Effective Date: [TO BE SET AT LAUNCH] Version: 1.0
Third Division Labs LLC A Massachusetts Limited Liability Company
IMPORTANT NOTICE: These Terms of Service govern your use of Mallcop Pro, a managed AI inference service. Mallcop Pro provides compute capacity ("Donuts") that the Mallcop open-source software consumes when performing security monitoring operations. Mallcop Pro is a compute service, not a security guarantee. Read Section 8 carefully before using this Service.
The following terms have these meanings throughout this Agreement:
"Agreement" means these Terms of Service, together with any Order Forms, pricing schedules, and policies incorporated by reference.
"Anomaly Detection Service" means the feature of the Mallcop open-source software that compares observed events against a learned baseline to identify potential security anomalies. Mallcop Pro provides inference compute to support this feature but does not operate, control, or guarantee the outputs of this feature.
"BYOK Mode" or "Bring Your Own Key Mode" means the Free tier configuration in which you provide your own API keys to third-party model providers, and Mallcop Pro provides no inference services. In BYOK Mode, Third Division Labs LLC does not process, route, or bear any cost for inference operations.
"Company," "we," "us," or "our" means Third Division Labs LLC, a Massachusetts limited liability company.
"Connector" means a software plugin in the Mallcop open-source software that polls a specific third-party platform's API for event data. Connectors are components of the open-source CLI, not of Mallcop Pro.
"Customer Data" means the account information (name, email address, billing details) and usage telemetry (Donut consumption, operation counts, tier information) associated with your account. Customer Data does not include your security event data, findings, baseline data, or investigation results, which are stored in your own git repository and are not transmitted to or stored by Mallcop Pro.
"Diesel Model" or "Self-Improvement Feature" means the optional Mallcop feature that uses AI inference to propose modifications to your local Mallcop configuration files, detection rules, prompt instructions, or software code. See Section 9.
"Donut" means one unit of managed AI inference capacity provided by Mallcop Pro, equivalent to 5,000 tokens of compute capacity as metered server-side by Mallcop Pro. Donuts are a unit of compute, not a unit of security monitoring coverage.
"Finding" means an anomaly detected by the Mallcop open-source software and stored in your git repository as a JSONL record. Findings are generated by software running on your systems or infrastructure, not by Mallcop Pro.
"Mallcop CLI" or "Open-Source CLI" means the Mallcop open-source software distributed under the Apache License, Version 2.0, available at [https://github.com/3dl-dev/mallcop]. The Open-Source CLI is a separate product from Mallcop Pro.
"Mallcop Pro" or "Service" means the managed AI inference service operated by Third Division Labs LLC at mallcop.app, including the subscription management portal, Donut allocation, inference routing, and related account services. Mallcop Pro does not include the Mallcop CLI.
"Managed Inference" means the AI inference compute capacity provided by Mallcop Pro through Donut allocations, routed to third-party model providers via AWS Bedrock on your behalf. Third Division Labs LLC acts as an inference intermediary; it does not operate the underlying AI models.
"Modification" means any change to your Mallcop deployment's configuration files, detection rules, prompt instructions, actor definitions, or Python code proposed or applied through the Self-Improvement Feature.
"Order Form" means a written or electronic order specifying your subscription plan, sovereignty tier, and associated pricing.
"Sovereignty Tier" means your selected model-provider constraint: Open (any provider), Allied (US + EU + Five Eyes + allied nations), or US-Only (US-headquartered providers only). See Section 7.
"Subscription Donuts" means Donuts included with your subscription plan that reset to the plan allocation on each billing date. Unused Subscription Donuts do not roll over.
"Third-Party Platforms" means the cloud, SaaS, and infrastructure platforms that the Mallcop CLI's connectors poll for security event data, including but not limited to Microsoft Azure, Amazon Web Services, GitHub, Microsoft 365, and Vercel.
"You" or "your" means the individual or entity that has accepted this Agreement and registered for a Mallcop Pro account.
2.1 Agreement to Terms. By creating a Mallcop Pro account, activating a subscription, purchasing Donuts or credits, or using any feature of Mallcop Pro, you agree to be bound by this Agreement. You must affirmatively acknowledge your acceptance of this Agreement during the account creation or subscription activation flow. If you are entering into this Agreement on behalf of an organization, you represent that you have authority to bind that organization to these terms.
2.2 Age Requirement. You must be at least 18 years old and capable of forming a binding contract to use Mallcop Pro.
2.3 Business Use. Mallcop Pro is designed for use by businesses, developers, and technical operators. If you are a consumer (an individual using the Service primarily for personal, family, or household purposes), additional consumer protection rights may apply in your jurisdiction that cannot be waived by contract. Nothing in this Agreement limits rights that cannot be waived by law.
2.4 Changes to Terms. We may modify this Agreement from time to time. We will provide at least 30 days' advance notice of material changes by email to your registered address. Your continued use of the Service after the effective date of changes constitutes acceptance of the modified Agreement. If you disagree with changes, you may terminate your account before the effective date of the changes.
3.1 What Mallcop Pro Is. Mallcop Pro provides managed AI inference capacity (Donuts) that the Mallcop open-source software may consume when performing security monitoring operations on your systems. Mallcop Pro is a compute allocation service. We act as an inference intermediary: we receive API calls from your locally-running Mallcop CLI, route them to third-party AI model providers via AWS Bedrock, and meter the compute consumed as Donuts against your account balance.
