Terms and Conditions of Service
Version: 1.3
Governing Law: Laws of the Netherlands
Parties and Agreement to Terms
1.1 The Parties
These Terms and Conditions ("Terms", "Agreement") constitute a legally binding agreement between:
- "Company", "We", "Us", "Our": DefZero, the provider of the SecRaptor platform, registered in the Netherlands with Chamber of Commerce (KVK) number 93371896.
- "Customer", "You", "Your": A legal entity, or a natural person acting in the course of business (including a sole trader/freelancer), that registers for, accesses, or uses the Service.
1.2 The Service
1.3 Agreement to Terms
B2B-Only: The Service is offered only to business/professional customers. The Company does not offer the Service for consumer use. By using the Service, you represent and warrant that you are acting in the course of business (trade, craft, or profession) and not as a consumer within the meaning of applicable Dutch and European consumer law.
By:
- Creating an account on the Platform;
- Clicking "I Agree", "Accept", or similar buttons during registration;
- Accessing or using any part of the Service; or
- Executing an Order Form that references these Terms,
You acknowledge that you have read, understood, and agree to be bound by these Terms and our Privacy Policy (incorporated by reference). If you do not agree with these Terms, you must not access or use the Service.
1.4 Authority to Enter Agreement
You represent and warrant that:
- If entering into this Agreement on behalf of an organization, you have the legal authority to bind that organization to these Terms;
- You are at least 18 years of age (or the age of majority in your jurisdiction) and have the legal capacity to enter into binding contracts;
- You are not prohibited from using the Service under any applicable laws or regulations;
- All information provided during registration is accurate, complete, and current.
1.5 Order Forms and Amendments
These Terms apply to all subscriptions, whether purchased through:
- Self-service registration on our website;
- Execution of a separate Order Form or Statement of Work (SOW); or
- Any other purchasing mechanism.
In the event of a conflict between these Terms and an Order Form, the Order Form shall prevail solely with respect to the specific matters addressed in the Order Form (e.g., pricing, subscription tier, payment terms).
1.6 Sample Report Requests
We may offer a downloadable sample report through our public website. To receive that sample report, you must provide a business email address and company name and affirmatively confirm that you have read and accepted these Terms and the Privacy Policy.
By requesting the sample report through that form, you authorize us to send the sample report to the email address provided and to contact you afterwards about that request, the sample report, and related SecRaptor services. You are responsible for ensuring that the contact details you provide are accurate and that you are authorized to submit them in a business context.
If you do not agree to those conditions, do not submit the sample-report form.
Definitions
In addition to terms defined elsewhere in this Agreement, the following capitalized terms have the meanings set forth below:
| Term | Definition |
|---|---|
| Authorized User | An individual authorized by Customer to access and use the Service under Customer's account, including employees, contractors, or agents. |
| Customer Data | All data, information, content, and materials submitted, uploaded, or generated by Customer through use of the Service, including scan configurations, targets, credentials, and results. |
| Confidential Information | Non-public information disclosed by one party to the other, marked as confidential or reasonably understood to be confidential. |
| Documentation | Official user guides, API documentation, and technical specifications provided by DefZero for the Service. |
| Force Majeure Event | An event beyond a party's reasonable control, including acts of God, war, terrorism, pandemic, government actions, natural disasters, or infrastructure failures. |
| High-Risk Features | Optional scan settings, payload modes, or testing configurations that carry a material risk of adverse effects on Target systems, including full penetration testing mode, dangerous payload mode (including XML entity expansion, billion laughs attacks, and other resource-exhaustion payloads), and any feature labelled dangerous, intrusive, or high-risk within the Platform UI. A current list of features classified as High-Risk is displayed within the Platform at the point of enablement. |
| Intellectual Property | All patents, copyrights, trademarks, trade secrets, know-how, and other intellectual property rights. |
| Order Form | A purchase order, statement of work, or other ordering document executed by both parties referencing these Terms. |
| Non-Production Environment | An acceptance, staging, test, development, QA, sandbox, lab, or other environment that is not used to provide live services to customers, employees, partners, or the public. |
| OSINT | Open-Source Intelligence - information collected from publicly available sources. |
| Personal Data | As defined in the GDPR (Regulation (EU) 2016/679), the Dutch Implementation Act on the GDPR (UAVG), and other applicable data protection legislation. |
| Production Environment | A live environment, internet-facing service, customer-facing system, operational business system, shared infrastructure, or other Target where downtime, degraded performance, rate limiting, account lockout, data corruption, or unintended side effects may affect real users, business operations, contractual commitments, or third parties. |
| Safe Payloads | Payloads, probes, checks, or scan behaviours that the Company designs to reduce the likelihood of destructive or disruptive effects compared with dangerous, intrusive, or resource-exhaustion payloads. "Safe" does not mean risk-free, non-intrusive, suitable for all Production Environments, or guaranteed not to affect a Target. |
| Subscription Plan | The specific service tier, features, usage limits, and pricing selected by Customer (e.g., Standard, Pro, Enterprise). |
| Subscription Term | The period for which Customer has subscribed to the Service, as specified in the Order Form or selected during registration. |
| Target | A URL, domain, IP address, network, application, or system designated by Customer for security scanning. |
| Tenant | An isolated organizational workspace within the Platform assigned to Customer, with dedicated data storage and access controls. |
Grant of License and Service Access
3.1 License Grant
Subject to Customer's compliance with these Terms and timely payment of applicable Fees, the Company grants Customer a limited, non-exclusive, non-transferable, non-sublicensable, revocable license during the Subscription Term to:
- Access and use the Service solely for Customer's internal business security assessment purposes;
- Permit Authorized Users to access and use the Service in accordance with these Terms and the applicable Subscription Plan limits;
- Access and use Documentation provided by the Company in connection with the Service.
3.2 License Restrictions
Customer shall not, and shall not permit any third party to:
- Sublicense, resell, rent, lease, loan, or otherwise provide access to the Service to any third party (except Authorized Users);
- Use the Service to provide service bureau, time-sharing, or managed security services to third parties;
- Reverse engineer, decompile, disassemble, or attempt to derive source code from the Service;
- Modify, translate, adapt, or create derivative works based on the Service;
- Copy, reproduce, or duplicate the Service except as expressly permitted;
- Remove, obscure, or alter any proprietary notices, labels, or marks on the Service;
- Benchmark, test the security of, or otherwise attempt to compromise the Service without prior written authorization from the Company;
- Use automated systems (bots, scripts) to extract data or content from the Service for external purposes;
- Interfere with or disrupt the integrity or performance of the Service or any third-party data contained therein;
- Attempt to gain unauthorized access to the Service, related systems, or networks.
3.3 Subscription Plans and Limitations
Customer's use of the Service is subject to the limitations of the selected Subscription Plan, including:
- Number of scans per month/year;
- Number of Targets;
- Number of Authorized Users;
- Data retention periods;
- Feature availability (e.g., API access, advanced scanning modes, compliance reports);
- Support level (response time SLAs).
The Company may enforce these limitations through technical means. Exceeding plan limits may result in additional charges, service degradation, or suspension.
3.4 Account Credentials and Security
Customer is responsible for:
- Maintaining the confidentiality of all account credentials, API keys, and access tokens;
- All activities that occur under Customer's account or through Authorized Users;
- Immediately notifying the Company of any unauthorized use or security breach;
- Implementing reasonable security measures, including strong passwords and multi-factor authentication.
Customer acknowledges that the Company will not be liable for losses arising from unauthorized use of Customer's account credentials.
Customer Obligations and Responsibilities
4.1 Target Authorization
Customer shall:
- Maintain documented evidence of authorization for all Targets;
- Provide such evidence to the Company immediately upon request;
- Ensure Targets are within Customer's legal and operational control;
- Not scan third-party systems without explicit, documented permission from the system owner;
- Notify Target owners of scanning activities where required by law or contractual obligation.
