Core Access Technologies
CoreRisk
by Core Access Technologies
Version 1.0 · Effective 2026-05-14

CoreRisk Terms of Service

Effective Date: 2026-05-14 Version: 1.0

These Terms of Service ("Terms") govern your access to and use of the CoreRisk application, website, assessments, reports, generated documents, guided runbooks, remediation offerings, and related services provided by Core Access Technologies ("Core Access," "CoreRisk," "Company," "we," "us," or "our").

By creating an account, starting the CoreRisk assessment, purchasing a CoreRisk product, downloading a report, using the CoreRisk portal, or clicking "I Agree," you agree to be bound by these Terms.

If you are using CoreRisk on behalf of a company, organization, or other legal entity, you represent that you have authority to bind that entity to these Terms. In that case, "you" and "Customer" refer to that entity.

If you do not agree to these Terms, do not use CoreRisk.


1. Important Cybersecurity Disclaimer

CoreRisk is designed to help small businesses identify potential cybersecurity gaps, organize security documentation, and prepare to improve their security posture.

CoreRisk does not guarantee that your business will be secure.

CoreRisk does not guarantee that you will avoid a cyberattack, ransomware event, data breach, business interruption, regulatory investigation, insurance denial, lawsuit, financial loss, or other security incident.

Cybersecurity risk cannot be eliminated. Threats change, attackers adapt, systems fail, users make mistakes, third-party vendors may be compromised, and security controls may be misconfigured, bypassed, or insufficient for a particular environment.

CoreRisk helps you prepare. It does not provide absolute protection.


2. What CoreRisk Provides

CoreRisk may include some or all of the following products or service tiers:

2.1 Free Assessment

The free CoreRisk assessment is a questionnaire-based cybersecurity risk assessment. You answer questions about your business, systems, policies, technology, and security practices.

Based on your self-reported answers, CoreRisk may display an exposure score, risk level, weak areas, recommendations, and estimated breach-cost ranges.

The free assessment is informational only. It is not a technical audit, penetration test, security certification, compliance certification, vulnerability scan, insurance assessment, or legal opinion.

2.2 Paid CoreRisk Report

The paid CoreRisk Report is a downloadable or emailed report generated from your self-reported assessment answers.

The report may identify potential control gaps, provide prioritized recommendations, estimate potential breach costs, and map certain responses to potentially relevant cybersecurity or regulatory frameworks.

The report does not implement any security control. The report tells you what you may need to address. You remain responsible for deciding whether and how to act on the report.

2.3 Done For You Documentation

The Done For You documentation tier uses your structured inputs to automatically generate documents such as cybersecurity policies, incident-response playbooks, business continuity plans, and related documentation.

These documents are generated by automated software based on the information you provide.

Unless we expressly agree otherwise in a separate written agreement, these documents are not custom legal advice, are not reviewed by an attorney, are not guaranteed to satisfy any law, regulation, insurance requirement, vendor requirement, contractual obligation, audit requirement, or industry standard, and do not implement any technical security control.

2.4 Do It Yourself Runbooks

The Do It Yourself tier provides guided runbooks, instructions, and templates that help you assemble your own cybersecurity policies, plans, procedures, and related documentation.

The DIY tier is educational and documentation-focused. It does not include hands-on implementation, technical configuration, system administration, security monitoring, incident response, or managed IT services unless separately purchased and agreed in writing.

2.5 Gap-Closing / Remediation Services

Core Access may offer optional hands-on remediation services, sometimes referred to as "Assist," "Gap-Closing," or similar terms.

Remediation services may include help implementing security controls in your live systems, such as Microsoft 365 configuration, backup setup, email authentication, access-control improvements, security policy configuration, or other technical work.

Remediation services are materially different from the assessment, report, documentation, and runbook tiers. Remediation services involve access to your live systems and may involve changes to production environments.

Unless otherwise stated in a separate written statement of work, remediation services are limited to the specific controls, systems, tasks, and deliverables expressly agreed to by both parties.

Remediation services do not guarantee complete security, full compliance, uninterrupted business operations, prevention of future incidents, or elimination of all risks.

2.6 Ongoing Managed Services

Ongoing managed IT, managed security, monitoring, helpdesk, backup management, endpoint management, or similar recurring services are not included in CoreRisk unless expressly stated in a separate managed services agreement, order form, or statement of work.


