Last updated: March 1, 2026
These Software Terms of Service (these “Software Terms”) govern access to and use of the Thallus software platform, applications, APIs, agent/workflow orchestration features, and related subscription services made available by Thallus LLC (“Thallus,” “Company,” “we,” “us,” or “our”) (collectively, the “Software” or the “Services”). These Software Terms are intended to be posted at https://thallus.ai/TermsOfService.
1.1 Website Terms of Use. Use of Thallus’s public-facing website, marketing pages, and other informational sites (collectively, the “Website”) is governed by the Thallus Website Terms of Use available at https://thallus.ai/TermsOfUse (the “Website Terms”), not these Software Terms. If there is a conflict between these Software Terms and the Website Terms with respect to the Services, these Software Terms control.
1.2 Privacy Policy. Thallus’s Privacy Policy is available at https://thallus.ai/privacy (the “Privacy Policy”) and describes how we process personal information. The Privacy Policy is incorporated by reference as it relates to our processing of personal information in connection with the Services. If there is a conflict between these Software Terms and the Privacy Policy regarding the parties’ contractual rights and obligations with respect to Customer Data (defined below), these Software Terms (and any applicable DPA) control.
1.3 Order Forms; Enterprise Terms. If Customer (defined below) enters into an order form, statement of work, or other ordering document referencing these Software Terms (each, an “Order Form”), the Order Form may specify additional terms (including pricing, plan, support, service levels, deployment options, and permitted usage). If there is a conflict between an Order Form and these Software Terms, the Order Form controls solely with respect to its subject matter.
1.4 Data Protection Addendum / BAA-Equivalent. The Thallus Data Protection Addendum (including, where applicable, business associate agreement terms) (the “DPA”) is incorporated by reference and forms part of these Software Terms. The DPA is made available in-product and/or as an attachment to an Order Form (and may also be provided by Thallus upon request). If there is a conflict between the DPA and these Software Terms with respect to data protection, confidentiality, security, or HIPAA-related terms, the DPA controls.
1.5 Definitions. Capitalized terms used but not defined in these Software Terms have the meanings given in the DPA (if applicable) or the relevant Order Form (if applicable). In addition, the following definitions apply: (a) “Documentation” means user guides, technical documentation, and policies made available by Thallus for the Services (including in-product or at thallus.ai), as updated from time to time; (b) “Fees” means subscription fees, usage-based fees, overage charges, and other fees payable for the Services as described in an Order Form or at checkout/in-product; (c) “Subscription” means the right to access and use a plan of the Services for a specified term in exchange for Fees; and (d) “Term” means the period during which Customer has an active Subscription or is otherwise authorized to use the Services (including any trial).
2.1 Eligibility. You must be at least 18 years old to use the Services.
2.2 Acceptance; Clickwrap. By clicking “I agree,” “Accept,” “Continue,” or a similar button, checking a box indicating acceptance, executing an Order Form that references these Software Terms, creating an account, or otherwise accessing or using the Services, Customer accepts and agrees to be bound by these Software Terms. If you do not agree, you may not access or use the Services.
2.3 Acceptance on Behalf of Customer. If you use the Services on behalf of an organization, entity, or other group (each, a “Customer”), you represent and warrant that you have authority to bind that Customer to these Software Terms. In that case, “you” and “your” refer to that Customer, except where these Software Terms expressly refer to individual end users.
2.4 Individual End Users. If you are an individual end user using the Services under a Customer account, your access is subject to these Software Terms and the Customer’s policies and administrator controls.
3.1 Account Types; Workspaces. The Services may allow creation of one or more accounts and workspaces, projects, agents, memories, workflows, and related configurations (each a “Workspace”). A Workspace may be administered by one or more users with administrative permissions (“Admins”).
3.2 Ownership and Control. As between Thallus and Customer, Customer owns and controls its Workspace(s) and associated administrative decisions, including adding/removing users, assigning roles and permissions, configuring integrations, selecting retention settings (if available), enabling automation, and managing data sources.
3.3 Admin Rights. Admins may have the ability to access, modify, export, share, delete, or restrict Customer Data and settings within the Workspace, and to enable features that send Customer Data to Third-Party Services (defined below). Customer is responsible for Admins’ and Authorized Users’ (defined below) actions and omissions.
3.4 Authorized Users. “Authorized Users” means individuals permitted by Customer to access and use the Services under Customer’s account (including employees, contractors, and agents). Customer is responsible for ensuring Authorized Users comply with these Software Terms and any applicable Order Form.
3.5 Account Security. Customer (and its Authorized Users) must maintain the confidentiality of login credentials, API keys, tokens, and secrets, and must promptly notify Thallus of any suspected unauthorized access. Customer is responsible for all activity under its account except to the extent caused by Thallus’s breach of these Software Terms.
3.6 Customer Responsibilities. Customer is responsible for: (a) maintaining accurate and complete account information; (b) using reasonable security measures for Authorized Users (including appropriate password management and access controls); (c) ensuring its Authorized Users are aware of and comply with these Software Terms and applicable Documentation; and (d) all activity conducted through its account and Workspaces (including actions performed by agents/workflows configured by Customer), except to the extent caused by Thallus’s breach of these Software Terms.
