Terms of Service
Agreement to Terms
By accessing or using HASP ("the Service"), you agree to be bound by these Terms of Service ("Terms"). If you do not agree to these Terms, you may not use the Service. These Terms apply to all users of the Service, including individual users and organizations. Use of the Service constitutes your acceptance of these Terms on behalf of yourself and any organization you represent.
Description of Service
HASP provides a HIPAA-ready AI platform for regulated organizations. The Service comprises four product surfaces: a chat UI for AI conversations and document analysis, a public REST API drop-in compatible with the Anthropic SDK plus higher-level HASP-native workflow endpoints, an internal-app builder that publishes static team tools (HTML, CSS, JavaScript, and related assets) built directly in Studio, and a signed audit chain that records every action across the other three surfaces.
Real Protected Health Information (PHI) may only be sent through the Service after a Business Associate Agreement (BAA) has been countersigned by your organization. The Free Evaluation is restricted to non-PHI use; PHI mode unlocks per organization the moment the BAA is signed in-app.
Additional platform capabilities include: incoming and outgoing webhooks, record file attachments, SAML SSO and SCIM provisioning (Enterprise tier), per-org compliance data planes with their own vector indexes, HASP-owned AI-input PHI scanning at the gateway, and signed audit-export download. All features are subject to these Terms.
Account Registration and Individual Accounts
When you create an account, you agree to:
- Provide accurate, current, and complete information — including your true legal name and organizational affiliation
- Maintain and promptly update your account information to keep it accurate
- Each user account must belong to one identifiable individual. Accounts represent a single, identifiable person. You may not create or use an account on behalf of another person, and you may not allow another person to access the Service using your account credentials.
- Sharing login credentials is prohibited. You may not share your magic-link emails, OAuth sessions, identity-provider tokens, or any other authentication artifact with another person. Each person who needs access must have their own user account, even within the same organization. This applies to every tier of the Service, including Solo, Professional, Business, and Enterprise plans.
- Why we require this. HASP is designed for organizations handling regulated data, including Protected Health Information (PHI) under HIPAA, confidential records under attorney-client privilege, and other sensitive data subject to applicable laws. Accurate identification of who took what action is a foundational requirement of the audit chain that makes the Service compliant under HIPAA, HITRUST, SOC 2, and similar frameworks. Sharing credentials breaks this audit chain and exposes your organization (and HASP) to compliance risk. For HIPAA-covered customers, credential sharing also constitutes a violation of 45 CFR § 164.308(a)(4) (Information Access Management) under the HIPAA Security Rule.
- Keep your account credentials secure and do not share access with anyone — authorized or unauthorized — including coworkers, contractors, family members, or other individuals who may have legitimate need to use the Service. Each person needs their own account. If your organization uses enterprise SSO, you are responsible for the security of your identity provider credentials.
- Accept full responsibility for all activity that occurs under your account
- Notify us immediately at [email protected] of any unauthorized use of your account or any actual or suspected credential sharing
Account authentication is handled via third-party sign-in (Google, Microsoft), email-based magic link, or enterprise SSO. HASP does not store passwords. You are responsible for the security of the authentication method you use to access the Service, including the security of your email account and any third-party identity provider.
Enforcement. HASP may detect probable credential sharing through audit-log signals (concurrent sessions from inconsistent geographic locations, atypical user-agent patterns, or other indicators) and may, at our discretion: (a) require additional authentication on the affected account; (b) suspend the account pending investigation; (c) terminate the account; (d) for paid-plan customers, notify the organization administrator and applicable security and compliance contacts of the suspected violation. Detection mechanisms are documented in the audit chain available to your organization.
We reserve the right to suspend or terminate any account where we have reason to believe that registration information is false, misleading, or provided with intent to deceive, or where credentials are being shared in violation of these Terms.