3. Self-Reported Information

CoreRisk relies heavily on information you provide.

You are responsible for ensuring that your answers, business information, technical information, contact information, and other inputs are accurate, complete, current, and authorized to be shared.

CoreRisk does not independently verify your assessment answers unless we expressly agree to perform separate verification services in a signed statement of work.

If your answers are incomplete, inaccurate, outdated, misunderstood, or based on assumptions, the resulting score, report, recommendations, documents, breach-cost estimates, or action plan may be incomplete, inaccurate, or unsuitable for your business.

You should not present CoreRisk scores, reports, estimates, or documents as verified audit findings, verified compliance evidence, security certifications, penetration-test results, insurance certifications, or proof that your environment is secure.


4. No Audit, Certification, Penetration Test, or Legal Compliance Opinion

Unless we expressly agree otherwise in a separate signed agreement, CoreRisk is not:

CoreRisk may reference frameworks, regulations, or standards such as HIPAA, IRS Publication 4557, FTC Safeguards Rule, state privacy laws, cybersecurity best practices, or similar materials. Those references are for informational and planning purposes only.

You are responsible for determining which laws, regulations, contracts, insurance obligations, industry standards, and security requirements apply to your business.

You should consult qualified legal, compliance, insurance, and cybersecurity professionals before relying on CoreRisk materials for legal, regulatory, insurance, audit, or contractual purposes.


5. No Attorney-Client, Insurance, or Compliance Advisor Relationship

CoreRisk does not provide legal advice.

Using CoreRisk does not create an attorney-client relationship, insurance-advisor relationship, auditor relationship, fiduciary relationship, or compliance-consultant relationship between you and Core Access.

Any policies, procedures, incident-response plans, business continuity plans, or other documents generated through CoreRisk should be reviewed by your own legal counsel, compliance advisor, insurance advisor, and qualified security professionals before adoption or use.


6. Customer Responsibilities

You are responsible for:

  1. Providing accurate and complete information.
  2. Maintaining the confidentiality of your account credentials.
  3. Ensuring that only authorized users access your CoreRisk account.
  4. Reviewing all reports, documents, policies, and recommendations before use.
  5. Deciding whether to implement any recommendation.
  6. Implementing, testing, monitoring, and maintaining your own security controls unless you separately purchase implementation services.
  7. Maintaining backups of your systems and data.
  8. Maintaining appropriate cyber insurance, professional liability insurance, and other insurance.
  9. Complying with all laws, regulations, contracts, and industry requirements applicable to your business.
  10. Obtaining required approvals before giving Core Access access to any system, account, tenant, data, or environment.
  11. Removing unnecessary access after any remediation or service engagement ends.
  12. Ensuring your users, employees, contractors, and vendors follow your security policies and procedures.

7. Authorization for Remediation Services

If you purchase remediation services, you authorize Core Access and its personnel or approved contractors to access the systems, accounts, tenants, devices, applications, or environments reasonably necessary to perform the agreed services.

You represent and warrant that:

  1. You have legal authority to grant such access.
  2. You have obtained all necessary internal approvals.
  3. You have the right to authorize changes to the applicable systems.
  4. Providing access to Core Access will not violate any law, contract, policy, or third-party obligation.
  5. You will provide accurate administrative credentials, access instructions, and system information when needed.
  6. You will maintain current backups before any material system changes are made.

Core Access may decline, pause, or stop remediation work if we believe access is unauthorized, unsafe, incomplete, unlawful, outside scope, or likely to create unreasonable risk.


8. Scope of Remediation Services

Remediation services are limited to the specific tasks listed in the applicable order, proposal, invoice, service description, ticket, statement of work, or written confirmation.

Unless expressly stated in writing, remediation services do not include:

Any services outside the agreed scope require a separate written agreement or written approval.


9. Production System Risk

You acknowledge that technical remediation work may involve changes to live production systems.

Even when performed carefully, system changes may cause unexpected issues, including downtime, user access problems, email delivery issues, application errors, data synchronization issues, permission changes, backup failures, configuration conflicts, or other business interruptions.

You are responsible for maintaining backups, recovery options, vendor support, administrative access, and internal change approval processes.

