Terms of Service

Effective Date: May 7, 2026

1. Introduction

Cipherline LLC (“Company”, “we”, “us”, “our”) operates the XploitScan security scanning platform available at xploitscan.com and through our CLI tool, GitHub Action, and API (collectively, the “Service”). These Terms of Service (“Terms”) govern your use of the Service. By accessing or using the Service, you agree to be bound by these Terms. If you do not agree to these Terms, please do not use the Service. Our Privacy Policy explains how we handle your data and is incorporated into these Terms by reference.

2. Service Description

XploitScan is a security scanning tool designed to identify vulnerabilities in AI-generated and human-written code. The Service analyzes your code for common security issues, provides plain-English explanations of findings, maps findings to compliance frameworks, and offers fix suggestions. XploitScan can be used via our web interface, our CLI tool (npx xploitscan scan .), our GitHub Action for CI/CD integration, our API, and our Model Context Protocol (MCP) server for AI coding agents. The Service also includes a Free Trust Page builder that lets any visitor publish a public security overview at xploitscan.com/t/<slug>. Specific terms for the Free Trust Page builder and the MCP server appear in sections 10 and 11 below.

Compliance Mapping Disclaimer: The compliance mapping feature is provided for informational and educational purposes only. It maps scan findings to relevant compliance framework controls but does not constitute a compliance audit, certification, or legal opinion. Achieving compliance with SOC2, ISO 27001, or any other framework requires comprehensive organizational controls beyond code scanning. You should consult qualified compliance professionals for formal compliance assessments.

AI Disclaimer: XploitScan uses artificial intelligence to analyze code, detect vulnerabilities, generate fix suggestions, and map compliance controls. AI-generated results, explanations, and fix suggestions may contain errors, omissions, or inaccuracies. Fix suggestions are starting points, not drop-in solutions — an AI-suggested fix may be incomplete, context-dependent, or may itself introduce new vulnerabilities if applied without review. You are solely responsible for independently verifying all findings and reviewing all suggested fixes before applying them to any codebase, especially production systems. The Service is not a substitute for human security expertise, professional code review, penetration testing, or legal advice.

3. Accounts and Authentication

To use certain features of the Service, you must create an account. We use Clerk as our authentication provider. When you create an account, you agree to:

  • Provide accurate and complete information
  • Keep your login credentials secure
  • Notify us immediately of any unauthorized access to your account
  • Accept responsibility for all activity that occurs under your account

You may authenticate using email, social logins, or other methods supported by Clerk. We are not responsible for Clerk’s availability or security practices, though we have selected them as a trusted provider.

4. Plans, Pricing, and Billing

XploitScan offers the following plans:

  • Free Plan: Limited scans per day with core security rules. No credit card required.
  • Pro Plan: Unlimited scans, all available security rules, PDF reports, compliance mapping, webhook integrations, and priority support. Available with monthly or annual billing. Includes a 7-day free trial.
  • Team Plan: Everything in Pro, plus team seats, shared scan history, role-based access control, and team management. Additional seats available at an additional per-seat fee. Available with monthly or annual billing. Includes a 7-day free trial.

Current pricing is listed on our pricing page.

Paid subscriptions are processed through Stripe. New accounts that have never had a paid subscription are eligible for a one-time 7-day free trial. Each account is limited to one free trial — if you have previously subscribed to any plan (Pro or Team), new subscriptions will begin billing immediately without a trial period, regardless of which plan you select. At the end of your trial period, your payment method will be automatically charged the applicable rate (monthly or annual) unless you cancel before the trial ends. You may cancel your subscription at any time through the billing portal, and you will retain access to paid features until the end of your current billing period. Refunds are not provided for partial billing periods.

Plan Changes: You may upgrade or downgrade your plan or switch between monthly and annual billing at any time through your account settings. Plan changes take effect immediately. When switching plans or billing intervals, charges are prorated: you will receive credit for the unused portion of your current billing period and be charged for the new plan at the prorated rate.

Team Plan: Team members invited by a Team plan owner receive Pro-level access at no additional cost (up to the included seat limit). The team owner is solely responsible for billing and subscription management. Team members do not need their own paid subscription. If a team owner downgrades from Team to Pro or cancels their subscription, all team members will immediately lose their inherited access and be reverted to the Free plan.

