open-source verifier. The verifier tool is licensed under Apache-2.0. Anyone may use, modify, and redistribute it under those terms. No account is required to run the verifier against a signed report.
Your agent and materials. You retain all ownership of the agent code, configuration, model weights, and API credentials you provide for the audit. You grant kolm a limited, non-exclusive license to access and test those materials solely for the purpose of performing the agreed audit. We do not retain your agent's data beyond the engagement window; imported logs are redacted before storage and deleted when that window closes.
Upstream model licenses. If your agent uses an upstream model subject to a third-party license (including, without limitation, Llama, Qwen, DeepSeek, or any other model with a use-restriction clause), you are responsible for compliance with that license. kolm does not relicense upstream models and does not represent that an audit clears any upstream license obligation.
Trademarks. The kolm name, logo, and "verified by kolm" badge are trademarks of Kolmogorov Stack, Inc. Use of the badge is permitted only in connection with an unaltered Evidence Report issued by kolm for the specific agent version shown in the report. Use in any other context requires written permission from kolm.
8. Confidentiality
Definition. "Confidential Information" means non-public information disclosed by one party to the other in connection with these terms that is designated as confidential or that a reasonable person would understand to be confidential given the circumstances of disclosure. Your agent architecture, code, credentials, and security findings are Confidential Information. kolm's pricing, methodology documentation, and internal tooling are Confidential Information.
Obligations. Each party agrees to: (a) use the other party's Confidential Information only for the purposes of performing or receiving the services under these terms; (b) protect Confidential Information with at least the same care it uses for its own confidential information of similar sensitivity, and in no case less than reasonable care; and (c) not disclose Confidential Information to any third party other than employees, contractors, or advisors who need to know it and are bound by obligations at least as protective as these.
Evidence Report publication. You control whether and to whom you share the Evidence Report. kolm does not publish report contents without your written authorization. kolm may reference the existence of the engagement in aggregate statistics or marketing (e.g., "N agent audits completed") without identifying you unless you have given written consent for a named case study.
Exceptions. The confidentiality obligation does not apply to information that: (a) is or becomes publicly available through no breach of these terms; (b) was already known to the receiving party without restriction; (c) is independently developed by the receiving party; or (d) is required to be disclosed by law, regulation, or court order, provided the disclosing party gives prompt written notice to the other party to the extent legally permitted.
Survival. Confidentiality obligations survive termination of these terms for three (3) years, except for trade secrets, which remain protected for as long as they qualify as trade secrets under applicable law.
9. Data Handling
Agent data you submit. Agent code, configuration files, trace samples, and API credentials you submit for audit are used solely to perform the agreed audit modules. kolm does not retain your agent's submitted materials beyond the engagement window (90 days post-report delivery by default; shorter on request).
Audit portal metadata. The hosted portal records timestamp, request type, token count where applicable, response status, and key fingerprint. Request bodies containing agent configuration are not stored in audit logs longer than the engagement retention period.
Evidence Report data. The signed Evidence Report is stored by kolm for the duration of the agreement and for a reasonable period after to support verification requests. The report contains only the findings, scope summary, and cryptographic attestation fields. It includes no raw agent code or credentials.
Sub-processors. kolm uses a limited set of sub-processors for infrastructure (compute, storage, signing key management) and business operations (billing, email). Sub-processors are listed at /subprocessors and are bound by data-processing agreements at least as protective as this section. kolm notifies customers of material sub-processor changes with at least 30 days' advance notice.
Data minimization. Imported agent logs are redacted before storage, used solely to perform the agreed audit, and deleted at the end of the engagement window. Customer Content is never used to train any model, including kolm's own. Contact dev@kolm.ai with data-handling questions before submitting an audit request.
Deletion. Upon termination or at your written request, kolm deletes your agent materials from active systems within 30 days and from backups within 90 days. Account email is retained only for legal and tax record retention as required by applicable law.
Privacy policy. The full privacy policy at /privacy governs personal data kolm processes about your team members in connection with account management. The privacy policy and these terms are complementary; in the event of conflict, these terms govern the audit engagement data and the privacy policy governs personal data.
10. Warranties and Disclaimer
kolm's warranty. For paid audit engagements, kolm warrants that: (a) the audit will be performed in a professional and workmanlike manner consistent with the agreed scope; (b) the Evidence Report will accurately reflect the findings of the audit as performed; and (c) the Ed25519 signature on the Evidence Report is valid and verifiable against kolm's published public key.
Scope limitations are not warranty failures. The following are expressly outside the scope of kolm's warranty and do not constitute a breach: (a) injection vulnerabilities not covered by the agreed audit modules (see Section 4.2); (b) vulnerabilities introduced after the audit date (see Section 4.3); (c) the agent's fitness for any particular production use; (d) the completeness of the audit relative to any specific compliance framework beyond the modules tested.
Open-source verifier. The open-source verifier is provided as-is under Apache-2.0. kolm does not warrant its fitness for any particular verification use case beyond checking Ed25519 signatures on Evidence Reports issued by kolm.
Disclaimer. To the maximum extent permitted by applicable law, kolm disclaims all other warranties, express or implied, including warranties of merchantability, fitness for a particular purpose, and non-infringement, except as expressly stated in this Section 10.
