Terms of Service

Terms for veto.so

Last updated: April 6, 2026

These Terms of Service ("Terms") govern access to and use of veto.so, api.veto.so, auth.veto.so, docs.veto.so, and all related services, APIs, SDKs, and CLI tools (collectively, the "Services") operated by Plaw, Inc. ("Plaw," "we," "our," "us"), a Delaware corporation. By creating an account, generating an API key, or otherwise using the Services, you ("Customer," "you") agree to be bound by these Terms.

1. Scope and Contract Hierarchy

These Terms apply to all use of the hosted Veto platform, including the dashboard, REST and WebSocket APIs, authentication flows, policy management tooling, approval workflows, the managed MCP gateway, CLI authentication, and all related features.

If you execute a separate Master Services Agreement ("MSA"), Enterprise Subscription Agreement, Order Form, or Data Processing Agreement ("DPA") with us, that signed agreement controls to the extent of any conflict with these Terms. Our Acceptable Use Policy and Data Processing Addendum are incorporated by reference.

2. Eligibility and Account Security

  • You must be at least 16 years old and legally able to enter into a binding contract.
  • If you use the Services on behalf of an organization, you represent and warrant that you have authority to bind that organization to these Terms.
  • You are responsible for all activity under your account, API keys, CLI tokens, and connected integrations, including activity by employees, contractors, and agents you authorize.
  • You must use commercially reasonable security measures to protect your credentials and must promptly notify us at team@plaw.io if you suspect unauthorized access.
  • We may require multi-factor authentication for administrative actions and reserve the right to suspend accounts that fail to meet minimum security standards.

3. Service Description

Veto provides runtime authorization controls for AI agent tool execution, including:

  • Deterministic and AI-assisted policy validation of tool calls
  • Policy management, versioning, compilation, and lifecycle tooling
  • Human-in-the-loop approval workflows
  • Decision audit logging and analytics
  • Managed MCP gateway with upstream routing and authorization
  • SDK libraries (TypeScript, Python) and CLI tools
  • Dashboard for configuration, monitoring, and team management

Features may evolve over time and may include beta, preview, or experimental functionality clearly labeled as such. Beta features are provided "as is" without SLA commitments.

4. Customer Data and Responsibilities

"Customer Data" means all data submitted to the Services by you or your end users, including tool arguments, context metadata, policy text, approval payloads, MCP upstream configurations, and organization settings.

  • You retain all rights to your Customer Data.
  • You grant us a limited license to process Customer Data solely to operate, maintain, and improve the Services, and to comply with law.
  • You are responsible for ensuring you have lawful basis and all necessary rights to submit Customer Data.
  • You must not submit content that violates applicable privacy, employment, export-control, sanctions, or sectoral regulations.
  • You should apply data minimization principles and avoid including unnecessary sensitive personal data in tool-call payloads and context.
  • We do not use Customer Data to train machine learning models, except where you explicitly opt in to a feature that requires it.

5. Acceptable Use

Use of the Services is subject to our Acceptable Use Policy. Without limiting that policy, you must not:

  • Use the Services to violate any law, regulation, sanctions regime, or third-party rights.
  • Probe, scan, overload, reverse engineer, decompile, or bypass security controls.
  • Use the Services to distribute malware, phishing, credential theft, or surveillance tools.
  • Interfere with another customer's organization, data, traffic, or service availability.
  • Use the Services for competitive benchmarking without prior written consent.
  • Resell or sublicense access to the Services except as permitted by your plan or agreement.

6. AI and Automation Terms

Certain features use AI models (including third-party LLM providers such as Qwen, GLM, Kimi, MiniMax, or others configured by your policies) to assist with policy evaluation, generation, or compilation. When AI-assisted mode is enabled:

  • Portions of policy content, tool arguments, and context may be transmitted to the configured model provider to generate a decision, explanation, or policy draft.
  • AI-generated outputs are advisory aids, not guarantees of legal compliance, factual accuracy, or fitness for any particular regulatory requirement.
  • You are responsible for human oversight, review of AI-assisted decisions, and final operational control of agent actions in production.
  • Veto is a control and authorization layer. It does not replace legal counsel, compliance programs, or domain-specific risk assessments.

Under the EU AI Act, Veto's AI-assisted policy evaluation is classified as limited or minimal risk infrastructure. Customers deploying Veto in contexts that fall under Annex III high-risk categories (e.g., employment, credit, healthcare, law enforcement) bear deployer obligations under the Act, including transparency and human oversight requirements. Veto provides audit logs, decision explanations, and override capabilities to support these obligations.

