Legal

Terms of Service

Product: VODR Nexus  ·  Operator: Vodr  ·  Contact: support@vodr.ai  ·  vodr.ai
VODR Nexus provides regulatory intelligence, not legal advice. Confirm all classifications and compliance plans with qualified legal counsel before acting on them. No professional relationship is formed by use of the Service.

Section 1

Not Legal Advice — Not Legal Analysis

1.1 Regulatory Intelligence, Not Legal Services

VODR Nexus provides regulatory intelligence. It does not provide legal advice, legal analysis, legal opinions, compliance certifications, or compliance assessments of any kind. The Service analyzes software repositories and system descriptions against publicly available regulatory texts across 136 frameworks. Outputs are generated by automated pattern matching and regulatory text analysis — not by human legal experts. They are not legal opinions. They are not compliance certifications.

The Service does not practice law in any jurisdiction. Classifications, compliance scores, action plans, and other outputs are automated data correlations derived from publicly available regulatory texts. The Service is regulatory intelligence — organized information — not legal services.

1.2 Classification Accuracy and Reliance

All Service outputs — including risk classifications, compliance scores, action plans, vulnerability findings, PII detection results, and AI-BOM documents — are produced by automated analysis and subject to the following limitations:

  • Classifications are based on the system description you provide and metadata signals extracted from your repository. They are not verified against your actual system's behavior, deployment environment, user base, data flows, or organizational context.
  • Classifications reflect the regulatory framework dataset at the time of output. Regulatory frameworks change. No output accounts for regulatory amendments, enforcement guidance, or judicial interpretations published after the output was generated.
  • No output from the Service constitutes a legal determination of compliance, a legal determination of which regulations apply to your system, or a legal determination of how any regulator would classify your specific system.
  • You must confirm all classifications and compliance plans with qualified legal counsel before acting on them.

1.3 No Professional Relationship

No attorney-client relationship, fiduciary relationship, advisor-client relationship, or professional services relationship of any kind is formed between you and Vodr through your use of the Service.

1.4 Your Professionals — Your Responsibility

You are responsible for engaging your own legal counsel, privacy professionals, cybersecurity experts, and compliance advisors. The Service provides the map. Your professionals interpret what the map means for you.

Section 2

Service Description

2.1 What the Service Does

VODR Nexus analyzes software repositories and system descriptions to provide regulatory intelligence across 136 frameworks including the EU AI Act, GDPR, NIS2, ISO 27001, NIST CSF, SOC 2, and others. The Service classifies AI systems by risk level, maps regulatory obligations, generates compliance action plans, tracks evidence and control implementation, monitors dependencies for vulnerabilities, detects PII patterns in database schemas, generates AI Bills of Materials, delivers regulatory change notifications, and provides a CI/CD gate via GitHub Action.

2.2 What the Service Does NOT Do

The Service does not provide legal advice or legal opinions; certify compliance with any regulation; guarantee regulatory outcomes; act as a Data Protection Officer; replace qualified legal, regulatory, or compliance counsel; write, modify, or deploy code in your repository; or access any repository you have not explicitly connected.

2.3 AI-Assisted Service

The Service uses automated processing including rule-based analysis, pattern matching, semantic analysis, and — on paid tiers — LLM-backed classification via the Anthropic API for ambiguous or low-confidence classifications. Vodr's own regulatory self-assessment is available at vodr.ai/self-assessment.

Section 3

Repository Access

When you run nexus connect, the Service requests read-only OAuth access to the repository you specify through GitHub, GitLab, or Bitbucket. Access is limited to the specific repository you connect. The Service never writes to, modifies, forks, or creates pull requests in your repository.

What We Extract and Retain

From your repository, we extract and retain the following metadata signals: package names and versions, PII-pattern field names and table names, AI component library names and types, deployment region identifiers, vulnerability findings (CVE IDs), and generated AI-BOM documents. These are metadata signals, not source code.

What We Delete Immediately

We delete all raw source file contents, function implementations, variable names, class definitions, comments, docstrings, test file contents, git commit history, git metadata, environment variables, secrets, credentials, and any complete file contents from your repository. For snapshot uploads via nexus scan-snapshot, the snapshot file is deleted immediately after signal extraction.

