Terms of Service

Last Updated: February 14, 2026

These Terms of Service ("Terms") govern your access to and use of OHaaS (OpenClaw Hardening as a Service), a proprietary enterprise platform provided by Ask Sage, a Big Bear.ai company ("Ask Sage," "we," "us," or "our"). By accessing or using OHaaS, you ("Customer," "you," or "your") agree to be bound by these Terms.

1. Service Description

OHaaS is a multi-tenant Kubernetes platform that provides hardened deployment infrastructure for AI assistants based on the open-source OpenClaw framework. The Service includes:

• FIPS 140-3 validated container images
• Multi-tenant namespace isolation with security watcher sidecars
• Administrative dashboard and management tools
• Network egress firewall and policy management
• Identity portability and backup features
• User App deployment capability (optional): A dedicated web application space on port 3800 where you may deploy custom dashboards, automation interfaces, or other tooling subject to the Acceptable Use Policy

We reserve the right to modify, suspend, or discontinue any part of the Service at any time with or without notice.

2. Acceptable Use Policy

2.1 Prohibited Activities

You must NOT use the Service for any of the following purposes:

• Illegal Activities: Any activity that violates applicable federal, state, local, or international laws or regulations
• Hacking or Unauthorized Access: Attempting to breach security, access other tenants' data, or exploit vulnerabilities in the platform
• Cryptomining: Using platform compute resources for cryptocurrency mining or similar resource-intensive activities
• Abuse or Harassment: Generating, distributing, or facilitating abusive, harassing, defamatory, or threatening content
• Spam or DDoS: Sending unsolicited communications, launching distributed denial-of-service attacks, or conducting network scanning
• Malicious Software: Developing, distributing, or executing malware, ransomware, viruses, or other malicious code
• Data Exfiltration: Unauthorized extraction or transfer of data from other systems or tenants

2.2 User App Compliance

If you deploy a User App on port 3800, you must ensure that it complies with all provisions of this Acceptable Use Policy. We reserve the right to disable, quarantine, or remove any User App that violates these Terms or poses a security risk.

3. Your Responsibilities

3.1 Agent Behavior and Actions

You are solely responsible for:

• All actions taken by your AI assistants, including tool executions, external API calls, and data processing
• Monitoring agent behavior and outputs for accuracy, safety, and compliance
• Implementing appropriate guardrails, human-in-the-loop approvals, and validation workflows
• Ensuring agents comply with your organizational policies, security requirements, and applicable laws

Agents can and will make mistakes. AI models are probabilistic systems that may produce factually incorrect, biased, harmful, or unexpected outputs. You acknowledge these risks and agree to implement appropriate oversight and controls.

3.2 Data and Backups

You are responsible for:

• Maintaining your own backups of critical data using the identity export feature or other backup mechanisms
• Securing API keys, credentials, and secrets stored in your tenant environment
• Ensuring data residency and classification requirements are met for your workloads
• Complying with applicable data protection laws (GDPR, CCPA, etc.)

While OHaaS provides automated backup PVCs, we are not liable for data loss, corruption, or deletion under any circumstances.

3.3 Security Best Practices

You must:

• Use strong authentication mechanisms (mTLS, YubiKey, OIDC/SSO) as appropriate for your security posture
• Regularly review egress firewall rules and watcher findings in the admin dashboard
• Promptly rotate API keys and credentials if compromise is suspected
• Report suspected security incidents to security@asksage.ai within 24 hours of discovery

3.4 Government Users

If you are a government entity or contractor operating under government authority, you must:

• Comply with all applicable agency policies, directives, and security controls
• Ensure proper data classification markings and handling procedures are followed
• Coordinate with your agency's authorizing official for ATO/ATC processes
• Adhere to NIST 800-53 controls, STIG benchmarks, and other compliance frameworks as required

4. Security Monitoring and Watcher Sidecars

Each tenant deployment includes a security watcher sidecar that performs real-time monitoring, including:

• Process execution monitoring and anomaly detection
• Network traffic analysis and egress policy enforcement
• Filesystem integrity checking and configuration drift detection
• Resource usage profiling and abuse detection

By using the Service, you consent to this security monitoring. The watcher may automatically quarantine your tenant (apply deny-all network policies) if critical security findings are detected. You can review findings and remediate issues through the admin dashboard.

