bigforceone
FORCE// LICENSE & SUBSCRIPTION AGREEMENT

License & Subscription Agreement

v1.0 · Effective April 27, 2026 · BigForgeOne LLC

The full agreement is in active legal review. This page presents Section 4A — Regulated Information Prohibition in full because automated rejection responses in the FORCE platform link directly to it. The remaining sections (Use Restrictions, Customer Data, Term & Termination, Limitation of Liability, etc.) will be published in their entirety following attorney review and formal sign-off.

4A. Regulated Information Prohibition

Inserted between Section 4 (Use Restrictions) and Section 5 (Customer Data).

4A.1 Definitions

For purposes of this Section, “Regulated Information” means: (a) Controlled Unclassified Information (CUI) as defined in 32 CFR Part 2002 and the CUI Registry maintained by the National Archives Information Security Oversight Office; (b) Federal Contract Information (FCI) as defined in FAR 52.204-21; (c) Covered Defense Information (CDI) as defined in DFARS 252.204-7012; (d) information subject to the International Traffic in Arms Regulations (ITAR), 22 CFR Parts 120-130; (e) information subject to the Export Administration Regulations (EAR), 15 CFR Parts 730-774; (f) classified information at any level; and (g) any other information that the United States Government or Customer's contracting partner has designated as requiring safeguarding or dissemination controls.

4A.2 Provider Environment Not Authorized

Customer acknowledges and agrees that the Provider environment, including but not limited to the FORCE platform, the FORGE platform, Provider's commercial Microsoft 365 tenant, Provider's Amazon Web Services accounts, and any communication channel operated by Provider including email, chat, voice, video, and ticketing systems, is not authorized, certified, or designed to receive, store, process, or transmit Regulated Information. Provider does not hold authorizations such as DFARS 252.204-7012 attestation, FedRAMP Moderate or High, IL-4 or higher, or CMMC Level 2 or higher for the receipt of Regulated Information.

4A.3 Customer Warranty

Customer represents, warrants, and covenants that Customer shall not, and shall ensure its personnel, agents, affiliates, and representatives do not, transmit, upload, attach, embed, paste, dictate, link, or otherwise convey any Regulated Information to Provider or to the FORCE platform, the FORGE platform, or any communication channel operated by Provider, whether intentionally or inadvertently. Customer is solely responsible for ensuring its evidence uploads, narrative text, configuration exports, screenshots, and any other content conveyed to Provider have been reviewed and confirmed not to contain Regulated Information.

4A.4 Inadvertent Transmission

If Customer becomes aware that Regulated Information has been transmitted to Provider, Customer shall immediately notify Provider at security@bigforgeone.com using a non-Regulated communication channel, identify the approximate date, channel, and nature of the transmission without including the Regulated Information itself in the notification, and cooperate with Provider's incident response procedure under Section 4A.5.

4A.5 Provider Response

Upon detection of suspected Regulated Information in Provider's environment, whether by Customer notification under Section 4A.4 or by Provider's automated detection systems, Provider shall: (i) cease processing of the affected content; (ii) isolate the content from further distribution including backups, indices, and analytics; (iii) return or destroy the content under cryptographic confirmation within four hours of detection; (iv) document the incident in an internal log retained for seven years; and (v) provide Customer a written confirmation of return or destruction. Provider shall not analyze, transcribe, summarize, or otherwise process the contents of suspected Regulated Information beyond what is necessary to complete the foregoing isolation and disposition.

4A.6 No Implied Authorization

Nothing in this Agreement, including any general data security commitments under Section 7 or any service description, shall be construed as Provider authorization, certification, or commitment to receive, store, process, or transmit Regulated Information. The receipt of Regulated Information by Provider is a breach of this Agreement by Customer regardless of any subsequent handling by Provider.

4A.7 Allocation of Compliance Obligations

Customer is solely responsible for compliance with all laws, regulations, and contractual obligations applicable to Regulated Information, including without limitation DFARS 252.204-7012, FAR 52.204-21, ITAR, EAR, and any prime contractor flow-down requirements. Provider expressly disclaims any obligation under such laws, regulations, or contractual obligations as a result of providing the FORCE or FORGE service to Customer.

Verify Our Disposition Signatures

Per Section 4A.5 above, when regulated information is destroyed or returned, BigForgeOne provides cryptographic confirmation signed with the founder PGP key. Verify any signed message we send you against this public key:

Key ID
7032C01A
Fingerprint
8BFD 7880 3A95 A67B 94AE FF8F DC22 CE74 7032 C01A
Type
RSA 4096-bit
UID
Chris Duncan <security@bigforgeone.com>
Expires
2028-04-27

Download the full ASCII-armored public key: bigforgeone-cui-disposition.asc

Always verify the fingerprint above matches the key you import before trusting any signature attributed to it.

For the contractual definition of Customer Data, see Section 5. For limitation of liability flowing from a breach of this section, see Section 11. For termination grounds, see Section 14. The full agreement publishes at this URL once legal review completes.