Local Scanning

When you use nexus scan-local, repository analysis runs entirely on your machine. Only a package name list is transmitted to the VODR API. No source code, file contents, or schema data leaves your machine.

You may revoke repository access at any time by running nexus disconnect. Upon subscription cancellation, all repository access tokens are automatically revoked.

Section 4

User Responsibilities and Acceptable Use

You assume all responsibility and liability for all decisions made using the Service. You must provide accurate system descriptions and update them if your system's purpose changes materially.

You agree not to:

  • Submit intentionally false system descriptions to obtain a lower risk classification
  • Use the Service's analysis to circumvent or evade regulatory obligations
  • Use the Service to generate fraudulent compliance documentation
  • Attempt to reverse-engineer the classification algorithm or organism intelligence
  • Share, transfer, or expose API keys to unauthorized third parties
  • Scrape or programmatically access the API beyond your tier's rate limits
  • Use vulnerability detection findings to exploit rather than remediate discovered vulnerabilities
  • Use the Service to build, operate, or provide a competing regulatory intelligence product

Vodr may suspend access for violation of these terms with notice. For egregious violations — including attempting to use the Service to evade regulation or generate fraudulent compliance documentation — Vodr may immediately suspend access without prior notice.

Section 5

Intellectual Property

The Service, including all software, algorithms, classification models, regulatory intelligence database, organism architecture, and related materials, is owned by Vodr. VODR Nexus is proprietary software. All rights reserved. The GitHub Action files in the .github/ directory are licensed under the MIT License for integration purposes only. All other materials remain the proprietary property of Vodr.

You own your code, your repository content, and your compliance data. Vodr claims no intellectual property rights over any customer code or repository content. Subject to these Terms, Vodr grants you a limited, non-exclusive, non-transferable, revocable license to access and use the Service for your internal business purposes during the term of your subscription.

Section 6

Payment

The Service is offered in five tiers: Free ($0/month), Starter ($39/month), Pro ($149/month), Team ($999/month), and Partner ($6,999/month). Features and limits for each tier are described at vodr.ai/#pricing. Payment is processed through Stripe. Vodr stores only the Stripe customer ID and subscription status — never credit card numbers, CVVs, or bank account details.

Paid subscriptions renew automatically at the end of each billing period unless you cancel before the renewal date via nexus billing cancel or by contacting support@vodr.ai. Upon cancellation, access to paid features continues through the end of the current billing period. Vodr does not provide refunds for partial billing periods.

If a payment fails, a 7-day grace period begins with three email warnings. If unresolved, the account is downgraded to the free tier.

Section 7

Data and Privacy

The Service collects and processes data as described in the VODR Privacy Policy, incorporated by reference. For customers whose repository metadata may contain references to personal data fields, the VODR Data Processing Agreement governs VODR's processing of that data as a processor under GDPR Article 28.

Vodr publishes a public regulatory intelligence dataset under the Creative Commons Attribution-ShareAlike 4.0 International License (CC BY-SA 4.0). Use of the public dataset is governed by CC BY-SA 4.0, not these Terms. Any derivative dataset built from the public dataset must also be released under CC BY-SA 4.0.

Section 8

Data Retention and Deletion

Upon cancellation, data is retained for 90 days. You may export all data via nexus export during this period. After 90 days, data is permanently deleted. For systems classified as high-risk under the EU AI Act, audit trail data is retained for 3 years per Article 12 record-keeping requirements.

You may request immediate deletion of any system's data at any time via nexus delete, which triggers GDPR Article 17 erasure. Upon full account deletion, all repository access tokens are automatically revoked and Vodr provides written confirmation of deletion upon request.

Section 9

Disclaimer of Warranties

The Service and all outputs are provided on an "as is" and "as available" basis. Vodr expressly disclaims all warranties of any kind, whether express, implied, or statutory, including without limitation warranties of merchantability, fitness for a particular purpose, accuracy, completeness, timeliness, non-infringement, and that the Service will be uninterrupted, error-free, or secure. Vodr does not warrant that its classifications are accurate, that its vulnerability detection is comprehensive, that its PII detection identifies all personal data references, or that use of the Service will result in compliance with any law, regulation, directive, standard, or other legal requirement.

