Terms of Service

Last Updated: March 21, 2026 | Effective: March 21, 2026

This Terms of Service Agreement (“Agreement”) is between the person or entity agreeing to these terms (“Client,” “you,” or “your”) and After Action Security Inc., a California sole proprietorship (“After Action,” “we,” or “us”). If you are entering into this Agreement on behalf of an organization, that organization is the Client.

BY CLICKING “I ACCEPT,” SUBMITTING A SERVICE ORDER, OR ACCESSING THE AFTER ACTION PLATFORM, YOU AGREE TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT AGREE, DO NOT USE THE PLATFORM OR SERVICES.

1. Definitions

1.1 “Platform” means After Action’s proprietary web-based application for managing cybersecurity engagements, tabletop exercise (TTX) design, incident response tracking, and after-action report (AAR) generation, accessible via app.afteraction.io.

1.2 “Services” means, collectively, the Platform, TTX facilitation, incident response consulting, AAR generation, and any related professional services provided by After Action to Client under this Agreement or a Statement of Work.

1.3 “Client Data” means all information, data, documents, and content submitted by Client or its Authorized Users through the Platform or in connection with the Services, including engagement details, scenario inputs, and exercise artifacts.

1.4 “Authorized Users” means Client’s employees, contractors, and agents who are authorized by Client to access the Platform on Client’s behalf.

1.5 “Deliverables” means after-action reports, TTX scenario packages, remediation roadmaps, and other written work product generated by After Action for Client as part of the Services.

1.6 “AI Features” means any generative artificial intelligence or machine learning functionality integrated into the Platform to assist with report drafting, scenario generation, risk analysis, or other features.

1.7 “Subscription Term” means the period during which Client has paid access to the Platform as set forth in the applicable Order Form.

1.8 “Statement of Work” or “SOW” means a written document executed by both Parties that describes specific professional services, scope, timeline, and fees.

2. Access to the Platform and Services

2.1 Platform License

Subject to this Agreement and timely payment of fees, After Action grants Client a limited, non-exclusive, non-transferable right for Authorized Users to access and use the Platform during the Subscription Term solely for Client’s internal cybersecurity preparedness purposes.

2.2 Professional Services

After Action will perform professional services (TTX facilitation, incident response consulting, AAR generation) as described in a mutually executed SOW. Each SOW is incorporated into and governed by this Agreement.

2.3 AI Features

The Platform includes AI Features to assist with drafting and analysis. Client acknowledges that:

  • AI-generated content is a starting point, not a final product, and may contain inaccuracies.
  • Client is responsible for reviewing and validating all AI Output before use or distribution.
  • After Action will not use Client Data to train third-party AI models without Client’s written consent.
  • AI Output generated from Client Data is assigned to Client upon delivery, subject to Client’s payment obligations.

2.4 Restrictions

Client shall not, and shall not permit any Authorized User to:

  • Share Platform access credentials with unauthorized third parties.
  • Reverse engineer, copy, or attempt to extract the source code of the Platform.
  • Use the Platform to develop a competing product or service.
  • Upload content that violates applicable law or third-party rights.
  • Exceed the number of Authorized Users or engagements specified in the applicable Order Form.

3. Client Obligations

3.1 Accounts

Client is responsible for maintaining the confidentiality of all account credentials. Client is liable for all activity under its account, whether authorized or not. Client shall notify After Action immediately of any suspected unauthorized access.

3.2 Client Data

Client grants After Action a limited, non-exclusive license to use Client Data solely as necessary to provide the Services. Client represents that it has all rights necessary to submit Client Data and that doing so does not violate any law or third-party rights.

Client is solely responsible for the accuracy, legality, and completeness of Client Data. After Action is not responsible for errors or omissions in Deliverables caused by inaccurate or incomplete Client Data.

3.3 Cooperation

Client agrees to provide reasonable cooperation, access, and information as needed for After Action to perform the Services, including timely participation in scheduled exercises and timely review of draft Deliverables.

