These Terms of Service ("Terms") govern access to and use of the website, software, and services provided by Xora LLC, a Utah limited liability company ("Xora," "we," "us"). By accessing our website, creating an account, running a scan, or otherwise using the Services, you ("you" or "Customer") agree to these Terms.
If you are entering into these Terms on behalf of a company or other legal entity, you represent that you have authority to bind that entity, in which case "you" and "Customer" refer to that entity.
If you do not agree to these Terms, do not use the Services.
1. Relationship to Other Agreements
If you and Xora have entered into a signed Master Subscription Agreement or similar written agreement covering the Services (an "MSA"), that MSA governs and supersedes these Terms to the extent of any conflict. Otherwise, these Terms are the complete agreement between you and Xora regarding the Services.
Order Forms and Statements of Work executed by both parties are incorporated by reference into the governing agreement (MSA or these Terms, as applicable).
2. Definitions
"Services" means the Xora software-as-a-service cybersecurity products (including automated red-team, penetration testing, and vulnerability scanning capabilities), the Xora website, and related documentation and support.
"Customer Data" means data, content, code, logs, telemetry, or other information you submit, upload, or make available to the Services, or that the Services generate specifically for you (including scan results and findings).
"Authorized User" means an employee or contractor whom you authorize to access the Services on your behalf.
"Target Systems" means the applications, networks, infrastructure, repositories, accounts, or other technology assets that you authorize Xora to scan, probe, or test.
"Documentation" means the user guides and technical materials we make available describing the Services.
3. The Services
3.1 Access
Subject to these Terms, Xora grants you a non-exclusive, non-transferable, non-sublicensable right to access and use the Services during your subscription or trial period, solely for your internal business purposes.
3.2 Accounts
You are responsible for the acts and omissions of your Authorized Users, for maintaining the confidentiality of account credentials, and for notifying us promptly of any unauthorized use or suspected compromise.
3.3 Free Trials and Beta Features
We may make free trials, preview features, or beta features available. These are provided "AS IS," are excluded from any service-level commitments, and may be modified or discontinued at any time.
3.4 Modifications
We may modify the Services from time to time. We will not materially reduce core functionality of a paid Service during a paid subscription term without your consent.
4. Scanning Authorization — Critical Notice
The Services perform active security testing, including simulated attacks, exploitation attempts, and authorization probing against Target Systems. By using the Services you grant Xora, and authorize Xora to perform, the testing activities described in this Section 4.
4.1 Your Authorization and Ownership
You represent, warrant, and covenant that:
(a) You own the Target Systems, or have obtained all necessary rights, permissions, and authorizations from the owners and operators of those Target Systems (including any parent, subsidiary, affiliate, or third party) to permit Xora to conduct security testing against them;
(b) You have the legal authority to authorize the testing on behalf of your organization and any other parties whose systems are included;
(c) Your authorization constitutes valid legal consent under applicable computer-misuse, anti-hacking, and unauthorized-access laws (including the U.S. Computer Fraud and Abuse Act and equivalents in other jurisdictions); and
(d) Running the Services against the Target Systems will not violate any law, contract, policy, or third-party right.
4.2 Scope Limitation
Xora will only test the Target Systems you have expressly identified in an Order Form, in-product configuration, or other written authorization. You must not configure the Services to scan, probe, or target any system that is not within the authorized scope. If you do so, you are solely responsible for the consequences, and Xora may suspend the Services and terminate your access.
Xora is not responsible for verifying that you have authority over the Target Systems you configure. You bear that responsibility.
4.3 Third-Party Environments
Many Target Systems run on third-party infrastructure (for example, AWS, Google Cloud, Azure, GitHub, Cloudflare, or SaaS vendors). Some providers require advance notice, specific forms, or prior approval before permitting security testing against workloads hosted on their platforms; others restrict or prohibit it. You are solely responsible for:
(a) Reviewing and complying with each relevant provider's acceptable use policy, penetration testing policy, and terms of service;
(b) Obtaining any required approvals or filing any required notifications before scans run; and
(c) Ensuring that testing authorized under these Terms does not conflict with an active bug bounty program, responsible-disclosure policy, or third-party testing engagement covering the same Target Systems.
Xora has no obligation to confirm third-party approval status and is not liable for any consequences arising from your non-compliance with third-party provider requirements.
4.4 Production Systems and Risk
Security testing carries inherent risk. Testing may cause service disruption, data corruption, elevated load, triggered alerts, account lockouts, or other unintended operational impact. You acknowledge this risk. You are responsible for deciding whether to authorize testing against production or production-like environments, for maintaining backups and rollback capabilities, and for coordinating with your own operations, incident response, and compliance teams in advance of scans.
