Legal

1. Terms of Service

1.1 Acceptance

By creating an account or using the COMMAND Agent Operations Center (“Service”), you agree to these Terms of Service (“Terms”). If you are entering into these Terms on behalf of a company or other legal entity, you represent that you have the authority to bind that entity. If you do not agree, do not use the Service.

1.2 Eligibility

You must be at least 18 years old and able to form a binding contract. The Service is intended for business use by professionals managing AI agent operations.

1.3 Account Terms

• You are responsible for maintaining the security of your account credentials and API keys.
• You are responsible for all activity under your account and workspace.
• You must provide accurate, current information during registration.
• One person or legal entity may maintain no more than one free account.

1.4 Intellectual Property

You retain all rights to content you submit to the Service, including task descriptions, agent configurations, and handoff context. GlobaLink LLC retains all rights to the Service itself, including its software, design, and documentation. The Service may not be copied, modified, or reverse-engineered.

1.5 Service Availability

We strive to maintain high availability but do not guarantee uninterrupted service. We may modify, suspend, or discontinue any part of the Service with 30 days' notice for material changes. Emergency maintenance may occur without prior notice.

1.6 Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW, GlobaLink LLC SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR ANY LOSS OF PROFITS OR REVENUES, WHETHER INCURRED DIRECTLY OR INDIRECTLY. OUR TOTAL LIABILITY FOR ANY CLAIM ARISING FROM THESE TERMS SHALL NOT EXCEED THE AMOUNT YOU PAID US IN THE 12 MONTHS PRECEDING THE CLAIM.

1.7 Indemnification

You agree to indemnify and hold harmless GlobaLink LLC, its officers, directors, employees, and agents from any claims, damages, or expenses arising from your use of the Service or violation of these Terms.

1.8 Governing Law

These Terms are governed by the laws of the State of Florida, without regard to conflict of law principles. Any disputes shall be resolved in the state or federal courts located in Miami-Dade County, Florida.

1.9 Termination

Either party may terminate at any time. You may cancel your account from Settings or by contacting support@globalinkservices.io. We may terminate or suspend your account for violation of these Terms with reasonable notice. Upon termination, your right to use the Service ceases immediately. Data deletion follows the retention policy below.

2. Privacy Policy

2.1 Data Controller

GlobaLink LLC, 66 W Flagler St, Miami FL 33130, is the data controller for personal data processed through the Service. For privacy inquiries, contact our Data Protection Officer at privacy@globalinkservices.io.

2.2 Data We Collect

• Account data: email address, name, workspace name, billing address
• Usage data: agent registrations, task routing events, handoff logs, audit ledger entries
• API keys (BYOK): stored encrypted via Supabase Vault, never logged in plaintext, never shared
• Payment data:processed exclusively by Stripe — COMMAND never stores card numbers
• Device and log data: IP address, browser type, operating system, referral URL, pages visited, timestamps

2.3 Legal Basis for Processing

• Contract performance: processing necessary to provide the Service you signed up for
• Legitimate interest: security monitoring, fraud prevention, product improvement
• Consent: optional analytics (Microsoft Clarity), marketing communications
• Legal obligation: tax records, compliance with lawful requests

2.4 How We Use Your Data

• To operate the COMMAND Agent Operations Center
• To provide the Agent Status Dashboard, Task Router, Canvas, and Context Bridge features
• To maintain the append-only audit ledger (SHA-256 chain) for your workspace
• To send transactional emails (billing, security alerts, product updates)
• We do not sell your data. We do not share your data with advertisers.

2.5 Data Subject Rights (GDPR)

If you are in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under GDPR:

• Access: request a copy of your personal data
• Rectification: correct inaccurate data
• Erasure:request deletion of your data (“right to be forgotten”)
• Data portability: receive your data in a structured, machine-readable format (JSON)
• Restriction: request we limit processing of your data
• Objection: object to processing based on legitimate interest
• Withdraw consent: where processing is based on consent, withdraw at any time

To exercise these rights, contact privacy@globalinkservices.io. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.

2.6 California Privacy Rights (CCPA)

If you are a California resident, you have the right to: (1) know what personal information we collect, use, and disclose; (2) request deletion of your personal information; (3) opt out of the sale of personal information (we do not sell personal information); (4) non-discrimination for exercising your rights. To exercise these rights, contact privacy@globalinkservices.io.

2.7 International Transfers

Data is processed in the United States. For transfers from the EEA/UK, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission. A copy of the SCCs is available upon request as part of our Data Processing Agreement.

