Terms of Service

Master Subscription Agreement

1. Definitions

1.1 “Agreement” means this Master Subscription Agreement, together with each Order Form incorporated by reference.

1.2 “Authorized Users” means Customer’s internal personnel, including attorneys, employees, and contractors, whom Customer permits to access and use the Services under Customer’s account. Authorized Users are limited to the number of paid seats purchased under the applicable Order Form. Customer may permit more than one individual to use a single Authorized User account (a “Shared Account”), and Customer remains responsible for all activity conducted through any Shared Account.

1.3 “Client Users” means Customer’s clients and other external persons invited by Customer to access client-facing features of the Services (e.g., a client portal). Client Users do not count toward paid seats unless an Order Form expressly states otherwise.

1.4 “Confidential Information” means non-public information disclosed by or on behalf of a party that (a) is designated as confidential, or (b) reasonably should be understood to be confidential given the nature of the information and the circumstances of disclosure. Confidential Information includes Customer Data and the non-public aspects of the Services. Confidential Information does not include information that the receiving party can demonstrate: (i) is or becomes publicly available through no breach of this Agreement; (ii) was rightfully known to the receiving party without restriction before receipt from the disclosing party; (iii) is independently developed by the receiving party without use of the disclosing party’s Confidential Information; or (iv) is rightfully received from a third party without a duty of confidentiality.

1.5 “Customer” means the entity identified as the customer in an Order Form.

1.6 “Customer Data” means all data, content, and materials submitted to, stored in, transmitted through, or otherwise processed by the Services on behalf of Customer or its users, including matter information, contact information, messages, notes, documents, and billing-related data.

1.7 “Fees” means the subscription fees and any other charges payable by Customer as set forth in an Order Form.

1.8 “Order Form” means an ordering document or online checkout/acceptance flow that references this Agreement and identifies Customer, the subscription plan, the paid seat quantity (if applicable), the subscription term, and Fees.

1.9 “Provider” means Thistle Software.

1.10 “Services” means Provider’s hosted software-as-a-service platform known as Thistle, including the web application, any Provider-provided APIs made available to Customer, and related documentation and updates.

1.11 “Term” means the subscription term specified in the applicable Order Form, including any renewal terms.

2. Agreement Structure And Order Of Precedence

2.1 Incorporation. Each Order Form is governed by and incorporates this Agreement by reference.

2.2 Order of Precedence. If there is a conflict among the documents comprising the Agreement, the following order will control: (a) the applicable Order Form; (b) this Agreement; and (c) any policies or exhibits incorporated by reference (if any), solely to the extent of the conflict.

3. Subscription; License; Use Of The Services

3.1 Subscription Grant. Subject to payment of all Fees and Customer’s compliance with this Agreement, Provider grants Customer a limited, non-exclusive, non-transferable, non-sublicensable right during the Term to access and use the Services for Customer’s internal business purposes.

3.2 Authorized Users; Seats. Customer may permit access to the Services only by Authorized Users, up to the number of paid seats specified in the applicable Order Form. Customer is responsible for all actions taken by its Authorized Users and for ensuring their compliance with this Agreement.

3.3 Client Users (No Seat Charge). Customer may invite Client Users to access client-facing features of the Services. Client Users do not count toward Customer’s paid seat quantity and are not permitted to access non-client-facing areas of the Services.

3.4 Shared Accounts (Permitted). Customer may allow multiple individuals to use a Shared Account. Customer acknowledges that Shared Accounts may reduce security, auditability, and feature effectiveness within the Services. Customer remains responsible for all activity and outcomes associated with any Shared Account.

3.5 Credentials; Email/Password Authentication. Authorized Users authenticate using email address and password credentials. Customer is responsible for maintaining the confidentiality of all credentials, including for Shared Accounts, and for promptly notifying Provider of any suspected unauthorized access.

3.6 Restrictions. Customer will not, and will not permit any user to:

  1. access or use the Services except as expressly permitted by this Agreement and the applicable Order Form;
  2. sell, resell, rent, lease, sublicense, distribute, or otherwise make the Services available to any third party, except that Customer may allow Client Users to access client-facing features as permitted under Section 3.3;
  3. reverse engineer, decompile, disassemble, or attempt to derive the source code, underlying ideas, or algorithms of the Services, except to the extent such restriction is prohibited by applicable law;
  4. bypass, disable, or interfere with security- or access-related features of the Services, or probe, scan, or test the vulnerability of the Services without Provider’s prior written authorization;
  5. use the Services to transmit malware or to engage in unlawful, infringing, or abusive conduct; or
  6. remove or obscure proprietary notices in the Services or documentation.