4.5 Revocation and Suspension
You may revoke scanning authorization for specific Target Systems at any time via in-product controls or written notice. Xora may suspend scanning at its discretion if it reasonably believes that testing is unauthorized, unlawful, or causing harm.
5. AI and Findings Disclosure
The Services use machine learning, large language models, and other automated techniques to generate security context, authorization test cases, and findings.
(a) Findings are not guaranteed to be accurate. The Services may produce false positives (reporting issues that are not real vulnerabilities), false negatives (missing real vulnerabilities), incomplete proofs-of-concept, or incorrect severity ratings.
(b) No scanner can detect every vulnerability. The Services are a tool to assist your security program, not a substitute for human expert review, manual penetration testing, secure-development practices, or a comprehensive security program.
(c) Findings are informational. You are responsible for independently verifying findings before acting on them, for prioritization and remediation decisions, and for any resulting changes to your systems.
(d) No absolute security. Cybersecurity is an evolving field. Xora does not represent or warrant that use of the Services will make your systems secure, compliant, or free from breach, or that the Services will detect or prevent all threats, intrusions, or malicious activity.
6. Acceptable Use
You will not, and will not permit any Authorized User or third party to:
(a) access or use the Services except as expressly permitted;
(b) resell, sublicense, or make the Services available to any third party that is not an Authorized User;
(c) reverse engineer, decompile, or attempt to derive the source code or underlying structure of the Services, except to the extent applicable law prohibits such a restriction;
(d) use the Services to build or train a competing product or service;
(e) interfere with or disrupt the integrity or performance of the Services;
(f) attempt to gain unauthorized access to the Services or to other customers' data;
(g) use the Services to test, probe, or attack any system you are not authorized to test (see Section 4);
(h) transmit malicious code, viruses, or other harmful content through the Services;
(i) use the Services in violation of any applicable law or to violate the rights of any third party; or
(j) remove or obscure proprietary notices in the Services or Documentation.
Violation of this Section 6 is a material breach and may result in immediate suspension or termination.
7. Customer Data
7.1 Ownership
As between the parties, you retain all right, title, and interest in and to Customer Data. You grant Xora a limited, non-exclusive, worldwide, royalty-free license to host, process, transmit, display, and otherwise use Customer Data solely to provide, maintain, secure, and improve the Services and to perform our obligations to you.
7.2 Your Responsibility
You are solely responsible for the accuracy, quality, and legality of Customer Data, for the means by which it was obtained, and for your compliance with applicable law (including data protection and privacy laws) in connection with Customer Data.
7.3 Aggregated and De-Identified Data
We may collect, generate, and use aggregated and de-identified data derived from use of the Services ("Aggregated Data"), including for purposes of improving the Services, developing new products and features, benchmarking, threat intelligence, and analytics. Aggregated Data will not identify you or any individual, and we will not disclose Aggregated Data in a manner that identifies you without your prior consent.
7.4 Data Return and Deletion
Upon termination or expiration, you may request return of Customer Data within 30 days after termination. After that period, we may delete Customer Data from active systems in the ordinary course, subject to legal retention obligations and our standard backup retention schedule.
8. Security
We maintain a written information security program with administrative, technical, and physical safeguards designed to protect the security, confidentiality, and integrity of Customer Data. These include encryption of Customer Data in transit and at rest, role-based access controls, logging and monitoring, and periodic security reviews.
9. Confidentiality
Each party will (a) use the other party's confidential information only as needed to perform under these Terms; (b) not disclose it to third parties except to employees, contractors, advisors, and affiliates bound by comparable confidentiality obligations; and (c) protect it with at least reasonable care. Confidential information does not include information that is publicly known through no fault of the receiving party, was already known without restriction, was independently developed without reference to the disclosing party's information, or was rightfully received from a third party without restriction. A party may disclose confidential information as required by law or legal process, with prompt notice to the other party where legally permitted.
Customer Data is your confidential information. The Services, Documentation, product roadmap, and pricing are our confidential information.
10. Fees and Payment
If you purchase paid Services, you will pay the fees set forth in the applicable Order Form or in-product purchase flow. Except as otherwise specified, fees are non-refundable and non-cancellable. Undisputed invoices are due within 30 days of the invoice date. Past-due amounts accrue interest at the lesser of 1.0% per month or the maximum rate permitted by law. Fees are exclusive of taxes, which you are responsible for (other than taxes on our net income). We may suspend Services for non-payment of undisputed amounts more than 30 days past due, with 10 days' prior notice.
Free trials and free-tier Services are provided without charge, for the period and within the limits we specify, and we may terminate or modify them at any time.
11. Term and Termination
11.1 Term
These Terms apply from your first use of the Services and continue until terminated.
11.2 Termination for Cause
Either party may terminate for the other party's uncured material breach after 30 days' written notice describing the breach.
11.3 Termination for Convenience
You may stop using the Services at any time. We may terminate or suspend your access to free or trial Services at any time for any reason. We may also terminate these Terms on 30 days' notice if we discontinue the Services generally.
11.4 Immediate Suspension
We may suspend your access immediately if we reasonably believe you are violating Section 4 (Scanning Authorization) or Section 6 (Acceptable Use), or if your use creates a risk of harm to the Services, to us, or to any third party.
11.5 Effect of Termination
Upon termination, your right to access the Services ceases; each party will return or destroy the other's confidential information subject to legal retention; and you will pay all fees accrued through termination. If we terminate a paid subscription for your uncured material breach, you will also pay fees that would have been payable through the remainder of the then-current term. If you terminate a paid subscription for our uncured material breach, we will refund pre-paid fees for the unused portion of the term on a pro-rata basis.
11.6 Survival
Sections 2, 4.1, 5, 6, 7.1, 7.3, 9, 10 (as to accrued amounts), 11.5, 11.6, 12, 13, 14, and 15 survive termination.
12. Warranties and Disclaimers
12.1 Mutual
Each party represents that it has authority to enter into these Terms and will comply with applicable law in its performance.
12.2 Service Warranty (Paid Services Only)
For paid Services, during the paid subscription term, we warrant that the Services will perform materially in accordance with the Documentation. Your sole and exclusive remedy, and our entire liability, for breach of this warranty is for us to (a) use commercially reasonable efforts to correct the non-conformity, or (b) if we cannot, terminate the affected subscription and refund pre-paid fees for the non-conforming portion of the term. This warranty does not apply to free trials, Beta Features, or issues caused by misuse.
12.3 Disclaimer
EXCEPT AS EXPRESSLY SET FORTH IN THESE TERMS, THE SERVICES ARE PROVIDED "AS IS" AND "AS AVAILABLE." XORA MAKES NO WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, AND SPECIFICALLY DISCLAIMS ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. XORA DOES NOT WARRANT THAT THE SERVICES WILL BE UNINTERRUPTED, ERROR-FREE, OR COMPLETELY SECURE, THAT FINDINGS WILL BE ACCURATE OR COMPLETE, OR THAT THE SERVICES WILL DETECT OR PREVENT ALL SECURITY THREATS, VULNERABILITIES, INTRUSIONS, OR MALICIOUS ACTIVITY. YOU ACKNOWLEDGE THAT CYBERSECURITY IS AN EVOLVING FIELD AND THAT NO SECURITY SOLUTION CAN PROVIDE ABSOLUTE PROTECTION.
13. Indemnification
13.1 By Xora
For paid Services, we will defend you against third-party claims that the Services, used in accordance with these Terms, infringe a U.S. patent, copyright, or trade secret, and will indemnify you for damages finally awarded or agreed in settlement by us. If the Services become the subject of an infringement claim, we may, at our option, (a) procure the right to continue using them, (b) modify them to be non-infringing while preserving substantially equivalent functionality, or (c) terminate the affected subscription and refund pre-paid fees for the unused portion. This obligation does not apply to claims arising from modifications not made by us, combinations with non-Xora products, use in violation of these Terms, Customer Data, free trials, or Beta Features.
13.2 By You
You will defend us against third-party claims arising from (a) Customer Data, (b) your use of the Services in violation of these Terms, applicable law, or the Documentation, (c) combinations with non-Xora products, or (d) your breach of Section 4 (Scanning Authorization), including any claim by an owner or operator of a system you directed us to test, and will indemnify us for damages finally awarded or agreed in settlement by you.
13.3 Procedure
Indemnification is conditioned on the indemnified party promptly notifying the indemnifying party in writing, giving sole control of defense and settlement (with no admission of fault or non-monetary obligation on the indemnified party without consent), and providing reasonable cooperation at the indemnifying party's expense. This Section 13 is the indemnifying party's sole liability, and the indemnified party's exclusive remedy, for the third-party claims described.