Core Access is not responsible for pre-existing issues, unsupported systems, vendor outages, third-party platform limitations, inaccurate customer-provided information, undocumented configurations, customer delays, customer misuse, or issues caused by changes made by you or third parties.


10. Generated Documents

CoreRisk may generate documents using automated systems, templates, rules, questionnaires, and customer-provided information.

Generated documents are starting points for your review and adoption. They are not guaranteed to be complete, legally sufficient, compliant, enforceable, accepted by auditors, accepted by insurers, accepted by regulators, or suitable for every business.

You are responsible for reviewing, editing, approving, adopting, implementing, distributing, training on, and maintaining any generated document.

A policy that is generated but not implemented, followed, tested, updated, and enforced may not reduce your risk.


11. Scores, Estimates, and Breach-Cost Ranges

CoreRisk may provide exposure percentages, risk levels, breach-cost ranges, estimated business impact, remediation priorities, or similar outputs.

These outputs are estimates only.

They are based on your self-reported answers, general risk assumptions, available models, and the information available at the time of generation.

They are not financial advice, insurance advice, actuarial analysis, legal advice, guaranteed loss predictions, or verified measurements of your actual risk.

Actual losses, costs, downtime, recovery expenses, legal fees, regulatory penalties, ransom demands, customer losses, reputational harm, and insurance outcomes may be higher or lower than any estimate provided by CoreRisk.

You should not rely on CoreRisk estimates as the sole basis for financial planning, insurance decisions, regulatory filings, board reports, investor disclosures, customer representations, or legal obligations.


12. Payment Terms

Certain CoreRisk products require payment.

You agree to pay all fees shown at checkout, in an order form, invoice, proposal, or service agreement.

Fees are due at the time stated during purchase or on the applicable invoice.

Unless otherwise stated in writing, fees are non-refundable once the applicable report, document, portal access, runbook, or service has been delivered or made available.

We may use third-party payment processors. Your payment information may be processed by those providers under their own terms and privacy policies.

You are responsible for all applicable taxes, payment fees, chargebacks, and collection costs.


13. Refund Policy

Because CoreRisk provides digital reports, automated documents, templates, runbooks, assessments, and professional services, all sales are final unless we expressly state otherwise in writing.

We may, in our sole discretion, offer a refund, credit, correction, or replacement if there is a technical error, duplicate charge, failed delivery, or other issue we determine warrants a remedy.

A refund, credit, correction, or replacement in one case does not require us to provide the same remedy in another case.


14. Account Access and Security

You are responsible for maintaining the confidentiality of your login credentials.

You are responsible for all activity under your account.

You must notify us promptly if you believe your account has been compromised.

We may suspend or restrict access if we believe your account is being misused, accessed without authorization, used to harm others, used unlawfully, or used in violation of these Terms.


15. Acceptable Use

You may not use CoreRisk to:

  1. Violate any law or regulation.
  2. Infringe the rights of others.
  3. Upload malicious code.
  4. Attempt to gain unauthorized access to any system.
  5. Reverse engineer or copy the CoreRisk platform.
  6. Interfere with the operation of CoreRisk.
  7. Resell, sublicense, or commercially exploit CoreRisk without written permission.
  8. Submit false, misleading, unlawful, or unauthorized information.
  9. Use CoreRisk to assess or store information about a business you are not authorized to represent.
  10. Use CoreRisk to develop a competing product or service.
  11. Circumvent payment, usage limits, or access controls.
  12. Abuse, harass, threaten, or defraud any person.

We may suspend or terminate access for violations of this section.


16. Customer Data

CoreRisk may collect and process information you provide, including:

Some assessment answers may reveal sensitive information about your security posture. You should only provide information you are authorized to share.

You should not submit protected health information, financial account numbers, Social Security numbers, full payment card numbers, passwords, private keys, confidential customer records, or other highly sensitive information unless we have expressly agreed in writing that such information is required and appropriate for the service.


17. Use of Customer Data

We may use customer data to:

  1. Provide the CoreRisk assessment.
  2. Generate scores, reports, documents, runbooks, recommendations, and action plans.
  3. Deliver purchased products and services.
  4. Contact you about your assessment results.
  5. Contact you about remediation services, managed services, or related offerings.
  6. Provide support.
  7. Improve CoreRisk.
  8. Maintain security and prevent abuse.
  9. Process payments.
  10. Comply with legal obligations.
  11. Enforce these Terms.
  12. Maintain business records.

