These Terms of Service (these "Terms") govern access to and use of the ArchRails platform, website at archrails.io, related documentation, and all software and services made available by ArchRails (collectively, the "Service"). By accessing the Service, registering for an account, or executing an order form, the entity on whose behalf access is sought ("Customer") agrees to these Terms.
If Customer has executed a separate Master Services Agreement ("MSA") with ArchRails covering the Service, the MSA controls and supersedes these Terms with respect to any conflicting provision. These Terms continue to apply for any matter not addressed by the MSA. An MSA and a Data Processing Agreement ("DPA") are available on request to legal@archrails.io.
The individual accepting these Terms represents that they are at least 18 years old and are authorized to bind the entity identified at signup.
Capitalized terms used in these Terms have the meanings set out below.
ArchRails is a federated cross-repo architecture governance platform built on the FINOS CALM v1 open standard. The Service:
The Service is licensed by module on annual contracts (see Section 6). Module availability and licensing details are described on the Licensing page at archrails.io/enterprise. Release Governance is scheduled for general availability in Q4 2026; until generally available, that module is not part of the Paid Subscription deliverable.
ArchRails holds a patent pending (filed March 2026) on its core architecture-governance technology that supports the Service.
Registration for Evaluation Access requires a corporate email address. Personal-email providers (including common consumer providers such as gmail.com, outlook.com, yahoo.com, proton.me, and similar) are not eligible. Exceptions are granted only via direct contact with ArchRails sales.
The individual registering for the Service represents that they (i) are at least 18 years old, (ii) have legal capacity to enter into these Terms, and (iii) are authorized to bind the legal entity identified at signup. The Service is intended for use by legal entities; individuals registering in a personal capacity are not the intended audience.
Customer is responsible for (a) maintaining the confidentiality of credentials issued to Authorized Users, (b) all activities that occur under Customer's account, and (c) promptly notifying ArchRails at security@archrails.io of any suspected unauthorized access.
ArchRails may refuse registration, terminate accounts, or remove Authorized Users at its reasonable discretion, including where registration appears non-corporate, abusive, or otherwise inconsistent with these Terms.
Evaluation Access is provided at no fee for a 14-day period from the date the account is provisioned. Evaluation Access includes full access to features then generally available on the Service. Evaluation Access does not include features that are scheduled for future availability (including, as of the Last Updated date, the Release Governance module).
On the 15th day following provisioning, the Evaluation Access workspace transitions to read-only. Customer continues to have access to the workspace, the dashboard, CALM Files, the cross-repo graph, and Audit Artifacts generated during the evaluation, but new pull-request reviews, new repository onboarding, new MCP tool calls, and other write operations are disabled until Customer executes a Paid Subscription order form.
Evaluation Access is for evaluation and assessment purposes only. Customer agrees not to use Evaluation Access for production architecture governance, production change-management decisions, or as the primary control supporting any external compliance attestation. Production use requires a Paid Subscription.
No service-level commitments apply during Evaluation Access. The Service is provided on an "as is" basis as described in Section 12.
If Customer does not convert Evaluation Access to a Paid Subscription within 90 days of read-only transition, ArchRails may delete the workspace and associated Customer Data. ArchRails will provide reasonable advance notice before deletion. See the Privacy Policy for the full retention schedule.
Paid Subscriptions are sold on annual terms via an executed order form referencing an MSA. ArchRails does not offer monthly billing, pay-per-use billing, or self-serve checkout for the Service.
The current licensing ladder — Paid POC, Team, Module (Federation, Compliance Enforcement, or Release Governance), Platform Bundle, and Platform+ — is described on archrails.io/enterprise. Pricing on that page is indicative; final pricing, scope, and entitlements are set in the order form. Release Governance is scheduled for general availability in Q4 2026 and is not part of any Paid Subscription deliverable prior to that date.
Each Paid Subscription is governed by an order form that incorporates by reference an MSA executed between Customer and ArchRails. The MSA addresses service-level commitments, professional services, custom integrations, indemnification mechanics, data protection, security, audit rights, and other matters specific to Paid Subscriptions. To the extent the MSA conflicts with these Terms, the MSA controls for the affected Customer.
Invoicing terms are set in the applicable order form. The Service is sold on a contract / invoice basis; ArchRails does not charge a credit card or process recurring payments for the Service itself.