3.4 Government and Regulatory Compliance

If Client is a government agency or federal contractor, Client is responsible for ensuring use of the Platform complies with applicable federal data handling and procurement requirements. Client shall not submit data subject to classified, controlled unclassified information (CUI), or ITAR/EAR restrictions without prior written agreement from After Action.

4. Fees and Payment

4.1 Subscription Fees

Client shall pay the fees set forth in the applicable Order Form. Subscription fees are due in advance. Professional services fees are due as set forth in the applicable SOW.

4.2 Payment Terms

Invoices are due and payable within 30 days of receipt. Overdue amounts accrue interest at 1.5% per month. After Action reserves the right to suspend Platform access for accounts more than 15 days past due after written notice.

4.3 No Refunds

All fees paid are non-refundable except as expressly provided in Section 6 (Termination) or required by applicable law.

4.4 Taxes

All fees are exclusive of applicable taxes. Client is responsible for all sales, use, or similar taxes arising from the Services.

5. Intellectual Property

5.1 After Action Property

After Action retains all right, title, and interest in the Platform, its underlying technology, methodologies, frameworks, templates, and any improvements thereto. No license is granted to Client except as expressly stated in this Agreement.

5.2 Deliverables

Upon full payment of applicable fees, After Action assigns to Client all right, title, and interest in the Deliverables specifically prepared for Client under an SOW. After Action retains the right to use general methodologies, frameworks, and non-client-specific know-how developed in connection with the Services.

5.3 Usage Data

After Action may collect anonymized, aggregated data about Platform usage (e.g., feature usage patterns, performance metrics) for the purpose of improving the Platform. This data will not identify Client or any individual.

5.4 Feedback

If Client provides feedback or suggestions about the Platform or Services, After Action may use such feedback without compensation or attribution, and Client grants After Action a perpetual, irrevocable license to do so.

6. Term and Termination

6.1 Term

This Agreement commences on the Effective Date and continues until all Subscription Terms and SOWs have expired or been terminated. Subscription Terms automatically renew for successive equal terms unless either Party provides 30 days’ written notice of non-renewal before the end of the then-current term.

6.2 Termination for Cause

Either Party may terminate this Agreement or any SOW upon 30 days’ written notice if the other Party materially breaches this Agreement and fails to cure such breach within the notice period. After Action may terminate immediately if Client breaches Section 2.4 (Restrictions) or Section 3.4 (Government Compliance).

6.3 Effect of Termination

Upon termination, Client’s access to the Platform ceases. Client has 14 days from termination to export Client Data. After Action will delete Client Data within 60 days of termination, except as required by law. All outstanding fees become immediately due.

7. Confidentiality

Each Party may receive confidential information of the other (“Confidential Information”). Each Party agrees to: (a) protect the other’s Confidential Information with at least the same care it uses for its own, and no less than reasonable care; (b) use Confidential Information only to perform obligations under this Agreement; and (c) not disclose Confidential Information to third parties except as expressly permitted.

Confidential Information does not include information that is publicly known, already known to the recipient, independently developed, or lawfully obtained from a third party. Either Party may disclose Confidential Information as required by law with reasonable prior notice to the other Party.

After Action treats all Client Data and engagement details as Confidential Information. Client acknowledges that After Action’s pricing, methodologies, and platform architecture are Confidential Information of After Action.

8. Data Protection and Security

8.1 Security Measures

After Action implements and maintains industry-standard technical and organizational security measures designed to protect Client Data, including encryption at rest and in transit, access controls, and regular security assessments.

8.2 Personal Data

To the extent the Services involve processing personal data subject to applicable privacy laws (e.g., CCPA, GDPR), Client is the data controller and After Action is a data processor. After Action will process personal data only as necessary to provide the Services and in accordance with its Privacy Policy at afteraction.io/privacy.

