Terms of Service

Last updated 2026-04-23

1. The deal in plain English

Danda is an AI-driven SOC 2 / HIPAA gap-analysis service operated by ProductLove, Inc. (Delaware C-Corp). You pay us; we analyze the repository and infrastructure you authorize us to look at; we deliver a signed gap-analysis artifact within the timeframe of the tier you purchased. We do not issue SOC 2 attestation reports — that requires a CPA-licensed firm, which we are not.

2. Who can use Danda

You must be authorized to grant Danda access to the repository and infrastructure you submit. Submitting a repo without owner consent is a breach of these terms and may also violate applicable law. We require a signed attestation as part of every Pro audit intake.

3. What you give us

  • The URL of a public or owner-authorized GitHub repository.
  • Read-only access to your cloud account (gcloud / AWS / Azure) for verification probes — we never write, delete, or modify.
  • SQL probe results that you execute yourself in Cloud SQL Studio (or equivalent) and paste back. We never receive your database credentials.
  • A signed consent attestation confirming you are authorized to grant the above.

4. What we deliver

For Pro audits and above: a signed gap-analysis artifact bundle (PDF + ZIP, Ed25519 signature + SHA-256 manifest), readable as a pre-audit document by your CPA-qualified attestation auditor. For the free preview: 3 findings emailed to the address on file.

Turnaround targets: free preview in under 60 seconds; Pro audits within 2 business hours of intake submission. Targets, not guarantees — see Section 8 on liability.

5. What we don't do

  • We do not issue SOC 2, HIPAA, ISO 27001, PCI, or any other attestation report. We are not a CPA firm.
  • We do not connect to your production database. SQL queries are emitted as text; you execute them.
  • We do not modify your repository, cloud configuration, or any other system. Read-only, always.
  • We do not use your repository contents or audit results to train AI models.
  • We do not retain inference traces beyond the engagement; they are purged at delivery.

6. Intellectual property

  • Your repository contents: yours. We process them in-memory during the engagement; we do not store them after delivery.
  • The signed artifact bundle we deliver: yours. You own it. You can share it with auditors, regulators, customers, or attach it to a marketing page — your call.
  • Danda's methodology, prompts, models, and software: ours. Buying an audit grants you a license to the deliverable, not to the underlying methodology.

7. Confidentiality

We treat your repository contents and audit results as confidential. We will not disclose them to third parties except: (a) to subprocessors who help us deliver the service (model providers, infrastructure providers — listed in our Privacy Policy); (b) when required by law or court order; (c) when you explicitly authorize us in writing.

For healthcare engagements involving PHI, we sign a HIPAA Business Associate Agreement (BAA) on request. The BAA supplements these terms.

8. Liability

Liability cap. Our total liability to you for any claim arising from the engagement is capped at the amount you paid for that specific engagement. For a $1,500 Pro audit, our maximum liability is $1,500.

What we do not warrant. Danda's findings are AI-generated and reviewed by automated personas. We make a best-effort claim that findings are evidence-labeled with citations and reviewed before delivery. We do not warrant that the artifact will result in a successful auditor engagement, that it will surface every possible gap, or that downstream attestation outcomes will follow. The artifact is advisory.

What we do carry. Errors & Omissions (E&O) insurance through ProductLove, Inc. Certificate available on request.

Indemnification. We indemnify for direct damages caused by Danda's negligent acts in producing the artifact. You indemnify for damages caused by inaccurate inputs you provide (including SQL probe results you typed wrong, repo contents you did not have authorization to share, etc.).

9. Termination

You can cancel at any time. See the Refund Policy for what happens to fees paid. We can terminate your access if you breach these terms (notably: submitting repositories without authorization, attempting to reverse-engineer our methodology, or failing to pay).

10. Governing law

These terms are governed by the laws of Delaware, USA. Disputes will be resolved in Delaware state or federal court. We waive jury trial; either party can elect binding arbitration in Delaware (AAA rules) for disputes over $10,000.

11. Changes to these terms

We may update these terms. Material changes will be posted at danda.sh/terms with a new "Last updated" date and emailed to active customers. Continued use of the service after changes constitutes acceptance.

Operated by ProductLove, Inc. (Delaware C-Corp). Operator: Travis McElfresh. Questions? hello@danda.sh.
