Terms of Service
Effective Date: February 1, 2026 — Last Updated: February 1, 2026
PLEASE READ THESE TERMS OF SERVICE (THESE "TERMS" OR THIS "AGREEMENT") CAREFULLY BEFORE ACCESSING OR USING THE SERVICES PROVIDED BY FINDTHEBREACH. BY ACCESSING OR USING THE PLATFORM AT FINDTHEBREACH.COM, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THESE TERMS. IF YOU ARE ENTERING INTO THESE TERMS ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY TO THESE TERMS, IN WHICH CASE THE TERMS "YOU" OR "YOUR" SHALL REFER TO SUCH ENTITY. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THESE TERMS, YOU MUST NOT ACCEPT THESE TERMS AND MAY NOT USE THE SERVICE.
These Terms constitute a legally binding agreement between you and FindTheBreach, a company headquartered in Bothell, Washington, United States. These Terms govern your access to and use of the FindTheBreach website, platform, application programming interfaces (APIs), and all related services, tools, and features (collectively, the "Service").
1 Acceptance of Terms / Agreement to be Bound
By creating an account, accessing, browsing, or otherwise using the Service, you acknowledge that you have read, understood, and agree to be bound by these Terms and our Privacy Policy, which is incorporated herein by reference. These Terms apply to all visitors, registered users, subscribers, and any other persons who access or use the Service ("Users").
You agree that by clicking "I Agree," "Sign Up," "Start Free Trial," or any similar button or link, or by accessing or using the Service in any manner, you are entering into a legally binding agreement with FindTheBreach and accept all terms and conditions contained and referenced herein.
If you do not agree to all of these Terms, you are expressly prohibited from using the Service and must discontinue use immediately. Your continued use of the Service following the posting of any changes to these Terms shall constitute your acceptance of such revised Terms.
Electronic Agreement. You acknowledge and agree that by clicking "I Agree," "Sign Up," "Start Free Trial," or similar buttons, or by using the Service, you are providing your electronic signature and consent in accordance with the Electronic Signatures in Global and National Commerce Act (ESIGN Act, 15 U.S.C. § 7001 et seq.), the Uniform Electronic Transactions Act (UETA), and applicable state law. You agree that your electronic acceptance has the same legal force and effect as a handwritten signature. You further consent to receive all communications, agreements, disclosures, and notices electronically.
These Terms were last updated on February 1, 2026. We reserve the right, in our sole discretion, to modify, amend, or replace these Terms at any time. It is your responsibility to review these Terms periodically for changes. Material changes will be communicated via email to registered Users or by posting a prominent notice on the Service.
2 Definitions
For purposes of these Terms, the following definitions shall apply:
- "Service" or "Platform" means the FindTheBreach website located at findthebreach.com, including all software, applications, APIs, tools, features, dashboards, reports, and related services provided by FindTheBreach.
- "User" means any individual or entity that accesses, browses, or uses the Service, whether or not they have created an account.
- "Subscriber" means a User who has purchased a paid subscription plan or is utilizing a free trial of the Service.
- "Account" means the unique, password-protected account created by a User to access and use the Service.
- "Content" means all text, data, graphics, images, reports, software, audio, video, and other materials displayed on, generated by, or otherwise made available through the Service.
- "User Content" means any data, information, targets, configurations, or other materials submitted, uploaded, or otherwise provided by a User to or through the Service.
- "Scan Data" means all data generated as a result of a vulnerability scan, penetration test, or security assessment initiated by a User through the Service, including but not limited to scan results, vulnerability findings, risk ratings, remediation recommendations, and associated metadata.
- "Target" means any domain name, IP address, URL, web application, network, server, infrastructure component, or other digital asset submitted by a User for scanning or assessment through the Service.
- "Authorized Representative" means a person or entity who has been granted explicit, documented, written permission by the owner or operator of a Target to conduct security scanning, penetration testing, or vulnerability assessments against such Target.
- "Subscription Plan" means the specific tier of service selected by a Subscriber, as described on the pricing page of the Service, which governs the features, scan limits, and capabilities available to the Subscriber.
- "Third-Party Tools" means any open-source or commercial security tools, libraries, scanners, or software integrated into or utilized by the Service to perform vulnerability scanning and security assessments.
- "Confidential Information" means all non-public information disclosed by one party to the other in connection with the Service, including but not limited to Scan Data, business plans, technical data, product plans, and financial information.
3 Service Description
FindTheBreach is a software-as-a-service (SaaS) penetration testing and vulnerability scanning platform headquartered in Bothell, Washington. The Platform provides automated and configurable security assessment services designed to help organizations identify potential vulnerabilities, misconfigurations, and security weaknesses in their web applications, networks, APIs, cloud infrastructure, and related digital assets.
The Service includes, but is not limited to, the following capabilities:
- Automated vulnerability scanning of domains, IP addresses, subdomains, web applications, and network infrastructure utilizing industry-standard tools such as Nmap, Nikto, OWASP ZAP, Nuclei, SSLyze, WhatWeb, and other integrated scanning engines
- Comprehensive security assessment reports with severity ratings (Critical, High, Medium, Low, Informational), CVSS scoring, CVE references, and actionable remediation guidance
- Continuous monitoring, recurring scheduled scans, and alerting capabilities for ongoing security posture management
- Interactive dashboards and analytics for tracking vulnerability trends, remediation progress, and overall security posture over time
- RESTful API access for programmatic integration with third-party tools, CI/CD pipelines, SIEM platforms, and security workflows
- Exportable reports in multiple formats (PDF, CSV, JSON) suitable for compliance documentation and audit purposes
- Multi-user team management with role-based access controls
The Service is designed to assist with security assessments and is not a substitute for comprehensive manual penetration testing, security audits, or professional cybersecurity consulting. The results generated by the Service are informational in nature and are provided to help Users improve their security posture.
Scan Results and Limitations
You acknowledge and agree that:
- (a) Scan Results are provided on an "AS-IS" basis and represent a point-in-time assessment based on the scanning tools, techniques, and signatures available at the time of the scan. Scan Results do NOT constitute a comprehensive security audit, penetration test report, or certification of security posture.
- (b) FindTheBreach does not guarantee the detection of all vulnerabilities, security weaknesses, misconfigurations, or threats present in any Target system. The absence of reported findings does not indicate that a Target is free from vulnerabilities.
- (c) Scan Results should be used as one component of a broader security program and should not be relied upon as the sole basis for security decisions, compliance certifications, or regulatory filings.
- (d) You shall not represent FindTheBreach scan reports as formal penetration test reports, compliance certifications, or audit attestations unless explicitly authorized in writing by FindTheBreach.
- (e) FindTheBreach expressly disclaims all liability for damages arising from reliance on Scan Results, including but not limited to security breaches, data losses, or regulatory penalties that occur despite or as a result of vulnerability scanning activities.
- (f) Scan results are not a substitute for professional penetration testing, security audits, or independent compliance assessments conducted by qualified professionals.
Beta and Preview Features
FindTheBreach may offer certain features, tools, or capabilities designated as "Beta," "Preview," "Experimental," or similar labels ("Beta Features"). These include but are not limited to AI Security Copilot, Attack Graph Visualization, Executive Risk Center, and any other features explicitly marked as beta or preview in the interface.
- Beta Features are provided "AS-IS" and "AS-AVAILABLE" without any warranty of any kind.
- FindTheBreach may modify, suspend, or discontinue Beta Features at any time without notice or liability.