The primary deployment model for Paid Subscriptions is BYOC Deployment. Customer is responsible for (a) providing the cloud account in which the Service control plane will operate, (b) authorizing the IAM roles required for the Service to function as documented, and (c) all cloud-provider charges incurred within Customer's account in connection with the Service.
In a BYOC Deployment, Customer Data — including CALM Files, the cross-repo architecture graph, Audit Artifacts, and merge metadata — resides in Customer-owned cloud storage (Customer's S3 buckets, GCS buckets, or Azure Blob containers), encrypted with Customer-managed keys (Customer's AWS KMS, GCP KMS, or Azure Key Vault keys). ArchRails does not maintain a copy of Customer Data outside Customer's cloud perimeter except as needed to provide the Service (for example, transient processing of pull-request diffs as described in Section 10).
Customer is responsible for the security configuration of its cloud account, for IAM hygiene of the principals to which the Service is granted access, for managing its KMS keys (including key rotation), and for the availability of the cloud-provider services on which the Service depends. ArchRails is responsible for the correctness and operation of the Service software running within Customer's account.
Evaluation Access is provided as a hosted, multi-tenant offering operated by ArchRails (not BYOC). Customer Data submitted during Evaluation Access is stored in ArchRails-operated infrastructure (subject to the controls described in the Privacy Policy) and is not migrated automatically to BYOC infrastructure upon conversion. Migration is addressed at Paid Subscription onboarding.
Customer agrees that it will not, and will not permit any Authorized User or third party to:
ArchRails may suspend access (with or without notice in the case of suspected abuse or security risk) for breaches of this Section 8, with a right to cure where the breach is curable.
The Service, including all underlying software, models, algorithms, user interfaces, documentation, branding, and trademarks (collectively, the "ArchRails IP"), is and remains the exclusive property of ArchRails and its licensors. These Terms do not grant Customer any right, title, or interest in the ArchRails IP except for the limited right to use the Service as expressly set out in these Terms or an applicable order form. ArchRails reserves all rights not expressly granted. ArchRails holds a patent pending (filed March 2026) on its core architecture-governance technology supporting the Service.
As between the parties, Customer owns all right, title, and interest in Customer Data (including CALM Files, the cross-repo architecture graph generated from Customer Data, Audit Artifacts, merge metadata, and Customer source code). Customer source code is never stored by the Service; ownership is acknowledged here for completeness even though no copy is held by ArchRails.
Customer grants ArchRails a non-exclusive, worldwide, royalty-free license to host, copy, transmit, display, and process Customer Data solely to the extent necessary to (a) provide and maintain the Service, (b) generate Audit Artifacts and operational telemetry, and (c) comply with applicable law. ArchRails will not use Customer Data to train or improve any model, including any model used by the Service, except (i) aggregated or de-identified data that cannot reasonably be re-associated with Customer or any individual or (ii) as expressly permitted in an executed MSA.
If Customer provides suggestions, enhancement requests, or other feedback regarding the Service, ArchRails may use such feedback for any purpose without obligation to Customer.
ArchRails does not store Customer source code. The Service processes pull-request diffs in memory only, for the duration necessary to generate the review verdict and post the corresponding review comments, and discards the diff thereafter. Customer source code never leaves Customer's source-control system (GitHub, GitLab, or other supported provider).
The Service stores CALM Files (architecture definitions, not source code), the derived cross-repo graph and graph metadata, Audit Artifacts, merge metadata (pull-request identifiers, branch names, timestamps, approver identities, rule results), and operational telemetry. In a BYOC Deployment, these are stored in Customer-owned cloud storage under Customer-managed keys (see Section 7).
Audit Artifacts generated by the Compliance Enforcement and Release Governance modules are retained for seven (7) years from generation to support SOX ITGC change-management evidence requirements. In a BYOC Deployment, retention is enforced by S3 Object Lock in compliance mode (or the cloud-provider equivalent) configured on Customer-owned storage. The full retention schedule for all data categories appears in the Privacy Policy.
On termination of the Service, Customer Data stored in ArchRails-operated infrastructure (i.e., Evaluation Access workspaces) is deleted in accordance with the schedule in the Privacy Policy. In a BYOC Deployment, Customer Data continues to reside in Customer-owned storage, under Customer control, after termination; ArchRails will revoke its access and provide reasonable assistance with operational handover.
