Terms of Service
Last updated: June 2, 2026
These Terms of Service ("Terms") govern use of secureless.ai and related services ("Service"), operated by Secureless UG (haftungsbeschränkt), Kollwitzstraße 76, 10435 Berlin, registered at Amtsgericht Charlottenburg HRB 287751 B ("Secureless," "we," "us").
By creating an account, running a free scan, or otherwise using the Service, you agree to these Terms. If you use the Service on behalf of an entity, you confirm you are authorised to bind it. These Terms apply to all users, including users of the free scan, whether or not they hold an account.
1. The Service
Secureless provides automated external security assessments of publicly accessible web domains, based on externally observable data such as DNS records, HTTP headers, SSL/TLS configuration, JavaScript resources, network request logs, cookie behaviour, and screenshots of publicly accessible pages. Assessments use only actions equivalent to a standard web browser. No authentication is used, no access controls are bypassed, and no systems are exploited.
Automated assessments are informational. They are not a compliance audit, certification, or legal advice, and do not constitute a SOC 2, ISO 27001, or GDPR compliance opinion.
Penetration testing and other advanced security services, where offered, are separate paid services provided under their own terms and are not included in any subscription unless expressly agreed in writing.
2. Accounts and free scans
You must provide accurate information and keep your credentials secure. You are responsible for activity under your account and must notify us of any unauthorised access. You must be at least 18 and use the Service in a business capacity; consumer protection provisions (Verbraucherschutzrecht) do not apply.
The free scan is available to any user, subject to rate and volume limits we may apply to prevent misuse. For a domain you have not verified as owner, the free scan returns the overall security grade only; detailed findings require an active subscription or verified ownership of the domain. A verified domain owner may run up to three free scans per domain. By running a scan, you agree to these Terms, whether or not you hold an account.
3. Plans, billing, and renewal
3.1 Plans. The Service is offered on fixed-term annual plans (for example, a 12-month plan), as described at checkout or in a separate agreement. A free surface snapshot is available as described on the website. Deep scans require an active subscription.
3.2 Billing. Subscriptions are billed via Stripe, either annually in advance or in monthly instalments across the term, as selected at checkout. Prices are in Euros, exclusive of VAT (Umsatzsteuer) where applicable.
3.3 Term and renewal. Each subscription runs for its fixed term and renews for a further term of equal length unless cancelled in writing at least 60 days before the end of the current term. A plan paid in monthly instalments renews on the same instalment basis for a further term; a plan paid annually renews annually. Monthly instalments are a payment method, not a month-to-month subscription, and do not create a right to cancel mid-term.
3.4 Plan changes. You may upgrade at any time, effective immediately. Downgrades take effect at the start of the next term.
3.5 Failed payments. If a payment fails, we may attempt collection for up to 14 days, after which the account may be suspended. Suspended accounts cannot run new scans but retain access to historical data for 30 days.
3.6 Price changes. We may change prices for future terms on at least 60 days' notice before renewal. Locked prices under a Special Offer (Section 5) are not affected.
3.7 Scans and credits. An active subscription includes two deep scans per billing cycle: one that runs automatically, and one verification rescan the customer triggers after addressing findings. Included scans do not carry over between cycles. Additional one-time deep scan credits may be purchased and remain valid for 12 months from purchase. Scans and credits require an active subscription.
3.8 Domains covered. Each subscription covers a single registrable domain (the apex domain, for example example.com) together with its subdomains (for example www.example.com and app.example.com). A subscription does not cover any other registrable domain, including the same or a related brand on a different top-level domain (for example example.de or example.org) or any other domain the customer holds. Each additional registrable domain requires its own subscription or a paid additional-domain add-on at the then-current price. All scans, monitoring, the trust badge, and included scan allowances apply only to the covered registrable domain. Verifying that you own a domain does not entitle you to scans, monitoring, or a trust badge for it unless that domain is on a paid subscription or add-on.
4. Acceptable use
4.1 Permitted. You may use the Service to assess domains you own or are authorised to assess; to assess domains of current or prospective vendors, suppliers, or partners for third-party risk management, including evaluating potential vendors during procurement; and to generate reports for internal use, compliance documentation, vendor evaluation, or sharing with the assessed vendor.
4.2 Prohibited. You may not use the Service to harass, threaten, or extort any party; publicly disclose detailed assessment results (beyond the grade) of a domain you do not own without the owner's consent; resell or white-label the Service without written agreement; interfere with the Service or circumvent limits; scan to facilitate an attack; or use the Service unlawfully.
