Free Risk Evaluation

Your software
is leaking your business.

Right now, while you read this.

Your CRM is selling behavioral data to the highest bidder. Your AI vendor is training the next model on every confidential conversation you put in the prompt box. Your "cloud" is someone else's computer, with someone else's lawyers, under someone else's subpoena. Your customer list, your pricing, your strategy, your patient files, your client matters, your donor history, every one of them lives somewhere you cannot audit, on terms you did not write, with no way out that does not cost you everything you built.

You signed up for a tool. You got a tenant relationship. Your data is the rent. The eviction clause is in section 14, sub-paragraph C, and it says they get to keep the data even after you leave.

And the open source software you depend on? Half of it is maintained by one exhausted person in a country you cannot find on a map, who pushed a commit last Thursday that nobody read. The supply chain attacks that took down Fortune 500 companies last quarter started exactly there. You are downstream of decisions you never knew were being made.

This is the cost of not knowing. You will not see the bill until it arrives as a ransomware demand, a regulator subpoena, a class action, a vendor that doubled their price overnight, or an AI hallucination that leaked into a client deliverable and ended a relationship. By then, the evaluation you should have run this week is a forensic investigation that costs sixty thousand dollars and a year of your life.

Justified, named, sourced.

Everything above is fear. Fear is sometimes manipulation. Sometimes it is the honest sound of a fire alarm. Here is the fire.

Threat 1: 20 state privacy laws now in force, with the floor rising.

California's CPRA, Maryland's MODPA, and 18 others now create overlapping compliance surfaces. MODPA in particular is stricter than California on sensitive data, minors, and data minimization. Small and mid-sized businesses default to the strictest common denominator or take per-state legal exposure. Penalties run into the millions, with private rights of action in several states.

Sources: IAPP US State Privacy Tracker 2026; Maryland Online Data Privacy Act, effective October 2025; CPRA enforcement actions Q4 2025 to Q1 2026.

Threat 2: AI vendor training-on-your-data clauses are the default.

OpenAI, Anthropic, and Google's enterprise terms each contain provisions for using customer prompts and outputs to improve their systems unless you opt out, and the opt-out is often only available on annual contracts above a price floor most small businesses cannot reach.

For attorneys, this collides with ABA Model Rule 1.6 on client confidentiality and with ABA Formal Opinion 512's specific guidance on generative AI; the vertical-specific assessment for solo and small-firm attorneys sizes that surface to the actual vendor stack a firm operates today.

For behavioral health, it collides with HIPAA, with 42 CFR Part 2 for SUD-touching services, and with the clinical confidentiality ethics every behavioral health profession names as a foundational obligation; the vertical-specific assessment for behavioral health practices and clinics sizes that surface to the actual vendor stack a practice operates today.

For nonprofits and religious institutions, it collides with the fiduciary duty of care owed to donors, beneficiaries, and the people in your records, a duty that state attorneys general enforce on tax-exempt organizations and that every tradition names in its own language. The duty is the same across the board: the people in your database came to you because they trusted you, not your vendor. The vertical-specific assessment for religious institutions and diaspora community organizations sizes that surface to the actual vendor stack and tradition-specific stewardship obligation an institution carries today.

For nonprofits and tax-exempt organizations more broadly — public charities, private foundations, fraternal 501s, veterans organizations, social welfare and advocacy organizations, and the multi-entity 501c clusters that operate as the underlying organizational reality of most of them — the vertical-specific assessment for nonprofits and tax-exempt organizations sizes that surface to the cluster's actual vendor stack and the stewardship-of-public-trust-across-the-cluster duty the IRS, state attorneys general, and donors each hold the cluster to.

How the duty is named in each tradition
  • Catholic apostolates: the dignity owed to every person in your database.
  • Jewish federations and chevras: shmirat ha-lashon and the dignity of every person made b'tzelem Elohim.
  • Muslim awqaf, zakat foundations, and Islamic relief organizations: amanah, the trust owed to those whose data is in your custody.
  • Eastern Orthodox jurisdictions and parish networks: the duty of stewardship owed to the faithful.
  • Protestant missionary societies and evangelical networks: the duty of care owed to congregants and the people they serve.
  • Dharmic temple and seva institutions: the principle of selfless service rendered without harm.
  • Chinese benevolent associations and diaspora mutual-aid societies; Latino faith and mutual-aid networks: the duty of trust that holds those communities together.