4.2 Compliance with Laws and Regulations
Customer shall use the Service in compliance with all applicable laws, regulations, and industry standards, including but not limited to:
- Applicable anti-hacking/unauthorized access laws, including the Netherlands Penal Code (Wetboek van Strafrecht), particularly Article 138ab (computer intrusion), and similar laws in other jurisdictions;
- The GDPR, UAVG, and other applicable data protection laws;
- NIS2 Directive (Directive (EU) 2022/2555) and applicable national implementing legislation;
- Industry-specific regulations (PCI DSS, HIPAA, SOX, etc.) where applicable;
- Export control and sanctions laws (EU, Dutch, U.S., and other jurisdictions);
- Anti-money laundering (AML) and counter-terrorism financing (CTF) regulations;
- Applicable fraud, anti-money laundering, and proceeds-of-crime laws where relevant.
4.3 Authorized Users Management
Customer shall:
- Ensure that all Authorized Users comply with these Terms;
- Implement appropriate user access controls and role-based permissions;
- Promptly revoke access for Authorized Users who are no longer authorized;
- Monitor Authorized User activities for compliance with these Terms;
- Not share account credentials among multiple individuals.
4.4 Data Accuracy and Responsibility
Customer is solely responsible for:
- The accuracy, quality, legality, and integrity of Customer Data;
- The means by which Customer acquires and provides Customer Data to DefZero;
- Ensuring Customer Data does not violate any third-party rights or applicable laws;
- Maintaining backup copies of Customer Data (DefZero backups are for disaster recovery, not customer convenience).
4.5 High-Risk Features; Assumption of Risk
The Service may offer optional scan settings and payloads intended for advanced security testing (for example, full penetration testing mode and/or settings described as dangerous, intrusive, or similar) (collectively, "High-Risk Features"). High-Risk Features may cause adverse effects, including service disruption, performance degradation, crashes, data corruption/loss, account lockouts, rate limiting, or other negative impact to Targets.
4.5.1 Explicit Authorization Requirement. Before enabling any High-Risk Feature, Customer must, through the Platform, provide a logged acknowledgment confirming that: (a) Customer holds explicit written authorization from the Target owner to conduct disruptive or intrusive testing; (b) Customer has assessed the suitability of the Target for High-Risk testing, including whether it is shared, production, or otherwise sensitive infrastructure; and (c) Customer accepts sole responsibility for any adverse consequences arising from enablement.
4.5.2 Logged Consent. Each enablement of a High-Risk Feature is recorded in the Platform's audit log with the Authorized User identity, tenant identifier, target scope, timestamp, and related confirmation data. This record constitutes contemporaneous evidence of Customer's informed consent for the purposes of this Section.
4.5.3 Assumption of Risk. Customer acknowledges and agrees that enabling or using High-Risk Features is at Customer's sole risk. Customer is responsible for ensuring Target suitability and operational readiness, including maintenance windows, monitoring, backups, rollback plans, and all required internal and third-party approvals.
4.5.4 Limitation. To the maximum extent permitted by applicable law, the Company shall have no responsibility or liability for downtime, outages, instability, data loss or corruption, or other damage arising from Customer's decision to enable or use High-Risk Features. Any remaining liability is subject to the limitations in Section 13.
4.6 Production and Non-Production Target Requirements
4.6.1 Production Scanning Is Customer's Operational Decision. Customer is solely responsible for deciding whether a Target is suitable for scanning. If Customer submits a Production Environment as a Target, Customer does so at Customer's own operational and legal risk, even where the Service uses Safe Payloads or default scan settings.
4.6.2 Safe Payloads Are Not a Production Warranty. The Company implements Safe Payloads, scan controls, and dangerous-payload gating where feasible. Customer acknowledges that automated security testing can still trigger unexpected behaviour in Production Environments, including WAF or CDN blocking, rate limiting, account lockouts, alert storms, performance degradation, third-party abuse reports, cloud-provider enforcement, fragile legacy-system failure, business-process side effects, or downtime. Safe Payloads reduce risk; they do not eliminate it.
4.6.3 Required Production Precautions. Before scanning any Production Environment, Customer must: (a) obtain all internal, customer, supplier, hosting-provider, cloud-provider, and third-party approvals required for the scan; (b) notify relevant operational, security, and support teams; (c) schedule the scan during an agreed maintenance window, off-hours, or low-traffic period unless Customer has a documented reason not to do so; (d) configure conservative scan speed, concurrency, timeout, retry, and scope settings appropriate for the Target; (e) maintain current backups, rollback plans, and incident-response procedures; (f) monitor the Target during the scan; and (g) stop or pause the scan immediately if instability, abnormal load, user impact, or third-party complaints occur.
4.6.4 No Liability for Customer Production Decisions. To the maximum extent permitted by applicable Dutch and European law, the Company shall not be liable for downtime, outage, degraded performance, lost revenue, lost profits, business interruption, SLA credits, support costs, remediation costs, data loss or corruption, third-party enforcement, provider suspension, customer complaints, or other losses arising from Customer's decision to scan a Production Environment, Customer's scan configuration, Customer's failure to follow the precautions in this Section, or Customer's use of High-Risk Features. Any remaining liability is subject to Section 13.
4.6.5 Logged Acknowledgments. The Platform may require Customer to provide logged confirmations regarding Target authorization, Non-Production Environment preference, Production Environment risk, dangerous payload enablement, or other scope controls. Customer agrees that those records may be used by the Company to evidence Customer's authorization, instructions, and assumption of operational risk.
4.7 Cooperation with Investigations
Customer shall cooperate with DefZero and law enforcement authorities in any investigation of suspected illegal activities, abuse, or violations of these Terms.
Payment Terms and Billing
5.1 Fees and Pricing
Customer agrees to pay the Company the fees ("Fees") for the selected Subscription Plan as set forth in:
- The pricing page at the time of registration (for self-service plans); or
- The Order Form (for enterprise or custom plans).
Fees are stated in the currency shown at checkout, in the Platform, or in the applicable Order Form/invoice, as applicable. Fees are exclusive of all applicable taxes, duties, and levies (see Section 5.7).
5.2 Payment Methods
For self-service subscriptions, payments are processed via Stripe (or other payment processors designated by the Company). Payment card data is handled by the payment processor rather than stored by SecRaptor. Customer authorizes the Company to charge the payment method on file for:
- Subscription Fees at the beginning of each billing cycle (monthly, annually, or as specified);
- Any applicable taxes; and
- Any other fees expressly agreed in an Order Form (if applicable).
For invoice-billed customers (typically enterprise/custom plans), payment terms are governed by the applicable Order Form and the invoice itself.
5.3 Billing Cycle and Automatic Renewal
- Recurring Billing: Subscriptions automatically renew at the end of each billing cycle unless Customer cancels before the renewal date.
- Cancellation Effective Date: Unless otherwise stated in an Order Form, cancellation takes effect at the end of the then-current billing period. Customer retains access through the end of that period.
- No Refunds for Partial Periods: Except as expressly provided in Section 5.9 or required by mandatory law, Fees are non-refundable once charged.
5.4 Invoicing (Invoice-Billed Plans)
For enterprise or custom plans billed via invoice (including manual invoice mode):
- The Company will issue invoices according to the billing schedule specified in the Order Form or tenant billing settings (as applicable);
- The due date is stated on the invoice (unless otherwise specified in an Order Form);
- The Company may suspend access to the Service for overdue invoices, subject to Section 5.8.
5.5 Price Changes
The Company reserves the right to change Fees at any time. For existing self-service subscriptions, fee changes generally take effect at the next renewal unless otherwise required by law or agreed in an Order Form. Where feasible, the Company may provide notice via email and/or in the Platform.
- Price changes for existing subscriptions typically do not take effect until the next renewal period;
- If Customer does not agree with a price change, Customer may cancel the subscription before the renewal date.
5.6 Usage Limits and Upgrades
The Service enforces plan limits (e.g., number of assets, scan modes, and scan quotas) as described on the pricing page and/or in an Order Form. If Customer attempts to exceed applicable limits, the Company may:
- Temporarily suspend additional usage until Customer upgrades the plan or the next billing cycle; or
- Contact Customer to discuss upgrading to a higher-tier plan or entering an Order Form.