4.1 License Grant. Subject to timely payment of Fees (if applicable) and compliance with these Software Terms, Thallus grants Customer a limited, non-exclusive, non-transferable, non-sublicensable (except to Authorized Users) right during the Term to access and use the Services for Customer’s internal business purposes (or, if Customer is an individual, personal non-commercial purposes), in accordance with the applicable plan, Documentation, and Order Form (if any).
4.2 Restrictions. Customer will not, and will not permit any Authorized User or third party to: (a) reverse engineer, decompile, disassemble, or attempt to discover source code or underlying ideas or algorithms of the Services (except to the extent such restriction is prohibited by applicable law); (b) copy, modify, or create derivative works of the Services; (c) rent, lease, sell, resell, sublicense, or otherwise make the Services available to any third party (except as expressly permitted in an Order Form); (d) circumvent or disable security or access controls; (e) access the Services for the purpose of building a competitive product or service; (f) interfere with or disrupt the integrity or performance of the Services; or (g) use the Services in a manner that violates applicable law.
4.3 Prohibited Uses for AI / Workflow Automation. Without limiting Section 4.2, Customer will not use (and will not allow Authorized Users to use) the Services to: (a) generate, promote, or facilitate unlawful, harmful, infringing, or fraudulent activity; (b) perform unlawful surveillance, stalking, harassment, discrimination, or invasive profiling; (c) develop or deploy autonomous agents or workflows intended to cause harm, to exploit vulnerabilities, or to conduct unauthorized security testing, penetration testing, or red-teaming of Thallus or third-party systems; (d) use the Services to process or transmit malware or to enable credential theft, phishing, spam, or other abusive communications; (e) perform or automate decisions that create a risk of serious harm to persons or property (including medical diagnosis or treatment, emergency response, life-critical infrastructure control, weapons control, or safety-critical industrial control) without appropriate human review, approvals, and safeguards commensurate with the risk; (f) submit, upload, or transmit Customer Data that Customer does not have the right to use and provide to Thallus and (as applicable) Third-Party Services; or (g) use the Services in a manner that materially exceeds rate limits, plan limits, or usage restrictions, or that otherwise imposes unreasonable load or burden on the Services.
4.4 Suspension. Thallus may suspend or restrict access to the Services (in whole or in part) to the extent reasonably necessary to prevent or address (a) a security incident, (b) actual or suspected fraud or abuse, (c) material violation of these Software Terms, (d) non-payment of Fees, or (e) harm to the Services, Thallus, Customer, other customers, or third parties. Where practicable, Thallus will provide notice and an opportunity to cure; however, Thallus may suspend immediately if necessary to protect the Services or others, comply with law, or stop ongoing harm.
5.1 Customer Data Defined. “Customer Data” means data, content, prompts, documents, files, records, messages, metadata, configurations, workflows, memories, and other materials that Customer or its Authorized Users submit, upload, transmit, generate, or otherwise make available to or through the Services (including via integrations), excluding Thallus’s technology and any Third-Party Services.
5.2 Customer Data Ownership. As between the parties, Customer retains all right, title, and interest in and to Customer Data.
5.3 License to Process. Customer grants Thallus and its affiliates a worldwide, non-exclusive, royalty-free, fully paid-up right to host, store, back up, reproduce, process, transmit, display, and otherwise use Customer Data solely as necessary to: (a) provide, operate, maintain, secure, support, and troubleshoot the Services; (b) execute workflows, actions, and automations configured by Customer (including sending data to Third-Party Services as configured by Customer); (c) prevent, detect, and respond to service, security, support, and technical issues; (d) comply with applicable law, regulation, legal process, or enforceable governmental request; and (e) enforce these Software Terms.
5.4 Aggregated/De-Identified Data. Thallus may create and use de-identified, anonymized, or aggregated data derived from Customer Data and from use of the Services (“Aggregated Data”) for lawful purposes, including analytics, service improvement, benchmarking, and product development, provided that Aggregated Data does not identify Customer, Authorized Users, or any individual, and is created and used consistent with applicable law and the DPA.
5.5 Customer Responsibilities for Customer Data. Customer is responsible for (a) the legality, integrity, and accuracy of Customer Data; (b) obtaining all rights, permissions, and consents needed to provide Customer Data to Thallus and to enable processing by the Services and any Third-Party Services; and (c) configuring the Services (including permissions and approvals) in a manner appropriate for Customer’s intended use cases and compliance obligations.
6.1 Confidential Information. “Confidential Information” means non-public information disclosed by one party to the other that is designated as confidential or that reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Customer Data is Customer’s Confidential Information. The Services (including non-public features, Documentation, and pricing not publicly posted) are Thallus’s Confidential Information.
6.2 Confidentiality Obligations. Each party will (a) use the other party’s Confidential Information solely to perform its obligations and exercise its rights under these Software Terms; (b) protect the Confidential Information using at least reasonable care; and (c) not disclose the Confidential Information to any third party except to its employees, contractors, and professional advisors who have a need to know and are bound by confidentiality obligations at least as protective as those in these Software Terms.
6.3 Exclusions. Confidential Information does not include information that: (a) is or becomes publicly available through no breach; (b) was known to the receiving party without confidentiality obligations before receipt; (c) is independently developed without use of the disclosing party’s Confidential Information; or (d) is rightfully received from a third party without confidentiality obligations.