5. Data Isolation and Privacy

OHaaS implements defense-in-depth tenant isolation:

• Dedicated Kubernetes namespaces with NetworkPolicy enforcement
• Separate persistent volume claims (PVCs) per tenant
• Pod Security Admission (PSA) restricted mode
• Istio service mesh with L7 egress filtering

You own your data. We do not access, use, or analyze your tenant data for any purpose other than platform operations and security monitoring. You may export your data at any time using the identity portability feature.

However, we cannot guarantee absolute protection against all security breaches. While OHaaS is designed for high-security environments, no system is completely invulnerable. You acknowledge this risk.

6. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW, THE SERVICE IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED.

Ask Sage, Big Bear.ai, and their affiliates, officers, employees, and contractors ("Ask Sage Parties") are NOT liable for:

• Data Loss: Loss, corruption, deletion, or unauthorized access to your data
• Agent Behavior: Actions taken by AI assistants, including incorrect outputs, harmful decisions, or unintended tool executions
• Downtime: Service interruptions, maintenance windows, platform failures, or degraded performance
• Security Incidents: Breaches, intrusions, or unauthorized access despite security controls
• Third-Party Services: Failures or issues with AI model providers (Anthropic, OpenAI, Google, AWS, Azure, etc.)
• Compliance Violations: Failure to meet regulatory requirements or pass audits
• Consequential Damages: Lost profits, business interruption, reputational harm, or any indirect, incidental, special, or consequential damages

IN NO EVENT SHALL THE ASK SAGE PARTIES' TOTAL LIABILITY EXCEED THE AMOUNT PAID BY YOU IN THE 12 MONTHS PRECEDING THE CLAIM.

7. Indemnification

You agree to indemnify, defend, and hold harmless the Ask Sage Parties from and against any claims, liabilities, damages, losses, and expenses (including reasonable attorneys' fees) arising out of or related to:

• Your use or misuse of the Service
• Actions taken by your AI assistants or User Apps
• Violation of these Terms or applicable laws
• Breach of security or data protection obligations
• Infringement of third-party intellectual property or privacy rights

8. Suspension and Termination

We may immediately suspend, quarantine, or terminate your access to the Service without notice if:

• You violate the Acceptable Use Policy
• Your tenant is used for malicious, illegal, or abusive activities
• Security monitoring detects critical threats or compromise
• You fail to pay applicable fees (for paid tiers)
• We are required to do so by law or government order

Upon termination, you must immediately export your data using the identity portability feature. We are not obligated to retain your data after termination.

9. Modifications to the Service and Terms

We reserve the right to:

• Modify, update, or discontinue features, APIs, or platform capabilities at any time
• Change these Terms by posting updated versions (effective immediately upon posting)
• Implement new security controls, monitoring mechanisms, or compliance requirements
• Migrate your tenant to different infrastructure or cloud regions as needed

Continued use of the Service after changes constitutes acceptance of the modified Terms.

10. No Guarantees for Authorization

While OHaaS is designed to support FedRAMP, DoW IL4/IL5/IL6, and other compliance frameworks, we do not guarantee that your deployment will receive an Authority to Operate (ATO) or Authority to Connect (ATC). Authorization is the responsibility of your agency's authorizing official. We provide artifacts, documentation, and a hardened platform to facilitate your authorization process.

11. Export Control and ITAR

You are responsible for compliance with all applicable export control laws, including the International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR). You must not use the Service to process, store, or transmit controlled technical data without proper authorization and licensing.

12. Governing Law and Dispute Resolution

These Terms are governed by the laws of the State of Delaware, United States, without regard to conflict of law principles. Any disputes arising from these Terms or the Service shall be resolved exclusively in the state or federal courts located in Delaware.

13. Contact Information

For questions about these Terms or the Service, contact:

• Sales: sales@asksage.ai
• Security Incidents: security@asksage.ai
• General Support: support@asksage.ai

14. Entire Agreement

These Terms, together with any executed Order Form or Master Services Agreement, constitute the entire agreement between you and Ask Sage regarding the Service and supersede all prior agreements and understandings.

By using OHaaS, you acknowledge that you have read, understood, and agree to be bound by these Terms of Service.