3.7 Provider Rights Reserved. Provider retains all right, title, and interest in and to the Services, documentation, and all related intellectual property. No rights are granted to Customer other than as expressly set forth in this Agreement.

4. Seat Overages; Temporary Grace; Billing Treatment

4.1 Temporary Grace. If Customer exceeds the paid seat quantity specified in an Order Form, Provider may allow temporary continued access during a grace period, in Provider’s discretion. During any grace period, Customer must promptly either (a) reduce the number of Authorized Users to the paid seat quantity, or (b) purchase additional seats effective as provided in Section 4.2.

4.2 Effective Date of Seat Changes; No Proration. Unless the applicable Order Form states otherwise, changes to the paid seat quantity take effect at the beginning of the next billing cycle. Fees are not prorated. Customer is billed for the paid seat quantity for the full billing month, including where seats are added or removed during that month.

4.3 Customer Responsibility. Customer is responsible for monitoring its Authorized User count and usage. Provider may implement reasonable technical measures to display usage, prompt Customer to true-up seat counts, or limit creation of additional Authorized Users after any grace period.

5. Account Administration

5.1 Firm Administrators. Customer will designate one or more Authorized Users as firm administrators (“Admins”). Admins may configure tenant settings, create and manage users, assign roles/permissions available in the Services, and manage integrations.

5.2 User Provisioning and Deprovisioning. Customer is solely responsible for (a) onboarding Authorized Users and Client Users (if enabled), (b) maintaining accurate user information, and (c) promptly disabling access for any user who no longer requires access (including upon termination of employment or engagement).

5.3 Credential Security. Customer is responsible for maintaining the confidentiality and security of all login credentials, including credentials for any Shared Accounts. Customer will ensure that credentials are not exposed, reused insecurely, or transmitted in an unsafe manner. Customer will promptly notify Provider of any suspected unauthorized access or security incident involving Customer accounts.

5.4 Audit Logs. The Services may provide logs or activity history. Customer acknowledges that use of Shared Accounts may reduce auditability and attribution of actions to individuals. Provider does not guarantee that any particular audit log will be available, complete, or retained for any minimum period unless expressly stated in an Order Form.

5.5 Onboarding Support (If Any). Any onboarding, data migration, or configuration assistance provided by Provider will be as described in the applicable Order Form or support policy, and Customer remains responsible for verifying the accuracy and completeness of all Customer Data after onboarding.

6. Fees, Billing, And Taxes

6.1 Fees; Seat Pricing. Customer will pay the Fees specified in the applicable Order Form. Fees are based on the paid seat quantity (Authorized Users) and any add-ons or usage-based items described in the Order Form.

6.2 Billing Cycle; Payment Method. Fees are billed in advance on the billing cycle stated in the Order Form (e.g., monthly). Customer authorizes Provider (or its payment processor) to charge the payment method Customer provides for all amounts due.

6.3 No Proration; Seat Changes. Except as expressly stated in an Order Form, Fees are not prorated. Customer is billed for the paid seat quantity for the full billing month. Changes to the paid seat quantity take effect at the beginning of the next billing cycle.

6.4 Overages; Grace. If Customer exceeds the paid seat quantity, Provider may allow a temporary grace period as described in Section 4.1. Provider may restrict creation of additional Authorized Users after any grace period until Customer reduces usage to the paid seat quantity or purchases additional seats.

6.5 Late Payments; Suspension. Amounts not paid when due may accrue interest at the lesser of (a) 1.5% per month, or (b) the maximum rate permitted by law, from the due date until paid. Provider may suspend access to the Services for nonpayment after providing reasonable notice (which may be by email).

6.6 Taxes. Fees are exclusive of all taxes, levies, and duties imposed by governmental authorities, including sales, use, VAT, GST, and similar taxes. Customer is responsible for all such taxes, except taxes based on Provider’s net income. If Customer is required by law to withhold any amounts, Customer will gross up payments so Provider receives the full amount invoiced unless prohibited by law.

6.7 Payment Processor. Provider may use third-party payment processors. Customer’s payment transactions are subject to the processor’s terms, and Provider is not responsible for the processor’s acts or omissions. Provider does not store full payment card details except as handled by the payment processor.

