Legal Framework
Legal Architecture
How our legal documents interlock to minimize ambiguity and align with operational reality.
Overview
Manna Corp's legal framework is designed to minimize ambiguity and align with the operational reality of locally deployed software.
Three documents govern the relationship between Manna Corp and those who use the V2 Engine:
- Master Services Agreement (MSA): Commercial relationship, warranties, liability
- Terms of Service: Use of the V2 Engine and website
- Privacy Policy: Data handling and telemetry
Document Hierarchy
In the event of conflict:
- Licensed customers: The Master Services Agreement governs
- Trial or evaluation users: The Terms of Service govern
- Website visitors: The Terms of Service and Privacy Policy govern
All three documents are designed to be consistent. Where they reference the same topic, they reinforce rather than contradict each other.
Key Principles
1. No Operational Data by Default
The V2 Engine does not transmit data to Manna Corp unless you explicitly enable telemetry. This is consistent across all documents.
Where stated:
- • MSA § 5.2 (Data Usage and Privacy)
- • Terms § 7 (No Operational Telemetry)
- • Privacy Policy (Data Collection)
2. Opt-In Telemetry (When Enabled)
If you enable telemetry, the engine may transmit aggregated, anonymized usage metrics. This is defined in the Privacy Policy.
What this means:
- • No PHI, clinical data, or execution results
- • Aggregated across all licensees (cannot be attributed to your organization)
- • Anonymized (stripped of identifiers)
How to control it:
- • Default: Off
- • Enable: Set
TELEMETRY_ENABLED=truein deployment config - • Disable: Set
TELEMETRY_ENABLED=false - • Audit: Review telemetry settings with
./v2-engine config telemetry --show
See Privacy Policy § Telemetry for full details.
3. Audit Trail Is Yours
Audit artifacts generated by the engine are stored in your environment. Manna Corp does not have access unless you explicitly grant it (e.g., for support purposes).
Where stated:
- • MSA § 4 (Licensee Responsibilities)
- • Terms § 5 (Locally Deployed Software)
- • Audit Boundary Specification
4. No Accounts, No Portal
There is no hosted portal, no central authentication, and no Manna Corp-hosted storage of your data.
The licensing mechanism is cryptographic (offline license key verification), not account-based.
Where stated:
- • Terms § 3 (License Activation)
- • Trust Center § Data Flow
Data Flow Summary
This table clarifies what data moves where, and under what conditions:
| Data Type | Default Behavior | Opt-In Behavior |
|---|---|---|
| PHI / Clinical Data | Never leaves your environment | Never leaves your environment |
| Execution Results | Never sent to Manna Corp | Never sent to Manna Corp |
| Audit Artifacts | Stored locally only | Stored locally only |
| Usage Metrics | Not collected | Aggregated, anonymized metrics only |
For a visual representation, see the Trust Center § Data Flow diagram.
What "Aggregated, Anonymized" Means
The MSA and Privacy Policy reference "aggregated, anonymized data" as an opt-in possibility. This section clarifies what that means in technical terms.
Aggregated
Data is combined with data from other licensees and cannot be attributed to a specific organization.
Example: "1,247 executions occurred across all deployments in Q1 2026."
Anonymized
All identifiers (organization name, deployment ID, IP addresses, user names) are stripped before transmission.
Example: A metric might include engine version, rule set version, and execution count, but not the organization that generated it.
What We Never Collect (Even with Opt-In)
- PHI or patient-identifiable information
- Clinical data or inputs
- Execution results or outputs
- Organization names or identifiers
- User credentials or API keys
- Network topology or IP addresses
Licensing & Release Access Gating
V2 Engine binaries are distributed exclusively to authorized licensees. Release artifacts are never publicly available. License status controls access to the private GitHub Release repository.
Release Access Model
- Active License Required: Only organizations with active, valid licenses obtain GitHub Release repository access
- License Key Activation: The activation command (v2-engine activate --license-key) validates the license offline using cryptographic verification
- Traceability: Every deployment can be traced to a specific license holder, enabling accountability
- Revocation & Expiry: Expired or revoked licenses lose access to new releases; already-deployed instances continue to operate
Stripe Payment & License Issuance
License keys are issued upon successful Stripe payment. Payment processing is handled by Stripe directly; Manna Corp does not store credit card data.
Where addressed:
- • MSA § 3 (Licensing and Payment Terms)
- • Download page § Authorization Flow
Business Associate Agreements
Because the V2 Engine runs in your environment and Manna Corp does not access PHI by default, a Business Associate Agreement (BAA) may not be required in most deployment scenarios.
However, if your organization's legal counsel determines that a BAA is necessary (e.g., due to support access to environments containing PHI), Manna Corp will execute one.
Where addressed:
- • MSA § 6 (Compliance and Regulatory Matters)
- • Contact legal@mannacorp.com for BAA execution
Dispute Resolution & Governing Law
Both the MSA and Terms specify governing law and dispute resolution mechanisms.
Governing Law
All agreements are governed by the laws of [State to be specified in MSA], without regard to conflict of law principles.
Dispute Resolution
Disputes are resolved through binding arbitration as specified in the MSA.
Questions?
If you have questions about how these documents interact, or need clarification on data handling, telemetry, or compliance obligations, contact: