Terms of Service

1. Service Description

DropOps is a Zero Trust AI Execution platform with Just-in-Time Privileges and Local-First Audit Architecture (LFAA) that enables users to manage infrastructure through natural language interactions with an AI assistant. The Service consists of:

• Binary Operator: A software agent you deploy on your systems that executes commands and maintains local audit records
• Cloud Operator (AWS): A pre-configured EC2 AMI with Zero Standing Privileges that acquires AWS permissions only through explicit user approval via intent-based policies (Professional tier and above)
• AI Assistant: An AI-powered interface that interprets your requests and proposes operations
• Control Plane: Cloud infrastructure that facilitates communication between you, the AI, and your Operators using outbound-only connections
• Local-First Audit Architecture (LFAA): On-operator storage for command outputs, conversation history, and file mutations with cryptographic integrity verification

We may modify, suspend, or discontinue any aspect of the Service at any time. We will endeavor to provide reasonable notice for material changes, but reserve the right to make immediate changes for security or safety reasons.

2. User Responsibilities

You agree to:

• Review and understand all operations before approving execution
• Maintain the security and confidentiality of your account credentials
• Independently verify all AI-proposed actions for correctness, appropriateness, and safety
• Use the Service only on systems you own or have explicit authorization to manage
• Use the Service in compliance with all applicable laws, regulations, and third-party agreements
• Provide accurate and complete information during account setup and operation
• Notify us immediately of any unauthorized access, security breaches, or suspected compromise of your account
• Maintain appropriate backups of your systems and data before using the Service
• Ensure that anyone who accesses the Service through your account complies with these Terms
• Monitor command execution and intervene immediately if unexpected behavior occurs

You agree NOT to:

• Attempt to circumvent, disable, or interfere with governance or safety controls
• Use the Service to access systems without proper authorization
• Use the Service to violate laws, regulations, or third-party rights
• Attempt to reverse engineer, decompile, disassemble, or extract source code from the Service
• Use the Service to harm, threaten, harass, or defraud others
• Use the Service for any illegal, malicious, or unauthorized purpose
• Overload, disrupt, or interfere with the Service's operation or infrastructure
• Share your account credentials with unauthorized parties
• Resell, sublicense, or provide access to the Service to third parties without authorization
• Use the Service to transmit malware, viruses, or other harmful code
• Attempt to gain unauthorized access to other users' accounts or data
• Use the Service in a manner that could damage our reputation or goodwill

3. Human Oversight & Approval

As the user, you are solely responsible for:

• Reviewing and understanding all proposed operations before approval
• Verifying that proposed commands are correct and appropriate for your environment
• Understanding the potential impact and risks of approved operations
• Ensuring approved operations comply with your organization's policies and applicable regulations
• Monitoring execution and intervening immediately if issues arise
• Using emergency stop controls when necessary
• Maintaining the ability to manually remediate any issues caused by executed operations

3.5. Cloud Operator Terms (AWS)

Cloud Operators are pre-configured AWS EC2 instances that implement Zero Standing Privileges. By deploying a Cloud Operator, you agree to the following additional terms:

Two-Role Security Architecture:

• The Operator Role executes actions but cannot modify IAM policies (blocked by permission boundary)
• The Escalation Role can attach pre-defined intent policies but cannot access AWS resources
• This separation ensures the role executing actions cannot grant itself permissions

Intent-Based Permissions:

• Cloud Operators start with ZERO AWS permissions beyond self-discovery
• The AI requests specific permission intents when needed (e.g., "ec2_discovery", "s3_read")
• You must explicitly approve each intent before permissions are granted
• Only pre-defined managed policies can be attached; no custom policies can be created
• Granted intents persist across sessions but can be revoked at any time

Permission Boundary Protections:

The Operator Role includes a DENY-only permission boundary that blocks:

• IAM modifications (CreateRole, DeleteRole, AttachRolePolicy, etc.)
• Self-termination of the Cloud Operator instance
• Secrets Manager write operations
• Organizations and billing access
• KMS key management (CreateKey, ScheduleKeyDeletion)

Cloud Operators require Professional tier or above and consume cloud operator slots from your subscription. See our Pricing page for slot costs and tier limits.