We may use aggregated, de-identified, or anonymized data to improve our products, create benchmarks, analyze trends, and develop new services, provided such data does not identify you or your business.


18. Marketing Contact Consent

By submitting your contact information, you agree that Core Access may contact you by email, phone, text message, or other communication methods regarding your assessment, report, documents, recommendations, purchases, support requests, remediation opportunities, managed services, and related cybersecurity or IT services.

You may opt out of marketing communications at any time by using the unsubscribe link in an email, replying STOP to applicable text messages where supported, or contacting us directly.

Transactional, service-related, security-related, billing, and account communications may still be sent even if you opt out of marketing.


19. Data Retention

We may retain your account information, assessment answers, generated reports, documents, transaction records, support records, acceptance records, and related business records for as long as reasonably necessary to provide services, maintain records, comply with legal obligations, resolve disputes, enforce agreements, improve the platform, and support legitimate business purposes.

We may delete or anonymize data when it is no longer needed.

You may request deletion of certain information by contacting us, but we may retain information when required or permitted by law, contract, security needs, dispute resolution, accounting requirements, backup systems, or legitimate business purposes.


20. Privacy Policy

Our collection, use, storage, and sharing of personal information may also be described in a separate Privacy Policy.

If there is a conflict between these Terms and the Privacy Policy regarding your use of CoreRisk, these Terms control for contractual matters, and the Privacy Policy controls for privacy disclosures unless otherwise required by law.


21. HIPAA, Regulated Data, and Business Associate Agreements

CoreRisk is not intended to receive protected health information unless we expressly agree otherwise in a separate written agreement.

If you are a covered entity or business associate under HIPAA, you are responsible for determining whether your use of CoreRisk involves protected health information.

Unless we have signed a separate Business Associate Agreement with you, you must not submit protected health information to CoreRisk.

Similarly, you are responsible for determining whether your use of CoreRisk involves regulated financial information, tax information, employee information, consumer information, student information, or other regulated data.


22. Third-Party Services

CoreRisk may reference, integrate with, or depend on third-party platforms, vendors, frameworks, payment processors, cloud providers, email systems, identity providers, Microsoft 365, Google Workspace, backup providers, security tools, or other third-party services.

We do not control third-party services.

We are not responsible for third-party outages, errors, security incidents, policy changes, pricing changes, discontinued features, API changes, data loss, or third-party terms.

Your use of third-party services may be governed by separate agreements between you and those providers.


23. Intellectual Property

CoreRisk, including its software, workflows, questionnaires, templates, scoring methods, reports, designs, text, graphics, logos, prompts, automations, documentation, and related materials, is owned by Core Access Technologies or its licensors.

Subject to your compliance with these Terms and payment of applicable fees, we grant you a limited, non-exclusive, non-transferable, revocable license to use CoreRisk for your internal business purposes.

You may use reports and generated documents delivered to you for your own internal business purposes.

You may not copy, modify, resell, redistribute, sublicense, publish, reverse engineer, scrape, clone, or use CoreRisk materials to build a competing product or service without our written permission.


24. Customer Content License

You retain ownership of the information you submit to CoreRisk.

You grant Core Access a limited license to use, process, store, transmit, display, reproduce, modify, and create outputs from your submitted information as necessary to provide CoreRisk, deliver services, improve the platform, maintain records, comply with law, and enforce these Terms.

You represent that you have all rights and permissions necessary to submit your information to CoreRisk.


25. Confidentiality

Each party may receive non-public business, technical, security, financial, or operational information from the other party.

Each party agrees to use reasonable care to protect the other party's confidential information and to use it only for purposes related to CoreRisk or the applicable services.

Confidential information does not include information that is publicly available, independently developed without use of confidential information, lawfully received from a third party, or already known without confidentiality obligations.

We may disclose confidential information if required by law, subpoena, court order, regulator, or legal process, provided we use reasonable efforts to notify you when legally permitted.


26. Security of the CoreRisk Platform

We use reasonable administrative, technical, and organizational measures designed to protect the CoreRisk platform and customer information.

However, no system is completely secure.

We do not guarantee that CoreRisk, our systems, our vendors, or your data will be free from unauthorized access, compromise, loss, misuse, or interruption.

You are responsible for using strong passwords, protecting your account, limiting access, and avoiding submission of unnecessary sensitive information.


27. Beta Features and Changes

We may update, modify, improve, remove, rename, or discontinue CoreRisk features at any time.

Some features may be experimental, beta, incomplete, or subject to change.

We are not liable for changes to the platform, except as expressly required by a separate written agreement.


28. Disclaimers of Warranties

To the maximum extent permitted by law, CoreRisk and all related services, reports, documents, assessments, estimates, recommendations, templates, runbooks, and outputs are provided "as is" and "as available."

We disclaim all warranties, whether express, implied, statutory, or otherwise, including warranties of merchantability, fitness for a particular purpose, title, non-infringement, accuracy, completeness, availability, security, compliance, and error-free operation.

We do not warrant that:

  1. CoreRisk will meet your specific needs.
  2. CoreRisk will identify every risk, gap, vulnerability, misconfiguration, or compliance issue.
  3. CoreRisk will prevent a cyberattack, data breach, ransomware event, business interruption, or financial loss.
  4. Any score, estimate, report, document, recommendation, or action plan will be accurate, complete, current, or sufficient.
  5. Generated documents will satisfy any law, regulation, contract, insurance requirement, auditor request, or regulator expectation.
  6. Remediation services will eliminate all risk or prevent future incidents.
  7. CoreRisk will be uninterrupted, secure, error-free, or available at all times.

Some jurisdictions do not allow certain warranty disclaimers, so some disclaimers may not apply to you.


29. Limitation of Liability

To the maximum extent permitted by law, Core Access Technologies, its owners, officers, employees, contractors, affiliates, vendors, and licensors will not be liable for any indirect, incidental, consequential, special, exemplary, punitive, or enhanced damages, including lost profits, lost revenue, lost business, lost data, loss of goodwill, downtime, business interruption, cost of replacement services, regulatory penalties, breach costs, ransom payments, forensic costs, notification costs, legal fees, insurance denial, reputational harm, or loss arising from or related to CoreRisk or these Terms.

To the maximum extent permitted by law, our total liability for any claim arising out of or related to CoreRisk, the assessment, reports, generated documents, runbooks, recommendations, or documentation-only tiers will not exceed the greater of:

  1. The amount you paid to Core Access for the specific CoreRisk product giving rise to the claim during the three months before the event giving rise to liability; or
  2. One hundred dollars ($100).

For paid remediation services, unless a separate written agreement states otherwise, our total liability for claims arising from a specific remediation service will not exceed the amount you paid for the specific remediation service giving rise to the claim.

The limitations in this section apply regardless of legal theory, including contract, tort, negligence, strict liability, warranty, statute, or otherwise, even if a remedy fails of its essential purpose.

Nothing in these Terms limits liability that cannot be limited by law.


30. No Responsibility for Uncontrolled Outcomes

You agree that Core Access is not responsible for outcomes outside our reasonable control, including:


31. Indemnification

You agree to defend, indemnify, and hold harmless Core Access Technologies, its owners, officers, employees, contractors, affiliates, vendors, and licensors from and against any claims, damages, losses, liabilities, costs, and expenses, including reasonable attorneys' fees, arising out of or related to:

  1. Your use of CoreRisk.
  2. Your submitted information.
  3. Your inaccurate or incomplete answers.
  4. Your failure to implement, maintain, test, or follow recommended controls, policies, or procedures.
  5. Your violation of these Terms.
  6. Your violation of law or third-party rights.
  7. Your unauthorized disclosure of third-party information.
  8. Your use of CoreRisk outputs for legal, insurance, audit, compliance, or certification purposes without appropriate professional review.
  9. Systems, accounts, environments, or data to which you grant us access.
  10. Claims brought by your customers, employees, vendors, regulators, insurers, or other third parties related to your business, systems, data, or security posture.

32. Suspension and Termination

We may suspend or terminate your access to CoreRisk if:

  1. You violate these Terms.
  2. You fail to pay amounts due.
  3. Your use creates security, legal, operational, or reputational risk.
  4. We suspect unauthorized access or misuse.
  5. We are required to do so by law or third-party provider.
  6. We discontinue the service.

You may stop using CoreRisk at any time.

Termination does not affect payment obligations, limitations of liability, disclaimers, ownership rights, confidentiality obligations, indemnification obligations, or other provisions intended to survive termination.


33. Dispute Resolution

Before filing a lawsuit, either party must first attempt to resolve the dispute informally by providing written notice describing the issue and allowing thirty (30) days for good-faith resolution.

Written notice to Core Access must be sent to:

Core Access Technologies 807 Mango Loop Austin, AR 72007 United States Email: hello@coreaccesstechnologies.com

If the dispute is not resolved within thirty (30) days, either party may pursue available legal remedies, subject to the governing law and venue provisions below.


34. Governing Law and Venue

These Terms are governed by the laws of the State of Arkansas, without regard to conflict-of-law rules.

Any lawsuit or legal proceeding arising out of or related to these Terms or CoreRisk must be brought in the state or federal courts located in Lonoke County, Arkansas, unless applicable law requires a different venue.

You consent to the personal jurisdiction and venue of those courts.


35. Class Action Waiver

To the maximum extent permitted by law, disputes must be brought only on an individual basis.

You may not bring claims as a plaintiff or class member in any class action, collective action, representative action, consolidated action, or private attorney general action.

The court may not consolidate more than one person's claims or preside over any form of class, collective, or representative proceeding.


36. Changes to These Terms

We may update these Terms from time to time.

When we update the Terms, we will revise the effective date or version number.

For material changes, we may require you to accept the updated Terms before continuing to use CoreRisk.

We may keep records showing the version of the Terms you accepted, the date and time of acceptance, and related account information.

Continued use of CoreRisk after updated Terms become effective means you accept the updated Terms.


37. Electronic Acceptance

You agree that clicking "I Agree," checking an acceptance box, creating an account, starting an assessment, purchasing a product, or using CoreRisk constitutes your electronic signature and acceptance of these Terms.

You agree that electronic records of acceptance are legally binding.

We may record the date, time, account, IP address, email address, Terms version, and other information related to acceptance.


38. Notices

We may send notices by email, in-app notification, website posting, account message, or other reasonable method.

You are responsible for keeping your contact information current.

Notices to you are deemed given when sent to the email address associated with your account.


39. Assignment

You may not assign or transfer these Terms without our prior written consent.

We may assign these Terms in connection with a merger, acquisition, sale of assets, reorganization, change of control, or transfer of business operations.


40. Force Majeure

We are not liable for delays, failures, or interruptions caused by events beyond our reasonable control, including natural disasters, power failures, internet outages, labor disputes, cyberattacks, vendor failures, cloud provider outages, war, terrorism, civil unrest, government action, pandemics, or other force majeure events.


41. Severability

If any provision of these Terms is found unenforceable, the remaining provisions remain in effect.

The unenforceable provision will be modified to the minimum extent necessary to make it enforceable, or, if modification is not permitted, severed from these Terms.


42. Entire Agreement

These Terms, together with any applicable order form, invoice, statement of work, privacy policy, service agreement, or written addendum, make up the entire agreement between you and Core Access regarding CoreRisk.

If there is a conflict between these Terms and a signed statement of work or service agreement, the signed statement of work or service agreement controls for the specific services covered by that document.


43. Contact Information

Questions about these Terms may be sent to:

Core Access Technologies 807 Mango Loop Austin, AR 72007 United States Email: hello@coreaccesstechnologies.com Phone: 870-686-8053


44. Customer Acknowledgment

By using CoreRisk, you acknowledge and agree that:

  1. CoreRisk is based primarily on self-reported information.
  2. CoreRisk does not independently verify your answers unless separately agreed in writing.
  3. CoreRisk is not a technical audit, penetration test, compliance certification, or legal opinion.
  4. Scores and breach-cost estimates are estimates only.
  5. Reports, runbooks, and generated documents do not implement security controls.
  6. Documentation alone does not make your business secure.
  7. Remediation services are limited to the agreed scope.
  8. No cybersecurity product or service can guarantee prevention of all cyber incidents.
  9. You remain responsible for your own systems, users, data, vendors, compliance obligations, backups, insurance, and business decisions.
  10. You should obtain legal, compliance, insurance, and cybersecurity advice appropriate for your business.