The Company does not charge overage fees unless expressly agreed in writing (e.g., in an Order Form or add-on agreement).
5.7 Taxes
All Fees are exclusive of taxes. Customer is responsible for all sales, use, value-added (VAT), goods and services (GST), and other taxes or duties imposed by any governmental authority, excluding taxes based on the Company's net income.
For EU customers:
- Business Customers (B2B): VAT reverse charge applies if Customer provides a valid VAT identification number. Customer is responsible for accounting for VAT in their jurisdiction.
- If reverse charge does not apply, the Company will charge VAT if and to the extent required by applicable law.
For non-EU customers, tax treatment will be determined under applicable Dutch, EU, and local tax rules. The Company may charge taxes where required by applicable law.
5.8 Suspension for Non-Payment
If Customer fails to pay any amount when due (including failed Stripe charges or overdue invoices), the Company may, without limiting other rights or remedies:
- Restrict access to the Service or features until payment issues are resolved;
- Suspend access to the Service; and/or
- Terminate the Agreement for non-payment, subject to Section 6.
The Company is not liable for any damages resulting from suspension or termination for non-payment.
5.9 Refund Policy
- Trial Period (No Charge): If a trial period is offered, Customer may cancel during the trial period and will not be charged.
- No Refunds Otherwise: Fees are non-refundable once charged, including for early termination, reduced usage, or dissatisfaction with results, except where required by mandatory law or expressly agreed in writing (e.g., an Order Form).
- Service Credits: Any service credits or SLA remedies (if offered) will be set forth in an Order Form, SLA, or other written agreement, and are not available for self-service plans unless explicitly stated.
Subscription Term and Termination
6.1 Initial Term and Renewal
The initial Subscription Term commences on the date Customer completes registration or the effective date specified in an Order Form, and continues for the period selected by Customer (monthly, annual, or custom).
Unless Customer cancels via the Platform billing settings (for self-service plans) or the parties agree otherwise in an Order Form (for invoice-billed plans), the subscription will automatically renew for successive periods equal to the initial term.
6.2 Termination by Customer
Customer may terminate the subscription:
- By Cancellation: By canceling via the Platform billing settings. Cancellation takes effect at the end of the then-current billing period; Customer retains access through the end of that period;
- For Cause: Immediately upon written notice if the Company materially breaches these Terms and fails to cure within 30 days of written notice;
- For Convenience: At any time by written notice, subject to no refund of prepaid Fees (except as provided in Section 5.9).
6.3 Termination by the Company
The Company may suspend or terminate Customer's access to the Service:
- For Cause: Immediately if:
  - Customer breaches Section 7 (Acceptable Use Policy) or Section 4.1 (Target Authorization);
  - Customer's use poses a security risk or legal liability to the Company or third parties;
  - Customer fails to pay Fees when due (after the notice period specified in Section 5.8);
  - Customer materially breaches these Terms and fails to cure within 10 days of written notice;
- For Convenience: Upon 60 days' written notice. Fees are non-refundable once charged except where required by law.
6.4 Effects of Termination
Upon termination or expiration of the Agreement:
- All licenses granted to Customer immediately terminate;
- Customer's access to the Service and Customer Data will be disabled;
- Customer shall immediately cease all use of the Service and Documentation;
- Following termination or expiration, Customer access to service data will be disabled. Where cancellation takes effect at the end of a current billing term, deletion will occur after that term ends. Deleted service data is then scheduled for purge 30 days later in accordance with our data retention policy;
- Customer shall immediately pay all outstanding Fees and charges;
- Sections that by their nature should survive termination will survive (including Sections 8, 9, 10, 13, 14, 18, 19, and 23).
6.5 Data Export Before Termination
Customer is solely responsible for exporting Customer Data before termination. The Company provides data export functionality via:
- JSON/CSV export of scan results;
- PDF report downloads;
- API access (if included in Customer's plan).
The Company is not obligated to provide Customer Data after the 30-day post-termination grace period.
Acceptable Use Policy
7.1 Permitted Uses
Customer may use the Service solely for:
- Authorized security assessments of Customer's own systems, applications, and infrastructure;
- Authorized security assessments of third-party systems where Customer has obtained explicit, documented written permission from the system owner;
- Compliance assessments and vulnerability management for Customer's organization;
- Security research and testing within authorized scope;
- Educational purposes on Customer's own test environments or explicitly authorized lab systems.
7.2 Prohibited Uses
Customer shall NOT use the Service to:
Unauthorized Scanning and Hacking
- Scan, test, or probe any system, network, or application without explicit authorization from the owner;
- Conduct "bug bounty" or vulnerability disclosure program testing without explicit permission;
- Perform penetration testing on third-party infrastructure, even if publicly accessible;
- Use High-Risk Features against any Target hosted on shared infrastructure (including shared cloud tenancy, shared hosting environments, or multi-tenant SaaS platforms) unless Customer has obtained explicit written confirmation from the infrastructure provider, and not merely the application owner, that disruptive testing is authorized at the infrastructure level;
- Scan a Production Environment without proper authorization, operational approval, monitoring, backups, rollback readiness, and a suitable maintenance window, off-hours window, or other documented low-risk timing decision;
- Exploit discovered vulnerabilities for any purpose other than legitimate security assessment;
- Access, modify, delete, or exfiltrate data from Target systems beyond what is necessary for vulnerability assessment;
Harmful or Disruptive Activities
- Cause denial-of-service (DoS), resource exhaustion, or performance degradation on Target systems;
- Introduce malware, viruses, worms, trojans, or other malicious code;
- Delete, corrupt, or modify data on Target systems;
- Disrupt, damage, or impair the operation of any Target system or network;
- Interfere with or disrupt the Service itself or the Company's infrastructure;
Illegal Activities
- Engage in any activity that violates applicable laws or regulations, including:
  - Computer intrusion laws (e.g., Netherlands Penal Code Article 138ab and similar laws);
  - Data protection laws (GDPR, UAVG, and other applicable implementing legislation);
  - Cybercrime conventions and directives;
  - Export control and sanctions laws;
- Facilitate or enable illegal activities, including fraud, identity theft, or unauthorized access;
- Scan government systems, critical infrastructure, or military networks without explicit legal authorization;
Abuse and Misuse
- Use the Service to harass, threaten, defame, or abuse any person or entity;
- Collect or harvest personal data without proper legal basis and consent;
- Send unsolicited communications (spam, phishing) via the Service;
- Impersonate any person or entity or misrepresent affiliation with the Company;
- Use automated systems to scrape or extract data from the Service for commercial purposes;
Competitive or Harmful Research
- Reverse engineer, decompile, or analyze the Service to build competitive products;
- Benchmark the Service without prior written permission from the Company;
- Conduct security testing of the Service itself without the Company's Responsible Disclosure Program authorization.
7.3 Monitoring and Enforcement
The Company reserves the right to:
- Monitor Customer's use of the Service to ensure compliance with this Policy;
- Investigate suspected violations, including reviewing scan logs and Target lists;
- Immediately suspend or terminate Service access upon discovery of prohibited activities;
- Report violations to law enforcement authorities where required by law or where the Company reasonably believes illegal activity has occurred;
- Cooperate with law enforcement investigations and provide Customer Data pursuant to lawful requests.
7.4 Consequences of Violation
Violation of this Acceptable Use Policy may result in:
- Immediate suspension or termination of Service access without notice or refund;
- Legal action by the Company to recover damages and costs;
- Criminal prosecution under applicable laws;
- Civil liability to third parties harmed by Customer's actions;
- Full indemnification obligations under Section 14.
Intellectual Property Rights
8.1 Company's Intellectual Property
As between the parties, the Company owns all right, title, and interest in and to:
- The Service, including all software, code, algorithms, interfaces, and architecture;
- Documentation, user guides, and technical materials;
- The "SecRaptor" trademarks, logos, and brand elements;
- All improvements, enhancements, modifications, and derivative works of the foregoing;
- All Intellectual Property rights therein (patents, copyrights, trade secrets, know-how).