Acceptable Use
You agree not to use the Service to:
- Publish or host content that is illegal, harmful, obscene, defamatory, or violates the rights of others
- Distribute malware, ransomware, spyware, viruses, Trojans, or any other harmful or malicious code
- Attempt to gain unauthorized access to any part of the Service, its infrastructure, or any other user's account or data
- Use the Service for public-facing websites or applications (the Service is designed exclusively for internal team tools)
- Interfere with or disrupt the integrity, performance, or security of the Service or its underlying infrastructure
- Scrape, data mine, reverse engineer, or otherwise extract data from the Service through automated or manual means without our express written consent
- Use the Service in any way that could expose HASP or its users to legal liability
- Circumvent, disable, or otherwise interfere with security-related features of the Service
- Resell, sublicense, or otherwise commercialize access to the Service without our written authorization, or use the Service to build a competing platform or product
- Configure webhooks to send requests to internal network addresses, loopback addresses, cloud metadata endpoints (e.g. 169.254.169.254), or any target not under your ownership or control; or use webhooks to relay, proxy, or amplify traffic to third-party services without authorization from those services
- Use the Data API or record storage to store content that violates these Terms, to build an unauthorized database or storage backend, or to exfiltrate or relay data outside your organization without authorization
- Abuse the Free Evaluation by creating multiple accounts or organizations to circumvent the one-evaluation-per-organization limit. We reserve the right to determine, in our sole discretion, that multiple accounts or organizations are operated by the same person or entity, and to consolidate, suspend, or terminate those accounts and recover any unpaid fees across them
Prohibited Content
The following categories of content are strictly prohibited on the Service. Uploading, publishing, or distributing any of the following may result in immediate account suspension, permanent termination, content removal, and referral to law enforcement authorities:
- Child sexual abuse material (CSAM) — any content that sexually exploits or depicts minors in any form, without exception
- Phishing and credential harvesting — tools or content designed to deceive users into submitting sensitive information such as passwords, financial details, or personal identification
- Fraud and financial deception — tools designed to facilitate financial fraud, money laundering, unauthorized payment processing, or deceptive financial practices
- Hate speech and incitement — content that promotes, glorifies, or incites violence, discrimination, or hatred against individuals or groups based on race, ethnicity, religion, gender, sexual orientation, disability, or national origin
- Harassment and targeted abuse — tools or content designed to harass, stalk, threaten, or intimidate specific individuals
- Illegal surveillance — tools designed to covertly monitor, intercept, or collect data from individuals without their knowledge or lawful authorization
- Weapons and dangerous materials — content that facilitates or provides instructions for the creation, acquisition, or use of illegal weapons, explosives, or dangerous substances
- Impersonation — see the Identity and Impersonation section below
- Prohibited file attachments — files uploaded as record attachments via the Data API are subject to these same prohibitions. The file attachment pipeline is not a mechanism for bypassing content restrictions that apply to uploaded tools.
Identity and Impersonation
HASP takes impersonation and identity fraud extremely seriously. The following conduct is strictly prohibited:
- Creating tools, interfaces, or content that falsely represent, impersonate, or are designed to be mistaken for a real organization, business, government body, financial institution, or brand — including but not limited to reproducing their logos, trademarks, domain names, UI patterns, or official communications without authorization
- Creating tools that impersonate or falsely represent a real individual, including public figures, executives, or private persons
- Using account names, organization names, or app names that misleadingly imply affiliation with, endorsement by, or authorization from a real third-party entity
- Building tools intended to deceive end users into believing they are interacting with a legitimate organization when they are not
Enforcement and Remediation. If HASP determines, in its sole discretion, that a user or app violates this section, we may take any or all of the following actions without prior notice:
- Immediately suspend or disable the offending app and any associated access links
- Permanently terminate the account responsible
- Preserve and provide relevant account data, content, and access logs to the affected organization or individual, law enforcement agencies, or legal counsel upon valid legal request
- Proactively notify the impersonated organization or individual that their identity was misused on our platform
- Refer the matter to appropriate law enforcement or regulatory authorities
Reporting Impersonation. If you believe your organization, brand, or identity is being impersonated on HASP, please contact us immediately at [email protected]. Include your contact information, the nature of the impersonation, and any supporting evidence. We will acknowledge your report and take appropriate action as quickly as practicable.