6.4 Compelled Disclosure. The receiving party may disclose Confidential Information to the extent required by law or legal process, if permitted, after providing prompt notice (to allow the disclosing party to seek protective relief) and disclosing only the minimum required.
6.5 Security Program. Thallus will implement and maintain administrative, physical, and technical safeguards designed to protect Customer Data and the confidentiality, integrity, and availability of the Services, consistent with industry-standard practices for similar services and as further described in the DPA.
6.6 HIPAA-Grade Protections for All Customers. Regardless of whether Customer is subject to HIPAA, Thallus will maintain safeguards for Customer Data that are no less protective than those required of a business associate under HIPAA for protected health information, as described in the DPA.
6.7 DPA / BAA-Equivalent Attachment and Incorporation by Reference. The DPA (including business associate obligations where applicable) is incorporated by reference. Customer’s and Thallus’s rights and obligations regarding processing of personal data and (if applicable) protected health information are set forth in the DPA.
7.1 Termination/Cancellation. Customer may cancel its Subscription in accordance with the applicable plan, Order Form, or account settings. Thallus may terminate or suspend access as provided in these Software Terms.
7.2 Deletion from Active Systems. Following cancellation or termination of Customer’s account (or expiration of a trial without conversion), Thallus will delete Customer Data from Thallus’s active systems within thirty (30) days, except as set forth in Sections 7.3 and 7.4 or as otherwise required by law or agreed in an Order Form.
7.3 Backups. Customer acknowledges that Customer Data may persist in encrypted backups for up to ninety (90) days consistent with Thallus’s backup and disaster recovery practices. During backup retention, Customer Data will remain protected in accordance with the DPA and will not be restored or accessed except as necessary for disaster recovery, security, or compliance purposes.
7.4 Narrow Anti-Abuse Retention (Email Only). Notwithstanding Sections 7.2–7.3, Thallus may retain the email address associated with the account (and minimal associated metadata reasonably necessary) for the limited purpose of preventing fraud, abuse, and repeat violations, and to comply with legal obligations.
8.1 Third-Party Services. The Services may interoperate with third-party applications, services, APIs, data sources, or model providers (“Third-Party Services”), including via connectors, plugins, tools, or integrations enabled by Customer.
8.2 Customer Choice and Responsibility. Customer is solely responsible for (a) selecting, enabling, and configuring Third-Party Services; (b) obtaining and maintaining any required accounts, licenses, permissions, and consents; and (c) complying with Third-Party Services’ terms and policies.
8.3 BYOK / Customer-Provided Keys. The Services may permit Customer to use Customer-provided API keys, tokens, endpoints, or credentials (including for LLM providers) (“BYOK”). Customer is solely responsible for maintaining the confidentiality, scope, and security of BYOK credentials, and for charges incurred with the Third-Party Service provider.
8.4 No Responsibility for Third-Party Services. Thallus does not control Third-Party Services and is not responsible for their operation, availability, security, outputs, or data practices. To the extent Customer directs the Services to transmit Customer Data to a Third-Party Service (including an LLM provider), Customer instructs Thallus to do so on Customer’s behalf. Customer bears responsibility for that instruction and for the Third-Party Service’s processing, except to the extent the DPA expressly allocates responsibilities to Thallus.
8.5 Third-Party Terms. Third-Party Services may impose usage limits, safety requirements, or restrictions on categories of data (including personal data or PHI). Customer is responsible for ensuring its use complies with those requirements.
9.1 Thallus Models and Generalized Training. Thallus will not use Customer Data to train, retrain, or improve Thallus’s generalized models in a manner that would make Customer Data (or information derived from it) available to other customers.
9.2 Third-Party Models. Where the Services transmit Customer Data to Third-Party Services for inference or processing, Thallus will configure and contractually require (where available and commercially reasonable) restrictions intended to prevent those Third-Party Services from using Customer Data to train or improve their general models for other customers; however, Thallus does not provide an absolute guarantee regarding a Third-Party Service’s independent conduct, and Customer is responsible for selecting providers and settings that meet Customer’s requirements.
10.1 Customer Control. Customer controls whether and how to configure workflows, agents, triggers, and automations (including actions that write data, send messages, make purchases, or call external systems).
10.2 Authorization and Approvals. Customer is responsible for ensuring it has appropriate internal authorizations and approvals for automated actions and that appropriate human review is implemented for high-risk use cases.
10.3 Unattended Execution. If Customer enables unattended or autonomous execution, Customer is solely responsible for monitoring, testing, and validating the workflow logic, approval steps, and safeguards, and for the resulting actions and outcomes.
10.4 Output Review. Customer is responsible for reviewing AI-generated outputs and for determining whether and how to rely on outputs in Customer’s business processes. Outputs do not constitute legal, medical, financial, or other professional advice.
11.1 Plans. Thallus may offer free trials, self-serve paid plans, and enterprise plans. Enterprise use is governed by an Order Form (and may include negotiated terms).
11.2 Trials. If Customer registers for a trial, Customer may access the Services during the trial period described at signup or in the Services. Unless otherwise stated, trials may be limited in features, usage, or time. Thallus may modify or end trials at any time to the extent permitted by law.
