Compliance

TheTerms is released under the GNU Affero General Public License v3.0 (AGPL-3.0). Key implications:

  • You may use, modify, and distribute TheTerms freely
  • If you run a modified version as a network service, you must make your modifications available under AGPL-3.0
  • The full license is available at github.com/ashwineaso/theterms/blob/main/LICENSE

Every signing event is recorded with an immutable audit trail:

| Field | What is recorded |
|---|---|
| Timestamp | UTC time of the signing submission |
| IP address | The signer’s IP address at the time of signing |
| User agent | The browser/client user agent string |
| Signer decisions | Per-clause accept/reject for each clause |
| Document version | The exact version that was signed |

The audit trail cannot be modified after creation.

  • User accounts: email address, hashed password (bcrypt), display name
  • Organisation data: containers, documents, clauses (your content)
  • Signing records: signer email, IP address, user agent, timestamp, clause decisions
  • Team data: members, roles, invitation records

Self-hosted deployments store all data on your own infrastructure. No data leaves your server. This makes TheTerms suitable for organisations with strict data residency requirements.

Cloud-hosted deployments (app.theterms.app) store data in the hosting provider’s infrastructure.

For organisations processing EU personal data:

Right of access: User account data is available to the user in their profile settings.

Right to erasure: Users can delete their account from account settings. Organisation administrators can remove member accounts. When an account is deleted, its signing records are retained as an anonymised record for audit integrity.

Data portability: Signing records and audit trails are accessible through the application interface.

Self-hosting for control: Running TheTerms on your own infrastructure gives you full control over data storage, processing, and retention policies.