14. Limitation of Liability
14.1 Exclusion of Indirect Damages
EXCEPT FOR EXCLUDED MATTERS, IN NO EVENT WILL EITHER PARTY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE, OR EXEMPLARY DAMAGES, OR FOR ANY LOSS OF PROFITS, REVENUE, BUSINESS, GOODWILL, OR DATA, WHETHER BASED ON CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, OR OTHERWISE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
14.2 Cap
EXCEPT FOR EXCLUDED MATTERS, EACH PARTY'S TOTAL CUMULATIVE LIABILITY ARISING OUT OF OR RELATING TO THESE TERMS WILL NOT EXCEED THE GREATER OF (A) THE TOTAL FEES PAID BY YOU TO XORA IN THE 12 MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM, OR (B) U.S. $100. FOR FREE TRIALS AND FREE-TIER SERVICES, THE CAP IN (B) APPLIES.
14.3 Excluded Matters
"Excluded Matters" means (a) each party's indemnification obligations; (b) breach of confidentiality; (c) your payment obligations; (d) either party's gross negligence, willful misconduct, or fraud; (e) infringement or misappropriation of the other party's intellectual property; and (f) your breach of Section 4 (Scanning Authorization).
14.4 Basis of Bargain
The limitations in this Section 14 are an essential element of the bargain and apply notwithstanding the failure of essential purpose of any limited remedy. The fees (and free-tier availability) reflect this allocation of risk.
15. General
15.1 Publicity. You grant Xora permission to use your name and logo to identify you as a Xora customer on our website, in customer lists, and in marketing materials (including pitch decks, case studies referenced by name only, and social media posts announcing the customer relationship). We will use your name and logo consistent with any brand guidelines you provide and will stop using them within a reasonable period after you request in writing. Any other use of your name or logo — including in press releases, detailed case studies, quoted testimonials, or co-marketing content — requires your prior written consent. You may not use Xora's name, logo, or trademarks in any public materials without our prior written consent, not to be unreasonably withheld.
15.2 Assignment. Neither party may assign these Terms without the other's prior written consent, except that either party may assign without consent to a successor in a merger, acquisition, reorganization, or sale of substantially all assets, provided the assignee agrees in writing to be bound. Any assignment in violation is void.
15.3 Force Majeure. Neither party is liable for delay or failure to perform (other than payment obligations) to the extent caused by circumstances beyond its reasonable control, including acts of God, war, civil unrest, labor disputes, telecommunications or internet failures, governmental actions, or widespread cybersecurity attacks not specifically targeting that party.
15.4 Notices. Notices must be in writing and are deemed given when delivered personally, one business day after overnight courier, or when sent by email with confirmation of receipt, to the addresses on file.
15.5 Governing Law. These Terms are governed by the laws of the State of Utah, without regard to conflict-of-laws principles. The U.N. Convention on Contracts for the International Sale of Goods does not apply.
15.6 Dispute Resolution. The parties will first attempt to resolve any dispute through good-faith negotiation. If unresolved within 30 days, the dispute will go to non-binding mediation before a single mediator in Utah County, Utah, with costs shared equally. Mediation is a condition precedent to litigation, except for actions seeking injunctive or equitable relief. Any action must be brought exclusively in the state courts of Utah located in the Fourth Judicial District (Utah County), and each party consents to personal jurisdiction and venue there.
15.7 Entire Agreement. These Terms, together with any Order Forms and exhibits, constitute the entire agreement between the parties regarding the Services and supersede all prior and contemporaneous agreements, proposals, or representations, except to the extent superseded by a signed MSA.
15.8 Order of Precedence. In the event of conflict: (a) a signed MSA governs over these Terms; (b) an Order Form governs over these Terms (and over an MSA only as to the subject matter of that Order Form); (c) terms of any purchase order or similar customer-issued document have no force or effect.
15.9 Amendments. We may update these Terms from time to time. If we make material changes, we will provide notice (via email or in-product notice) at least 30 days before the changes take effect. Your continued use of the Services after the effective date constitutes acceptance. If you do not agree, your sole remedy is to stop using the Services. For paid subscriptions, material adverse changes take effect at renewal rather than mid-term, unless required by law.
15.10 Severability. If any provision is held invalid or unenforceable, the remaining provisions remain in effect, and the invalid provision will be modified to the minimum extent necessary to be enforceable.
15.11 Independent Contractors. The parties are independent contractors. These Terms do not create a partnership, joint venture, agency, or employment relationship.
15.12 Electronic Acceptance. You may accept these Terms by clicking "I agree," creating an account, or using the Services. Electronic acceptance has the same legal effect as a handwritten signature.
Questions about these Terms? Contact us at legal@getxora.ai.