CMMCLens Terms of Service
1. ACCEPTANCE OF TERMS
Welcome to CMMCLens, a cybersecurity compliance automation platform operated by DefenseEye (“we,” “our,” or “us”). By accessing or using CMMCLens (the “Service”), whether through Azure Marketplace, direct deployment, or any other means, you (“Customer,” “you,” or “your”) agree to be bound by these Terms of Service (“Terms”).
IF YOU DO NOT AGREE TO THESE TERMS, DO NOT ACCESS OR USE THE SERVICE.
These Terms constitute a legally binding agreement between you and DefenseEye. If you are using the Service on behalf of an organization, you represent and warrant that you have the authority to bind that organization to these Terms, and references to “you” in these Terms will refer to that organization.
2. SERVICE DESCRIPTION
2.1 CMMCLens Platform
CMMCLens is an AI-powered compliance automation platform designed to help defense contractors and organizations in the Defense Industrial Base (DIB) prepare for CMMC (Cybersecurity Maturity Model Certification) Level 2 certification. The Service provides:
- Automated Compliance Assessment: Real-time scanning of Azure environments (Commercial and Government) against NIST 800-171 controls and 320 NIST 800-171A assessment objectives
- Evidence Collection: Automated capture of C3PAO-acceptable evidence from Azure Resource Manager, Microsoft Graph API, and Azure Monitor
- Gap Analysis: Identification of security control gaps and prioritized remediation guidance
- Automated Remediation: One-click application of security configurations for common compliance gaps
- Document Generation: Automated creation of System Security Plans (SSP), Plan of Action & Milestones (POA&M), and security policies
- Continuous Monitoring: Ongoing compliance tracking and SPRS score calculation
- C3PAO Readiness Assessment: Preparation tools and evidence packages for third-party assessments
2.2 Deployment Models
CMMCLens is available through multiple deployment models:
- Azure Marketplace Managed Application: Deployed in Customer’s Azure subscription with isolated infrastructure
- Azure App Service: Direct deployment to Customer’s Azure environment
- Hosted SaaS: DefenseEye-hosted instance (available for select customers)
2.3 Service Limitations
IMPORTANT DISCLAIMER: CMMCLens is a preparation and readiness tool. It does NOT:
- Provide official CMMC certification (only authorized C3PAOs can certify)
- Guarantee certification success or compliance
- Replace the need for formal third-party assessment
- Serve as legal or regulatory advice
- Automatically maintain compliance without customer action
Customers must engage a Cyber-AB authorized C3PAO (CMMC Third-Party Assessment Organization) for official CMMC Level 2 certification. CMMCLens assists with preparation but does not substitute for formal assessment.
3. AZURE MARKETPLACE TERMS
3.1 Marketplace Purchase
If you purchase CMMCLens through Azure Marketplace:
- Your use is also governed by the Microsoft Customer Agreement and Azure Marketplace Terms
- Billing is processed through your Azure subscription
- Microsoft is the merchant of record for Marketplace transactions
- DefenseEye provides the Service and technical support
3.2 Azure Subscription Requirements
To use CMMCLens, you must have:
- An active Azure subscription (Commercial or Government)
- Sufficient resource quota for deployment (App Service, Cosmos DB, Container Registry)
- Appropriate Azure permissions (Contributor or Owner role)
- For CUI/ITAR workloads: Azure Government (GCC High) subscription
3.3 Managed Application Data Residency
When deployed as an Azure Marketplace Managed Application:
- All Customer data remains in Customer’s Azure subscription
- DefenseEye does NOT have access to Customer’s compliance data, evidence, or assessments
- Customer controls all data access through Azure RBAC
- Data residency is determined by Customer’s chosen Azure region
4. ACCOUNT AND ACCESS
4.1 Account Registration
To use CMMCLens, you must:
- Provide accurate, current, and complete registration information
- Maintain and promptly update your account information
- Authenticate using Microsoft Entra ID (Azure Active Directory)
- Comply with all applicable export control regulations (ITAR, EAR)
4.2 Account Security
You are responsible for:
- Maintaining the confidentiality of your account credentials
- All activities that occur under your account
- Implementing multi-factor authentication (MFA) for all users
- Notifying DefenseEye immediately of any unauthorized access
- Ensuring users comply with these Terms
4.3 User Roles and Permissions
CMMCLens supports role-based access control:
- Administrator: Full access to configuration, scans, remediation, and document generation
- Compliance Officer: Access to assessments, evidence, and reporting
- Viewer: Read-only access to compliance dashboards and reports
Customers are responsible for managing user access and ensuring least-privilege principles.