Abuse Reporting and Content Removal
We maintain a dedicated abuse reporting channel for reporting violations of these Terms, including illegal content, harmful tools, impersonation, and other policy violations.
To report abuse, contact us at [email protected] with a description of the violation and any relevant evidence. Our process:
- Acknowledgment: We will acknowledge all reports promptly
- Investigation: We will investigate each report in good faith, which may include reviewing app content, account history, and access logs
- Action: Where a violation is confirmed or reasonably suspected, we will take appropriate action, which may include content removal, account suspension, or termination
- Escalation: For matters involving illegal content (including CSAM, threats of violence, fraud, or identity theft), we will escalate to the appropriate authorities without requiring a user report
HASP reserves the right to remove any content and suspend any account at any time, with or without a third-party report, where we determine that content violates these Terms or poses a risk to the safety or integrity of the Service or its users.
Your Content
You retain ownership of all tools and content you upload to the Service. By publishing content on HASP, you grant us a limited, non-exclusive license to host, store, and serve your content to your authorized team members solely for the purpose of providing the Service. We do not claim ownership over your content and will not use it for any purpose other than hosting, serving, and enforcing these Terms.
You represent and warrant that: (a) you own or have the necessary rights to all content you upload; (b) your content does not infringe any third-party intellectual property, privacy, or other rights; (c) your content complies with all applicable laws and regulations; and (d) your content does not violate these Terms. You are solely responsible for your content and any consequences arising from its publication.
You may export your personal data at any time through your account settings. Organization administrators on Business and Enterprise plans may additionally export full organization data — including members, apps, schemas, and records.
Indemnification
You agree to defend, indemnify, and hold harmless HASP, its affiliates, officers, directors, employees, and agents from and against any and all claims, damages, obligations, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising from: (a) your use of the Service; (b) your content; (c) your violation of these Terms; (d) your violation of any third-party rights, including intellectual property, privacy, or publicity rights; or (e) any claim that your content caused damage to a third party. This obligation survives the termination of your account and these Terms.
Custom Domain (Coming Soon)
Custom domain support is not yet available but is planned for a future release. When available, Business and Enterprise accounts will be able to map one custom domain per organization to their hosted apps. By configuring a custom domain, you will represent and warrant that:
- You own or have lawful authority to use the domain, and that its use does not infringe any third-party trademark, brand, or other intellectual property rights
- You will not configure a domain that is intended to deceive users into believing they are interacting with a different organization or brand
- You are solely responsible for maintaining valid DNS configuration and renewing domain registration for the custom domain you associate with the Service
HASP reserves the right to disable any custom domain that we determine, in our sole discretion, is being used for phishing, impersonation, brand abuse, or any other violation of these Terms. Custom domain configuration does not transfer liability for content hosted under that domain from you to HASP.
Protected Health Information and Business Associate Agreements
This rule applies to every account — Free Evaluation, paid individual plans, and Enterprise alike.
- You may not send real PHI into HASP without a signed BAA. HASP is not a HIPAA Business Associate until a Business Associate Agreement (BAA) has been countersigned by your organization. Until that happens, you must not input, upload, or transmit real Protected Health Information (PHI) — patient records, clinical notes, insurance data, or any other individually identifiable health information — through any surface of the Service: the chat UI, the public API, the internal-app builder, or any agent or webhook integration.
- How to sign the BAA. The BAA is available in-app under your organization settings. PHI mode unlocks automatically the moment your organization countersigns it. No support ticket or manual step is required.
- Sending PHI before the BAA is countersigned is a material breach of these Terms and may result in immediate account suspension, termination, and notification to your organization's compliance contacts.