11. Limitation of Liability
Liability cap. Each party's aggregate liability to the other arising out of or related to these terms, whether based on contract, tort, or any other theory, is limited to the greater of: (a) USD 1,000; or (b) the total fees paid or payable by you to kolm in the twelve (12) months immediately preceding the event giving rise to the claim.
Excluded damages. Neither party is liable for indirect, incidental, special, consequential, or punitive damages, including lost profits, lost revenue, lost data, reputational harm, or business interruption, even if advised of the possibility of such damages.
Carve-outs. The liability cap does not apply to: (a) your obligation to pay fees that are due; (b) either party's indemnification obligations under Section 12; (c) a party's fraud or willful misconduct; or (d) liability that cannot be excluded or limited under applicable law.
Allocation of risk. The fees for audit engagements reflect, in part, this allocation of risk. The parties acknowledge that kolm would not provide the services at the agreed price without these limitations.
12. Indemnification
kolm indemnifies you for: Third-party claims alleging that the Evidence Report format or the open-source verifier, as provided by kolm and used in accordance with these terms, infringes a valid United States patent, copyright, or registered trademark. Subject to the cap in Section 11.
You indemnify kolm for: Third-party claims arising from: (a) your agent's design, operation, or outputs; (b) your use of the services in violation of Section 5; (c) your sharing or misrepresentation of the Evidence Report beyond its stated scope; (d) claims by an upstream model provider arising from your use of model outputs in connection with the audited agent; or (e) your breach of applicable law. Subject to the cap in Section 11.
Process. The indemnified party must: (a) give the indemnifying party prompt written notice of the claim; (b) give the indemnifying party sole control of the defense and settlement; and (c) reasonably cooperate at the indemnifying party's expense. Any settlement that admits liability on behalf of the indemnified party requires the indemnified party's prior written consent, not to be unreasonably withheld.
13. Term, Suspension, and Termination
Term. These terms apply from the date of acceptance until the expiration or termination of all active engagements and subscriptions.
Termination for convenience. You may cancel any subscription plan at any time through the account dashboard or by written notice to dev@kolm.ai; cancellation takes effect at the end of the current billing cycle. Fixed-scope engagements may not be cancelled for convenience after the kickoff call except on terms agreed in writing. kolm may terminate a subscription plan with 30 days' written notice without cause.
Termination for cause. Either party may terminate immediately upon written notice if: (a) the other party materially breaches these terms and fails to cure within 30 days of written notice specifying the breach; (b) the other party becomes insolvent, makes a general assignment for the benefit of creditors, or has an insolvency proceeding filed against it that is not dismissed within 60 days; or (c) the other party engages in fraud or willful misconduct. For Section 5 violations and non-payment, termination may occur without a cure period.
Suspension. kolm may suspend account access for: (a) a security incident requiring immediate containment; (b) a suspected Section 5 violation; or (c) a payment that is more than 15 days past due. kolm will provide reasonable notice before suspension except where immediate action is required for security reasons.
Effect of termination. On termination: (a) all licenses granted under these terms terminate except the license to the Evidence Reports already delivered; (b) each party returns or destroys the other party's Confidential Information; and (c) all accrued payment obligations remain due.
Survival. Sections 7 (IP, for reports already delivered), 8 (Confidentiality), 9 (Data handling, for the retention and deletion obligations), 10 through 12 (Warranty, Liability, Indemnification), and 15 (Governing law) survive termination.
14. Changes to These Terms
kolm may update these terms from time to time. The effective date at the top of this page reflects the most recent revision. For changes that materially reduce your rights or materially increase your obligations, kolm will send notice to the account email at least 30 days before the change takes effect. Continued use of any kolm service after the effective date of a change constitutes acceptance of the revised terms.
Every effective date corresponds to a tagged commit in the public site repository. Prior versions of this document can be retrieved from the repository history. The canonical version is the one at https://kolm.ai/terms.
15. Governing Law and Dispute Resolution
Governing law. These terms are governed by the laws of the State of Delaware, without regard to its conflict-of-laws principles.
Negotiation first. Before filing any formal claim, the parties agree to a 30-day period of good-faith negotiation. Either party initiates this period by written notice to the other party's contact address specifying the nature and amount of the claim. A genuine attempt to resolve is required, not a procedural checkbox.
Venue. Any dispute not resolved by negotiation is subject to the exclusive jurisdiction of the state and federal courts located in the State of Delaware. Each party irrevocably waives any objection to venue in those courts and waives any right to a jury trial.
Class action waiver. All claims under these terms are brought on an individual basis. Neither party may bring a class, collective, or representative action.
Equitable relief. Either party may seek injunctive or other equitable relief in any court of competent jurisdiction to prevent actual or threatened misappropriation of intellectual property or Confidential Information, without first completing the negotiation period.
16. Contact
For all questions about these terms, audit engagements, payment disputes, data requests, and legal notices, contact:
Kolmogorov Stack, Inc.
dev@kolm.ai
For verification of a signed Evidence Report, use the open-source verifier at /verify or run the verifier tool locally against kolm's published public key. Verification requires no account and no connection to kolm's servers.
Caveats: Scope is contractual. Permission posture, redaction and audit-trail integrity are assessed. Injection is tested and reported, not warranted.