Terms of Service

1. Acceptance of Terms

By creating an account on or accessing the BrickGRC platform ("Service"), operated by BrickGRC ("we," "us," or "our"), you ("Customer," "you," or "your") agree to be bound by these Terms of Service ("Terms"). If you are accepting these Terms on behalf of a company, organization, or other legal entity, you represent and warrant that you have the authority to bind that entity to these Terms. If you do not agree to these Terms, you must not access or use the Service.

These Terms constitute a legally binding agreement between you and BrickGRC. They govern your access to and use of the Service, including all features, content, and functionality offered through the platform, the marketplace, APIs, and any related services.

2. Description of Service

BrickGRC is a modular Governance, Risk, and Compliance (GRC) platform. The Service provides tools for managing compliance engagements against frameworks such as ISO 27001, SOC 2, GDPR, HIPAA, and NIST CSF. Core capabilities include guided work items, document management, evidence linking, maturity scoring, report generation, and AI-powered compliance assistance.

The Service uses a "Bricks" architecture that allows you to connect third-party integrations including, but not limited to: AI processing engines, document storage backends, notification services, project management tools, employee directory synchronization (e.g., Google Workspace, Microsoft Entra ID), SSO and identity providers, calendar integrations, webhook endpoints, and organization folder scanning for automated evidence collection.

The Service also includes: a Marketplace for buying and selling compliance templates and content; API key access for programmatic integration; two-factor authentication (2FA) for account security; and configurable webhook integrations for event-driven workflows.

3. User Accounts & Roles

You are responsible for maintaining the confidentiality of your account credentials and for all activities that occur under your account. You must use a strong password and must notify us immediately at [email protected] of any unauthorized access or security breach.

BrickGRC supports role-based access within organizations. The Organization Owner has ultimate administrative control, including user management, billing, API key provisioning, and integration configuration. Additional roles include Administrators, Auditors, Editors, and Viewers. The Organization Owner is responsible for managing user roles and permissions and for ensuring that access is granted in accordance with the principle of least privilege.

Two-factor authentication (2FA) is available for all accounts and is strongly recommended. You may enable 2FA through your account security settings. BrickGRC may enforce mandatory 2FA for Organization Owner and Administrator accounts at its discretion.

Accounts may be subject to temporary lockout after repeated failed authentication attempts. API keys issued to your account carry the same access level as the issuing user and must be treated with the same confidentiality as account credentials. You are solely responsible for any actions performed using your API keys.

4. Data Ownership

You retain full ownership of all data you upload, create, or store within the Service, including compliance records, uploaded documents, engagement configurations, and report outputs ("Customer Data"). BrickGRC does not claim any intellectual property rights over your Customer Data.

You grant BrickGRC a limited, non-exclusive, royalty-free license to process your Customer Data solely as necessary to operate and provide the Service — including transmitting data to AI providers for AI-powered features you elect to use, storing documents in configured storage backends, generating embeddings for search and evidence linking, and producing reports you request.

5. AI Features & Third-Party AI Providers

BrickGRC integrates with third-party AI providers (including Google, Anthropic, OpenAI, Cohere, Mistral, and others) to power features such as document intelligence, evidence auto-linking, maturity scoring, embedding generation for semantic search, and the AI compliance assistant. When you configure your own AI provider through the Bricks system using your API key ("BYO LLM"), your data is processed under your own agreement with that provider. You are solely responsible for reviewing and complying with their terms of service and data processing policies.

If you do not configure an AI provider, the Service uses Google Gemini as its default AI engine under BrickGRC's API key. For embedding generation, the Service may fall back to Anthropic if the primary embedding provider is unavailable. By using AI features without configuring your own provider, you acknowledge that your compliance data will be processed by Google (and potentially Anthropic for embeddings) in accordance with their respective API terms of service. See our Privacy Policy for details on what data is transmitted.

You may opt out of the default AI engine at any time by configuring your own AI provider through the Bricks settings, or by not using AI-powered features.