5. ACCEPTABLE USE POLICY
5.1 Permitted Use
You may use CMMCLens solely for:
- Preparing your organization for CMMC Level 2 certification
- Assessing compliance with NIST 800-171 requirements
- Collecting evidence from your Azure environment
- Generating compliance documentation for C3PAO assessment
- Internal compliance monitoring and reporting
5.2 Prohibited Use
You may NOT use CMMCLens to:
- Violate Laws: Break any applicable federal, state, local, or international law
- Fraudulent Activity: Falsify compliance status, forge evidence, or misrepresent SPRS scores
- Unauthorized Access: Scan or assess Azure environments you do not own or have explicit permission to access
- Reverse Engineer: Decompile, disassemble, or reverse engineer the Service or its algorithms
- Competitive Intelligence: Use the Service to develop competing products or services
- Resell Service: Redistribute, resell, or sublicense access to CMMCLens
- Excessive Load: Generate excessive API calls or resource consumption that degrades Service performance
- Security Threats: Upload malware, viruses, or malicious code
- Data Scraping: Extract data using automated means beyond normal use
5.3 Enforcement
DefenseEye reserves the right to:
- Suspend or terminate accounts that violate this Acceptable Use Policy
- Report violations to appropriate authorities (including DoD Cyber Crime Center for CUI incidents)
- Cooperate with law enforcement investigations
6. DATA PRIVACY AND SECURITY
6.1 Data Ownership
Customer Data Ownership: You retain all rights, title, and interest in and to your data, including:
- Compliance assessment results
- Azure configuration data
- Evidence artifacts and logs
- Generated documents (SSP, POA&M, policies)
- User account information
DefenseEye claims no ownership rights to Customer Data.
6.2 Data Collection and Use
CMMCLens collects and processes the following data:
A. Compliance Data (Customer-Controlled):
- Azure resource configurations (virtual machines, storage accounts, network settings)
- Microsoft Graph data (users, groups, conditional access policies, audit logs)
- Security assessments and evidence artifacts
- Generated compliance documents
Storage: Stored in Customer’s Cosmos DB in Customer’s Azure subscription (for Managed Application deployments) or DefenseEye-managed infrastructure (for hosted SaaS)
B. Operational Data (DefenseEye-Controlled):
- Usage telemetry (page views, feature usage, scan durations)
- Performance metrics (API response times, error rates)
- Anonymized compliance statistics (aggregate SPRS scores, control implementation rates)
Storage: Stored in DefenseEye’s Azure Application Insights (isolated from Customer Data)
C. Account Data:
- User email addresses (via Entra ID)
- Organization name and subscription details
- Support tickets and communications
6.3 Data Processing Agreement
For detailed data processing terms, including GDPR/CCPA compliance, subprocessors, and data subject rights, see Section 7 and our separate Data Processing Agreement below.
