Terms of Service
Last updated: July 2, 2026 · Effective: July 2, 2026
1. The Service
Heron is a continuous-transparency service for AI agents operated by Theona, Inc., a Delaware corporation ("Theona", "we", "us"). Heron connects to your agent platform through the platform's integration hooks, evaluates your agents' actions against your policies and session context before they execute, enforces the resulting decisions (allow, deny, modify, step-up, or defer), records each decision as a signed, tamper-evident receipt, and presents the accumulated record as an evidence page you can share with your own customers' security reviewers. The service is offered to businesses. These Terms govern your use of the hosted service at heron.ing.
2. What Heron Is Not
- Heron is not a security certification, formal audit, or compliance attestation, and the evidence record does not replace one
- The evidence record reflects the actions Heron observed and the decisions it made at the platform hook; it does not cover agent behavior outside the connected platform
- Policy evaluation is automated and may use LLM analysis; Heron does not guarantee that every noncompliant action will be prevented or that every enforcement decision is correct
- Regulatory and framework mappings are advisory — consult qualified legal counsel for compliance decisions
3. Your Account
The hosted service requires a Google account for authentication. You are responsible for the security of your account credentials and for all activity that occurs under your account, including the platform connections you configure. You must promptly notify us of any unauthorized access. We may suspend or terminate accounts that violate these Terms, the Acceptable Use Policy in §6, or are used for abusive purposes.
4. Your Data
You retain ownership of all data you submit to or generate through Heron, including agent action records, session context, receipts, policies, and evidence pages ("Customer Data"). You grant us a limited license to process Customer Data solely to provide the service to you. We do not use Customer Data to train AI models. We do not sell or share Customer Data with third parties except the sub-processors listed in the Privacy Policy. Where you choose to share an evidence page or export with a third party, that disclosure happens at your direction and you are responsible for who you share it with.
Your agents may handle personal data belonging to your own customers or users. For personal data contained in agent action records, you are the data controller and we act as your processor, as described in the Privacy Policy and any applicable DPA (§8). You are responsible for having a lawful basis to route that data through the service.
5. Intellectual Property
The hosted service, its software, the Heron and Theona trademarks, and our deployment infrastructure are and remain our property. These Terms grant you no rights in them except the right to use the hosted service as described here. Any open-source components we distribute separately are governed by their own licenses, not these Terms.
6. Acceptable Use
You agree not to use the hosted service to:
- Modify, translate, reverse engineer, decompile, disassemble, or attempt to derive source code of the hosted service
- Sublicense, sell, resell, rent, lease, transfer, or distribute the hosted service
- Remove or obscure any proprietary notices or branding
- Develop or train a competing product
- Misrepresent the evidence record, receipts, or an evidence page — including altering them or presenting them as a certification
- Introduce viruses, malware, or harmful code, or interfere with the integrity of the service
- Probe, scan, or test the vulnerability of the service without our prior written consent
- Use the service to violate any applicable law, regulation, or third-party right
- Submit personal data of third parties without a lawful basis to do so
7. LLM Providers
Heron may use third-party LLM providers (OpenAI, Anthropic, Google) for action evaluation. When the service evaluates an agent action, the action parameters and related session context may be sent to the configured provider under that provider's data handling terms; we use zero-retention endpoints where available.
8. Data Processing Agreement (DPA)
For business customers processing personal data of EEA, UK, Swiss, or California residents through Heron, a Data Processing Agreement is available on request via [email protected]. The DPA, once executed, forms part of these Terms and incorporates the EU Standard Contractual Clauses for international transfers where applicable.
9. Subscription & Fees
Paid plans are billed in advance for the subscription period stated in your order. Unless otherwise stated, fees are non-refundable and subscriptions auto-renew for successive periods of equal length unless either party gives at least 30 days' notice of non-renewal. Late payments have a 15-day grace period before suspension. Taxes are excluded from stated fees.
10. Termination
You may terminate your account at any time. Either party may terminate for material breach with a 30-day cure period. We may suspend your account immediately for serious abuse, security risk, or violation of §6.
Post-termination: (a) all rights granted to you cease; (b) you must discontinue use of the hosted service and disconnect the platform integration; (c) you may export Customer Data, including action records and receipts, within 30 days after termination; (d) we will delete Customer Data within 30 days after termination unless retention is required by law. Sections that by their nature should survive termination (Acceptable Use, IP, Disclaimer, Limitation of Liability, Indemnification, Governing Law) survive.
11. Disclaimer of Warranties
THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE", WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. AUTOMATED POLICY EVALUATION AND LLM OUTPUT MAY CONTAIN ERRORS. WE DO NOT WARRANT THAT THE SERVICE WILL PREVENT ANY PARTICULAR AGENT ACTION OR THAT THE EVIDENCE RECORD WILL SATISFY ANY THIRD PARTY'S SECURITY REVIEW. YOU REMAIN SOLELY RESPONSIBLE FOR YOUR AGENTS, YOUR POLICIES, AND DECISIONS MADE IN RELIANCE ON HERON RECORDS.
12. Limitation of Liability
THEONA'S TOTAL AGGREGATE LIABILITY UNDER THESE TERMS WILL NOT EXCEED THE FEES PAID BY YOU TO THEONA IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO LIABILITY (OR USD 100 IF YOU USE A FREE PLAN). IN NO EVENT WILL THEONA BE LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR FOR LOSS OF PROFITS, DATA, OR BUSINESS.
13. Indemnification
By you: you will indemnify, defend, and hold harmless Theona and its affiliates from claims, damages, or expenses arising from your Customer Data, the actions of your agents, or your use of the service in violation of these Terms.
By us: we will defend you against third-party claims that the hosted service, as provided and used in accordance with these Terms, infringes a third party's intellectual property rights, provided you (a) promptly notify us, (b) allow us sole control of the defense and settlement, and (c) reasonably cooperate.
14. Governing Law & Dispute Resolution
These Terms are governed by the laws of the State of Delaware, without regard to conflict-of-laws principles. Any dispute arising out of or relating to these Terms will be resolved through binding arbitration administered by the American Arbitration Association under its Commercial Arbitration Rules. The arbitration will be conducted in English in Wilmington, Delaware. Any dispute not subject to arbitration will be resolved exclusively in the state or federal courts located in Wilmington, Delaware.
Class-action waiver: disputes will be resolved on an individual basis only; class arbitrations and class actions are not permitted.
15. Changes to These Terms
We may update these Terms from time to time. Material changes will be notified at least 30 days in advance via email or a prominent in-product notice. Continued use after the effective date constitutes acceptance.
16. Contact
Theona, Inc. (Delaware, USA — remote-first)
Legal & DPA: [email protected]
Support: [email protected]