No rights are granted to Customer except the limited license in Section 3.1. These Terms do not constitute a sale of any Intellectual Property.
8.2 Customer Data Ownership
As between the parties, Customer retains all right, title, and interest in and to Customer Data. Customer grants the Company a limited, worldwide, non-exclusive license to:
- Use, process, store, and transmit Customer Data solely to provide the Service;
- Create derivative works of Customer Data for the purpose of providing the Service (e.g., parsing scan configurations, generating reports);
- Use aggregated, anonymized, and de-identified data for analytics, research, and service improvement, provided such data cannot reasonably be re-identified to Customer.
This license terminates upon deletion of Customer Data or termination of the Agreement.
8.3 Feedback and Suggestions
If Customer provides the Company with feedback, suggestions, ideas, or recommendations regarding the Service ("Feedback"), Customer grants the Company a non-exclusive, worldwide, perpetual, irrevocable, royalty-free license to use, reproduce, modify, and create derivative works from such Feedback for the purposes of developing, improving, and operating the Service. This license does not extend to Feedback that constitutes a patentable invention or that contains Customer Confidential Information, which remains subject to Section 9.
8.4 OSINT and Public Data
The Service may collect and enrich information from public sources ("OSINT") and third-party datasets subject to applicable law and third-party terms. The Company does not claim ownership over underlying third-party rights in such sources. The Company may use OSINT and derived analytics to provide and improve the Service, including in aggregated and de-identified form, provided Customer-specific Confidential Information and Customer Data are not disclosed.
8.5 Open Source Software
The Service may incorporate open-source software components subject to separate license terms. A list of open-source components and their licenses is available upon request. Customer agrees to comply with applicable open-source licenses.
Confidentiality
9.1 Definition of Confidential Information
"Confidential Information" means all non-public information disclosed by one party ("Discloser") to the other party ("Recipient"), whether orally, in writing, or by any other means, that is:
- Designated as "Confidential," "Proprietary," or with a similar marking; or
- Reasonably understood to be confidential given the nature of the information and circumstances of disclosure.
Confidential Information includes, but is not limited to:
- Company Confidential Information: The Service's architecture, source code, algorithms, security measures, pricing, roadmaps, and customer lists;
- Customer Confidential Information: Customer Data, scan results, vulnerability findings, authentication credentials, and business operations.
9.2 Obligations of Recipient
Recipient shall:
- Maintain Confidential Information in strict confidence using the same degree of care as for its own confidential information (but no less than reasonable care);
- Not disclose Confidential Information to third parties except as permitted in Section 9.3;
- Use Confidential Information solely to fulfill obligations under this Agreement;
- Not reverse engineer, decompile, or otherwise attempt to derive source code or algorithms from Confidential Information.
9.3 Permitted Disclosures
Recipient may disclose Confidential Information to:
- Employees, contractors, and agents who have a legitimate need to know and are bound by confidentiality obligations no less protective than these Terms;
- Professional advisors (lawyers, accountants) bound by professional confidentiality duties;
- Service providers and subprocessors subject to written confidentiality agreements (for the Company only).
9.4 Exceptions
Confidential Information does not include information that:
- Was publicly known at the time of disclosure or becomes publicly known through no breach by Recipient;
- Was rightfully known to Recipient without confidentiality restrictions prior to disclosure;
- Is rightfully received by Recipient from a third party without confidentiality restrictions;
- Is independently developed by Recipient without reference to Confidential Information.
9.5 Compelled Disclosure
If Recipient is legally compelled to disclose Confidential Information (by court order, subpoena, or regulatory request), Recipient shall:
- Promptly notify Discloser (unless legally prohibited);
- Cooperate with Discloser's efforts to seek a protective order or other appropriate relief;
- Disclose only the minimum information required by the legal obligation.
9.6 Return or Destruction
Upon termination of this Agreement or upon Discloser's written request, Recipient shall promptly (within 30 days):
- Return or destroy (at Discloser's election) all Confidential Information in tangible form; and
- Certify in writing that such return or destruction has been completed.
Recipient may retain Confidential Information to the extent required by law or professional standards (e.g., audit records), subject to continued confidentiality obligations.
9.7 Duration of Obligations
Confidentiality obligations survive for 5 years from the date of disclosure or until the information ceases to be confidential under Section 9.4, whichever is sooner, except for trade secrets, which remain confidential indefinitely.
Data Protection and Privacy
10.1 Incorporation of Privacy Policy
The parties' obligations with respect to Personal Data are set forth in the Privacy Policy, available at /legal/privacy, which is incorporated into these Terms by reference.
10.2 Data Processing Agreement (DPA)
To the extent the Company processes Personal Data on behalf of Customer (i.e., the Company acts as a "processor" under the GDPR), the Data Processing Agreement ("DPA") set forth in Appendix A below applies and forms part of these Terms. The DPA complies with Article 28 GDPR. If the parties execute a separate DPA addendum/order form that references these Terms, that addendum will prevail in case of conflict solely with respect to data protection terms.
Key DPA terms include:
- Customer as Controller: Customer is the data controller for Personal Data of individuals whose systems are scanned (if applicable);
- The Company as Processor: The Company processes Personal Data solely on Customer's instructions and in accordance with the GDPR and UAVG where applicable;
- Security Measures: The Company implements technical and organizational measures as described in Section 10 of the Privacy Policy;
- Sub-processors: The Company may engage sub-processors identified in the Privacy Policy and/or made available upon request, with Customer's general consent;
- Data Subject Rights: The Company will assist Customer in responding to data subject requests;
- Data Breach Notification: The Company will notify Customer of Personal Data breaches without undue delay (within 72 hours where feasible);
- Audits: Customer may audit the Company's compliance once per year upon reasonable notice and subject to confidentiality.
10.3 Customer's Data Protection Obligations
Customer represents and warrants that:
- Customer has a lawful basis under the GDPR and other applicable data protection law for processing any Personal Data submitted to the Service;
- Customer has obtained all necessary consents, provided required notices, and complies with data protection laws;
- Customer will not submit special categories of Personal Data (e.g., health, biometric, genetic data) to the Service without the Company's prior written consent;
- Customer will indemnify the Company for violations of data protection laws arising from Customer's misuse of Personal Data.
10.4 Data Localization
Customer Data is primarily stored in data centers located in the European Union, depending on the deployment and infrastructure used for the Service. Customer acknowledges that certain sub-processors may process data outside the EU/EEA subject to EU Standard Contractual Clauses, the EU-US Data Privacy Framework, and/or other lawful safeguards (see Privacy Policy Section 7).
10.5 Data Retention and Deletion
The Company will retain Customer Data in accordance with the retention periods specified in the Privacy Policy and Customer's account settings. Upon termination or expiry, service data will be deleted when the termination takes effect and then scheduled for purge 30 days later (see Section 6.4), except where retention is required by applicable law (including Dutch tax and accounting requirements and any other mandatory recordkeeping obligations that apply).
Service Levels and Support
11.1 Service Availability
The Company will use commercially reasonable efforts to make the Service available 99.5% of the time during each calendar month ("Uptime Target"), excluding:
- Scheduled maintenance (announced at least 24 hours in advance, typically during off-peak hours);
- Emergency maintenance (for security patches or critical issues);
- Downtime caused by factors outside the Company's reasonable control (Force Majeure, internet failures, third-party services);
- Downtime resulting from Customer's equipment, actions, or violations of these Terms.
11.2 Service Level Agreement (SLA)
No SLA applies unless expressly agreed in an Order Form or SLA addendum signed by both parties. Self-service plans do not include an SLA unless explicitly stated in writing.
11.3 Support Services
The Company provides technical support as specified in the Subscription Plan:
| Plan | Support Level | Response Time | Availability |
|---|---|---|---|
| Standard/Pro | Email support | 48 business hours | Business hours (CET) |
| Enterprise | Priority email + chat | 4 business hours (critical), 24 hours (normal) | 24/5 or 24/7 (custom) |
| Custom/On-Premise | Dedicated support | Per Order Form | Per Order Form |
Support does not include:
- Consulting, implementation, or integration services (available separately);
- Support for third-party tools or systems;
- Assistance with interpreting scan results or remediation advice (available in higher-tier plans).
