THESE PLATFORM TERMS OF USE (THE “TERMS”) GOVERN YOUR ACCESS TO AND USE OF THE XYGENI PLATFORM AND RELATED SERVICES PROVIDED BY XYGENI SECURITY, S.L. (“XYGENI”, “COMPANY”, “WE” OR “US”). BY ACCESSING OR USING THE PLATFORM, OR BY AGREEING TO ANY ORDER FORM THAT REFERENCES THESE TERMS, YOU (THE “CUSTOMER” OR “YOU”) AGREE TO BE BOUND BY THESE TERMS. IF YOU ARE ENTERING INTO THESE TERMS ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE AUTHORITY TO BIND THAT ENTITY.
For the purposes of these Terms:
Subject to these Terms and timely payment of applicable Fees, Xygeni grants Customer a limited, non-exclusive, non-transferable, non-sublicensable license to access and use the Platform during the Subscription Term solely for Customer’s internal business security purposes and in accordance with the Documentation and the applicable Order Form.
Xygeni may offer a free trial period of 7 days. During any free trial, Customer may access the Platform solely for internal evaluation purposes. The trial commences upon account activation and terminates at the end of the trial period unless Customer and Xygeni execute an Order Form for a paid subscription. Xygeni may modify or terminate the trial upon reasonable notice. Xygeni’s obligations during any free trial period are limited to providing access to the Platform on an “as is” basis, without any service level commitments. All data gathered during a trial will be permanently deleted 30 days after trial expiration.
Customer must register at least one administrative account to access the Platform. Customer represents that all registration information provided is accurate and will be kept current. Customer is responsible for maintaining the confidentiality of account credentials and for all activities under its account. Customer must notify Xygeni immediately at legal@xygeni.io of any suspected unauthorised access or security breach.
A “contributor” is defined as any user, bot, build agent or other entity having made a commit to a monitored repository in the preceding 90 days. Customer’s subscription is based on the number of contributors and licensed seats specified in the applicable Order Form. Customer may not exceed these limits without executing a new or amended Order Form and paying applicable additional Fees.
2.5 No Support or Maintenance (Free Accounts).
For free or trial accounts, Xygeni has no obligation to provide any support or maintenance. For paid subscriptions, support is provided in accordance with Xygeni’s support policy and the applicable Order Form.
Xygeni may make a free tier of the Platform available (“Free License”) subject to the usage limits and feature set specified on Xygeni’s pricing page at https://xygeni.io/pricing, as updated from time to time. A Free License is granted for Customer’s internal business security purposes only and is subject to these Terms in their entirety, with the following modifications:
Customer shall use commercially reasonable efforts to prevent unauthorised access to or use of the Platform and notify Xygeni promptly of any such unauthorised access. Customer shall not, directly or indirectly:
Customer shall not use any Services Data for the purpose of developing or commercialising a competing product or service. As between the parties, Xygeni retains all right, title and interest in and to Services Data. Any unauthorised use or disclosure of Services Data may result in immediate suspension of access and pursuit of legal remedies.
Customer represents, covenants and warrants that it will use the Platform only in compliance with applicable laws and regulations. Customer agrees to indemnify Xygeni from third party claims arising from Customer’s use of the Platform in material breach of these Terms or applicable law.
Customer is responsible for obtaining and maintaining all equipment, software and connectivity needed to access and use the Platform. Customer is solely responsible for the security of its own systems, credentials, networks and infrastructure. All use of the Platform through Customer’s accounts — whether or not authorised by Customer — is Customer’s responsibility.
Where Customer installs Xygeni scanners, sensors, agents or CLI tools within its own infrastructure (whether in a fully on-premise or hybrid deployment), Customer assumes full and exclusive responsibility for: (a) the security, configuration and maintenance of its environment; (b) the timely application of all patches, updates and security fixes made available by Xygeni; (c) the management of access credentials and permissions granted to Xygeni software within its environment; and (d) data protection, backup and disaster recovery within its infrastructure. Xygeni shall not be responsible for incidents arising primarily from Customer’s infrastructure or failure to apply Xygeni’s recommendations.
Xygeni may suspend Customer’s access to the Platform if: (i) the Platform is being used in material violation of these Terms; (ii) suspension is necessary to protect Xygeni’s network or other customers; (iii) Customer’s use may expose Xygeni or its affiliates to liability; or (iv) suspension is required by law. Xygeni will use reasonable efforts to provide advance notice of suspension where practicable. Xygeni shall use reasonable efforts to limit any suspension to the affected portion of the Platform and to restore access as soon as reasonably practicable.
