Version 2.0 · Effective date: April 15, 2026 · Last updated: March 30, 2026
VimyHQ is owned and operated by BluePeak Systems Inc., a corporation incorporated under the laws of British Columbia, Canada, with its principal office at Kelowna, BC, Canada.
These Terms constitute a legally binding agreement between BluePeak Systems Inc. and the Customer. If you are accepting these Terms on behalf of a company, organization, or other legal entity, you represent and warrant that you have the authority to bind that entity and its affiliates to these Terms. If you lack such authority, you may not accept these Terms or use the Service.
For questions regarding these Terms, contact us at [email protected].
VimyHQ is a cloud-based, AI-native cybersecurity detection and autonomous response platform. The Service includes:
All data processing and AI inference occurs on infrastructure located exclusively in Canada. Customer Data does not leave Canadian jurisdiction for processing or storage.
VimyHQ employs a multi-tenant architecture with database-per-tenant isolation. Customer Data is never co-mingled between tenants. All data is encrypted using AES-256 at rest and TLS 1.3 in transit.
BluePeak reserves the right, at its sole discretion, to modify, update, suspend, or permanently discontinue any feature, component, integration, or functionality of the Service or Agent at any time, with or without notice. The Customer acknowledges that VimyHQ is a continuously evolving platform and that the specific features available at any given time may differ from those available at the time of subscription. The Customer's sole remedy for dissatisfaction with a Service modification is to terminate the subscription in accordance with Section 21.
VimyHQ offers three subscription tiers: Sentinel, Bastion, and Citadel. Current plan details, pricing, and a full feature comparison are available at vimyhq.com/pricing. BluePeak reserves the right to modify pricing with 30 days' advance notice; changes apply at the next renewal cycle.
6.1 Nature of the Agent: The Agent is a lightweight, optional software component that runs in user-space on Customer infrastructure. It does not require kernel-level access. The Agent collects telemetry, logs, and security event data and transmits it to the Service for analysis.
6.2 Customer Responsibility: The Customer is solely responsible for the decision to install the Agent, the selection of systems on which the Agent is installed, and the proper installation, configuration, updating, and removal of the Agent.
6.3 Pre-Installation Obligations: Before installing the Agent, the Customer must ensure compatibility, perform testing in a non-production environment, maintain current backups, obtain all necessary internal approvals, and ensure sufficient system resources are available.
6.4 Customer Environment: The Customer Environment is exclusively owned, controlled, and managed by the Customer. BluePeak has no responsibility for the Customer Environment, including its availability, performance, security, configuration, or fitness for any purpose.
6.5 No Liability for Agent Impact: TO THE MAXIMUM EXTENT PERMITTED BY LAW, BLUEPEAK SHALL NOT BE LIABLE FOR ANY DAMAGE, LOSS, DOWNTIME, DATA LOSS, PERFORMANCE DEGRADATION, SYSTEM INSTABILITY, OR ANY OTHER ADVERSE EFFECT ARISING FROM OR RELATED TO THE INSTALLATION, OPERATION, MALFUNCTION, OR REMOVAL OF THE AGENT ON CUSTOMER INFRASTRUCTURE. This includes system crashes, software conflicts, data loss, network disruption, or business interruption of any kind related to the Agent.
6.6 Agent Updates: The Customer is responsible for applying updates in a timely manner. BluePeak does not push updates to Customer infrastructure without Customer action unless automatic updates have been explicitly enabled.
6.7 Removal: The Customer may remove the Agent at any time. Upon termination of these Terms, the Customer must remove the Agent from all systems within 30 days.
6.8 Agent License: The Agent is licensed, not sold. The Customer may not reverse engineer, decompile, modify, or create derivative works of the Agent.
You may use VimyHQ and the Agent only for lawful security operations within environments you own or are expressly authorized to monitor. You represent and warrant that you have obtained all necessary consents, authorizations, and legal rights to deploy monitoring software and collect data in your environment.
The following activities are strictly prohibited:
We reserve the right to suspend or terminate accounts that violate this policy immediately and without prior notice.
VimyHQ provides security monitoring and Compliance Evidence artifacts. VimyHQ is not a compliance tool, not a legal advisory service, not an audit firm, and does not provide legal, audit, or compliance advisory services of any kind.
Compliance Evidence, including reports, evidence exports, and framework mappings (including SOC 2, ISO 27001, PIPEDA, NIST CSF, Law 25, and others), are provided as informational tools to assist qualified auditors. They do not constitute certification, attestation, or verification of compliance with any regulatory framework, standard, or law.
BLUEPEAK EXPRESSLY DISCLAIMS ALL LIABILITY ARISING FROM THE CUSTOMER'S USE OF OR RELIANCE ON COMPLIANCE EVIDENCE FOR ANY PURPOSE, INCLUDING AUDIT FAILURES, REGULATORY PENALTIES, OR LEGAL PROCEEDINGS.
