
Terms of Use
-
Terms of Service (Use & Sale)
-
Effective date: September 1, 2025
-
Provider: FortaRisks CyberSecurity Inc., 108 Rue Alfred Desrochers, Saint-Augustin-de-Desmaures (QC) G3A 2T1, Canada
Contact: legal@fortarisks.com | privacy@fortarisks.com | hello@fortarisks.com
These Terms of Service (the “Terms”) govern your access to and use of the FortaRisks cloud software-as-a-service platform (the “Platform”) and related services, including APIs, connectors, support, and professional services (collectively, the “Services”). These Terms apply to business customers only.
-
If you have executed a master services agreement (“MSA”) and/or an order form (“Order Form”) with FortaRisks, those documents control to the extent of any conflict. The Privacy Policy and Data Processing Addendum (“DPA”) form part of the agreement between the parties.
-
-
1. Eligibility; Acceptance; Changes
-
By creating an account, signing an Order Form, or using the Services, you agree to these Terms and confirm that you are acting on behalf of a business entity. The Services are not intended for consumers and may not be used by minors.
-
We may update these Terms from time to time. If we make material changes, we will notify you (for example, via an in-app notice and/or email to your admin or billing contact). Continued use after the effective date of the updated Terms constitutes acceptance. If you do not agree, you may stop using the Services and terminate at the end of your then-current term in accordance with your Order Form.
-
-
2. Definitions
-
“Customer” means the legal entity that subscribes to the Services under an Order Form.
“Authorized Users” means individuals authorized by Customer to access the Services.
“Customer Content” means data, files, evidence, logs, configurations, and reports submitted to or generated through the Services from Customer’s use.
“AI Output” means recommendations, scores, reports, or other outputs produced by FortaRisks AI features.
“Third-Party Services” means third-party products or services integrated with the Platform (e.g., EDR, IAM, ITSM).
“Sub-processors” means third parties engaged by FortaRisks to process data or provide parts of the Services.
-
3. The Services
-
FortaRisks provides a platform for cybersecurity risk management, continuous compliance, executive reporting, remediation orchestration, and an AI copilot. Your subscribed modules, options, data residency, and any MSSP or professional services scope are set out in the applicable Order Form and/or the Platform subscription page.
-
-
4. Accounts; Security; Access Controls
-
Customer is responsible for (i) ensuring account information is accurate, (ii) enabling SSO and/or MFA where available, (iii) administering roles and permissions (RBAC), and (iv) safeguarding credentials. Customer must promptly notify FortaRisks of any suspected unauthorized access or security incident affecting Customer accounts.
-
FortaRisks may restrict or suspend access to the Services (in whole or in part) if reasonably necessary to protect the security of the Services or Customer data. We will provide notice as soon as reasonably practicable.
-
-
5. Fees; Billing; Taxes; Usage-Based Adjustments
-
Fees and renewal. Subscription fees are billed in advance in the frequency and currency specified in the Order Form (default: annual; CAD). Subscriptions renew automatically unless the Order Form states otherwise.
-
Late payments. Past-due amounts may accrue interest at 1.5% per month (18% per year) or the maximum allowed by law, whichever is lower. We may suspend access for non-payment after notice.
-
Taxes. Fees are exclusive of applicable taxes, which Customer is responsible for.
-
Trials and beta. Trials/beta features are provided “as is” without any SLA and may be modified or discontinued. Except as required by law, fees are non-refundable.
-
Usage/true-up. If your plan includes usage metrics (e.g., named users, managed assets, events, API calls), overages may be billed and/or reconciled through a quarterly true-up based on usage logs.
-
-
6. License; Acceptable Use
-
Subject to these Terms and payment of applicable fees, FortaRisks grants Customer a limited, non-exclusive, non-transferable, non-sublicensable license for Authorized Users to access and use the Services solely for Customer’s internal business purposes during the subscription term.
-
Customer will not (and will not permit anyone to):
- resell, rent, or make the Services available to third parties except as expressly permitted in an Order Form;
- reverse engineer, decompile, or attempt to derive source code (except where prohibited by law);
- bypass or defeat security controls;
- perform unauthorized or intrusive testing, scanning, or probing;
- extract data in bulk other than through documented APIs and features;
- introduce malware, conduct denial-of-service attacks, or otherwise interfere with the Services;
- use the Services to build or benchmark a competing product or service;
- violate export controls, sanctions, or embargo laws.
-
External attack surface / OSINT (EASM/OSINT). Customer represents it has the legal right to monitor the domains, assets, and sources it configures and that it will use these features only within authorized perimeters.
-
-
7. Third-Party Services and Integrations
-
Third-Party Services are governed by their own terms and policies. FortaRisks does not control and is not responsible for Third-Party Services, including their availability, performance, security posture, or API changes.
-
-
8. Intellectual Property; Feedback
-
The Services, Platform, software, models, documentation, workflows, methodologies, and know-how are owned by FortaRisks and its licensors and are protected by intellectual property laws. No rights are granted except as expressly stated.
-
Customer retains all rights in Customer Content. Customer grants FortaRisks a worldwide, non-exclusive, royalty-free license during the term to host, process, transmit, display, and back up Customer Content solely to provide and support the Services.
-
If Customer provides feedback, suggestions, or ideas, FortaRisks may use them without restriction or obligation.
-
-
9. Data Protection; Privacy; Data Residency; Return & Deletion
-
Data protection. Where the Services process personal data, Customer is the controller and FortaRisks is the processor, as described in the DPA.
