THESE PLATFORM TERMS OF USE (THE “TERMS”) GOVERN YOUR ACCESS TO AND USE OF THE XYGENI PLATFORM AND RELATED SERVICES PROVIDED BY XYGENI SECURITY, S.L. (“XYGENI”, “COMPANY”, “WE” OR “US”). PLEASE READ THESE TERMS CAREFULLY. BY ACCESSING OR USING THE PLATFORM, OR BY AGREEING TO ANY ORDER FORM THAT REFERENCES THESE TERMS, YOU (THE “CUSTOMER” OR “YOU”) ACCEPT AND AGREE TO BE BOUND BY THESE TERMS. IF YOU ARE ENTERING INTO THESE TERMS ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE AUTHORITY TO BIND THAT ENTITY. IF YOU DO NOT AGREE, DO NOT ACCESS OR USE THE PLATFORM.
For the purposes of these Terms:
Subject to these Terms and timely payment of applicable Fees, Xygeni grants Customer a limited, non-exclusive, non-transferable, non-sublicensable license to access and use the Platform during the Subscription Term solely for Customer’s internal business security purposes and in accordance with the Documentation and the applicable Order Form.
Xygeni may offer a free trial period of 14 days. During any free trial, Customer may access the Platform solely for internal evaluation purposes. The trial commences upon account activation and terminates at the end of the trial period unless Customer and Xygeni execute an Order Form for a paid subscription. Xygeni may modify or terminate the trial at any time without notice. Xygeni’s obligations under Sections 5.1 and 10 do not apply during any free trial period. All data gathered during a trial will be permanently deleted 30 days after trial expiration.
Customer must register at least one administrative account to access the Platform. Customer represents that all registration information provided is accurate and will be kept current. Customer is responsible for maintaining the confidentiality of account credentials and for all activities under its account. Customer must notify Xygeni immediately at legal@xygeni.io of any suspected unauthorised access or security breach.
A “contributor” is defined as any user, bot, build agent or other entity having made a commit to a monitored repository in the preceding 90 days. Customer’s subscription is based on the number of contributors and licensed seats specified in the applicable Order Form. Customer may not exceed these limits without executing a new or amended Order Form and paying applicable additional Fees.2.5 No Support or Maintenance (Free Accounts).
For free or trial accounts, Xygeni has no obligation to provide any support or maintenance. For paid subscriptions, support is provided in accordance with Xygeni’s support policy and the applicable Order Form.
Customer shall use commercially reasonable efforts to prevent unauthorised access to or use of the Platform and notify Xygeni promptly of any such unauthorised access. Customer shall not, directly or indirectly:
Customer shall not use any information obtained from the Platform — including Xygeni’s vulnerability database and associated proprietary information (“Services Data”) — for the purpose of creating, developing, enhancing or improving any products, services or offerings of Customer or any third party, without Xygeni’s express prior written consent. As between the parties, Xygeni retains all right, title and interest in and to Services Data. Any unauthorised use or disclosure of Services Data may result in immediate suspension of access and pursuit of legal remedies.
Customer represents, covenants and warrants that it will use the Platform only in compliance with applicable laws and regulations. Customer agrees to indemnify and hold harmless Xygeni against any damages, losses, liabilities and expenses arising from any claim resulting from Customer’s violation of applicable law in connection with its use of the Platform.
Customer is responsible for obtaining and maintaining all equipment, software and connectivity needed to access and use the Platform. Customer is solely responsible for the security of its own systems, credentials, networks and infrastructure. All use of the Platform through Customer’s accounts — whether or not authorised by Customer — is Customer’s responsibility.
Where Customer installs Xygeni scanners, sensors, agents or CLI tools within its own infrastructure (whether in a fully on-premise or hybrid deployment), Customer assumes full and exclusive responsibility for: (a) the security, configuration and maintenance of its environment; (b) the timely application of all patches, updates and security fixes made available by Xygeni; (c) the management of access credentials and permissions granted to Xygeni software within its environment; and (d) data protection, backup and disaster recovery within its infrastructure. Xygeni has no visibility into or control over Customer’s on-premise environment and shall have no liability for incidents arising from Customer’s infrastructure or failure to apply Xygeni’s recommendations.