10.1 Nature of AI Processing: VimyHQ uses artificial intelligence as a core component of its threat detection, severity scoring, investigation, and response capabilities. The AI analyzes security telemetry, identifies patterns indicative of threats, assigns severity scores, generates investigation summaries, and — when autonomous response is enabled — triggers defensive actions without human intervention.
10.2 Inherent Limitations of AI: The Customer acknowledges and agrees that AI-driven security analysis is inherently probabilistic and imperfect. No AI system, regardless of sophistication, can guarantee 100% accuracy in threat detection. Specifically, the Customer understands and accepts that:
10.3 AI Outputs Are Not Professional Advice: AI-generated outputs are advisory only. They do not constitute professional security advice, legal counsel, compliance guidance, or incident response planning. The Customer must exercise independent professional judgment before acting on any AI output.
10.4 — BLUEPEAK MAKES NO WARRANTY, EXPRESS OR IMPLIED, REGARDING THE ACCURACY, COMPLETENESS, TIMELINESS, OR RELIABILITY OF ANY AI-GENERATED OUTPUT. THE CUSTOMER ASSUMES ALL RISK ASSOCIATED WITH DECISIONS MADE IN RELIANCE ON AI OUTPUTS.
10.5 Data Sovereignty: All AI inference occurs on infrastructure located exclusively in Canada. Customer Data is not sent to any foreign AI provider. AI models are not trained or fine-tuned on Customer Data.
11.1 How Autonomous Response Works: VimyHQ offers three response modes configurable by the Customer: Supervised Response (human approval required), Supervised Automated Response (pre-approved action categories), and Fully Autonomous Response (AI detects, decides, and executes without human intervention). Automated actions may include session revocation, IP blocking, MFA enforcement, account disabling, process termination, and network segmentation.
11.2 Risk of False Positives: THE CUSTOMER ACKNOWLEDGES AND ACCEPTS THAT WHEN AUTONOMOUS OR AUTOMATED RESPONSE IS ENABLED, THE AI MAY TAKE DEFENSIVE ACTIONS BASED ON INCORRECT THREAT ASSESSMENTS (FALSE POSITIVES). THIS MEANS THE SYSTEM MAY BLOCK LEGITIMATE USERS, DISABLE VALID ACCOUNTS, TERMINATE LEGITIMATE PROCESSES, OR DISRUPT BUSINESS-CRITICAL SERVICES BASED ON AN AI DETERMINATION THAT IS LATER FOUND TO BE INCORRECT. Autonomous actions execute in real time and may cause immediate business impact before a human can review or intervene.
11.3 Customer Responsibility: The Customer is solely responsible for choosing the appropriate response mode, configuring rules of engagement, testing configurations in non-production environments, maintaining the ability to override and reverse automated actions, and implementing rollback procedures.
BluePeak strongly recommends that all customers begin with Supervised Response mode and only enable autonomous response after thoroughly testing their configuration and establishing rollback procedures.
11.4 — TO THE MAXIMUM EXTENT PERMITTED BY LAW, BLUEPEAK SHALL NOT BE LIABLE FOR ANY DAMAGE, LOSS, BUSINESS DISRUPTION, SERVICE OUTAGE, LOST REVENUE, REPUTATIONAL HARM, OR ANY OTHER ADVERSE CONSEQUENCE ARISING FROM AUTOMATED OR AUTONOMOUS RESPONSE ACTIONS, WHETHER TRIGGERED BY ACCURATE OR INCORRECT THREAT DETECTION, OR WHETHER THE ACTIONS WERE PROPORTIONATE OR NOT.
11.5 Audit Trail and Reversibility: All automated and autonomous actions are logged with full audit trails including the AI's threat assessment, severity score, action taken, timestamp, and triggering data. All actions are reversible via rollback functionality. BluePeak retains these audit logs for a minimum of 2 years.
Security is a shared responsibility. VimyHQ provides tools to detect, investigate, and respond to threats, but the Customer retains full responsibility for the security of the Customer Environment.
In the event BluePeak becomes aware of a confirmed unauthorized access to Customer Data stored on the VimyHQ platform, BluePeak will: notify the affected Customer within 72 hours; describe the nature and scope of the incident; describe measures taken to address it; and cooperate reasonably with the Customer's investigation. For clarity, BluePeak's breach notification obligations apply only to Security Incidents affecting VimyHQ platform infrastructure under BluePeak's control. The Customer is solely responsible for its own breach notification obligations under PIPEDA, Law 25, and any other applicable law.
12.3 Customer's Responsibilities:
VimyHQ is a tool to assist security teams. It is not a substitute for a comprehensive security program, qualified security personnel, or professional incident response capabilities.
The VimyHQ platform, the Agent, and all related software, algorithms, AI models, detection logic, user interfaces, APIs, documentation, trademarks, and other materials are and remain the exclusive property of BluePeak Systems Inc. and its licensors. All rights not expressly granted herein are reserved.
Your subscription grants you a limited, non-exclusive, non-transferable, non-sublicensable, revocable right to access and use the Service and Agent during your subscription term. You acquire no ownership interest in the Service, Agent, or any intellectual property of BluePeak.