- Your use of Beta Features is at your own risk, and FindTheBreach shall have no liability for any damages arising from the use of Beta Features.
- Beta Features may collect additional telemetry data to improve functionality; such data collection is disclosed in the Privacy Policy.
- Beta Features are not covered by the Service Level Agreement (SLA) and are excluded from uptime guarantees.
Insurance
FindTheBreach maintains commercially reasonable insurance coverage, including but not limited to: (a) commercial general liability insurance; (b) professional liability / errors and omissions (E&O) insurance; (c) cyber liability and data breach insurance; and (d) technology errors and omissions insurance. Coverage details and certificates of insurance are available to Enterprise customers upon written request to contact@findthebreach.com.
4 Eligibility and Account Registration
Eligibility. The Service is available only to individuals who are at least eighteen (18) years of age and who are capable of forming legally binding contracts under applicable law. By using the Service, you represent and warrant that you meet all eligibility requirements. If you are using the Service on behalf of an organization, you represent and warrant that you are authorized to bind that organization to these Terms.
Account Registration. To access certain features of the Service, you must create an Account. When registering for an Account, you agree to:
- Provide accurate, current, and complete information during the registration process, including your full legal name, valid email address, company name (if applicable), and any other information requested
- Maintain and promptly update your Account information to keep it accurate, current, and complete at all times
- Maintain the security and confidentiality of your login credentials, including your password and any API keys issued to your Account
- Accept sole responsibility for all activities that occur under your Account, whether or not authorized by you
- Notify FindTheBreach immediately at contact@findthebreach.com of any unauthorized use of your Account or any other breach of security
- Not create more than one Account per individual unless expressly authorized by FindTheBreach
- Not share your Account credentials with any third party
FindTheBreach reserves the right to suspend or terminate your Account, refuse any and all current or future use of the Service, or limit your access to the Service, if any information provided during registration or thereafter proves to be inaccurate, false, outdated, or incomplete. FindTheBreach shall not be liable for any loss or damage arising from your failure to comply with the security obligations set forth in this section.
5 Authorized Use Only
CRITICAL: AUTHORIZATION REQUIREMENT
YOU MUST HAVE EXPLICIT, DOCUMENTED, WRITTEN AUTHORIZATION TO SCAN ANY TARGET YOU SUBMIT TO THE SERVICE. UNAUTHORIZED SCANNING IS ILLEGAL AND MAY VIOLATE FEDERAL AND STATE LAWS INCLUDING THE COMPUTER FRAUD AND ABUSE ACT (CFAA), 18 U.S.C. 1030, AND EQUIVALENT STATE STATUTES. FINDTHEBREACH WILL COOPERATE FULLY WITH LAW ENFORCEMENT AUTHORITIES IN THE INVESTIGATION AND PROSECUTION OF ANY UNAUTHORIZED SCANNING ACTIVITIES.
By initiating any scan, assessment, or test through the Service, you expressly represent, warrant, and covenant that:
- You are the legal owner of the Target system, domain, network, or infrastructure being scanned, OR you have obtained explicit, written authorization from the owner or authorized operator of the Target granting you permission to conduct security scanning, penetration testing, and vulnerability assessments against such Target
- You possess a valid, current, and enforceable written authorization document (such as a signed scope-of-work agreement, rules of engagement document, penetration testing authorization letter, or equivalent legal instrument) that covers the specific scope, timing, and nature of the scanning activities you intend to perform
- The scanning activities you initiate will not violate any applicable federal, state, local, or international laws, statutes, regulations, or ordinances, including but not limited to the Computer Fraud and Abuse Act (CFAA), the Electronic Communications Privacy Act (ECPA), the General Data Protection Regulation (GDPR), and any applicable state computer crime laws
- The scanning activities will not violate any third-party agreements, terms of service, acceptable use policies, or contractual obligations to which you or the Target owner are bound
- You have informed all relevant parties, including the Target owner, system administrators, hosting providers, and internet service providers (as applicable) about the planned scanning activities
- You understand that vulnerability scanning and penetration testing may cause service disruptions, performance degradation, system crashes, data corruption, or other adverse effects on the Target systems, and you accept full responsibility for any and all consequences resulting from the scan
- You shall maintain copies of all written authorizations and shall provide such documentation to FindTheBreach promptly upon request
- You shall indemnify and hold harmless FindTheBreach from any and all claims, damages, losses, or liabilities arising from your unauthorized or improper use of the Service
Managed Service Provider (MSP/MSSP) Use. If you use the Service to scan, test, or assess systems belonging to your own clients (“End Customers”), you represent and warrant that: (a) you have obtained explicit, written authorization from each End Customer to conduct security scanning on their systems; (b) you maintain a current, documented agreement with each End Customer that authorizes such testing; (c) you shall be solely responsible for ensuring all End Customer systems comply with the authorization requirements set forth in these Terms; and (d) you acknowledge that End Customers do not have direct access to or a direct relationship with FindTheBreach, and you remain fully responsible for all scanning activities conducted on their behalf.
Verification of Target Ownership. FindTheBreach may, at its discretion, require technical verification of Target ownership or authorization before permitting scanning activities. Verification methods may include but are not limited to: (a) DNS TXT record verification; (b) file-based verification via a unique token placed at a specified URL path; (c) meta tag verification; or (d) email-based domain ownership confirmation. You agree to complete any requested verification steps promptly. Failure to complete verification may result in the suspension or restriction of scanning capabilities for the unverified Target.
FindTheBreach reserves the right to:
- Request and verify proof of authorization before or after any scan is initiated
- Immediately suspend or terminate any scan that appears to target unauthorized systems
- Immediately suspend or terminate the Account of any User suspected of unauthorized scanning
- Report suspected unauthorized scanning activities to appropriate law enforcement authorities, including the Federal Bureau of Investigation (FBI), without prior notice to the User
- Cooperate fully with law enforcement investigations and legal proceedings related to unauthorized scanning
- Retain and preserve Scan Data and Account information as required by law enforcement or applicable legal process
You acknowledge that unauthorized access to computer systems is a federal crime under 18 U.S.C. 1030 (Computer Fraud and Abuse Act) and may also violate applicable state laws in the State of Washington (RCW 9A.90) and other jurisdictions. Violations may result in severe civil and criminal penalties, including fines and imprisonment.
6 Prohibited Conduct
You agree that you shall not, and shall not permit any third party to, use the Service to:
- Scan, test, probe, or assess any Target for which you do not have explicit written authorization from the Target owner
- Conduct denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks against any system, network, or infrastructure
- Attempt to gain unauthorized access to any computer system, network, account, or data
- Exploit any vulnerability discovered through the Service to gain unauthorized access, exfiltrate data, or cause harm to any system or its users
- Use the Service to distribute malware, ransomware, viruses, worms, Trojans, or any other malicious software or code
- Use the Service for any purpose that violates any applicable federal, state, local, or international law, regulation, or ordinance
- Use the Service to facilitate or support any criminal activity, including but not limited to hacking, fraud, identity theft, or cyber extortion
- Resell, sublicense, redistribute, or provide access to the Service to any third party without the prior written consent of FindTheBreach
- Reverse engineer, decompile, disassemble, or otherwise attempt to derive the source code, algorithms, or architecture of the Service or any component thereof
- Interfere with, disrupt, or create an undue burden on the Service, its servers, or the networks connected to the Service
- Circumvent, disable, or otherwise interfere with any security-related features of the Service, including features that prevent or restrict use or copying of any Content
- Use any automated means, including bots, scrapers, crawlers, or spiders, to access the Service except through the officially provided API
- Impersonate any person or entity, or falsely state or otherwise misrepresent your affiliation with a person or entity
- Harvest, collect, or store personal information of other Users without their express consent
- Use the Service to send unsolicited communications, spam, or phishing messages
- Attempt to circumvent scan limits, rate limits, or other restrictions imposed by your Subscription Plan
- Use the Service to scan or assess critical infrastructure, government systems, healthcare systems, or financial systems without proper authorization and applicable regulatory compliance
- Share, publish, or disclose vulnerability findings in a manner that could enable malicious exploitation by third parties
- Use Scan Data or vulnerability findings to extort, blackmail, or coerce any person or entity
FindTheBreach reserves the right to investigate and take appropriate legal action against anyone who, in FindTheBreach's sole discretion, violates this provision, including without limitation removing offensive content, suspending or terminating the Account of such violators, and reporting such activity to applicable law enforcement authorities.