All intellectual property rights in and to the Platform, Documentation, Services Data and related materials remain exclusively with Xygeni. These Terms do not transfer any ownership rights in Xygeni’s technology to Customer. The limited license granted in Section 2.1 is the sole right granted to Customer with respect to Xygeni’s intellectual property.
Customer retains all intellectual property rights in and to Customer Data. Xygeni does not claim any ownership of Customer Data or Customer’s software artefacts, code, repositories or projects. Customer grants Xygeni a limited, non-exclusive license to access and process Customer Data solely to the extent necessary to provide the Platform and fulfil its obligations under these Terms.
For standard security scanning, Xygeni only processes findings and metadata — source code is not stored on or transmitted to Xygeni’s servers. Certain features, including AI-powered code remediation and analysis, require access to specific code segments to function. In such cases, only the portions of code strictly necessary for the operation of the feature are accessed, solely for the duration required to deliver the result. Where Customer has integrated their own AI model, all processing occurs entirely within Customer’s own infrastructure and Xygeni has no access to that data. Xygeni does not use Customer code to train AI models. Any such access shall be subject to appropriate security and confidentiality safeguards.
Xygeni may collect and use anonymised and aggregated data derived from Customer’s use of the Platform provided that such data does not identify Customer or any individual and is not reasonably capable of identifying Customer or any individual.
Customer grants Xygeni a non-exclusive, worldwide, royalty-free license to use and incorporate Feedback for the purpose of improving the Platform.
Xygeni may identify Customer as a customer of the Platform, subject to Customer’s prior written consent (not to be unreasonably withheld or delayed).
Each party (as “Receiving Party”) agrees to: (a) hold the other party’s (“Disclosing Party’s”) Confidential Information in strict confidence using at least the same degree of care it uses to protect its own confidential information (and in no event less than reasonable care); (b) not use Confidential Information for any purpose other than exercising rights or fulfilling obligations under these Terms; and (c) not disclose Confidential Information to any third party except to employees, contractors or advisors who have a need to know and are bound by confidentiality obligations at least as protective as those herein.
“Confidential Information” means any non-public information disclosed by one party to the other that is designated as confidential or that reasonably should be understood to be confidential given its nature. Xygeni’s Confidential Information includes non-public features, functionality and performance information about the Platform. Customer’s Confidential Information includes Customer Data.
Confidentiality obligations do not apply to information that: (a) is or becomes publicly available through no fault of the Receiving Party; (b) was rightfully known to the Receiving Party before disclosure; (c) is independently developed without use of Confidential Information; or (d) is required to be disclosed by applicable law or court order, provided the Receiving Party gives the Disclosing Party reasonable prior written notice.
Confidentiality obligations survive termination of these Terms for five (5) years.
Certain features of the Platform utilise artificial intelligence components for purposes including code remediation, vulnerability analysis and security insights. Customer acknowledges and agrees that:
Customer shall pay the Fees set out in the applicable Order Form. All Fees are non-refundable except as expressly required by applicable law.
Xygeni may perform periodic audits (no more than once per calendar year) to verify Customer’s compliance with the licence usage limits specified in the applicable Order Form. If an audit reveals that Customer has exceeded the licensed contributor limits, Xygeni will notify Customer and Customer shall purchase the additional licences required to achieve compliance within thirty (30) days of such notice. Additional licenses identified through an audit will be billed from the date of notification at the then-applicable rate.
Unless otherwise specified in the Order Form, invoices are due within thirty (30) days of the invoice date. Xygeni may suspend access to the Platform if any undisputed payment is overdue by more than fifteen (15) days after written notice.
All Fees are exclusive of applicable taxes, including VAT. Customer is responsible for all applicable taxes other than taxes on Xygeni’s net income.
Xygeni may adjust Fees at renewal upon at least sixty (60) days’ prior written notice.
Xygeni warrants that it will use commercially reasonable efforts consistent with prevailing industry standards to maintain the Platform in a manner that minimises errors and interruptions. The Platform may be temporarily unavailable for scheduled or emergency maintenance or due to causes beyond Xygeni’s reasonable control. Xygeni will use reasonable efforts to provide advance notice of scheduled maintenance.