Xygeni may suspend Customer’s access to the Platform if: (i) the Platform is being used in material violation of these Terms; (ii) suspension is necessary to protect Xygeni’s network or other customers; (iii) Customer’s use may expose Xygeni or its affiliates to liability; or (iv) suspension is required by law. Xygeni will use reasonable efforts to provide advance notice of suspension where practicable.
All intellectual property rights in and to the Platform, Documentation, Services Data and related materials remain exclusively with Xygeni. These Terms do not transfer any ownership rights in Xygeni’s technology to Customer. The limited license granted in Section 2.1 is the sole right granted to Customer with respect to Xygeni’s intellectual property.
Customer retains all intellectual property rights in and to Customer Data. Xygeni does not claim any ownership of Customer Data or Customer’s software artefacts, code, repositories or projects. Customer grants Xygeni a limited, non-exclusive license to access and process Customer Data solely to the extent necessary to provide the Platform and fulfil its obligations under these Terms.
For standard security scanning, Xygeni only processes findings and metadata — source code is not stored on or transmitted to Xygeni’s servers. Certain features, including AI-powered code remediation and analysis, require access to specific code segments to function. In such cases, only the portions of code strictly necessary for the operation of the feature are accessed, solely for the duration required to deliver the result. Where Customer has integrated their own AI model, all processing occurs entirely within Customer’s own infrastructure and Xygeni has no access to that data. Xygeni does not use Customer code to train AI models.
Xygeni may collect and use anonymised, aggregated data derived from Customer’s use of the Platform — including tool version data, scan performance metrics and usage patterns — for the purpose of improving the Platform. Such data will not identify Customer or any individual. Xygeni retains all rights to such aggregated data.
If Customer provides Xygeni with feedback, suggestions or ideas regarding the Platform (“Feedback”), Customer hereby assigns to Xygeni all rights in such Feedback. Xygeni may use and exploit such Feedback in any manner without restriction or obligation to Customer.
XYGENI WILL PAY NO COMPENSATION OF ANY KIND FOR ANY FEEDBACK. CUSTOMER WAIVES ANY RIGHTS IT MAY HAVE TO PAYMENT OR COMPENSATION IN CONNECTION WITH ANY FEEDBACK.
Customer agrees that Xygeni has the right to identify Customer as a customer of the Platform, including by displaying Customer’s name and logo on Xygeni’s website and marketing materials. Customer may revoke this permission at any time by providing written notice to legal@xygeni.io.
Each party (as “Receiving Party”) agrees to: (a) hold the other party’s (“Disclosing Party’s”) Confidential Information in strict confidence using at least the same degree of care it uses to protect its own confidential information (and in no event less than reasonable care); (b) not use Confidential Information for any purpose other than exercising rights or fulfilling obligations under these Terms; and (c) not disclose Confidential Information to any third party except to employees, contractors or advisors who have a need to know and are bound by confidentiality obligations at least as protective as those herein.
“Confidential Information” means any non-public information disclosed by one party to the other that is designated as confidential or that reasonably should be understood to be confidential given its nature. Xygeni’s Confidential Information includes non-public features, functionality and performance information about the Platform. Customer’s Confidential Information includes Customer Data.
Confidentiality obligations do not apply to information that: (a) is or becomes publicly available through no fault of the Receiving Party; (b) was rightfully known to the Receiving Party before disclosure; (c) is independently developed without use of Confidential Information; or (d) is required to be disclosed by applicable law or court order, provided the Receiving Party gives the Disclosing Party reasonable prior written notice.
Confidentiality obligations survive termination of these Terms for five (5) years.
Certain features of the Platform utilise artificial intelligence components for purposes including code remediation, vulnerability analysis and security insights. Customer acknowledges and agrees that:
Customer shall pay the Fees set out in the applicable Order Form. All Fees are non-refundable except as expressly required by applicable law.
Xygeni may perform periodic audits (no more than once per calendar year) to verify Customer’s compliance with the licence usage limits specified in the applicable Order Form. If an audit reveals that Customer has exceeded the licensed contributor limits, Xygeni will notify Customer and Customer shall purchase the additional licences required to achieve compliance within thirty (30) days of such notice. Additional licences identified through an audit will be billed from the date of the audit, co-terminus with the existing Order Form, at a price equal to the then-applicable rate plus a ten percent (10%) premium.