7 Subscription Plans, Pricing, and Payment Terms
Subscription Plans. The Service is offered through various Subscription Plans, each with different features, capabilities, scan limits, and pricing. The specific terms of each Subscription Plan are described on the pricing page of the Service at findthebreach.com/pricing. FindTheBreach reserves the right to modify, add, or discontinue any Subscription Plan at any time.
Fees and Payment. By selecting a paid Subscription Plan, you agree to pay all applicable fees as described on the pricing page at the time of purchase. You agree to:
- Provide valid and current payment information, including credit card or other accepted payment method details
- Authorize FindTheBreach (or its third-party payment processor) to charge your designated payment method for all fees associated with your Subscription Plan on a recurring basis (monthly or annually, as applicable)
- Pay all applicable taxes, duties, and levies imposed by any governmental authority in connection with your use of the Service, excluding taxes based on FindTheBreach's net income
Automatic Renewal. All paid Subscription Plans shall automatically renew for successive periods of the same duration as the initial subscription term unless you cancel your subscription before the renewal date. You may cancel auto-renewal through your Account settings or by contacting us at contact@findthebreach.com at least five (5) business days before the renewal date.
Price Changes. FindTheBreach reserves the right to change pricing for any Subscription Plan at any time. For existing Subscribers, price changes shall take effect at the beginning of the next renewal period. FindTheBreach shall provide at least thirty (30) days' prior written notice of any price increase via email to the address associated with your Account.
Refunds. All fees are non-refundable except as expressly set forth herein or as required by applicable law. If FindTheBreach materially breaches these Terms and fails to cure such breach within thirty (30) days of written notice, you may be entitled to a pro-rata refund for the unused portion of your current subscription term.
Late Payment. Any amounts not paid when due shall bear interest at the lesser of one and one-half percent (1.5%) per month or the maximum rate permitted by applicable law. FindTheBreach reserves the right to suspend or terminate your access to the Service for any past-due amounts after providing five (5) business days' written notice of non-payment.
Downgrades. If you downgrade your Subscription Plan, the downgrade shall take effect at the beginning of the next billing cycle. You acknowledge that downgrading may result in the loss of access to certain features, data, or capabilities. FindTheBreach shall not be liable for any loss of Content or functionality resulting from a downgrade.
8 Free Trial Terms
FindTheBreach may, at its sole discretion, offer a free trial of the Service for a limited period. The following terms apply to free trials:
- Free trial eligibility is limited to new Users who have not previously held a FindTheBreach Account or utilized a free trial
- Free trials are limited to one (1) per individual, organization, household, or payment method
- FindTheBreach reserves the right to determine free trial eligibility in its sole discretion and may revoke a free trial at any time if abuse or duplicate accounts are detected
- Free trial features and scan limits may differ from paid Subscription Plans
- Unless you cancel before the end of the free trial period, your Account will automatically convert to a paid subscription at the applicable rate, and your designated payment method will be charged
- All provisions of these Terms, including the Authorized Use requirements, Prohibited Conduct, and Limitation of Liability, apply in full during the free trial period
- Scan Data generated during a free trial may be retained or deleted in accordance with our data retention policies upon trial expiration
9 Intellectual Property Rights
FindTheBreach Intellectual Property. The Service, including all Content, features, functionality, design, layout, user interface, software code, algorithms, scanning methodologies, documentation, and related materials, are and shall remain the exclusive property of FindTheBreach and its licensors. The Service is protected by copyright, trademark, patent, trade secret, and other intellectual property laws of the United States and international jurisdictions.
The FindTheBreach name, logo, and all related names, logos, product and service names, designs, and slogans are trademarks of FindTheBreach or its affiliates. You shall not use such marks without the prior written permission of FindTheBreach. All other names, logos, product and service names, designs, and slogans on the Service are the trademarks of their respective owners.
Limited License. Subject to your compliance with these Terms, FindTheBreach grants you a limited, non-exclusive, non-transferable, non-sublicensable, revocable license to access and use the Service solely for your internal business purposes during the term of your Subscription Plan. This license does not include the right to: (a) modify, copy, or create derivative works based on the Service; (b) sublicense, sell, resell, transfer, assign, distribute, or otherwise commercially exploit or make available to any third party the Service; (c) reverse engineer or access the Service in order to build a competitive product or service; or (d) copy any features, functions, or graphics of the Service.
Feedback. If you provide FindTheBreach with any feedback, suggestions, ideas, or recommendations regarding the Service ("Feedback"), you hereby assign to FindTheBreach all right, title, and interest in and to such Feedback. FindTheBreach shall be free to use, reproduce, disclose, and otherwise exploit such Feedback without restriction or obligation to you.
10 User Content and Data
Ownership. You retain all right, title, and interest in and to your User Content. FindTheBreach does not claim any ownership rights in your User Content.
License Grant. By submitting User Content to the Service, you grant FindTheBreach a limited, non-exclusive, worldwide, royalty-free license to use, process, store, transmit, and display your User Content solely to the extent necessary to provide the Service to you. This license terminates when you delete your User Content from the Service or when your Account is terminated, except as required for backup, archival, or legal compliance purposes.
Representations. You represent and warrant that: (a) you own or have the necessary rights, licenses, consents, and permissions to submit your User Content to the Service and to grant the license described above; (b) your User Content does not violate the intellectual property rights, privacy rights, publicity rights, or other legal rights of any third party; and (c) your User Content complies with all applicable laws and regulations.
Responsibility. You are solely responsible for your User Content and the consequences of submitting it through the Service. FindTheBreach does not endorse, verify, or assume any responsibility for User Content.
11 Scan Data Ownership and Handling
Ownership of Scan Data. You retain ownership of all Scan Data generated through your use of the Service. FindTheBreach acknowledges that Scan Data may contain sensitive security information about your systems and infrastructure and treats all Scan Data as Confidential Information.
Handling and Storage. FindTheBreach shall handle Scan Data in accordance with the following safeguards:
- Scan Data is encrypted at rest using AES-256 encryption and in transit using TLS 1.2 or higher
- Scan Data is logically segregated and associated exclusively with the Account that initiated the scan
- Access to Scan Data is restricted to authorized personnel on a need-to-know basis, subject to role-based access controls and the principle of least privilege
- FindTheBreach shall not sell, share, or disclose your Scan Data to any third party except as required by law, legal process, or with your explicit written consent
- Scan Data shall be retained in accordance with the retention periods specified in our Privacy Policy and your Subscription Plan
Aggregated Data. FindTheBreach may use aggregated, de-identified, and anonymized data derived from Scan Data (with all personally identifiable information, target-specific details, IP addresses, domain names, and other identifying information removed) for the purposes of improving the Service, developing new features, conducting research, generating industry benchmarks, and producing statistical analyses. Such aggregated data shall not be attributable to any specific User or Target.
No Re-identification. FindTheBreach makes a binding commitment not to attempt to re-identify de-identified data or combine it with other data sources in a manner that could identify individual Users, Targets, or Accounts. Any benchmarking reports, threat intelligence summaries, or statistical publications derived from aggregated data will contain no fewer than five (5) contributing data sources per reported metric to prevent inference attacks.
Data Deletion. You may request deletion of your Scan Data at any time by contacting contact@findthebreach.com or through the Account settings. FindTheBreach shall process such requests within thirty (30) days, subject to any legal or regulatory retention requirements.
Data Residency. Customer scan data and reports are stored in data centers located in Frankfurt, Germany and Falkenstein, Germany (European Union). Enterprise customers may request data residency in a specific geographic region subject to availability. FindTheBreach will not transfer scan data outside the designated region without Customer's prior written consent, except as required by applicable law (in which case FindTheBreach will provide advance notice where legally permitted). Data residency preferences can be configured in Account Settings or by contacting support@findthebreach.com.
12 Data Portability and Switching
In compliance with the EU Data Act (Regulation 2023/2854) and GDPR Article 20, FindTheBreach commits to the following data portability provisions:
- Self-Service Export: You may export your data at any time via Account Settings or the API (GET /api/auth/export-data) in structured, commonly used, machine-readable formats including JSON, CSV, and SARIF 2.1.0
- Post-Termination Access: Upon termination or expiration of your Subscription, you will have a minimum of thirty (30) days to export all Scan Data, vulnerability reports, and Account data before permanent deletion
- No Lock-In: FindTheBreach shall not impose contractual, technical, or commercial barriers that impede or discourage you from switching to an alternative service provider
- Switching Assistance: FindTheBreach will provide reasonable assistance with data migration, including standard-format exports, at no additional charge. Custom migration support may be available under Enterprise plans
- Interoperability: Scan results are available in industry-standard formats (SARIF 2.1.0, CSV, JSON) compatible with common vulnerability management platforms
13 Artificial Intelligence and Automated Analysis
The Service utilizes artificial intelligence (“AI”), machine learning (“ML”), and automated analysis technologies to enhance vulnerability detection, provide security recommendations, and power features including the AI Security Copilot. By using the Service, you acknowledge and agree that:
- Probabilistic Results: AI/ML-generated findings are probabilistic in nature and may contain false positives or false negatives. Results should be verified by qualified security professionals before taking remediation action.
- No Guarantee of Detection: AI-powered scanning does not guarantee detection of all vulnerabilities. The absence of findings does not indicate the absence of security issues.
- Human Oversight: Critical security decisions should not be based solely on automated AI outputs. We recommend human review of all AI-generated recommendations.
- Data Usage: Customer scan data and vulnerability findings are NOT used to train FindTheBreach’s AI/ML models. AI features operate on pre-trained models and real-time analysis only.
- AI Feature Availability: AI-powered features may be modified, updated, or discontinued as the underlying technology evolves. Such changes do not constitute a material change to the core scanning Service.
- US State AI Compliance: FindTheBreach monitors and complies with applicable US state laws governing artificial intelligence and automated decision-making, including but not limited to the Colorado AI Act (SB 21-169, effective February 2026), which requires transparency disclosures for AI systems that make consequential decisions. FindTheBreach’s AI features are designed to assist and augment human security professionals, not to make autonomous consequential decisions. Users retain full control over remediation actions and security decisions informed by AI outputs.
14 EU Regulatory Compliance
FindTheBreach is committed to supporting customers’ compliance with evolving EU cybersecurity regulations:
- NIS2 Directive (2022/2555): Our scanning and reporting capabilities support NIS2 risk management and incident reporting requirements. Customers classified as “essential” or “important” entities may use FindTheBreach scan reports as part of their NIS2 cybersecurity risk assessments.
FindTheBreach’s scanning capabilities align with the security testing requirements specified in Commission Implementing Regulation (EU) 2024/2690 and ENISA’s 2025 Technical Implementation Guidance on cybersecurity risk management measures, which map penetration testing and vulnerability assessment as recommended practices for NIS2-regulated entities including managed service providers and digital infrastructure operators.
- DORA (Regulation 2022/2554): For financial sector customers, FindTheBreach supports Digital Operational Resilience Act requirements including continuous vulnerability assessment and third-party ICT risk management.
- EU AI Act (Regulation 2024/1689): FindTheBreach’s AI-powered features comply with transparency requirements for AI systems. Our platform does not constitute a “high-risk” AI system under the Act, as security scanning tools are used in an advisory capacity with human oversight.
- Cyber Resilience Act: As a SaaS platform, FindTheBreach monitors developments under the CRA and ensures our software development practices align with emerging product security requirements.
- Supply Chain Security: FindTheBreach maintains a Software Bill of Materials (SBOM) for its platform in compliance with emerging CRA requirements (Art. 13(5)). Our software supply chain practices include: (a) dependency vulnerability scanning in CI/CD pipelines; (b) signed software artifacts and verified provenance; (c) automated dependency update monitoring; and (d) third-party component risk assessment. Customers may request the current SBOM in CycloneDX or SPDX format by contacting security@findthebreach.com. Our open-source component inventory is publicly available at /open-source-licenses.
- EU Cyber Solidarity Act (Regulation 2025/38): FindTheBreach acknowledges the EU Cybersecurity Reserve and the new certification framework for Managed Security Service providers established under the Cyber Solidarity Act, which entered into force in February 2025. While self-hosted deployments of FindTheBreach are not directly in scope, we align our incident response capabilities with the Act’s emphasis on coordinated cyber crisis management and cross-border detection infrastructure.
- EU Cybersecurity Act 2 (CSA2 — proposed January 2026): FindTheBreach acknowledges the proposed revision to Regulation (EU) 2019/881 (the Cybersecurity Act), which introduces an expanded European cybersecurity certification framework covering managed security services, including penetration testing and vulnerability assessment. FindTheBreach is monitoring the legislative process and will align its service delivery with applicable EU certification schemes for managed security services as they are adopted by ENISA and the European Commission. Customers requiring certified penetration testing services under future EU schemes will be notified of our certification status.
In January 2026, the European Commission proposed amendments to NIS2 to harmonize cross-border implementation and reduce regulatory fragmentation. FindTheBreach monitors these developments and will update its compliance posture as member states transpose the amended requirements (expected by early 2027).
15 Open Source Software
The Service integrates and utilizes various open-source security tools and libraries. These tools are subject to their own respective open-source license terms, which may include the GNU General Public License (GPL), Apache License, MIT License, and others. A list of integrated open-source components and their respective licenses is available at /open-source-licenses.
Nothing in these Terms is intended to limit your rights under, or grant you rights that supersede, the terms of any applicable open-source license. If there is a conflict between these Terms and the terms of an applicable open-source license with respect to your use of the applicable open-source software, the open-source license terms shall prevail for that software.
16 Third-Party Services and Tools
The Service integrates with and utilizes various Third-Party Tools and services to provide its scanning and assessment capabilities. These may include, but are not limited to, open-source security tools such as Nmap, Nikto, OWASP ZAP, Nuclei, SSLyze, WhatWeb, Subfinder, Amass, and other vulnerability scanners and reconnaissance tools.