Sources: OpenAI Enterprise Terms 2026; Anthropic Acceptable Use Policy 2026; ABA Formal Opinion 512 on Generative AI tools, July 2024.

Threat 3: Supply chain attacks targeting open source maintainers are accelerating.

The xz-utils backdoor of 2024 was a years-long social engineering campaign against a single volunteer maintainer. It nearly compromised half the Linux servers on the internet. Since then, similar attacks have hit npm packages, Python libraries, and Docker base images. If your business runs on commodity software, you are downstream of every maintainer who carries that load alone.

Sources: CVE-2024-3094 disclosure; CISA Open Source Software Security Roadmap; OpenSSF supply chain attack registry 2025 to 2026.

Threat 4: SaaS vendor lock-in is structural extraction, not a side effect.

Most modern SaaS contracts designate behavioral and usage data as the platform's property, distinct from your customer data. Migration costs are intentionally engineered to exceed the cost of staying. When you sign a five-year deal at a low introductory rate, you are not buying software. You are renting the right to access data you generated, on terms that change without your consent. The credit union core-processing market is the sharpest version of this pattern in financial services: see the vertical-specific assessment for credit unions for the threat surface sized to that vendor stack.

Sources: PartnerStack SaaS Agreement clauses on "Usage Data"; Gartner SaaS Spend Management research 2025; vendor lock-in case studies in Sterling Solutions' anti-lock-in doctrine (success.build/ethos).

Two free evaluations. One conversation. Same instrument, two lenses.

Most small and mid-sized businesses sit at the intersection of these threats without knowing it. You may feel the exposure from one angle and not the other. That is normal. The two angles are complementary, and the answers compound.

Lens 1: Software Exposure Evaluation

What proprietary software do you run, and what does it cost you in sovereignty? Which vendors hold the keys to your customer list, your financial data, your client confidentiality, your patient records? Which contracts contain training-on-your-data clauses, automatic price escalators, arbitration carve-outs, or termination clauses that delete your data when you leave? What is your blast radius if any one of them goes hostile, bankrupt, or breached?

Output: a vendor inventory scored across seven dimensions, with concrete remediation paths for the highest-risk exposures.

Lens 2: Open Source Posture Evaluation

What open source software does your business depend on, directly and transitively? Which packages have a single maintainer, an unfunded sustainability problem, or known supply chain attack patterns? Where is your business one bad commit away from a real bad day? And conversely: what open source alternatives could replace your highest-risk proprietary dependencies, on infrastructure you actually control?

Output: a dependency posture report with prioritized hardening recommendations and named open source alternatives for the vendor relationships costing you most in sovereignty.

You do not have to pick one. They are the same conversation, viewed from two angles, covered in one ~2-hour cycle from first call to delivered document.

The 2-hour cycle, at a glance.

Most prospects want the simple version up front: about two hours of your time, spread across two scheduled video calls and a small amount of homework in between, and you walk out with a written evaluation document. No money changes hands. The whole cycle usually runs its course inside a week.

The detail below tells you exactly how each step works and what is expected of you and of me. Skim it or read it; either way, the cycle starts with the same button at the bottom of this page.

How this actually works.

Three steps. The shape is fair to both of us: shared time at the start, shared work in the middle, and you choose how long the working session runs at the end.

  • Step 1: 30-minute discovery call. You book a slot, we both get on video. I learn enough about your business to make the evaluation useful. You learn enough about how I work to decide if you want to spend the next two steps with me. We agree on the homework. If we are not the right fit, we both find out in 30 minutes and nobody wastes anybody's time.
  • Step 2: Homework. Between sessions, you do the gathering. Vendor inventory. Contract excerpts. Dependency manifest if you have one. Whatever we agreed on in step 1. This is work, and the evaluation is only as good as what you bring to step 3. People who skip the homework should not bother with step 3.
  • Step 3: Up to 60 minutes of working evaluation. You decide the length. We can do 30 minutes if your scope is narrow. We can do 60 if it is broad. Anything beyond 60 becomes a paid engagement, not a free evaluation, and that is a separate conversation. The evaluation session produces the written document.

The honest budget: 90 minutes of your time on calls with me, plus whatever the homework takes (usually 1 to 3 hours, depending on how organized your records already are). My side is the same 90 minutes, plus document drafting time after.

You can book step 1 within the hour. The whole arc is usually done within a week.

What the evaluation delivers.