2.8 Data Retention

• Active accounts: data retained for the duration of your subscription
• After cancellation: workspace data purged within 30 days
• Audit ledger: retained for 90 days after workspace deletion for compliance
• Billing records: retained for 7 years per tax requirements
• Server logs: retained for 30 days, then automatically purged

3. Acceptable Use Policy

3.1 Prohibited Uses

You may not use the Service to:

• Violate any applicable law or regulation in any jurisdiction
• Generate, store, or transmit content that is unlawful, harmful, threatening, abusive, defamatory, or otherwise objectionable
• Attempt to gain unauthorized access to other users' workspaces or data
• Interfere with or disrupt the Service or servers or networks connected to the Service
• Use the Service for any form of automated decision-making that produces legal effects on individuals without human oversight
• Resell access to the Service without a written agency or white-label agreement

3.2 Rate Limits and Fair Use

The Service enforces per-workspace rate limits on API calls, task dispatches, and agent registrations as defined by your plan tier. Automated systems that exceed these limits may be throttled or suspended.

3.3 Enforcement

Violation of this policy may result in temporary suspension or permanent termination of your account. We will provide notice and an opportunity to cure when practicable, except in cases of severe or repeated violations.

4. Cookie Policy

We do not use advertising cookies or third-party tracking cookies. You can disable non-essential cookies in your browser settings. Disabling essential cookies will prevent you from using the Service.

5. Security Overview

5.1 Infrastructure

• Hosting: Vercel (edge network, automatic TLS, DDoS protection)
• Database: Supabase (managed PostgreSQL, AWS us-east-1)
• Encryption at rest: AES-256 (Supabase/AWS default)
• Encryption in transit: TLS 1.2+ on all connections
• Secrets management: API keys encrypted via Supabase Vault

5.2 Access Controls

• Row-Level Security (RLS) enforced on all database tables — workspace data is tenant-isolated
• Authentication via Supabase Auth (email/password, magic link)
• Service role keys restricted to server-side API routes only
• Workspace-scoped API keys — each workspace has its own MCP secret

5.3 Audit Trail

All workspace operations are logged to an append-only audit ledger with SHA-256 hash chain integrity. Audit entries cannot be modified or deleted. The ledger is available for export from Settings.

5.4 Compliance Roadmap

• SOC 2 Type II: planned upon reaching $25K MRR
• Penetration testing: annual third-party assessment planned
• Bug bounty: responsible disclosure to support@globalinkservices.io

6. Data Processing Agreement

GlobaLink LLC offers a Data Processing Agreement (DPA) for Pro, Studio, and Agency customers. The DPA covers:

• Standard Contractual Clauses (SCCs) for international transfers
• Technical and organizational measures for data protection
• Sub-processor management and notification obligations
• Data breach notification procedures
• Data return and deletion upon termination

7. Sub-Processors

The following third-party sub-processors are used to deliver the Service. We will notify customers with an active DPA at least 30 days before adding a new sub-processor.

8. Service Level Agreement

8.1 Uptime Commitment

8.2 Incident Severity

• P1 (Critical):Service completely unavailable — response within 1 hour
• P2 (Major):Core feature degraded (Router, Bridge, Dashboard) — response within 4 hours
• P3 (Minor):Non-critical feature issue — response within 1 business day
• P4 (Low):Cosmetic or documentation issue — response within 3 business days

8.3 SLA Credits

If monthly uptime falls below the committed target for paid plans, affected customers may request a service credit equal to 10% of that month's subscription fee for each full 0.1% below target, up to a maximum of 30% of the monthly fee. Credits must be requested within 30 days of the incident.

8.4 Exclusions

SLA commitments do not apply to: scheduled maintenance (announced 48 hours in advance), force majeure events, third-party provider outages (Supabase, Vercel, Stripe), or issues caused by customer actions.

9. Data Residency & Retention

Your workspace data is stored in Supabase (PostgreSQL, AWS us-east-1, North Virginia). Vercel edge functions process requests globally with no persistent storage. API keys are encrypted at rest using Supabase Vault.

9.1 Data Deletion

You can request account and workspace deletion from Settings or by contacting support@globalinkservices.io. Upon deletion: workspace data is purged within 30 days, audit ledger entries are retained for 90 days for compliance, billing records are retained for 7 years per tax requirements, and backups containing your data expire within 30 days.

9.2 Data Portability

You can export your workspace data in JSON format from the Settings page. Exports include: agent configurations, task history, audit ledger entries, and handoff records. API keys are excluded from exports for security.

10. Breach Notification

10.1 Notification Timeline

• GDPR: notification to supervisory authority within 72 hours of becoming aware of a breach involving personal data
• CCPA: notification to affected California residents in the most expedient time possible and without unreasonable delay
• Customers: notification to affected workspace owners via email within 72 hours

10.2 Notification Content

Breach notifications will include: nature of the breach, categories and approximate number of records affected, likely consequences, measures taken or proposed to address the breach, and contact information for follow-up questions.

10.3 Remediation

In the event of a data breach, GlobaLink LLC will: (1) contain and investigate the incident, (2) notify affected parties per the timeline above, (3) implement corrective measures to prevent recurrence, and (4) provide a post-incident report to affected customers within 30 days.

Contact

• General support: support@globalinkservices.io
• Data protection / privacy: privacy@globalinkservices.io
• DPA requests: jason@globalinkservices.io
• Entity: GlobaLink LLC, 66 W Flagler St, Miami FL 33130