11.4 Service Modifications
The Company reserves the right to modify, update, or discontinue features of the Service at any time, provided that:
- Core functionality will not be materially reduced for existing Subscription Plans during the then-current term;
- Customer will be notified of material changes at least 30 days in advance;
- Security patches and bug fixes may be deployed without advance notice.
Third-Party Services and Integrations
12.1 Third-Party Services
The Service may integrate with or rely on third-party services, APIs, and data sources ("Third-Party Services"), including:
- Shodan API for port scanning and exposure intelligence;
- Certificate Transparency logs;
- WHOIS databases;
- Payment processors (Stripe);
- Cloud infrastructure providers;
- CDN and security services (Cloudflare).
12.2 No Warranties for Third-Party Services
The Company does not control Third-Party Services and is not responsible for:
- Availability, accuracy, reliability, or security of Third-Party Services;
- Changes, discontinuation, or pricing changes by third-party providers;
- Privacy practices or terms of service of Third-Party Services;
- Errors, omissions, or inaccuracies in data provided by Third-Party Services.
Customer's use of Third-Party Services may be subject to separate terms and conditions between Customer and the third-party provider.
12.3 Third-Party Integrations (Customer-Initiated)
Customer may integrate the Service with Customer's own third-party tools (via API or export). The Company is not responsible for the security, compatibility, or functionality of such integrations. Customer is solely responsible for securing API keys and authentication tokens.
12.4 Links to Third-Party Websites
The Service or Documentation may contain links to third-party websites for informational purposes. The Company does not endorse and is not responsible for the content, privacy practices, or terms of such websites.
Limitation of Liability
13.1 Exclusion of Consequential Damages
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL THE COMPANY, ITS AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, OR SUPPLIERS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES ARISING OUT OF OR RELATED TO THESE TERMS OR THE SERVICE, INCLUDING BUT NOT LIMITED TO:
- Loss of profits, revenue, business opportunities, or anticipated savings;
- Loss or corruption of data or information;
- Business interruption or downtime;
- Loss of goodwill or reputation;
- Cost of procurement of substitute services;
- Unauthorized access to or disclosure of Customer Data;
- Errors, inaccuracies, or omissions in scan results or reports;
- Failure to detect vulnerabilities or security issues;
- Damages arising from exploitation of discovered vulnerabilities by third parties;
- Claims by third parties (except as addressed in Section 14).
THIS EXCLUSION APPLIES REGARDLESS OF THE LEGAL THEORY (CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY, OR OTHERWISE) AND WHETHER OR NOT THE COMPANY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
13.2 Cap on Monetary Damages
TO THE MAXIMUM EXTENT PERMITTED BY LAW, THE COMPANY'S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THESE TERMS OR THE SERVICE, WHETHER IN CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY, OR OTHERWISE, SHALL NOT EXCEED THE GREATER OF:
- (A) The total Fees paid by Customer to the Company in the 12 months immediately preceding the event giving rise to liability; OR
- (B) €10,000 (ten thousand Euros).
This cap applies in the aggregate to the specific event, series of related events, or claim arising from the same underlying facts, and reflects the parties' allocation of risk and the pricing basis on which the Service is offered.
13.3 Exceptions to Limitations
The limitations in Sections 13.1 and 13.2 do NOT apply to:
- Customer's indemnification obligations under Section 14;
- Customer's payment obligations (Fees);
- Liability for death or personal injury caused by negligence — this liability cannot be excluded or limited under any circumstances;
- Liability arising from either party's fraud, fraudulent misrepresentation, deliberate default, or any other conduct that cannot lawfully be excluded or limited under applicable law;
- Liability for fraud or fraudulent misrepresentation;
- Breaches of Section 9 (Confidentiality) by the Company;
- Violations of Intellectual Property rights under Section 8;
- Liability that cannot be excluded or limited under applicable mandatory Dutch or European law.
13.3A Reasonableness and Mandatory Law
The limitations and exclusions in this Section 13 are intended to apply to the maximum extent permitted by applicable Dutch and European law. The Company considers these limitations to be fair and reasonable having regard to: the fact that the Service is an automated software tool and not a professional advisory service; the B2B nature of the customer base; the requirement that customers independently validate findings and remediation decisions; the express disclaimers regarding completeness, false positives, and false negatives in Section 21; the expectation that customers maintain appropriate cyber, business interruption, and professional insurance; and the allocation of risk reflected in the Fees charged and the availability of negotiated terms in Order Forms for enterprise customers.
13.3B High-Risk Features; Third-Party Claims
Nothing in Sections 13.1 or 13.2 limits Customer's indemnification obligations under Section 14 in respect of third-party claims arising from Customer's enablement or use of High-Risk Features. The liability cap in Section 13.2 does not apply to claims by third parties, including infrastructure providers, co-tenants, or affected parties, arising from damage caused by Customer's use of dangerous, disruptive, or resource-exhaustion payloads.
13.3C Production Environment Scanning
Customer acknowledges that Production Environment scanning is outside the Company's recommended default use pattern and is an operational risk decision made by Customer. To the maximum extent permitted by applicable Dutch and European law, the Company has no responsibility or liability for any direct or indirect loss, outage, downtime, rate limiting, provider suspension, lockout, alert escalation, business interruption, contractual penalty, SLA credit, customer claim, remediation cost, support cost, data loss, data corruption, or third-party claim arising from Customer's decision to scan, schedule, configure, or continue scanning a Production Environment, whether or not Safe Payloads or default scan settings were used. Any remaining liability is subject to Sections 13.1 and 13.2.
13.4 Nature of Security Scanning Services
Customer acknowledges and agrees that:
- No Guarantee of Complete Security: Security scanning is inherently imperfect. The Service may not detect all vulnerabilities, and absence of findings does not guarantee security;
- False Positives and Negatives: Scan results may contain false positives (incorrectly identified vulnerabilities) and false negatives (missed vulnerabilities);
- Rapidly Evolving Threat Landscape: New vulnerabilities are discovered daily. Past scan results may not reflect current security posture;
- Customer's Responsibility: Customer is solely responsible for securing its systems, remediating vulnerabilities, and implementing security best practices;
- No Substitute for Professional Security Services: The Service is a tool to assist security assessments, not a replacement for human expertise, manual testing, or professional security consulting.
13.5 Allocation of Risk
The limitations of liability in this Section 13 reflect an allocation of risk between the parties. The Fees reflect this allocation, and Customer acknowledges that the Company would not enter into this Agreement without these limitations.
13.6 Applicability
The limitations in this Section 13 apply to the fullest extent permitted by applicable law, including the laws of the Netherlands, European Union law, and any other mandatory law that applies. If any jurisdiction does not allow certain limitations, such limitations shall apply only to the extent permitted in that jurisdiction.
Indemnification
14.1 Indemnification by Customer
Customer shall defend, indemnify, and hold harmless the Company, its affiliates, and their respective officers, directors, employees, agents, contractors, and licensors (collectively, the "Company Indemnitees") from and against any and all third-party claims, actions, demands, liabilities, losses, damages, costs, and expenses (including reasonable attorneys' fees and court costs) ("Claims") arising out of or related to:
(a) Unauthorized Scanning and Illegal Use
- Customer's scanning of Targets without proper authorization or legal right;
- Violation of computer intrusion laws, hacking statutes, or cybercrime laws (e.g., Netherlands Penal Code Article 138ab and similar laws);
- Scanning government systems, critical infrastructure, or third-party systems without permission;
- Exploitation of vulnerabilities discovered via the Service;
(b) Violation of Acceptable Use Policy
- Any violation of Section 7 (Acceptable Use Policy);
- Use of the Service to cause harm, damage, or disruption to third parties;
- Denial-of-service attacks, data exfiltration, or malicious activities;
(c) Data Protection Violations
- Customer's violation of GDPR, UAVG, or other data protection laws;
- Failure to obtain required consents or provide required notices;
- Unauthorized processing of Personal Data or special categories of data;
- Claims by data subjects for privacy violations resulting from Customer's use of the Service;
(d) Customer Data and Intellectual Property
- Claims that Customer Data infringes or violates third-party Intellectual Property rights;
- Claims that Customer Data is defamatory, violates privacy rights, or violates other third-party rights;
(e) Breach of Terms
- Any material breach of these Terms by Customer or any Authorized User;
- Negligent or willful misconduct by Customer or Authorized Users;
(f) Third-Party Claims
- Claims by system owners alleging unauthorized access or damage;
- Claims by regulatory authorities or law enforcement arising from Customer's activities;
- Claims by individuals whose data was processed without lawful basis;
- Claims by customers, hosting providers, cloud providers, infrastructure providers, co-tenants, payment providers, monitoring providers, or other third parties arising from Customer's scanning of Production Environments, Customer's scan configuration, Customer's failure to follow required production precautions, or Customer's use of High-Risk Features.