- Free Evaluation accounts. The Free Evaluation does not include a BAA. PHI is prohibited for the entire duration of your evaluation, across every surface. If you need to test with real patient data, sign the BAA first — which requires selecting a paid plan.
Compliance Data Planes
Enterprise accounts may provision an isolated compliance data plane — a dedicated managed database cluster — for storing application data. The following terms apply:
- All data stored in your compliance data plane remains subject to these Terms, including all Prohibited Content restrictions. Isolated infrastructure does not create different or additional rights regarding the nature of the data you may store.
- You are responsible for ensuring that any data you store complies with all applicable laws and regulations, including data protection and privacy laws governing the data subjects whose information you store.
- If your subscription is terminated or your compliance data plane is decommissioned, we will provide reasonable notice and an opportunity to export your data before the cluster is destroyed. Data that cannot be exported within the notice period may be permanently deleted.
- PHI may only be stored in your compliance data plane after your organization has countersigned a BAA. See the Protected Health Information and Business Associate Agreements section above.
Cryptographic Modules
Security-load-bearing cryptographic operations performed inside the HASP platform container — outbound TLS handshakes (managed database, third-party APIs, internal load balancer), application-layer encryption (AES-256-GCM via PHP's openssl extension), password hashing (PBKDF2-HMAC-SHA-256 via openssl_pbkdf2), audit-chain hashing and security-relevant token hashes (SHA-256 via openssl_digest), and audit export signing (Ed25519 via openssl_sign) — are performed inside the OpenSSL FIPS Provider 3.1.2, holding NIST CMVP certificate #4985 (FIPS 140-3 Level 1, Active, sunset 2030-03-10). The validated module is built into the platform container image from the OpenSSL Project's source pinned by SHA-256 hash; deployment refuses to start unless the FIPS provider is enforcing.
Customers building workflows that require a NIST CMVP-validated cryptographic module (including DEA Electronic Prescription of Controlled Substances under 21 CFR Part 1311, which references FIPS 140-2 Level 1; FIPS 140-3 supersedes and satisfies that reference) may reference our certificate number in their own audit submissions. HASP's compliance correspondence will provide a written attestation referencing the certificate, module version, and the platform image digest on request.
The cryptographic-module claim is bounded to security-load-bearing operations performed inside the HASP platform via FIPS 140-3 validated OpenSSL. It does not extend to: (a) inbound user-facing TLS, which is terminated at the substrate's edge load balancer using a separately-validated cryptographic module; (b) operational fingerprints (cache keys, idempotency keys, advisory-lock derivation) and webhook HMAC signature verification, which use FIPS-approved algorithms but rely on routines outside the validated module; (c) any environment-level FIPS validation. HASP does not claim Federal Risk and Authorization Management Program (FedRAMP) authorization, Criminal Justice Information Services (CJIS) compliance, IRS Publication 1075 authorization, or any environment-level FIPS validation. Each downstream sub-processor (inference provider, payment processor, identity provider, infrastructure substrate) maintains its own separate compliance trail and is documented at the Trust Center.
The full compliance reference — including the verification recipe an auditor can run against the running container — is available in the FIPS modules reference.
Enterprise SSO
Enterprise accounts may enable single sign-on (SSO) via SAML or other identity providers through our WorkOS integration. By enabling SSO:
- Your organization assumes full responsibility for the security configuration of your identity provider (IdP), including access controls, multi-factor authentication requirements, and the integrity of your user directory.
- A compromise of your IdP may result in unauthorized access to your HASP organization. HASP is not liable for unauthorized access that results from a compromise of your identity provider.
- You are responsible for promptly revoking access for users who leave your organization or who should no longer have access to the Service, both in your IdP and within HASP.
Free Evaluation
New accounts begin in Free Evaluation mode at no charge and with no time limit, subject to the following conditions:
- No BAA, no PHI. Real Protected Health Information is prohibited until your organization countersigns a Business Associate Agreement in-app. Inputs are restricted to non-PHI use during evaluation. This restriction is contractual (this section of the Terms) and audit-enforced; it is not a technical guarantee.
- Allotments. The Free Evaluation includes 100,000 credits (~200,000 tokens), 5 document uploads, an API key, and full access to the chat UI and the public API. Allotments may be revised at any time per these Terms.
- No payment method required. You may evaluate every surface without entering billing details.
- Upgrade path. When your organization is ready to handle PHI or exceeds the evaluation allotments, sign the BAA in-app and select a Platform or API tier. Your dedicated compliance data plane is provisioned on first paid use; existing evaluation data carries forward.
- Abuse. The Free Evaluation is intended for good-faith product evaluation. We may rate-limit, suspend, or terminate accounts that create multiple organizations to circumvent allotments, send real PHI before BAA countersign, or otherwise misuse the evaluation tier.
Payment and Billing
- Authorization to charge. By providing a payment method, you authorize HASP to charge it for all fees incurred under your account, including subscription fees, add-on fees, and any other charges described in these Terms or on our pricing page.
- Recurring billing. Subscriptions renew automatically on a monthly basis. By subscribing, you authorize recurring monthly charges to your payment method until you cancel. The renewal date is anchored to the date your first paid subscription began.
- Prorated charges. When you publish a new app mid-cycle, you are charged a prorated amount for the remainder of the current billing period. The full monthly rate applies starting on your next renewal date.
- App type upgrades. You may upgrade an app from Utility to Workflow type at any time. The price difference is prorated for the remainder of the current billing period.
- Pricing changes. We may change our prices at any time. We will notify you at least 30 days before a price increase takes effect. If you do not cancel before the new price takes effect, your continued use of the Service constitutes acceptance of the updated pricing.
- Taxes. All prices are stated in US dollars and do not include applicable taxes. You are responsible for all taxes, duties, and government assessments associated with your use of the Service, excluding taxes based on HASP's net income.
- Failed payments. If a payment fails, we will attempt to charge your payment method up to 3 additional times over a 7-day period. During this period, your account remains active. If all retry attempts fail, your published apps will become read-only — no new publishes, updates, or record writes will be permitted until a valid payment method is provided and the outstanding balance is settled. After 30 days of continuous non-payment, we may terminate your account in accordance with the Termination section.
- Outstanding balances. Termination or expiration of your account — whether initiated by you or by us — does not relieve you of the obligation to pay any fees or charges incurred before the effective date of termination. We reserve the right to pursue collection of outstanding balances through lawful means, including referral to a collection agency or legal action, and to recover reasonable costs incurred in the collection process.
- Account suspension for non-payment. We reserve the right to suspend access to the Service, including making published apps inaccessible to your team, at any time while your account has an unpaid balance. Suspension does not terminate your account or relieve you of payment obligations.
Refunds and Disputes
- No refunds. All subscription fees are non-refundable. When you cancel a subscription, your access continues through the end of the current billing period, but no prorated refund is issued for the remaining days. When an account is terminated for cause (violation of these Terms), no refund is issued for the current or any prior billing period.
- Dispute resolution before chargeback. If you believe a charge is incorrect, you agree to contact us at [email protected] before initiating a dispute or chargeback with your payment provider or financial institution. We will work with you in good faith to resolve billing issues promptly.
- Chargebacks. If you initiate a chargeback or payment dispute with your bank or payment provider without first attempting to resolve the issue with us as described above, we reserve the right to: (a) immediately suspend your account and all published apps; (b) terminate your account; (c) pursue recovery of the disputed amount, any chargeback fees imposed on us by our payment processor, and any reasonable costs incurred in the recovery process; and (d) report the dispute to fraud prevention services. A chargeback initiated without prior good-faith contact with HASP may be treated as a violation of these Terms.