  • A written evaluation document. Honest about what is working, what is exposed, what changes the risk profile most for the lowest cost.
  • No sales pitch in the document. If we work together afterward, the remediation engagement is its own conversation, its own scope, its own price.
  • Zero dollars. No catch. No setup fee. No "free trial that auto-renews." This is a free evaluation because the people who need it most cannot tell yet that they need it.
  • You own the document. Share it, file it, ignore it. Whether or not we work together afterward, the document is yours.

The cost of running this is the time noted above. The cost of not running it is whatever the next incident takes from you, and there is always a next incident.

Start now. 30 minutes.

The button below goes to my calendar. Pick a 30-minute slot for the discovery call. We agree on the homework on that call. The evaluation session and the written document follow from there.

The calendar is real. The 30 minutes are real. The homework is real. The evaluation session is real. The document at the end is real. If we never work together after, you still own the document. If we do, you already know what you are buying and why.

Book the 30-minute discovery call →

Or email [email protected] if calendar booking is not for you.

Who this is for.

Small and mid-sized businesses, professional practices, and mission-driven institutions that take their fiduciary, legal, or moral duty to the people in their database seriously.

  • Behavioral health practices and clinics stacking HIPAA, 42 CFR Part 2 for SUD-touching services, AI-vendor BAA gaps, and the clinical confidentiality ethics every behavioral health profession names as a foundational obligation. Click here for the assessment shaped for behavioral health practices and clinics.
  • Solo and small-firm attorneys protecting client confidentiality, work product, and the privileged channel that the whole practice rests on. Click here for the assessment shaped for solo and small-firm attorneys.
  • Home care agencies stacking HIPAA (when it applies), state DOH licensing for LHCSAs and equivalents, CMS Conditions of Participation for Medicare-certified HHAs, DOL wage-and-hour exposure through the 2013 Home Care Rule and the NY 13-hour live-in case law, and AI vendor BAA gaps as the clinical documentation platforms quietly activated AI features on PHI. Click here for the assessment shaped for home care agencies (Medicare-certified HHAs, LHCSAs, CDPAP fiscal intermediaries, and private-duty agencies, each with its own page).
  • Family-owned firms in the trades with customer lists worth more than the trucks, where dispatch-platform terms of service quietly license the performance data and the AI features just turned on. Click here for the assessment shaped for family-owned firms in the trades (electrical, plumbing and HVAC, lawncare and landscaping, each with its own page).
  • Religious institutions and diaspora community organizations holding membership rolls, donor records, beneficiary lists, and pastoral or relational records under a fiduciary and moral duty of care. Under US law, these records are governed by the same statutes that govern any nonprofit or small business: state data-breach notification laws, state privacy statutes where applicable, IRS recordkeeping rules for tax-exempt organizations, and any sector-specific overlay (HIPAA for clinical, FERPA for schools, donor-confidentiality expectations enforced by state attorneys general). The exposure shape is the same as any other small organization: vendor lock-in, training-data leakage, jurisdictional reach, and breach liability. The duty is heavier because the records often span generations and the people in them did not choose to be commercially intermediated. Click here for the assessment shaped for religious institutions and diaspora community organizations (single-congregation institutions, national federations and umbrella organizations, diaspora mutual-aid societies, and faith-based foundations and apostolates, each with its own page).
    Traditions and community structures we work with
    • Catholic apostolates, foundations, and missions with donor and beneficiary data that deserves better than vendor capture.
    • Jewish federations, chevras, day schools, and burial societies stewarding member, donor, and family records under duties older than any privacy statute.
    • Muslim awqaf, zakat foundations, and Islamic relief organizations holding donor and beneficiary data in trust (amanah), often across borders and jurisdictions.
    • Eastern Orthodox jurisdictions and parish networks with sacramental, pastoral, and stewardship records that should never have been someone else's training data.
    • Protestant missionary societies, evangelical networks, and faith-based NGOs with field-worker, congregant, and partner data crossing legal jurisdictions.
    • Dharmic temple and seva institutions (Hindu, Buddhist, Jain, Sikh) stewarding devotee, donor, and service-recipient records.
    • Chinese benevolent associations, family associations, and diaspora mutual-aid societies with membership, remittance, and intergenerational records that carry community memory.
    • Latino faith communities, mutual-aid networks, and immigrant-serving organizations with congregant, beneficiary, and immigration-adjacent data under elevated risk.
  • Nonprofits and tax-exempt organizations broadly — public charities, private foundations, social welfare and advocacy organizations, fraternal organizations, veterans organizations, title-holding companies, and the multi-entity 501c clusters they typically operate as. A 501c3 holds the public-charity mission. A 501c2 holds the building. A 501c4 holds the advocacy capacity the c3 cannot carry. A fraternal 501c8 or 501c10, or a 501c19 for veterans organizations, holds the membership-and-fellowship-and-business operations. The donor sees one mission; the IRS sees multiple entities; the state attorney general reads the whole cluster. Click here for the assessment shaped for nonprofits and tax-exempt organizations (with type pages for 501c3 public charities and private foundations, 501c19 veterans organizations, fraternal 501s, and 501c2 title-holding plus 501c4 social welfare support structures).
  • Mutual carriers and cooperatives whose members trust them with everything. Click here for the assessment shaped for mutual carriers and cooperatives.
  • Credit unions where members own the institution by charter, sitting under FFIEC IT examination and either NCUA alone or NCUA stacked with NYDFS. Click here for the assessment shaped for credit unions.
  • Anyone running a real business on rented software who is tired of finding out what the rent actually costs after the lease auto-renews.