Unless otherwise specified in the Order Form, invoices are due within thirty (30) days of the invoice date. Xygeni may suspend access to the Platform if any undisputed payment is overdue by more than fifteen (15) days after written notice.
All Fees are exclusive of applicable taxes, including VAT. Customer is responsible for all applicable taxes other than taxes on Xygeni’s net income.
Xygeni may adjust Fees at renewal upon at least sixty (60) days’ prior written notice.
Xygeni warrants that it will use commercially reasonable efforts consistent with prevailing industry standards to maintain the Platform in a manner that minimises errors and interruptions. The Platform may be temporarily unavailable for scheduled or emergency maintenance or due to causes beyond Xygeni’s reasonable control. Xygeni will use reasonable efforts to provide advance notice of scheduled maintenance.
CUSTOMER ACKNOWLEDGES THAT NO SOFTWARE, SYSTEM OR SERVICE — INCLUDING APPLICATION SECURITY TOOLS — IS COMPLETELY SECURE OR FREE FROM VULNERABILITIES. XYGENI DOES NOT WARRANT OR GUARANTEE THAT THE PLATFORM WILL PREVENT ALL SECURITY INCIDENTS, DETECT ALL VULNERABILITIES, OR PROVIDE COMPLETE PROTECTION AGAINST ALL FORMS OF UNAUTHORISED ACCESS, MALWARE, RANSOMWARE, ADVANCED PERSISTENT THREATS OR STATE-SPONSORED ATTACKS. THE PLATFORM IS DESIGNED TO IDENTIFY KNOWN THREATS AND VULNERABILITIES BASED ON CURRENT THREAT INTELLIGENCE AS OF THE DATE OF PROVISION. CUSTOMER IS SOLELY RESPONSIBLE FOR ACTING ON FINDINGS PROVIDED BY THE PLATFORM AND FOR IMPLEMENTING APPROPRIATE SECURITY MEASURES IN ITS OWN ENVIRONMENT.
EXCEPT AS EXPRESSLY SET FORTH IN SECTION 8.1, THE PLATFORM IS PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS. XYGENI AND ITS SUPPLIERS EXPRESSLY DISCLAIM ALL WARRANTIES, WHETHER EXPRESS, IMPLIED OR STATUTORY, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, ACCURACY AND UNINTERRUPTED OR ERROR-FREE OPERATION. CUSTOMER SHOULD NOTE THAT IN USING THE PLATFORM, INFORMATION MAY TRAVEL THROUGH THIRD-PARTY INFRASTRUCTURES NOT UNDER XYGENI’S CONTROL. XYGENI MAKES NO WARRANTY WITH RESPECT TO THE SECURITY OF SUCH THIRD-PARTY INFRASTRUCTURES.
Customer warrants that: (a) it has authority to enter into these Terms; (b) it has a valid legal basis for providing Customer Data to Xygeni; (c) its use of the Platform will comply with all applicable laws; and (d) it will maintain reasonable security measures for its own systems and integrations.
IN NO EVENT WILL XYGENI OR ITS AFFILIATES BE LIABLE TO CUSTOMER UNDER OR IN CONNECTION WITH THESE TERMS, UNDER ANY LEGAL OR EQUITABLE THEORY — INCLUDING BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY AND OTHERWISE — FOR ANY: (I) CONSEQUENTIAL, INCIDENTAL, INDIRECT, EXEMPLARY, SPECIAL, ENHANCED OR PUNITIVE DAMAGES; (II) INCREASED COSTS, DIMINUTION IN VALUE OR LOST BUSINESS, PRODUCTION, REVENUES OR PROFITS; (III) LOSS OF GOODWILL OR REPUTATION; (IV) LOSS, INTERRUPTION, DELAY OR RECOVERY OF ANY DATA, OR BREACH OF DATA OR SYSTEM SECURITY; OR (V) COST OF REPLACEMENT GOODS OR SERVICES — IN EACH CASE REGARDLESS OF WHETHER CUSTOMER WAS ADVISED OF THE POSSIBILITY OF SUCH LOSSES OR DAMAGES.