All AI-generated content within BrickGRC — including maturity scores, compliance recommendations, document analysis results, guided work suggestions, and AI assistant responses — is provided as informational guidance only and may contain errors, omissions, or inaccuracies. AI-generated content does not constitute and must not be relied upon as legal advice, regulatory guidance, professional audit opinion, or certification of compliance. You are solely responsible for reviewing, validating, and making decisions based on AI outputs. Consult qualified compliance professionals, auditors, or legal counsel for matters requiring professional judgment. BrickGRC makes no warranty regarding the accuracy, completeness, or fitness of any AI-generated content for your specific regulatory requirements.

6. Acceptable Use

You agree not to, and will not permit any third party to: (a) violate any applicable law, regulation, or third-party right; (b) upload malicious files, malware, or attempt to compromise the Service's security, availability, or integrity; (c) attempt unauthorized access to other organizations' data, accounts, or platform infrastructure; (d) use the Service to store content materially unrelated to governance, risk, or compliance activities; (e) reverse-engineer, decompile, disassemble, or attempt to derive the source code, algorithms, or data models of the Service; (f) scrape, crawl, or use automated means to extract data or content from the Service beyond what is provided through authorized APIs; (g) resell, sublicense, lease, or redistribute access to the Service or any portion thereof without prior written authorization; (h) conduct performance benchmarking or competitive analysis of the Service and publish or disclose the results without prior written consent; (i) circumvent any usage limits, rate limits, or access controls imposed by the Service; (j) use the Service to develop a competing product or service; or (k) interfere with or disrupt the Service or the servers or networks connected to the Service.

Violation of this section may result in immediate suspension or termination of your account without notice.

7. Payment & Billing

Subscription fees are billed in advance on a monthly or annual basis as specified in your selected plan. All fees are stated in the applicable currency and are exclusive of taxes unless otherwise noted. All fees are non-refundable except where required by applicable law.

New accounts are eligible for a seven (7) day free trial of the Professional plan. During the trial, you have access to all Professional plan features. At the end of the trial period, your account will automatically downgrade to the Free plan unless you subscribe to a paid plan. No payment information is required to start a trial.

We reserve the right to modify pricing with at least thirty (30) days' written notice. Price changes take effect at the start of your next billing cycle. If you do not agree with a price change, you may cancel your subscription before the new pricing takes effect.

If payment fails, we will notify you and provide a seven (7) day grace period to update your payment method. If payment is not received within the grace period, your account will be downgraded to the Free plan and features exclusive to paid plans will become inaccessible. Your data will be retained for thirty (30) days following downgrade, after which data exceeding Free plan limits may be archived or deleted. You may restore full access at any time by subscribing to a paid plan within this period.

8. Marketplace Terms

For Sellers: By listing content on the BrickGRC Marketplace, you represent and warrant that you have the right to sell or distribute such content and that it does not infringe any third-party intellectual property rights. You retain ownership of your original content. By listing content on the Marketplace, you grant BrickGRC a non-exclusive license to display, distribute, and promote the content within the Service. BrickGRC retains a commission of thirty percent (30%) on all Marketplace sales. Payouts to sellers are processed via Stripe Connect in accordance with Stripe's terms of service. You are responsible for providing accurate payout information and for any tax obligations arising from Marketplace revenue.

For Buyers: Content purchased from the Marketplace is licensed for use within your BrickGRC organization. You may not redistribute, resell, or share purchased content outside of your organization without the seller's express written permission. BrickGRC does not guarantee the accuracy, completeness, or regulatory suitability of any Marketplace content. All purchases are final unless the content is materially defective or substantially not as described.

Content Moderation: BrickGRC reserves the right to review, remove, or refuse any Marketplace listing that violates these Terms, infringes intellectual property rights, contains misleading or harmful content, or is otherwise objectionable at our sole discretion. Repeated violations may result in permanent removal of selling privileges.

9. API Access

BrickGRC provides API access for programmatic integration with the Service. API keys are issued per user and carry the permissions of the issuing account. You are responsible for securing your API keys and for all actions performed through them. Do not embed API keys in client-side code, public repositories, or otherwise expose them to unauthorized parties.

