Terms of Service

Last updated: April 25, 2026 · Effective: April 25, 2026

1. The Service

Heron is an AI agent access auditing tool operated by Theona, Inc., a Delaware corporation ("Theona", "we", "us"). It provides structured interviews of AI agents, risk analysis, and compliance reporting. Heron is available as open-source software (MIT-licensed, self-hosted) and as a hosted platform. These Terms govern your use of the hosted platform; the open-source distribution is governed by the MIT License.

2. What Heron Is Not

  • Heron is not a formal security audit, penetration test, or compliance certification
  • Reports are based on agent self-reported information and have not been independently verified
  • Regulatory compliance flags are advisory — consult qualified legal counsel for compliance decisions
  • Heron does not guarantee the accuracy of agent responses or LLM analysis

3. Your Account

The hosted service requires a Google account for authentication. You are responsible for the security of your account credentials and for all activity that occurs under your account. You must promptly notify us of any unauthorized access. We may suspend or terminate accounts that violate these Terms or the Acceptable Use Policy in §6, or that are used for abusive purposes.

4. Your Data

You retain ownership of all data you submit through Heron, including interview transcripts and audit reports ("Customer Data"). You grant us a limited license to process Customer Data solely to provide the service to you. We do not use Customer Data to train AI models. We do not sell or share Customer Data with third parties except the sub-processors listed in the Privacy Policy.

5. Open Source

The Heron audit engine is open source under the MIT License. You may self-host, modify, and distribute it freely subject to that license. The hosted dashboard, enterprise features, Heron and Theona trademarks, and proprietary deployment infrastructure are not covered by the MIT License and remain our property.

6. Acceptable Use

You agree not to use the hosted service to:

  • Modify, translate, reverse engineer, decompile, disassemble, or attempt to derive source code (other than the open-source components)
  • Sublicense, sell, resell, rent, lease, transfer, or distribute the hosted service
  • Remove or obscure any proprietary notices or branding
  • Use the service to develop or train a competing AI or audit product
  • Introduce viruses, malware, or harmful code, or interfere with the integrity of the service
  • Probe, scan, or test the vulnerability of the service without our prior written consent
  • Use the service to violate any applicable law, regulation, or third-party right
  • Submit personal data of third parties without a lawful basis to do so

7. LLM Providers

Heron uses third-party LLM providers (OpenAI, Anthropic, Google) for transcript analysis. When using the hosted service, interview transcripts and related metadata are sent to the configured provider for analysis under each provider's data handling terms; we use zero-retention endpoints where available. When self-hosting, you control which provider is used and how data is routed.

8. Data Processing Agreement (DPA)

For business customers processing personal data of EEA, UK, Swiss, or California residents through Heron, a Data Processing Agreement is available on request via [email protected]. The DPA, once executed, forms part of these Terms and incorporates the EU Standard Contractual Clauses for international transfers where applicable.

9. Subscription & Fees

Paid plans are billed in advance for the subscription period stated in your order. Unless otherwise stated, fees are non-refundable and subscriptions auto-renew for successive periods of equal length unless either party gives at least 30 days' notice of non-renewal. Late payments have a 15-day grace period before suspension. Taxes are excluded from stated fees.

10. Termination

You may terminate your account at any time from the dashboard. Either party may terminate for material breach with a 30-day cure period. We may suspend your account immediately for serious abuse, security risk, or violation of §6.

Post-termination: (a) all rights granted to you cease; (b) you must discontinue use of the hosted service; (c) you may export Customer Data within 30 days after termination; (d) we will delete Customer Data within 30 days after termination unless retention is required by law. Sections that by their nature should survive termination (Acceptable Use, IP, Disclaimer, Limitation of Liability, Indemnification, Governing Law) survive.

11. Disclaimer of Warranties

THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE", WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. LLM OUTPUT MAY CONTAIN ERRORS; YOU ARE SOLELY RESPONSIBLE FOR VERIFICATION AND FOR ACCESS-CONTROL DECISIONS MADE IN RELIANCE ON HERON REPORTS.

12. Limitation of Liability

THEONA'S TOTAL AGGREGATE LIABILITY UNDER THESE TERMS WILL NOT EXCEED THE FEES PAID BY YOU TO THEONA IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO LIABILITY (OR USD 100 IF YOU USE A FREE PLAN). IN NO EVENT WILL THEONA BE LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR FOR LOSS OF PROFITS, DATA, OR BUSINESS.

13. Indemnification

By you: you will indemnify, defend, and hold harmless Theona and its affiliates from claims, damages, or expenses arising from your Customer Data or your use of the service in violation of these Terms.

By us: we will defend you against third-party claims that the hosted service, as provided and used in accordance with these Terms, infringes a third party's intellectual property rights, provided you (a) promptly notify us, (b) allow us sole control of the defense and settlement, and (c) reasonably cooperate.

14. Governing Law & Dispute Resolution

These Terms are governed by the laws of the State of Delaware, without regard to conflict-of-laws principles. Any dispute arising out of or relating to these Terms will be resolved through binding arbitration administered by the American Arbitration Association under its Commercial Arbitration Rules. The arbitration will be conducted in English in Wilmington, Delaware. Any dispute not subject to arbitration will be resolved exclusively in the state or federal courts located in Wilmington, Delaware.

Class-action waiver: disputes will be resolved on an individual basis only; class arbitrations and class actions are not permitted.

15. Changes to These Terms

We may update these Terms from time to time. We will give notice of material changes at least 30 days in advance via email or a prominent in-product notice. Continued use after the effective date constitutes acceptance.

16. Contact

Theona, Inc. (Delaware, USA — remote-first)
Legal & DPA: [email protected]
Support: [email protected]