WITHOUT LIMITING THE FOREGOING, XYGENI SHALL HAVE NO LIABILITY FOR ANY SECURITY INCIDENT, LOSS OR DAMAGE ARISING FROM: (A) CYBERATTACKS, INTRUSIONS, DDOS ATTACKS OR UNAUTHORISED ACCESS BY THIRD PARTIES; (B) EXPLOITATION OF VULNERABILITIES IN CUSTOMER’S OWN ENVIRONMENT OR THIRD-PARTY INFRASTRUCTURE; (C) MALWARE, RANSOMWARE OR SIMILAR THREATS TARGETING CUSTOMER’S SYSTEMS; (D) ACTS OF ADVANCED PERSISTENT THREAT ACTORS OR STATE-SPONSORED ACTORS; (E) CUSTOMER’S FAILURE TO APPLY UPDATES, PATCHES OR SECURITY RECOMMENDATIONS PROVIDED BY XYGENI; OR (F) INCIDENTS ORIGINATING IN CUSTOMER’S ON-PREMISE OR HYBRID ENVIRONMENT.
THE COMBINED AGGREGATE LIABILITY OF XYGENI AND ITS AFFILIATES UNDER OR IN CONNECTION WITH THESE TERMS SHALL NOT EXCEED THE AMOUNTS ACTUALLY PAID BY CUSTOMER TO XYGENI PURSUANT TO THESE TERMS DURING THE 0 (ZERO) MONTHS IMMEDIATELY PRECEDING THE DATE ON WHICH CUSTOMER BRINGS ITS CLAIM. ACCORDINGLY, IF CUSTOMER HAS NOT PAID XYGENI ANY AMOUNTS IN SUCH 0-MONTH PERIOD, XYGENI SHALL HAVE NO LIABILITY TO CUSTOMER WHATSOEVER.
Liability cap parameter: [0] ([ZERO]) months. This is the default; a different cap may be agreed in writing in an Order Form.
Some jurisdictions do not allow the limitation or exclusion of liability for incidental or consequential damages, so to that extent some of the above limitations or exclusions may not apply.
The parties acknowledge that the limitations in this Section 9 reflect a fair and reasonable allocation of risk and are an essential element of the basis of the bargain between the parties.
Customer agrees to defend, indemnify and hold harmless Xygeni, its affiliates, officers, directors, employees and agents from and against any claims, damages, liabilities, costs and expenses (including reasonable legal fees) arising from: (a) Customer’s use of the Platform in violation of these Terms or applicable law; (b) Customer Data, including any claim that it infringes third-party rights; (c) Customer’s breach of any representation or warranty; or (d) any security incident originating in Customer’s own environment resulting from Customer’s failure to fulfil its obligations under Section 3.
Xygeni shall defend, indemnify and hold harmless Customer from and against third-party claims alleging that the Platform, as provided by Xygeni and used by Customer in strict accordance with these Terms, infringes a third party’s intellectual property rights. This obligation does not apply to claims arising from: (a) Customer’s modification of the Platform; (b) combination with third-party products not provided by Xygeni; or (c) use in violation of these Terms or the Documentation.
The indemnified party shall promptly notify the indemnifying party in writing of any claim and give the indemnifying party sole control of the defence and settlement. The indemnified party shall provide reasonable cooperation at the indemnifying party’s expense. The indemnifying party may not settle any claim that imposes liability on the indemnified party without prior written consent.
Where Xygeni processes personal data on behalf of Customer in connection with the Platform, such processing is governed by Xygeni’s Data Processing Agreement (DPA), available at https://xygeni.io/legal/dpa, which is incorporated into these Terms by reference. By accepting these Terms (or any Order Form incorporating them), Customer confirms it has read and accepted the DPA. Customer is solely responsible for ensuring it has a valid legal basis under applicable data protection law for providing Customer Data to Xygeni.
Where the parties have separately executed a written DPA, that executed version governs over the publicly published version with respect to data protection matters.