API usage is subject to rate limits as published in our API documentation. BrickGRC reserves the right to modify rate limits at any time with reasonable notice. Excessive or abusive API usage that degrades the Service for other customers may result in temporary or permanent restriction of API access.

BrickGRC may update or deprecate API endpoints with reasonable notice. We will make commercially reasonable efforts to maintain backward compatibility and provide migration guidance for breaking changes.

10. Data Processing & Privacy

With respect to personal data processed through the Service, you (the Customer) act as the data controller and BrickGRC acts as the data processor. BrickGRC processes personal data solely on your instructions and as necessary to provide the Service in accordance with these Terms and our Privacy Policy.

A Data Processing Agreement (DPA) is available upon request for customers who require one under applicable data protection legislation, including the EU General Data Protection Regulation (GDPR), the UK GDPR, or equivalent frameworks. To request a DPA, contact us at [email protected].

BrickGRC implements appropriate technical and organizational measures to protect Customer Data, including encryption in transit and at rest, access controls, and regular security assessments. Details of our security practices are described in our Privacy Policy.

11. Security Breach Notification

In the event of a confirmed security breach affecting Customer Data, BrickGRC will notify affected customers without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach, in accordance with Article 33 of the GDPR and other applicable data breach notification laws.

Notification will be provided via email to the Organization Owner and any designated security contacts on file. The notification will include, to the extent known: the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects. BrickGRC will cooperate with affected customers and relevant supervisory authorities as required by applicable law.

12. Service Availability & SLA

BrickGRC targets a service availability of ninety-nine point five percent (99.5%) measured on a monthly basis, excluding scheduled maintenance windows. Planned maintenance will be scheduled during low-usage hours and announced at least forty-eight (48) hours in advance via email or in-app notification.

This availability target does not constitute a guarantee and does not apply to: (a) downtime caused by factors outside BrickGRC's reasonable control, including force majeure events; (b) outages or degradation of third-party services and integrations (including AI providers, storage backends, identity providers, and calendar services); (c) connectivity issues between the customer's network and BrickGRC's infrastructure; or (d) features designated as beta or preview.

BrickGRC will use commercially reasonable efforts to restore the Service promptly in the event of unplanned downtime and will provide status updates through our status page and email notifications.

13. Intellectual Property

The BrickGRC platform, including its software, design, user interface, templates, guided workflows, framework content, APIs, documentation, and all related intellectual property, is and remains the exclusive property of BrickGRC. Your subscription grants you a non-exclusive, non-transferable, non-sublicensable, revocable license to use the Service for your internal governance, risk, and compliance management purposes during the term of your subscription.

Compliance framework templates provided within the Service (ISO 27001, SOC 2, GDPR, HIPAA, NIST CSF, etc.) are BrickGRC's interpretation and structuring of publicly available standards. They do not replace the official standard documents published by the respective standards bodies and should be used in conjunction with the original standards.

14. Indemnification

You agree to indemnify, defend, and hold harmless BrickGRC, its officers, directors, employees, agents, and affiliates from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from or related to: (a) your use of the Service; (b) Customer Data you upload, store, or process through the Service; (c) your reliance on AI-generated content for compliance, legal, regulatory, or business decisions; (d) your violation of these Terms; (e) your violation of any applicable law or regulation; (f) your violation of any third party's rights, including intellectual property rights; or (g) any content you list or sell through the Marketplace.

BrickGRC will promptly notify you of any such claim and will provide reasonable cooperation in the defense thereof. You shall not settle any claim that imposes obligations on BrickGRC without our prior written consent.

15. Limitation of Liability

To the maximum extent permitted by applicable law, BrickGRC shall not be liable for any indirect, incidental, special, consequential, exemplary, or punitive damages — including but not limited to loss of profits, revenue, data, business opportunities, goodwill, anticipated savings, or cost of procurement of substitute services — arising from or related to your use of or inability to use the Service, reliance on AI-generated content, actions or omissions of third-party AI providers or integration partners, or any other matter relating to the Service, regardless of whether BrickGRC has been advised of the possibility of such damages.