6.4 Data Retention
- Compliance Data: Retained as long as Customer maintains an active subscription. Deleted within 90 days of subscription termination (unless Customer requests earlier deletion or longer retention for audit purposes)
- Operational Data: Retained for 24 months for service improvement and support
- Account Data: Retained for 7 years to comply with financial and legal requirements
6.5 Data Security
DefenseEye implements industry-standard security measures:
- Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Access Control: Role-based access control (RBAC) and least-privilege principles
- Authentication: Entra ID integration with MFA enforcement
- Monitoring: 24/7 security monitoring and incident response
- Compliance: SOC 2 Type II, Azure Government FedRAMP High authorization
- Backups: Daily automated backups with 30-day retention
6.6 Data Breach Notification
In the event of a data breach affecting Customer Data, DefenseEye will:
- Notify affected customers within 72 hours of discovery
- Provide details of the breach (what data was affected, timeline, remediation steps)
- Cooperate with Customer’s incident response and regulatory notification obligations
7. GDPR, CCPA, AND DATA SUBJECT RIGHTS
7.1 Roles and Responsibilities
- Customer as Data Controller: Customer determines the purposes and means of processing personal data collected through CMMCLens
- DefenseEye as Data Processor: DefenseEye processes personal data on Customer’s behalf in accordance with Customer’s instructions
7.2 Data Subject Rights
DefenseEye will assist Customer in responding to data subject requests, including:
- Right of Access: Providing copies of personal data
- Right to Rectification: Correcting inaccurate data
- Right to Erasure: Deleting data upon request (subject to legal retention requirements)
- Right to Data Portability: Exporting data in machine-readable format
- Right to Object: Stopping certain processing activities
Customers must submit data subject requests through the CMMCLens admin portal or by emailing privacy@defenseeye.ai.
7.3 CCPA Compliance (California Customers)
For California residents, DefenseEye:
- Does NOT sell personal information
- Provides opt-out mechanisms for telemetry collection
- Discloses categories of personal information collected (see Section 6.2)
- Honors “Do Not Sell My Personal Information” requests
7.4 Cross-Border Data Transfers
For customers in the European Economic Area (EEA) or United Kingdom:
- Data may be transferred to the United States for processing
- DefenseEye relies on Standard Contractual Clauses (SCCs) approved by the European Commission
- Customers may request a copy of applicable SCCs by emailing legal@defenseeye.ai
8. AZURE GOVERNMENT AND CUI COMPLIANCE
8.1 Azure Government (GCC High) Requirements
For customers handling Controlled Unclassified Information (CUI) or ITAR data:
- CMMCLens MUST be deployed in Azure Government (GCC High) – not Azure Commercial
- Deployment endpoints: *.azurewebsites.us, login.microsoftonline.us, management.usgovcloudapi.net
- Data residency: US Government datacenters with FedRAMP High authorization
- Screened personnel: DefenseEye support staff are US persons
8.2 CUI Handling
CMMCLens processes metadata about CUI controls but does NOT store actual CUI content. Customers are responsible for:
- Classifying data as CUI per NIST 800-171 and DFARS 252.204-7012
- Ensuring CUI remains in authorized Azure Government environments
- Reporting CUI incidents to DoD within 72 hours per DFARS 252.204-7012
- Maintaining audit trails of CUI access
8.3 ITAR Compliance
For customers subject to International Traffic in Arms Regulations (ITAR):
- CMMCLens is U.S.-origin software eligible for ITAR compliance
- DefenseEye personnel with access to ITAR environments are U.S. persons
- No data transfers to foreign nationals or non-U.S. locations
- Customers must ensure ITAR data remains in Azure Government
8.4 DFARS Clause Incorporation
The following DFARS clauses are incorporated by reference:
- DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
- DFARS 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements
- DFARS 252.204-7020: NIST SP 800-171 DoD Assessment Requirements
9. INTELLECTUAL PROPERTY
9.1 DefenseEye Intellectual Property
DefenseEye retains all rights, title, and interest in and to:
- The CMMCLens software, platform, and codebase
- Proprietary algorithms, AI models, and compliance assessment methodologies
- Trademarks, service marks, and branding (CMMCLens, DefenseEye logos)
- Documentation, user guides, and training materials
- Improvements, updates, and derivative works
Customers receive a limited, non-exclusive, non-transferable license to use CMMCLens during the subscription term.
9.2 Customer Intellectual Property
Customer retains all rights to:
- Customer Data (compliance assessments, evidence, documents)
- Customer-specific policies, procedures, and security configurations
- Customer trademarks and branding
DefenseEye claims no ownership of Customer intellectual property.