Mission-driven institutions across faiths and diasporas share the same exposure shape. The donor list, the beneficiary roster, the pastoral or relational record, the membership ledger that goes back three generations: these are assets of equal weight to any small business customer file, often with thinner technical coverage and a stronger moral claim. The duty is named differently in each tradition. The exposure is named the same way by every vendor contract.

A note on size.

This page is built for small and mid-sized organizations: the size where one person typically wears the operations, vendor, compliance, and "wait, what is our AI vendor doing with our data" hats simultaneously. The 2-hour cycle is shaped for that reality. The evaluation document is sized for that reality. The pricing of any follow-on work is sized for that reality.

If your organization is bigger than that, with full procurement, legal, and InfoSec teams already in-house, this specific free evaluation is not your fit. We work with larger organizations regularly, but the engagement looks different: longer scopes, contracted work, often around accessibility and privacy conformance programs, AI sovereignty deployments, or fractional-CTO advisory. Different shape, different surface, different conversation.

For that, start here instead:

Each of these pages has its own contact path. Or email [email protected] and tell us what you actually need; we will route you to the right shape.

Tire-kickers looking for a free consultation to extract advice without intent: the evaluation is honest work and we ask the same of you. That is not size-dependent.

Why us.

Sterling Solutions is a small firm. Intentionally. We build infrastructure, AI, and operational software for institutions that exist to serve, not to extract. We do not run on venture capital. We do not have a sales team pretending to be your friend. We do not have an exit horizon. We have published values (success.build/ethos) and an anti-lock-in doctrine, and the architecture of our own platform proves it: every layer is swappable, every export is clean, your data is yours from day one and on the day you leave.

We are also researching member-ownership and cooperative structures for our own firm. The goal is that as Sterling grows, the people we serve benefit alongside us, rather than the opposite (which is what every venture-backed SaaS model produces by structural necessity). A formal recommendation publishes later this year. If you run a member-owned cooperative, the question of whether your vendors are structurally aligned with you is the question. We take it seriously enough to ask it of ourselves. (See also the vertical-specific assessments shaped for mutual carriers and cooperatives and for credit unions.)

The same standard applies to professional practice. In behavioral health the asset is the therapeutic alliance, and the alliance is built on confidentiality. The vendor stack a practice operates should reflect the same standard the clinician holds themselves to in the room with a patient. (See also the vertical-specific assessment shaped for behavioral health practices and clinics.)

The same shape repeats in the practice of law. The privilege belongs to the client; the lawyer holds it in trust. Model Rule 1.6 names the obligation, and ABA Formal Opinion 512 already drew the line for generative AI use. The vendor stack a firm operates should reflect that hierarchy, not invert it. (See also the vertical-specific assessment shaped for solo and small-firm attorneys.)

The shape changes in the trades, and the change is worth naming. The duty in a fraternal or cooperative or professional context is to the member, the patient, or the client. In a family-owned trades business the asset is the customer list itself, built by the owner's hands over a generation or two, and the question is one of ownership rather than duty. The crews build the work, the trucks carry the work, and the license authorizes the work, but the customer list and the service-call history are what the shop is worth at the moment of sale, succession, or rebuild. The dispatch platform's terms of service decide who actually owns the performance data underneath that customer list. The same anti-lock-in question applies, with the moral weight sitting on ownership and equity rather than on fiduciary or confidential duty. (See also the vertical-specific hub and type pages shaped for family-owned firms in the trades: electrical, plumbing and HVAC, and lawncare and landscaping each have their own page.)