11.3 Self-Serve Paid Plans; Stripe; Subscription + Usage/Overages. For self-serve paid plans, Customer will provide a payment method and authorize Thallus (and its payment processors, including Stripe) to charge Customer’s payment method for Fees, taxes, and any applicable overages in accordance with the plan and pricing presented at checkout or in-product. Fees may include: (a) recurring subscription Fees billed in advance on a monthly or annual cadence; and (b) usage-based charges and overage charges (including, where applicable, for seats, agents, workflows, tasks/runs, tokens, API calls, storage, or other metered units) billed in arrears or as otherwise described at checkout or in-product. Customer is responsible for all Fees incurred under its account, including Fees incurred by Authorized Users and by workflows/agents configured by Customer.
11.4 Enterprise; Order Forms. For enterprise plans, Fees and billing terms are governed by the Order Form. If an Order Form includes invoicing, payment is due within thirty (30) days of invoice date unless otherwise stated in the Order Form.
11.5 Taxes. Fees are exclusive of taxes. Customer is responsible for all applicable taxes, duties, and government assessments, excluding taxes based on Thallus’s net income. If Thallus has the legal obligation to pay or collect taxes for which Customer is responsible, Thallus will invoice Customer and Customer will pay that amount unless Customer provides a valid tax exemption certificate.
11.6 Late Payments; Suspension. For invoiced amounts, Thallus may charge interest on overdue amounts at the lesser of 1.5% per month or the maximum rate permitted by law, plus reasonable costs of collection. Thallus may suspend access for overdue amounts after providing notice and an opportunity to cure (which may be provided via email or in-product), except where prohibited by an Order Form.
11.7 No Refunds; Usage Counting (Investigations/Runs). Except as required by law or expressly stated in an Order Form, Fees are non-refundable and non-cancelable once paid. If Customer cancels a Subscription, cancellation will be effective at the end of the then-current billing period, and Customer will remain responsible for all Fees incurred through the effective date of cancellation (including usage/overages accrued through the end of the billing period or otherwise charged in arrears as described at checkout/in-product). For clarity, where Fees are based on usage (including investigations, tasks, jobs, workflow runs, or similar metered units), each investigation/run is counted and billable upon initiation (or when processing begins), regardless of whether it completes, and regardless of any cancellation, pause, interruption, timeout, failure, or user-initiated stop.
12.1 Availability. Thallus will use commercially reasonable efforts to make the Services available, subject to planned maintenance, emergency maintenance, and circumstances beyond Thallus’s reasonable control.
12.2 Support. Support terms (including response times and support channels) are as described in the applicable plan documentation or Order Form.
12.3 Updates and Modifications. Thallus may update, modify, or discontinue features of the Services from time to time. Thallus will not materially reduce core functionality of a paid plan during a paid term without commercially reasonable notice, except for security, legal, or abuse-prevention reasons.
13.1 Thallus IP. As between the parties, Thallus and its licensors retain all right, title, and interest in and to the Services, software, APIs, Documentation, templates, and underlying technology, including all improvements and derivative works thereof.
13.2 Feedback. If Customer provides suggestions, ideas, enhancement requests, or other feedback (“Feedback”), Customer grants Thallus a worldwide, perpetual, irrevocable, royalty-free license to use, modify, and incorporate Feedback into the Services without obligation.
13.3 Output; Customer Responsibility; No Guarantee. The Services may generate outputs, recommendations, summaries, code, or other results (“Outputs”). Outputs may be inaccurate, incomplete, or inappropriate. Customer is responsible for evaluating Outputs and ensuring they are suitable for Customer’s purposes, including for compliance, safety, and professional standards.
13.4 IP in Customer Data; No Transfer. Except for the limited rights granted in these Software Terms, neither party grants the other any rights or licenses to its intellectual property. Customer represents and warrants that it has all rights necessary to provide Customer Data to the Services and to permit Thallus to process Customer Data as contemplated by these Software Terms.
14.1 Mutual Authority Warranty. Each party represents and warrants that it has the power and authority to enter into these Software Terms.
14.2 Disclaimer. EXCEPT AS EXPRESSLY PROVIDED IN THESE SOFTWARE TERMS OR AN ORDER FORM, THE SERVICES ARE PROVIDED “AS IS” AND “AS AVAILABLE.” THALLUS DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT, AND ANY WARRANTIES ARISING FROM COURSE OF DEALING OR USAGE OF TRADE. THALLUS DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, ERROR-FREE, OR THAT OUTPUTS WILL BE ACCURATE OR RELIABLE.
15.1 Exclusion of Damages. TO THE MAXIMUM EXTENT PERMITTED BY LAW, IN NO EVENT WILL THALLUS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR FOR ANY LOSS OF PROFITS, REVENUE, DATA, GOODWILL, OR BUSINESS INTERRUPTION, ARISING OUT OF OR RELATING TO THESE SOFTWARE TERMS OR THE SERVICES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
15.2 Liability Cap. TO THE MAXIMUM EXTENT PERMITTED BY LAW, THALLUS’S TOTAL LIABILITY ARISING OUT OF OR RELATING TO THESE SOFTWARE TERMS OR THE SERVICES WILL NOT EXCEED THE AMOUNTS PAID OR PAYABLE BY CUSTOMER TO THALLUS FOR THE SERVICES IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO LIABILITY (OR, IF CUSTOMER IS IN A FREE TRIAL, US$100).