7. API Usage and Rate Limits

API access is subject to rate limits, usage quotas, and payload size restrictions as published in our documentation or your order form. We may adjust limits with reasonable notice to maintain service quality and prevent abuse.

  • You are responsible for implementing appropriate retry logic and respecting rate limit headers (429 responses).
  • API keys are confidential credentials. You must not embed them in client-side code, public repositories, or shared environments without appropriate secret management.
  • We may throttle or suspend API access if usage patterns indicate abuse, pose a security risk, or degrade service for other customers.

8. Fees, Billing, and Plan Limits

Paid features are subject to pricing, limits, and plan tiers displayed in the Services or your order form. Billing is handled by our payment infrastructure partners. You authorize us and our billing providers to charge applicable fees according to your selected plan.

  • Subscriptions automatically renew at the end of each billing period unless cancelled before renewal. We will provide at least 30 days' notice before any price increase takes effect on renewal.
  • Unless otherwise stated in an order form, fees are non-refundable except where required by applicable law.
  • If you exceed plan limits, we may restrict functionality, require a plan upgrade, or charge overage fees as described in your plan terms.
  • You may cancel your subscription at any time through the dashboard or by contacting us. Cancellation takes effect at the end of the current billing period.

9. Third-Party Services and Integrations

The Services connect to and interoperate with third-party systems including identity providers, LLM providers, MCP upstreams, webhook destinations, and payment processors. Your use of those systems is governed by their separate terms and privacy policies.

If you configure outbound integrations (webhooks, MCP upstreams, external model providers), you are responsible for validating destination trust, access controls, data minimization, and compliance with applicable data protection laws for data transmitted to those endpoints.

10. Data Processing and Privacy

Our processing of personal data is governed by our Privacy Policy. For customers subject to GDPR, UK GDPR, LGPD, or equivalent data protection laws, our Data Processing Addendum applies to the processing of personal data on your behalf and forms part of these Terms.

A current list of sub-processors is available at veto.so/legal/subprocessors. We will notify you of material changes to our sub-processor list at least 30 days before engagement.

11. Security and Confidentiality

We implement commercially reasonable technical and organizational safeguards appropriate to the nature of the data processed, including:

  • Encryption in transit (TLS 1.2+) for all service endpoints
  • Hashed API key storage and scoped, least-privilege access controls
  • Secret management for production credentials and encryption keys
  • Operational monitoring, structured logging, and abuse-rate controls
  • Encrypted-at-rest storage for sensitive configuration (e.g., MCP upstream headers)
  • Regular security assessments and vulnerability management

You remain responsible for securing your own environments, credentials, downstream systems, and the configurations you create within the Services. Our current security posture is detailed at veto.so/security.

12. Intellectual Property

We retain all rights, title, and interest in the Services, platform software, documentation, APIs, trademarks, and related materials, excluding Customer Data and third-party content. Subject to these Terms, we grant you a limited, non-exclusive, non-transferable, non-sublicensable right to use the Services during your subscription term for your internal business purposes.

Open-source components (including the Veto SDK and CLI) are licensed under their respective open-source licenses. Nothing in these Terms restricts rights granted by those open-source licenses.

13. Feedback

If you provide suggestions, feature requests, or other feedback about the Services, you grant us a perpetual, worldwide, irrevocable, royalty-free license to use, modify, and incorporate that feedback for any lawful purpose without compensation or attribution to you.

14. Service Levels

We target high availability for the API and dashboard. Specific uptime commitments, credit mechanisms, and support response times are defined in your plan tier or order form. In the absence of a separate SLA, we will use commercially reasonable efforts to maintain service availability and will communicate scheduled maintenance in advance.

15. Suspension and Termination

We may suspend or restrict access if reasonably necessary to prevent abuse, enforce these Terms or the AUP, address security threats, comply with law or legal process, or resolve payment default. Where practicable, we will provide advance notice and an opportunity to cure.

You may stop using the Services and close your account at any time. On termination:

  • Your right to access the Services ends immediately.
  • We will make Customer Data available for export for 30 days following termination, after which we may delete it in accordance with our retention policies.
  • Provisions that by their nature should survive termination will survive, including payment obligations, confidentiality, IP rights, indemnification, limitation of liability, and dispute resolution.