3.2 What Mallcop Pro Is Not. Mallcop Pro is NOT:
(a) A managed security service provider (MSSP);
(b) A security operations center (SOC) or SOC-as-a-service;
(c) A guarantee, warranty, or assurance of security monitoring outcomes;
(d) A replacement for penetration testing, security audits, incident response, or professional security consulting;
(e) An operator of the Mallcop CLI or any Connector, Detector, or Actor running on your systems.
3.3 Where Processing Occurs. Security event data collected by the Mallcop CLI (logs, events, findings, baseline data, investigation results) is processed and stored locally on your systems in your git repository. That data does not pass through Mallcop Pro servers. What Mallcop Pro receives is inference API traffic: the prompt inputs your locally-running Mallcop CLI generates when it invokes a triage, investigation, or self-improvement operation.
3.4 Prompt Content Warning. Your Mallcop CLI may include security event details in inference prompts sent to Mallcop Pro as part of triage and investigation operations. You are responsible for reviewing your Mallcop configuration to understand what data is included in prompts. Do not configure Mallcop to include sensitive personal data, credentials, private keys, regulated health information, or classified information in inference prompts unless you have appropriate authorization and your selected Sovereignty Tier satisfies your data handling requirements.
3.5 Service Availability. We will use commercially reasonable efforts to maintain Mallcop Pro availability. We do not guarantee any specific uptime level. Scheduled maintenance, third-party provider outages, and force majeure events may cause interruptions. We are not liable for service interruptions except as expressly stated in this Agreement.
4.1 Account Creation. You must provide accurate and complete information when creating a Mallcop Pro account. You are responsible for maintaining the accuracy of your account information.
4.2 Account Security. You are responsible for maintaining the confidentiality of your Mallcop Pro API keys, account credentials, and any access tokens. You are responsible for all activity that occurs under your account, including unauthorized use that results from your failure to keep credentials secure. You must notify us promptly at security@mallcop.app if you suspect unauthorized access to your account.
4.3 API Key Security. Mallcop Pro issues API keys that authorize your locally-running Mallcop CLI to consume Donuts from your account. These keys should be treated as passwords. Do not commit them to version control, expose them in logs, or share them with unauthorized parties. If a key is compromised, rotate it immediately in the Mallcop Pro dashboard.
4.4 One Account Per User. Each account may be used by the authorized users associated with that subscription tier. You may not share accounts or API keys across separate organizations. Team tier subscribers may add multiple authorized users as permitted by their plan.
5.1 Subscription Plans. Mallcop Pro offers the following subscription tiers as described in the current pricing schedule at mallcop.app/pricing. Pricing, Donut allocations, and tier features are subject to change with 30 days' notice:
5.2 Donut Mechanics.
(a) Conversion Rate. One Donut equals 5,000 tokens of AI inference compute as metered server-side by Mallcop Pro. This conversion rate may be adjusted with 30 days' notice.
(b) Subscription Donuts Reset. Subscription Donuts reset to the full plan allocation on each billing date. Unused Subscription Donuts do not roll over and have no cash value.
(c) Dollar Credits. Dollar Credits are separate from Subscription Donuts. You may purchase Dollar Credits to cover Donut consumption beyond your subscription allocation. Dollar Credits are priced at $0.05 per Donut (or current rate at mallcop.app/pricing). Dollar Credits persist across billing cycles until consumed.
(d) Consumption Order. Subscription Donuts are consumed before Dollar Credits.
(e) Auto-Refill. If you enable Auto-Refill, we will automatically purchase Dollar Credit packages when your Dollar Credit balance falls below a threshold you configure. Auto-Refill can be disabled at any time.
(f) Explicit Model Requests. If you configure Mallcop to request a specific AI model (e.g., Claude Sonnet), that model may consume Donuts at a higher rate than the default lane model for your Sovereignty Tier. The premium rate reflects the higher inference cost and maintains our margin targets. Donut consumption for explicit model requests is metered server-side and shown in your account dashboard.
5.3 Payment and Billing.
(a) Payment Processor. Mallcop Pro payments are processed by Polar (polar.sh), which acts as Merchant of Record. We do not receive, store, or process your payment card information. Your billing relationship for payment card data is with Polar, and Polar's terms of service apply to payment processing.
(b) Billing Cycle. Subscriptions are billed monthly in advance. Your billing date is the date you first activated your paid subscription.
(c) Payment Failure. If a payment fails, we will attempt to retry and notify you. If payment is not received within 7 days of the due date, we may suspend your account's Donut consumption until payment is resolved. Suspended accounts retain their account data.
(d) Taxes. Prices are exclusive of applicable taxes. Polar collects and remits applicable sales tax, VAT, and GST as Merchant of Record. Tax treatment depends on your jurisdiction.
5.4 Refund Policy.
(a) Subscription Fees. Monthly subscription fees are non-refundable except as required by applicable law or as expressly stated in this section.
(b) Refunds for Service Unavailability. If Mallcop Pro experiences more than 72 consecutive hours of complete service unavailability (measured as inability to process any inference API calls) due to factors within our control, you may request a prorated credit for the affected period. This is your sole remedy for service unavailability.