9.3 Feedback and Suggestions
If Customer provides feedback, suggestions, or feature requests, DefenseEye may use such feedback without restriction or compensation. Feedback does not create confidentiality obligations for DefenseEye.
9.4 Open Source Components
CMMCLens incorporates open-source software components governed by their respective licenses (MIT, Apache 2.0, BSD). A complete list of open-source dependencies is available at https://cmmclensgov.azurewebsites.us/licenses.
10. FEES, BILLING, AND PAYMENT
10.1 Subscription Fees
CMMCLens is offered on a subscription basis with the following pricing tiers:
- Basic: $X/month – For small organizations (<100 Azure resources)
- Professional: $Y/month – For medium organizations (100-500 resources)
- Enterprise: Custom pricing – For large organizations (500+ resources, multiple subscriptions)
Pricing is available at https://azuremarketplace.microsoft.com/marketplace/apps/defenseeye.cmmclens
10.2 Azure Marketplace Billing
For Marketplace purchases:
- Charges appear on Customer’s Azure invoice
- Billing is processed monthly in arrears
- Microsoft handles payment collection and remittance
- DefenseEye does not store Customer payment information
10.3 Direct Billing (Non-Marketplace)
For direct subscriptions:
- Payment by credit card, ACH, or wire transfer
- Invoices issued monthly/annually based on subscription term
- Payment due within 30 days of invoice date
- Late payments subject to 1.5% monthly interest charge
10.4 Free Trial
DefenseEye may offer free trials (typically 14-30 days). Free trials:
- Provide full feature access during the trial period
- Automatically convert to paid subscriptions unless canceled before trial end
- Are limited to one per organization (based on Azure tenant ID)
10.5 Taxes
Subscription fees do NOT include applicable taxes (sales tax, VAT, GST). Customer is responsible for all taxes except those based on DefenseEye’s net income.
10.6 Refunds
Subscription fees are non-refundable except:
- Within 7 days of initial purchase if no usage occurred
- If DefenseEye fails to provide the Service for 30+ consecutive days due to DefenseEye error
- As required by law
11. SUBSCRIPTION TERM AND TERMINATION
11.1 Subscription Term
- Monthly Subscriptions: Renew automatically on a monthly basis
- Annual Subscriptions: Renew automatically on an annual basis
- Trial Subscriptions: Convert to paid subscriptions unless canceled before trial end
11.2 Termination by Customer
Customer may terminate at any time by:
- Canceling through Azure Marketplace (for Marketplace subscriptions)
- Contacting support@defenseeye.ai (for direct subscriptions)
- Deleting the Azure Managed Application deployment
Termination is effective at the end of the current billing period (no prorated refunds).
11.3 Termination by DefenseEye
DefenseEye may terminate Customer’s access immediately for:
- Breach of these Terms (including Acceptable Use Policy violations)
- Non-payment of fees (after 30-day grace period)
- Fraudulent activity or misrepresentation
- Violation of export control laws
- Upon Customer’s request
11.4 Effect of Termination
Upon termination:
- Customer’s access to CMMCLens is immediately revoked
- For Managed Application deployments: Customer retains all data in their Cosmos DB (Customer-controlled)
- For hosted SaaS: Customer has 30 days to export data before deletion
- Outstanding fees remain due and payable
- Sections 6 (Data Privacy), 9 (Intellectual Property), 12 (Warranties), 13 (Limitation of Liability), and 16 (Miscellaneous) survive termination
11.5 Data Export
Before termination, Customer may:
- Export all compliance assessments, evidence, and documents via the CMMCLens UI
- Download evidence packages (ZIP format)
- Request bulk data export by contacting support@defenseeye.ai
DefenseEye will provide reasonable assistance with data export at no additional charge.