4.3 Delivery and visibility of results. A domain's overall security grade is shown publicly and may also appear in the dashboard of a buyer monitoring that domain. Every published grade is displayed together with the date of the assessment it reflects. Detailed assessment findings and full reports are delivered only to the user who requested the scan (via their account or by email) and to a verified owner of the assessed domain; they are not shown publicly. Where a grade is disputed, or where a domain's configuration has changed, Section 9 sets out how the grade may be corrected or refreshed.
4.4 Enforcement. We may suspend or terminate access for breach, with notice and a chance to cure where practical.
5. Special Offers and the Founding Partner programme
5.1 Scope. We may make specific offers (for example, the Founding Partner offer, content or co-marketing packages). The details of a Special Offer (price, deliverables, term, benefits) are set out in this Section 5, unless otherwise provided in a separate document. All contractual terms governing Special Offers are those set out in these Terms.
5.2 Price locks. Where a Special Offer states a price is "locked in," that locked price applies only to the customer's subscription to the scanning plan covered by the offer, and is held for as long as the customer maintains a continuous, active, paid subscription on that plan. A failed payment cured within the Section 3.5 window does not break continuity. The lock does not extend to anything sold separately from that plan, including add-ons, one-time deep scan credits, penetration testing or other advanced services, an upgrade to a higher plan, or any product, module, or feature released or priced separately in future, each of which is charged at the then-current price. If the subscription is cancelled or downgraded, the lock is lost. We may retire a locked plan on at least 90 days' notice, offering the nearest equivalent plan on comparable terms.
5.3 Change of control. A price lock and Founding Partner status are personal to the customer, are non-transferable, and end on a change of control of the customer unless we agree otherwise in writing.
5.4 Logos, names, and marks. Each party grants the other a limited, non-exclusive, non-transferable, revocable licence to use the other's name, logo, and provided marks (including any Founding Partner badge) for marketing and promotional purposes, including websites, partner pages, sales materials, and social media, following any reasonable brand guidelines. Either party may revoke on written notice if the other ceases to be a customer, materially breaches, or misuses the marks. On ceasing to be a customer, the right to display a Founding Partner badge ends; factual historical reference (for example, "former Founding Partner") remains permitted.
5.5 No performance guarantee. Marketing, co-marketing, and visibility benefits are provided on a reasonable-efforts basis. We do not guarantee any reach, impressions, views, clicks, leads, sales, audience size, or monetary or commercial value. Any stated figures (for example, combined audience or total package value) are illustrative estimates, not promises.
5.6 Feedback and testimonials. The customer agrees to provide reasonable feedback and a testimonial that we may use publicly. Any feedback, suggestions, or ideas the customer provides are ours to use freely, perpetually, and without payment, attribution, or confidentiality obligation. Non-delivery of a testimonial is not a material breach.
5.7 Pre-release confidentiality. Where a Special Offer gives access before public release, the customer keeps that information confidential and uses it only to evaluate and use the Service. This does not prevent the customer from referencing their participation.
6. Domain verification and monitoring
To use vendor-side features (scheduled monitoring, trust badge, verification rescan), you must verify control of the domain (DNS record, file upload, or email verification). We may re-verify periodically; if verification fails, scanning pauses until re-confirmed.
Monitoring, scans, and the trust badge cover only the single registrable domain on your subscription (Section 3.8). Each additional registrable domain you wish to monitor requires its own subscription or add-on, and its own ownership verification. Subdomains of a covered domain (for example www and app) are included and need no separate verification.
Where monitoring is enabled, you switch it on and select a date in each billing cycle on which a scan runs automatically. Monitoring is a recurring scheduled scan you have enabled, not real-time observation. You may change or disable the schedule at any time.
6.1 Trust badge. Where entitled, you may display a Secureless trust badge only in unaltered form and only while you hold an active, verified subscription. You must remove it on cancellation or suspension, or if your grade falls below the display threshold. We may revoke the right to display it on notice, including where display would mislead.
7. Assessed third-party domains
When you scan a domain you do not own, you acknowledge the data is publicly accessible and equivalent to what a browser observes, you are responsible for your use of the results under Section 4, and we are not liable for a third party's objection to a scan conducted within the Service's scope.
7.1 Objections. A domain owner may object to or request removal from active monitoring by contacting support@secureless.ai. We will consider reasonable requests in good faith and may remove the domain from active monitoring and notify affected customers. This does not require us to withdraw assessments already provided to a customer for their internal use, nor does it limit a customer's right to assess publicly accessible domains for internal risk management.
8. Intellectual property and data
8.1 Our IP. The Service, including its software, methodology, scoring, and detection logic, is our intellectual property. You receive only the limited licence to use the Service described here.
8.2 Reports. Assessment reports are licensed to you for internal business use, including sharing with the assessed vendor, auditors, and compliance stakeholders. You gain no rights in the underlying methodology.
8.3 Your data. You retain ownership of data you provide (account details, domain lists, settings). We use it to operate and improve the Service per the Privacy Policy.
8.4 Use of assessment data. We may use technical data derived from use of the Service to operate and improve the Service, and to produce aggregated benchmarks, statistics, and industry reports. Such outputs are aggregated across cohorts large enough that they do not identify any individual customer or assessed domain, and they do not draw on screenshot content. We do not publish detailed findings naming a specific company or domain without that company's written consent. The public display of an individual domain's overall grade under Section 4.3 is a separate activity and is not affected by this Section 8.4.
8.5 AI subprocessors. The Service uses third-party processors, including AI providers, to deliver assessments. We do not permit them to use your data to train their own models. Current subprocessors are listed in the Privacy Policy.
8.6 Attribution. Where you reference Secureless in digital or online materials, you must include a link to secureless.ai where reasonably practicable.
9. Disclaimers
The Service identifies externally observable findings only and does not guarantee detection of all issues; a clean result does not mean a domain is secure or compliant. Results may contain false positives or negatives; we provide a dispute mechanism and correct confirmed errors. Some data comes from third-party sources we do not warrant. We aim for high availability but do not guarantee uninterrupted access.
10. Liability
10.1 To the maximum extent permitted by law, our total aggregate liability under these Terms is capped at the amount you paid us in the 12 months before the event giving rise to the claim.
10.2 We are not liable for indirect, incidental, special, or consequential damages, including lost profits, revenue, data, or opportunities.
10.3 Nothing limits liability for intent (Vorsatz), gross negligence (grobe Fahrlässigkeit), injury to life, body, or health, or any liability that cannot be excluded under German law.
10.4 We are not liable for decisions you make based on assessment results, including vendor selection or remediation.
11. Indemnification
You will indemnify Secureless against claims, damages, and reasonable costs arising from your use of the Service in breach of these Terms, including claims by third parties whose domains you scanned.
12. Data protection and DPA
We process personal data per our Privacy Policy. Where we act as processor on your behalf, our standard Data Processing Agreement (Auftragsverarbeitungsvertrag) at secureless.ai/legal/dpa applies and forms part of these Terms on your use of the Service. Customers requiring a separately signed DPA may request one.
13. Term and termination
13.1 These Terms apply from account creation or first use until terminated.
13.2 You may terminate by cancelling per Section 3 and requesting deletion at support@secureless.ai.
13.3 We may suspend or terminate immediately for material breach, with 14 days to cure where remediable.
13.4 On termination, access ends; scan data is retained 30 days for export, then deleted, subject to legal retention obligations.
13.5 Clauses that by nature survive (Sections 8, 10, 11, 14, governing law, and accrued payment obligations including remaining instalments of a committed term) continue after termination.
14. Assignment
You may not assign these Terms without our written consent. We may assign or transfer these Terms, in whole or part, to a successor or affiliated entity (for example, on a reorganisation, merger, or sale of the business) without your consent, on notice to you.
15. Changes to these Terms
We may update these Terms on at least 30 days' notice of material changes. Continued use after the effective date is acceptance; otherwise you may terminate before they take effect.
16. Force majeure
Neither party is liable for delay or failure caused by events beyond its reasonable control. Payment obligations are not excused.
17. Notices
We give notices by email to your account address or via the Service; you give notices to support@secureless.ai. Notices are deemed received the next business day.
18. Governing law
These Terms are governed by German law, excluding its conflict-of-law rules and the UN Convention on Contracts for the International Sale of Goods (CISG). Exclusive jurisdiction is Berlin, to the extent permitted by law.
19. Severability and entire agreement
If a provision is unenforceable, the rest stands and the provision is replaced by the closest valid one. These Terms, with the Privacy Policy, the DPA, and any applicable Special Offer, are the entire agreement and supersede prior understandings.
20. Contact
Secureless UG (haftungsbeschränkt), Kollwitzstraße 76, 10435 Berlin. support@secureless.ai