15.3 Exceptions. Nothing in these Software Terms limits liability to the extent it cannot be limited under applicable law, or for a party’s fraud or willful misconduct.
16.1 Customer Indemnity. Customer will defend, indemnify, and hold harmless Thallus and its affiliates, officers, directors, employees, and agents from and against any third-party claims, damages, liabilities, costs, and expenses (including reasonable attorneys’ fees) arising out of or relating to: (a) Customer Data; (b) Customer’s or Authorized Users’ use of the Services in violation of these Software Terms, applicable law, or third-party terms; (c) Customer’s configurations, workflows, automations, or integrations (including actions taken through Third-Party Services); or (d) Customer’s products or services.
16.2 Process. Thallus will provide prompt notice of the claim (to the extent practicable), permit Customer to control the defense and settlement (provided settlement does not impose non-monetary obligations on Thallus without Thallus’s consent), and provide reasonable cooperation at Customer’s expense.
16.3 Thallus IP Indemnity. Thallus will defend Customer against any third-party claim that the Services, as provided by Thallus and used by Customer in accordance with these Software Terms, infringe or misappropriate such third party’s U.S. intellectual property rights, and will indemnify Customer for any damages finally awarded by a court of competent jurisdiction or paid in a settlement approved by Thallus. Thallus will have no obligation under this Section 16.3 to the extent a claim arises from: (a) Customer Data or Third-Party Services; (b) use of the Services in combination with products, services, or software not provided by Thallus where the claim would not have arisen but for such combination; (c) use of the Services not in accordance with these Software Terms, Documentation, or applicable law; or (d) any modification of the Services not made by Thallus. If the Services become, or in Thallus’s reasonable opinion are likely to become, subject to an infringement claim, Thallus may, at its option: (i) procure the right for Customer to continue using the Services; (ii) modify or replace the Services to make them non-infringing without materially reducing core functionality; or (iii) terminate the affected Services and refund any prepaid, unused subscription Fees for the terminated portion of the then-current paid term.
17.1 Term. These Software Terms begin when Customer first accesses or uses the Services and continue until terminated.
17.2 Termination by Customer. Customer may terminate in accordance with plan settings or an Order Form.
17.3 Termination by Thallus. Thallus may terminate or suspend access as permitted in these Software Terms, including for material breach.
17.4 Effect. Upon termination, Customer’s right to access the Services ceases. Sections that by their nature should survive will survive (including Sections 5, 6, 7, 8, 9, 11, 13, 14, 15, 16, 18, and 19).
18.1 Governing Law. These Software Terms are governed by the laws of the State of Colorado, without regard to conflict of law principles.
18.2 Venue. The parties agree to exclusive jurisdiction and venue in the state and federal courts located in Denver, Colorado, for any dispute arising out of or relating to these Software Terms, except where arbitration is elected or required.
18.3 Arbitration. At Thallus’s sole discretion, Thallus may require Customer to submit any disputes arising from these Software Terms or use of the Services, including disputes arising from or concerning their interpretation, violation, invalidity, non-performance, or termination, to final and binding arbitration under the Rules of Arbitration of the American Arbitration Association applying Colorado law.
19.1 Changes. Thallus may revise these Software Terms from time to time. The “Last updated” date at the top of these Software Terms will indicate when changes were posted. Thallus may provide notice of changes (for example, by email or in-product notice). Non-material changes will be effective as of the stated effective date and will apply prospectively. Material changes to these Software Terms will be effective only upon Customer’s affirmative acceptance via an in-product clickthrough or similar mechanism.
19.2 Continued Use; Material Updates Require Acceptance. Customer may be required to affirmatively accept material updates to these Software Terms (and any other terms and policies that govern use of the platform, including the Website Terms of Use and the Privacy Policy) in order to continue accessing or using the Services. If Customer does not accept such material updates when presented, Thallus may suspend, terminate, or limit Customer’s access to or use of the Services until Customer accepts (or until the Services are terminated in accordance with these Software Terms or an applicable Order Form). For avoidance of doubt, Customer’s continued access to or use of the Services after the effective date of a non-material change constitutes acceptance of that non-material change, except to the extent prohibited by applicable law or superseded by an Order Form during its then-current term.
19.3 Notices. Thallus may provide notices via email, in-product notifications (including clickthrough prompts where acceptance is required), or by posting on the Services. Customer is responsible for keeping account contact information current.
Questions about these Software Terms should be sent to: legal@thallus.ai.
(Including Business Associate Agreement Terms (When Applicable))
1.1 This Data Protection Addendum (this "DPA") supplements and forms part of the Thallus Software Terms of Service (the "Software Terms") between Thallus LLC ("Thallus," "Company," "we," "us," or "our") and the entity or individual agreeing to the Software Terms ("Customer," "you," or "your"). This DPA is incorporated by reference into the Software Terms and may also be made available in-product or attached to an Order Form. Section 8 (Business Associate Agreement Terms) applies only when and to the extent expressly stated in Section 1.3.
1.2 This DPA applies to all processing of Customer Data (as defined in the Software Terms) by Thallus in connection with the Services, including personal data and, where applicable, Protected Health Information (“PHI”) processed pursuant to Section 8.