(c) Dollar Credits. Dollar Credits that have not been consumed are refundable within 30 days of purchase if you are terminating your account. Consumed Dollar Credits are non-refundable.
(d) No Security Outcome Refunds. We do not offer refunds based on Mallcop's failure to detect security incidents, false positives, false negatives, or any other security monitoring outcome. See Section 8. Security monitoring results are produced by the Mallcop open-source software running on your systems, not by Mallcop Pro.
5.5 Plan Changes.
(a) Upgrades. Plan upgrades take effect immediately. You will be charged a prorated amount for the remainder of the current billing cycle.
(b) Downgrades. Plan downgrades take effect at the next billing cycle. Unused Subscription Donuts are not credited or refunded when downgrading.
(c) Cancellation. You may cancel your subscription at any time. Your subscription remains active through the end of the current billing period. We do not prorate cancellations.
6.1 No Managed Inference. In BYOK Mode (Free tier), you provide your own API keys to third-party AI model providers. Mallcop Pro does not process, route, or intermediate your inference calls in BYOK Mode. Your inference traffic flows directly from your systems to your chosen model provider.
6.2 Zero Inference Liability. In BYOK Mode, Mallcop Pro provides no inference services. We have no liability for the behavior, availability, output quality, cost, or data handling of your chosen model provider. Your relationship with your model provider is governed solely by that provider's terms of service.
6.3 BYOK Donut Tracking. Even in BYOK Mode, the Mallcop CLI uses Donuts as an operation tracking metric (so you can monitor your operation volume). In BYOK Mode, these Donuts are not billed to Mallcop Pro — they are a local accounting mechanism only.
6.4 Cost Comparison. Mallcop Pro may display estimated BYOK costs versus managed subscription costs in its mallcop status --costs output. These estimates are illustrative based on typical usage patterns and should not be relied upon as exact billing predictions for your model provider.
7.1 Available Tiers. Mallcop Pro offers three Sovereignty Tiers that constrain which AI model providers your Donut allocation may route to:
7.2 Model Provider Disclaimer. Regardless of Sovereignty Tier, all inference is routed through AWS Bedrock infrastructure hosted in US AWS regions. Sovereignty Tier governs the corporate headquarter location of the model provider, not the physical location of compute. We make no representations about the data handling, security, or compliance posture of any model provider. The Sovereignty Tier is a model selection constraint, not a compliance certification or data localization guarantee.
7.3 No Compliance Guarantee. Sovereignty Tier selection does not constitute compliance with any regulatory requirement, including but not limited to ITAR, EAR, FedRAMP, CMMC, HIPAA, SOC 2, GDPR, or any other standard. You are responsible for determining whether Mallcop Pro's model routing is appropriate for your compliance obligations.
7.4 Model Catalog Changes. We may add, remove, or change default models in the Mallcop Pro catalog at any time, subject to 30 days' notice for changes that materially affect your selected Sovereignty Tier. If a model you have explicitly configured is removed, you will be notified and the affected operations will fall back to the default lane model for your Sovereignty Tier.
7.5 No Model Performance Warranty. We make no warranty that any model in our catalog will produce accurate, complete, or useful outputs for security monitoring operations. Detection quality depends on model capability, prompt quality, connector data quality, baseline accuracy, and many other factors outside our control.
READ THIS SECTION CAREFULLY. It defines the core scope of what Mallcop Pro provides and what it does not.
8.1 Mallcop Pro Is Compute, Not Security. Mallcop Pro provides AI inference tokens (Donuts) that the Mallcop open-source software may consume. Mallcop Pro does not perform security monitoring, does not analyze your security events, does not generate findings, and does not protect your systems. All detection, analysis, triage, and investigation occurs in the Mallcop CLI running on your own systems.
8.2 No Guarantee of Detection. We do not warrant, represent, or guarantee that the Mallcop CLI (or any combination of Mallcop CLI and Mallcop Pro) will:
(a) Detect any particular security threat, breach, unauthorized access, vulnerability, malware, or other security incident;
(b) Prevent any security incident from occurring;
(c) Alert you before damage occurs from any security incident;
(d) Detect security incidents affecting systems, platforms, or services not covered by your configured Connectors;
(e) Detect security incidents that occurred before events were made available through a third-party platform's API (including API lag and retention limits);
(f) Operate free of false positives or false negatives;
(g) Replace, supplement, or substitute for professional security services.
8.3 Detection Limitations. The security monitoring capabilities of the Mallcop system are inherently limited by:
(a) The coverage, accuracy, completeness, and timeliness of event data provided by Third-Party Platform APIs;
(b) The accuracy of the learned baseline model, which requires a learning period and may not reflect all variations in normal activity;
(c) The scope of your configured Connectors — platforms without active Connectors are not monitored;
(d) The quality, completeness, and correctness of the Mallcop open-source software's detection logic, which is provided AS IS under Apache 2.0;
(e) The capability of the AI models used in inference operations, including known limitations of large language models (hallucination, context window limits, inconsistent reasoning);
(f) Modifications to the Mallcop CLI or its configuration, including Modifications applied through the Self-Improvement Feature;
(g) Your system's configuration, network architecture, and the threat actor's sophistication.
8.4 Security Is Your Responsibility. You remain solely responsible for the security of your systems, data, and infrastructure. Mallcop is a tool to assist your security monitoring program. It is not a substitute for:
(a) A security operations center (SOC) or incident response team;
(b) Penetration testing and vulnerability assessments;
(c) Security audits and compliance reviews;
(d) Professional security consulting;
(e) Comprehensive security practices, including access controls, patch management, backup, and incident response planning.
8.5 Not a Security Guard. Marketing materials may use analogies such as "the guy on the Segway who notices when something's off" to describe Mallcop's scope. These analogies are intended to communicate limited scope — observation and notification, not protection, intervention, or guarantee. Mallcop reduces the window between a security event occurring and you becoming aware of it. It does not eliminate security risk.
8.6 Industry Context. The limitation of liability for missed security detections is industry-standard practice across all security software vendors, including antivirus vendors, SIEM providers, and endpoint detection products. You acknowledge that you are aware of this industry practice and that the pricing of this Service reflects the absence of detection guarantees.
9.1 Feature Description. The Self-Improvement Feature ("Diesel Mode") is an optional capability of the Mallcop CLI that uses AI inference to propose changes to your local Mallcop deployment. Self-improvement operations may propose Modifications to: YAML configuration files, Markdown prompt instructions, detector rules, actor definitions, and (with appropriate approval settings) Python code.
9.2 Modifications Occur on Your Systems. All Modifications are made to software and configuration files running on your systems or infrastructure. Mallcop Pro provides the inference tokens that the self-improvement operation consumes. Mallcop Pro does not receive, store, review, validate, or control Modifications.
9.3 User Approval and Responsibility. The Mallcop CLI's self-improvement approval levels are:
mallcop
always: Automatically applies Modifications that pass regression testing.gated: Applies Modifications only after all validation gates pass.autonomous: Applies all Modifications without waiting for gates.yolo: Applies all Modifications without validation. Use at your own risk.You are solely responsible for:
(a) Selecting your approval level and understanding its implications;
(b) Reviewing proposed Modifications before they are applied;
(c) Testing your Mallcop deployment after Modifications are applied;
(d) The behavior of your Mallcop deployment after Modifications — including any increase in false positives, false negatives, detection gaps, or resource consumption — regardless of how those Modifications were proposed or validated.
9.4 No Liability for Post-Modification Behavior. We are not liable for any security impact, missed detections, false positives, false negatives, system behavior, or other consequences arising from Modifications applied through the Self-Improvement Feature, regardless of whether those Modifications were automatically applied or human-approved. This limitation applies whether the Modification was beneficial, neutral, or harmful.
9.5 Regression Testing Is Not a Guarantee. The Mallcop CLI's built-in regression testing validates that Modifications do not break basic functionality as measured by defined test cases. Passing regression tests does not guarantee that Modifications improve security monitoring effectiveness, do not introduce new detection gaps, or are appropriate for your environment.
9.6 Novel Legal Territory. You acknowledge that the self-modification of AI-assisted security detection logic is a novel practice and that the legal frameworks governing liability for autonomous AI modification are unsettled. You accept the risks associated with enabling this feature, including risks that may not be fully understood at the time you accept these terms.
10.1 Dependency on APIs We Do Not Control. The Mallcop CLI's detection capability depends on data provided by Third-Party Platforms through their published APIs. We do not control those APIs, their data quality, their rate limits, their authentication requirements, their data retention policies, or their availability.
10.2 No Liability for Third-Party Data Deficiencies. We are not liable for:
(a) Security incidents resulting from gaps, delays, inaccuracies, or errors in data provided by Third-Party Platform APIs;
(b) Platform API changes, outages, or deprecations that affect Mallcop CLI functionality;
(c) Retention limits that cause security events to age out of the API before Mallcop polls for them;
(d) Platforms, services, or infrastructure that lack an active Connector — unmonitored platforms are your responsibility.
10.3 Third-Party Terms. Your use of Third-Party Platforms, including your use of their APIs with the Mallcop CLI, is governed by those platforms' terms of service. You are responsible for obtaining and maintaining appropriate API credentials and permissions.
10.4 AWS Bedrock. Managed inference routing is performed via AWS Bedrock. AWS Bedrock's availability, performance, and data handling terms apply to inference operations processed through Mallcop Pro. Third Division Labs LLC is an AWS customer and is not affiliated with Amazon.
10.5 Polar Payments. Billing is processed by Polar (polar.sh). Polar's terms of service govern the payment relationship. We are not responsible for Polar's payment processing, refund decisions, or data handling beyond our obligations under this Agreement.
11.1 Our Rights. Mallcop Pro, including its infrastructure, portal, APIs, billing logic, inference routing systems, and all associated documentation, is owned by Third Division Labs LLC. We grant you a limited, non-exclusive, non-transferable, revocable license to access and use Mallcop Pro during the term of this Agreement, solely for your internal security monitoring operations.
11.2 Open-Source CLI. The Mallcop open-source CLI is licensed under the Apache License, Version 2.0. Your rights to use, modify, and distribute the CLI are governed by that license, not by this Agreement. This Agreement does not grant or restrict any rights under the Apache 2.0 license.
11.3 Feedback. If you provide feedback, suggestions, or ideas about Mallcop Pro, you grant us a non-exclusive, royalty-free, perpetual license to use that feedback for any purpose, including improving the Service.
11.4 Your Data. You retain all rights to Customer Data and to the security event data, findings, and other data stored in your git repository. We claim no ownership over your data.
11.5 Inference Output Ownership. The outputs of inference operations (triage conclusions, investigation annotations, proposed Modifications) are generated by third-party AI models at your direction. Ownership of those outputs is subject to the terms of the underlying model providers. We make no claims to inference outputs.
12.1 Separate Products. The Mallcop CLI and Mallcop Pro are separate products. The CLI is open-source software under Apache 2.0. Mallcop Pro is a commercial managed inference service. These Terms of Service govern Mallcop Pro only.
12.2 CLI Is AS IS. The Mallcop CLI is distributed under Apache 2.0, which disclaims all warranties and limits liability to the maximum extent possible. The Apache 2.0 disclaimer is in addition to, and not limited by, the disclaimers in this Agreement.
12.3 CLI Behavior Is Your Responsibility. Security outcomes depend on the Mallcop CLI's behavior, which is determined by the open-source software, your configuration, your deployed Connectors, Detectors, and Actors, and any Modifications you have applied. Mallcop Pro has no control over CLI behavior. We are not responsible for CLI bugs, misconfiguration, or unexpected behavior.
12.4 No Managed CLI Updates. Mallcop Pro does not automatically update the Mallcop CLI installed on your systems. You are responsible for updating to current versions and reviewing release notes for security-relevant changes.
13.1 Permitted Use and User Representations. You may use Mallcop Pro only for legitimate security monitoring of systems and infrastructure that you own or are authorized to monitor. By using Mallcop Pro, you represent and warrant that:
(a) You have lawful authority to monitor the systems, networks, and platforms you connect via Mallcop CLI Connectors;
(b) Your use of Mallcop Pro, including the security event data and inference prompts you generate, complies with all applicable laws, regulations, and third-party terms of service;
(c) You have obtained any required consents from individuals whose data may appear in security event logs that the Mallcop CLI collects and submits as inference prompts;
(d) The inference prompts you generate through Mallcop Pro do not contain information that you are prohibited from transmitting to third-party AI model providers by law or contract (such as classified information, export-controlled data, or information subject to an attorney-client privilege you wish to preserve).
Breach of any of the foregoing representations is a material breach of this Agreement.
13.2 Prohibited Uses. You may not use Mallcop Pro to:
(a) Monitor systems, networks, or infrastructure you do not own or are not authorized to monitor;
(b) Generate prompts that include unauthorized credentials, private keys, secrets, or data you do not have the right to process through third-party AI inference;
(c) Circumvent, disable, or interfere with Mallcop Pro's metering, authentication, or billing systems;
(d) Resell, sublicense, or provide Donut access to third parties without our written consent;
(e) Use Mallcop Pro in any way that violates applicable law, including export control laws, data protection regulations, or computer fraud and abuse statutes;
(f) Attempt to reverse-engineer, decompile, or extract the source code of Mallcop Pro's infrastructure;
(g) Conduct or facilitate attacks on Third-Party Platforms or any other systems using Mallcop infrastructure;
(h) Generate, store, or transmit content that is unlawful, harmful, fraudulent, or offensive.
13.3 Enforcement. We reserve the right to suspend or terminate accounts that violate this policy, with or without prior notice. We will provide notice when practicable and when doing so does not compromise security.
14.1 Privacy Policy. Our handling of Customer Data is governed by our Privacy Policy at mallcop.app/privacy, incorporated herein by reference.
14.2 Data We Collect. Mallcop Pro collects:
(a) Account information: name, email address, company name (optional);
(b) Payment information: processed and stored by Polar as Merchant of Record; we do not receive or store card numbers;
(c) Usage telemetry: Donut consumption, operation counts, tier, Sovereignty Tier, API call timestamps;
(d) Inference prompt content: the text your Mallcop CLI submits to inference operations.
14.3 Security Event Data Is Not Ours. Your security event data (raw events, findings, baseline data, investigation results) is stored in your git repository on your systems. This data does not pass through Mallcop Pro except as included in inference prompts (see Section 3.4). We do not claim ownership of, or responsibility for, your security event data.
14.4 Prompt Content and Third-Party Model Retention. Inference prompts submitted through Mallcop Pro may contain security event details. We route these prompts to model providers via AWS Bedrock as an intermediary. We do not analyze prompt content for purposes other than routing and metering. Third-party model providers may retain inference prompt content under their own data handling policies, and we have no control over such retention. You are solely responsible for ensuring that the content you permit Mallcop CLI to include in inference prompts is appropriate for transmission to third-party AI services. We recommend reviewing your Mallcop CLI configuration and the data handling policies of the model providers accessible via your selected Sovereignty Tier.
14.5 We Do Not Train on Your Data. We do not use your Customer Data or inference prompt content to train AI models.
14.6 CCPA / GDPR. If you are a California resident, you may have rights under the California Consumer Privacy Act (CCPA). If you are in the European Economic Area, you may have rights under the General Data Protection Regulation (GDPR). Our Privacy Policy describes these rights and how to exercise them.
14.7 Security. We implement commercially reasonable security measures to protect Customer Data. However, no system is completely secure. You acknowledge that transmitting data over the internet involves inherent security risks.
15.1 Mutual Confidentiality. Each party agrees to keep confidential the other party's non-public business information that is designated as confidential or that a reasonable person would understand to be confidential given the nature of the information and circumstances of disclosure.
15.2 Exclusions. Confidentiality obligations do not apply to information that: (a) is or becomes publicly available through no breach of this Agreement; (b) was known to the receiving party before disclosure; (c) is independently developed without reference to confidential information; or (d) is required to be disclosed by law, court order, or regulatory authority (with prompt notice to the disclosing party where permitted).
15.3 Our Obligations. We will not disclose your account details, usage patterns, or Customer Data to third parties except: (a) as necessary to provide the Service (including to Polar for billing and AWS for inference routing); (b) as required by law; (c) to protect our legal rights; or (d) with your consent.
16.1 Your Indemnification. You agree to indemnify, defend, and hold harmless Third Division Labs LLC, its members, officers, employees, contractors, and agents from and against any claims, damages, losses, costs, and expenses (including reasonable attorneys' fees) arising from or relating to:
(a) Your use of Mallcop Pro in violation of this Agreement or applicable law;
(b) Security event data or inference prompt content you submit that infringes third-party intellectual property rights or violates applicable law;
(c) Your Mallcop CLI deployment, configuration, or Modifications, including any harm caused by detection gaps or erroneous findings;
(d) Your failure to maintain adequate security practices independent of Mallcop;
(e) Claims by third parties (your customers, employees, partners, or affected parties) arising from security incidents affecting your systems.
16.2 Our Indemnification. We will indemnify, defend, and hold harmless you from and against any claims by third parties that Mallcop Pro (the managed inference service itself, not the open-source CLI) directly infringes a valid patent, copyright, or trademark. Our obligation is conditioned on: (a) you providing prompt written notice of the claim; (b) you granting us control of the defense; and (c) you providing reasonable cooperation. If a claim arises, we may, at our option, modify the Service to be non-infringing, obtain a license, or terminate the affected features and provide a prorated refund.
16.3 No Indemnification for Security Outcomes. We do not indemnify you for any claims arising from the failure of Mallcop (CLI or Cloud) to detect, prevent, or mitigate security incidents. Security outcome claims are your responsibility per Section 8.
17.1 AS IS Service. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MALLCOP CLOUD IS PROVIDED "AS IS" AND "AS AVAILABLE." THIRD DIVISION LABS LLC MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING:
(a) ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT;
(b) ANY WARRANTY THAT THE SERVICE WILL BE UNINTERRUPTED, ERROR-FREE, OR FREE FROM SECURITY VULNERABILITIES;
(c) ANY WARRANTY REGARDING THE ACCURACY, COMPLETENESS, OR QUALITY OF INFERENCE OUTPUTS PRODUCED BY THIRD-PARTY AI MODELS;
(d) ANY WARRANTY THAT THE SERVICE MEETS YOUR SECURITY REQUIREMENTS OR COMPLIANCE OBLIGATIONS;
(e) ANY WARRANTY THAT DONUTS WILL BE AVAILABLE AT ALL TIMES OR THAT INFERENCE ROUTING WILL BE INSTANTANEOUS.
17.2 No Security Warranty. THIRD DIVISION LABS LLC MAKES NO WARRANTY, EXPRESS, IMPLIED, OR STATUTORY, THAT MALLCOP (IN ANY FORM — CLI, CLOUD SERVICE, OR COMBINED) WILL DETECT ANY SECURITY THREAT, PREVENT ANY BREACH, OR MAINTAIN THE SECURITY OF YOUR SYSTEMS. THE DISCLAIMER IN SECTION 8 IS AN ESSENTIAL ELEMENT OF THIS AGREEMENT AND REFLECTS THE PRICING OF THE SERVICE.
17.3 Third-Party Components. WE DISCLAIM ALL WARRANTIES WITH RESPECT TO THIRD-PARTY AI MODELS, AWS BEDROCK INFRASTRUCTURE, POLAR PAYMENT SERVICES, AND THIRD-PARTY PLATFORM APIs. THESE THIRD-PARTY COMPONENTS ARE PROVIDED SUBJECT TO THEIR OWN TERMS.
17.4 No Oral or Written Warranty. No statement, documentation, marketing material, support communication, or representation by any employee, contractor, or agent of Third Division Labs LLC — written or oral — constitutes a warranty beyond those expressly stated in this Agreement. Any statement describing detection capabilities, model performance benchmarks, or monitoring outcomes in marketing materials is provided for informational purposes only and does not create a warranty.
17.5 Jurisdictional Variation. Some jurisdictions do not allow the exclusion of implied warranties. In such jurisdictions, the foregoing exclusions apply to the maximum extent permitted by law.
18.1 Exclusion of Consequential Damages. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL THIRD DIVISION LABS LLC BE LIABLE TO YOU FOR ANY:
(a) INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES;
(b) LOST PROFITS, LOST REVENUE, OR LOST BUSINESS OPPORTUNITIES;
(c) LOSS OF DATA, DATA CORRUPTION, OR COST OF DATA RECOVERY;
(d) DAMAGES ARISING FROM A DATA BREACH, SECURITY INCIDENT, OR UNAUTHORIZED ACCESS TO YOUR SYSTEMS;
(e) BUSINESS INTERRUPTION OR COST OF SUBSTITUTE SERVICES;
(f) DAMAGES ARISING FROM MALLCOP'S FAILURE TO DETECT ANY SECURITY THREAT OR INCIDENT;
(g) LOSS OF GOODWILL OR REPUTATION;
REGARDLESS OF THE CAUSE OF ACTION OR THE LEGAL THEORY UNDER WHICH DAMAGES ARE SOUGHT (CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY, STATUTE, OR OTHERWISE), AND EVEN IF THIRD DIVISION LABS LLC HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
18.2 Aggregate Liability Cap. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THIRD DIVISION LABS LLC'S TOTAL AGGREGATE LIABILITY TO YOU FOR ALL CLAIMS ARISING OUT OF OR RELATED TO THIS AGREEMENT OR THE SERVICE SHALL NOT EXCEED THE GREATER OF:
(a) THE TOTAL FEES ACTUALLY PAID BY YOU TO THIRD DIVISION LABS LLC IN THE TWELVE (12) CALENDAR MONTHS IMMEDIATELY PRECEDING THE DATE ON WHICH THE CLAIM FIRST AROSE; OR
(b) ONE HUNDRED DOLLARS (USD $100.00).
18.3 Scope of Limitations. The limitations in Sections 18.1 and 18.2 apply regardless of the form of action, whether in contract, tort (including negligence), product liability, strict liability, or otherwise, and apply to all claims in the aggregate, not to each individual claim separately.
18.4 Essential Basis. You acknowledge that the limitations of liability in this Section 18 are an essential element of the basis of the bargain between you and Third Division Labs LLC, and that Third Division Labs LLC would not provide the Service at the stated prices without these limitations.
18.5 Exceptions. Nothing in this Agreement limits liability for: (a) death or personal injury caused by our gross negligence; (b) fraud or fraudulent misrepresentation; or (c) any liability that cannot be excluded or limited by applicable law.
18.6 Jurisdictional Variation. Some jurisdictions (including certain US states and EEA member states) do not allow exclusion or limitation of certain damages. In such jurisdictions, the limitations in this Section apply to the maximum extent permitted by law.
19.1 Informal Resolution First. Before initiating any formal dispute process, both parties agree to attempt in good faith to resolve disputes informally. You must send a written notice of your dispute to legal@mallcop.app describing the nature and amount of your claim. We will attempt to resolve the dispute within 30 days.
19.2 Binding Arbitration. If informal resolution fails, any dispute arising out of or relating to this Agreement, including its formation, interpretation, breach, or termination, shall be resolved by binding arbitration administered by the American Arbitration Association (AAA) under its Commercial Arbitration Rules. The arbitration shall be conducted in Massachusetts. The arbitrator's award shall be final and binding. Judgment on the award may be entered in any court of competent jurisdiction.
19.3 Class Action Waiver. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, YOU WAIVE YOUR RIGHT TO PARTICIPATE IN A CLASS ACTION LAWSUIT OR CLASS-WIDE ARBITRATION AGAINST THIRD DIVISION LABS LLC. All disputes must be brought in your individual capacity, not as a plaintiff or class member in any purported class, consolidated, or representative proceeding.
19.4 Small Claims Exception. Either party may bring a claim in a small claims court for disputes within that court's jurisdictional limit, provided the claim is brought individually and not as part of a class action.
19.5 Injunctive Relief Exception. Either party may seek injunctive or other equitable relief in any court of competent jurisdiction where necessary to prevent immediate irreparable harm without first engaging in informal resolution or arbitration.
19.6 AAA Consumer Rules. If you are an individual using Mallcop Pro primarily for personal purposes (not commercial), and if the AAA Consumer Arbitration Rules apply to your dispute, those rules govern the arbitration.
20.1 Governing Law. This Agreement and any disputes arising out of or relating to it shall be governed by the laws of the Commonwealth of Massachusetts, United States, without regard to its conflict of laws principles.
20.2 Jurisdiction. For any disputes not subject to arbitration under Section 19, each party irrevocably consents to the exclusive jurisdiction of the state and federal courts located in Suffolk County, Massachusetts.
20.3 Export Controls. Mallcop Pro may not be used in violation of US export control laws and regulations, including the Export Administration Regulations (EAR) and the Office of Foreign Assets Control (OFAC) sanctions programs. You represent that you are not located in, or a national of, a country subject to US embargo, and that you are not on any US government list of prohibited persons or entities.
21.1 Service Changes. We reserve the right to modify, discontinue, or suspend features of Mallcop Pro at any time, including modifying the Donut conversion rate, model catalog, tier pricing, or available Sovereignty Tiers. We will provide 30 days' notice of changes that materially affect your use of the Service, unless immediate changes are required for security, legal, or technical reasons.
21.2 Price Changes. Pricing changes take effect at the start of your next billing cycle after 30 days' advance notice. If you do not agree to a price change, you may cancel before the effective date and receive a prorated credit for the remainder of your billing period.
21.3 Terms Changes. We may update these Terms of Service from time to time. We will notify you by email at least 30 days before material changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated Terms.
21.4 Downgrade Clause. We will not make changes that retroactively reduce your Dollar Credit balance or that take effect within a current billing period for which you have already paid.
22.1 Term. This Agreement begins when you create a Mallcop Pro account and continues until terminated.
22.2 Termination by You. You may terminate this Agreement at any time by canceling your subscription and closing your account through the Mallcop Pro dashboard. Termination takes effect at the end of your current billing period for subscription services.