CUSTOMER ACKNOWLEDGES THAT NO SOFTWARE OR SECURITY SOLUTIONS CAN GUARANTEE ABSOLUTE PROTECTION AGAINST ALL VULNERABILITIES OR THREATS. XYGENI DOES NOT WARRANT OR GUARANTEE THAT THE PLATFORM WILL PREVENT ALL SECURITY INCIDENTS, DETECT ALL VULNERABILITIES, OR PROVIDE COMPLETE PROTECTION AGAINST ALL FORMS OF UNAUTHORISED ACCESS, MALWARE, RANSOMWARE, ADVANCED PERSISTENT THREATS OR STATE-SPONSORED ATTACKS. THE PLATFORM IS DESIGNED TO IDENTIFY KNOWN THREATS AND VULNERABILITIES BASED ON CURRENT THREAT INTELLIGENCE AS OF THE DATE OF PROVISION. CUSTOMER IS SOLELY RESPONSIBLE FOR ACTING ON FINDINGS PROVIDED BY THE PLATFORM AND FOR IMPLEMENTING APPROPRIATE SECURITY MEASURES IN ITS OWN ENVIRONMENT.
EXCEPT AS EXPRESSLY SET FORTH IN THESE TERMS, THE PLATFORM IS PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS. TO THE MAXIMUM EXTENT PERMITTED BY LAW, XYGENI DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED OR STATUTORY. NOTHING IN THESE TERMS EXCLUDES OR LIMITS ANY LIABILITY THAT CANNOT BE EXCLUDED UNDER APPLICABLE LAW.
Customer warrants that: (a) it has authority to enter into these Terms; (b) it has a valid legal basis for providing Customer Data to Xygeni; (c) its use of the Platform will comply with all applicable laws; and (d) it will maintain reasonable security measures for its own systems and integrations.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, XYGENI SHALL NOT BE LIABLE FOR ANY INDIRECT DAMAGES OR LOSSES, INCLUDING, IN PARTICULAR, LOSS OF PROFITS, LOSS OF BUSINESS, LOSS OF REVENUE, LOSS OF GOODWILL OR REPUTATIONAL DAMAGE, ARISING OUT OF OR IN CONNECTION WITH THESE TERMS.
XYGENI SHALL NOT BE LIABLE FOR ANY LOSS OR CORRUPTION OF DATA, OR FOR ANY INTERRUPTION OF BUSINESS, EXCEPT TO THE EXTENT SUCH DAMAGE RESULTS DIRECTLY FROM XYGENI’S BREACH OF ITS OBLIGATIONS UNDER THESE TERMS.
Xygeni shall not be liable for security incidents to the extent they are caused by: (a) Customer’s systems or infrastructure; (b) third-party services not controlled by Xygeni; or (c) Customer’s failure to implement reasonable security measures or follow Xygeni’s documented recommendations.
The aggregate liability of Xygeni under or in connection with these Terms shall not exceed the total amounts paid by Customer to Xygeni in the 0 months preceding the event giving rise to the claim.
Nothing in these Terms shall limit or exclude liability for: (i) death or personal injury caused by negligence; (ii) fraud or fraudulent misrepresentation; or (iii) any liability which cannot be limited under applicable law.
Some jurisdictions do not allow the limitation or exclusion of liability for incidental or consequential damages, so to that extent some of the above limitations or exclusions may not apply.
The parties acknowledge that the limitations in this Section 9 reflect a fair and reasonable allocation of risk and are an essential element of the basis of the bargain between the parties.
Customer shall indemnify Xygeni from third party claims arising from Customer’s use of the Platform in breach of these Terms or applicable law.
Xygeni shall defend, indemnify and hold harmless Customer from and against third-party claims alleging that the Platform, as provided by Xygeni and used by Customer in strict accordance with these Terms, infringes a third party’s intellectual property rights. This obligation does not apply to claims arising from: (a) Customer’s modification of the Platform; (b) combination with third-party products not provided by Xygeni; or (c) use in violation of these Terms or the Documentation.
In the event of such a claim, Xygeni may, at its option: (i) procure the right for Customer to continue using the Platform; (ii) replace or modify the Platform to make it non-infringing; or (iii) terminate the affected services and refund any prepaid unused fees.
The indemnified party shall promptly notify the indemnifying party in writing of any claim and give the indemnifying party sole control of the defence and settlement. The indemnified party shall provide reasonable cooperation at the indemnifying party’s expense. The indemnifying party may not settle any claim that imposes liability on the indemnified party without prior written consent.
Where Xygeni processes personal data on behalf of Customer in connection with the Platform, such processing is governed by Xygeni’s Data Processing Agreement (DPA), available at https://xygeni.io/legal/dpa, which is incorporated into these Terms by reference. By accepting these Terms (or any Order Form incorporating them), Customer confirms it has read and accepted the DPA. Customer is solely responsible for ensuring it has a valid legal basis under applicable data protection law for providing Customer Data to Xygeni. Customer Data may include personal data, as further described in the DPA.