1.3 Thallus provides HIPAA-grade data protection safeguards to all customers regardless of whether Customer is a Covered Entity, Business Associate, or otherwise subject to HIPAA. The safeguards and security standards described in this DPA apply to all customers as a baseline standard of care. The Business Associate Agreement terms in Section 8 apply when and to the extent (i) Customer is a Covered Entity or Business Associate under HIPAA and (ii) Thallus receives, creates, maintains, or transmits PHI on Customer’s behalf.
1.4 If there is a conflict between this DPA and the Software Terms with respect to data protection, confidentiality, security, or HIPAA-related terms, this DPA controls.
2.1 Capitalized terms not defined in this DPA have the meanings given in the Software Terms. In addition:
(a) "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Customer Data under this DPA, which may include (as applicable) HIPAA and the HITECH Act, U.S. state privacy laws, and their implementing regulations.
(b) "Breach" means (i) a Breach of Unsecured Protected Health Information as defined in 45 CFR § 164.402 (when Section 8 applies) and/or (ii) a confirmed Security Incident involving Customer Data that materially compromises the confidentiality, integrity, or availability of such Customer Data.
(c) "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations.
(d) "Protected Health Information" or "PHI" means protected health information as defined under HIPAA, to the extent received by Thallus from or on behalf of Customer or otherwise processed by Thallus on Customer’s behalf where Section 8 applies.
(e) "Security Incident" means any actual unauthorized access, acquisition, use, disclosure, modification, or destruction of Customer Data, or interference with system operations in a system that contains Customer Data, that compromises the confidentiality, integrity, or availability of Customer Data.
(f) "Subprocessor" means any third party engaged by Thallus to process Customer Data on Thallus’s behalf in connection with the Services.
(g) "Unsecured PHI" means PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified in guidance issued by the Secretary of HHS under 42 U.S.C. § 17932(h)(2).
3.1 Where Customer is a Covered Entity or Business Associate under HIPAA and Thallus receives, creates, maintains, or transmits PHI on Customer’s behalf, Thallus acts as a Business Associate with respect to such PHI.
3.2 For all other personal data, Thallus acts as a data processor or service provider (as applicable) processing Customer Data on Customer’s behalf and in accordance with Customer’s documented instructions, except for limited processing as described in the Software Terms and this DPA (e.g., security, fraud prevention, and legal compliance).
3.3 Customer is responsible for: (a) determining the lawful basis for processing; (b) ensuring it has obtained all necessary consents and authorizations; (c) configuring the Services and integrations appropriately for its compliance obligations; and (d) providing instructions to Thallus that comply with Applicable Data Protection Law.
4.1 Purpose Limitation. Thallus will process Customer Data only as necessary to provide the Services, as documented in the Software Terms, and in accordance with Customer’s instructions. Thallus will not process Customer Data for any other purpose unless required by law, in which case Thallus will inform Customer (unless legally prohibited from doing so).
4.2 No Selling or Use for Third-Party’s Own Purposes. Thallus will not sell Customer Data or disclose Customer Data to any third party for the third party’s own marketing or advertising purposes.
4.3 No Model Training. Consistent with Section 9 of the Software Terms, Thallus will not use Customer Data to train, retrain, or improve Thallus’s generalized models in a manner that would make Customer Data (or information derived from it) available to other customers.
4.4 Aggregated and De-Identified Data. As described in the Software Terms, Thallus may create and use de-identified, anonymized, or aggregated data for lawful purposes, provided such data does not identify Customer, its Authorized Users, or any individual, and is created and used consistent with Applicable Data Protection Law. Where such data is derived from PHI, de-identification will comply with HIPAA requirements.
4.5 Customer Instructions. The Software Terms (including this DPA), together with Customer’s use and configuration of the Services, constitute Customer’s complete and final instructions to Thallus for the processing of Customer Data.
5.1 Security Program. Thallus will implement and maintain a written information security program with administrative, technical, and physical safeguards designed to protect Customer Data against unauthorized access, acquisition, use, disclosure, modification, or destruction, consistent with industry-standard practices for similar services. The security program includes, at a minimum, the following measures (or materially equivalent measures), which may be updated from time to time as the Services evolve:
6.1 Authorized Subprocessors. Customer authorizes Thallus to engage Subprocessors to process Customer Data in connection with the Services. A current list of Subprocessors is available upon request or may be made available by Thallus via a webpage or in-product listing, and may be updated from time to time.
6.2 Subprocessor Obligations. Thallus will: (a) enter into a written agreement with each Subprocessor imposing data protection obligations no less protective than those in this DPA; (b) remain responsible for each Subprocessor’s compliance with the obligations of this DPA; and (c) be liable for the acts and omissions of its Subprocessors to the same extent Thallus would be liable if performing the services directly, subject to the limitations of liability set forth in the Software Terms.
6.3 New Subprocessors. Thallus will notify Customer of any new Subprocessor before authorizing such Subprocessor to process Customer Data (notification may be via email or in-product notice). If Customer objects to a new Subprocessor on reasonable data protection grounds within fourteen (14) days of notification, the parties will discuss Customer’s concerns in good faith. Where reasonably practicable, Thallus will use commercially reasonable efforts to make available an alternative to the objected-to Subprocessor for the affected processing. If the parties cannot resolve the objection, Customer may terminate the affected Services without penalty by providing written notice to Thallus.