14.2 Indemnification Procedures
The Company's right to indemnification is conditioned upon the Company:
- Promptly notifying Customer in writing of the Claim (failure to do so does not relieve Customer's obligations except to the extent prejudiced);
- Providing Customer with reasonable cooperation and information to defend the Claim;
- Granting Customer sole control of the defense and settlement (provided the Company may participate with its own counsel at its own expense).
Customer shall not settle any Claim that:
- Admits liability or wrongdoing by the Company;
- Imposes obligations on the Company; or
- Grants injunctive or equitable relief against the Company,
without the Company's prior written consent (not to be unreasonably withheld).
14.3 Indemnification by the Company (Intellectual Property)
The Company shall defend, indemnify, and hold harmless Customer from Claims that the Service, when used in accordance with these Terms, infringes a third party's patents, copyrights, or trademarks, provided that:
- Customer promptly notifies the Company of the Claim;
- Customer grants the Company sole control of the defense and settlement; and
- Customer provides reasonable cooperation.
If the Service is, or in the Company's opinion is likely to become, subject to an infringement claim, the Company may, at its option and expense:
- Obtain the right for Customer to continue using the Service;
- Replace or modify the Service to make it non-infringing without materially reducing functionality; or
- Terminate the Agreement and refund Customer a pro-rata portion of any prepaid Fees for the unused remainder of the then-current Subscription Term.
14.4 Exclusions from the Company's IP Indemnity
The Company has no obligation for Claims arising from:
- Modification of the Service by anyone other than the Company;
- Use of the Service in combination with third-party products, services, or data not provided by the Company;
- Customer Data or content provided by Customer;
- Failure to implement updates or patches provided by the Company;
- Use of the Service in violation of these Terms or Documentation.
14.5 Exclusive Remedy
THIS SECTION 14 STATES THE ENTIRE LIABILITY OF EACH PARTY AND THE EXCLUSIVE REMEDY OF THE OTHER PARTY FOR INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS.
14.6 Survival
The indemnification obligations in this Section 14 survive termination or expiration of the Agreement.
Export Control and Sanctions
15.1 Export Compliance
Customer acknowledges that the Service and related technology may be subject to export control laws and regulations of the European Union, the Netherlands, the United States, and other jurisdictions.
Customer shall not, directly or indirectly:
- Export, re-export, or transfer the Service or related technology to any prohibited country, entity, or person under EU, Dutch, or U.S. export control laws;
- Use the Service for prohibited end-uses, including development of weapons of mass destruction, military applications (without authorization), or other prohibited purposes;
- Provide access to the Service to persons or entities on sanctions lists (e.g., EU Consolidated List, Dutch sanctions implementation lists, OFAC SDN List);
- Use the Service in violation of EU Council Regulation 833/2014 (Russia sanctions), EU Iran sanctions, Dutch sanctions implementation rules, U.S. sanctions, or other applicable sanctions regimes.
15.2 Prohibited Jurisdictions
Customer represents that Customer and Authorized Users are not located in, ordinarily resident in, or organized under the laws of any country or territory subject to comprehensive sanctions, including (as of the Effective Date):
- Crimea, Donetsk, and Luhansk regions of Ukraine;
- Cuba, Iran, North Korea, Syria;
- Any other jurisdiction designated by the EU, the Netherlands, or the U.S. as subject to comprehensive sanctions.
15.3 Customer Certifications
Customer certifies that:
- Customer is not identified on any sanctions list or owned/controlled by such persons;
- Customer will not use the Service in support of sanctioned activities or entities;
- Customer will comply with all applicable export control and sanctions laws.
15.4 Suspension for Violations
The Company may immediately suspend or terminate Service access if the Company reasonably believes Customer is in violation of export control or sanctions laws, without liability or refund obligation.
Compliance with Laws; NIS2 (Where Applicable)
16.1 General Compliance Obligation
Each party shall comply with all applicable laws, regulations, and industry standards in performing its obligations under this Agreement.
16.2 NIS2 Directive Compliance
The Company maintains an information security program designed to meet applicable legal obligations and industry standards, including requirements that may apply under the NIS2 Directive (Directive (EU) 2022/2555) and applicable Dutch national implementation, where and when applicable to the Company's services and classification. This program includes:
- Implementing appropriate cyber security risk management measures;
- Cooperating with applicable reporting obligations to competent authorities/CSIRTs where legally required;
- Maintaining security measures proportionate to the risks, including encryption, access controls, and incident response capabilities.
16.3 Customer's Regulatory Compliance
Customer is responsible for determining whether Customer is subject to NIS2, GDPR, UAVG, PCI DSS, HIPAA, or other regulatory requirements, and for ensuring that Customer's use of the Service complies with such requirements.
The Company provides tools and features to assist compliance efforts (e.g., compliance report mappings), but Customer is solely responsible for achieving and maintaining compliance.
16.4 Regulatory Inquiries and Audits
If either party receives a regulatory inquiry, investigation, or audit request related to the Service or this Agreement, the receiving party shall promptly notify the other party (unless legally prohibited) and cooperate as reasonably necessary.
16.5 Cybersecurity Incident Reporting
The Company will notify Customer of any security incident affecting Customer Data in accordance with the Privacy Policy and DPA. Customer acknowledges that the Company may be required to report certain incidents to regulatory authorities under applicable law, including the Autoriteit Persoonsgegevens or another competent supervisory authority under the GDPR and, where applicable, competent authorities under the NIS2 Directive or Dutch implementation.
Force Majeure
17.1 Definition and Effect
Neither party shall be liable for failure or delay in performing its obligations (other than payment obligations) to the extent caused by a Force Majeure Event, defined as an event or circumstance beyond a party's reasonable control, including:
- Acts of God (earthquakes, floods, fires, storms, epidemics, pandemics);
- War, terrorism, civil unrest, or armed conflict;
- Government actions, including sanctions, embargoes, or regulations;
- Labor disputes, strikes, or lockouts (not involving the affected party's own employees);
- Failures of internet backbone providers, telecommunications carriers, or power utilities;
- Cyberattacks (DDoS attacks, ransomware) not attributable to the affected party's negligence;
- Failures of third-party cloud infrastructure or data centers.
17.2 Notice and Mitigation
The affected party shall:
- Notify the other party as soon as reasonably practicable of the Force Majeure Event;
- Use commercially reasonable efforts to mitigate the effects and resume performance;
- Provide periodic updates on the status and expected resolution.
17.3 Termination for Extended Force Majeure
If a Force Majeure Event prevents performance of material obligations for more than 60 consecutive days, either party may terminate this Agreement upon written notice. Fees are non-refundable once charged except where required by mandatory law.
Representations and Warranties
18.1 Mutual Representations
Each party represents and warrants that:
- It is duly organized, validly existing, and in good standing under the laws of its jurisdiction;
- It has full power and authority to enter into and perform this Agreement;
- Execution and performance of this Agreement does not violate any law, regulation, or obligation to third parties;
- This Agreement constitutes a valid and legally binding obligation.