7. Term And Termination

7.1 Term. This Agreement begins on the Effective Date and continues until all Order Forms have expired or been terminated.

7.2 Initial Term; Renewals. Each Order Form will have an initial term stated in the Order Form and will renew automatically for successive renewal terms of the same length unless either party provides notice of non-renewal at least thirty (30) days before the end of the then-current term (or such other period stated in the Order Form).

7.3 Termination for Cause. Either party may terminate an Order Form (or this Agreement if no Order Forms remain) upon written notice if the other party materially breaches and fails to cure the breach within thirty (30) days after receiving notice (ten (10) days for nonpayment).

7.4 Termination for Convenience. Unless an Order Form expressly allows earlier cancellation, Customer may terminate only at the end of the then-current term by giving timely notice of non-renewal under Section 7.2. Provider may terminate for convenience only if expressly permitted in an Order Form.

7.5 Effect of Termination. Upon termination or expiration of an Order Form: (a) Customer’s and its users’ rights to access the Services under that Order Form cease; (b) Customer remains responsible for all Fees owed through the end of the applicable term; and (c) each party will return or destroy the other party’s Confidential Information as required by Section 10, except as permitted below.

7.6 Data Export Window. For a period of thirty (30) days following termination or expiration (the “Export Period”), Provider will make Customer Data available for export using Provider’s standard export functionality, provided Customer is current on all Fees.

7.7 Deletion. After the Export Period, Provider may delete Customer Data from production systems within a commercially reasonable timeframe, except to the extent retention is required by law or necessary for backups, disaster recovery, dispute resolution, or enforcement of this Agreement. Backup copies may persist for a limited period consistent with Provider’s backup practices.

8. Customer Responsibilities

8.1 Lawful Use; Professional Obligations. Customer will use the Services only for lawful purposes and in compliance with all applicable laws, rules of professional conduct, court rules, confidentiality obligations, and client engagement terms. Customer is responsible for determining whether and how the Services may be used in connection with specific matters and jurisdictions.

8.2 Customer Systems Security. Customer is responsible for the security of its own systems, networks, devices, and credentials used to access the Services, including endpoint protection, timely updates, and reasonable access controls.

8.3 Data Accuracy. Customer is responsible for the accuracy, quality, and legality of Customer Data, including matter dates, deadlines, filings, and communications. Provider is not responsible for errors in Customer Data entered or maintained by Customer or its users.

8.4 Notices and Consents. Customer is responsible for providing any required notices and obtaining any required consents from its clients or other individuals whose data is processed through the Services, including consents related to electronic communications, client portal access, and use of third-party integrations.

9. Acceptable Use

9.1 Prohibited Conduct. Customer will not, and will not permit any user to:

  1. upload, transmit, or store illegal content or content that infringes or misappropriates third-party rights;
  2. upload, transmit, or store malware, ransomware, or other malicious code;
  3. interfere with or disrupt the Services, including through abusive traffic, excessive automated requests, or denial-of-service behavior;
  4. scrape, crawl, or harvest data from the Services except as expressly enabled by the Services’ intended functionality;
  5. perform penetration testing, vulnerability scanning, or security testing without Provider’s prior written authorization;
  6. use the Services for high-risk activities where failure could lead to death, personal injury, or physical property damage, including operation of critical infrastructure or emergency services;
  7. attempt to gain unauthorized access to any systems or accounts, or bypass access controls; or
  8. use the Services in a manner that violates court rules or lawful orders.

9.2 Enforcement. Provider may suspend access to the Services for violations of this Section 9 after providing reasonable notice when practicable.

10. Data Ownership; Access; Processing

10.1 Ownership. As between the parties, Customer owns all right, title, and interest in and to Customer Data. Provider does not acquire ownership of Customer Data.

10.2 Processing Authorization. Customer instructs Provider to host, process, transmit, and display Customer Data solely to provide and support the Services, including for maintenance, backups, troubleshooting, security, and customer support, and as otherwise permitted by this Agreement.

10.3 Support Access. Provider personnel may access Customer Data only as reasonably necessary to provide support, maintain the Services, comply with law, or prevent or address security, fraud, or abuse, and subject to confidentiality obligations.

11. Confidentiality

11.1 Obligations. The receiving party will (a) use the disclosing party’s Confidential Information only to perform under this Agreement, (b) protect it using at least reasonable care (and no less than the receiving party uses for its own similar information), and (c) not disclose it to any third party except to its employees, contractors, and agents who have a need to know and are bound by confidentiality obligations at least as protective as this Agreement.

11.2 Compelled Disclosure. If the receiving party is required by law to disclose Confidential Information, it will (to the extent legally permitted) provide prompt notice to the disclosing party and reasonably cooperate with efforts to seek a protective order or limit disclosure.

11.3 Remedies. Unauthorized disclosure or use of Confidential Information may cause irreparable harm. The disclosing party may seek injunctive relief in addition to other remedies.

12. Privacy; Data Processing Addendum

12.1 DPA. To the extent Provider processes personal data on behalf of Customer, the parties will comply with Provider’s Data Processing Addendum (“DPA”), if provided, which is incorporated by reference. The DPA will address processing instructions, subprocessors, security measures, breach notification, and cross-border transfers (if applicable).

12.2 Subprocessors. Provider may use subprocessors to provide the Services. Provider will remain responsible for subprocessors’ performance of their obligations to the extent required by applicable law and the DPA.

13. Security

13.1 Safeguards. Provider will maintain administrative, physical, and technical safeguards designed to protect Customer Data against unauthorized access, disclosure, alteration, and destruction.

13.2 Encryption. Provider will use encryption in transit (e.g., TLS) for access to the Services and will maintain encryption at rest for Customer Data where supported by Provider’s hosting environment.

13.3 Access Controls; Logging. Provider will maintain access controls for Provider systems and will log administrative access and security-relevant events in a commercially reasonable manner.

13.4 Vulnerability Management. Provider will maintain a vulnerability management process, including applying security patches in a commercially reasonable manner.

13.5 Incident Response. Provider will maintain an incident response process and will notify Customer of a confirmed breach of Customer Data without undue delay and consistent with the DPA (if applicable).

14. Legal Practice Disclaimers

14.1 No Legal Advice. Provider is not a law firm and does not provide legal advice. The Services are provided as a general-purpose case management and productivity tool.

14.2 Customer Responsibility. Customer is solely responsible for (a) compliance with all professional obligations and court rules, (b) supervision of its personnel, (c) all filings, deadlines, calendaring, and legal work product, and (d) verifying the accuracy and appropriateness of outputs generated through the Services.

15. Ai And Automation Features (If Applicable)

15.1 Optional Features. If Provider offers automation or AI-assisted features, Provider will describe the feature and any data usage disclosures in the Services or documentation.

15.2 No Model Training (Default). Provider will not use Customer Data to train generalized models for other customers without Customer’s express opt-in consent.

15.3 Human Review. Customer is responsible for human review of any AI-assisted outputs and will not rely solely on such outputs for legal conclusions, filings, deadlines, or client advice.

16. Integrations And Third-Party Services

16.1 Third-Party Services. The Services may interoperate with third-party services (e.g., email, calendar, payment processors, SMS, e-signature providers). Customer’s use of third-party services is governed by the third party’s terms, and Provider is not responsible for third-party services.

16.2 API Limits. Provider may impose reasonable API or usage limits to protect the Services, and will use commercially reasonable efforts to provide notice of material changes.

17. Support And Maintenance

17.1 Support. Provider will provide support as described in Provider’s then-current support policy or the applicable Order Form.

17.2 Updates and Maintenance. Provider may update the Services from time to time. Provider may perform scheduled maintenance and will use commercially reasonable efforts to provide notice when maintenance may materially impact availability.

18. Availability; Force Majeure

18.1 Availability. Provider will use commercially reasonable efforts to make the Services available, excluding downtime due to (a) scheduled maintenance, (b) force majeure events, (c) Customer’s systems or internet connectivity, or (d) misuse or unauthorized access.

18.2 Force Majeure. Neither party is liable for failure or delay due to events beyond its reasonable control, including natural disasters, acts of government, labor disputes, internet or hosting failures not caused by the party, or denial-of-service attacks.

19. Warranties; Disclaimers

19.1 Limited Warranty. Provider warrants that during the Term the Services will materially conform to Provider’s published documentation under normal use.

19.2 Disclaimer. EXCEPT AS EXPRESSLY PROVIDED, THE SERVICES ARE PROVIDED “AS IS” AND PROVIDER DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. BETA OR PRE-RELEASE FEATURES ARE PROVIDED “AS IS” WITHOUT WARRANTY.