Each party (the "Receiving Party") will protect the other party's ("Disclosing Party") Confidential Information using at least the same degree of care that the Receiving Party uses for its own confidential information of like importance, and in any case no less than a reasonable degree of care. "Confidential Information" means any non-public information disclosed by the Disclosing Party that is identified as confidential at the time of disclosure or that a reasonable person would understand to be confidential given its nature. Confidential Information of Customer includes Customer Data; Confidential Information of ArchRails includes non-public information about the Service, including pricing, security architecture, and Audit Artifact schemas.
Confidential Information does not include information that (a) is or becomes public through no fault of the Receiving Party, (b) was known to the Receiving Party without restriction before disclosure, (c) is independently developed without use of the Disclosing Party's Confidential Information, or (d) is rightfully obtained from a third party without confidentiality restriction.
The Receiving Party may disclose Confidential Information to the extent required by law or court order, provided that the Receiving Party (where legally permitted) gives the Disclosing Party prompt notice and reasonable assistance to seek a protective order. These confidentiality obligations survive termination for five (5) years; obligations regarding trade secrets survive for as long as the relevant information remains a trade secret.
Each party warrants that it has the legal authority to enter into these Terms and that doing so does not breach any other agreement.
For Paid Subscriptions, ArchRails warrants that the Service will perform materially in accordance with its published documentation. Specific service-level commitments (uptime, response times, support SLAs) are set in the MSA and, where applicable, the Platform+ tier definition. The remedy for breach of this warranty is set in the MSA.
EXCEPT AS EXPRESSLY SET FORTH IN THIS SECTION 12 OR IN AN EXECUTED MSA, THE SERVICE IS PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS WITHOUT WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, OR STATUTORY, INCLUDING WITHOUT LIMITATION IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND ANY WARRANTIES ARISING FROM COURSE OF DEALING OR USAGE OF TRADE. ARCHRAILS DOES NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED OR ERROR-FREE.
The Service produces evidence designed to support Customer's own compliance program. ArchRails does not represent that use of the Service alone constitutes compliance with any specific regulation; compliance remains Customer's responsibility and depends on Customer's overall control environment.
ArchRails will defend Customer against any third-party claim alleging that the Service, when used in accordance with these Terms and any applicable MSA, infringes that third party's patent, copyright, or trademark, and will pay any damages finally awarded by a court of competent jurisdiction or amounts agreed in a settlement to which ArchRails consented in writing.
Customer will defend ArchRails against any third-party claim arising out of (a) Customer's use of the Service in breach of these Terms, (b) Customer's CALM Files or other Customer Data (including any claim that such data infringes a third party's rights or violates applicable law), or (c) Customer's failure to maintain the security of its cloud account in a BYOC Deployment, and will pay any damages finally awarded or amounts agreed in a settlement to which Customer consented in writing.
The indemnification obligations in this Section 13 are conditioned on the indemnified party (i) giving prompt written notice of the claim, (ii) granting the indemnifying party sole control of the defense and settlement (provided no settlement adverse to the indemnified party will be entered without consent), and (iii) providing reasonable cooperation at the indemnifying party's expense.
This Section 13 states each party's sole liability and the other party's exclusive remedy for the matters covered.
EXCEPT FOR LIABILITY ARISING FROM (A) A PARTY'S CONFIDENTIALITY OBLIGATIONS, (B) ARCHRAILS' INDEMNIFICATION OBLIGATIONS UNDER SECTION 13.1, (C) CUSTOMER'S PAYMENT OBLIGATIONS, OR (D) GROSS NEGLIGENCE, FRAUD, OR WILLFUL MISCONDUCT, IN NO EVENT WILL EITHER PARTY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR FOR ANY LOSS OF PROFITS, REVENUE, DATA, OR BUSINESS OPPORTUNITY, ARISING OUT OF OR RELATING TO THESE TERMS OR THE SERVICE, WHETHER IN CONTRACT, TORT, OR ANY OTHER THEORY OF LIABILITY, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
EXCEPT FOR THE EXCLUDED LIABILITIES IDENTIFIED ABOVE, EACH PARTY'S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO THESE TERMS WILL NOT EXCEED THE FEES PAID OR PAYABLE BY CUSTOMER TO ARCHRAILS UNDER THE APPLICABLE ORDER FORM IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM. FOR EVALUATION ACCESS, ARCHRAILS' TOTAL AGGREGATE LIABILITY WILL NOT EXCEED ONE HUNDRED U.S. DOLLARS (US$100).