12. WARRANTIES AND DISCLAIMERS
12.1 Service Warranty
DefenseEye warrants that:
- CMMCLens will perform substantially in accordance with its documentation
- DefenseEye has the authority to provide the Service
- The Service will not infringe third-party intellectual property rights
12.2 Disclaimer of Warranties
EXCEPT AS EXPRESSLY PROVIDED IN SECTION 12.1, THE SERVICE IS PROVIDED “AS IS” AND “AS AVAILABLE” WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO:
- IMPLIED WARRANTIES: Merchantability, fitness for a particular purpose, non-infringement, title
- COMPLIANCE GUARANTEES: DefenseEye does NOT guarantee that using CMMCLens will result in CMMC certification or compliance
- ACCURACY: While DefenseEye strives for accuracy, automated assessments may not capture all compliance nuances
- AVAILABILITY: DefenseEye does not guarantee uninterrupted or error-free Service (target uptime: 99.5% excluding scheduled maintenance)
- SECURITY: No system is 100% secure – DefenseEye implements reasonable security measures but cannot guarantee absolute security
12.3 C3PAO Assessment Disclaimer
IMPORTANT:
- CMMCLens is a preparation tool, NOT a substitute for formal C3PAO assessment
- DefenseEye is NOT a C3PAO or certification authority
- Automated evidence collection does NOT replace C3PAO’s independent verification
- C3PAO assessors may reach different conclusions than CMMCLens automated assessments
- Final CMMC certification is issued by Cyber-AB authorized C3PAOs, not DefenseEye
12.4 Third-Party Services
CMMCLens integrates with third-party services (Microsoft Azure, Microsoft Graph, Cosmos DB). DefenseEye is not responsible for:
- Availability or performance of third-party services
- Changes to third-party APIs or pricing
- Third-party security breaches or data loss
12.5 Beta Features
Features marked as “Beta,” “Preview,” or “Experimental”:
- Are provided without warranty
- May be modified or discontinued without notice
- Should not be used for production compliance assessments
- May have limited support
13. LIMITATION OF LIABILITY
13.1 Liability Cap
TO THE MAXIMUM EXTENT PERMITTED BY LAW, DEFENSEEYE’S TOTAL LIABILITY ARISING OUT OF OR RELATED TO THESE TERMS OR THE SERVICE SHALL NOT EXCEED THE GREATER OF:
- The total fees paid by Customer in the 12 months preceding the claim, OR
- $10,000 USD
This cap applies regardless of the theory of liability (contract, tort, negligence, strict liability, or otherwise).
13.2 Excluded Damages
DEFENSEEYE SHALL NOT BE LIABLE FOR:
- INDIRECT DAMAGES: Loss of profits, revenue, business opportunities, goodwill, or data
- CONSEQUENTIAL DAMAGES: Including but not limited to:
  - Failed CMMC assessments or certification denials
  - Lost DoD contracts or business relationships
  - Regulatory fines or penalties
  - Cost of alternative procurement
  - Security breaches resulting from Customer misconfiguration
- INCIDENTAL DAMAGES: Including but not limited to staff time or consultant fees
- PUNITIVE OR EXEMPLARY DAMAGES
THIS LIMITATION APPLIES EVEN IF DEFENSEEYE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
13.3 Exceptions to Limitation
The liability limitations in Sections 13.1 and 13.2 do NOT apply to:
- DefenseEye’s gross negligence or willful misconduct
- Death or personal injury caused by DefenseEye’s negligence
- DefenseEye’s breach of confidentiality obligations
- Infringement of Customer’s intellectual property rights
- Violations of applicable law where limitation is prohibited
13.4 Customer Responsibilities
Customer acknowledges that:
- CMMCLens is a tool to assist compliance preparation, not a guarantee of certification
- Customer is ultimately responsible for achieving and maintaining CMMC compliance
- Customer must independently verify all automated assessments and evidence
- Customer must engage a qualified C3PAO for official certification
13.5 Allocation of Risk
These limitations reflect an allocation of risk between DefenseEye and Customer. The Service pricing is based on these limitations, and Customer agrees this allocation is fair and reasonable.