3.6. Operator Terminal

The Operator Terminal provides browser-based CLI access to bound Operators, enabling remote command execution without SSH, VPNs, or inbound ports. By using the Operator Terminal, you acknowledge:

• No SSH or VPN Required: All communication uses outbound-only HTTPS connections initiated by your Operators
• Zero Inbound Ports: Your systems never accept inbound connections; no firewall changes required
• Human-in-the-Loop: Every command requires explicit user approval before execution
• mTLS Transport: Mutual TLS with certificate pinning prevents man-in-the-middle attacks
• Full Audit Trail: All commands, approvals, and outputs logged via LFAA

4. Account Security

You are solely responsible for maintaining the security of your account:

• Keep your authentication credentials confidential and secure
• Do not share your account access with unauthorized individuals
• Use strong, unique passwords and enable multi-factor authentication when available
• Log out of the Service when not in use, especially on shared devices
• Regularly review account activity for unauthorized access

Operator API Key Security:

• Each Operator has a unique API key tied to a specific operator slot
• API keys can be refreshed at any time, which immediately invalidates the old key and terminates the old Operator
• You must redeploy Operators with the new API key after refresh
• Treat API keys as sensitive credentials; do not commit them to version control or share them publicly
• System fingerprints are tracked for audit purposes (but not enforced, allowing operator mobility)

Security Architecture Protections:

• Replay Protection: All requests include timestamps validated within a 5-minute window; duplicate nonces are rejected
• Rate Limiting: Per-API-key and per-IP rate limits protect against abuse
• Session Binding: Operators must be explicitly bound to your web session before command execution
• Command Blacklist: Dangerous operations are blocked regardless of user approval
• Outbound-Only: Operators never accept inbound connections; all communication is outbound over TLS

If you suspect unauthorized access to your account:

• Immediately notify us at security@dropops.ai
• Stop all Operators connected to your account
• Refresh all Operator API keys to immediately invalidate old keys
• Change your authentication credentials
• Review local Audit Vault logs for unauthorized activity

5. Data & Privacy

We collect and process data necessary to provide the Service. Our data architecture prioritizes your privacy through Local-First Audit Architecture (LFAA):

Data That Stays on Your Operators (LFAA - Default):

• Full command stdout and stderr outputs (stored in local Audit Vault)
• Conversation history and AI reasoning
• File mutation history with git-backed versioning (Ledger Mirror)
• Execution logs with timestamps and context

Data Transmitted to Our Cloud (Metadata Only):

• Account and authentication information
• Operation requests and approval decisions
• Command metadata (hashes, sizes, timestamps, exit codes) for integrity verification
• System fingerprints and performance metrics

All data handling is subject to our Privacy Policy. Key principles:

• Audit records are immutable, timestamped, and stored locally on your Operators by default
• We do not sell your operational data to third parties
• Data is encrypted in transit (TLS 1.3) and at rest (AES-256-GCM)
• Local audit data uses API key-derived envelope encryption
• You maintain ownership of your infrastructure and data
• Your conversations are used only to improve YOUR personal AI agent experience, not to train models for other users
• We may share data with third-party service providers necessary to operate the Service (Google Cloud, Stripe)
• PII is automatically redacted from application logs

View our full Privacy Policy →

6. Disclaimer of Warranties

We do not warrant that:

• The Service will meet your specific requirements or expectations
• The Service will be uninterrupted, timely, secure, or error-free
• AI-generated suggestions, commands, or recommendations will be accurate, complete, or appropriate
• Any errors or defects in the Service will be corrected
• The Service will be compatible with your systems or infrastructure
• Results obtained from the Service will be accurate or reliable

Any reliance on the Service, including AI-generated content, is at your own risk. You are solely responsible for determining the appropriateness of using the Service and assume all risks associated with its use.