These Terms commence on Customer's first access to the Service and continue until terminated as provided in this Section. Paid Subscriptions have the term set in the applicable order form (typically annual).
Either party may terminate these Terms (and any active Paid Subscription) for material breach if the breaching party has not cured the breach within thirty (30) days of written notice describing the breach in reasonable detail.
ArchRails may terminate or suspend Evaluation Access at any time, with or without cause, with reasonable notice. Customer may discontinue Evaluation Access at any time by ceasing use and requesting workspace deletion at hello@archrails.io.
Upon termination, all rights granted to Customer under these Terms cease, and Customer must stop accessing the Service. Sections that by their nature should survive (including Sections 9, 10, 11, 13, 14, 17, and 18) will survive termination.
ArchRails may modify, enhance, or discontinue features of the Service from time to time. For material adverse changes to features generally available to Paid Subscription customers, ArchRails will provide at least ninety (90) days' advance notice. For deprecation of a feature, ArchRails will provide at least one hundred eighty (180) days' notice and document the deprecation in the Service release notes. ArchRails may make non-material changes (including security patches, bug fixes, and additive enhancements) without prior notice.
For Evaluation Access, no notice obligation applies.
These Terms are governed by the laws of the State of Delaware, without regard to its conflict-of-laws provisions, and excluding the U.N. Convention on Contracts for the International Sale of Goods. [LAWYER REVIEW: confirm Delaware vs. Florida; Customer is based in South Florida — anchor to the state that best aligns with the corporate jurisdiction and any insurance-policy venue requirements.]
Any dispute arising out of or relating to these Terms or the Service that the parties cannot resolve through good-faith negotiation within sixty (60) days will be finally resolved by binding arbitration administered by the American Arbitration Association ("AAA") under its Commercial Arbitration Rules. The arbitration will be conducted in English by a single arbitrator (or three arbitrators where the amount in controversy exceeds US$1,000,000) and will take place in Wilmington, Delaware [LAWYER REVIEW: align venue with §17.1 outcome]. Judgment on the award may be entered in any court of competent jurisdiction.
Notwithstanding Section 17.2, either party may seek interim or injunctive relief in any court of competent jurisdiction to protect its confidential information or intellectual property pending the outcome of arbitration.
To the extent permitted by law, the parties waive any right to participate in a class, collective, or representative action arising from or relating to these Terms or the Service.
Neither party may assign these Terms without the other's prior written consent, except that either party may assign to an affiliate or in connection with a merger, acquisition, or sale of substantially all of its assets, on written notice to the other party. Any attempted assignment in violation of this Section is void.
Neither party is liable for any failure or delay in performance (other than payment obligations) due to causes beyond its reasonable control, including acts of God, natural disasters, war, terrorism, civil unrest, labor disputes, cloud-provider outages, denial-of-service attacks, or government action.
Notices to ArchRails must be sent to legal@archrails.io. Notices to Customer will be sent to the email associated with Customer's account or, for Paid Subscriptions, to the notice address in the applicable order form. Notices are effective upon receipt (for email) or upon delivery (for courier).
If any provision of these Terms is held to be unenforceable, the remaining provisions will continue in full force, and the unenforceable provision will be reformed to the minimum extent necessary to make it enforceable while preserving the parties' intent.
These Terms (together with any applicable MSA, DPA, and order forms) constitute the entire agreement between the parties regarding the Service and supersede all prior agreements and understandings, written or oral, regarding the same subject matter.
Failure or delay in exercising any right under these Terms does not waive that right. No waiver is effective unless in writing and signed by the waiving party.
These Terms do not create any third-party beneficiary rights.
The parties are independent contractors. These Terms do not create any partnership, joint venture, agency, or employment relationship.
For questions about these Terms, the Service, or to request an MSA or DPA:
For privacy-specific inquiries, see the Privacy Policy.