Terms of Service

1. Agreement to Terms

These Terms of Service (the “Terms”) constitute a legally binding agreement between you (“User,” “you,” or “your”) and Identities AI, Inc. (“Identities AI,” “we,” “us,” or “our”) governing your access to and use of the Ratify platform, including the Ratify Protocol reference SDKs, the Ratify Verify managed control plane, admin console, adapters, and any related services (collectively, the “Service”). By accessing or using the Service, you agree to be bound by these Terms. If you do not agree, do not use the Service.

2. Description of Service

Ratify is a cryptographic identity and authorization platform for AI agents. The Service enables (a) creation and management of cryptographic identities for users and organizations; (b) delegation of scoped, time-limited authorization from humans to AI agents via signed delegation certificates; (c) real-time verification of agent authorization through proof-bundle validation; (d) revocation of delegations; (e) tamper-evident audit trails of verification decisions via signed VerificationReceipt chains; and (f) meeting platform adapters that verify AI agent participants in video conferences. The Service does not process, store, or access meeting audio, video, or transcript content.

3. Open Protocol vs. Verify Service

The Ratify Protocol specification (licensed CC-BY-4.0) and the reference SDKs in Go, TypeScript, Python, and Rust (licensed Apache-2.0) are free and open and are governed by their respective licenses, not by these Terms. These Terms govern your use of the commercial Service operated by Identities AI — Ratify Verify and its three commercial motions (Operational, Trust, Sovereign), the admin console, the hosted verifier endpoint, the Platform Registry, and any other paid product surface.

4. Account Registration and Security

You must provide accurate, complete information when creating an account. You are responsible for maintaining the confidentiality of your authentication credentials and for all activity that occurs under your account. Notify us immediately at security@identities.ai of any unauthorized use of your account. We are not liable for loss resulting from unauthorized use of your account. Organization owners and admins are responsible for managing member access, roles, and permissions within their organization.

5. Cryptographic Key Material

For custodial accounts, the Service generates and manages cryptographic key pairs (hybrid Ed25519 + ML-DSA-65) on your behalf. Private keys are envelope-encrypted using AES-256-GCM with keys managed by Cloud KMS and are never exposed to you or Identities AI personnel in plaintext. For self-custody accounts, you alone hold the private key; we never see it. You acknowledge that (a) delegation certificates signed with your organization’s keys represent authorized actions taken on your behalf; (b) you are responsible for revoking delegations when authorization should be withdrawn; (c) key rotation due to compromise should be initiated immediately via the SDK, API, or admin console; and (d) loss of access to your account does not affect the validity of previously issued delegation certificates until they are revoked or expire.

6. Delegation and Verification

Delegation certificates are cryptographic assertions that a specific principal authorized a specific AI agent to perform specific actions within a defined time window. By signing a delegation, you assert that you have the authority to grant the requested scopes and that the delegation reflects your genuine intent. The verification service checks the cryptographic validity of proof bundles, the revocation status of delegation certificates, and the scope of authorized actions. Verification results are deterministic: a valid proof bundle with an unrevoked, in-window delegation will always verify. The Service does not make subjective judgments about whether an action should be permitted — it reports cryptographic facts.

7. Meeting Platform Integration

The Service integrates with third-party meeting platforms (Zoom, Microsoft Teams, Google Meet) to verify AI agent participants. When you connect a meeting platform: (a) you authorize Identities AI to receive participant join/leave webhook events from the platform; (b) you authorize enforcement actions (participant removal, labeling) per your organization’s configured policy; (c) the Service does not access, record, transcribe, or store any meeting audio, video, or screen-sharing content; (d) the Service processes only participant metadata (name, email, participant ID) for the purpose of matching against verified meeting passes; and (e) meeting platform integrations are governed by each respective platform’s terms of use and developer agreements in addition to these Terms.

8. Data Processing and Audit Trails

The Service maintains tamper-evident audit trails of security-sensitive actions including verification decisions, delegation issuance and revocation, policy changes, and administrative actions. Audit records are hash-chained and, where enabled, signed with KMS-managed keys via the VerificationReceipt primitive. Audit retention is motion-dependent: 30 days searchable on Verify Operational; 90 days standard with optional 365-day retention on Verify Trust; customer-controlled on Verify Sovereign. You acknowledge that audit data may be required for regulatory compliance and cannot be selectively deleted while a legal hold is active.