Taxes: All prices displayed on our pricing page are exclusive of applicable taxes. Depending on your location, sales tax, VAT, GST, or other transaction taxes may be added to your invoice at checkout. Taxes are calculated and collected by Stripe at the applicable rate for your jurisdiction. You are responsible for any taxes associated with your use of the Service.

We reserve the right to change our pricing with 30 days’ advance notice. Price changes will not affect your current billing period.

5. Referral Program

XploitScan offers a referral program that allows you to invite others to the Service. By participating in the referral program, you agree to the following:

  • The referral program is available only to users with active Pro or Team subscriptions who are team owners or admins
  • Each eligible user receives a unique referral code that can be shared
  • When a new user signs up using your referral link and subscribes to a paid plan, you receive a credit equal to one month of your current plan, applied to your next invoice via Stripe balance credit
  • Referral rewards are at the sole discretion of Cipherline LLC and may be modified or discontinued at any time
  • Self-referrals, fake accounts, or any form of referral fraud will result in disqualification and may lead to account termination
  • Referral links may not be distributed through spam, unsolicited messages, or any deceptive means

6. Data Retention and Cleanup

To maintain service quality and protect your privacy, we automatically clean up certain data:

  • Free plan scan data: Scan results for free-tier accounts are retained for 90 days and then automatically deleted.
  • Paid plan scan data: Scan results for Pro and Team accounts are retained indefinitely while the subscription is active.
  • Shared checklists: Shared checklist links expire after 30 days and the associated data is automatically deleted.
  • Audit logs: Activity logs are retained for 180 days and then automatically deleted.

7. Acceptable Use

You must be at least 18 years old to use the Service. By using the Service, you represent that you meet this age requirement. You agree not to use the Service to:

  • Violate any applicable law or regulation
  • Scan code that you do not have the legal right to analyze
  • Attempt to reverse-engineer, decompile, or disassemble the Service
  • Interfere with or disrupt the Service or its infrastructure
  • Use the Service to develop competing products
  • Automate access to the Service beyond what our API, CLI tool, and GitHub Action permit
  • Use scan results to exploit vulnerabilities in systems you do not own or have authorization to test
  • Use the Service to develop malware, exploits, or any tools intended to cause harm
  • Upload code containing live production credentials, secrets, or sensitive personal data
  • Share, resell, or sublicense access to the Service without authorization
  • Circumvent rate limits, scan quotas, or other usage restrictions

8. Intellectual Property

Your Code: You retain full ownership of any code you submit for scanning. XploitScan does not claim any ownership rights over your source code, repositories, or intellectual property. We do not use your code to train models or for any purpose beyond providing the scan results you requested.

Our Service: The XploitScan platform, including its software, design, branding, documentation, security rules, compliance mappings, and scan analysis algorithms, is owned by Cipherline LLC and protected by intellectual property laws. These Terms do not grant you any rights to our trademarks, logos, or brand assets.

Feedback: If you provide us with suggestions, feature requests, or other feedback about the Service, you grant Cipherline LLC a non-exclusive, royalty-free, perpetual, irrevocable, worldwide license to use, modify, and incorporate that feedback into the Service without any obligation or compensation to you.

9. Code Handling and Data Practices

We take the security of your code seriously. When you submit code for scanning, it is processed in memory, analyzed for vulnerabilities, and then immediately deleted. We do not store your source code on our servers, in our database, or in any persistent storage. The only data we retain from a scan is the metadata (such as scan date, number of findings, and severity levels) and the results themselves (including finding details, affected file paths, line numbers, and fix suggestions). Your actual source code is never stored.

10. Free Trust Page Service (User-Generated Content)

The Free Trust Page builder at xploitscan.com/free-trust-page lets any visitor — including those without an XploitScan account — create and publish a public security overview page (each, a “Free Trust Page”) at xploitscan.com/t/<slug>. The following terms apply specifically to that feature.