7. Limitations of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW:

• LATERALUS LABS SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO LOSS OF PROFITS, DATA, BUSINESS OPPORTUNITIES, OR GOODWILL
• LATERALUS LABS SHALL NOT BE LIABLE FOR ANY DAMAGES RESULTING FROM: (a) your use or inability to use the Service; (b) operations you approve or execute; (c) unauthorized access to your account; (d) errors, inaccuracies, or omissions in AI-generated content; (e) any third-party conduct or content; (f) data loss, corruption, or system failures; (g) security breaches or vulnerabilities; (h) service interruptions or outages
• OUR TOTAL AGGREGATE LIABILITY FOR ALL CLAIMS ARISING FROM OR RELATED TO THESE TERMS OR THE SERVICE SHALL NOT EXCEED THE GREATER OF (a) THE AMOUNTS YOU PAID TO US IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM, OR (b) ONE HUNDRED U.S. DOLLARS ($100)

THE LIMITATIONS IN THIS SECTION APPLY REGARDLESS OF THE THEORY OF LIABILITY, WHETHER BASED ON WARRANTY, CONTRACT, STATUTE, TORT (INCLUDING NEGLIGENCE), OR OTHERWISE, AND REGARDLESS OF WHETHER WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Some jurisdictions do not allow the exclusion of certain warranties or limitation of liability for certain damages. In such jurisdictions, our liability shall be limited to the maximum extent permitted by law.

8. Service Modifications

We reserve the right to:

• Modify these Terms at any time; material changes will be communicated with reasonable notice
• Update, modify, or discontinue Service features, capabilities, and interfaces
• Adjust pricing with reasonable advance notice
• Suspend or terminate Service for violations of these Terms or for any reason at our discretion
• Implement new safety, security, or governance controls as needed
• Limit or restrict access to certain features or functionality

Continued use of the Service after modifications constitutes acceptance of updated Terms. If you do not agree to modified Terms, you must stop using the Service.

9. Account Termination

We reserve the right to:

• Refuse service to anyone for any reason
• Terminate or suspend accounts that violate these Terms, immediately and without notice
• Suspend service if governance or safety frameworks are circumvented or disabled
• Terminate service for use cases that present safety, security, or legal concerns
• Limit capabilities or access at our sole discretion
• Terminate service if we reasonably believe your account has been compromised

You may:

• Terminate your account at any time by contacting us
• Export your audit records before termination (where technically feasible)
• Request deletion of your data (subject to legal retention requirements and technical limitations)

Upon termination: (a) your access to the Service will cease immediately; (b) all Operators connected to your account will be disconnected; (c) you must uninstall all Operator software from your systems; (d) audit records may be retained for compliance, security, and legal purposes; (e) any outstanding fees become immediately due; (f) provisions that by their nature should survive termination will survive.

10. Refund Policy

You may cancel your subscription at any time to prevent future charges, but you will not receive a refund for any fees already paid. Upon cancellation, you will retain access to your paid tier until the end of your current billing period.

11. Intellectual Property

Ownership:

• You retain ownership of your infrastructure, data, and operations
• We retain all rights, title, and interest in the DropOps platform, AI models, software, documentation, and all related intellectual property
• Neither party gains ownership rights to the other's intellectual property through use of the Service
• All trademarks, service marks, and logos associated with the Service are our property

You grant us a limited, non-exclusive, worldwide license to process your data solely to provide and improve the Service. We grant you a limited, non-exclusive, non-transferable, revocable license to use the Service in accordance with these Terms.

You may not copy, modify, distribute, sell, or lease any part of the Service or included software, nor may you reverse engineer or attempt to extract the source code of the Service, unless laws prohibit these restrictions or you have our written permission.

12. Compliance & Export Controls

You represent and warrant that:

• You will comply with all applicable laws, regulations, and industry standards, including U.S. export controls and sanctions
• You are not located in, and will not use the Service from, a country subject to U.S. embargo or sanctions
• You are not on any U.S. government list of prohibited or restricted parties
• You will not use the Service to process, store, or transmit data in violation of applicable data protection laws
• Your use of the Service complies with industry-specific regulations applicable to your business

If you operate in a regulated industry (healthcare, finance, government, etc.), you are solely responsible for ensuring your use of DropOps complies with all applicable regulations, including but not limited to HIPAA, PCI-DSS, SOX, GDPR, and any other applicable frameworks. We do not represent that the Service meets the requirements of any specific regulatory framework.