14. INDEMNIFICATION
14.1 Customer Indemnification
Customer agrees to indemnify, defend, and hold harmless DefenseEye, its affiliates, officers, directors, employees, and agents from and against any claims, liabilities, damages, losses, costs, and expenses (including reasonable attorneys’ fees) arising out of or related to:
- Customer’s use or misuse of the Service
- Customer’s breach of these Terms
- Customer’s violation of applicable laws or regulations
- Customer’s infringement of third-party rights
- Customer’s misrepresentation of compliance status or SPRS scores
- Customer Data or content uploaded by Customer
14.2 DefenseEye Indemnification
DefenseEye agrees to indemnify, defend, and hold harmless Customer from and against any claims that the Service infringes a third party’s intellectual property rights, provided that:
- Customer promptly notifies DefenseEye of the claim
- Customer grants DefenseEye sole control of the defense and settlement
- Customer provides reasonable assistance in the defense
If the Service is found to infringe, DefenseEye may (at its option):
- Obtain a license for Customer to continue using the Service
- Modify the Service to make it non-infringing
- Replace the Service with a non-infringing alternative
- Terminate the subscription and refund prorated fees
14.3 Indemnification Process
The indemnified party must:
- Provide prompt written notice of any claim
- Grant the indemnifying party sole control of defense and settlement
- Cooperate reasonably in the defense
- Not settle or compromise the claim without indemnifying party’s consent
15. SUPPORT AND SERVICE LEVEL AGREEMENT
15.1 Technical Support
DefenseEye provides technical support during business hours (9 AM – 5 PM US Eastern Time, Monday-Friday, excluding US federal holidays):
Support Channels:
- Email: support@defenseeye.ai
- Support Portal: https://support.defenseeye.ai
- Documentation: https://cmmclensgov.azurewebsites.us/docs
Response Times:
- Critical Issues (Service unavailable): 4 hours
- High Priority (Major feature broken): 8 hours
- Medium Priority (Minor feature issues): 24 hours
- Low Priority (General questions): 48 hours
15.2 Service Level Agreement (SLA)
DefenseEye commits to:
- Uptime Target: 99.5% monthly uptime (excluding scheduled maintenance)
- Scheduled Maintenance: Maximum 4 hours/month with 72-hour advance notice
- Incident Communication: Status updates via https://status.defenseeye.ai
SLA Credits (for downtime exceeding 99.5%):
- 99.0-99.5% uptime: 10% monthly fee credit
- 95.0-99.0% uptime: 25% monthly fee credit
- Below 95.0% uptime: 50% monthly fee credit
SLA Exclusions (downtime not counted):
- Scheduled maintenance windows
- Issues caused by Customer’s Azure environment
- Third-party service outages (Azure, Microsoft Graph)
- Force majeure events
- Customer’s breach of Acceptable Use Policy
SLA Credit Process:
- Customer must request credits within 30 days of incident
- Credits applied to future invoices (not cash refunds)
- Maximum total credits per year: 50% of annual subscription fees
15.3 Professional Services
DefenseEye offers optional professional services:
- C3PAO Matchmaking: Introduction to qualified C3PAOs in your region
- Pre-Assessment Readiness Review: Expert review of SSP and evidence packages
- Custom Policy Development: Tailored security policies beyond automated generation
- Training: Administrator training and compliance workshops
Professional services are billed separately and not included in subscription fees.
16. UPDATES AND MODIFICATIONS
16.1 Service Updates
DefenseEye continuously improves CMMCLens and may:
- Add new features and capabilities
- Update compliance mappings for NIST 800-171 revisions
- Improve automated remediation capabilities
- Enhance evidence collection and documentation generation
Major updates (breaking changes, API modifications) will be announced 30 days in advance via email and in-app notifications.
Minor updates (bug fixes, UI improvements) may be deployed without advance notice.
16.2 Updates to Terms
DefenseEye may modify these Terms at any time. When modifications are made:
- Updated Terms will be posted at https://cmmclensgov.azurewebsites.us/terms
- Customers will be notified via email at least 30 days before effective date
- Continued use of the Service after effective date constitutes acceptance of modified Terms
Material changes (price increases, liability cap reductions, new restrictions) require Customer’s affirmative consent. If Customer does not consent, Customer may terminate without penalty within 30 days of notification.