6.4 BYOK and Third-Party Services. As set forth in the Software Terms, where Customer configures the Services to connect to Third-Party Services (including third-party LLM/model providers, whether or not connected via BYOK), those Third-Party Services are not Subprocessors of Thallus. Customer is responsible for its selection of and relationship with Third-Party Services.
7.1 Retention During Subscription. Thallus will retain Customer Data for the duration of Customer’s active Subscription, unless Customer requests earlier deletion of specific data.
7.2 Deletion Upon Termination. Following cancellation or termination of Customer’s account, Thallus will delete Customer Data from active systems within thirty (30) days, except as provided in Sections 7.3 and 7.4, as otherwise required by law, or as otherwise agreed in an Order Form.
7.3 Backup Retention. Customer Data may persist in encrypted backups for a limited period consistent with Thallus’s backup and disaster recovery practices following deletion from active systems. During this period, Customer Data in backups will remain encrypted and will not be accessed or restored except as necessary for disaster recovery, security, or compliance purposes.
7.4 Anti-Abuse Retention. As set forth in the Software Terms, Thallus may retain the email address associated with the account and minimal metadata solely for the purpose of preventing fraud, abuse, and repeat violations, and to comply with legal obligations.
7.5 Certification of Deletion. Upon Customer’s written request, Thallus will certify in writing that Customer Data has been deleted from active systems in accordance with this Section 7.
7.6 Return of Data. Prior to termination, Customer may export Customer Data using the export functionality available in the Services or by written request to Thallus. Thallus will provide reasonable assistance, upon Customer’s request, to facilitate data export in a commercially reasonable manner.
This Section 8 constitutes a Business Associate Agreement (“BAA”) as required by HIPAA only when Customer is a Covered Entity or Business Associate and Thallus receives, creates, maintains, or transmits PHI on Customer’s behalf. For avoidance of doubt, Thallus’s security safeguards described in this DPA are intended to be HIPAA-grade for all customers regardless of HIPAA applicability.
8.1 Permitted Uses and Disclosures
(a) Thallus will use and disclose PHI only as permitted or required by this DPA, the Software Terms, or as required by law.
(b) Thallus will not use or disclose PHI in a manner that would violate Subpart E of 45 CFR Part 164 if done by Customer (to the extent Thallus knows of such restriction).
(c) Thallus may use PHI for the proper management and administration of Thallus or to carry out its legal responsibilities, provided that: (i) the disclosures are required by law; or (ii) Thallus obtains reasonable assurances from the person to whom the PHI is disclosed that it will be held confidentially, used or further disclosed only as required by law or for the purposes for which it was disclosed, and that the person will notify Thallus of any instances of which it becomes aware in which the confidentiality of the information has been breached.
(d) To the extent applicable and agreed in writing by the parties that Thallus will carry out any obligation of Customer under the HIPAA Privacy Rule or Security Rule, Thallus will comply with the requirements of such Rules that apply to Thallus in the performance of such obligation.
8.2 Safeguards
Thallus will use appropriate administrative, physical, and technical safeguards, and comply with Subpart C of 45 CFR Part 164 with respect to ePHI, to prevent use or disclosure of PHI other than as provided for by this DPA. The safeguards described in Section 5 of this DPA are intended to address this requirement.
8.3 Reporting
(a) Thallus will report to Customer any use or disclosure of PHI not provided for by this DPA of which Thallus becomes aware, including any Security Incident or Breach of Unsecured PHI.
(b) Thallus will report any Breach of Unsecured PHI to Customer without unreasonable delay and in no case later than fifteen (15) days after Thallus confirms the Breach.
(c) Thallus’s Breach notification to Customer will include, to the extent reasonably available:
(d) Thallus will cooperate with Customer in Customer's performance of its own Breach notification and mitigation obligations under HIPAA.
8.4 Subcontractors. In accordance with HIPAA requirements, Thallus will ensure that any Subprocessor that creates, receives, maintains, or transmits PHI on behalf of Thallus agrees to the same restrictions, conditions, and requirements that apply to Thallus under this DPA with respect to such PHI.
8.5 Access to PHI. To the extent Thallus maintains PHI in a Designated Record Set on behalf of Customer, Thallus will make such PHI available to Customer as necessary for Customer to meet applicable access obligations. Thallus will respond to Customer’s access requests within fifteen (15) business days.
8.6 Amendment of PHI. To the extent Thallus maintains PHI in a Designated Record Set on behalf of Customer, Thallus will make such PHI available for amendment and incorporate any amendments to PHI as directed by Customer in accordance with applicable law.
8.7 Accounting of Disclosures. Thallus will make available to Customer information reasonably available to Thallus and required for Customer to provide an accounting of disclosures of PHI under applicable law. Thallus will maintain records of disclosures of PHI for a period of six (6) years from the date of disclosure, to the extent required and applicable.
8.8 Government Access. Thallus will make its internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of the U.S. Department of Health and Human Services to the extent required by HIPAA and limited to information relevant to such determination; provided that, to the extent permitted by law, Thallus may satisfy such request through production of responsive materials on a confidential basis and without providing access to information of other customers.
8.9 Minimum Necessary. Thallus will, to the extent practicable, limit its use, disclosure, and requests for PHI to the minimum necessary to accomplish the intended purpose, consistent with the HIPAA minimum necessary standard.