9. Acceptable Use

You agree not to:

• use the Service to circumvent, disable, or interfere with security features of any system;
• forge, spoof, or falsify delegation certificates or proof bundles;
• attempt to gain unauthorized access to the Service, other users’ accounts, or the underlying infrastructure;
• use the Service to facilitate surveillance, unauthorized monitoring, or activity that violates applicable law;
• reverse-engineer the Service except as permitted by applicable law;
• use the Service in a manner that exceeds your motion’s rate limits or quotas; or
• register agent identities or Platform Registry records that impersonate or are confusingly similar to another entity.

10. Subscription Motions and Payment

The Service is offered in four motions:

• Open Protocol — the spec, SDKs, and reference implementations. Free, forever, governed by Apache-2.0 / CC-BY-4.0 and not by these Terms.
• Verify Operational — managed verifier, hosted Policy Studio, push revocation, pre-built adapters. Pay-as-you-go ($0.002 per verification, $50/month minimum).
• Verify Trust — compliance-grade audit chain, anchor-bound identity, custom-constraint registry, SAML/SSO Studio. Annual contract, from $30,000/year.
• Verify Sovereign — licensed self-hosted control plane with customer-owned keys, no phone-home. Annual license, from $50,000/year.

We reserve the right to modify Operational pricing with 30 days’ notice; Trust and Sovereign pricing is governed by the contract you sign. Fees are non-refundable except as required by applicable law. Exceeding your motion’s verification quota may result in throttling until the next billing cycle.

11. Intellectual Property

The Ratify Protocol specification (CC-BY-4.0) and reference SDKs in Go, TypeScript, Python, and Rust (Apache-2.0) are open source and freely usable. The commercial Service — the managed control plane, API, admin console, adapters, Policy Studio, Platform Registry, and audit infrastructure — is proprietary to Identities AI. You retain all rights to your data, including organization information, delegation configurations, and audit records. We claim no ownership of your data. You grant us a limited license to process your data solely to provide the Service. Ratify Protocol™ and identities.ai™ are trademarks of Identities AI, Inc.; U.S. patent application pending.

12. Account Deletion

You may request account deletion at any time via the admin console or API. Deletion requests are subject to a 30-day grace period during which you may cancel the request. Deletion is blocked while (a) you are the sole owner of any organization (transfer ownership first), or (b) any organization you belong to is under an active legal hold. Upon deletion: your personal data is removed, your custodial cryptographic keys are destroyed, and your audit-trail entries are pseudonymized. Previously issued delegation certificates remain valid until their expiry or revocation — deletion of the delegator’s account does not automatically revoke outstanding delegations.

13. Disclaimer of Warranties

THE SERVICE IS PROVIDED “AS IS” AND “AS AVAILABLE” WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. WE DO NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED, ERROR-FREE, OR SECURE. CRYPTOGRAPHIC VERIFICATION PROVIDES MATHEMATICAL ASSURANCE OF DELEGATION CHAIN VALIDITY; IT DOES NOT GUARANTEE THE IDENTITY, INTENT, OR TRUSTWORTHINESS OF THE DELEGATING HUMAN OR THE DELEGATED AGENT.

14. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW, IDENTITIES AI SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING LOSS OF PROFITS, DATA, OR BUSINESS OPPORTUNITY, ARISING OUT OF OR RELATED TO YOUR USE OF THE SERVICE, REGARDLESS OF THE THEORY OF LIABILITY. OUR TOTAL AGGREGATE LIABILITY SHALL NOT EXCEED THE GREATER OF (A) THE AMOUNTS PAID BY YOU TO US IN THE TWELVE MONTHS PRECEDING THE CLAIM, OR (B) ONE HUNDRED US DOLLARS ($100).

15. Indemnification

You agree to indemnify and hold harmless Identities AI, its officers, directors, employees, and agents from any claims, damages, losses, or expenses (including reasonable attorneys’ fees) arising from (a) your use of the Service; (b) your violation of these Terms; (c) your violation of any rights of a third party; or (d) delegation certificates issued under your organization’s authority.

16. Governing Law and Dispute Resolution

These Terms are governed by the laws of the State of Delaware, without regard to conflict-of-law principles. Any dispute arising under these Terms shall be resolved through binding arbitration administered by the American Arbitration Association under its Commercial Arbitration Rules, conducted in Seattle, Washington. Either party may seek injunctive relief in any court of competent jurisdiction to protect intellectual-property rights.

17. Changes to Terms

We may modify these Terms at any time by posting updated Terms on the Service. Material changes are communicated via email to the address associated with your account at least 30 days before they take effect. Your continued use of the Service after changes take effect constitutes acceptance of the modified Terms.

18. Contact

Legal: legal@identities.ai
Security: security@identities.ai
Identities AI, Inc. · Seattle, Washington, United States.