User-Generated Content. Free Trust Page content (company name, website, policy URLs, security contact, data retention text, incident response text, subprocessors, and self-attested compliance flags) is provided entirely by the creator. XploitScan acts as a passive host. We do not author, edit, endorse, or independently verify any field. We do not confirm that the creator is affiliated with, employed by, or authorized to represent the company named on the page.

Self-Attestation, Not Audit. Compliance flags (SOC 2, ISO 27001, HIPAA, GDPR, PCI DSS) shown on a Free Trust Page are self-attested by the creator. Their presence on a page is not a certification, audit, attestation report, or verification of any kind by XploitScan. The public page displays a clear “Self-Attested · Unverified” label adjacent to compliance content and a “Provided by page creator · Not independently verified” label adjacent to policy and contact content. Visitors should request original compliance reports and verify creator identity directly with the company named on the page before relying on any statement displayed.

Creator Representations. By creating a Free Trust Page, you represent and warrant that: (i) you have the right to publish the information you submit; (ii) you are affiliated with the company named on the page or have its authorization to publish on its behalf; (iii) the information you submit is accurate to the best of your knowledge; and (iv) you will not publish content that infringes the rights of, defames, or impersonates any third party.

Takedown and Removal. XploitScan reserves the right to remove, disable, or modify any Free Trust Page at any time, with or without prior notice to the creator, including but not limited to: pages that impersonate companies or individuals; pages that contain false, misleading, or unlawful statements; pages that infringe third-party rights; pages subject to a credible complaint from a party whose name appears on the page; and pages we determine, in our sole discretion, present a risk to the platform or its users. To report a page, email admin@xploitscan.com with the URL and your concern. We aim to respond to legitimate takedown requests promptly.

License to Display. By publishing a Free Trust Page you grant XploitScan a non-exclusive, royalty-free, worldwide license to host, display, cache, index, and distribute the content of that page through the Service. You retain ownership of the content. You may delete your page or claim it (and thereafter manage it from your account) at any time using the manage URL we send to the email address you provided.

11. XploitScan MCP Server

XploitScan publishes a Model Context Protocol (MCP) server (xploitscan-mcp on NPM) that exposes the scanner engine as callable tools inside MCP-compatible AI coding clients (Claude Desktop, Cursor, Windsurf, Continue, Cline, Zed, and similar). The MCP server is distributed separately from the hosted Service under the following terms:

  • License. The MCP server is open-source software released under the MIT License. The license text accompanies the package on NPM and in the source repository.
  • Local Execution. The MCP server runs entirely locally inside your MCP client process. It makes no network calls to XploitScan or any third party during scanning and transmits no telemetry. Source code submitted to the MCP server never leaves your machine.
  • No Warranty. The MCP server is provided “as is” without warranty of any kind, express or implied, including but not limited to merchantability, fitness for a particular purpose, and non-infringement. The Limitation of Liability section below applies to the MCP server to the maximum extent permitted by law.
  • Acceptable Use. The acceptable-use restrictions in Section 7 apply to the MCP server. Notably, you must not use the server to scan code you do not have authorization to analyze, to develop competing scanners, or to extract or replicate the underlying rule bank for purposes outside personal or authorized organizational use.
  • Updates. We may release updated versions of the MCP server at any time. Older versions remain functional but may lack rules added later or fixes for false positives identified later. We do not guarantee compatibility between major versions.

12. Email Communications

By creating an account, you agree to receive transactional emails related to the Service, including welcome emails, scan completion notifications, team invitations, and billing-related communications. You may manage your email preferences through your account settings to opt out of non-essential notifications (such as scan completion alerts and weekly digests). You cannot opt out of essential transactional and security-related emails (such as billing confirmations, breach notifications, and Terms updates).

13. Limitation of Liability

XploitScan is a tool that provides security suggestions and recommendations. It is important to understand that:

  • Scan results are suggestions, not guarantees. We do not guarantee that our scans will identify every vulnerability in your code.
  • XploitScan is not a substitute for professional security audits, penetration testing, or code review by qualified security engineers.
  • Compliance mappings are informational only and do not constitute compliance certification or legal advice.
  • We are not liable for any damages, losses, or security incidents that arise from relying on XploitScan scan results or compliance mapping information.
  • The Service is provided “as is” and “as available” without warranties of any kind, whether express or implied, including but not limited to implied warranties of merchantability, fitness for a particular purpose, and non-infringement.