8.10 Mitigation. Thallus will mitigate, to the extent practicable, any harmful effect known to Thallus of a use or disclosure of PHI by Thallus in violation of this DPA.
8.11 Return or Destruction of PHI. Upon termination of the Software Terms, Thallus will return or destroy PHI received from or created on behalf of Customer in accordance with Section 7 of this DPA. If return or destruction is not feasible (including due to backup retention practices), Thallus will extend the protections of this DPA to such PHI and limit further uses and disclosures to those purposes that make return or destruction infeasible, for so long as Thallus retains such PHI.
9.1 For Customer Data that does not constitute PHI, Thallus will notify Customer of any confirmed Security Incident without unreasonable delay and in no case later than thirty (30) days after Thallus confirms the Security Incident.
9.2 Thallus will provide Customer with: (a) a description of the nature of the Security Incident; (b) the categories and approximate number of data records affected (if known); (c) the likely consequences of the Security Incident; and (d) the measures taken or proposed to be taken to address the Security Incident and mitigate its effects.
9.3 Thallus will cooperate with Customer’s reasonable requests to investigate and remediate the Security Incident.
10.1 Documentation Retention. Where Section 8 applies, Thallus will retain documentation required by HIPAA for a minimum of six (6) years. Thallus will otherwise retain security and compliance documentation in accordance with its record retention policies and applicable law.
10.2 Audit Rights. Upon Customer’s written request (not more than once per twelve-month period unless a Breach has occurred), Thallus will: (a) provide Customer with a copy of Thallus’s most recent SOC 2 Type II audit report (or equivalent third-party assessment) (subject to confidentiality restrictions); (b) upon request, respond in writing to a reasonable security questionnaire; and (c) provide reasonable written information describing Thallus’s compliance with the security measures described in this DPA.
10.3 On-Site Audit. If the information provided under Section 10.2 is not reasonably sufficient to confirm Thallus's compliance with the security measures described in this DPA, Customer may request an audit of Thallus's security controls and practices relevant to the processing of Customer Data. Any such audit will be: (a) at Customer's expense; (b) not more than once per twelve (12) months (unless a Breach has occurred or applicable law requires otherwise); (c) conducted upon at least thirty (30) days' prior written notice; (d) limited in scope to controls relevant to Customer Data and the Services; (e) conducted by Customer or an independent third-party auditor reasonably acceptable to Thallus; and (f) subject to reasonable confidentiality, security, and facility access requirements determined by Thallus. The audit will be conducted remotely unless on-site access is reasonably necessary. In no event will Customer or its auditor be permitted to access (i) other customers’ data, (ii) Thallus’s source code, or (iii) information that would unreasonably compromise Thallus’s security or the security of the Services.
10.4 Risk Assessment. Thallus will conduct periodic risk assessments of its security program and address identified risks in a timely manner.
11.1 For cloud-hosted deployments, Customer Data may be processed in the United States. Thallus may process Customer Data outside the United States only as necessary to provide the Services (including through Subprocessors) and in accordance with this DPA and the Software Terms. Upon Customer’s written request, Thallus will provide reasonable information regarding applicable Subprocessors and processing locations for the Services.
11.2 For self-hosted deployments, Customer Data remains within Customer’s own infrastructure and is not transferred to Thallus, except to the extent Customer configures the Services to transmit data to Thallus (e.g., for support, telemetry, or license verification, as described in the Software Terms).
12.1 This DPA is effective as of the date Customer accepts the Software Terms and will remain in effect for as long as Thallus processes Customer Data on Customer’s behalf.
12.2 Customer may terminate this DPA by terminating the Software Terms in accordance with their terms.
12.3 Upon termination, Thallus’s data deletion and return obligations in Section 7 will apply.
12.4 Sections 7 (Data Retention and Deletion), 8.3 (Reporting), 8.7 (Accounting of Disclosures), 8.11 (Return or Destruction of PHI), 9 (Breach Notification), 10 (Compliance Documentation and Audit), and 14 (Limitation of Liability) will survive termination.
12.5 Termination for Material Breach. If Thallus materially breaches any obligation under this DPA with respect to PHI (when Section 8 applies) and fails to cure such breach within thirty (30) days of receiving written notice from Customer, Customer may terminate this DPA and the affected Services. If cure is not feasible, Customer may terminate immediately upon written notice.
13.1 Governing Law. This DPA is governed by the laws of the State of Colorado, consistent with the Software Terms.
13.2 Amendments. Thallus may update this DPA from time to time to reflect changes in Applicable Data Protection Law, security practices, or the Services. Material changes will be communicated with reasonable notice via email or in-product notification. Changes that materially reduce Customer’s protections or materially increase Customer’s obligations will require Customer's affirmative acceptance (via clickthrough or equivalent mechanism) before taking effect. Customer’s continued use of the Services following acceptance constitutes agreement to the updated DPA. If Customer does not accept such changes, Customer may terminate the Services in accordance with the Software Terms.
13.3 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions will remain in full force and effect.
13.4 Entire Agreement. This DPA, together with the Software Terms and any applicable Order Form, constitutes the complete agreement between the parties regarding data protection in connection with the Services.
14.1 The limitations of liability set forth in the Software Terms apply to this DPA. Nothing in this DPA creates liability beyond what is set forth in the Software Terms, except to the extent required by Applicable Data Protection Law.