Terms of Service

Last updated: October 18, 2025

These Terms of Service (“Terms”) govern the access to and use of the Flodmonitor platform, including all attack surface discovery, vulnerability scanning, penetration testing automation, alerting and reporting capabilities (collectively, the “Services”). By creating an account, running a scan, or otherwise using the Services, you agree to be bound by these Terms. If you are signing up or using the Services on behalf of an organisation, you represent that you have the authority to bind that organisation, and “Customer”, “you”, and “your” refer to that entity.

1. Our role

Flodmonitor (“Flodmonitor”, “we”, “us”, or “our”) provides software and managed automations that surface vulnerabilities and exposures across internet-facing assets. We act as a service provider / data processor in relation to any personal data that is processed during delivery of the Services. The Customer is responsible for determining the lawful basis for monitoring the assets that it includes in the platform.

2. Eligibility and account registration

  • Customers must be at least 18 years old and legally capable of entering into contracts.
  • Accounts are provisioned per Customer and may only be used by authorised personnel of that Customer.
  • You must keep credentials, API keys, and authentication factors confidential and promptly notify us of any suspected compromise.

3. Permitted use of the Services

  • You may only submit targets (domains, IP addresses, cloud resources, repositories, etc.) for scanning that you own or are expressly authorised to test.
  • You must ensure that any third-party agreements (e.g., hosting providers, cloud vendors, SaaS suppliers) permit the level of testing you initiate through Flodmonitor.
  • You may not use the Services to gain unauthorised access, disrupt systems, transmit malware, harvest credentials, or otherwise violate applicable law (including computer misuse, export control, or sanctions regulations).
  • You remain responsible for validating findings and for implementing remediation. Flodmonitor provides recommendations but does not directly modify Customer systems unless both parties agree in writing.

4. Service scope and changes

  • We continuously improve the discovery engines, scanning modules, integrations, and risk scoring logic. Specific features may change, but we will not materially reduce core functionality without prior notice.
  • We may suspend the Services to address security emergencies or misuse. Paid subscriptions will receive pro-rated credits for unplanned downtime exceeding our service commitment.
  • We reserve the right to decline or terminate scans that create legal risk, burden shared infrastructure, or are otherwise inconsistent with these Terms.

5. Customer responsibilities

  • Provide accurate configuration details (domains, asset ownership, API keys, login credentials, rate limits) and update them when changes occur.
  • Configure exclusions or maintenance windows where required to avoid disruption.
  • Obtain all necessary consents and give legally required notifications to employees, partners, or third parties before initiating monitoring or testing.
  • Review reports promptly, assign remediation owners, and ensure that serious findings (especially critical vulnerabilities and exposed credentials) are acted upon without undue delay.
  • Maintain reliable backup copies of artefacts you wish to retain; Flodmonitor’s retention periods are described below.

6. Data handling, retention, and GDPR

6.1 Categories of data processed

The platform processes several classes of information:

  • Account data: administrator and user contact details, authentication tokens, billing contact information.
  • Scan input data: domains, IP addresses, infrastructure descriptors, API keys, credentials, and other configuration metadata supplied by Customer.
  • Scan output data: HTTP responses, headers, banners, certificate details, service fingerprints, discovered assets, vulnerability evidence, screenshots, exploit test payloads, workflow execution logs, and remediation status updates.
  • Operational telemetry: job execution metrics, performance logs, error traces, and support tickets.

6.2 GDPR compliance

  • When the Services reveal personal data (e.g., exposed credentials, employee email addresses, customer data), the Customer acts as the data controller and Flodmonitor acts as a data processor under Regulation (EU) 2016/679 (“GDPR”).
  • The lawful basis for processing is determined by the Customer (typically legitimate interest, contractual necessity, or legal obligation relating to security).
  • We process data strictly on documented instructions from the Customer, maintain appropriate technical and organisational measures, and ensure confidentiality through staff access controls and auditing.
  • Flodmonitor will promptly inform the Customer about detected personal-data breaches and cooperate with incident investigations, regulatory notifications, and data subject requests.
  • Data processing agreements (DPAs) and, where required, Standard Contractual Clauses are available upon request via our contact centre at https://flodmonitor.com/contact.
  • Data is primarily stored within the European Union. Transfers to sub-processors outside the EEA employ recognised transfer safeguards (standard contractual clauses or adequacy decisions).

6.3 Retention

  • Default retention for scan logs and findings is 18 months unless the Customer chooses shorter periods or deletes data earlier.
  • Aggregated statistics and anonymised benchmarks may be retained to improve detection models, but they no longer contain personal data or Customer identifiers.
  • Backups follow a rolling 35-day schedule. Upon termination, Customer data is deleted within 60 days except where longer retention is required by law.