To the maximum extent permitted by law, in no event shall Cipherline LLC be liable for any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of profits, data, business opportunities, or security incidents arising from missed vulnerabilities, regardless of the cause of action or theory of liability. Our total liability for any claims arising from your use of the Service is limited to the amount you paid us in the 12 months preceding the claim, or $100, whichever is greater.

14. Termination

You may stop using the Service and close your account at any time. We may suspend or terminate your access to the Service if:

  • You violate these Terms
  • You engage in activity that could harm the Service or other users
  • We are required to do so by law
  • We decide to discontinue the Service (with reasonable notice)

Upon termination, your right to use the Service ends immediately. If you are a Team plan owner, all team members will lose access upon your termination. Any provisions of these Terms that should reasonably survive termination (such as limitation of liability, intellectual property, indemnification, and dispute resolution) will continue to apply.

15. Changes to These Terms

We may update these Terms from time to time. When we make significant changes, we will notify you by email or through the Service and update the effective date at the top of this page. Your continued use of the Service after changes take effect constitutes acceptance of the updated Terms. We encourage you to review these Terms periodically.

16. Governing Law

These Terms and any disputes arising out of or related to them or the Service shall be governed by and construed in accordance with the laws of the State of Connecticut, USA, without regard to its conflict of law provisions. The courts located in Connecticut shall have exclusive jurisdiction over any disputes arising under these Terms.

17. Dispute Resolution and Class Action Waiver

In the event of any dispute, claim, or controversy arising out of or relating to these Terms or the Service, the parties agree to first attempt to resolve the matter through good-faith negotiation. If the dispute cannot be resolved through negotiation within thirty (30) days, it shall be settled by binding arbitration conducted in the State of Connecticut, in accordance with the rules of the American Arbitration Association. The arbitrator’s decision shall be final and binding on both parties.

CLASS ACTION WAIVER: All claims must be brought in the parties’ individual capacity only, and not as a plaintiff or class member in any purported class, consolidated, or representative proceeding. The arbitrator may not consolidate more than one person’s claims and may not otherwise preside over any form of a representative or class proceeding. You acknowledge that by agreeing to these Terms, you and the Company are each waiving the right to a trial by jury and the right to participate in a class action.

18. Indemnification

You agree to indemnify, defend, and hold harmless Cipherline LLC, its officers, directors, employees, agents, and affiliates from and against any and all claims, liabilities, damages, losses, costs, and expenses (including reasonable attorneys’ fees) arising out of or in connection with your use of the Service, your violation of these Terms, or your violation of any rights of a third party.

19. Force Majeure

Cipherline LLC shall not be liable for any failure or delay in performing its obligations under these Terms where such failure or delay results from circumstances beyond its reasonable control, including but not limited to acts of God, natural disasters, war, terrorism, pandemic, power outages, internet or telecommunications failures, government actions, or failures of third-party service providers (including but not limited to hosting, authentication, payment processing, and email delivery services).

20. Severability

If any provision of these Terms is found to be unenforceable or invalid by a court of competent jurisdiction, that provision shall be limited or eliminated to the minimum extent necessary so that the remaining provisions of these Terms shall remain in full force and effect.

21. Waiver

The failure of Cipherline LLC to enforce any right or provision of these Terms shall not constitute a waiver of such right or provision. Any waiver of any provision of these Terms will be effective only if in writing and signed by Cipherline LLC.

22. Assignment

You may not assign or transfer these Terms, or any rights or obligations hereunder, without the prior written consent of Cipherline LLC. Cipherline LLC may assign these Terms, in whole or in part, without restriction, including in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets. Subject to the foregoing, these Terms shall bind and inure to the benefit of the parties and their respective successors and permitted assigns.

23. Entire Agreement

These Terms, together with our Privacy Policy, constitute the entire agreement between you and Cipherline LLC regarding your use of the Service and supersede all prior agreements, representations, and understandings.

24. Contact

If you have questions about these Terms, please reach out to Cipherline LLC at admin@xploitscan.com.