In no event shall BrickGRC's total aggregate liability for all claims arising out of or related to these Terms or the Service exceed the greater of: (a) the total amount you paid for the Service in the twelve (12) months immediately preceding the event giving rise to the claim; or (b) one hundred euros (EUR 100). This limitation applies regardless of the theory of liability, whether in contract, tort (including negligence), strict liability, or otherwise.

Force Majeure: BrickGRC shall not be liable for any failure or delay in performing its obligations under these Terms to the extent such failure or delay results from circumstances beyond its reasonable control, including but not limited to: natural disasters, pandemics, acts of war or terrorism, government actions, labor disputes, power outages, internet or telecommunications failures, cyberattacks, or failures of third-party service providers. BrickGRC will use reasonable efforts to mitigate the effect of any force majeure event and will resume performance as soon as reasonably practicable.

16. Warranty Disclaimer

The Service is provided "AS IS" and "AS AVAILABLE" without warranties of any kind, whether express, implied, or statutory, including but not limited to implied warranties of merchantability, fitness for a particular purpose, non-infringement, and any warranties arising out of course of dealing or usage of trade. BrickGRC does not warrant that the Service will be uninterrupted, error-free, secure, or free of harmful components, or that AI-generated outputs will be accurate, complete, or suitable for any particular regulatory requirement or jurisdiction.

17. Termination

Either party may terminate this agreement at any time. You may cancel your subscription through the platform settings or by contacting us at [email protected]. Cancellation takes effect at the end of your current billing period, and you will retain access until that date.

Upon termination, you will have thirty (30) days to export your Customer Data. After this period, your data will be permanently deleted in accordance with our Privacy Policy. During the export period, your account will be in a read-only state.

Upon termination: (a) all active Marketplace listings you have published will be delisted; (b) purchased Marketplace content already delivered to buyers will remain accessible to those buyers; (c) any pending Marketplace payouts will be processed in accordance with the regular payout schedule; (d) third-party integrations and webhook configurations will be deactivated; (e) API keys will be immediately revoked; and (f) any outstanding fees for the current billing period remain due and payable.

We may suspend or terminate your access immediately without prior notice if you: (a) materially breach these Terms; (b) engage in activities that threaten the security, integrity, or availability of the Service; (c) fail to pay applicable fees after notice and a seven (7) day cure period; or (d) use the Service in a manner that exposes BrickGRC to legal liability. In the event of termination for cause, no refund of prepaid fees will be provided.

18. Governing Law & Disputes

These Terms shall be governed by and construed in accordance with the laws of the Portuguese Republic, without regard to its conflict-of-law provisions. Any disputes arising from or related to these Terms or the Service shall be submitted to the exclusive jurisdiction of the courts of Lisbon, Portugal.

Nothing in this section limits your rights under mandatory consumer protection laws of your jurisdiction, including any rights under the EU Consumer Rights Directive where applicable.

19. Changes to Terms

We may update these Terms from time to time. We will notify you of material changes via email to the Organization Owner and through a prominent notice in the Service at least thirty (30) days before they take effect. Continued use of the Service after changes take effect constitutes acceptance of the updated Terms. If you disagree with any changes, you may terminate your account before the changes take effect and receive a pro-rata refund for any unused prepaid subscription period.

20. Miscellaneous

Severability: If any provision of these Terms is found to be unenforceable or invalid, that provision shall be limited or eliminated to the minimum extent necessary, and the remaining provisions shall remain in full force and effect.

Entire Agreement: These Terms, together with the Privacy Policy, any applicable DPA, and any order forms or subscription agreements, constitute the entire agreement between you and BrickGRC regarding the Service and supersede all prior agreements and understandings.

Waiver: The failure of BrickGRC to exercise or enforce any right or provision of these Terms shall not constitute a waiver of such right or provision.

Assignment: You may not assign or transfer these Terms or your rights hereunder without BrickGRC's prior written consent. BrickGRC may assign these Terms in connection with a merger, acquisition, or sale of all or substantially all of its assets.

21. Contact

If you have questions about these Terms, please contact us at [email protected].