13. Indemnification

You agree to indemnify, defend, and hold harmless Lateralus Labs, LLC and its officers, directors, employees, agents, affiliates, successors, and assigns from and against any and all claims, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees and court costs) arising from or related to:

• Your use or misuse of the Service
• Operations you approve, execute, or fail to properly review
• Your violation of these Terms or any applicable law or regulation
• Your violation of any third-party rights, including intellectual property, privacy, or contractual rights
• Unauthorized access to your account, regardless of cause
• Any data breach, security incident, or unauthorized disclosure involving your systems or data
• Claims by third parties arising from your use of the Service on systems you manage
• Your failure to maintain adequate security measures or backups
• Any content, data, or materials you submit to or through the Service

We reserve the right, at your expense, to assume the exclusive defense and control of any matter for which you are required to indemnify us, and you agree to cooperate with our defense of such claims.

14. Dispute Resolution

These Terms are governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to its conflict of law principles.

Binding Arbitration: Any dispute, claim, or controversy arising out of or relating to these Terms or the Service shall be resolved exclusively through final and binding arbitration administered by the American Arbitration Association ("AAA") in accordance with its Commercial Arbitration Rules. The arbitration shall be conducted in Delaware, or another mutually agreed location. The arbitrator's decision shall be final and binding, and judgment on the award may be entered in any court of competent jurisdiction.

Class Action Waiver: YOU AND LATERALUS LABS AGREE THAT EACH MAY BRING CLAIMS AGAINST THE OTHER ONLY IN YOUR OR ITS INDIVIDUAL CAPACITY AND NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY PURPORTED CLASS OR REPRESENTATIVE PROCEEDING. Unless both parties agree otherwise, the arbitrator may not consolidate more than one person's claims and may not preside over any form of representative or class proceeding.

Exceptions: Either party may seek injunctive or other equitable relief in any court of competent jurisdiction to prevent the actual or threatened infringement, misappropriation, or violation of intellectual property rights or confidential information.

Time Limitation: Any claim or cause of action arising out of or related to these Terms or the Service must be filed within one (1) year after such claim or cause of action arose, or it shall be forever barred.

15. Miscellaneous

Entire Agreement: These Terms, along with our Privacy Policy and any other policies referenced herein, constitute the entire agreement between you and Lateralus Labs, LLC regarding the Service and supersede all prior agreements and understandings.

Severability: If any provision of these Terms is found to be invalid, illegal, or unenforceable, the remaining provisions will continue in full force and effect. The invalid provision will be modified to the minimum extent necessary to make it valid and enforceable while preserving its intent.

Waiver: Our failure to enforce any provision of these Terms does not constitute a waiver of that provision or any other provision. Any waiver must be in writing and signed by us to be effective.

Assignment: You may not assign, transfer, or sublicense these Terms or any rights or obligations hereunder without our prior written consent. We may assign these Terms without restriction. Any attempted assignment in violation of this section is void.

Force Majeure: We are not liable for any failure or delay in performance due to circumstances beyond our reasonable control, including but not limited to acts of God, natural disasters, war, terrorism, riots, embargoes, acts of civil or military authorities, fire, floods, accidents, strikes, or shortages of transportation, facilities, fuel, energy, labor, or materials.

No Third-Party Beneficiaries: These Terms do not create any third-party beneficiary rights in any individual or entity that is not a party to these Terms.

Notices: We may provide notices to you via email, posting on the Service, or other reasonable means. You must provide notices to us in writing to the contact information provided below.

Headings: Section headings are for convenience only and do not affect the interpretation of these Terms.

Survival: Sections relating to intellectual property, limitation of liability, indemnification, dispute resolution, and any other provisions that by their nature should survive, will survive termination of these Terms.

Contact

Questions about these Terms? Contact us: