Terms of Service.
Drafted for review by CISOs, Heads of Risk, audit-firm technologists, and legal/compliance teams at firms operating under SOC 2 Type II, ISO 27001, NYDFS Part 500, DORA, or SR 11-7. Designed for review by counsel at firms such as KPMG, Deloitte, EY, PwC, BDO, Grant Thornton, and independent firms during procurement.
This document contains placeholder language written by Déjà's product team, not lawyers. Sections marked [NEEDS LEGAL REVIEW] require attorney input before publication. Do not publish this page to production until counsel has reviewed and signed off on the final language.
Acceptance of terms
These Terms of Service govern your use of Déjà's incident attribution platform (the "Service"), operated by Déjà, Inc. ("Déjà," "we," "us," or "our"). By accessing or using the Service, creating a Déjà vault (including a trial vault), or clicking to accept these Terms during signup, you agree to be bound by these Terms.
If you are entering into these Terms on behalf of a company, organization, or other legal entity, you represent that you have the authority to bind that entity to these Terms, and "you" refers to that entity and its authorized users.
If you do not agree to these Terms, do not create a vault and do not use the Service.
The Service
Déjà provides a platform for deterministic incident attribution. The Service ingests signal data from third-party tools you connect (such as error tracking, monitoring, and source control systems), applies attribution logic to derive the causal commit for each incident, and produces cryptographically signed receipts conforming to the DSR/1.0 standard.
The Service includes both production features (for paying customers bound to a legal entity by a Master Services Agreement) and trial features (for evaluation). Trial vaults are functionally similar to production vaults but produce receipts signed with a distinct trial key. Trial receipts are watermarked as non-production and are not valid as audit evidence.
We may modify, suspend, or discontinue features of the Service at any time, provided that material changes affecting paying customers will be communicated with reasonable advance notice under our Service Level Agreement (where applicable).
Accounts and vaults
To use the Service, you must create a vault. Creation requires a valid business email address, a chosen password (minimum 12 characters) or a supported OAuth provider, and acceptance of these Terms. Consumer email domains (including but not limited to gmail.com, outlook.com, and yahoo.com) are not permitted for vault creation because vaults are bound to domain-level identity for compliance purposes.
Trial vaults are created self-serve and are bound to the domain of the email address used at signup. Trial vaults are subject to usage caps (including a 500-receipt limit) and expire 14 days from creation unless converted to a production vault.
Production vaults are provisioned by Déjà and are bound to a specific legal entity named in a Master Services Agreement. Production vaults are assigned a production signing key and produce defensible DSR/1.0 receipts.
You are responsible for maintaining the confidentiality of your credentials and for all activity that occurs under your account. You must notify us immediately of any unauthorized access.
Fees and billing
Trial vaults are provided at no cost for the duration of the trial period. Production vaults are subject to tier-based fees as described in your Master Services Agreement or applicable order form.
Specific billing terms — invoice timing, payment terms (net 30 vs net 45), late payment interest, accepted payment methods, tax responsibility, currency, prorated cancellation, auto-renewal mechanics — require counsel review. The language here is placeholder-level and does not reflect Déjà's final billing policies.
Fees are payable in advance unless otherwise specified in your order form. Déjà may adjust pricing with at least sixty (60) days' written notice prior to your renewal date. Price changes do not apply to prepaid annual commitments until the next renewal.
Acceptable use
You agree not to:
- Use the Service in violation of any applicable law or regulation
- Use the Service to process data you do not have the legal right to process
- Attempt to gain unauthorized access to any other customer's vault, receipts, or data
- Reverse-engineer, disassemble, or attempt to extract the source code of the Service (except where prohibited from restricting such activity by applicable law)
- Use trial receipts in contexts that represent them as production audit evidence
- Submit materially false or misleading data to induce incorrect attribution outcomes
- Circumvent rate limits, usage caps, or other technical restrictions
- Use the Service to develop a competing product or service
We may suspend or terminate access for violations at our discretion, with or without notice depending on severity.
Your data
The Service processes data from the third-party tools you connect (webhooks from error trackers, commit data from source control, etc.). This data is described in our Privacy Policy.
You retain ownership of your data. You grant Déjà a limited license to process your data solely for the purpose of providing the Service — including deriving attributions, producing receipts, delivering notifications, and maintaining the governance log. We do not sell your data, do not use it to train machine learning models, and do not share it with third parties except as required to operate the Service (subprocessors are listed in our Privacy Policy) or as required by law.
Data processing specifics — GDPR data controller/processor roles, CCPA business/service provider distinctions, cross-border transfer mechanisms (Standard Contractual Clauses, adequacy decisions), data residency commitments, subprocessor change notification procedures, data subject request handling, breach notification timelines — require counsel review and likely a separate Data Processing Agreement for enterprise customers.