-
Data residency. Unless otherwise stated, the default data region is Canada. US/EU regions may be available at onboarding. Customer’s tenant is anchored in the selected region for primary data, backups, and operational logs, subject to the DPA and technical constraints.
-
Export and deletion. Customer may export Customer Content via the UI/API during the term and for 30 days after termination/expiration. FortaRisks will delete Customer Content within 30 days after the export window, with backups purged within 35 days and application logs within 180 days, unless retention is required by law. Evidence of deletion may be provided upon request.
-
-
10. AI Features
-
No cross-customer training by default. Unless otherwise agreed in writing, FortaRisks does not use Customer Content to train global models for other customers.
-
AI Output. As between the parties, Customer may use AI Output generated from Customer Content, subject to third-party rights. FortaRisks retains all rights in its AI systems, models, prompts, techniques, and know-how.
-
Customer responsibility. AI Output may be inaccurate or incomplete. Customer is responsible for reviewing and validating AI Output before relying on it for external communications, compliance assertions, or decisions. AI Output is for informational purposes and is not legal advice.
-
-
11. Availability; Maintenance; Deprecation
-
FortaRisks targets high availability, excluding scheduled maintenance, emergency maintenance, and force majeure events. Support levels and SLAs (if any) are described on the applicable SLA page and/or in the Order Form.
-
We may deprecate features or APIs. For a major API version or removal of a foundational feature, we will provide at least six (6) months’ notice and a reasonable migration path.
-
-
12. Security Reviews and Limited Audit Rights
-
Once per 12-month period, with 30 days’ prior written notice, Customer may (under NDA) review FortaRisks’ available security materials, which may include SOC 2 reports when available (noted as on the roadmap), a penetration test summary, and responses to a reasonable security questionnaire.
-
-
13. Disclaimers
-
EXCEPT AS EXPRESSLY STATED, THE SERVICES ARE PROVIDED “AS IS” AND “AS AVAILABLE.” FORTARISKS DISCLAIMS ALL WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT, TO THE MAXIMUM EXTENT PERMITTED BY LAW.
-
Third-party data sources and AI Output may contain errors and are provided for informational purposes only.
-
-
14. Indemnification
-
By Customer. Customer will defend and indemnify FortaRisks against third-party claims arising from (i) Customer’s or Authorized Users’ breach of these Terms or applicable law, (ii) Customer Content, or (iii) Customer’s provision of data that infringes third-party rights.
-
By FortaRisks (IP). FortaRisks will defend and indemnify Customer against third-party claims alleging the Services, as provided, infringe a third party’s intellectual property rights. If infringement is alleged, FortaRisks may (at its option) (a) modify the Services, (b) obtain a license, or (c) terminate and refund prepaid, unused fees for the affected portion if no reasonable option is available.
-
-
15. Limitation of Liability
-
TO THE MAXIMUM EXTENT PERMITTED BY LAW, FORTARISKS’ TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THE SERVICES WILL NOT EXCEED THE AMOUNTS PAID BY CUSTOMER FOR THE SERVICES IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM.
-
IN NO EVENT WILL FORTARISKS BE LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR FOR LOSS OF PROFITS, REVENUE, BUSINESS, GOODWILL, OR DATA (EXCEPT TO THE EXTENT CAUSED BY FORTARISKS AND NOT OTHERWISE EXCLUDED), EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
-
Nothing in these Terms limits liability for amounts that cannot be limited under applicable law, or for willful misconduct or gross negligence to the extent such limitation is prohibited.
-
-
16. Insurance; Compliance; Ethics
-
FortaRisks maintains commercially reasonable insurance coverage, including (i) general liability (≥ CAD $1,000,000), (ii) technology E&O (≥ CAD $2,000,000), and (iii) cyber liability (≥ CAD $2,000,000 per claim), with certificates available upon request.
-
Each party will comply with applicable anti-corruption laws and sanctions/embargo regimes.
-
-
17. Suspension; Termination; Effect of Termination
-
FortaRisks may suspend access for material breach, non-payment, unlawful use, or a credible security threat.
-
Customer may terminate at the end of the subscription term in accordance with the notice requirements in the Order Form. If Customer terminates early for convenience, remaining fees for the current term become immediately due and amounts paid are non-refundable.
-
Upon expiration/termination, Customer’s access ends, Customer may export during the export window described above, and FortaRisks will delete Customer Content as stated. Sections intended to survive will survive, including confidentiality, payment obligations, IP ownership, disclaimers, limitation of liability, and data return/deletion provisions.
-
-
18. Publicity
-
Unless Customer objects in writing, FortaRisks may identify Customer as a customer and use Customer’s name and logo in marketing materials in accordance with Customer’s brand guidelines.
-
-
19. Miscellaneous
-
Controlling language. The French version of these Terms is the controlling version.
Governing law; venue. These Terms are governed by the laws of Québec and Canada, and the courts located in the judicial district of Québec have exclusive jurisdiction.
Assignment. Customer may not assign these Terms without FortaRisks’ prior written consent (not unreasonably withheld). FortaRisks may assign to an affiliate or in connection with a merger, acquisition, reorganization, or sale of assets.
Force majeure. Neither party is liable for delays or failure due to events beyond its reasonable control.
Order of precedence. Order Form > MSA/Exhibits (DPA, SLA, AUP) > these Terms > Documentation.
Severability; waiver. If any provision is unenforceable, the remainder remains in effect. Failure to enforce a provision is not a waiver.
-
20. Contact
-
Legal: legal@fortarisks.com
Privacy / DPA: privacy@fortarisks.com (Privacy Policy)