7. Confidentiality and security

  • Each party must keep the other party’s confidential information secret and may only use it to perform or receive the Services.
  • Flodmonitor implements role-based access control, network segmentation, encryption in transit and at rest, continuous vulnerability management, secure software development practices, and incident response procedures.
  • Customers are responsible for the security of their own systems, identity providers, and any credentials supplied to Flodmonitor or stored in the platform.

8. Intellectual property

  • Flodmonitor retains all intellectual property rights in the Services, including discovery methodologies, detection content, user interface designs, APIs, and documentation.
  • Customers receive a non-exclusive, non-transferable licence to use the platform during the subscription term.
  • Customers grant Flodmonitor a limited licence to use submitted logos, marks, and testimonials for marketing only with prior written approval.
  • Feedback and suggestions may be used by Flodmonitor without obligation.

9. Fees and payment

  • Subscription fees, usage-based charges, and payment terms are specified in the applicable order form or pricing plan.
  • Amounts are exclusive of taxes unless stated otherwise. Customers are responsible for VAT, GST, or similar taxes, excluding taxes on Flodmonitor’s income.
  • Late payments may incur interest (1.5% per month or the maximum allowed by law) and may result in suspension of the Services.

10. Service credits and support

  • Support channels and response targets are detailed in the support policy published at https://flodmonitor.com/support.
  • Customers must open support tickets or incident reports with sufficient detail for replication.
  • For paid tiers, recurring SLA credits are issued when uptime or response commitments are not met, provided Customer’s account is in good standing.

11. Disclaimers

  • The Services are provided “as is” and “as available”. We do not guarantee that every vulnerability will be discovered or that exploitation attempts will never bypass safeguards.
  • Reports and playbooks are advisory; implementation decisions remain with the Customer.
  • Except where prohibited by law, we disclaim all implied warranties, including merchantability, fitness for a particular purpose, and non-infringement.

12. Limitation of liability

  • To the fullest extent permitted by law, neither party is liable for indirect, incidental, consequential, special, exemplary, or punitive damages, including lost profits, business interruption, or data loss.
  • Each party’s aggregate liability under these Terms is limited to the fees paid or payable by the Customer to Flodmonitor in the twelve (12) months preceding the event giving rise to the claim.
  • The limitations above do not apply to (a) a party’s gross negligence or wilful misconduct, (b) breach of confidentiality obligations, (c) Customer’s payment obligations, or (d) indemnities expressly granted herein.

13. Indemnification

  • The Customer agrees to defend and indemnify Flodmonitor against claims, damages, fines, or expenses arising from the Customer’s breach of these Terms, infringement of third-party rights, or unauthorised/illegal scanning.
  • Flodmonitor will defend and indemnify the Customer against third-party claims alleging that the Services infringe intellectual property rights, provided the Customer promptly notifies us and allows us to control the defence. We may modify the Services to address infringement concerns or terminate affected functionality with a pro-rated refund if modification is not commercially reasonable.

14. Suspension and termination

  • Either party may terminate for material breach if the breach is not cured within 30 days of written notice.
  • Flodmonitor may suspend access immediately in case of security threats, suspected misuse, non-payment, or legal obligations.
  • Upon termination, Customer access is disabled, data is deleted as described above, and any outstanding fees become immediately due.

15. Changes to these Terms

  • We may update these Terms to reflect service improvements, regulatory requirements, or operational adjustments.
  • Material changes will be communicated via in-product notifications or email at least 30 days before the effective date. Continued use of the Services after the effective date constitutes acceptance of the revised Terms.

16. Governing law and jurisdiction

  • These Terms are governed by the laws of the Netherlands, excluding its conflict-of-law rules.
  • The competent courts of Amsterdam, the Netherlands, will have exclusive jurisdiction over disputes, unless overriding mandatory law grants either party a different forum.

17. Export control and sanctions

  • You may not use the Services in violation of EU, UK, or US export control or sanctions laws.
  • You represent that neither you nor your beneficial owners are on any denied-party list or located in an embargoed jurisdiction.

18. Miscellaneous

  • These Terms, together with any order forms and policies referenced herein, constitute the entire agreement between the parties.
  • Failure to enforce a provision is not a waiver.
  • If any provision is found unenforceable, the remaining Terms remain in effect.
  • You may not assign or transfer rights without our prior written consent; we may assign in connection with a merger, acquisition, or sale of substantially all assets.

19. Contact

For privacy, legal, or support questions, please reach out through https://flodmonitor.com/contact or submit a ticket via the in-product help centre.
