By creating an account or running any scan through CyberGrid (the "Service"), you ("Customer") agree to these Terms of Service (these "Terms"). If you are entering into these Terms on behalf of a company or other legal entity, you represent that you have authority to bind that entity. If you do not agree, do not use the Service.
CyberGrid provides an automated security assessment service. The Service runs open-source security scanning tools (including but not limited to nuclei, httpx, testssl.sh, and nmap) against Customer-designated targets on a documented quarterly cadence, generates a findings report, and issues a publicly verifiable attestation. The Service is not a penetration test, and CyberGrid makes no representation that it substitutes for manual security testing performed by qualified human professionals.
Penetration Testing is a separate service. CyberGrid also offers Penetration Testing on a per-engagement basis. Penetration Testing engagements are governed by a written Statement of Work and Master Services Agreement executed at engagement kickoff and are not subject to these Terms unless a Statement of Work explicitly incorporates them. See /penetration-testing and /trust-package for the scope, methodology, process, and template paperwork for that service.
SOC 2 Readiness is a separate service. CyberGrid also offers a SOC 2 readiness program (the "Readiness Service"), described at /soc2. The Readiness Service is a consulting engagement — CyberGrid configures GRC tooling, deploys policy templates, implements controls, and coordinates with an independent CPA audit firm referred to Customer. CyberGrid is not a licensed CPA firm and does not perform SOC 2 audits, issue SOC 2 reports, or render any opinion on the effectiveness of Customer's controls. The SOC 2 Type I or Type II report itself is issued by the independent CPA firm engaged by Customer under a separate engagement letter; audit fees are paid directly to the CPA firm and are not included in the Readiness Service fee. Readiness Service engagements are governed by a written Statement of Work executed at kickoff and are not subject to these Terms unless a Statement of Work explicitly incorporates them.
Customer may register only targets (domains, hostnames, IP addresses) that Customer owns or has explicit written authorization to test. Target ownership is verified by CyberGrid via DNS TXT record prior to any scan being executed. Customer warrants that:
Violation of this Section 3 is a material breach. CyberGrid reserves the right to suspend or terminate any account that registers unauthorized targets, refuse to issue an attestation, and cooperate with law enforcement in cases of suspected unauthorized scanning.
The Service is offered under the following pricing options, as described on the Pricing page:
Auto-renewal. Continuous Monthly auto-renews monthly until cancelled. Continuous Annual and Automated Annual subscriptions do not auto-renew by default — Customer receives a renewal notice at least thirty (30) days before the end of the term. If Customer does not renew, the subscription ends and no new scans run; prior reports and attestations remain accessible to Customer for the lifetime of the underlying records.
Payment. Billing is processed by Stripe; Customer is subject to Stripe's terms in addition to these Terms. CyberGrid does not see, store, or process payment card information.
Taxes. Fees are exclusive of sales, use, and value-added taxes. Customer is responsible for all applicable taxes other than taxes on CyberGrid's net income.
Refunds. Subscription fees are non-refundable, but Customer may cancel at any time to prevent renewal. Pro-rata refunds are not provided for partially used annual terms.
Customer retains all right, title, and interest in data Customer submits to the Service, including target metadata, scan results, and generated reports ("Customer Data"). CyberGrid is granted a limited, non-exclusive license to process Customer Data solely to provide the Service.
Where CyberGrid processes personal data on behalf of Customer, the Data Processing Addendum applies. EU and UK customers should execute a signed DPA prior to activating the Service.
Retention. CyberGrid retains active-account Customer Data for the duration of the subscription. Upon account closure, Customer Data is deleted within ninety (90) days, except for: (a) data CyberGrid is legally required to retain, and (b) attestation verification records, which remain valid for the lifetime of the issued attestation so third parties relying on the attestation URL continue to receive accurate verification.
Customer agrees not to:
CyberGrid IP. CyberGrid retains all right, title, and interest in the Service, its testing tools, methodology, and any pre-existing intellectual property used to provide the Service.
Deliverables. Upon issuance, Customer owns its reports, findings, and attestations and may use them for any lawful purpose, including providing them to its customers, auditors, and regulators.
Feedback. If Customer provides suggestions or feedback about the Service, Customer grants CyberGrid a perpetual, irrevocable, royalty-free license to use that feedback to improve the Service.
THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE." CYBERGRID DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND ANY WARRANTY THAT THE SERVICE WILL IDENTIFY ALL VULNERABILITIES IN A TARGET. AUTOMATED SECURITY TESTING DETECTS A SUBSET OF POSSIBLE ISSUES; THE ABSENCE OF FINDINGS DOES NOT CONSTITUTE A WARRANTY OF SECURITY. CUSTOMER IS SOLELY RESPONSIBLE FOR THE SECURE OPERATION OF SYSTEMS IT OWNS OR MAINTAINS.
IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, EXEMPLARY, OR PUNITIVE DAMAGES, INCLUDING LOST PROFITS, LOST REVENUE, OR LOSS OF DATA, ARISING OUT OF OR RELATED TO THESE TERMS OR THE SERVICE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
EACH PARTY'S TOTAL CUMULATIVE LIABILITY UNDER THESE TERMS, REGARDLESS OF THE FORM OF ACTION, SHALL NOT EXCEED THE TOTAL FEES PAID OR PAYABLE BY CUSTOMER TO CYBERGRID IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM.
The foregoing limitations do not apply to: (a) Customer's breach of Section 6 (Acceptable use); (b) either party's breach of confidentiality obligations; (c) either party's gross negligence or willful misconduct; or (d) either party's indemnification obligations under Section 10.
By Customer. Customer shall defend, indemnify, and hold harmless CyberGrid from third-party claims arising from Customer's breach of its representations and warranties (including authorization to test targets under Section 3), Customer's gross negligence, or Customer's willful misconduct.
By CyberGrid. CyberGrid shall defend, indemnify, and hold harmless Customer from third-party claims alleging that the Service or Deliverables infringe a U.S. patent, copyright, or trademark, subject to Customer providing prompt notice, sole control of the defense, and reasonable cooperation. This obligation does not apply to claims arising from Customer Data, modifications by Customer, or use of Deliverables in combination with non-CyberGrid materials.
Each party will protect the other party's non-public information with the same care it uses for its own confidential information (and in no event less than reasonable care), and will use such information solely to perform under these Terms. This obligation survives termination for three (3) years; for trade secrets, indefinitely as permitted by law. Findings discovered through the Service are Confidential Information of Customer; CyberGrid will not publicly disclose specific findings without Customer's prior written consent.
Either party may terminate these Terms for any reason upon thirty (30) days' written notice, or immediately upon written notice if the other party materially breaches and fails to cure the breach within thirty (30) days. Upon termination, Customer's access to the Service ends. Reports and attestations issued prior to termination remain accessible to Customer as described in Section 5. Sections 5–11 and 13–16 survive termination.
CyberGrid may update these Terms from time to time. Material changes will be announced via email to account holders at least thirty (30) days before they take effect. Continued use of the Service after the effective date constitutes acceptance.
These Terms are governed by the laws of the State of Delaware, USA, without regard to its conflict-of-laws principles. The parties consent to the exclusive jurisdiction of the state and federal courts located in Delaware for any dispute arising under these Terms.
Independent contractors. The parties are independent contractors. Nothing in these Terms creates an employment, agency, partnership, or joint venture relationship.
Assignment. Neither party may assign these Terms without the other party's prior written consent, except in connection with a merger, acquisition, or sale of substantially all of its assets.
Force majeure. Neither party is liable for delays or failure to perform due to causes beyond its reasonable control.
Entire agreement. These Terms, together with the DPA (where applicable) and any executed order form or written agreement, constitute the entire understanding of the parties with respect to the Service and supersede all prior or contemporaneous communications.
Severability. If any provision of these Terms is held to be invalid or unenforceable, the remaining provisions remain in full force and effect.
Questions about these Terms: legal@thecybergrid.com. For enterprise contracts (MSA, DPA, BAA, SoW): hello@thecybergrid.com or see the Trust package Compliance mapping.