Terms of Service

BleedWatch means the continuous external attack surface management service operated by BleedWatch SASU, including the public marketing site, the authenticated application, APIs, scanners, reports, integrations, and related support channels.

Customer means the person or organization that creates an account, starts a trial, signs an order form, or otherwise authorizes use of the service. Authorized users are the employees, contractors, or service providers invited into that customer account.

Assets mean the domains, repositories, packages, registries, cloud identifiers, IP ranges, or other targets that a customer submits or confirms as within their authorized scope. Findings mean the observations, evidence packs, risk ratings, tickets, and remediation guidance produced by BleedWatch.

These definitions are placeholder drafting. Counsel should replace or expand them before launch, especially where an order form, enterprise addendum, data processing addendum, or service-level agreement introduces terms that need to control.

BleedWatch provides continuous, externally observable scanning across authorized public surfaces such as Docker registries, package registries, Git hosting platforms, DNS, certificates, and live web exposure. The service is designed to discover risk, correlate evidence, and route remediation work to customer tools.

The service may include self-serve scans, scheduled monitoring, module-specific analysis, integrations, dashboards, email notifications, support interactions, and generated reports. Feature availability depends on the customer's tier, contracted scope, and any operational limits described in the pricing page or order form.

BleedWatch may modify, improve, suspend, or retire individual features when needed for security, reliability, legal compliance, or product quality. Material reductions to a paid tier should be handled with reasonable notice and a commercially fair remedy.

The customer remains responsible for confirming scope, validating findings, prioritizing remediation, and deciding whether to take operational action. BleedWatch provides security intelligence and workflow support; it does not guarantee that every vulnerability, secret, misconfiguration, or exposure will be found.

Customers are responsible for the accuracy of account information, billing contacts, workspace ownership, and administrator assignments. Shared accounts should be avoided because audit history, integration ownership, and support authority depend on identifiable users.

Self-serve plans may be billed monthly or annually through the checkout provider. Enterprise plans may use order forms, purchase orders, invoices, usage commitments, or negotiated renewal mechanics.

Trials, downgrades, refunds, taxes, late payment, and renewal notices should be finalized before launch. The pricing page should remain aligned with these terms so a buyer does not see different commercial promises across the site.

BleedWatch may contact account owners about billing, security, operational notices, feature changes, and contract administration. Marketing messages should respect the Privacy Policy and applicable consent requirements.

Subject to these terms and payment of applicable fees, BleedWatch grants the customer a limited, non-exclusive, non-transferable, revocable right to access and use the service for the customer's internal security, compliance, and remediation workflows.

The customer may invite authorized users, configure integrations, export reports, and share findings internally or with professional advisors who are bound by confidentiality obligations. Enterprise customers may receive additional rights through an order form or written addendum.

The customer may not resell, white-label, sublicense, benchmark for publication, reverse engineer, interfere with, or use the service to build a competing product without prior written permission. This placeholder should be tuned for partner, auditor, and managed-service-provider scenarios before launch.

BleedWatch retains all rights in the platform, software, detection logic, user interface, templates, documentation, and aggregate operational learning. The customer retains rights in customer data, submitted assets, integration metadata, and customer-specific findings.

Customers must only submit assets that they own, operate, administer, or have explicit written authorization to test. This requirement applies to passive scanning, active validation, package review, repository analysis, and any integration-triggered workflow.

The service may not be used for unauthorized reconnaissance, exploit development against third parties, credential harvesting, denial-of-service activity, phishing, spam, malware distribution, evasion testing, or any activity that violates law or third-party rights.

Customers must keep account credentials, magic links, API keys, webhooks, and integration tokens secure. If a customer suspects unauthorized access or scope misuse, they should notify BleedWatch promptly so the account can be reviewed and protected.

BleedWatch may throttle, pause, or suspend scans that appear unsafe, abusive, out of scope, or likely to harm third-party systems. SaintScan and other active validation modules may require stricter authorization checks, tier gates, and manual review before execution.

Support channels, response targets, onboarding assistance, and security review packages may vary by tier. Community users should expect self-serve help, while enterprise customers may receive named support paths through an order form.

BleedWatch may publish changelog entries, status updates, product emails, or in-app notices when features, limits, integrations, or operational practices change. Material contract changes should follow the notice mechanics finalized by counsel.

Preview, beta, or early-access features may be provided with additional limitations. They should not be used for production decisions unless BleedWatch explicitly marks them as generally available.

Customer feedback may be used to improve the service unless the customer has signed a separate confidentiality term that restricts that use.

Any public use of BleedWatch names, logos, or testimonials should require written approval unless a signed agreement says otherwise.

Customers should keep integration destinations, notification channels, and administrative contacts current so urgent security or service notices reach the right team.

The service is provided for security monitoring and risk reduction. It is not a substitute for a complete secure development lifecycle, incident-response program, legal compliance program, penetration test, or insurance review.

To the maximum extent permitted by applicable law, BleedWatch should not be liable for indirect, incidental, consequential, special, punitive, or exemplary damages, including lost profits, lost revenue, loss of goodwill, business interruption, or loss of data.

Any aggregate liability cap, warranty disclaimer, indemnity allocation, payment refund, or carve-out for confidentiality, data protection, gross negligence, willful misconduct, or unpaid fees must be finalized by counsel. This placeholder intentionally avoids pretending those commercial terms are settled.

Customers are responsible for ensuring that scanning scope, integrations, notifications, and remediation workflows match their legal obligations and internal policies. BleedWatch is responsible for operating the service with reasonable care, security controls, and professional diligence.

Customers may stop using the service, cancel self-serve subscriptions, or downgrade according to the applicable billing flow. Enterprise termination rights should be controlled by the signed order form, master services agreement, or addendum.

BleedWatch may suspend or terminate access for non-payment, material breach, unsafe scanning activity, unauthorized scope, legal requirement, security risk, or conduct that threatens the service, customers, employees, or third parties.

After termination, BleedWatch should disable account access and handle retained data according to the privacy policy, DPA, order form, and applicable law. Some records may be retained for billing, security, audit, legal defense, abuse prevention, and compliance purposes.

Customers should export reports, findings, and evidence they need before cancellation where the product makes export available. BleedWatch should document any post-termination retrieval window before production launch.

These placeholder terms are intended to be governed by French law, without regard to conflict-of-law rules. Counsel should confirm whether consumer, commercial, public-sector, or international contracting rules require additional language.

Subject to any mandatory venue rules, disputes should be submitted to the competent courts of Paris, France. Enterprise agreements may include escalation, mediation, injunctive relief, or procurement-specific dispute procedures.

If part of these terms is found unenforceable, the remaining provisions should continue to apply, and the unenforceable provision should be replaced with an enforceable provision that most closely reflects the intended commercial purpose.

Questions about these terms, account authorization, or enterprise contracting should be sent to [email protected]. This page is not final legal advice and must be reviewed before production use.