Xygeni implements and maintains appropriate technical and organisational security measures for the Platform infrastructure under its direct control, consistent with Xygeni’s ISO 27001 certified information security management system. Such measures include logical access controls, encryption in transit (TLS 1.2+) and at rest (AES-256), network segmentation, regular vulnerability scanning and security incident response procedures.
In the event of a confirmed security incident affecting Customer Data within Xygeni’s Platform infrastructure, Xygeni shall notify Customer without undue delay and, where feasible, within 48 hours of becoming aware, including the nature of the incident, approximate volume of Customer Data affected, likely consequences and measures taken. Notification does not constitute an admission of liability. Obligations regarding personal data breaches are further governed by the DPA.
Customer shall implement and maintain reasonable security measures for its own systems and integrations, including: (a) multi-factor authentication where technically feasible; (b) appropriate network security controls; (c) regular backups of Customer Data independent of the Platform; and (d) timely application of Xygeni’s security recommendations. Customer’s failure to maintain these measures may reduce or eliminate Xygeni’s liability under Section 9.
These Terms commence on the date Customer first accepts them or executes an Order Form and continue for the Subscription Term specified in the Order Form. Subscription Terms automatically renew for successive periods equal to the initial term unless either party provides written notice of non-renewal at least sixty (60) days before the end of the then-current term.
Either party may terminate these Terms or any Order Form immediately upon written notice if: (a) the other party materially breaches these Terms and fails to cure within thirty (30) days of written notice specifying the breach; or (b) the other party becomes insolvent or has a receiver or liquidator appointed.
Upon termination or expiration: (a) all licenses immediately cease; (b) Customer shall cease using the Platform and uninstall and delete all copies of any software; (c) Customer remains liable for all Fees due up to the termination date; (d) Xygeni shall retain Customer Data for 3 months post-subscription before deletion, unless earlier deletion is requested; and (e) each party shall promptly return or destroy the other party’s Confidential Information upon request.
Sections 3.2, 4.1, 4.6, 5, 9, 10, 13.3 and 14 survive termination.
Xygeni may modify these Terms at any time. Xygeni will provide at least ten (10) days’ notice of changes by posting updated Terms on the Site and notifying registered users by email. Your continued use of the Platform following the effective date of changes constitutes acceptance. If you do not agree to the updated Terms, you must stop using the Platform.
By using the Platform, Customer consents to receive communications from Xygeni in electronic form. All terms, agreements, notices and communications provided electronically satisfy any legal requirement that such communications be in writing.
If a dispute arises under or relating to these Terms, the parties shall first attempt to resolve it informally by having representatives with decision-making authority meet in good faith within fifteen (15) days of written notice of the dispute. If the dispute is not resolved within thirty (30) days after such notice, or if no meeting occurs within fifteen (15) days, either party may initiate formal proceedings.
These Terms are governed by the laws of Spain, without regard to conflicts of laws principles. The United Nations Convention on Contracts for the International Sale of Goods is excluded. Subject to the dispute resolution process in Section 14.3, the parties submit to the exclusive jurisdiction of the courts of Madrid, Spain.
These Terms, together with any executed Order Forms and the DPA, constitute the entire agreement between the parties regarding the Platform and supersede all prior agreements and representations.
These Terms may be amended only as described in Section 14.1. Individual Order Forms may include terms that supplement or modify these Terms for that specific engagement; in case of conflict, the Order Form prevails on commercial terms and these Terms prevail on liability and legal terms.
If any provision is held invalid or unenforceable, the remaining provisions remain in full force.
Customer may not assign these Terms without Xygeni’s prior written consent. Xygeni may assign to an affiliate or in connection with a merger or acquisition.
The parties are independent contractors. Nothing herein creates a partnership, joint venture or employment relationship.
Customer agrees to comply with all applicable export and import control laws and regulations in connection with its use of the Platform.
During the Subscription Term and for one (1) year thereafter, neither party may directly or indirectly solicit or recruit for employment any employee or contractor of the other party who had material involvement in the performance of these Terms. This restriction does not prevent either party from hiring any such person who responds to a general public job posting or who approaches the hiring party on an entirely unsolicited basis.
For legal notices under these Terms: Xygeni Security, S.L., Calle Pasión 4, 2 Planta, 47001 Valladolid, Spain. Email: legal@xygeni.io.
