Terms of Use

By using any Sylvan Assurance, LLC service — the GDPR Checklist, the SMB Security Assessment, the PSIRT Response toolkit (any edition), or any accompanying downloadable materials — you agree to the following terms. These terms form an agreement between you and Sylvan Assurance, LLC (the "Company"). If you do not agree, please do not use the service.

1. Nature of the Services

Each Sylvan Assurance product is a self-assessment and educational tool paired with downloadable templates, guides, and worksheets. The products help small business owners and small product teams identify common gaps and surface recommended practices drawn from widely recognised standards and frameworks — for example, the General Data Protection Regulation (GDPR), the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the Center for Internet Security (CIS) Controls, and the Forum of Incident Response and Security Teams (FIRST) Product Security Incident Response Team (PSIRT) Services Framework.

Each product is general guidance. None is a professional security audit, a penetration test, a compliance certification, or a consulting engagement, and none is a substitute for advice tailored to your specific environment by a qualified security or legal professional.

2. Not Professional or Legal Advice

All content of the services — including questions, explanations, scores, priority lists, roadmaps, toolkits, templates, sample case files, and worked examples — is provided for educational and informational purposes only. It does not constitute professional security advice, legal advice, or compliance certification, and it does not create any advisory, consulting, attorney-client, or fiduciary relationship between the Company and the user.

Where any service refers to laws or regulations — for example, the GDPR, the California Consumer Privacy Act (CCPA), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), the European Union Cyber Resilience Act (CRA), or sector-specific rules — it does so for general awareness only. Confirm your specific regulatory obligations with qualified legal counsel or your competent supervisory authority.

3. The Recommendations Are Optional and Not a Guarantee

Every recommendation, priority action, and roadmap item across our services is an optional, recommended practice — a widely accepted way to reduce a common risk. None of it is a mandatory instruction and none is a one-to-one promise of safety, security, or compliance.

Security and compliance are context-dependent. The right measures for your organisation depend on your systems, your data, your resources, your jurisdiction, and your risk tolerance. You decide which recommendations to adopt, adapt, or decline.

Adopting recommended practices reduces exposure to common attack patterns and common compliance gaps, but it does not guarantee security, does not guarantee compliance, and does not prevent any particular breach, incident, fine, or loss. No measure or combination of measures can.

The methodologies, phase workflows, readiness checklists, templates, letter libraries, decision trees, and worked examples are illustrative and non-exhaustive. They describe approaches commonly used by other organisations. They are not represented to be a complete, sufficient, or correct programme for your organisation, and completing any suggested action — in whole or in part — does not mean your organisation is secure or compliant. You are solely responsible for determining what additional, different, or alternative measures your circumstances require, and for verifying any suggestion with a qualified professional before relying on it.

Responsibility for the security, products, data, and compliance of your business remains yours as the operator of your business.

4. No Warranty

The services are provided "as is" and "as available", without warranty of any kind, express or implied. The Company makes no representations or warranties regarding:

• The accuracy, completeness, or currentness of any content
• The fitness of any service for any particular purpose
• The continued availability of any service
• Any outcome, including that following the guidance will prevent or mitigate any security incident or regulatory action

Security threats, regulatory guidance, and best practices evolve. The content represents the Company's understanding at a point in time, and it is your responsibility to verify that guidance remains current when you apply it.

5. Limitation of Liability

To the maximum extent permitted by applicable law, the Company shall not be liable for any indirect, incidental, consequential, special, exemplary, or punitive damages, or for any loss of profits, revenue, or data, arising out of or related to your use of any service — including any security incident, breach, regulatory action, fine, or loss — even if the Company has been advised of the possibility of such damages.

The Company's total aggregate liability for any claim arising out of or related to any service shall not exceed the amount you paid to access that service in the twelve (12) months preceding the claim, or one hundred United States dollars ($100), whichever is greater.

You agree that you will not use any service to make decisions with material legal, financial, or operational consequences for your organisation without independent verification by qualified professionals.

6. Refund Policy

Every paid edition is offered with a 30-day money-back guarantee from the date of purchase. If you are not satisfied for any reason within 30 days of purchase, you may request a full refund by emailing support@sylvanassurance.com with your order reference. See the Refund Policy for the full procedure.

7. Intellectual Property

All content of the services — including questions, explanations, scoring logic, toolkits, templates, sample materials, slide decks, spreadsheets, and downloadable materials — is the property of the Company. You receive a non-exclusive, non-transferable licence to use the content for your own organisation's internal compliance, security, and incident-response purposes.

You may not:

• Resell, redistribute, or republish the content
• Use the content to provide compliance, security, or incident-response services to third parties on a commercial basis, except where you have purchased the Pro / Consultant / Enterprise edition (or an applicable add-on) and you are operating within its licensed scope
• Remove the Company's identification or disclaimers
• Use the content in a manner that misrepresents its origin or scope

8. Privacy of Your Use of the Services

Every free self-assessment runs entirely in your browser. Your answers, your score, and your category breakdown are not transmitted to the Company or any third party. Local browser storage is used only to remember that you have accepted these terms; on the GDPR full edition, local storage is also used to let you resume an in-progress assessment on the same device. Nothing is sent to us.

If you choose to enter your email address to receive a free guide, that email is transmitted to our email-service provider's form endpoint so we can send you the guide. The form on each free assessment expressly states that only your email is transmitted — never your answers or score.

If you purchase a paid edition, your name, email address, billing country, and any optional custom field you choose to fill in are processed by our payment provider (Lemon Squeezy) to complete the transaction, calculate applicable taxes, send your receipt, and deliver access to your purchase. The Company does not sell or share user data.

Our corporate website is served through Cloudflare. Cloudflare collects standard server-side request logs (page URL, response code, country inferred from Internet Protocol address, browser and operating-system family). We use Cloudflare's aggregated "Web Analytics" view of those logs to count page views and identify referring sources. We do not install any JavaScript-based analytics, tracking pixels, or third-party cookies. Cloudflare's logs are not used to identify individual visitors; they are aggregated for traffic-volume reporting only.

9. Acceptable Use

You agree not to:

• Use any service for any unlawful purpose
• Attempt to gain unauthorised access to any portion of any service
• Reverse engineer or attempt to extract source code except where permitted by mandatory law
• Use automated tools to scrape, copy, or interfere with any service

10. Changes to These Terms

The Company may update these terms from time to time. Material changes will be reflected in an updated effective date. Continued use of any service after a material change constitutes acceptance of the updated terms.

11. Governing Law

These terms are governed by the laws of the State of Vermont, United States. Any dispute arising out of or related to these terms shall be resolved in the courts of the State of Vermont.

12. Contact

Questions about these terms may be directed to support@sylvanassurance.com. A real person reads every email.

Document version 2.0 — Upon first publication. This is the umbrella Terms of Use for all Sylvan Assurance, LLC products and the corporate website. Where any per-product Terms of Use document is in effect, the substantive content is the same; this umbrella version is the single source of truth.