- Right to offset. We may offset any amounts you owe us against any amounts we may owe you, including but not limited to prepaid credits or deposits.
Service Availability
We strive to maintain high availability of the Service but do not guarantee uninterrupted access. We may perform scheduled maintenance and will make reasonable efforts to notify users in advance. We reserve the right to modify, suspend, or discontinue any part of the Service at any time.
Cooperation with Law Enforcement
HASP cooperates fully with law enforcement agencies, regulatory authorities, and legal processes. We reserve the right — and in some cases are legally obligated — to disclose account information, content, and access records in response to valid legal requests including subpoenas, court orders, and government investigations. Where permitted by law, we will notify affected users of such requests. We will not notify users where doing so is prohibited by law or where notification would impede an active investigation or create a risk of harm.
Limitation of Liability
To the maximum extent permitted by law, HASP shall not be liable for any indirect, incidental, special, consequential, or punitive damages, or any loss of profits or revenues, whether incurred directly or indirectly, or any loss of data, use, goodwill, or other intangible losses resulting from your use of the Service. In no event shall HASP's aggregate liability to you exceed the greater of (a) the amounts paid by you to HASP in the twelve months preceding the claim, or (b) one hundred US dollars ($100). The limitations in this section do not apply to your payment obligations under these Terms, your indemnification obligations, or your liability for violations of the Acceptable Use or Prohibited Content sections.
Disclaimer of Warranties
The Service is provided on an "as is" and "as available" basis without warranties of any kind, either express or implied, including but not limited to implied warranties of merchantability, fitness for a particular purpose, non-infringement, or course of performance. HASP does not warrant that the Service will be uninterrupted, secure, error-free, or free of viruses or other harmful components, or that defects will be corrected.
Termination
We may terminate or suspend your account immediately, without prior notice or liability, for any reason, including if you violate these Terms. Grounds for immediate termination include but are not limited to: uploading prohibited content, impersonation, phishing, fraud, distribution of malware, or any conduct that poses an active risk to the Service or other users.
You may cancel your subscription at any time through your account settings. Cancellation takes effect at the end of the current billing period — your apps remain active and accessible until then. You may resume a cancelled subscription at any point before the billing period ends. Cancellation of a subscription is separate from deletion of your account.
You may delete your account at any time. Upon termination, your right to use the Service will cease immediately. We will make reasonable efforts to allow you to export your data before deletion, except where account termination is for cause, in which case we reserve the right to retain data as necessary for legal, compliance, or law enforcement purposes.
Certain audit and activity records are maintained as an immutable log for security, compliance, and legal integrity purposes. These records may be retained even after account deletion, and are not subject to erasure under data rights requests. See our Privacy Policy for details.
Sections covering Prohibited Content, Identity and Impersonation, Payment and Billing, Refunds and Disputes, Indemnification, Limitation of Liability, Disclaimer of Warranties, and Governing Law shall survive the termination of these Terms.
Changes to Terms
We reserve the right to update these Terms at any time. We will notify you of material changes by posting the updated Terms on this page, updating the "Last updated" date, and where practicable, by email or in-app notification. Continued use of the Service after changes constitutes acceptance of the revised Terms. If you do not agree to revised Terms, you must stop using the Service and may delete your account.
Governing Law and Dispute Resolution
These Terms shall be governed by and construed in accordance with the laws of the State of Delaware, United States, without regard to its conflict of law principles. Any dispute arising out of or relating to these Terms or the Service shall be resolved exclusively in the state or federal courts located in Delaware, and you consent to personal jurisdiction in those courts. Notwithstanding the foregoing, HASP reserves the right to seek injunctive or other equitable relief in any jurisdiction to protect its rights or prevent harm.
Contact
For general questions about these Terms, contact us at [email protected].
To report abuse, impersonation, illegal content, or policy violations, contact us at [email protected]. We treat all abuse reports as high priority.