16.3 CMMC Framework Updates
If the DoD or Cyber-AB publishes updates to CMMC requirements:
- DefenseEye will update CMMCLens to reflect new requirements within 90 days
- Customers will be notified of compliance framework changes
- Transition guides will be provided to help Customers adapt to new requirements
17. EXPORT COMPLIANCE
17.1 Export Control Laws
CMMCLens and related technical data are subject to U.S. export control laws, including:
- Export Administration Regulations (EAR): 15 CFR Parts 730-774
- International Traffic in Arms Regulations (ITAR): 22 CFR Parts 120-130
- Office of Foreign Assets Control (OFAC): Sanctions and embargoes
17.2 Customer Obligations
Customer represents and warrants that:
- Customer is not located in, under the control of, or a national or resident of any embargoed country (Cuba, Iran, North Korea, Syria, Russia, Belarus)
- Customer is not on any U.S. government denied party list (Entity List, SDN List, Unverified List)
- Customer will not export, re-export, or transfer CMMCLens or technical data to prohibited destinations or persons
- Customer will comply with all applicable export control laws
17.3 Sanctions Compliance
DefenseEye will not provide the Service to:
- Persons or entities in OFAC-sanctioned countries
- Specially Designated Nationals (SDNs)
- Denied persons or entities
If Customer becomes subject to sanctions, DefenseEye may immediately suspend or terminate the Service without liability.
18. GOVERNMENT RIGHTS
18.1 U.S. Government End Users
CMMCLens is “commercial computer software” and “commercial computer software documentation” as defined in FAR 2.101 and DFARS 227.7202.
If Customer is a U.S. government agency, Customer’s rights are governed by:
- FAR 52.227-19 (Commercial Computer Software – Restricted Rights)
- DFARS 252.227-7015 (Technical Data – Commercial Items)
U.S. government end users acquire CMMCLens with only those rights set forth in these Terms, consistent with FAR 12.211 and DFARS 227.7202.
18.2 Government Contract Compliance
For customers under government contracts, DefenseEye will reasonably cooperate with:
- Government audits and inspections related to the Service
- Requests for documentation supporting compliance claims
- Flow-down clause requirements (provided Customer gives DefenseEye reasonable notice and reimburses costs)
19. FORCE MAJEURE
DefenseEye shall not be liable for any failure or delay in performance due to events beyond its reasonable control, including but not limited to:
- Acts of God (earthquakes, floods, fires, hurricanes)
- War, terrorism, civil unrest, or government actions
- Pandemic or public health emergencies
- Labor disputes, strikes, or lockouts
- Internet or telecommunications failures
- Power outages or utility failures
- Cyberattacks or denial of service attacks
- Third-party service provider outages (Azure, Microsoft Graph)
During a force majeure event:
- DefenseEye will make reasonable efforts to resume Service
- Subscription fees will be prorated for extended outages (exceeding 7 consecutive days)
- Either party may terminate if force majeure continues for 30+ days
20. DISPUTE RESOLUTION
20.1 Informal Resolution
Before filing any formal action, the parties agree to:
- Provide written notice of the dispute to the other party
- Engage in good-faith negotiations for 30 days
- Escalate to senior executives if negotiations fail
Notices should be sent to:
For DefenseEye:
Legal Department
DefenseEye, Inc.
[Address to be provided]
Email: legal@defenseeye.ai
For Customer:
Primary contact email on file
20.2 Arbitration Agreement
If informal resolution fails, disputes shall be resolved by binding arbitration under the Commercial Arbitration Rules of the American Arbitration Association (AAA), except:
- Either party may seek injunctive relief in court for intellectual property infringement or confidentiality breaches
- Small claims court claims (under $10,000) may be filed without arbitration
Arbitration Terms:
- Location: Arbitration held in Washington, D.C. or remotely (by agreement)
- Arbitrator: Single arbitrator mutually agreed upon or appointed by AAA
- Costs: Each party bears its own attorneys’ fees; arbitration fees split equally (unless arbitrator awards otherwise)
- Confidentiality: Arbitration proceedings and awards are confidential
- Award: Arbitrator’s decision is final and binding (limited appeal rights under FAA)
20.3 Class Action Waiver
YOU AND DEFENSEEYE AGREE THAT EACH MAY BRING CLAIMS AGAINST THE OTHER ONLY IN YOUR OR ITS INDIVIDUAL CAPACITY, AND NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY PURPORTED CLASS OR REPRESENTATIVE PROCEEDING.