8.3 Sensitive Data

Client shall not submit to the Platform: social security numbers, payment card data, biometric data, health information, classified information, or any data Client does not have the right to process. After Action has no liability for any such data submitted in violation of this Section.

8.4 Incident Notification

After Action will notify Client without undue delay if it becomes aware of a security incident involving unauthorized access to Client Data, and will cooperate with Client in investigating and remediating such incident.

9. Disclaimer of Warranties

THE PLATFORM AND SERVICES ARE PROVIDED “AS IS” AND “AS AVAILABLE.” AFTER ACTION DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. AFTER ACTION DOES NOT WARRANT THAT THE PLATFORM WILL BE ERROR-FREE, UNINTERRUPTED, OR THAT AI OUTPUT WILL BE ACCURATE OR COMPLETE. CYBERSECURITY SERVICES INHERENTLY CANNOT GUARANTEE PREVENTION OF ALL INCIDENTS.

10. Indemnification

10.1 By After Action

After Action will defend and indemnify Client against third-party claims alleging that the Platform, as used in accordance with this Agreement, infringes a third party’s intellectual property rights. After Action’s obligations do not apply to claims arising from Client Data, Client’s modifications, or use of the Platform in violation of this Agreement.

10.2 By Client

Client will defend and indemnify After Action against third-party claims arising from: (a) Client Data; (b) Client’s use of the Services in violation of this Agreement or applicable law; or (c) Client’s negligence or willful misconduct.

11. Limitation of Liability

EXCEPT FOR BREACHES OF SECTION 7 (CONFIDENTIALITY), INDEMNIFICATION OBLIGATIONS, OR A PARTY’S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT, NEITHER PARTY WILL BE LIABLE FOR INDIRECT, INCIDENTAL, CONSEQUENTIAL, PUNITIVE, OR SPECIAL DAMAGES, INCLUDING LOST PROFITS OR LOSS OF DATA.

AFTER ACTION’S AGGREGATE LIABILITY FOR ANY CLAIMS ARISING UNDER THIS AGREEMENT WILL NOT EXCEED THE GREATER OF (A) THE TOTAL FEES PAID BY CLIENT TO AFTER ACTION IN THE 12 MONTHS PRECEDING THE CLAIM, OR (B) $10,000.

12. Governing Law and Disputes

This Agreement is governed by the laws of the State of California, without regard to its conflict of law provisions. Any disputes arising under this Agreement shall first be addressed through good-faith negotiation between the Parties. If unresolved after 30 days, disputes shall be submitted to binding arbitration administered by the American Arbitration Association in Santa Clara County, California.

Either Party may seek injunctive or equitable relief in a court of competent jurisdiction without first exhausting arbitration for matters involving intellectual property or confidentiality breaches.

13. General Provisions

13.1 Entire Agreement. This Agreement, together with all Order Forms and SOWs, constitutes the entire agreement between the Parties regarding its subject matter and supersedes all prior agreements.

13.2 Amendments. After Action may update this Agreement with 30 days’ prior written notice. Continued use of the Platform after the effective date constitutes acceptance.

13.3 Assignment. Client may not assign this Agreement without After Action’s prior written consent. After Action may assign this Agreement in connection with a merger, acquisition, or sale of substantially all assets.

13.4 Severability. If any provision is found unenforceable, the remaining provisions remain in full force.

13.5 Waiver. Failure to enforce any provision is not a waiver of future enforcement rights.

13.6 Independent Contractors. The Parties are independent contractors. Nothing in this Agreement creates a partnership, joint venture, or employment relationship.

13.7 Notices. Notices must be in writing and sent to legal@afteraction.io (for After Action) or the email on file for Client. Notices are effective upon confirmed delivery.

13.8 Force Majeure. Neither Party is liable for delays or failures caused by events beyond its reasonable control, including natural disasters, government actions, or infrastructure outages.

Agreed and Accepted:

After Action Security Inc.

Scotty Alford, Principal

Client

After Action Security Inc. · afteraction.io · hello@afteraction.io