20. Limitation Of Liability

20.1 Liability Cap. EXCEPT FOR EXCLUDED CLAIMS, EACH PARTY’S TOTAL LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT WILL NOT EXCEED THE FEES PAID OR PAYABLE BY CUSTOMER UNDER THE APPLICABLE ORDER FORM IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO LIABILITY.

20.2 Exclusion of Damages. EXCEPT FOR EXCLUDED CLAIMS, NEITHER PARTY WILL BE LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR FOR LOST PROFITS, LOST REVENUE, OR LOSS OF DATA, EVEN IF ADVISED OF THE POSSIBILITY.

20.3 Excluded Claims. “Excluded Claims” means (a) Customer’s breach of Sections 3.6 or 9, (b) a party’s breach of Section 11 (Confidentiality), or (c) amounts payable under Section 21 (Indemnities), in each case subject to applicable law.

21. Indemnities

21.1 Provider IP Indemnity. Provider will defend Customer from and against any third-party claim alleging that the Services infringe a U.S. patent, copyright, or trademark, and will pay damages awarded or settlement amounts approved by Provider, provided Customer promptly notifies Provider, cooperates, and allows Provider sole control of the defense. Provider may modify the Services, procure a license, or terminate the affected Services with a pro-rata refund of prepaid Fees for the unused portion of the term as Customer’s exclusive remedy for such claims.

21.2 Customer Indemnity. Customer will defend Provider from and against any third-party claim arising out of (a) Customer Data, (b) Customer’s or its users’ use of the Services in violation of this Agreement or law, or (c) Customer’s breach of professional obligations, and will pay damages awarded or settlement amounts approved by Customer, provided Provider promptly notifies Customer, cooperates, and allows Customer control of the defense.

22. Compliance

22.1 Privacy Laws. Each party will comply with applicable privacy and data protection laws. Customer is responsible for determining its role (e.g., controller) and for providing required notices and obtaining consents.

22.2 Subpoenas and Legal Process. Provider will respond to valid legal process as required by law. To the extent legally permitted, Provider will provide Customer notice of requests for Customer Data and reasonably cooperate with Customer’s efforts to seek protective treatment.

23. Intellectual Property; Feedback

23.1 Provider IP. Provider retains all rights in the Services and documentation.

23.2 Feedback. If Customer provides suggestions or feedback, Customer grants Provider a non-exclusive, worldwide, royalty-free license to use and incorporate the feedback into the Services without restriction or obligation.

24. Publicity

24.1 Customer Name and Logo. Provider may identify Customer as a customer of Provider (including use of Customer’s name and logo) only with Customer’s prior written consent, which may be granted or withheld in Customer’s sole discretion.

25. Assignment

25.1 Assignment. Customer may not assign or transfer this Agreement without Provider’s prior written consent, except to an affiliate or in connection with a merger or sale of substantially all assets, provided the assignee agrees in writing to be bound by this Agreement. Provider may assign this Agreement without Customer’s consent in connection with a merger, acquisition, corporate reorganization, or sale of substantially all assets.

26. Governing Law; Venue; Disputes

26.1 Governing Law. This Agreement is governed by the laws of the State of Michigan, excluding its conflict-of-laws rules.

26.2 Venue. The state and federal courts located in Bay County, Michigan will have exclusive jurisdiction, and each party consents to such jurisdiction and venue.

26.3 Injunctive Relief. Either party may seek injunctive relief for unauthorized use of the Services or breach of confidentiality without posting bond.

27. Order Of Precedence (Confirmation)

27.1 Precedence. The parties agree to the order of precedence in Section 2.2. If a DPA is executed, it will control solely with respect to privacy and data processing matters to the extent of any conflict.

28. Notices

28.1 Notices. Notices under this Agreement must be in writing and will be deemed given: (a) when delivered by hand; (b) one business day after being sent by nationally recognized overnight courier; or (c) when sent by email to the notice email address specified in the Order Form, provided that notices of breach, termination, indemnity claims, or legal process must also be sent by overnight courier to the physical address specified in the Order Form.

28.2 Notice Addresses. Each party’s notice addresses (email and physical) will be set forth in the applicable Order Form. Provider’s default notice email is thistleltd@protonmail.com, unless otherwise stated in an Order Form.