22.3 Termination by Us. We may suspend or terminate your account:
(a) With 30 days' written notice, for any reason or no reason;
(b) Immediately, if you breach Sections 2, 13 (Acceptable Use), or 11 (Intellectual Property), or if your account is associated with illegal activity;
(c) Immediately, if required by law or regulatory authority;
(d) Immediately, if your account poses a security risk to Mallcop Pro or other users.
22.4 Effect of Termination. Upon termination:
(a) Your access to Mallcop Pro and your remaining Donut balance are terminated;
(b) Subscription Donuts are forfeited without refund;
(c) Unused Dollar Credits are refunded within 30 days if you request it;
(d) We will retain Customer Data for 90 days after termination, after which it will be deleted;
(e) Your security event data in your git repository is not affected — it remains on your systems.
22.5 Survival. Sections 8 (No Warranty of Detection), 9 (Self-Improvement User Responsibility), 11 (Intellectual Property), 16 (Indemnification), 17 (Disclaimer of Warranties), 18 (Limitation of Liability), 19 (Dispute Resolution), 20 (Governing Law), and 23 (General Provisions) survive termination.
23.1 Entire Agreement. This Agreement, together with the Privacy Policy and any Order Forms, constitutes the entire agreement between you and Third Division Labs LLC regarding Mallcop Pro and supersedes all prior agreements, representations, and understandings.
23.2 Order of Precedence. In case of conflict, Order Forms (if any) take precedence over these Terms of Service, which take precedence over the Privacy Policy.
23.3 Severability. If any provision of this Agreement is found unenforceable, that provision will be modified to the minimum extent necessary to make it enforceable, and the remaining provisions will continue in full force and effect.
23.4 Waiver. Failure to enforce any provision of this Agreement shall not constitute a waiver of future enforcement of that provision or any other provision.
23.5 Assignment. You may not assign this Agreement or any rights under it without our prior written consent. We may assign this Agreement in connection with a merger, acquisition, or sale of all or substantially all of our assets, with 30 days' prior notice to you. Any unauthorized assignment is void.
23.6 Force Majeure. We are not liable for delays or failures in performance resulting from causes beyond our reasonable control, including natural disasters, wars, terrorism, government actions, internet infrastructure failures, third-party service provider outages, or other force majeure events. We will notify you promptly and resume performance as soon as reasonably practicable.
23.7 No Third-Party Beneficiaries. This Agreement is for the benefit of you and Third Division Labs LLC only. It does not create any third-party beneficiary rights.
23.8 Notices. We will send notices to the email address associated with your account. You must send notices to us at legal@mallcop.app. Notices are deemed received when sent by email (subject to confirmation of delivery) or 3 business days after mailing by first-class mail.
23.9 Relationship of Parties. The parties are independent contractors. Nothing in this Agreement creates a partnership, joint venture, agency, employment, or franchise relationship.
23.10 No Legal Advice. This Agreement does not constitute legal advice. You are encouraged to seek independent legal counsel if you have questions about your rights and obligations under this Agreement or applicable law.
23.11 Language. This Agreement is written in English. If translated into other languages, the English version controls in case of conflict.
23.12 Contact. Third Division Labs LLC may be contacted at:
This appendix is for informational clarity only. It does not modify the Agreement.
| What Mallcop Pro Is | What Mallcop Pro Is Not |
|---|---|
| A managed AI compute service | A security guarantee |
| A subscription to inference tokens (Donuts) | A managed security service provider (MSSP) |
| Infrastructure that helps Mallcop CLI run AI operations | Protection against breaches |
| Billed by Polar as Merchant of Record | A replacement for a SOC or security team |
| Scenario | Our Liability |
|---|---|
| Mallcop misses a breach | None (Section 8) |
| Self-improvement breaks detection | None if you approved the Modification (Section 9) |
| A Third-Party Platform API provides bad data | None (Section 10) |
| Mallcop Pro is unavailable for >72 hours | Prorated credit only (Section 5.4) |
| Aggregate damages | Capped at 12 months of fees or $100, whichever is greater (Section 18.2) |
| Term | Defined In | Plain Meaning |
|---|---|---|
| Donut | Section 1 | One unit of inference compute (5,000 tokens) |
| Subscription Donuts | Section 1 | Donuts included monthly; expire at billing reset |
| Dollar Credits | Section 5.2 | Pay-as-you-go overage; persist until consumed |
| BYOK Mode | Sections 1, 6 | You bring your own API keys; no managed inference |
| Sovereignty Tier | Sections 1, 7 | Which model providers your Donuts can use |
| Self-Improvement / Diesel | Sections 1, 9 | AI-proposed changes to your local Mallcop config |
| Finding | Section 1 | Anomaly flagged by Mallcop CLI on your systems |
| Customer Data | Section 1 | Your account + usage data (NOT your security events) |
These Terms of Service were last updated: [DATE]
Third Division Labs LLC — mallcop.app
Attorney Review Status: This document was drafted with research-backed legal analysis. The following items should receive attorney review before launch: (1) Privacy Policy (required separately, not included here); (2) enforceability of arbitration clause and class action waiver in target jurisdictions; (3) CCPA/GDPR compliance obligations; (4) self-improvement liability framing under emerging AI product liability law. See counsel liability memo at
3dl/docs/legal/mallcop-liability-review.mdfor full context.