18.2 Company's Additional Warranties
The Company represents and warrants that:
- The Service will perform substantially in accordance with the Documentation under normal use;
- The Company will perform the Service using personnel with appropriate skill, care, and diligence;
- To the Company's knowledge, the Service does not contain malicious code (viruses, backdoors, trojans) intentionally introduced by the Company;
- The Company has the right to grant the licenses and provide the Service as contemplated in this Agreement.
18.3 Customer's Additional Representations
Customer represents and warrants that:
- Customer owns or has authorization to scan all Targets submitted to the Service;
- Customer Data does not infringe third-party Intellectual Property rights or violate applicable laws;
- Customer has obtained all required consents and provided required notices for processing Personal Data;
- Customer will use the Service in compliance with Section 7 (Acceptable Use Policy) and all applicable laws.
18.4 Breach of Warranty Remedies
If the Service fails to conform to the warranty in Section 18.2 during the Subscription Term, and Customer notifies the Company in writing within 30 days of discovery, the Company will, at its option:
- Repair or replace the non-conforming Service; or
- Terminate the Agreement. Fees are non-refundable once charged except where required by mandatory law.
These remedies are Customer's sole and exclusive remedies for breach of warranty.
18.5 Warranty Exclusions
The warranties in Section 18.2 do not apply to issues caused by:
- Misuse, abuse, or use contrary to Documentation;
- Modifications by anyone other than the Company;
- Third-Party Services or infrastructure failures;
- Customer's equipment, software, or internet connectivity;
- Force Majeure Events.
Assignment and Subcontracting
19.1 Assignment by Customer
Customer may not assign, transfer, delegate, or sublicense this Agreement or any rights or obligations hereunder without the Company's prior written consent, which may be withheld in the Company's sole discretion.
Any attempted assignment in violation of this Section is void.
19.2 Assignment by the Company
The Company may assign this Agreement without Customer's consent:
- To an affiliate or subsidiary;
- In connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all assets;
- To a successor entity.
The Company will notify Customer of any such assignment.
19.3 Subcontracting
The Company may engage subcontractors and sub-processors to assist in providing the Service, provided such subcontractors are bound by confidentiality and data protection obligations no less protective than these Terms.
The Company remains responsible for the performance of subcontractors.
19.4 Effect of Permitted Assignment
This Agreement is binding upon and inures to the benefit of the parties' permitted successors and assigns.
Publicity and Marketing
20.1 Use of Customer Name
The Company may list Customer's name and logo on the Company's website (https://www.secraptor.com) and marketing materials as a customer only with Customer's prior written consent. If Customer operates in a regulated sector or is subject to confidentiality, procurement, or security restrictions, no publicity use is permitted unless expressly approved in writing by Customer.
20.2 Case Studies and Testimonials
The Company may not publish case studies, testimonials, or detailed descriptions of Customer's use of the Service without Customer's prior written approval.
20.3 Press Releases
Neither party may issue a press release or public announcement regarding this Agreement without the other party's prior written approval, except as required by law or stock exchange regulations.
Disclaimers of Warranties
21.1 Disclaimer of Implied Warranties
EXCEPT AS EXPRESSLY PROVIDED IN SECTION 18.2, AND EXCEPT AS REQUIRED BY MANDATORY APPLICABLE DUTCH OR EUROPEAN LAW, THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE" WITHOUT ANY WARRANTIES OF ANY KIND.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE COMPANY DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING BUT NOT LIMITED TO:
- Implied warranties of merchantability, fitness for a particular purpose, title, and non-infringement;
- Warranties arising from course of dealing, course of performance, or usage of trade;
- Warranties that the Service will meet Customer's requirements or expectations;
- Warranties that the Service will be uninterrupted, error-free, secure, or free of viruses or harmful components;
- Warranties regarding the accuracy, completeness, reliability, or currency of scan results, reports, or OSINT data;
- Warranties that the Service will detect all vulnerabilities or security issues.
21.2 No Guarantee of Security Outcomes
CUSTOMER ACKNOWLEDGES THAT:
- Security scanning tools, including the Service, have inherent limitations and cannot guarantee complete detection of all vulnerabilities;
- Scan results may include false positives (incorrectly identified issues) and false negatives (missed vulnerabilities);
- The absence of reported vulnerabilities does not mean a system is secure;
- New vulnerabilities are discovered continuously, and past scans do not reflect current security posture;
- The Service is a tool to assist security professionals, not a replacement for human expertise, judgment, or comprehensive security programs;
- Customer is solely responsible for evaluating scan results, making security decisions, and implementing remediation.
21.3 Third-Party Data Disclaimer
OSINT data and information from third-party sources (WHOIS, Shodan, certificate transparency logs, etc.) are provided for informational purposes only. The Company does not warrant the accuracy, completeness, timeliness, or reliability of such data.
21.4 Regulatory Compliance Disclaimer
While the Service provides compliance mapping and reporting features (e.g., GDPR, PCI DSS, NIS2), the Company does not warrant that use of the Service will ensure Customer's compliance with any specific laws, regulations, or standards. Compliance is Customer's sole responsibility.
21.5 Jurisdictional Limitations
These Terms are intended for business/professional use. Any exclusions and limitations apply to the maximum extent permitted by applicable mandatory Dutch and European law. Nothing in these Terms excludes or limits liability to the extent such exclusion or limitation is prohibited by mandatory law.
Notice Procedures
22.1 Method of Notice
Except as otherwise specified in this Agreement, all notices, requests, consents, and other communications required or permitted under this Agreement shall be in writing and shall be deemed given:
- When delivered personally;
- When sent by email to the notice email address (or the registered account email address), deemed received 24 hours after sending unless the sender receives a bounce-back or delivery failure notice;
- Three (3) business days after being sent by registered or certified mail, postage prepaid, return receipt requested; or
- One (1) business day after being sent via internationally recognized courier (e.g., DHL, FedEx).
22.2 Notice Addresses
Notices to the Company shall be sent to:
DefZero
NOT CONFIGURED
NOT CONFIGURED NOT CONFIGURED
Netherlands
Email: legal@secraptor.com
Attn: Legal Department
Notices to Customer shall be sent to:
- The email address associated with Customer's account; or
- The address provided in an Order Form.
22.3 Change of Address
Either party may change its notice address by providing written notice to the other party in accordance with this Section 22.
22.4 Service Notifications
The Company may provide operational notices (service updates, maintenance schedules, security alerts) via:
- Email to the account email address;
- In-platform notifications or banners.
Customer is responsible for monitoring these communication channels.
Appendix A: Data Processing Agreement (DPA)
This Appendix A forms part of the Terms and applies where the Company processes Personal Data on behalf of Customer as a processor under the GDPR (including where Customer provides authentication data, user data, scan inputs, or scan results containing Personal Data). This Appendix complies with Article 28 GDPR.
A.1 Subject Matter, Duration, Nature, and Purpose
- Subject Matter: Processing of Personal Data to provide the Service (security scanning, reporting, compliance mapping, customer support, and platform administration).
- Duration: For the Subscription Term and any retention period described in the Terms/Privacy Policy, unless otherwise required by law.
- Nature of Processing: Collection, storage, analysis, transmission, and deletion of Customer Data and scan outputs; user administration; troubleshooting and support.
- Purpose: Delivering the Service, maintaining security, and improving Service quality (including aggregated/de-identified analytics).
A.2 Types of Personal Data and Data Subjects
- Data Subjects: Customer's Authorized Users; and, depending on Customer's use, individuals whose Personal Data may appear in scanned systems (e.g., names/emails in pages, logs, or documents).
- Personal Data Categories: Account identifiers (name, email, role), authentication materials provided by Customer (e.g., cookies/tokens) where applicable, scan inputs (targets/headers), scan outputs (findings, evidence snippets), and usage/billing metadata.
A.3 Customer (Controller) Obligations
- Customer is responsible for determining the lawful basis for processing and for providing required notices to data subjects.
- Customer will ensure scan targets are authorized and that Personal Data is provided to the Company only as necessary.
- Customer will not provide special categories of data unless strictly necessary and permitted by law, and will configure the Service to minimize collection where possible.