Where the parties have separately executed a written DPA, that executed version governs over the publicly published version with respect to data protection matters.
For clarity, the DPA applies only where Xygeni processes personal data on behalf of Customer in connection with the Services.
Each party shall comply with its respective obligations under applicable data protection laws.
Xygeni implements and maintains appropriate technical and organisational security measures for the Platform infrastructure under its direct control, consistent with Xygeni’s ISO 27001 certified information security management system. Such measures include logical access controls, encryption in transit (TLS 1.2+) and at rest (AES-256), network segmentation, regular vulnerability scanning and security incident response procedures.
In the event of a confirmed security incident affecting Customer Data within Xygeni’s Platform infrastructure, Xygeni shall notify Customer without undue delay and, where feasible, within 48 hours of becoming aware, including the nature of the incident, approximate volume of Customer Data affected, likely consequences and measures taken, in accordance with the DPA. Notification does not constitute an admission of liability. Obligations regarding personal data breaches are further governed by the DPA.
Customer shall implement and maintain reasonable security measures for its own systems and integrations, including: (a) multi-factor authentication where technically feasible; (b) appropriate network security controls; (c) regular backups of Customer Data independent of the Platform; and (d) timely application of Xygeni’s security recommendations. Customer’s failure to maintain these measures may reduce or eliminate Xygeni’s liability under Section 9.
These Terms commence on the date Customer first accepts them or executes an Order Form and continue for the Subscription Term specified in the Order Form. Subscription Terms automatically renew for successive periods equal to the initial term unless either party provides written notice of non-renewal at least sixty (60) days before the end of the then-current term.
Either party may terminate these Terms or any Order Form immediately upon written notice if: (a) the other party materially breaches these Terms and fails to cure within thirty (30) days of written notice specifying the breach; or (b) the other party becomes insolvent or has a receiver or liquidator appointed.
Upon termination or expiration: (a) all licenses immediately cease; (b) Customer shall cease using the Platform and uninstall and delete all copies of any software; (c) Customer remains liable for all Fees due up to the termination date; (d) Xygeni shall retain Customer Data for a limited period following termination solely for operational and legal purposes, after which it will be deleted in accordance with Xygeni’s data retention policy; and (e) each party shall promptly return or destroy the other party’s Confidential Information upon request.
Sections 3.2, 4.1, 4.6, 5, 9, 10, 13.3 and 14 survive termination.
Xygeni may update these Terms from time to time. Material changes will be notified in advance. If Customer does not agree to such changes, Customer may terminate the affected services.
By using the Platform, Customer consents to receive communications from Xygeni in electronic form. All terms, agreements, notices and communications provided electronically satisfy any legal requirement that such communications be in writing.
If a dispute arises under or relating to these Terms, the parties shall first attempt to resolve it informally by having representatives with decision-making authority meet in good faith within fifteen (15) days of written notice of the dispute. If the dispute is not resolved within thirty (30) days after such notice, or if no meeting occurs within fifteen (15) days, either party may initiate formal proceedings.
These Terms are governed by the laws of Spain, without regard to conflicts of laws principles. The United Nations Convention on Contracts for the International Sale of Goods is excluded. Subject to the dispute resolution process in Section 14.3, the parties submit to the exclusive jurisdiction of the courts of Madrid, Spain.
These Terms, together with any executed Order Forms and the DPA, constitute the entire agreement between the parties regarding the Platform and supersede all prior agreements and representations.
These Terms may be amended only as described in Section 14.1. Individual Order Forms may include terms that supplement or modify these Terms for that specific engagement; in case of conflict, the Order Form prevails on commercial terms and these Terms prevail on liability and legal terms.
If any provision is held invalid or unenforceable, the remaining provisions remain in full force.
Customer may not assign these Terms without Xygeni’s prior written consent. Xygeni may assign to an affiliate or in connection with a merger or acquisition.
The parties are independent contractors. Nothing herein creates a partnership, joint venture or employment relationship.
Customer agrees to comply with all applicable export and import control laws and regulations in connection with its use of the Platform.
During the Subscription Term and for one (1) year thereafter, neither party may directly or indirectly solicit or recruit for employment any employee or contractor of the other party who had material involvement in the performance of these Terms. This restriction does not prevent either party from hiring any such person who responds to a general public job posting or who approaches the hiring party on an entirely unsolicited basis.
For legal notices under these Terms: Xygeni Security, S.L., Calle Pasión 4, 2 Planta, 47001 Valladolid, Spain. Email: legal@xygeni.io.