Feedback, suggestions, or improvement ideas you provide regarding the Service or Agent may be used by BluePeak without obligation, compensation, or attribution to you.
Each party agrees to protect the other party's Confidential Information with the same degree of care it uses to protect its own confidential information, and no less than reasonable care. Confidential Information includes business data, technical specifications, security configurations, detection rules, pricing, and any information marked or reasonably understood to be confidential.
Confidential Information does not include information that: (a) is or becomes publicly available through no fault of the receiving party; (b) was known to the receiving party prior to disclosure; (c) is independently developed without use of the disclosing party's information; (d) is disclosed with prior written consent; or (e) is required by law or legal process.
Confidentiality obligations survive termination of these Terms for a period of three (3) years. For trade secrets, confidentiality obligations survive for as long as the information remains a trade secret under applicable law.
16.1 — TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE SERVICE, AGENT, AND ALL AI-DRIVEN CAPABILITIES ARE PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT, AND ANY WARRANTIES ARISING FROM COURSE OF DEALING OR USAGE OF TRADE.
16.2 Assumption of Risk: THE CUSTOMER EXPRESSLY ASSUMES ALL RISK ARISING FROM THE USE OF THE SERVICE AND AGENT, including specifically:
BY ENABLING AUTONOMOUS RESPONSE, THE CUSTOMER ACKNOWLEDGES THAT IT HAS READ AND UNDERSTOOD SECTIONS 10 AND 11 OF THESE TERMS AND AGREES THAT BLUEPEAK IS NOT LIABLE FOR THE CONSEQUENCES OF AI-DRIVEN ACTIONS, WHETHER CORRECT OR INCORRECT.
The Customer agrees to indemnify, defend, and hold harmless BluePeak Systems Inc., its affiliates, officers, directors, employees, agents, and licensors from and against any and all claims, liabilities, damages, losses, costs, and expenses (including reasonable legal fees) arising out of or related to:
18.2 Indemnification Process: BluePeak will promptly notify the Customer of any claim, provide reasonable cooperation, and allow the Customer to control the defense and settlement. The Customer may not settle any claim in a manner that imposes obligations on BluePeak without BluePeak's prior written consent.
Data retention periods vary by subscription plan:
After termination, you have a 30-day window to export your data. Following the export window, Customer Data will be securely deleted. Certain data may be retained longer where required by law or legitimate legal interest.
VimyHQ uses third-party subprocessors to deliver the Service. All subprocessors that handle Customer Data process such data within Canada. The current list of subprocessors is available at vimyhq.com/subprocessors.
We will provide at least 30 days' advance notice before adding any new subprocessor that processes Customer Data. If you object to a new subprocessor, you may terminate your subscription by providing written notice within the 30-day notice period.
22.1 Governing Law: These Terms are governed by and construed in accordance with the laws of the Province of British Columbia and the federal laws of Canada applicable therein, without regard to conflict-of-law principles. The United Nations Convention on Contracts for the International Sale of Goods does not apply.
22.2 Dispute Resolution: In the event of a dispute, the parties agree to first attempt resolution through good-faith negotiation for 30 days. If unresolved, the dispute shall be submitted to final and binding arbitration administered in Kelowna, British Columbia, Canada, in accordance with the Arbitration Act (British Columbia).
22.3 Class Action Waiver: TO THE MAXIMUM EXTENT PERMITTED BY LAW, ALL CLAIMS AND DISPUTES MUST BE BROUGHT IN A PARTY'S INDIVIDUAL CAPACITY AND NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY PURPORTED CLASS, CONSOLIDATED, OR REPRESENTATIVE PROCEEDING.
22.4 Injunctive Relief: Either party may seek injunctive or other equitable relief in any court of competent jurisdiction to prevent irreparable harm, including protection of intellectual property rights or Confidential Information.
22.5 Statute of Limitations: ANY CLAIM ARISING UNDER OR RELATING TO THESE TERMS MUST BE BROUGHT WITHIN EIGHTEEN (18) MONTHS AFTER THE CAUSE OF ACTION ACCRUES, OR SUCH CLAIM IS PERMANENTLY BARRED.
Neither party will be liable for any delay or failure to perform its obligations (other than payment obligations) due to causes beyond its reasonable control, including acts of God, natural disasters, pandemic, epidemic, war, terrorism, government orders, labor disputes, power outages, internet failures, cyberattacks against infrastructure providers, or failures of third-party service providers.
The affected party must provide prompt written notice, use reasonable efforts to mitigate effects, and resume performance as soon as practicable. If a force majeure event continues for more than 60 consecutive days, either party may terminate these Terms upon written notice.
We may update these Terms from time to time. We will provide at least 30 days' advance notice of material changes via email to your registered address or through an in-platform notification. The updated Terms will indicate a new effective date and version number.
Your continued use of VimyHQ after the effective date of updated Terms constitutes your acceptance of the changes. If you do not agree with the updated Terms, you must stop using the Service, remove the Agent from all systems, and may terminate your subscription in accordance with Section 21.