A.4 Company (Processor) Obligations
- The Company will process Personal Data only on documented instructions from Customer as set out in these Terms and Customer's use/configuration of the Service.
- The Company will ensure persons authorized to process Personal Data are under appropriate confidentiality obligations.
- The Company will implement appropriate technical and organizational measures to protect Personal Data (see A.8).
- The Company will inform Customer without undue delay if, in the Company's opinion, an instruction from Customer infringes the GDPR, UAVG, or other applicable data protection law (Article 28(3), second subparagraph).
A.5 Sub-processors
- Customer provides general authorization for the Company to engage sub-processors necessary to provide the Service (e.g., hosting, email delivery, billing/payment processing such as Stripe).
- The Company will impose data protection obligations on sub-processors no less protective than this Appendix.
- The Company will maintain a current sub-processor list at a stable URL or by other durable written means and will provide at least 14 days' prior notice before adding or replacing a material sub-processor where required by law.
- Customer may object in writing during the notice period on reasonable data protection grounds. If the parties cannot resolve the objection in good faith, Customer may terminate the affected Service for cause before the new sub-processor is engaged.
A.6 International Transfers
Where Personal Data is transferred outside the EU/EEA, the Company will implement appropriate safeguards, such as EU Standard Contractual Clauses (SCCs), the EU-US Data Privacy Framework, or other lawful transfer mechanisms.
A.7 Assistance, Requests, and Audits
- Data Subject Requests: The Company will provide reasonable assistance for Customer to respond to data subject requests, taking into account the nature of processing and available information.
- Security/Breach: The Company will notify Customer without undue delay after becoming aware of a Personal Data breach affecting Customer Data and will provide reasonable information to support Customer's obligations.
- Audits: Upon reasonable written notice (no more than once per year unless required by law), Customer may request information necessary to demonstrate compliance with this Appendix, subject to confidentiality and security constraints.
A.8 Security Measures
The Company maintains security measures appropriate to the risk, which may include access controls, encryption in transit, separation of tenants, logging/monitoring, backups, and vulnerability management. Specific measures may evolve over time as part of the Company's security program.
A.9 Deletion/Return
Upon termination, at Customer's election, the Company will either delete or return Customer Data within the retention period described in the Terms/Privacy Policy (Article 28(3)(g) GDPR). If Customer does not make an election within 30 days of termination, the Company will delete Customer Data. Retention beyond deletion is permitted only where required by applicable law (e.g., tax records). Customer is responsible for exporting data prior to deletion.
General Provisions
23.1 Entire Agreement
This Agreement, including all incorporated documents (Privacy Policy, DPA, Order Forms, SLA), constitutes the entire agreement between the parties regarding the Service and supersedes all prior or contemporaneous agreements, understandings, negotiations, or representations, whether written or oral.
23.2 Amendments and Modifications
The Company may modify these Terms from time to time by:
- Posting updated Terms on the SecRaptor website with a revised effective date;
- Notifying Customer via email at least 30 days before material changes take effect.
Continued use of the Service after the effective date constitutes acceptance of the updated Terms. If Customer does not agree with a material change, Customer may terminate the Agreement before the effective date (see Section 6.2), and the Company will refund a pro-rata portion of any prepaid Fees for the unused remainder of the then-current Subscription Term.
23.3 Governing Law
This Agreement shall be governed by and construed in accordance with the laws of the Netherlands, without regard to conflict of law rules that would require the application of another jurisdiction's laws.
The parties acknowledge that:
- Mandatory laws that cannot be excluded by contract may still apply where required by law, including GDPR, UAVG, mandatory Dutch law, and other applicable mandatory statutes or regulations;
- EU mandatory consumer protection rules may apply if a consumer enters into this Agreement despite the B2B restriction in Section 1.3.
The United Nations Convention on Contracts for the International Sale of Goods (CISG) is expressly excluded and shall not apply.
23.4 Jurisdiction and Venue
Any dispute, controversy, or claim arising out of or relating to this Agreement, or the breach, termination, or invalidity thereof, shall be submitted to the exclusive jurisdiction of the competent courts of Amsterdam, the Netherlands.
Each party irrevocably submits to the jurisdiction of such courts and waives any objection to venue or inconvenient forum, except to the extent mandatory law requires otherwise.
23.5 Dispute Resolution and Mediation
Before initiating litigation, the parties agree to attempt to resolve disputes through good faith negotiations for at least 30 days.
If negotiation fails, the parties may agree to non-binding mediation under the rules of the Netherlands Mediation Institute (NMI) or another mutually agreed mediation framework before commencing litigation.
23.6 Injunctive Relief
Notwithstanding Section 23.5, either party may seek injunctive or equitable relief in any court of competent jurisdiction to prevent irreparable harm, including for breaches of Sections 7 (Acceptable Use), 8 (Intellectual Property), or 9 (Confidentiality).
23.7 Waiver
No waiver of any provision of this Agreement shall be effective unless in writing and signed by the party against whom the waiver is sought to be enforced. No failure or delay by a party in exercising any right, power, or privilege shall operate as a waiver, nor shall any single or partial exercise preclude any other or further exercise or the exercise of any other right, power, or privilege.
23.8 Severability
If any provision of this Agreement is held by a court of competent jurisdiction to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect. The invalid provision shall be modified to the minimum extent necessary to make it valid and enforceable while preserving the parties' intent.
23.9 Headings
Section headings are for convenience only and shall not affect the interpretation of this Agreement.
23.10 No Third-Party Beneficiaries
This Agreement is for the sole benefit of the parties and their permitted successors and assigns. No third party (including Authorized Users, end users, or customers of Customer) has any right to enforce or benefit from any provision of this Agreement.
23.11 Relationship of Parties
The parties are independent contractors. This Agreement does not create a partnership, joint venture, agency, franchise, employment, or fiduciary relationship. Neither party has authority to bind the other or incur obligations on the other's behalf.
23.12 Counterparts and Electronic Signatures
This Agreement and any Order Forms may be executed in counterparts, each of which shall be deemed an original and all of which together shall constitute one instrument. Electronic signatures (including DocuSign, Adobe Sign, or similar) and scanned/PDF signatures have the same legal effect as original signatures.
23.13 Language
This Agreement is executed in English. If translated into other languages, the English version shall prevail in the event of any conflict or ambiguity.
23.14 Interpretation
In interpreting this Agreement:
- "Including" and "includes" mean "including without limitation";
- Singular includes plural and vice versa;
- References to Sections refer to sections of this Agreement;
- Ambiguities shall not be construed against the drafter.
23.15 Survival
The following Sections survive termination or expiration of this Agreement: Sections 4.1 (Target Authorization), 5 (Payment Terms - outstanding obligations), 6.4 (Effects of Termination), 8 (Intellectual Property), 9 (Confidentiality), 10.3 (Data Protection Obligations), 13 (Limitation of Liability), 14 (Indemnification), 18.3 (Customer Representations), 19 (Assignment), 21 (Disclaimers), and 23 (General Provisions).
Contact Information
For Legal and Contractual Inquiries:
Legal Department
DefZero
Email: legal@secraptor.com
Subject Line: "Terms of Service Inquiry - SecRaptor"
For Sales and Enterprise Inquiries:
Email: sales@secraptor.com
Website: https://www.secraptor.com
For Technical Support:
Email: support@secraptor.com
Support Portal: https://www.secraptor.com/support
For Data Protection and Privacy:
Email: dpo@secraptor.com
See Privacy Policy for details
DefZero (Netherlands):
Chamber of Commerce (KVK) Number: 93371896
Registered Address: NOT CONFIGURED, NOT CONFIGURED NOT CONFIGURED, Netherlands
Email: support@secraptor.com
ACKNOWLEDGMENT: By using the Service, you acknowledge that you have read, understood, and agree to be bound by these Terms and Conditions. If you do not agree, you must not access or use the Service.
DefZero - SecRaptor Platform
Terms and Conditions Version 1.3 - Effective 19 April 2026
Governed by the Laws of the Netherlands
© 2026 DefZero. All rights reserved.