The shape changes again in home care, and the change is the most intimate of all. Home care is the closest physical distance the healthcare system reaches. The aide is in the bathroom. The nurse is in the bedroom. The personal assistant is at the kitchen table. The caregiver-family-patient triad is built on trust at a distance no other healthcare setting matches, and the records produced inside that distance are unusually personal. The vendor stack a home care agency operates should reflect that intimacy, not extract from it. For Medicare-certified HHAs the obligation runs through CMS Conditions of Participation, OASIS integrity, and OCR HIPAA enforcement; for NY LHCSAs through state DOH oversight and the HHAeXchange concentration that the regulator created and the agency cannot meaningfully escape; for CDPAP fiscal intermediaries through the post-2025 PPL transition landscape; for private-duty agencies through state privacy law and consumer-protection enforcement. The moral frame is the same across all four: trust at the most intimate distance. (See also the vertical-specific hub and type pages shaped for home care agencies: Medicare-certified HHAs, NY LHCSAs and state-DOH-licensed equivalents, NY CDPAP fiscal intermediaries, and private-duty home care agencies each have their own page.)

The shape changes again in religious institutions and diaspora community organizations, and the change is the most multi-generational of all. Every tradition names the obligation in different vocabulary — dignity, shmirat ha-lashon, amanah, stewardship, duty of care, selfless service, duty of trust — but the duty itself is the same: the people in your records came to you because they trusted you, not your vendor. The records often span generations the people in them never consented to commercial intermediation of: a baptism in 1962, a chevra burial society's roll going back four generations, a Chinese benevolent association's family ledger of remittances since 1948, an awqaf donor register reaching across borders, a federation member roll that includes people who gave their first dollar in 1979 and whose grandchildren now receive scholarships from the same fund. State Attorney General enforcement on tax-exempt organizations is active, and donor data is squarely in scope. Church Management Systems and federation operational platforms have activated AI features without denominational review. Sterling does not speak for any tradition; we hold the technical layer; the tradition holds its own ethical layer. The same anti-lock-in doctrine that protects member sovereignty for mutual carriers, client confidentiality for attorneys, therapeutic alliance for behavioral health practices, customer-list equity for trades firms, and patient-family-caregiver trust for home care agencies protects multi-generational records here, in a context where the moral weight is older than every privacy statute on the books. (See also the vertical-specific hub and type pages shaped for religious institutions and diaspora community organizations: single-congregation institutions, national federations and umbrella organizations, diaspora mutual-aid societies, and faith-based foundations and apostolates each have their own page.)

The shape changes again in nonprofits and tax-exempt organizations broadly, and the change is structural rather than sector-specific. A public charity does not exist alone. A 501c3 operates alongside a 501c2 that holds the building, a 501c4 that holds the advocacy capacity the c3 cannot carry, a fraternal 501c8 or 501c10 that holds the membership-and-fellowship business, a 501c19 that holds the veterans-service operations — and so on. The donor gave to the mission. The beneficiary received the mission. The member carries the fellowship. The public exempts the cluster from taxation. The vendor stack the cluster operates should reflect that stewardship across all the entities, not extract from it. State attorneys general read the whole cluster; the IRS examines the whole cluster; the donor sees one organization even when the law sees five. The same anti-lock-in doctrine that protects member sovereignty for the mutual carriers we work with and protects client confidentiality for the attorneys we work with protects cluster-wide stewardship here, across whatever combination of 501c entities a given mission runs on. (See also the vertical-specific hub and type pages shaped for nonprofits and tax-exempt organizations broadly, with type pages for 501c3 public charities and private foundations, 501c19 veterans organizations, fraternal 501s (501c8 and 501c10), and 501c2 title-holding and 501c4 social welfare support structures. For faith-based clusters where the heaviest framing is tradition-specific, see also religious institutions and diaspora community organizations.)

We do this evaluation for free because the people who need it most cannot afford the cost of a wrong vendor decision. Helping you see what is exposed now is the work we are here to do. Forensics on an incident we could have helped you prevent is work nobody should have to pay for twice.

One question worth answering.

Thirty minutes from now you will either be on a discovery call with me or you will still be doing whatever it is you are doing today. Eighteen months from now, the data exposure you decided not to evaluate will either have hit you or will not have. The asymmetry between those two outcomes is enormous and it is not in your favor.

Book the 30-minute discovery call →

success.build/risk · [email protected] · ~2-hour cycle from first call to delivered document