You acknowledge and agree that:
- Third-Party Tools are subject to their own respective licenses, terms of use, and limitations, and FindTheBreach makes no warranties regarding the accuracy, completeness, or reliability of results generated by such tools
- FindTheBreach may add, remove, modify, or replace Third-Party Tools integrated into the Service at any time without prior notice
- The Service may contain links to or integrations with third-party websites, services, or platforms. FindTheBreach does not control and is not responsible for the content, privacy practices, or security of such third-party services
- Your use of any third-party service is governed by such third party's terms of service and privacy policy
- FindTheBreach shall not be liable for any loss, damage, or harm resulting from your use of or reliance on any third-party service or the results generated by any Third-Party Tool
17 API Terms of Use
FindTheBreach provides a RESTful Application Programming Interface (API) that enables Subscribers to programmatically interact with the Service. Your use of the API is subject to the following additional terms:
- API Keys. Access to the API requires authentication via API keys issued to your Account. You are responsible for maintaining the confidentiality and security of your API keys. Any activity conducted using your API keys shall be attributed to your Account.
- Rate Limits. API usage is subject to rate limits as specified in the API documentation and your Subscription Plan. FindTheBreach reserves the right to throttle, limit, or block API requests that exceed applicable rate limits or that negatively impact the performance or availability of the Service.
- Permitted Use. The API may be used only for lawful purposes and in accordance with these Terms, the API documentation, and your Subscription Plan. You shall not use the API to build a competing product or service.
- No Warranty. The API is provided "as is" and FindTheBreach makes no warranties regarding the availability, performance, or compatibility of the API. FindTheBreach reserves the right to modify, deprecate, or discontinue any API endpoint at any time, with reasonable notice when practicable.
- Compliance. All scans initiated through the API are subject to the same Authorized Use requirements and Prohibited Conduct restrictions as scans initiated through the web interface.
18 Disclaimer of Warranties
THE SERVICE, INCLUDING ALL CONTENT, SOFTWARE, FUNCTIONS, MATERIALS, SCAN RESULTS, VULNERABILITY FINDINGS, REMEDIATION RECOMMENDATIONS, AND INFORMATION MADE AVAILABLE ON OR ACCESSED THROUGH THE SERVICE, IS PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS WITHOUT ANY WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE.
TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, FINDTHEBREACH AND ITS OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, SUBSIDIARIES, AFFILIATES, LICENSORS, AND SERVICE PROVIDERS EXPRESSLY DISCLAIM ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO: (A) IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT; (B) WARRANTIES ARISING FROM COURSE OF DEALING, COURSE OF PERFORMANCE, OR USAGE OF TRADE; (C) WARRANTIES THAT THE SERVICE WILL BE UNINTERRUPTED, TIMELY, SECURE, ERROR-FREE, OR FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS; AND (D) WARRANTIES REGARDING THE ACCURACY, COMPLETENESS, RELIABILITY, OR AVAILABILITY OF ANY CONTENT OR INFORMATION PROVIDED THROUGH THE SERVICE.
WITHOUT LIMITING THE FOREGOING, FINDTHEBREACH DOES NOT WARRANT OR GUARANTEE THAT:
- THE SERVICE WILL DETECT ALL VULNERABILITIES, SECURITY FLAWS, MISCONFIGURATIONS, OR WEAKNESSES PRESENT IN ANY TARGET SYSTEM
- THE SCAN RESULTS WILL BE ACCURATE, COMPLETE, CURRENT, OR FREE OF FALSE POSITIVES OR FALSE NEGATIVES
- THE REMEDIATION RECOMMENDATIONS PROVIDED BY THE SERVICE WILL BE SUFFICIENT TO FULLY REMEDIATE ANY IDENTIFIED VULNERABILITY
- THE ABSENCE OF REPORTED VULNERABILITIES CONSTITUTES A GUARANTEE THAT A TARGET SYSTEM IS SECURE
- THE SERVICE WILL MEET YOUR SPECIFIC REQUIREMENTS OR EXPECTATIONS
- THE SERVICE WILL BE COMPATIBLE WITH ANY SPECIFIC HARDWARE, SOFTWARE, OR NETWORK CONFIGURATION
- ANY ERRORS OR DEFECTS IN THE SERVICE WILL BE CORRECTED
THE SERVICE IS NOT A SUBSTITUTE FOR PROFESSIONAL CYBERSECURITY CONSULTING, MANUAL PENETRATION TESTING, SECURITY AUDITS, OR COMPLIANCE ASSESSMENTS. YOU ACKNOWLEDGE THAT THE USE OF THE SERVICE IS AT YOUR SOLE RISK AND THAT YOU ARE SOLELY RESPONSIBLE FOR ANY DECISIONS MADE BASED ON THE RESULTS PROVIDED BY THE SERVICE. FINDTHEBREACH STRONGLY RECOMMENDS THAT USERS ENGAGE QUALIFIED SECURITY PROFESSIONALS FOR COMPREHENSIVE SECURITY ASSESSMENTS.
SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF CERTAIN WARRANTIES, SO SOME OF THE ABOVE EXCLUSIONS MAY NOT APPLY TO YOU. IN SUCH CASES, THE WARRANTIES ARE LIMITED TO THE MINIMUM EXTENT PERMITTED BY APPLICABLE LAW.
19 Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL FINDTHEBREACH, ITS OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, SUBSIDIARIES, AFFILIATES, LICENSORS, OR SERVICE PROVIDERS BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, INCLUDING WITHOUT LIMITATION:
- LOSS OF PROFITS, REVENUE, BUSINESS, OR ANTICIPATED SAVINGS
- LOSS OF DATA, USE, GOODWILL, OR OTHER INTANGIBLE LOSSES
- BUSINESS INTERRUPTION OR DOWNTIME
- COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES
- DAMAGES RESULTING FROM ANY SECURITY BREACH, CYBERATTACK, OR VULNERABILITY THAT THE SERVICE FAILED TO DETECT
- DAMAGES RESULTING FROM UNAUTHORIZED ACCESS TO OR ALTERATION OF YOUR TRANSMISSIONS, DATA, OR CONTENT
- DAMAGES RESULTING FROM YOUR USE OF OR INABILITY TO USE THE SERVICE
- DAMAGES RESULTING FROM ANY CONDUCT OR CONTENT OF ANY THIRD PARTY ON THE SERVICE
- DAMAGES RESULTING FROM ANY DISRUPTION, DEGRADATION, OR ADVERSE EFFECT CAUSED TO A TARGET SYSTEM BY A SCAN INITIATED THROUGH THE SERVICE
WHETHER BASED ON WARRANTY, CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR ANY OTHER LEGAL THEORY, AND WHETHER OR NOT FINDTHEBREACH HAS BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGE, EVEN IF A LIMITED REMEDY SET FORTH HEREIN IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE AGGREGATE LIABILITY OF FINDTHEBREACH AND ITS OFFICERS, DIRECTORS, EMPLOYEES, AND AGENTS ARISING OUT OF OR IN CONNECTION WITH THESE TERMS OR YOUR USE OF THE SERVICE SHALL NOT EXCEED THE GREATER OF: (A) THE TOTAL AMOUNT PAID BY YOU TO FINDTHEBREACH DURING THE TWELVE (12) MONTH PERIOD IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM; OR (B) ONE HUNDRED UNITED STATES DOLLARS (USD $100.00).