Upon termination of your subscription or deletion of your vault, your data will be retained for up to thirty (30) days to allow for export, then permanently deleted. Signed receipts remain verifiable against the DSR/1.0 standard independently of your continued subscription — the cryptographic signatures do not expire.
Intellectual property
The Service — including its software, user interface, documentation, and branding — is owned by Déjà and protected by copyright, trademark, and other intellectual property laws. These Terms grant you a limited, non-exclusive, non-transferable right to use the Service subject to these Terms and your applicable order form.
The DSR/1.0 standard is published under the Apache License 2.0 at standard.deja.dev. You may verify receipts, implement verifier tools, and build integrations using the DSR/1.0 specification without a Déjà subscription. The receipt format is open; the Service that produces receipts is proprietary.
Feedback, suggestions, and improvement ideas you provide to Déjà regarding the Service may be used by Déjà without obligation or compensation to you. Feedback is not considered confidential unless explicitly designated as such under a separate agreement.
Receipts and cryptographic signing
The Service produces DSR/1.0 receipts signed with cryptographic keys managed by Déjà. Production receipts are signed with a production key pair; trial receipts are signed with a separate trial key pair and are watermarked as trial.
Receipt portability. Signed receipts remain cryptographically verifiable using any DSR/1.0-compliant verifier, including the open-source verifier at standard.deja.dev. If you terminate your subscription, existing production receipts signed during your active subscription period remain verifiable. Déjà does not retroactively invalidate receipts.
The legal status of signed receipts as evidence — specifically whether a DSR/1.0 receipt constitutes admissible evidence under the Federal Rules of Evidence, applicable state laws, or international equivalents — requires counsel review. The authoritative answer depends on jurisdiction and use case. Déjà makes no warranty about admissibility.
Signing key compromise procedures, key rotation policies, and customer obligations in the event of a suspected key compromise require counsel review.
Warranties and disclaimers
Déjà warrants that the Service will perform materially in accordance with its documentation during active subscription periods. This warranty is contingent on your compliance with these Terms and does not apply to trial vaults.
Except as expressly stated, the Service is provided needs legal review on an "AS IS" and "AS AVAILABLE" basis. Déjà disclaims all other warranties, whether express or implied, including warranties of merchantability, fitness for a particular purpose, non-infringement, and any warranties arising from course of dealing or usage of trade.
Déjà does not warrant that the Service will be uninterrupted, error-free, or secure against all threats; that attribution outputs will be accurate in every case; or that the Service will meet your specific regulatory or audit requirements without additional measures on your side.
Limitation of liability
Limitation of liability language is highly jurisdiction-specific and directly affects Déjà's risk exposure. Placeholder language below is structurally typical but must be reviewed and adjusted by counsel before publication. Specific dollar caps, carve-outs (indemnification, gross negligence, IP infringement), and consequential-damages waivers require explicit attorney input.
To the maximum extent permitted by applicable law, Déjà's aggregate liability arising out of or relating to these Terms or the Service, whether in contract, tort, or any other theory, is limited to the greater of (a) the fees paid by you to Déjà in the twelve months preceding the event giving rise to the claim, or (b) one hundred U.S. dollars ($100). needs legal review
In no event will Déjà be liable for indirect, incidental, consequential, special, or exemplary damages, including lost profits, lost revenue, or loss of goodwill, even if advised of the possibility of such damages. needs legal review
Indemnification
Mutual indemnification terms depend on the customer segment and regulatory context. Enterprise and Charter customers typically negotiate custom indemnification language in their Master Services Agreement. Placeholder language is omitted here to avoid setting expectations that are not yet legally vetted.
Termination
Termination by you. You may cancel your subscription at any time through your vault's admin settings or by contacting Déjà. Trial vaults may be deleted immediately. Production vault termination is governed by your Master Services Agreement, including any notice requirements and refund terms.
Termination by Déjà. We may suspend or terminate your access for material breach of these Terms, non-payment of fees (after reasonable cure period), or misuse as described in Section 5. In such cases, we will provide notice to the extent reasonably practical.
Effect of termination. Upon termination, your access to the Service ends. Your data is retained for up to thirty (30) days to allow export, then deleted. Production receipts issued during your active subscription remain cryptographically verifiable via the DSR/1.0 standard.
Governing law and disputes
Choice of law, venue, arbitration vs. litigation, class action waivers, and jurisdictional specifics require counsel review. These decisions have significant operational and cost implications (where you have to defend a lawsuit, whether class actions are permitted, etc.). Do not publish placeholder language in this section.
Changes to these Terms
We may update these Terms from time to time. For material changes, we will notify you by email and/or by posting a notice in your vault at least thirty (30) days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the revised Terms.
For enterprise customers with a signed Master Services Agreement, these online Terms are subordinate to the MSA. In the event of a conflict, the MSA controls.
Contact
Questions about these Terms can be directed to legal@deja.dev. Contract and procurement inquiries go to sales@deja.dev. General support inquiries go to support@deja.dev — see also our support page.
Mailing address: needs legal review