Section 10

Limitation of Liability

To the maximum extent permitted by applicable law, Vodr and its affiliates, officers, directors, employees, agents, licensors, and suppliers shall not be liable for any indirect, incidental, special, consequential, punitive, or exemplary damages, including loss of profits, revenue, data, goodwill, business opportunity, regulatory fines, penalties, enforcement actions, data breach costs, or cybersecurity incident costs. Vodr shall not be liable for any loss arising from your reliance on any classification, compliance score, action plan, vulnerability finding, PII detection result, or other output of the Service, including any regulatory action taken against you by any authority in any jurisdiction. Vodr's total aggregate liability for all claims shall not exceed the total fees paid by you to Vodr in the twelve months preceding the event giving rise to the claim.

Section 11

Indemnification

You agree to indemnify, defend, and hold harmless Vodr from and against any claims, liabilities, damages, losses, costs, and expenses arising out of or relating to your use of the Service; any decision you make based on the Service; any representation you make about your compliance status; your violation of these Terms; or any claim by a third party arising from your use of the Service.

Vodr will indemnify, defend, and hold harmless the customer from and against any third-party claims that the VODR Nexus software infringes that third party's intellectual property rights, provided the customer promptly notifies Vodr of the claim and gives Vodr sole control of the defense.

Section 12

Term and Termination

These Terms are effective upon your first use of the Service and continue until terminated. Either party may terminate with 30 days' written notice. Vodr may immediately suspend or terminate your access if you violate the acceptable use provisions in Section 4.

Upon termination, you may export all data via nexus export before the 90-day retention period begins. After 90 days, data is permanently deleted (subject to the high-risk audit trail exception). All repository access tokens are revoked upon termination. Sections 1, 5, 9, 10, 11, and 14 survive termination.

Section 13

Modifications

Vodr may update these Terms. Material changes will be communicated via email to registered customers at least 30 days before taking effect. Continued use after the effective date constitutes acceptance. If you disagree, you may cancel before the effective date.

Section 14

Governing Law and Dispute Resolution

These Terms shall be governed by the laws of the State of Minnesota, without regard to conflict of laws principles.

Non-EU users: Any dispute arising out of or relating to these Terms or the Service shall be resolved by binding arbitration administered by the American Arbitration Association under its Commercial Arbitration Rules. The arbitration shall be conducted remotely or in Minneapolis, Minnesota. Claims shall be brought in your individual capacity — not as a class member. A small claims court exception applies for claims within jurisdictional limits.

EU/EEA/UK/Swiss users: Nothing in these Terms restricts your right to bring proceedings before the courts of your country of residence or to file complaints with your local data protection authority. The arbitration clause above does not apply to you.

Section 15

Export Control

You may not use the Service in violation of applicable export control laws or sanctions regulations. You represent that you are not located in, and will not use the Service from, any country or region subject to comprehensive US, EU, or UK sanctions.

Section 16

Miscellaneous

These Terms, together with the Privacy Policy, DPA, and any subscription agreement, constitute the entire agreement between you and Vodr. If any provision is found unenforceable, the remaining provisions continue in full force. Failure to enforce any provision is not a waiver. You may not assign these Terms without prior written consent from Vodr. Vodr may assign these Terms in connection with a merger, acquisition, or sale of assets.

Section 17

Contact

General support: support@vodr.ai
Privacy and data protection: privacy@vodr.ai
Web: vodr.ai

Acknowledgment

By using VODR Nexus, you acknowledge that:

  • You have read and understood these Terms
  • The Service provides regulatory intelligence, not legal advice or legal analysis
  • The Service does not practice law in any jurisdiction
  • All classifications are based on your system description and repository metadata — not verified against your actual system's behavior or deployment
  • You must confirm all classifications and compliance plans with qualified legal counsel before acting on them
  • No professional relationship of any kind is formed
  • You accept responsibility for all decisions made using the Service
  • You agree to the limitations of liability set forth herein