THE LIMITATIONS SET FORTH IN THIS SECTION SHALL APPLY REGARDLESS OF THE FORM OF ACTION, WHETHER THE CLAIM IS BASED ON CONTRACT, TORT, NEGLIGENCE, STRICT LIABILITY, OR ANY OTHER LEGAL OR EQUITABLE THEORY, AND SHALL SURVIVE ANY TERMINATION OR EXPIRATION OF THESE TERMS.
SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU. IN SUCH JURISDICTIONS, THE LIABILITY OF FINDTHEBREACH SHALL BE LIMITED TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW.
20 Indemnification
You agree to defend, indemnify, and hold harmless FindTheBreach and its officers, directors, employees, contractors, agents, licensors, suppliers, successors, and assigns (collectively, the "Indemnified Parties") from and against any and all claims, demands, actions, suits, proceedings, damages, obligations, losses, liabilities, costs, and expenses (including but not limited to reasonable attorneys' fees, expert witness fees, and court costs) arising out of or in connection with:
- Your access to, use of, or misuse of the Service
- Your violation of any term or provision of these Terms
- Your violation of any applicable law, statute, regulation, or ordinance
- Your violation of any third-party right, including without limitation any intellectual property right, property right, privacy right, or publicity right
- Any claim that your use of the Service caused damage, harm, or loss to any third party, including damage to any Target system
- Unauthorized scanning, testing, or assessment of any system, network, or infrastructure for which you did not have proper written authorization
- Any User Content submitted by you through the Service
- Any breach of your representations, warranties, or obligations under these Terms
- Your failure to comply with applicable export control laws, sanctions, or data protection regulations
FindTheBreach reserves the right, at its own expense, to assume the exclusive defense and control of any matter otherwise subject to indemnification by you, in which event you shall cooperate with FindTheBreach in asserting any available defenses. You shall not settle any claim without the prior written consent of FindTheBreach. This indemnification obligation shall survive the termination or expiration of these Terms.
21 DMCA / Copyright Infringement
FindTheBreach respects the intellectual property rights of others and expects Users to do the same. In accordance with the Digital Millennium Copyright Act of 1998 ("DMCA"), 17 U.S.C. 512, FindTheBreach will respond expeditiously to claims of copyright infringement committed using the Service.
If you believe that your copyrighted work has been copied in a way that constitutes copyright infringement and is accessible through the Service, please notify our designated copyright agent with the following information:
- A physical or electronic signature of the copyright owner or a person authorized to act on their behalf
- Identification of the copyrighted work claimed to have been infringed
- Identification of the material that is claimed to be infringing and information reasonably sufficient to permit FindTheBreach to locate the material
- Your contact information, including address, telephone number, and email address
- A statement that you have a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law
- A statement, made under penalty of perjury, that the above information is accurate and that you are the copyright owner or authorized to act on the copyright owner's behalf
DMCA notices should be sent to: contact@findthebreach.com with the subject line "DMCA Notice."
22 Export Controls and Sanctions
The Service and related technology may be subject to export control and sanctions laws and regulations of the United States and other applicable jurisdictions, including but not limited to the Export Administration Regulations (EAR) administered by the U.S. Department of Commerce, Bureau of Industry and Security, and sanctions programs administered by the U.S. Department of Treasury, Office of Foreign Assets Control (OFAC).
You represent and warrant that:
- You are not located in, under the control of, or a national or resident of any country or territory that is subject to comprehensive U.S. economic sanctions (including, without limitation, Cuba, Iran, North Korea, Syria, and the Crimea, Donetsk, and Luhansk regions of Ukraine)
- You are not listed on any U.S. government list of prohibited or restricted parties, including the Specially Designated Nationals and Blocked Persons List (SDN List), the Entity List, or the Denied Persons List
- You shall not access, use, export, re-export, or transfer the Service in violation of any applicable export control or sanctions laws or regulations
- You shall not use the Service for any purpose prohibited by applicable export control laws, including the development, production, or proliferation of weapons of mass destruction
FindTheBreach reserves the right to restrict or terminate access to the Service from any jurisdiction as required to comply with applicable export control and sanctions laws.
23 Governing Law
These Terms and any dispute or claim arising out of or in connection with them or their subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of the State of Washington, United States, without regard to its conflict of law provisions.
To the extent that any lawsuit or court proceeding is permitted hereunder, you and FindTheBreach agree to submit to the exclusive personal jurisdiction of the state and federal courts located in King County, Washington, for the purpose of litigating all such disputes. You hereby waive any objection to the exercise of jurisdiction over you by such courts and to the venue of such courts.
The United Nations Convention on Contracts for the International Sale of Goods shall not apply to these Terms.
Jurisdictional Variations. Notwithstanding the foregoing choice of law:
- (a) EU/EEA Consumers: If you are a consumer in the European Union or European Economic Area, nothing in these Terms shall deprive you of the protection afforded by mandatory provisions of the law of your country of habitual residence under Regulation (EC) No 593/2008 (Rome I), including but not limited to consumer protection provisions of Directive 93/13/EEC on unfair contract terms. EU consumers may bring proceedings in the courts of their country of habitual residence.
- (b) United Kingdom: If you are located in the United Kingdom, disputes may be subject to the exclusive jurisdiction of the courts of England and Wales, to the extent required by applicable UK consumer protection law including the Consumer Rights Act 2015.
- (c) Data Protection: Mandatory local data protection laws (including GDPR, UK GDPR, and applicable national implementations) shall apply regardless of the governing law of this Agreement.
24 Dispute Resolution and Arbitration
Informal Resolution. Before filing any formal legal action, you agree to first contact FindTheBreach at contact@findthebreach.com and attempt to resolve the dispute informally. The parties shall make a good faith effort to resolve any dispute within sixty (60) days of the initial notice.
Binding Arbitration. If the parties are unable to resolve a dispute informally, any dispute, controversy, or claim arising out of or relating to these Terms, or the breach, termination, enforcement, interpretation, or validity thereof, including the determination of the scope or applicability of these Terms to arbitrate, shall be determined by binding arbitration administered by the American Arbitration Association ("AAA") in accordance with its Commercial Arbitration Rules and Mediation Procedures then in effect. The arbitration shall be conducted by a single arbitrator. The place of arbitration shall be King County, Washington. The language of the arbitration shall be English.
Arbitration Procedures. The arbitrator shall have the authority to grant any remedy or relief that a court of competent jurisdiction could order, including injunctive or other equitable relief and specific performance. The arbitrator's award shall be final and binding and may be entered as a judgment in any court of competent jurisdiction. The costs of arbitration, including administrative fees, arbitrator compensation, and other expenses, shall be shared equally by the parties, provided that each party shall bear its own attorneys' fees unless the arbitrator determines that a party's claims or defenses were frivolous, in which case the arbitrator may award reasonable attorneys' fees to the prevailing party.
Exceptions. Notwithstanding the foregoing, either party may seek injunctive or other equitable relief in any court of competent jurisdiction to prevent the actual or threatened infringement, misappropriation, or violation of a party's copyrights, trademarks, trade secrets, patents, or other intellectual property rights. Additionally, claims for amounts less than ten thousand United States dollars ($10,000.00) may be brought in small claims court in King County, Washington.