No arbitration or claim may be joined with any other unless all parties agree in writing.
20.4 Governing Law
These Terms are governed by:
- Substantive Law: Laws of the State of Delaware, without regard to conflict of law principles
- Federal Law: To the extent applicable (export controls, government contracts, intellectual property)
- Exclusions: United Nations Convention on Contracts for the International Sale of Goods (CISG) does NOT apply
20.5 Venue
For any disputes not subject to arbitration:
- Exclusive Venue: State and federal courts located in Wilmington, Delaware
- Consent to Jurisdiction: Both parties consent to personal jurisdiction in Delaware courts
21. MISCELLANEOUS
21.1 Entire Agreement
These Terms, together with the Data Processing Agreement, Privacy Policy, and any Order Forms or Statements of Work, constitute the entire agreement between Customer and DefenseEye regarding the Service. These Terms supersede all prior agreements, proposals, and communications (oral or written).
Order of Precedence (in case of conflict):
- Signed Statement of Work (if applicable)
- Data Processing Agreement
- These Terms of Service
- Azure Marketplace Terms (for Marketplace purchases)
21.2 Assignment
Customer may not assign or transfer these Terms or any rights hereunder without DefenseEye’s prior written consent. DefenseEye may assign these Terms:
- To an affiliate or subsidiary
- In connection with a merger, acquisition, or sale of assets
- To a successor entity
Any attempted assignment in violation of this section is void.
21.3 Severability
If any provision of these Terms is found to be invalid or unenforceable, the remaining provisions will remain in full force and effect. The invalid provision will be modified to the minimum extent necessary to make it valid and enforceable.
21.4 Waiver
Failure by DefenseEye to enforce any provision of these Terms does not constitute a waiver of that provision or any other provision. Any waiver must be in writing and signed by DefenseEye.
21.5 No Third-Party Beneficiaries
These Terms are for the benefit of the parties only. No third party (including C3PAOs, Azure, or Microsoft) has any rights under these Terms.
21.6 Notices
All notices under these Terms must be in writing and sent to:
For DefenseEye:
DefenseEye, Inc.
Attention: Legal Department
Email: legal@defenseeye.ai
For Customer:
Email address associated with Customer’s CMMCLens account
Notices are effective upon receipt.
21.7 Relationship of Parties
DefenseEye and Customer are independent contractors. These Terms do not create a partnership, joint venture, agency, or employment relationship.
21.8 Publicity
DefenseEye may:
- List Customer’s name and logo as a customer (unless Customer objects in writing)
- Issue press releases about the relationship (subject to Customer’s prior approval of specific content)
- Use anonymized case studies (with identifying information removed)
Customer may not issue press releases or public statements about DefenseEye or CMMCLens without prior written consent.
21.9 Survival
The following sections survive termination or expiration of these Terms:
- Section 6 (Data Privacy)
- Section 9 (Intellectual Property)
- Section 10 (Fees – for outstanding balances)
- Section 12 (Warranties and Disclaimers)
- Section 13 (Limitation of Liability)
- Section 14 (Indemnification)
- Section 20 (Dispute Resolution)
- Section 21 (Miscellaneous)
21.10 Contact Information
For Support:
Email: support@defenseeye.ai
Portal: https://support.defenseeye.ai
For Legal/Compliance:
Email: legal@defenseeye.ai
For Privacy/Data Requests:
Email: privacy@defenseeye.ai
Mailing Address:
DefenseEye, Inc.
[Address to be provided]
22. ACCEPTANCE
BY CLICKING “I AGREE,” DEPLOYING CMMCLENS, OR USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THESE TERMS OF SERVICE.
If you have questions about these Terms, please contact legal@defenseeye.ai before using the Service.