16. Disclaimer of Warranties

The Services are provided "as is" and "as available." To the maximum extent permitted by applicable law, Plaw disclaims all warranties, express or implied, including warranties of merchantability, fitness for a particular purpose, non-infringement, accuracy, and quiet enjoyment. We do not warrant that the Services will be uninterrupted, error-free, secure, or meet every compliance requirement of your specific use case or jurisdiction.

17. Limitation of Liability

To the maximum extent permitted by applicable law, Plaw and its affiliates, officers, directors, employees, and agents will not be liable for any indirect, incidental, special, consequential, exemplary, or punitive damages, or for loss of profits, revenue, data, goodwill, or business opportunity, however caused and under any theory of liability.

Except for excluded liabilities that cannot be limited by law, Plaw's aggregate liability arising out of or relating to these Terms or the Services will not exceed the greater of (a) the amounts paid by you to Plaw for the Services during the twelve (12) months preceding the event giving rise to the claim, or (b) one hundred U.S. dollars ($100).

Nothing in these Terms excludes or limits liability for death, personal injury caused by negligence, fraud, or any liability that cannot be excluded by applicable law. Consumers in jurisdictions that do not allow certain exclusions or limitations retain their statutory rights.

18. Indemnification

You agree to defend, indemnify, and hold harmless Plaw and its officers, directors, employees, and agents from and against all claims, liabilities, damages, losses, and expenses (including reasonable legal fees) arising from:

  • Your use of the Services
  • Your Customer Data and its processing
  • Your integrations and downstream system configurations
  • Your breach of these Terms or applicable law
  • Your end users' actions within your organization's account

We will indemnify you against third-party claims alleging that the Services (excluding Customer Data) infringe a valid patent, copyright, or trademark, provided you promptly notify us, grant us sole control of the defense, and cooperate as reasonably requested.

19. Dispute Resolution and Arbitration

Before filing a formal claim, each party will attempt in good faith to resolve disputes through written notice and at least 30 days of informal discussion.

Except for claims that qualify for small claims court, claims seeking injunctive relief for IP misuse or security abuse, and disputes subject to mandatory consumer arbitration exemptions in your jurisdiction, disputes will be resolved by binding individual arbitration in San Francisco County, California, under JAMS Streamlined Arbitration Rules and Procedures.

You and Plaw each waive the right to a jury trial and to participate in class actions, collective actions, or representative proceedings. This waiver does not apply where prohibited by applicable law.

You may opt out of the arbitration provision within 30 days of first accepting these Terms by emailing team@plaw.io with subject line "Arbitration Opt-Out," including your full name and account email.

20. Governing Law

These Terms are governed by the laws of the State of California, United States, excluding its conflict-of-law provisions. If arbitration does not apply, exclusive venue is in the state or federal courts located in San Francisco County, California.

If you are a consumer in the European Economic Area, United Kingdom, or another jurisdiction with mandatory consumer protection laws, nothing in these Terms deprives you of the protection of the mandatory provisions of the laws of your country of residence, and you may bring proceedings in the courts of that country.

21. Export and Sanctions Compliance

You may not use the Services in violation of U.S. export controls (EAR), ITAR, or sanctions laws (OFAC). You represent that you are not located in, ordinarily resident in, or controlled by any restricted jurisdiction (currently Cuba, Iran, North Korea, Syria, and the Crimea, Donetsk, and Luhansk regions of Ukraine), and that you are not listed on any U.S. government restricted-party list.

22. Changes to These Terms

We may update these Terms from time to time. For material changes, we will provide at least 30 days' advance notice via the email associated with your account or through the Services. If you do not agree to updated Terms, you may terminate your account before the changes take effect. Continued use after the effective date constitutes acceptance.

Non-material changes (formatting, clarification, typo corrections) may be made without advance notice.

23. General Provisions

  • Entire Agreement. These Terms, together with the Privacy Policy, AUP, DPA, and any signed order forms, constitute the entire agreement between you and Plaw regarding the Services.
  • Severability. If any provision is held unenforceable, the remaining provisions continue in full force and effect.
  • Assignment. You may not assign these Terms without our prior written consent. We may assign in connection with a merger, acquisition, or sale of substantially all assets.
  • No Waiver. Failure to enforce any right or provision is not a waiver of that right or provision.
  • Force Majeure. Neither party is liable for delays or failures caused by events beyond reasonable control, including natural disasters, pandemics, war, terrorism, government actions, or internet infrastructure failures.
  • Notices. Legal notices must be sent to team@plaw.io or to the email on your account. Notices are effective upon confirmed receipt.

24. Contact

Plaw, Inc.