25 Class Action Waiver
YOU AND FINDTHEBREACH AGREE THAT EACH PARTY MAY BRING CLAIMS AGAINST THE OTHER ONLY IN YOUR OR ITS INDIVIDUAL CAPACITY, AND NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY PURPORTED CLASS, CONSOLIDATED, OR REPRESENTATIVE ACTION OR PROCEEDING. UNLESS BOTH YOU AND FINDTHEBREACH AGREE OTHERWISE IN WRITING, THE ARBITRATOR MAY NOT CONSOLIDATE OR JOIN MORE THAN ONE PERSON'S OR PARTY'S CLAIMS AND MAY NOT OTHERWISE PRESIDE OVER ANY FORM OF A CONSOLIDATED, REPRESENTATIVE, OR CLASS PROCEEDING.
THE ARBITRATOR MAY AWARD RELIEF (INCLUDING MONETARY, INJUNCTIVE, AND DECLARATORY RELIEF) ONLY IN FAVOR OF THE INDIVIDUAL PARTY SEEKING RELIEF AND ONLY TO THE EXTENT NECESSARY TO PROVIDE RELIEF WARRANTED BY THAT PARTY'S INDIVIDUAL CLAIM(S). ANY RELIEF AWARDED CANNOT AFFECT OTHER USERS.
If this class action waiver is found to be unenforceable, then the entirety of the arbitration provision set forth in Section 20 (other than this waiver) shall be null and void, and the dispute shall be adjudicated in the state or federal courts located in King County, Washington.
26 Termination and Suspension
Termination by FindTheBreach. FindTheBreach may, in its sole discretion, suspend or terminate your Account and access to the Service, in whole or in part, at any time and for any reason, including without limitation if FindTheBreach reasonably believes that: (a) you have violated any provision of these Terms; (b) you have engaged in unauthorized scanning or other prohibited conduct; (c) your use of the Service poses a security risk to FindTheBreach or any third party; (d) your use of the Service may subject FindTheBreach to liability; (e) your Account has been inactive for an extended period; or (f) FindTheBreach is required to do so by law or legal process.
Notice and Cure Period. For any termination based on a breach of these Terms that is reasonably capable of being cured (excluding Sections 5, 6, and 22 relating to unauthorized scanning, prohibited conduct, and export controls, which may result in immediate termination), FindTheBreach shall provide written notice specifying the nature of the breach and a cure period of thirty (30) days. If the breach is cured within such period, the termination notice shall be deemed withdrawn. This cure right may be exercised no more than twice in any twelve (12) month period.
Termination by You. You may terminate your Account at any time by: (a) using the account cancellation feature in your Account settings; or (b) contacting FindTheBreach at contact@findthebreach.com. Termination of your Account shall take effect at the end of the current billing period. You shall remain responsible for all fees incurred through the date of termination.
Effect of Termination. Upon termination of your Account:
- Your right to access and use the Service shall immediately cease
- Any licenses granted to you under these Terms shall immediately terminate
- FindTheBreach may delete your Account data, including Scan Data, in accordance with our data retention policies and the Privacy Policy
- All outstanding fees and amounts owed shall remain due and payable
- FindTheBreach shall not be liable to you or any third party for any termination of your access to the Service
Survival. The following sections shall survive termination or expiration of these Terms: Definitions, Intellectual Property Rights, User Content and Data, Scan Data Ownership and Handling, Disclaimer of Warranties, Limitation of Liability, Indemnification, Governing Law, Dispute Resolution and Arbitration, Class Action Waiver, Confidentiality, and any other provisions that by their nature should survive termination.
✦ Service Cessation
In the unlikely event that FindTheBreach decides to permanently cease providing the Service:
- (a) Advance Notice: FindTheBreach will provide a minimum of ninety (90) days' advance written notice to all active Subscribers via email and prominent notice on the Service.
- (b) Continued Access: During the notice period, all Users will retain full access to their data, scan reports, and export functionality.
- (c) Data Migration Assistance: FindTheBreach will provide reasonable assistance with data migration, including bulk export of all Customer data in standard formats (JSON, CSV, SARIF 2.1.0).
- (d) Pro-Rata Refunds: Pro-rata refunds will be issued for any prepaid subscription period extending beyond the cessation date.
- (e) Secure Data Destruction: All Customer data will be securely destroyed in accordance with the Data Processing Agreement within thirty (30) days following the cessation date, and certificates of destruction will be provided to Enterprise customers upon request.
- (f) Regulatory Compliance: FindTheBreach will comply with all applicable data protection laws regarding data deletion and notification during the wind-down period.
✦ Confidentiality
(a) Duty of Care. Each party agrees to protect the other party's Confidential Information using at least the same degree of care it uses to protect its own Confidential Information, but no less than reasonable care.
(b) Non-Disclosure. Neither party shall disclose the other party's Confidential Information to any third party except: (i) to employees, contractors, or agents who need to know such information and who are bound by obligations of confidentiality no less restrictive than these Terms; (ii) as required by law, regulation, or court order, provided the receiving party gives prompt notice to the disclosing party (where legally permitted) and cooperates with efforts to limit the scope of disclosure; or (iii) with the prior written consent of the disclosing party.
(c) Exclusions. Confidential Information excludes information that: (i) is or becomes publicly available through no fault of the receiving party; (ii) was rightfully in the receiving party's possession before receipt; (iii) is rightfully received from a third party without restriction; or (iv) is independently developed without use of the disclosing party's Confidential Information.
(d) Scan Data. Scan Data, vulnerability findings, and security assessment results are deemed Confidential Information of the Customer. FindTheBreach will not disclose Customer Scan Data to any third party except as necessary to provide the Service, as expressly permitted in these Terms, or as required by law.
(e) Survival. Confidentiality obligations survive termination of these Terms for three (3) years, except for trade secrets which remain protected indefinitely.
✦ Assumption of Risk — Penetration Testing & Security Scanning
YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT VULNERABILITY SCANNING, PENETRATION TESTING, AND SECURITY ASSESSMENTS ARE INHERENTLY INTRUSIVE ACTIVITIES THAT CARRY RISKS INCLUDING BUT NOT LIMITED TO: SERVICE DISRUPTIONS, SYSTEM CRASHES, PERFORMANCE DEGRADATION, DATA CORRUPTION, DENIAL OF SERVICE, UNINTENDED EXPOSURE OF SENSITIVE DATA, AND TRIGGERING OF SECURITY ALARMS OR INCIDENT RESPONSE PROCEDURES ON TARGET SYSTEMS.
BY USING THE SERVICE, YOU VOLUNTARILY ASSUME ALL RISKS ASSOCIATED WITH THE SCANNING AND TESTING OF TARGET SYSTEMS, INCLUDING RISKS THAT MAY RESULT FROM: (A) THE NATURE AND INTENSITY OF AUTOMATED SECURITY SCANS; (B) INTERACTIONS BETWEEN SCANNING TOOLS AND TARGET SYSTEM CONFIGURATIONS; (C) UNEXPECTED BEHAVIOR OF TARGET SYSTEMS IN RESPONSE TO SECURITY PROBES; (D) FALSE POSITIVE OR FALSE NEGATIVE RESULTS; AND (E) ANY DOWNSTREAM EFFECTS ON SYSTEMS, SERVICES, OR THIRD PARTIES CONNECTED TO OR DEPENDENT UPON THE TARGET SYSTEMS.
YOU ACKNOWLEDGE THAT FINDTHEBREACH HAS NO CONTROL OVER THE CONFIGURATION, RESILIENCE, OR BEHAVIOR OF YOUR TARGET SYSTEMS AND THAT SCANNING RESULTS MAY VARY BASED ON NETWORK CONDITIONS, SYSTEM STATE, SECURITY CONTROLS, AND OTHER FACTORS OUTSIDE FINDTHEBREACH'S CONTROL. YOU AGREE THAT FINDTHEBREACH SHALL NOT BE LIABLE FOR ANY HARM, DAMAGE, OR LOSS ARISING FROM OR RELATED TO THE SCANNING OR TESTING OF ANY TARGET SYSTEM, REGARDLESS OF WHETHER SUCH HARM WAS FORESEEABLE.
✦ Force Majeure
FindTheBreach shall not be liable for any failure or delay in performing its obligations under these Terms where such failure or delay results from circumstances beyond FindTheBreach's reasonable control, including but not limited to: acts of God, natural disasters, epidemics, pandemics, government actions or orders, war, terrorism, cyberattacks, distributed denial of service attacks, power outages, internet disruptions, telecommunications failures, third-party service outages (including cloud hosting providers), labor disputes, supply chain disruptions, or any other events beyond FindTheBreach's reasonable control ("Force Majeure Events").
In the event of a Force Majeure Event, FindTheBreach's obligations shall be suspended for the duration of the event. FindTheBreach shall use commercially reasonable efforts to resume performance as soon as practicable and shall provide notice to affected Users of any material service disruptions caused by a Force Majeure Event.
27 Modifications to Terms
FindTheBreach reserves the right to modify, amend, or replace these Terms at any time in its sole discretion. If a revision is material, FindTheBreach shall provide at least thirty (30) days' notice prior to the new terms taking effect. What constitutes a material change will be determined at FindTheBreach's sole discretion.
Notice of material changes may be provided by: (a) posting a notice on the Service; (b) sending an email to the address associated with your Account; or (c) other means as determined by FindTheBreach.
By continuing to access or use the Service after the effective date of any revised Terms, you agree to be bound by the revised Terms. If you do not agree to the new Terms, in whole or in part, you must stop using the Service and terminate your Account. Your sole remedy with respect to any dissatisfaction with these Terms or any policy or practice of FindTheBreach shall be to terminate your Account and discontinue use of the Service.
28 Severability
If any provision of these Terms is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction, such invalidity, illegality, or unenforceability shall not affect any other provision of these Terms. The remaining provisions shall continue in full force and effect. The invalid, illegal, or unenforceable provision shall be modified to the minimum extent necessary to make it valid, legal, and enforceable while preserving the original intent of the parties to the greatest extent possible. If such modification is not possible, the invalid provision shall be severed from these Terms, and the remaining provisions shall be interpreted so as to best reflect the original intent of the parties.
29 Force Majeure
FindTheBreach shall not be liable for any failure or delay in performance of its obligations under these Terms to the extent that such failure or delay is caused by circumstances beyond its reasonable control, including but not limited to: acts of God, natural disasters, pandemics, epidemics, fire, flood, earthquake, hurricane, tornado; war, terrorism, civil unrest, insurrection; government actions, embargoes, sanctions, or regulatory changes; strikes, labor disputes, or work stoppages; power outages, internet outages, telecommunications failures, or infrastructure failures; cyberattacks, distributed denial-of-service attacks, or other malicious activities directed at FindTheBreach's infrastructure; failure of third-party service providers, cloud infrastructure providers, or hosting services; or any other cause beyond the reasonable control of FindTheBreach (each, a "Force Majeure Event").
In the event of a Force Majeure Event, FindTheBreach shall: (a) promptly notify affected Users of the nature and expected duration of the event; (b) use commercially reasonable efforts to minimize the impact of the event and resume performance as soon as practicable; and (c) provide updates regarding the status of the disruption. If a Force Majeure Event continues for more than sixty (60) consecutive days, either party may terminate these Terms upon written notice to the other party.
30 Assignment
You may not assign, transfer, or delegate these Terms or any rights or obligations hereunder, in whole or in part, whether voluntarily, by operation of law, or otherwise, without the prior written consent of FindTheBreach. Any attempted assignment, transfer, or delegation without such consent shall be null and void.
FindTheBreach may assign, transfer, or delegate these Terms or any rights or obligations hereunder, in whole or in part, without your consent, to any successor entity (whether by merger, consolidation, acquisition of all or substantially all assets, or otherwise) or to any affiliate or subsidiary of FindTheBreach. In the event of any such assignment, transfer, or delegation, FindTheBreach shall notify you of the assignment and the identity of the assignee.
Subject to the foregoing, these Terms shall be binding upon, and inure to the benefit of, the parties and their respective successors and permitted assigns.
31 No Waiver
The failure of FindTheBreach to exercise or enforce any right or provision of these Terms shall not constitute a waiver of such right or provision. No waiver by FindTheBreach of any term or condition set forth in these Terms shall be deemed a further or continuing waiver of such term or condition or a waiver of any other term or condition. Any waiver must be in writing and signed by an authorized representative of FindTheBreach to be effective.
The exercise of any right or remedy by FindTheBreach under these Terms shall not preclude or limit the exercise of any other right or remedy available to FindTheBreach under these Terms, at law, or in equity.
32 Entire Agreement
These Terms, together with the Privacy Policy and any other legal notices, policies, or agreements published by FindTheBreach on the Service (including, without limitation, the Cookie Policy, Acceptable Use Policy, and any order forms or subscription agreements), constitute the entire agreement between you and FindTheBreach concerning the Service and supersede all prior or contemporaneous agreements, communications, representations, warranties, and understandings, whether written or oral, between you and FindTheBreach with respect to the subject matter hereof.
In the event of a conflict between these Terms and any other agreement between you and FindTheBreach (such as a separately executed enterprise agreement or master services agreement), the terms of such other agreement shall control to the extent of the conflict, unless otherwise specified.
33 Contact Information
If you have any questions, concerns, or inquiries regarding these Terms of Service, please contact us using the information below:
FindTheBreach
Bothell, Washington 98011, United States
Email: contact@findthebreach.com
Website: findthebreach.com
For legal notices, service of process, or formal correspondence, please send communications to the email address above with the subject line "Legal Notice."
34 Publicity
Subject to the confidentiality obligations set forth in these Terms, FindTheBreach may identify you as a customer and use your company name and logo in its marketing materials, website, and customer lists, unless you provide written notice opting out to contact@findthebreach.com. No other use of your trademarks or intellectual property is permitted without your prior written consent.
35 Fee Changes and Auto-Renewal
Fee Changes. FindTheBreach reserves the right to modify Subscription fees upon renewal. We will provide at least thirty (30) days’ prior written notice of any fee increase. If you do not agree with the revised fees, you may cancel your Subscription before the start of the next billing period by providing written notice to contact@findthebreach.com.
Auto-Renewal. Subscriptions automatically renew at the end of each billing period unless you cancel at least thirty (30) days prior to the renewal date. Renewal fees will be charged to the payment method on file at the then-current rate, inclusive of any notified fee adjustments.
36 De-identification Standard
For the purposes of data aggregation and analytics provisions in these Terms, “de-identified” means that the data has been processed such that it cannot reasonably be used to infer information about, or otherwise be linked to, a particular User, Target, or Account. De-identification is performed using industry-standard statistical techniques including k-anonymity, data suppression, and generalization, in accordance with NIST SP 800-188 (De-Identifying Government Datasets).
37 Effective Date
These Terms of Service are effective as of February 1, 2026. These Terms apply to all Users who access or use the Service on or after the effective date. If you were a User prior to the effective date, your continued use of the Service after the effective date constitutes your acceptance of these revised Terms.
Previous versions of the Terms of Service are available upon request by contacting contact@findthebreach.com.